Fortinet FortiGate Series Administration Manual page 587

Data Leak Prevention
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
Action
Select the action to be taken against traffic matching the configured DLP rule or DLP compound rule. The actions are:

None prevents the DLP rule from taking any action on network traffic. Other matching rules in the same sensor and other sensors may still operate on matching traffic.

Block prevents the traffic matching the rule from being delivered. The matching message or download is replaced with the Data leak prevention replacement message.

Exempt prevents any DLP sensors from taking action on matching traffic. This action overrides any other action from any matching sensors.

Ban, if the user is authenticated, blocks all traffic to or from the user using the protocol that triggered the rule, and the user will be added to the Banned User list. If the user is not authenticated, all traffic of the protocol that triggered the rule from the user's IP address will be blocked. If the banned user is using HTTP, FTP, or NNTP (or HTTPS if the FortiGate unit supports SSL content scanning and inspection), the FortiGate unit displays the Banned by data leak prevention replacement message for the protocol. If the user is using IM, the IM and P2P Banned by data leak prevention message replaces the banned IM message and this message is forwarded to the recipient. If the user is using IMAP, POP3, or SMTP (or IMAPS, POP3S, SMTPS if your FortiGate unit supports SSL content scanning and inspection), the Mail Banned by data leak prevention message replaces the banned email message and this message is forwarded to the recipient. These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list.

Ban Sender blocks email or IM traffic from the sender of matching email or IM messages and adds the sender to the Banned User list. This action is available only for email and IM protocols. For email, the sender is determined by the From: address in the email header. For IM, all members of an IM session are senders and the senders are determined by finding the IM user IDs in the session. Similar to Ban, the IM or Mail Banned by data leak prevention message replaces the banned message and this message is forwarded to the recipient. These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list.

Quarantine IP address blocks access through the FortiGate unit for any IP address that sends traffic matching a sensor with this action. The IP address is added to the Banned User list. The FortiGate unit displays the NAC Quarantine DLP Message replacement message for all connection attempts from this IP address until the IP address is removed from the banned user list.

Quarantine Interface blocks access to the network for all users connecting to the interface that received traffic matching a sensor with this action. The FortiGate unit displays the NAC Quarantine DLP Message replacement message for all connection attempts to the interface until the interface is removed from the banned user list.

Ban, Ban Sender, Quarantine IP, and Quarantine Interface provide functionality similar to NAC quarantine. However, these DLP options cause DLP to block users and IP addresses at the application layer, while NAC quarantine blocks IP addresses and interfaces at the network layer. For more information, see "NAC quarantine and the Banned User list" on page 678.

For more information about configuring DLP replacement messages, see "Replacement messages" on page 250.

If you have configured DLP to block IP addresses and the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device could be blocked, not just that of individual users. You can avoid this problem by implementing authentication or, where possible, selecting Ban Sender.

Archive
Configure DLP archiving for the rule. Archive is available for Email, FTP, HTTP, IM, and Session Control rules and compound rules. The options are:

Disable, do not archive.
Full, perform full DLP archiving.
Summary, perform summary DLP archiving.

See "DLP archiving" on page 588.
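
The NAT caveat described under Action can be worked through with a small model. This is an added example written for this page, not FortiOS code or configuration. It computes which other users behind one NAT address are caught by the Banned User list entry that each action creates. The Session fields, the entry tuples, the handling of Ban Sender entries as independent of protocol, and the sample names and address are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    who: str                      # real person, used for reporting only
    src_ip: str                   # address the FortiGate unit sees (post-NAT)
    protocol: str
    user: Optional[str] = None    # set only when the user authenticated
    sender: Optional[str] = None  # From: address, email sessions only

def ban_entry(action: str, s: Session):
    """Entry a matching session adds to the list: (kind, value, protocol)."""
    if action == "Ban":
        # Authenticated: user + triggering protocol. Otherwise: source IP + protocol.
        if s.user:
            return ("user", s.user, s.protocol)
        return ("ip", s.src_ip, s.protocol)
    if action == "Ban Sender":
        if s.sender is None:
            raise ValueError("Ban Sender is available only for email and IM")
        return ("sender", s.sender, None)  # assumption: not tied to one protocol
    if action == "Quarantine IP address":
        return ("ip", s.src_ip, None)      # all access from the address
    raise ValueError(f"action not modelled: {action}")

def is_blocked(entry, s: Session) -> bool:
    kind, value, protocol = entry
    if protocol is not None and protocol != s.protocol:
        return False
    return value == {"user": s.user, "ip": s.src_ip, "sender": s.sender}[kind]

def collateral(action: str, offender: Session, others):
    """Names of uninvolved users blocked by the offender's entry."""
    entry = ban_entry(action, offender)
    return [o.who for o in others if is_blocked(entry, o)]

NAT_IP = "203.0.113.10"  # constructed sample: one NAT device, three users

def office(authenticated: bool):
    def s(who, proto, sender=None):
        return Session(who, NAT_IP, proto, who if authenticated else None, sender)
    return s("alice", "smtp", "alice@example.com"), [
        s("bob", "smtp", "bob@example.com"), s("carol", "http")]

if __name__ == "__main__":
    for auth in (False, True):
        offender, others = office(auth)
        for action in ("Ban", "Ban Sender", "Quarantine IP address"):
            print(f"authenticated={auth} {action}: {collateral(action, offender, others)}")
```

In this model only the IP-keyed entries reach other users behind the NAT device, which is why the manual points to authentication or Ban Sender.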