Configuring DLP Archiving - Fortinet FortiGate Series Administration Manual


Data Leak Prevention

Configuring DLP archiving

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
You enable Email, Web, FTP, IM, and session control DLP archiving in DLP sensors. Then
you add the DLP sensors to protection profiles and add the protection profiles to firewall
policies. All sessions accepted by firewall policies that are matched by rules in DLP
sensors are DLP archived.
DLP includes the Content_Archive and Content_Summary pre-defined DLP sensors. The
Content_Archive sensor includes pre-defined DLP rules that provide full DLP archiving for
HTTP, Email, FTP, and IM protocols. To provide full DLP archiving, when you add a rule to
a sensor, set Archive to Full.
The Content_Summary sensor also includes predefined DLP rules and provides summary
DLP archiving for HTTP, Email, FTP, and IM protocols. To provide summary DLP
archiving, when you add a rule to a sensor, set Archive to Summary Only.
You can add the pre-defined All-session-control DLP rule to the Content_Archive and
Content_Summary pre-defined DLP sensors to DLP archive session control sessions.
If your FortiGate unit supports SSL content scanning and inspection, you can also archive
HTTPS, IMAPS, POP3S, and SMTPS content. By default, the SSL protocols are not
enabled in the All-Email and All-HTTP pre-defined DLP rules. To archive the SSL
protocols, you must edit these pre-defined rules and select the SSL protocols.
In addition to these pre-defined DLP rules and sensors, you can add your own DLP rules
and sensors and use them for full and summary DLP archiving. See "DLP Sensors" on
page 583 for more information about configuring DLP sensors.
Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some
content, DLP will not create more than one DLP archive entry from the same content.
Note: Enabling full DLP archiving reduces the amount of system memory available for virus
scanning. Because of these memory constraints, Fortinet recommends against using full DLP
archiving if antivirus scanning is also configured, especially on FortiGate units with low
system memory.
To DLP archive all email messages
This procedure describes how to add the All-Email DLP rule to a DLP sensor and
configure the rule in that sensor for full DLP archiving.
1 Go to UTM > Data Leak Prevention > Sensor and add a sensor.
2 Add rules to the sensor for whatever requirements you may have for the sensor.
3 Add the All-Email DLP rule to the sensor and set Archive to Full.
4 Go to Firewall > Policy > Protection Profile and add a new protection profile or edit an existing one.
5 Select the Data Leak Prevention Sensor expand arrow.
6 Select Data Leak Prevention Sensor and select the sensor from the list.
7 Add the protection profile to a firewall policy that accepts email traffic.
The sensor will now match and archive all email messages processed by the firewall
policy.
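
The chain described above (firewall policy, protection profile, DLP sensor, rule) can be checked offline against an inventory of the configuration. The following Python code is an added example, not Fortinet code; it flags policies whose sessions are not archived, profiles that combine Full archiving with antivirus scanning, and All-Email or All-HTTP rules left without the SSL protocols selected. The dictionary layout, the `antivirus` and `ssl` flags and all sample names are assumptions constructed for illustration and are not FortiOS configuration syntax.

```python
# Constructed sample inventory (hypothetical layout, not a FortiOS export).
POLICIES = [
    {"id": 1, "profile": "mail-strict"},
    {"id": 2, "profile": "web"},
    {"id": 3, "profile": None},          # policy with no protection profile
    {"id": 4, "profile": "mail-plain"},
]
PROFILES = {
    "mail-strict": {"dlp_sensor": "mail-archive", "antivirus": True},
    "web":         {"dlp_sensor": "web-summary",  "antivirus": True},
    "mail-plain":  {"dlp_sensor": "mail-ssl",     "antivirus": False},
}
SENSORS = {
    "mail-archive": [{"rule": "All-Email", "archive": "Full", "ssl": False}],
    "web-summary":  [{"rule": "All-HTTP", "archive": "Summary Only", "ssl": True}],
    "mail-ssl":     [{"rule": "All-Email", "archive": "Full", "ssl": True}],
}

ARCHIVE_LEVELS = ("Full", "Summary Only")   # the two Archive settings in the guide
SSL_CAPABLE = {"All-Email", "All-HTTP"}     # pre-defined rules shipped with SSL protocols off


def audit(policies, profiles, sensors):
    """Walk policy -> profile -> sensor -> rules and return sorted (policy_id, finding)."""
    findings = []
    for pol in policies:
        profile = profiles.get(pol["profile"]) or {}
        rules = sensors.get(profile.get("dlp_sensor"), [])
        archiving = [r for r in rules if r["archive"] in ARCHIVE_LEVELS]
        if not archiving:
            # No profile, no sensor, or no rule with Archive set: nothing is archived.
            findings.append((pol["id"], "not-archived"))
            continue
        if profile.get("antivirus") and any(r["archive"] == "Full" for r in archiving):
            # The guide recommends against Full archiving together with antivirus scanning.
            findings.append((pol["id"], "full-archive-with-antivirus"))
        for r in archiving:
            # Only relevant on units that support SSL content scanning and inspection.
            if r["rule"] in SSL_CAPABLE and not r["ssl"]:
                findings.append((pol["id"], "ssl-protocols-unselected:" + r["rule"]))
    return sorted(findings)


if __name__ == "__main__":
    for policy_id, finding in audit(POLICIES, PROFILES, SENSORS):
        print(f"policy {policy_id}: {finding}")
```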