The following is a fairly complex example, but it shows what can be done by combining various components in the correct configuration.
The company has a number of copyrighted documents that it does not want "escaping" to the Internet, but it does want to be able to send those documents to the printers for turning into hardcopy.
The policies and procedures regarding this issue state that:
• Only members of the group Senior_Editors can send copyrighted material to the printers.
• Every member of the company by default is included in the group employees.
• Even permitted transmission of copyrighted material should be recorded.
• All of the printers' IP addresses are in a group called approved_printers.
• There is a file share called copyrighted where any file that is copyrighted is required to have a copy stored.
• It doesn't happen often, but for legal reasons sometimes these files can be changed, and all versions of a file in this directory need to be secured.
• All network connections to the Internet must have Antivirus enabled using at least the default profile.
• The SSL/SSH Inspection profile used will be default.
It is assumed for the purposes of this example that:
• Any addresses or address groups have been created.
• User accounts and groups have been created.
DLP examples Data leak prevention
• The copyrighted sensitivity level needs to be created.
• The copyrighted material is stored at \\192.168.27.50\books\copyrighted\

1. Add a new Sensitivity Level by running the following commands in the CLI:
   config dlp fp-sensitivity
       edit copyrighted
   end
2. Apply files to the fingerprint database
   a. Go to Security Profiles > Advanced > DLP Fingerprint.
   b. In the Document Sources section, select Create New. Use the following field values:
      Name                                           copyrighted_material
      Server Type                                    Windows Share
      Server Address                                 192.168.27.50
      User Name                                      fgtaccess
      Password                                       ******
      Path                                           books/copyrighted/
      Filename Pattern                               *.pdf
      Sensitivity                                    copyrighted
      Scan Periodically                              enabled
      <Frequency>                                    Daily, Hour: 2, Min: 0
      Advanced
      Fingerprint files in subdirectories            enabled
      Remove fingerprints for deleted files          not enabled
      Keep previous fingerprints for modified files  enabled
Two sensors need to be created: one for blocking the transmission of copyrighted material, and a second for allowing the passing of copyrighted material under specific circumstances.
3. Create the first DLP Sensor
   • Go to Security Profile > Data Leak Prevention.
   • Create a new sensor. Use the following field values:
      Name                             block_copyrighted
      Comment                          <optional>
   • In the Filter table, select Create New. Use the following values:
      Filter                           Files
      Filter option                    File Finger Print
      Finger print value (from dropdown)  copyrighted
      Examine the Following Services   Make sure all of the services are being examined.
      Action                           From the drop down menu choose Block
4. Create the second DLP Sensor
   • Go to Security Profile > Data Leak Prevention.
   • Create a new sensor. Use the following field values:
      Name                             allow_copyrighted
      Comment                          <optional>
   • In the Filter table, select Create New. Use the following values:
      Filter                           Files
      Filter option                    File Finger Print
      Finger print value (from dropdown)  copyrighted
      Examine the Following Services   Make sure all of the services are being examined.
      Action
   a. Go to Policy & Objects > Policy > IPv4.
   b. Select Create New.
   c. Use the following values in the Policy:
      Incoming Interface       LAN
      Source Address           all
      Outgoing Interface       wan1
      Destination Address      all
      Schedule                 always
      Service                  all
      Action                   ACCEPT
      Enable NAT               enabled -- Use Destination Interface Address
      Antivirus                <ON> default
      DLP                      <ON> Copyrighted
      SSL/SSH Inspection       <ON> default
      Enable this policy       <ON>
This policy should be placed as close to the beginning of the list of policies as possible, so that it is among the first tested against.
6. Create a policy to block transmission of copyrighted material.
This will in effect be the default template for all following policies, in that they will have to use the DLP profile that blocks the transmission of the copyrighted material.
   a. Go to Policy & Objects > Policy > IPv4.
   b. Select Create New or edit an existing policy.
   c. Use the following values in the Policy:
The fields should include whatever values you need to accomplish your requirements, but each policy should include the DLP sensor block_copyrighted, or, if a different DLP configuration is required, it should include a filter that blocks copyrighted fingerprinted files.
If you need to create a policy that is identity based, make sure that there is an Authentication rule for the group employees that uses the DLP sensor that blocks copyrighted material.
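The following is an added, constructed model of the scenario above, not FortiGate code or the product's fingerprint algorithm: a whole-file hash stands in for the document fingerprint, the store applies the page's retention settings (previous fingerprints kept on modification, nothing removed on deletion), and the decision function reproduces what the two sensors and their policies are meant to achieve for the Senior_Editors and approved_printers groups. Group memberships, file contents and the printer address are assumptions.

```python
import hashlib

# Constructed model of the scenario above (not FortiGate code): a fingerprint store
# for the "copyrighted" sensitivity level with the page's retention settings, plus
# the group/printer decision the two DLP sensors and their policies implement.
SENIOR_EDITORS = {"alice"}              # constructed Senior_Editors membership
APPROVED_PRINTERS = {"192.168.27.201"}  # constructed approved_printers group

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # whole-file hash stands in for the engine's fingerprint

class FingerprintStore:
    def __init__(self, sensitivity: str):
        self.sensitivity, self.prints = sensitivity, {}  # fingerprint -> source path

    def scan(self, share: dict) -> None:
        # Periodic scan of the share: learn every *.pdf. setdefault never overwrites
        # and nothing is ever deleted, mirroring "Keep previous fingerprints for
        # modified files" enabled and "Remove fingerprints for deleted files" disabled.
        for path, data in share.items():
            if path.lower().endswith(".pdf"):
                self.prints.setdefault(fingerprint(data), path)

    def matches(self, data: bytes) -> bool:
        return fingerprint(data) in self.prints

def decide(store: FingerprintStore, user: str, dst: str, data: bytes, log: list) -> str:
    # Unfingerprinted traffic is untouched; fingerprinted material passes only from
    # a Senior_Editor to an approved printer, and even that transmission is recorded.
    if not store.matches(data):
        return "allow"
    verdict = "allow" if user in SENIOR_EDITORS and dst in APPROVED_PRINTERS else "block"
    log.append(f"{verdict} {store.sensitivity}: {user} -> {dst}")
    return verdict

def run_scenario() -> dict:
    store, log = FingerprintStore("copyrighted"), []
    share = {"books/copyrighted/novel.pdf": b"novel v1", "books/copyrighted/readme.txt": b"x"}
    store.scan(share)
    share["books/copyrighted/novel.pdf"] = b"novel v2"  # legal revision of the document
    store.scan(share)
    del share["books/copyrighted/novel.pdf"]            # file later removed from the share
    store.scan(share)
    return {
        "editor_to_printer": decide(store, "alice", "192.168.27.201", b"novel v1", log),
        "employee_to_internet": decide(store, "carol", "203.0.113.9", b"novel v2", log),
        "editor_to_internet": decide(store, "alice", "203.0.113.9", b"novel v1", log),
        "unfingerprinted": decide(store, "carol", "203.0.113.9", b"x", log),
        "log": log,
    }
```

Both the superseded and the deleted versions of the document are still detected after the later scans, which is the behaviour the two Advanced settings are meant to guarantee.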
ICAP The Protocol
ICAP
ICAP is the acronym for Internet Content Adaptation Protocol. The purpose of the feature is to offload work that would normally take place on the firewall to a separate server specifically set up for the specialized processing of the incoming traffic. This takes some of the resource strain off of the FortiGate firewall, leaving it to concentrate its resources on things that only it can do.
Offloading value-added services from web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput rather than having to handle these extra tasks.
ICAP servers are focused on a specific function, for example:
• Ad insertion
• Virus scanning
• Content translation
• HTTP header or URL manipulation
• Language translation
• Content filtering
ICAP does not appear by default in the web-based manager. You must enable it in System > Admin > Settings to display ICAP in the web-based manager.
The following topics are included in this section:
• The Protocol
• Offloading using ICAP
• Configuration Settings
• Example ICAP sequence
• Example Scenario