
DO NOT REPRINT

© FORTINET
Lab 13: Data Leak Prevention (DLP)

In this lab, you will use data leak prevention (DLP) rules and sensors to block sensitive data from leaving the
private network.

Objectives
- Configure DLP to block ZIP files.
- Read and interpret DLP log entries.
- Set up DLP banning and quarantining.
- Configure DLP fingerprinting.

Time to Complete
Estimated: 30 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Security > DLP > local-dlp.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

212 FortiGate Security 6.0 Lab Guide


Fortinet Technologies Inc.
Exercise 1: Blocking Files by File Type

There are multiple ways to configure DLP to prevent sensitive information from leaving your network.

In this exercise, you will configure DLP to block files by file type, and apply DLP to a firewall policy. Then, you will
test the configuration and view the logs. The DLP feature is only available in proxy-based inspection mode.

Enable DLP

By default, DLP is not enabled in the GUI. You will enable DLP to be visible in the GUI.

To enable DLP
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click System > Feature Visibility.
3. In the Security Features section, enable DLP.
4. Click Apply.

Configure the DLP Sensor and DLP Filter

You will configure a new DLP sensor, and create a DLP filter to block ZIP files.

To configure the DLP sensor and DLP filter


1. Continuing on the Local-FortiGate GUI, click Security Profiles > Data Leak Prevention.
2. In the top right corner of the GUI, click the + icon to create a new sensor.

3. In the Name field, enter No_ZIP_files.


4. Click Add Filter to create a new filter.


5. Configure the following settings:

   Field                 Value
   Type                  Files
   Specify File Types    <select>
   File Types            Archive (zip)
   Action                Block

   Tip: On the right side of the screen, type the name in the search box, and then click the file type to add it.

Your configuration should look like the following example:


6. Click OK.
7. Click Apply.

You can also block traffic based on a file name of *.zip, but it is not recommended. A
person could circumvent that type of DLP by changing the filename to, for example,
*.zp1, or *.txt.

By comparison, file type identification works by analyzing the binary layout of the file.
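The difference between the two approaches can be shown in a few lines. The following Python script is an added example, not Fortinet code and not the FortiGate implementation: it applies a simplified "block Archive (zip)" rule once by file name and once by the file's leading signature bytes, and compares the verdicts for a renamed archive and for a plain-text file that merely carries a .zip name. The four-byte signature check and the sample archive are assumptions made for the example; a production engine inspects more of the container than the first four bytes.

```python
import io
import zipfile

# File signatures ("magic bytes") that identify a ZIP container regardless of its name.
# PK\x03\x04 starts a local file header, PK\x05\x06 an empty archive (end-of-central-directory
# record only) and PK\x07\x08 a spanned archive.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def is_zip_by_name(filename: str) -> bool:
    """Weak check: trusts the file extension, which the sender controls."""
    return filename.lower().endswith(".zip")


def is_zip_by_content(data: bytes) -> bool:
    """Stronger check: inspects the first bytes of the file body (simplified to 4 bytes here)."""
    return data[:4] in ZIP_SIGNATURES


def classify_upload(filename: str, data: bytes) -> dict:
    """Apply a 'block Archive (zip)' rule two ways and report how each decides.

    The content-based verdict is the kind of check the DLP file-type filter relies on;
    the name-based verdict is shown only to illustrate why it is not recommended.
    """
    by_name = is_zip_by_name(filename)
    by_content = is_zip_by_content(data)
    return {
        "filename": filename,
        "name_says_zip": by_name,
        "content_says_zip": by_content,
        "name_rule_action": "block" if by_name else "allow",
        "content_rule_action": "block" if by_content else "allow",
    }


def build_sample_zip() -> bytes:
    """Constructed sample: a real ZIP archive holding one small text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", "constructed sample payload\n")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_zip()
    samples = [
        ("DLP_Lab.zip", archive),        # archive with its real extension
        ("DLP_Lab.zp1", archive),        # same archive, renamed
        ("notes.txt", archive),          # same archive, renamed to look like text
        ("looks_like.zip", b"plain text"),  # plain text with a .zip name
    ]
    for name, body in samples:
        print(classify_upload(name, body))
```

Running the script shows that the name-based rule misses the renamed archives and blocks the harmless text file, while the content-based rule blocks exactly the three real archives.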

Apply a DLP Sensor to a Firewall Policy

Now that you have created a DLP sensor, you will edit the existing firewall policy to apply the DLP sensor to it.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254), apply the previously created DLP sensor to the existing
firewall policy named DLP.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Test the DLP Sensor on page 217 .

To apply a DLP sensor to firewall policy
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right-click the ID column for the DLP firewall policy and click Edit.
3. In the Security Profiles section, enable DLP Sensor, and from the drop-down menu, select No_ZIP_files.

When selecting a DLP sensor, Proxy Options and SSL/SSH Inspection are automatically enabled. You cannot
disable Proxy Options and SSL/SSH Inspection, but you can select any preconfigured profile in the associated
drop-down menu.

Your configuration should look like the following example:

4. Click OK.
5. Optionally, if you would like to see the default proxy options profile that is selected in the firewall policy, click
Security Profiles > Proxy Options.
This profile determines how FortiGate’s proxies pick up protocols. For example, the HTTP listening port is set
to port 80.

Test the DLP Sensor

Now, you will test the DLP sensor by trying to transmit a ZIP file by uploading the file to a web URL.

To test the DLP sensor


1. Continuing on the Local-Windows VM, open a new web browser tab and go to the following URL:

http://10.200.1.254/fileupload.html

2. On the web page, click Browse.


3. Browse to Desktop > Resources > FortiGate-Security > DLP > DLP_Lab.zip, and then click Open.
4. Click Submit the file.
The DLP block message will appear.

Check the DLP Logs

Now, you will check the logs related to DLP for the test you performed previously.

To check the DLP logs


1. On the Local-FortiGate GUI, click Log & Report > Forward Traffic.
2. Locate the log entry that has DLP in the Security Events column and a Deny: UTM Blocked in the Result
column for this attempted data leak.
3. Double-click that log entry to view more details.

4. On the right side of the screen, the Details tab shows the forward traffic log information, such as NAT translation,
NAT IP, policy ID, and security action.


5. Click the Security tab to view security log information.


This tab provides information that is more specific to the security profile, such as event type, file name, file
type, filter type, filter category, and security profile name.

You can also view DLP logs under Log & Report > Data Leak Prevention.

The DLP logs section is not displayed until at least one DLP log exists; FortiGate shows it after DLP logs have
been created. If the DLP menu item does not appear in the GUI, refresh your browser, or log out of the
Local-FortiGate GUI and log back in.

Exercise 2: Quarantining IP Addresses

You can configure the DLP filter to quarantine IP addresses that are trying to leak sensitive information. The
quarantined IP address will be blocked from accessing the network so that you have time to investigate the issue.

Quarantine an IP Address

Now, you will modify the action of the previously configured DLP filter to quarantine the IP address.

To quarantine an IP address
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Security Profiles > Data Leak Prevention.
3. In the upper-right corner of the screen, from the drop-down menu, select No_ZIP_files.

4. Select Seq# 1, and then click Edit Filter.


5. In the Action drop-down list, select Quarantine IP Address, and enter an interval of 5 minutes.

6. Click OK.
7. Click Apply.

Test the Quarantined IP Address

Now, you will test the quarantine action by trying to upload a ZIP file.

To test the quarantined IP address


1. Continuing on the Local-Windows VM, open a web browser and go to the following URL:

http://10.200.1.254/fileupload.html

2. On the web page, click Browse.


3. Browse to Desktop > Resources > FortiGate-Security > DLP > DLP_Lab.zip, and then click Open.
4. Click Submit the file.

The DLP block message will appear.

5. On the Local-Windows VM, open a few new web browser tabs and go to the following websites:
   - http://10.200.1.254
   - http://10.200.3.254
A replacement message appears instead of the website. This occurs because the IP address that is sending
the request has been quarantined and is not allowed through the firewall policy on FortiGate.

Remove a Quarantined IP Address From the Banned Entry List

Now, you will remove the quarantined IP address from the banned entry list so that you can access the network.

To remove a quarantined IP address from the banned entry list


1. Return to your browser tab where you are logged in to the Local-FortiGate GUI, and click Monitor > Quarantine
Monitor.
2. Select the entry with the banned IP 10.0.1.10.
3. Click Delete to remove it from the banned entry list.
4. Click OK.
5. On the Local-Windows VM, open additional web browser tabs and go to a few websites, such as:
   - http://www.bbc.com
   - http://dailymotion.com
You should be able to access the Internet, even if the five-minute interval you set has not yet elapsed.

6. Close all browser tabs except for the Local-FortiGate GUI.
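The behaviour exercised above (a DLP match bans the source address for a set interval, every later request from that address is dropped regardless of content, and an administrator can delete the entry before the interval ends) can be modelled in a few lines. The following Python is an added example written for this lab guide, not FortiGate code: the monitor class, the policy function and the timings are assumptions; only the banned address 10.0.1.10 and the 5-minute interval come from the exercise.

```python
from dataclasses import dataclass, field

BANNED_SRC = "10.0.1.10"   # the Local-Windows VM address shown in the Quarantine Monitor


@dataclass
class QuarantineMonitor:
    """In-memory model of the banned-entry list: source IP -> expiry time (seconds)."""
    entries: dict = field(default_factory=dict)

    def quarantine(self, ip: str, now: float, interval_minutes: int) -> None:
        """Add (or extend) a ban that lapses after the configured interval."""
        self.entries[ip] = now + interval_minutes * 60

    def is_banned(self, ip: str, now: float) -> bool:
        """True while a ban is active; an elapsed entry is dropped on first sight."""
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[ip]
            return False
        return True

    def delete(self, ip: str) -> None:
        """Administrator removes the entry early (Monitor > Quarantine Monitor > Delete)."""
        self.entries.pop(ip, None)


def evaluate_request(monitor: QuarantineMonitor, src_ip: str, now: float,
                     dlp_match: bool, interval_minutes: int = 5) -> str:
    """Policy decision for one request.

    A quarantined source is blocked before any content inspection happens, which is
    why ordinary web browsing fails during the ban. A DLP hit on the filter blocks the
    request and quarantines the source for the interval set on the filter.
    """
    if monitor.is_banned(src_ip, now):
        return "blocked: source quarantined"
    if dlp_match:
        monitor.quarantine(src_ip, now, interval_minutes)
        return "blocked: DLP match, source quarantined"
    return "allowed"


if __name__ == "__main__":
    mon = QuarantineMonitor()
    print(evaluate_request(mon, BANNED_SRC, now=0, dlp_match=True))     # ZIP upload
    print(evaluate_request(mon, BANNED_SRC, now=60, dlp_match=False))   # plain web page
    mon.delete(BANNED_SRC)                                              # admin clears entry
    print(evaluate_request(mon, BANNED_SRC, now=61, dlp_match=False))   # browsing works again
```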

Exercise 3: DLP Fingerprinting

DLP fingerprinting is a technique that uses content-based filtering and identifies specific files using one or more
cyclic redundancy checks (CRC) for the files in the configured network share.

Configure a DLP Filter for the Network Share

A network share is preconfigured on the Local-Windows VM with a user account of Administrator and share
name of DLPshare.

In the configuration that you uploaded at the beginning of this exercise, FortiGate is preconfigured to access the
network share.

In this procedure, you will first view the DLP configuration for the network share, and then you will configure a new
filter for DLP fingerprinting.

To configure a DLP filter for the network share


1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.
3. Enter the following command to check the DLP fingerprinting configuration:

   show dlp fp-doc-source

You will notice that the Local-FortiGate is configured to access the network share configured on Local-
Windows with an IP address of 10.0.1.10.

4. Enter the following commands to configure a new filter for DLP fingerprinting in the DLP sensor named
No_ZIP_files:

   config dlp sensor
       edit No_ZIP_files
           config filter
               edit 2
                   set proto http-post
                   set filter-by fingerprint
                   set fp-sensitivity Critical
                   set action block
           end
   end

The DLP fingerprinting filter can be configured using only the CLI. After it is
configured, it is visible on the GUI.

Add a File to the Network Share

Now, you will add a file to the network share.

To add a file to the network share


1. Continuing on the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with
the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Backup.

3. Click OK.
4. Click Save File.
5. Click OK.
The file saves to the Downloads folder.

7. Click the down arrow download icon on the top right of the browser.

8. Right-click the backup file for your configuration, and then click Open Containing Folder.


9. Right-click the configuration file and click Copy.


10. Go to C:\DLPshare.
11. Right-click and click Paste to paste the configuration file in that folder.

Test DLP Fingerprinting

Now, you will test DLP fingerprinting for the file you added to the network share. DLP fingerprinting is configured
based on a schedule. For the purpose of this lab, we will trigger fingerprint checksums manually, using CLI
commands. This is because training is conducted at different times globally, and a configured schedule may not
work correctly.

To test DLP fingerprinting


1. Continuing on the Local-Windows VM, return to the LOCAL-FORTIGATE PuTTY session, and run the following
command to refresh the DLP fingerprint checksums:

diagnose test application dlpfingerprint 6

2. Run the following command to check the updated checksum:

diagnose test application dlpfingerprint 9

You will see that a new file has been added.


3. Open a new browser tab and go to the following URL:

http://10.200.1.254/fileupload.html

4. On the web page, click Browse, and go to C: > DLPshare > Local-FortiGate_
<yourtimestamp>.conf.
5. Click Open.
6. Click Submit the file.
The file upload should be blocked.

Modify a File in the Network Share

Now, you will modify a file in the network share.

To modify a file in the Network Share


1. Continuing on the Local-Windows VM, open File Explorer, and go to C: > DLPshare.
2. Right-click the FortiGate configuration file and click Edit with Notepad++.
3. Make a few small changes to different areas of the configuration.
4. Click Save.

5. Close Notepad++.

Test DLP Fingerprinting With the Modified File

Now, you will test DLP fingerprinting using the modified file in the network share. DLP fingerprinting runs on a
schedule. For the purpose of this lab, you will trigger the fingerprint checksums manually, using CLI commands,
because training is conducted at different times globally and a configured schedule might not work correctly.

To test DLP fingerprinting with the modified file


1. Continuing on the Local-Windows VM, return to the LOCAL-FORTIGATE PuTTY session, and run the following
command to refresh the DLP fingerprint checksums:

diagnose test application dlpfingerprint 6

Tip: Press the Up arrow key twice to recall the command you entered previously.
2. Run the following command to check the updated checksum:

diagnose test application dlpfingerprint 9

You will see that the file has been updated.

3. Open a browser and go to the following URL:

http://10.200.1.254/fileupload.html

4. On the web page, click Browse and go to C: > DLPshare.


5. Click the configuration file.
6. Click Open.
7. Click Submit the file.
The file upload should be blocked (assuming that the changes to the file were not too large and were not made
in too many areas).

Fingerprinting breaks the file into chunks and performs checksums on each part. By
default, DLP will detect a match if any part's checksum from the fingerprint matches.
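The chunk-and-checksum idea, and the reason a lightly edited copy is still caught while a heavily rewritten one is not, can be reproduced with a small model. The Python below is an added example, not Fortinet code and not FortiGate's fingerprint engine: the 64-byte fixed chunks, CRC32 as the per-chunk checksum, the "any one chunk matches" default threshold and the constructed configuration-file text are all assumptions chosen to illustrate the note above and the caveat in the test step about changes that are too large or too widespread.

```python
import zlib

CHUNK_SIZE = 64  # assumed chunk size; the real chunking is not described on this page


def chunk_checksums(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Split the document into fixed-size chunks and CRC32 each one."""
    return [zlib.crc32(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


class FingerprintStore:
    """Stand-in for the fingerprint database built from the files in the network share."""

    def __init__(self):
        self.db = {}  # document name -> set of chunk checksums

    def refresh(self, share: dict) -> None:
        """Re-scan the share, as the manual refresh in the lab does: new files are added and
        modified files get a fresh chunk set."""
        self.db = {name: set(chunk_checksums(body)) for name, body in share.items()}

    def matching_chunks(self, data: bytes) -> dict:
        """How many chunk checksums of the uploaded file appear in each fingerprinted document."""
        sums = chunk_checksums(data)
        return {name: sum(1 for c in sums if c in known) for name, known in self.db.items()}

    def decide(self, data: bytes, min_matches: int = 1) -> str:
        """'block' if any document has at least min_matches matching chunks (default: one)."""
        hits = self.matching_chunks(data)
        return "block" if any(n >= min_matches for n in hits.values()) else "allow"


# Constructed sample standing in for the configuration backup copied into the share.
ORIGINAL_CONF = b"".join(f"set option-{i} value-{i}\n".encode() for i in range(40))
# Same file after a few small in-place edits in two different areas.
LIGHTLY_EDITED = (ORIGINAL_CONF
                  .replace(b"value-3\n", b"VALUE-3\n")
                  .replace(b"value-30\n", b"VALUE-30\n"))
# Same file with every byte altered (letter case flipped), so no chunk survives intact.
HEAVILY_EDITED = bytes(b ^ 0x20 for b in ORIGINAL_CONF)


def demo() -> dict:
    """Fingerprint the original, then judge uploads of the original and of edited copies."""
    store = FingerprintStore()
    store.refresh({"Local-FortiGate_backup.conf": ORIGINAL_CONF})
    return {
        "original": store.decide(ORIGINAL_CONF),
        "lightly_edited": store.decide(LIGHTLY_EDITED),
        "heavily_edited": store.decide(HEAVILY_EDITED),
        "unrelated": store.decide(b"completely different content\n" * 20),
        "chunks_total": len(chunk_checksums(ORIGINAL_CONF)),
        "light_edit_matches": store.matching_chunks(LIGHTLY_EDITED)["Local-FortiGate_backup.conf"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With 900 bytes of sample text there are 15 chunks; the two small edits touch two of them, so 13 chunks still match and the upload is blocked, whereas the case-flipped copy matches none and passes. Raising min_matches models a stricter sensitivity that tolerates fewer coincidental chunk hits but lets more partially rewritten copies through.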
