FortiGate
kbahrudin_FTNT
Article Id 197708
Description
This article explains how to archive message content of all emails passing through a FortiGate with their attachments.

Scope
DLP archiving.

Solution
There are two forms of DLP archiving: Summary Only and Full.

Summary archiving records information about the supported traffic types. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the Web, every URL the user visits is recorded. The result is a summary of all activity the sensor detected.

For more detailed records, Full archiving is necessary. When an email message is detected, the message itself, including any attachments, is archived. When a user accesses the Web, every page the user visits is archived. Far more detailed than a summary, Full DLP archives require more storage space and processing.

DLP archiving is set in the CLI only.

To set the archive to Full and Summary Archive:

    config dlp sensor
        edit <name of sensor>
            config filter
                edit 1
                    set type message
                    set proto smtp pop3 imap
                    set filter-by regexp
                    set regexp ".*"
                    set archive enable             <- enable archive on the filter (IMPORTANT)
                    set action log-only
                next
            end
            set full-archive-proto smtp pop3 imap  <- set archive-type to Full (IMPORTANT)
            set summary-proto smtp pop3 imap       <- set archive-type to Summary (IMPORTANT)
        next
    end
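As an added check that is not part of the article: this Python script parses a FortiOS `config dlp sensor` dump (as produced by `show`) and reports, per sensor, whether a message filter with archiving enabled covers SMTP/POP3/IMAP and whether those protocols are also listed under full-archive-proto, so a sensor that only produces summaries is flagged. The sample dump and the function names are constructed for this example.

```python
import shlex
EMAIL_PROTOS = {"smtp", "pop3", "imap"}

# Constructed sample dump (not from a real device), shaped like the article's CLI block.
SAMPLE_CONFIG = """config dlp sensor
    edit "mail-archive"
        config filter
            edit 1
                set type message
                set proto smtp pop3 imap
                set filter-by regexp
                set regexp ".*"
                set archive enable
                set action log-only
            next
        end
        set full-archive-proto smtp pop3 imap
        set summary-proto smtp pop3 imap
    next
end"""


def parse_dlp_sensors(text):
    """Map sensor name -> {'full': full-archive protos, 'archived': protos of each archiving message filter}."""
    sensors, name, in_filter, flt = {}, None, False, None
    for raw in filter(str.strip, text.splitlines()):
        parts = shlex.split(raw)  # shlex handles quoted values such as ".*"
        if parts[:2] == ["config", "filter"]:
            in_filter = True
        elif parts[0] == "edit" and not in_filter:
            name = parts[1]
            sensors[name] = {"full": set(), "archived": []}
        elif parts[0] == "edit":
            flt = {}
        elif parts[0] == "next" and in_filter:
            if flt.get("archive") == ["enable"] and flt.get("type") == ["message"]:
                sensors[name]["archived"].append(set(flt.get("proto", [])))
            flt = None
        elif parts[0] == "end" and in_filter:
            in_filter = False
        elif parts[0] == "set" and flt is not None:
            flt[parts[1]] = parts[2:]  # keep every filter setting verbatim
        elif parts[0] == "set" and name and parts[1] == "full-archive-proto":
            sensors[name]["full"] = set(parts[2:])
    return sensors

def audit_email_archiving(text):
    """Sensor name -> True only when SMTP/POP3/IMAP are both archived by a message filter and set to Full."""
    return {n: EMAIL_PROTOS <= s["full"] and any(EMAIL_PROTOS <= p for p in s["archived"])
            for n, s in parse_dlp_sensors(text).items()}
```

Run it against the output of `show dlp sensor` copied from the FortiGate; any sensor reported as False will log summaries at best rather than the full message with attachments.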
When email content is archived to a FortiAnalyzer using DLP archive, the archived email can be viewed under FortiView.

On the FortiAnalyzer, go to Log & Report > Security > DLP, open one of the DLP logs that detected an email, switch to the second tab, and download the file that holds the email content.
