Data Leak Prevention
FortiGate Version 4.0 MR1 Administration Guide (01-410-89802-20090903)
http://docs.fortinet.com/
DLP archiving
You can use DLP archiving to collect and view historical logs that have been archived to a
FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is
available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiGate
configuration (see “Remote logging to a FortiAnalyzer unit” on page 710). The FortiGuard
Analysis and Management server becomes available when you subscribe to the
FortiGuard Analysis and Management Service (see the FortiGuard Analysis and
Management Service Administration Guide).
You can configure full DLP archiving and summary DLP archiving. Full DLP archiving
includes all content; for example, full email DLP archiving includes complete email
messages and attachments. Summary DLP archiving includes only the metadata about
the content; for example, email message summary records include only the email header.
You can archive Email, FTP, HTTP, IM, MMS, and session control content:
• Email content includes IMAP, POP3, and SMTP sessions. Email content can also
include email messages tagged as spam by FortiGate Email filtering. If your FortiGate
unit supports SSL content scanning and inspection, Email content can also include
IMAPS, POP3S, and SMTPS sessions.
• HTTP content includes HTTP sessions. If your FortiGate unit supports SSL content
scanning and inspection, HTTP content can also include HTTPS sessions.
For more information about SSL content scanning and inspection, see “SSL content
scanning and inspection” on page 481.
• IM content includes AIM, ICQ, MSN, and Yahoo! sessions.
• Session control content includes SIP, SIMPLE, and SCCP sessions. Only summary
DLP archiving is available for SIP and SCCP. Full and summary DLP archiving are
available for SIMPLE.
You add DLP sensors to archive Email, Web, FTP, IM, and session control content.
Archiving of spam email messages is configured in protection profiles.
Severity: Enter the severity of the content that the rule or compound rule matches. Use
the severity to indicate the seriousness of the problems that would result from the
content passing through the FortiGate unit. For example, if the DLP rule finds
high-security content, the severity could be 5. On the other hand, if the DLP rule finds
any content, the severity should be 1.
DLP adds the severity to the severity field of the log message generated when the
rule or compound rule matches content. The higher the number, the greater the
severity.
Expires: When the action is set to Ban, Ban Sender, or Quarantine IP address, you can
specify how long the ban will last. Select Indefinite for a ban that ends only if the
offender is manually removed from the banned user list, or select After and enter the
required number of minutes, hours, or days the ban will last. When the specified
duration expires, the offender is automatically removed from the banned user list.
Member Type: Select Rule or Compound Rule. The rules of the selected type are
displayed in the table below.
Name: The names of all available rules or compound rules.
Description: The optional description entered for each rule or compound rule.
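As an added illustration of the Expires setting described above (this is not FortiGate's own code), the following Python model keeps a banned user list whose entries are either Indefinite or expire after a number of minutes, hours, or days and are removed automatically once that duration has elapsed; the offender identifiers and the reference time are constructed for the demo.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# DLP actions that place an offender on the banned user list (from the guide).
BAN_ACTIONS = {"Ban", "Ban Sender", "Quarantine IP address"}
# "After" durations may be entered in minutes, hours or days; convert to minutes.
UNIT_MINUTES = {"minutes": 1, "hours": 60, "days": 24 * 60}
# Constructed reference time used by the demo at the bottom.
T0 = datetime(2009, 9, 3, 12, 0)
MINUTE = timedelta(minutes=1)


class BannedUserList:
    def __init__(self) -> None:
        # offender (user, sender address or IP address) -> (action, expiry or None)
        self._entries: Dict[str, Tuple[str, Optional[datetime]]] = {}

    def ban(self, offender: str, action: str, now: datetime,
            after: Optional[int] = None, unit: str = "minutes") -> None:
        if action not in BAN_ACTIONS:
            raise ValueError(f"action {action!r} does not ban an offender")
        expires_at = None  # Indefinite: cleared only by manual removal
        if after is not None:
            expires_at = now + timedelta(minutes=after * UNIT_MINUTES[unit])
        self._entries[offender] = (action, expires_at)

    def purge_expired(self, now: datetime) -> List[str]:
        """Automatic removal once an entry's specified duration has elapsed."""
        gone = [k for k, (_, exp) in self._entries.items()
                if exp is not None and exp <= now]
        for k in gone:
            del self._entries[k]
        return gone

    def remove(self, offender: str) -> bool:
        """Manual removal by an administrator; the only exit from an Indefinite ban."""
        return self._entries.pop(offender, None) is not None

    def is_banned(self, offender: str, now: datetime) -> bool:
        self.purge_expired(now)
        return offender in self._entries


if __name__ == "__main__":
    bl = BannedUserList()
    bl.ban("192.0.2.10", "Quarantine IP address", T0, after=2, unit="hours")
    bl.ban("sender@example.invalid", "Ban Sender", T0)  # Indefinite
    print(bl.is_banned("192.0.2.10", T0 + 119 * MINUTE))  # True
    print(bl.is_banned("192.0.2.10", T0 + 120 * MINUTE))  # False, auto-removed
```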