How to configure Data Loss Prevention (DLP) in FortiSASE – content blocking and file extension formats

This article describes how to configure Data Loss Prevention (DLP) in FortiSASE, including content blocking and file extension formats.

Scope

FortiSASE.

Solution

There are two options available when configuring DLP.
One option is to block content within document files, such as downloaded files or email attachments; the other is to block content in messages, such as email messages or even a web page.

This article illustrates how to block keywords such as ‘tanks’ and ‘missiles’.

Step 1: On the FortiSASE portal, go to Configuration > Security.

Step 2: On the top right under Profile Group, create a New Entry and select it.

Config-Security

Step 3: All Security Profiles should be disabled.

Step 4: Enable Data Loss Prevention (DLP) and select Customize.

DLP Profile

Step 5: Select Create New and enter a Name.

Step 6: In the New Rule page, for Sensor, select the drop-down menu and select the ‘+’ sign.

New Rule

Step 7: In the New/Edit DLP Sensor page, select Any for Entry matches needed to trigger the sensor and select Create.

DLP Sensor

Step 8: In the New Entry page, for Dictionary, open the drop-down menu and select the ‘+’ sign to open the New DLP Dictionary page.

DLP Dictionary

Step 9: There, enter a Name, select Any for Entries to evaluate, and select Create.

Step 10: Select Keyword for Type and enter ‘missile’ for the Pattern. Keep Case Sensitive and Repeat enabled if desired, and select OK.

NewEntry Dictionary

Step 11: Repeat steps 9 and 10 to create another entry for ‘tanks’, as well as for any different entries desired.

Step 12: Select OK on each page until the New Rule page appears. There, choose the desired value for Severity, set the Action to Block, set the Type to File or Message, and add any required Protocols. To add more file extension types that are not on the list for the DLP (Data Loss Prevention) Profile, refer to Technical Tip: How to add file extension types that are not in the list for DLP (Data Loss Preventio….

Step 13: Once this is done, go to SSL Inspection and enable Deep Inspection.

Step 14: Download the Certificate and import it to users’ machines under the Trusted Root Authority Folder.

Notes:

  • In Step 10 above, when Keyword is used for Type, FortiGate will block the contents of files and email attachments containing those words. When using the Regex option, avoid selecting File as the Type in Step 12: with File, FortiGate blocks all file types related to the configured extensions and ignores the Sensor.
  • File should only be selected as the Type when the Keyword option is used for the DLP Dictionary entries, since it then matches and takes action based on the contents of the documents.
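As an added illustration (not Fortinet code) of how the objects configured in Steps 7 to 12 and described in the Notes fit together, the following Python model evaluates a Dictionary of Keyword/Regex entries through a Sensor and a Rule. The class names, the protocol labels, and the Repeat/Case Sensitive semantics (Repeat counts every occurrence, otherwise at most one per entry) are assumptions made for the model, not FortiSASE's documented behaviour.

```python
import re
from dataclasses import dataclass

@dataclass
class DictEntry:                  # one row of the DLP Dictionary (Step 10)
    pattern: str
    entry_type: str = "keyword"   # "keyword" (literal) or "regex"
    case_sensitive: bool = True
    repeat: bool = True           # assumed: count every occurrence, else at most one

    def occurrences(self, text: str) -> int:
        flags = 0 if self.case_sensitive else re.IGNORECASE
        pat = re.escape(self.pattern) if self.entry_type == "keyword" else self.pattern
        hits = len(re.findall(pat, text, flags))
        return hits if self.repeat else min(hits, 1)

@dataclass
class Dictionary:                 # "Entries to evaluate" = any/all (Step 9)
    name: str
    entries: list
    evaluate: str = "any"

    def matches(self, text: str) -> bool:
        hit = [e.occurrences(text) > 0 for e in self.entries]
        return any(hit) if self.evaluate == "any" else all(hit)

@dataclass
class Sensor:                     # "Entry matches needed to trigger" (Step 7)
    dictionaries: list
    trigger: str = "any"

    def triggered(self, text: str) -> bool:
        hit = [d.matches(text) for d in self.dictionaries]
        return any(hit) if self.trigger == "any" else all(hit)

@dataclass
class Rule:                       # the New Rule page (Step 12)
    sensor: Sensor
    rule_type: str = "message"    # "file" or "message"
    protocols: tuple = ("http", "smtp")
    action: str = "block"

    def decide(self, kind: str, protocol: str, text: str) -> str:
        # The rule only inspects traffic of its own type on its listed protocols.
        if kind != self.rule_type or protocol not in self.protocols:
            return "allow"
        return self.action if self.sensor.triggered(text) else "allow"
# Constructed sample mirroring the article: keyword entries 'missile' and 'tanks'.
WEAPONS = Dictionary("weapons", [DictEntry("missile"), DictEntry("tanks")])
RULE = Rule(Sensor([WEAPONS]), rule_type="message", protocols=("http", "smtp"))
```

The case-sensitive keyword entries let ‘tanks’ through when written as ‘Tanks’, and a File-type rule never evaluates message traffic, which is the interaction the Notes describe.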