Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JohnGeorge
New Contributor

DLP not working with Dropbox Enhanced Uploader

Stats:

-Fortigate with 5.4.4 firmware

-DLP policy enabled, configured to block certain files

-SSL "full inspection" enabled. no category exemptions, no address exemptions for dropbox.com, reputable websites is disabled. Fortigate certificate installed on client machines, and appears in the browser when viewing dropbox.com.

-Proxy option Default policy enabled

 

When uploading a certain blocked file, DLP fails to block with Dropbox's "enhanced uploader." If I use the dropbox "basic uploader" the files is blocked with a DLP message from Fortigate.

 

Why could DLP be failing with the enhanced uploader?

3 REPLIES 3
JohnGeorge
New Contributor

Further testing seems to indicate this is a problem specifically with "File Name Patterns" on the DLP policy. Why?

tanr
Valued Contributor II

Is it possible the file is getting broken up and transferred through multiple connections (like google QUIC)?  That might hide a filename and make other pattern matching difficult.  I don't know if dropbox using HTTP/2 multiplexing for some things could be part of this.

 

Also, are you doing SSL deep inspection on all ports?  Perhaps the enhanced uploader is just using non-standard ports? My understanding was that Dropbox only used HTTP and HTTPS, except for LAN sync, but that may no longer be the case.

 

Do let us know what you find.  I've had to block QUIC and TEREDO on some subnets to allow full SSL inspection. Would be good to know if there is something else I need to work around as well.

hmtay_FTNT
Staff
Staff

Hello JohnGeorge,

 

I tested DLP + deep-inspection with Enhanced Uploader and I am able to block the files. From my traffic analysis, Dropbox does not appear to use QUIC protocol. I left "File Name Patterns" empty though. Looking at the plaintext HTTP headers, they look like standard headers that a regular string search should be able to easily detect. 

 

Can you give me more information on the "File Name Patterns" you used and I can check on my side? Thanks!

 

HoMing

Labels
Top Kudoed Authors