FortiGate
ck_FTNT (Staff)
Article Id 198163

Description

Microsoft Information Protection (MIP) is a solution that helps you discover, classify, and protect sensitive information wherever it lives or travels by applying labels to content.
Azure Information Protection (AIP) extends this functionality to the Azure cloud.

Consult Microsoft's documentation for further reading on Microsoft Information Protection and Azure Information Protection.

FortiGate integrates with MIP and AIP by scanning traffic for these labels and taking an action when one is found.
This is done with a Data Leak Prevention (DLP) sensor whose filter matches the label and applies an action such as blocking the traffic.

The sensor is then attached to a firewall policy that covers the path your sensitive information could take out of the secure network.

This article describes how to configure the FortiGate to detect labels applied to your data by MIP/AIP.


Solution

Label matching is implemented with a DLP regex in three steps:

1) Create the DLP sensor whose filter matches the label ID.
2) Optionally, define custom ports to inspect if the traffic does not use the default protocol ports.
3) Add the DLP sensor (and, if created, the custom protocol options profile) to the firewall policy that carries the data to be inspected.

1) DLP sensor sample configuration

DLP uses a regex to match the MIP/AIP label; the regexp value is the label's ID, the GUID that identifies the sensitivity label (shown in the sample below). The sensor must use the proxy feature set, which in turn requires the firewall policy to run in proxy inspection mode. Using edit 0 for the filter lets FortiOS assign the next free filter ID.

Starting with FortiOS 6.2.2, the DLP sensor is configurable only through the CLI.
config dlp sensor
    edit "mipaip"
        set feature-set proxy
        config filter
            edit 0
                set proto smtp pop3 imap http-get http-post
                set filter-by regexp
                set regexp "0011bc0f-dd9a-47b5-9a61-bc3b5f442af7"
                set action block
            next
        end
    next
end

 

2) Customize the protocol options

DLP identifies the traffic it inspects by protocol, and each protocol is recognized on the ports defined in the protocol options profile. If your organization runs any of these services on non-standard ports, those ports must be added or the labelled traffic will not be inspected.

To adjust the ports, navigate to Policy & Objects -> Protocol Options. If the default profile is not referenced by other policies, you can customize its ports directly; otherwise, create a new profile so that other policies are not affected.

The protocol options profile is referenced alongside the DLP sensor in the firewall policy.

(Screenshot: MIP_Protocol_Options.png, the Protocol Options profile with customized ports.)
3) Configure the policy that evaluates the traffic

Note that this policy is wide open (any source, any destination, any service) and is not recommended for production.
The settings that matter for this article are utm-status, inspection-mode (must be proxy), profile-protocol-options (the profile from step 2, or the default), ssl-ssh-profile and dlp-sensor. Deep inspection is required to find the label in transfers over HTTPS, since the label travels inside the file content; with certificate inspection only, cleartext protocols can be inspected. Deep inspection in turn requires the FortiGate CA certificate to be trusted by the clients, otherwise they will see certificate errors.

config firewall policy
    edit 1
        set name "outbound_traffic"
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "Custom protocol options"
        set ssl-ssh-profile "deep-inspection"
        set dlp-sensor "mipaip"
        set nat enable
    next
end

Results

When a file carrying the label is uploaded or downloaded over one of the inspected protocols, FortiGate blocks the transfer. The block message the user sees depends on the protocol used.
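Before relying on the sensor, it is worth knowing what the regex above is actually looking for and where it sits in a labelled file. The following Python is an added example, not part of the article and not Fortinet code. It builds a minimal Office-style (.docx-like) zip carrying the label as Office records it: custom document properties in docProps/custom.xml named MSIP_Label_<label GUID>_<field>. The GUID is reused from the sample sensor; the property values ("true", "Confidential") and the stripped-down document parts are constructed test data. The example then compares a regex on the raw bytes, as they would cross the wire, with a regex on the extracted metadata: a real .docx is a deflate-compressed zip, so the GUID is not visible in the raw stream. The article does not say how FortiOS locates the label inside files (a question the comments below also raise), so test your sensor with a real labelled file rather than assuming a raw-byte match is enough.

```python
"""Build a minimal MIP-labelled Office-style file and show where the label GUID sits.

Added example for this article; not Fortinet code. Shows why a regex on raw wire
bytes and a regex on the extracted document metadata give different answers.
"""
import io
import re
import zipfile

# Label ID from the article's sample sensor. A MIP sensitivity label is
# identified by a GUID like this one.
LABEL_ID = "0011bc0f-dd9a-47b5-9a61-bc3b5f442af7"
LABEL_RE = re.compile(re.escape(LABEL_ID).encode("ascii"), re.IGNORECASE)

# Office writes MIP labels into docProps/custom.xml as custom document
# properties named MSIP_Label_<label GUID>_<field>. The values ("true",
# "Confidential") are constructed test data, not taken from a real tenant.
CUSTOM_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
            xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2"
            name="MSIP_Label_{LABEL_ID}_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
  <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="3"
            name="MSIP_Label_{LABEL_ID}_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
</Properties>
"""


def build_labelled_docx(compressed: bool = True) -> bytes:
    """Return a minimal OOXML-style zip carrying the label metadata.

    Real .docx files are deflate-compressed; compressed=False stores the parts
    uncompressed so the contrast with raw-byte matching can be shown. Only the
    parts needed for the demonstration are included (a real .docx has more).
    """
    method = zipfile.ZIP_DEFLATED if compressed else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/custom.xml", CUSTOM_XML)
    return buf.getvalue()


def label_in_raw_bytes(blob: bytes) -> bool:
    """What a regex applied to the bytes as they cross the wire would see."""
    return LABEL_RE.search(blob) is not None


def label_in_extracted_metadata(blob: bytes) -> bool:
    """What a scanner that unpacks the container and reads the metadata part sees."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return False
        return LABEL_RE.search(zf.read("docProps/custom.xml")) is not None


def labelled_property_names(blob: bytes) -> list[str]:
    """Return the MSIP_Label_* property names found in docProps/custom.xml."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        xml = zf.read("docProps/custom.xml").decode("utf-8")
    return re.findall(r'name="(MSIP_Label_[^"]+)"', xml)


if __name__ == "__main__":
    for compressed in (False, True):
        blob = build_labelled_docx(compressed)
        print(f"compressed={compressed}: raw-bytes match={label_in_raw_bytes(blob)}, "
              f"metadata match={label_in_extracted_metadata(blob)}")
    print("label properties:", labelled_property_names(build_labelled_docx()))
```

Running the script shows the raw-bytes regex matching only the uncompressed variant, while the metadata check matches both. The same contrast applies to a sensor on the FortiGate: a GUID regex can only fire on a real labelled Office document if the DLP engine unpacks the container first, so confirm the block with a genuinely labelled file on each protocol you care about before treating the sensor as a control.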

 

 

 

Below is an example of the block page returned for an HTTP POST request carrying an MIP-labelled file:

(Screenshot: MIP_block_page.png, the FortiGate DLP block page.)

Comments
al14cioli_FTNT

Hi,

Does FortiOS perform raw pattern matching on the whole document? Or does it search for specific fields in the header or metadata section of the file (which involves detecting the file type and supporting inspection of such a file format)?

Regards,
Alain