Create or edit a DLP filter

Each DLP sensor must have one or more filters configured within it. A filter examines either message content or files, using the criteria described below.

File filters allow you to block files based on their file names and types. When a file filter list is applied to a DLP sensor filter, the network traffic is examined against the list entries, and, if the sensor filter is triggered, the predefined action is taken by the DLP sensor filter.

The general steps for configuring filters are as follows:

  1. Create a DLP sensor.
  2. Edit the sensor to filter either messages or specific file types.
  3. Select the DLP sensor in a security policy.

Select Add Filter to open the New Filter window.

To open the Edit Filter window, select a filter and then select Edit Filter.

Configure the following settings in the New Filter window or the Edit Filter window and then select OK.

Filter

Type
    Select Messages or Files to filter for specific messages or based on file attributes, respectively.
Containing
    Select this option, then choose Credit Card # or SSN from the drop-down list.
File size over
    Select this option, then enter the maximum file size allowed, in KB. This option is only available when filtering files.
Specify File Types
    Select this option, then choose File Types and File Name Patterns from the drop-down menus provided. See File types. This option is only available when filtering files.
Regular Expression
    Select this option, then enter the pattern that network traffic is examined for. See Regular expressions.
Encrypted
    Select this option to cause encrypted files to trigger the filter. This option is only available when filtering files.
Examine the Following Services
    Select the services whose traffic the filter will examine. This allows resources to be optimized by only examining relevant traffic. The available services are:
      • HTTP-POST and HTTP-GET
      • SMTP, POP3, IMAP, and MAPI
      • FTP and NNTP
Action
    Select the action to take if the filter is triggered from the drop-down list. The available actions are:
    Allow
        No action is taken when the filter is triggered.
    Log Only
        When the filter is triggered, the match is logged, but no other action is taken.
    Block
        Traffic matching the filter is blocked and replaced with a replacement message. See Replacement messages.
    Quarantine IP Address
        Block access for any IP address that sends traffic matching the filter. The IP address is added to the banned user list, and an appropriate replacement message is sent for all connection attempts until the quarantine time expires. Enter the amount of time that the IP address will be quarantined for (>= 1 minute).

Regular expressions

Network traffic is examined for the pattern described by the regular expression specified in the DLP sensor filters. Fortinet uses a variation of the Perl Compatible Regular Expressions (PCRE) library. For some examples of Perl expressions, see Appendix A - Perl regular expressions. For more information about using Perl regular expressions, go to http://perldoc.perl.org/perlretut.html.

By adding multiple filters containing regular expressions to a sensor, a dictionary can be developed within the sensor. The filters can include expressions that accommodate complex variations of words or target phrases. Within the sensors, each expression can be assigned a different action, allowing for a very granular implementation.
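The following Python model is an added example, not Fortinet code or anything taken from this documentation. It shows how the filter settings above (type, regular expression, file size, file types, encrypted, examined services, action) combine into a sensor that works as a dictionary: several regular-expression filters, each with its own action, evaluated against constructed sample traffic. The filter names, patterns and traffic samples are all constructed. Two points are assumptions rather than documented behaviour: Python's re module stands in for Fortinet's PCRE variant (only syntax common to both is used), and when more than one filter triggers the model applies the most severe action, which is a choice made here and not something this page states about the appliance.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# The four actions the page lists, ranked so the most severe match decides
# (assumption of this model; the page does not describe how the appliance
# combines several triggered filters).
ACTION_RANK = {"allow": 0, "log-only": 1, "block": 2, "quarantine-ip": 3}


@dataclass
class DlpFilter:
    name: str
    action: str
    services: Set[str]                   # services this filter examines
    ftype: str = "message"               # "message" or "file"
    regexp: Optional[str] = None         # pattern traffic is examined for
    file_size_over_kb: Optional[int] = None
    file_types: Set[str] = field(default_factory=set)
    encrypted: bool = False


@dataclass
class Traffic:
    service: str                         # "smtp", "http-post", "ftp", ...
    content: str = ""                    # message body or extracted file text
    is_file: bool = False
    file_type: str = ""                  # e.g. "zip", "pdf"
    size_kb: int = 0
    encrypted: bool = False


def filter_matches(flt: DlpFilter, t: Traffic) -> bool:
    """Every criterion configured on the filter must hold for it to trigger."""
    if t.service not in flt.services:
        return False                     # service not examined by this filter
    if (flt.ftype == "file") != t.is_file:
        return False                     # message filter vs. file filter
    if flt.regexp is not None and not re.search(flt.regexp, t.content):
        return False
    if flt.file_size_over_kb is not None and t.size_kb <= flt.file_size_over_kb:
        return False
    if flt.file_types and t.file_type not in flt.file_types:
        return False
    if flt.encrypted and not t.encrypted:
        return False
    return True


def evaluate(sensor: List[DlpFilter], t: Traffic) -> Tuple[str, List[str]]:
    """Return the most severe action among triggered filters plus their names."""
    hits = [f for f in sensor if filter_matches(f, t)]
    if not hits:
        return "allow", []
    worst = max(hits, key=lambda f: ACTION_RANK[f.action])
    return worst.action, [f.name for f in hits]


# Constructed sample sensor: a small dictionary with a different action per filter.
# Word boundaries keep the patterns from firing inside longer digit runs or words.
SENSOR = [
    DlpFilter("ssn-in-mail", "block", {"smtp", "pop3", "imap", "mapi"},
              regexp=r"\b\d{3}-\d{2}-\d{4}\b"),
    DlpFilter("project-codename", "log-only", {"smtp", "http-post"},
              regexp=r"(?i)\bproject[\s_-]?nimbus\b"),
    DlpFilter("large-archives", "block", {"http-post", "ftp"}, ftype="file",
              file_size_over_kb=10240, file_types={"zip", "rar", "7z"}),
    DlpFilter("encrypted-upload", "quarantine-ip", {"http-post", "ftp"},
              ftype="file", encrypted=True),
]


if __name__ == "__main__":
    # Constructed traffic samples exercising each filter and the service scope.
    samples = [
        Traffic("smtp", content="My SSN is 123-45-6789, please update my record."),
        Traffic("http-post", content="Project Nimbus status report attached"),
        Traffic("ftp", is_file=True, file_type="zip", size_kb=20480),
        Traffic("http-post", is_file=True, file_type="pdf", size_kb=512, encrypted=True),
        Traffic("http-get", content="123-45-6789"),   # http-get not examined: allow
    ]
    for s in samples:
        print(s.service, evaluate(SENSOR, s))
```

The service check comes first because it is the cheapest test and mirrors the optimisation the page describes: a filter never inspects traffic from a service it was not told to examine, so an SSN sent over HTTP-GET is not matched by a filter scoped to mail protocols.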

File types

  • Archive (7z)
  • Archive (arj)
  • Archive (bzip)
  • Archive (bzip2)
  • Archive (cab)
  • Archive (gzip)
  • Archive (lzh)
  • Archive (rar)
  • Archive (tar)
  • Archive (xz)
  • Archive (zip)
  • Audio (avi)
  • Audio (mp3)
  • Audio (wav)
  • Audio (wma)
  • Batch File (bat)
  • BMP Image (bmp)
  • Common Console Document (msc)
  • Encoded Data (base64)
  • Encoded Data (binhex)
  • Encoded Data (mime)
  • Encoded Data (uue)
  • Executable (elf)
  • Executable (exe)
  • GIF Image (gif)
  • HTML Application (hta)
  • HTML File (html)
  • Ignored File Type (ignored)
  • Java Application Descriptor (jad)
  • Java Class File (class)
  • Java Compiled Bytecode (cod)
  • JavaScript File (javascript)
  • JPEG Image (jpeg)
  • Microsoft Active Mime Object (activemime)
  • Microsoft Office (msoffice)
  • Microsoft Office (msofficex)
  • Packer (aspack)
  • Packer (fsg)
  • Packer (petite)
  • Packer (upx)
  • PalmOS Application (prc)
  • PDF (pdf)
  • PNG Image (png)
  • Real Media Streaming (rm)
  • Symbian Installer System File (sis)
  • TIFF Image (tiff)
  • Torrent (torrent)
  • Unknown File Type (unknown)
  • Video (mov)
  • Video (mpeg)
  • Windows Help File (hlp)
  • Windows Installer Package (msi)