FortiGate
rmetzger
Article Id 190090
Description
This article explains how to configure and verify DLP (Data Leak Prevention) to block or filter emails and spam based on criteria present in the sender (From:) information.

Scope
  • FortiOS 4.0MR1 and 4.0MR2
  • Example presented in 4.0MR2

Solution
The example presented hereafter is intended to block all emails that have the keyword "watch" in the email envelope or MIME header, and more specifically in the sender information.

It is assumed that the SMTP traffic is initiated from the WAN2 interface and destined to an SMTP server reachable via the DMZ interface.

CLI configuration example (FortiOS 4.0MR2):

config dlp rule
    edit "All-Email-from-watch-sender"
        set protocol email
        set sub-protocol smtp
        set field sender
        set regexp "*watch*"
        set regexp-wildcard enable
    next
end

config dlp sensor
    edit "sensor_block_watch"
        config rule
            edit "All-Email-from-watch-sender"
                set action ban
                set archive enable
                set expiry 10m
            next
        end
        set dlp-log enable
    next
end

Note: "set action ban" bans the source IP address for the expiry period; use "set action ban-sender" instead to block only further mails from the matching sender.

config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set schedule "always"
        set service "ANY"
        set dlp-sensor "sensor_block_watch"
        set profile-protocol-options "default"
    next
end
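Before committing a wildcard pattern such as "*watch*", it helps to see which sender values it would actually hit. The Python script below is an added example, not Fortinet code: it assumes fnmatch-style semantics for the regexp-wildcard option ("*" matches any run of characters, compared case-insensitively against the whole field), which the FortiOS matcher may not share exactly, and runs the pattern against constructed messages. It also shows that a "sender" rule can see two different values, the SMTP envelope MAIL FROM address and the MIME From: header, and that these need not agree.

```python
"""Pre-deployment check of a DLP 'sender' wildcard pattern (added example)."""
import fnmatch
import re
from email import message_from_string

# Assumed wildcard semantics: fnmatch-style ('*' any run of characters,
# '?' one character), case-insensitive, matched against the whole field.
# This is a sanity check of the pattern, not a reproduction of FortiOS.
def wildcard_to_regex(pattern):
    return re.compile(fnmatch.translate(pattern), re.IGNORECASE)

def sender_fields(envelope_from, raw_message):
    """The two 'sender' values a message carries: the SMTP envelope
    MAIL FROM address and the MIME From: header (they need not agree)."""
    msg = message_from_string(raw_message)
    return {"envelope_from": envelope_from, "header_from": msg.get("From", "")}

def evaluate(pattern, envelope_from, raw_message):
    """Return, per sender field, whether the pattern would match it."""
    rx = wildcard_to_regex(pattern)
    fields = sender_fields(envelope_from, raw_message)
    return {name: rx.match(value) is not None for name, value in fields.items()}

# Constructed sample messages (envelope sender, raw MIME); not from the article.
SAMPLES = {
    # the case the article blocks
    "shop": ("watch_shop@test.lab",
             "From: Watch Shop <watch_shop@test.lab>\r\nTo: bob@test.lab\r\n"
             "Subject: offer\r\n\r\nhi\r\n"),
    # unrelated sender, must pass
    "legit": ("alice@example.test",
              "From: alice@example.test\r\nTo: bob@test.lab\r\n"
              "Subject: report\r\n\r\nhi\r\n"),
    # collateral hit: '*watch*' also matches 'swatch'
    "collateral": ("ops@swatch-repairs.test",
                   "From: ops@swatch-repairs.test\r\nTo: bob@test.lab\r\n"
                   "Subject: invoice\r\n\r\nhi\r\n"),
    # envelope and header disagree: only the MIME From: header matches
    "mismatch": ("bounce@mailer.test",
                 "From: watch_shop@test.lab\r\nTo: bob@test.lab\r\n"
                 "Subject: offer\r\n\r\nhi\r\n"),
}

def run_all(pattern="*watch*"):
    """Evaluate the pattern against every sample; keyed by sample name."""
    return {name: evaluate(pattern, env, raw) for name, (env, raw) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:11s} {result}")
```

The "collateral" sample is the caveat to keep in mind: a leading and trailing "*" matches the keyword anywhere in the field, so legitimate senders whose address merely contains the substring are banned as well, and with "set action ban" the whole source IP is banned for the expiry period.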

Test and verification:

  • Send a mail through the FortiGate, from wan2 to dmz, from the sender "watch_shop@test.lab".
  • The message returned to the user's MUA (tested with Outlook Express) is the following:
An unknown error has occurred. Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This email has been blocked because a data leak was detected.  Please contact your admin to be re-enabled.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F
  • Check the FortiGate log:
FGT# execute log  display
1 logs found.
1 logs returned.

1: 2010-06-04 15:08:09 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=107333 user="N/A" group="N/A" src=10.112.0.10 sport=1694 src_port=1694 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to="N/A" msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" rulename="All-Email-from-watch-sender" compoundname="N/A" action=ban severity=1

or, if ban-sender was used:

1: 2010-06-04 16:21:15 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0serial=109156 user="N/A" group="N/A" src=10.112.0.10 sport=1911 src_port=1911 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to="N/A" msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-Email-from-watch-sender" compoundname="N/A" action=ban sender severity=1

  • Check the sensor action applied in the ban list:
FGT# get user ban list
id  cause                       src-ip-addr  dst-ip-addr  expires                  created          dlp-proto
1   All-Email-from-watch-sender 10.112.0.10             Fri Jun  4 15:18:09 2010 Fri Jun  4 15:08:09 2010 SMTP
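The log record and the ban-list entry can be parsed and cross-checked mechanically, for instance to confirm that the ban was created for the logged source IP, at the logged time, and lasts exactly the configured expiry (10m). The Python script below is an added example, not Fortinet code; the sample records are constructed to match the formats printed by "execute log display" and "get user ban list" above, and the ban-list column layout is assumed from that single output line.

```python
"""Parse a FortiOS DLP log record and ban-list entry and cross-check them
against the configured sensor (added example, not Fortinet code)."""
import re
from datetime import datetime, timedelta

# Constructed sample records in the formats shown in the article.
DLP_LOG_LINE = (
    '1: 2010-06-04 15:08:09 log_id=0954024576 type=dlp subtype=dlp pri=warning '
    'vd="root" policyid=2 serial=107333 src=10.112.0.10 sport=1694 src_int="wan2" '
    'dst=10.160.0.8 dport=25 dst_int="dmz" service=smtp status=detected '
    'msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" '
    'rulename="All-Email-from-watch-sender" action=ban severity=1'
)
BAN_LIST_LINE = (
    '1   All-Email-from-watch-sender 10.112.0.10             '
    'Fri Jun  4 15:18:09 2010 Fri Jun  4 15:08:09 2010 SMTP'
)

# "N: YYYY-MM-DD HH:MM:SS <key=value ...>" record prefix
LOG_PREFIX_RE = re.compile(r'(\d+):\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$')
# key=value pairs; quoted values may contain spaces and parentheses
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# ban-list columns (assumed layout): id cause src-ip [dst-ip] expires created dlp-proto
DATE = r'\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}'
BAN_RE = re.compile(r'(\d+)\s+(\S+)\s+(\S+)\s+(\S*)\s+(' + DATE + r')\s+(' + DATE + r')\s+(\S+)$')
BAN_DATE_FMT = "%a %b %d %H:%M:%S %Y"

def parse_dlp_log(line):
    """Turn one log record into a dict; quoted values lose their quotes."""
    m = LOG_PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a FortiOS log record: " + line)
    rec = {"index": int(m.group(1)),
           "timestamp": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    return rec

def parse_ban_entry(line):
    """Parse one 'get user ban list' row; dst-ip may be empty."""
    m = BAN_RE.match(line)
    if not m:
        raise ValueError("not a ban-list entry: " + line)
    return {
        "id": int(m.group(1)),
        "cause": m.group(2),
        "src_ip": m.group(3),
        "dst_ip": m.group(4) or None,
        "expires": datetime.strptime(m.group(5), BAN_DATE_FMT),
        "created": datetime.strptime(m.group(6), BAN_DATE_FMT),
        "dlp_proto": m.group(7),
    }

def check_ban(log_rec, ban, expiry=timedelta(minutes=10)):
    """Return a list of inconsistencies between the log record, the ban-list
    entry and the configured expiry; an empty list means everything agrees."""
    problems = []
    if ban["cause"] != log_rec.get("rulename"):
        problems.append("ban cause does not match the rule named in the log")
    if ban["src_ip"] != log_rec.get("src"):
        problems.append("banned IP differs from the logged source IP")
    if ban["created"] != log_rec["timestamp"]:
        problems.append("ban creation time differs from the log timestamp")
    if ban["expires"] - ban["created"] != expiry:
        problems.append("ban duration is not the configured expiry")
    return problems

if __name__ == "__main__":
    rec = parse_dlp_log(DLP_LOG_LINE)
    ban = parse_ban_entry(BAN_LIST_LINE)
    print(rec["rulename"], rec["action"], rec["src"], "->", rec["dst"])
    print("ban lasts", ban["expires"] - ban["created"], "problems:", check_ban(rec, ban))
```

The expiry check is the one worth keeping in a verification script: the ban-list "created" and "expires" columns are the only place the appliance shows how long a banned IP stays blocked, so comparing their difference with the sensor's "set expiry" value catches a sensor that was edited after the ban was raised.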

Related Articles

Technical Note : FortiGate configuration for email filtering based on the language or the character ...
