
FortiDLP Agent Deployment Guide

Print monitoring

FortiDLP's print monitoring functionality enables you to track the print activity occurring across your organization and configure detections to be raised for unauthorized print jobs matching various properties. Print jobs are reported before they are received by the printer.

From version 11.1.1 on Windows, version 10.2.0 on macOS, and version 12.0.0 on Linux (Preview), the FortiDLP Agent can perform content inspection on a print job to identify whether it contains sensitive information.

From version 11.2.0 on all OSs, the FortiDLP Agent can block a print job from being sent to the printer, based on configured policy parameters. For more information, refer to the FortiDLP Console User Guide.

Monitored printers across OSs

Printer type | Supported OS(s)           | Description
Local        | Windows, macOS, and Linux | USB-connected, parallel-connected, and serial printers.
Network      | Windows, macOS, and Linux | Printers that are connected directly over the network, shared printers, and print servers.
Virtual      | Windows                   | Print to PDF, OneNote, or XPS.

Note

On Windows, setup is required to enable the Agent to monitor print jobs sent to Windows-shared printers and print servers. For details, see the next section.

Windows enhanced visibility and content-aware print monitoring

This Windows printing implementation provides enhanced visibility, monitoring print jobs sent to a wider range of printers, and provides content-aware capabilities, which allow content inspection to be performed on those jobs.

Caution

To ensure this feature works alongside other security tools, configure those tools to exclude C:\Program Files\Jazz Networks\Agent\spool_shim64.dll from scanning. For more information, see Excluding FortiDLP Agent processes, directories, and files from antivirus scanning.

Requirements: FortiDLP Agent 11.1.1+ and FortiDLP Policy Templates 6.8.0+. Additionally, the following setup steps are required:

  • The Print monitoring Agent configuration group option must be turned On, as this feature is set to Legacy on the Agent by default. The Legacy Windows printing implementation reports less printing activity and is not content-aware.
  • To enable monitoring of print servers and Windows-shared printers, the steps below must be completed. For detailed instructions, refer to the Next DLP Support Portal article here.
    • To monitor print jobs sent to a printer shared by a Windows computer, client-side rendering must be enabled on the computer sharing the printer.
    • To monitor print jobs sent to a print server, driver isolation must be set to None on the computer that is printing.
  • To enable content inspection for FortiDLP Agent 11.4.6 or earlier, the XPS Viewer IFilter must be installed on the computer that is printing. For detailed instructions, refer to the Next DLP Support Portal article here.
Note

The following limitations apply. If a policy parameter configured in a detection is not available for a print job, no detection is raised for that parameter.

  • Content inspection can only be performed on print jobs that are sent using a v4 printer driver, which includes Microsoft IPP Class Drivers. For guidance on checking which driver your printer uses, refer to the Next DLP Support Portal article here.
  • Content inspection cannot be performed on all or part of a print job that has been converted into image format. This applies to most print jobs sent from a browser, as the entire print job is often an image file, and sometimes applies to PDFs that are created via the print to/save to PDF operations on a source file containing specifically formatted word boundaries.
  • For USB-connected printers, no printer unique identifier (UUID) is available.
  • No print process information is available.
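The following PowerShell readiness check is an added example, not part of the FortiDLP Agent or this guide. It walks through the Windows setup steps and the v4-driver limitation above on the computer that is printing (or sharing the printer), using the PrintManagement cmdlets Get-Printer and Get-PrinterDriver and the shim path given in the Caution. The registry location of the driver isolation policy and the XPS Viewer capability name are assumptions, marked in the comments; the per-driver isolation mode set in Print Management is not checked here.

```powershell
# Constructed readiness check for the Windows enhanced/content-aware print monitoring prerequisites.
# Run elevated; Get-WindowsCapability -Online requires administrator rights.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Shim that the Caution asks other security tools to exclude (path taken from the guide).
$shim = 'C:\Program Files\Jazz Networks\Agent\spool_shim64.dll'
if (-not (Test-Path $shim)) { $findings.Add("Agent shim not found: $shim") }

# 2. Content inspection only works with v4 drivers (MajorVersion 4); v3 queues are visible but not inspected.
$drivers = Get-PrinterDriver
foreach ($p in Get-Printer) {
    $d = $drivers | Where-Object Name -eq $p.DriverName | Select-Object -First 1
    if ($d -and $d.MajorVersion -lt 4) {
        $findings.Add("Printer '$($p.Name)' uses v$($d.MajorVersion) driver '$($p.DriverName)': content inspection unavailable")
    }
    # 3. A printer this host shares must use client-side rendering (CSR) for jobs from other hosts to be monitored.
    if ($p.Shared -and $p.RenderingMode -ne 'CSR') {
        $findings.Add("Shared printer '$($p.Name)' has RenderingMode '$($p.RenderingMode)'; fix with: Set-Printer -Name '$($p.Name)' -RenderingMode CSR")
    }
}

# 4. Driver isolation must be None for print-server monitoring. ASSUMPTION: the 'Execute print drivers in
#    isolated processes' policy is stored here as PrintDriverIsolationExecutionPolicy (1 = enforced).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$iso = (Get-ItemProperty -Path $pol -Name PrintDriverIsolationExecutionPolicy -ErrorAction SilentlyContinue).PrintDriverIsolationExecutionPolicy
if ($iso -eq 1) { $findings.Add('Print driver isolation is enforced by policy; jobs sent to print servers will not be monitored') }

# 5. Agent 11.4.6 or earlier needs the XPS Viewer IFilter. ASSUMPTION: Windows 10/11 Feature-on-Demand name.
$xps = Get-WindowsCapability -Online -Name 'XPS.Viewer~~~~0.0.1.0' -ErrorAction SilentlyContinue
if (-not $xps -or $xps.State -ne 'Installed') {
    $findings.Add('XPS Viewer not installed (required for content inspection on Agent 11.4.6 or earlier)')
}

if ($findings.Count -eq 0) { 'All Windows print-monitoring prerequisites look satisfied.' } else { $findings }
```

Each finding maps to one setup step or limitation above, so an empty result means the host meets the listed prerequisites, not that the Agent configuration group option itself is On; that is set in the FortiDLP Console.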
macOS enhanced visibility and content-aware print monitoring

This macOS printing implementation provides enhanced visibility, monitoring print jobs sent to a wide range of printers, and provides content-aware capabilities, which allow content inspection to be performed on those jobs. This feature is enabled on the Agent by default.

Requirements: FortiDLP Agent 10.2.0+ and FortiDLP Policy Templates 6.4.0+.

Note

The following limitations apply. If a policy parameter configured in a detection is not available for a print job, no detection is raised for that parameter.

  • A print job's number of pages may not always be available, but it is for print jobs from the standard macOS frameworks, which include most GUI apps and some command-line apps.
  • For IPP network printers with hard-coded network addresses (i.e. addresses without service discovery), no printer unique identifier (UUID) is available.
  • Local printers are assigned a UUID. If a local printer is shared, a new printer UUID is created, and this UUID will be reported when devices use the shared printer.
  • No printer UUID or IP address is available for print jobs sent to a printer shared by a Windows computer.
Linux print monitoring (GA) and content-aware print monitoring (Preview)

Requirements: For GA print monitoring, FortiDLP Agent 10.2.0+ and FortiDLP Policy Templates 6.5.0+. This feature is enabled on the Agent by default. For Preview content-aware print monitoring, FortiDLP Agent 12.0.0+ and FortiDLP Policy Templates 8.0.0+. To enable content-aware print monitoring, contact Fortinet Support.

Note

The following limitations apply. If a policy parameter configured in a detection is not available for a print job, no detection is raised for that parameter.

  • The number of pages is not available for any print job.
  • For network printers using mDNS service discovery, no IP address is available.
  • For IPP network printers with hard-coded network addresses (i.e. addresses without service discovery), no printer unique identifier (UUID) is available.
  • For USB-connected printers, no printer type or UUID is available.
  • Local printers are assigned a UUID. If a local printer is shared, a new printer UUID is created, and this UUID will be reported when devices use the shared printer.
  • No printer UUID or IP address is available for print jobs sent to a printer shared by a Windows computer.