
How to Use Fortinet Firewalls to Prevent Data Exfiltration from Servers

Prevent data leaks with Fortinet’s advanced firewall protection.

Data Exfiltration Prevention from Servers Using Fortinet Firewalls

Still groggy and running on post-DefCon energy — Sanjay Seth here, writing from my desk at PJ Networks after my third cup of coffee.

Quick Take

If you don’t have a lot of time (and who does?), here’s the half-minute version:

  • Fortinet firewalls with DLP (Data Loss Prevention) can stop sensitive data walking out the door, byte by byte.
  • Want to actually stop unauthorized leaks? Turn on Layer 7 inspection and content filtering, and deploy outbound rules that make your perimeter tighter than a submarine hatch.
  • Zero-trust is not a buzzword. It matters. In just the last quarter, I’ve helped three banks move toward real zero-trust, and Fortinet played a major role.
  • Data exfiltration protection is a must-have if your servers touch anything external.

Got a few more minutes? Let’s dig into it.

What is Data Exfiltration?

Okay. Before we get fancy with the acronyms, let’s do the basics. Data exfiltration is sensitive information leaving your network without authorization. Think customer databases, financial records, source code, strategic plans: the kind of stuff attackers salivate over.

And it’s rarely loud. A lot of the time it’s stealthy. That’s the scary part.

Back in ’93 when I was a network admin, the concern was floppy disks going out the door. Then came modems. Then Slammer in 2003 slapped half the internet awake — we learned the hard way how quickly worms could burrow into vulnerable SQL servers and poke holes in our networks.

Today, attackers are smarter. They exfiltrate stolen data gradually, over time, via an array of protocols: HTTPS, DNS tunnels, reverse SSH tunnels, you name it. The aim is always the same: get your data out without you noticing.

How Fortinet Enables Detection & Blocking of Data Theft

Now here’s the catch: that old-school firewall of yours? Not enough anymore. A dumb stateful packet inspection box can neither decode application-layer traffic nor notice files being pulled out the back door after hours.

And that’s why I go heavy on Fortinet’s FortiGate series. We roll these out all the time at PJ Networks (cattle, not pets; the latest was a multi-site FortiGate cluster for a regional bank, and I’m happy to say no alerts since deploying six weeks ago. Yet.)

So let’s look at how Fortinet can help:

  1. Data Loss Prevention (DLP). This one’s the MVP. You define patterns (PANs, email addresses, IBANs, keywords, etc.) and the FortiGate scans outgoing traffic for matches.
    • Fourteen credit card numbers in a PDF? Blocked.
    • Customer SSNs in an Excel document? Blocked.
    • A suspicious Base64 chunk in a POST request at 2 AM? Alert and lockdown.

    This works because DLP is content-aware, not just port- or protocol-based. One caveat: pattern rules for card numbers and SSNs will also match order numbers, timestamps and similar digit runs, so put a new sensor on the log action first, review what it actually matches, and only then switch it to block.

  2. Application Control. You’d be amazed at how much data swims out on the back of Slack, Dropbox or some obscure FTP client you didn’t even know was on a dev server. Fortinet identifies hundreds of apps and services, which lets you:

    • Block them entirely.
    • Allow browsing but block the upload and file-transfer sub-signatures (effectively read-only).
    • Allow uploads only for specific users or groups, using identity-based policies.

    I typically log everything first, and then tighten the screws.

  3. SSL/Deep Packet Inspection. Yes, it’s a privacy horror show if abused. But for corporate firewalls where traffic is consented to? It’s gold. The FortiGate decrypts outgoing SSL/TLS, analyzes the payload, and re-encrypts it. If something sensitive is being sent through Gmail or OneDrive, it is flagged, or quarantined straight away. Two practical caveats: every endpoint must trust the firewall’s inspection CA or sites simply break, and applications that pin certificates (plus categories such as banking and health that policy commonly requires you to leave alone) need explicit exemptions. Without deep inspection the firewall sees only the SNI and certificate of a TLS session, so DLP and application control cannot look at the content at all.

  4. Threat Intelligence integration. That hardware hacking village at this year’s DefCon? Made it crystal clear that attackers don’t just come in through code; they come in through firmware, supply chain, side-channels…

    FortiGuard services feed the FortiGate updated signatures, C2 domain lists and malware indicators, so new exfil methods (new C2 domains, updated malware payloads) are caught soon after they show up in the wild, provided the subscriptions are active and the updates are actually reaching the box. Check that as part of your audits.
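To make “content-aware” concrete, here is an added Python illustration of the kind of check a DLP pass runs on an outbound request body, first as-is and then inside any base64 run it finds (the 2 AM POST case above). It is written for this post and is not Fortinet’s implementation; the regexes, the Luhn validation, the masking and the sample POST body (public test card numbers and a made-up SSN) are all constructed assumptions.

```python
# Added illustration of a content-aware DLP pass over an outbound request body.
# This is not Fortinet code; the patterns, masking and the sample POST body are
# constructed for this post (test card numbers, fake SSN).
import base64
import binascii
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in AAA-GG-SSSS layout, excluding ranges that are never issued
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# Long base64-looking runs: a cheap way to smuggle data past a keyword-only filter
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass(frozen=True)
class Finding:
    kind: str      # "pan" or "ssn"
    masked: str    # only the last four digits survive into logs
    encoded: bool  # True when the match was found after base64 decoding


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops most false positives from order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def _scan_text(text: str, encoded: bool) -> list[Finding]:
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(Finding("pan", mask(digits), encoded))
    for m in SSN_RE.finditer(text):
        found.append(Finding("ssn", mask(m.group().replace("-", "")), encoded))
    return found


def scan_payload(payload: str) -> list[Finding]:
    """Scan the body as it would leave the network: as-is, then inside any
    base64 run that decodes cleanly (one level deep is enough to show the idea)."""
    findings = _scan_text(payload, encoded=False)
    for m in B64_RE.finditer(payload):
        try:
            blob = base64.b64decode(m.group(), validate=True)
        except binascii.Error:
            continue                    # not real base64, or bad padding
        findings.extend(_scan_text(blob.decode("utf-8", errors="ignore"), encoded=True))
    return findings


def decide(findings: list[Finding]) -> str:
    """Sensor action for the session: any PAN or SSN match blocks it."""
    return "block" if findings else "allow"


# Constructed sample: one card number in the clear, one SSN, and a second card
# number hidden inside a base64 form field, as an attacker (or a careless
# integration) might send it at 2 AM.
_HIDDEN = base64.b64encode(b"card=5555555555554444&note=quarterly-export-do-not-share").decode()
SAMPLE_POST = (
    "customer=acme&cc=4111 1111 1111 1111&ssn=123-45-6789"
    f"&blob={_HIDDEN}&ref=20240918"
)

if __name__ == "__main__":
    hits = scan_payload(SAMPLE_POST)
    for h in hits:
        print(h)
    print("action:", decide(hits))
```

Run it and you get three masked findings (the plain card, the SSN, and the card that only appears after decoding) and the action block. Two points worth taking from it: the Luhn check is what keeps a PAN rule from firing on every 16-digit reference number, and the masking matters because a DLP log that stores the full card number is itself a leak waiting to happen.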

Data Breach Prevention: Best Practices

It’s not only about the gear; it’s about how you use it. I have seen orgs spend lakhs on firewalls only to misconfigure them and let data flow out over port 443 as if it were a firehose.

These are some battle-tested practices that I push incredibly hard with every client:

  • Write explicit outbound rules. Default deny: block everything, then allow only what each server group actually needs, to the destinations it actually needs, and log the denies.
  • Run DLP continuously and update the sensors as your data landscape evolves.
  • Segment your networks. DMZs, guest VLANs, dev environment separation: it all counts.
  • Regular audits. Not yearly. Monthly. Weekly if you handle PII, financials, etc.
  • Deploy zero-trust techniques: nothing is trusted by default. Not even the server that’s been at the same address for 12 years and has “never been a problem.”
  • Block known risky apps unless you specifically need them, and always log app usage.
  • Monitor user behavior analytics. What if Mukesh in Accounting uploads 500MB to an FTP server at 11pm on a Saturday? That’s not normal. Fortinet, in conjunction with a decent SIEM, can recognize that.
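As an added example of the last bullet’s check, and not code from Fortinet, FortiAnalyzer or any SIEM: a per-user upload baseline run over a handful of traffic log lines constructed in the key=value layout FortiGate logs use (field names such as date, time, user, service and sentbyte follow the FortiGate traffic log). The thresholds, the business-hours window and the list of “unsanctioned” services are assumptions you would tune per site.

```python
# Added example of a per-user upload baseline over FortiGate-style traffic logs.
# Not Fortinet or FortiAnalyzer code. The log lines are constructed in the
# key=value layout FortiGate uses; thresholds, hours and the service list are
# assumptions to tune per site.
import re
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
BUSINESS_HOURS = range(8, 20)          # 08:00-19:59 local time, Monday to Friday
UNSANCTIONED = {"FTP", "SMTP", "SSH"}  # services your servers should not upload over
SPIKE_FACTOR = 10                      # flow must send 10x the user's baseline ...
ABS_MIN_BYTES = 50 * 1024 * 1024       # ... and at least 50 MB, so tiny baselines don't page you
MIN_HISTORY = 3                        # flows needed before a user has a baseline


def parse_line(line: str) -> dict:
    """One FortiGate-style traffic log line -> dict with a parsed timestamp and byte count."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["when"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    ev["sentbyte"] = int(ev.get("sentbyte", 0))
    return ev


def off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


@dataclass
class Alert:
    user: str
    when: datetime
    sentbyte: int
    reasons: list = field(default_factory=list)


def evaluate(lines: list[str]) -> list[Alert]:
    """Walk flows in time order with a running per-user baseline of bytes sent."""
    history: dict[str, list[int]] = {}
    alerts = []
    for ev in sorted((parse_line(line) for line in lines), key=lambda e: e["when"]):
        user, sent = ev.get("user", "unknown"), ev["sentbyte"]
        past = history.setdefault(user, [])
        if len(past) >= MIN_HISTORY and sent > max(ABS_MIN_BYTES, SPIKE_FACTOR * mean(past)):
            alert = Alert(user, ev["when"], sent, ["volume_spike"])
            if off_hours(ev["when"]):
                alert.reasons.append("off_hours")
            if ev.get("service") in UNSANCTIONED:
                alert.reasons.append("unsanctioned_service")
            alerts.append(alert)
            continue                    # keep the spike out of the baseline
        past.append(sent)
    return alerts


# Constructed log lines (FortiGate key=value style). Mukesh sends a few MB over
# HTTPS on weekdays, one larger-but-ordinary daytime transfer on Friday, then
# 500 MB over FTP at 23:05 on a Saturday. Lines are deliberately out of order.
SAMPLE_LOGS = [
    'date=2024-09-10 time=10:12:03 devname="FGT-BR01" type="traffic" subtype="forward" srcip=10.10.5.23 dstip=203.0.113.10 dstport=443 service="HTTPS" user="mukesh" action="accept" policyid=12 sentbyte=2097152 rcvdbyte=65536',
    'date=2024-09-11 time=11:40:55 devname="FGT-BR01" type="traffic" subtype="forward" srcip=10.10.5.23 dstip=203.0.113.10 dstport=443 service="HTTPS" user="mukesh" action="accept" policyid=12 sentbyte=3145728 rcvdbyte=81920',
    'date=2024-09-12 time=15:02:19 devname="FGT-BR01" type="traffic" subtype="forward" srcip=10.10.5.23 dstip=203.0.113.11 dstport=443 service="HTTPS" user="mukesh" action="accept" policyid=12 sentbyte=1048576 rcvdbyte=40960',
    'date=2024-09-13 time=16:30:00 devname="FGT-BR01" type="traffic" subtype="forward" srcip=10.10.5.41 dstip=203.0.113.10 dstport=443 service="HTTPS" user="priya" action="accept" policyid=12 sentbyte=2097152 rcvdbyte=65536',
    'date=2024-09-13 time=09:15:44 devname="FGT-BR01" type="traffic" subtype="forward" srcip=10.10.5.23 dstip=203.0.113.10 dstport=443 service="HTTPS" user="mukesh" action="accept" policyid=12 sentbyte=4194304 rcvdbyte=98304',
    'date=2024-09-13 time=18:45:09 devname="FGT-BR01" type="traffic" subtype="forward" srcip=10.10.5.23 dstip=203.0.113.12 dstport=443 service="HTTPS" user="mukesh" action="accept" policyid=12 sentbyte=8388608 rcvdbyte=122880',
    'date=2024-09-14 time=23:05:11 devname="FGT-BR01" type="traffic" subtype="forward" srcip=10.10.5.23 dstip=198.51.100.8 dstport=21 service="FTP" user="mukesh" action="accept" policyid=15 sentbyte=524288000 rcvdbyte=4096',
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS):
        print(alert)
```

The point of the running baseline is that “500MB” is not the rule; “ten times what this user normally sends, after hours, over a service servers have no business using” is. The Friday-evening 8 MB transfer passes because it is inside business hours and nowhere near the spike threshold, and a flagged flow is deliberately kept out of the baseline so one exfil attempt cannot raise the bar for the next.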

Data Security Solutions by PJ Networks

Yeah, small plug here — but, only because I’m proud of the work we do.

We excel at PJ Networks in:

  • Small- to large-scale multi-site deployment and hardening of Fortinet firewalls
  • Building custom DLP rule packs for banks, law firms, and healthcare organizations
  • Establishing secure data transfer systems for APIs, webapps, and internal apps
  • Training IT teams to detect and respond to exfil attempts
  • Enabling orgs to progress to real zero-trust models rather than checkbox frameworks

One example from recent times: a national bank with over 200 branches. They were seeing suspicious data streams (not very often). We brought in FortiGate with internal segmentation, developed custom DLP rules, and rolled their logs up into a single FortiAnalyzer view.

Result? Two detected exfiltration attempts in the first week: both from insider sources, one accidental, the other not.

That’s why I push this tech so hard.

Conclusion

Here’s what I’ll close with:

How can you stop data theft if you cannot see your own traffic? Too many businesses still treat installing a firewall as a one-off fix. It’s not. It’s a journey.

Fortinet’s DLP and inspection tools let you see what you currently can’t, and give you a way to lock things down before regulators, customers, or headlines come looking for you.

Am I calling Fortinet magic? No.

But as someone who’s seen the internet grow from PSTN modems and muxes to cloud everything — and had to pull CAT5 through literal walls — I will tell you this:

If you care about security at the firewall and about stopping data exfiltration at the gate, then, configured correctly, Fortinet is by far your best bet. Protect your data; don’t leave it unattended. I’ve seen what happens. And just trust me: you don’t want your internal HR spreadsheet appearing on Telegram.

Until next time—
Sanjay
Founder, PJ Networks Pvt Ltd
Still caffeinated. Still paranoid. You train until your bytes are locked down.

