Cookbook

DLP fingerprinting

DLP fingerprinting can be used to detect sensitive data. The file that the DLP sensor will filter for is uploaded, and the FortiGate generates and stores a checksum fingerprint of it. The FortiGate then generates fingerprints for the files it detects in network traffic and compares them against the checksums stored in its database. If a match is found, the configured action is taken.

Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

To use fingerprinting:

  • Select the files to be fingerprinted by targeting a document source.
  • Add fingerprinting filters to DLP sensors.
  • Add the sensors to the firewall policies that accept the traffic to which fingerprinting will be applied.
Note

The document fingerprint feature requires a FortiGate device that has internal storage.

To configure a DLP fingerprint document:
config dlp fp-doc-source
    edit <name_str>
        set server-type smb
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity <Critical | Private | Warning>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    next
end

Command

Description

server-type smb

The protocol used to communicate with the document server. Only Samba (SMB) servers are supported.

server <string>

IPv4 or IPv6 address of the server.

period {none | daily | weekly | monthly}

The frequency at which the FortiGate checks the server for new or changed files.

vdom {mgmt | current}

The VDOM that can communicate with the file server.

scan-subdirectories {enable | disable}

Enable/disable scanning subdirectories to find files.

remove-deleted {enable | disable}

Enable/disable keeping the fingerprint database up to date when a file is deleted from the server.

keep-modified {enable | disable}

Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server.

username <string>

The user name required to log into the file server.

password <password>

The password required to log into the file server.

file-path <string>

The path on the server to the fingerprint files.

file-pattern <string>

Files matching this pattern on the server are fingerprinted.

sensitivity <Critical | Private | Warning>

The sensitivity or threat level for matches with this fingerprint database.

tod-hour <integer>

Set the hour of the day. This option is only available when period is not none.

tod-min <integer>

Set the minute of the hour. This option is only available when period is not none.

weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}

Set the day of the week. This option is only available when period is weekly.

date <integer>

Set the day of the month. This option is only available when period is monthly.

To configure a DLP fingerprint sensor:
config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end

Command

Description

proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}

The protocol to inspect.

filter-by fingerprint

Match against a fingerprint sensitivity.

sensitivity {Critical | Private | Warning}

Select a DLP file pattern sensitivity to match.

match-percentage <integer>

The percentage of the fingerprint that must match before the sensor is triggered.

action {allow | log-only | block | ban | quarantine-ip}

The action to take with content that this DLP sensor matches.
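The chunk-and-threshold model behind chunkCnt, reviseCnt, keep-modified, remove-deleted and match-percentage, as an added Python illustration that is not FortiGate's implementation: the chunk size, the hash, the use of the stored document's chunk count as the percentage denominator, and the document path are all assumptions for the demo.

```python
import hashlib

CHUNK_SIZE = 64  # assumed demo chunk size; FortiGate's real chunking is not documented here


def fingerprint(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Hash each fixed-size chunk; the number of hashes plays the role of chunkCnt."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


class FingerprintDB:
    """Fingerprints per document revision (reviseCnt), tagged with a sensitivity."""

    def __init__(self, keep_modified: bool = True):
        self.keep_modified = keep_modified
        self.docs = {}  # path -> {"sensitivity": str, "revisions": [chunk-hash lists]}

    def scan(self, path: str, data: bytes, sensitivity: str) -> None:
        """Doc-source refresh: a new file adds an entry; a changed file adds a
        revision (keep-modified enable) or replaces the fingerprint (disable)."""
        fp = fingerprint(data)
        entry = self.docs.setdefault(path, {"sensitivity": sensitivity, "revisions": []})
        if fp in entry["revisions"]:
            return  # unchanged since the last refresh
        entry["revisions"] = entry["revisions"] + [fp] if self.keep_modified else [fp]

    def remove_deleted(self, present_paths: set) -> None:
        """remove-deleted enable: drop entries for files no longer on the server."""
        for path in list(self.docs):
            if path not in present_paths:
                del self.docs[path]

    def best_match(self, data: bytes, sensitivity: str) -> tuple:
        """(path, percent) of the stored revision with the largest share of its
        chunks present in the inspected data; (None, 0) if nothing matches."""
        seen = set(fingerprint(data))
        best = (None, 0)
        for path, entry in self.docs.items():
            if entry["sensitivity"] != sensitivity:
                continue  # a filter only matches documents of its own sensitivity
            for rev in entry["revisions"]:
                rev_set = set(rev)
                pct = 100 * len(seen & rev_set) // len(rev_set)
                if pct > best[1]:
                    best = (path, pct)
        return best


def evaluate_filter(db: FingerprintDB, data: bytes, sensitivity: str,
                    match_percentage: int, action: str) -> tuple:
    """Sensor filter: filter-by fingerprint, sensitivity, match-percentage, action.
    Returns (action, path, pct) when triggered, otherwise (None, None, pct)."""
    path, pct = db.best_match(data, sensitivity)
    if path is not None and pct >= match_percentage:
        return action, path, pct
    return None, None, pct


if __name__ == "__main__":
    doc = b"".join(bytes([i]) * CHUNK_SIZE for i in range(10))  # constructed 10-chunk file
    db = FingerprintDB()
    db.scan("/fingerprint/upload/spec.doc", doc, "Private")   # constructed path
    print(evaluate_filter(db, doc[:5 * CHUNK_SIZE], "Private", 50, "block"))
```

Half of the document leaving in traffic is a 50% match, so a filter with match-percentage 50 fires and one with 60 does not; a revised copy still matches the old revision at 90% when keep-modified is enabled.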

View the DLP fingerprint database on the FortiGate

The CLI debug command diagnose test application dlpfingerprint can be used to display the fingerprint information that is on the FortiGate.

Fingerprint Daemon Test Usage;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  1 : This menu
  2 : Dump database
  3 : Dump all files
  5 : Dump all chunk
  6 : Refresh all doc sources in all VDOMs
  7 : Show the db file size and the limit
  9 : Display stats
 10 : Clear stats
 99 : Restart this daemon

For example, option 3 will dump all fingerprinted files:

DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
---------------------------------------
id, filename,                               vdom, archive, deleted, scanTime,   docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1,  /fingerprint/upload/1.txt,              vdom1,  0,      0,      1494868196,   1,      2,      1,    0,
2,  /fingerprint/upload/30percentage.xls,   vdom1,  0,      0,      1356118250,   1,      2,    13,      0,
3,  /fingerprint/upload/50.pdf,             vdom1,  0,      0,      1356118250,   1,      2,      122,  0,
4,  /fingerprint/upload/50.pdf.tar.gz,      vdom1,  0,      0,      1356118250,   1,      2,    114,     0,
5,  /fingerprint/upload/check-list_AL-SIP_HA.xls,   vdom1,  0,      0,      1356118251,     1,    2,       32,     0,
6,  /fingerprint/upload/clean.zip,          vdom1,  0,      0,      1356118251,   1,      2,      1,    0,
7,  /fingerprint/upload/compare.doc,        vdom1,  0,      0,      1522097410,   1,      2,    18,      0,
8,  /fingerprint/upload/dlpsensor-watermark.pdf,    vdom1,  0,      0,      1356118250,     1,    2,       11,     0,
9,  /fingerprint/upload/eicar.com,          vdom1,  0,      0,      1356118250,   1,      2,      1,    0,
10, /fingerprint/upload/eicar.zip,          vdom1,  0,      0,      1356118250,   1,      2,      1,    0,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt,  vdom1,  0,      0,      1356118250,     1,    2,       11,     0,
12, /fingerprint/upload/encrypt.zip,        vdom1,  0,      0,      1356118250,   1,      2,    77,      0,
13, /fingerprint/upload/extension_7_8_1.crx,        vdom1,  0,      0,      1528751781,     1,    2,       2720,   0,
14, /fingerprint/upload/fingerprint.txt,    vdom1,  0,      0,      1498582679,   1,      2,    37,      0,
15, /fingerprint/upload/fingerprint90.txt,  vdom1,  0,      0,      1498582679,   1,      2,    37,      0,
16, /fingerprint/upload/fo2.pdf,            vdom1,  0,      0,      1450488049,   1,      2,      1,    0,
17, /fingerprint/upload/foo.doc,            vdom1,  0,      0,      1388538131,   1,      2,      9,    0,
18, /fingerprint/upload/fortiauto.pdf,      vdom1,  0,      0,      1356118251,   1,      2,    146,     0,
19, /fingerprint/upload/image.out,          vdom1,  0,      0,      1531802940,   1,      2,      5410, 0,
20, /fingerprint/upload/jon_file.txt,       vdom1,  0,      0,      1536596091,   1,      2,    1,       0,
21, /fingerprint/upload/machotest,          vdom1,  0,      0,      1528751955,   1,      2,      19,   0,
22, /fingerprint/upload/nntp-server.doc,    vdom1,  0,      0,      1356118250,   1,      2,    17,      0,
23, /fingerprint/upload/notepad++.exe,      vdom1,  0,      0,      1456090734,   1,      2,    1061,    0,
24, /fingerprint/upload/nppIExplorerShell.exe,      vdom1,  0,      0,      1438559930,     1,    2,       5,      0,
25, /fingerprint/upload/NppShell_06.dll,    vdom1,  0,      0,      1456090736,   1,      2,    111,     0,
26, /fingerprint/upload/PowerCollections.chm,       vdom1,  0,      0,      1533336889,     1,    2,       728,    0,
27, /fingerprint/upload/reflector.dmg,      vdom1,  0,      0,      1533336857,   1,      2,    21117,   0,
28, /fingerprint/upload/roxio.iso,          vdom1,  0,      0,      1517531765,   1,      2,      49251,0,
29, /fingerprint/upload/SciLexer.dll,       vdom1,  0,      0,      1456090736,   1,      2,    541,     0,
30, /fingerprint/upload/screen.jpg,         vdom1,  0,      0,      1356118250,   1,      2,      55,   0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc,    vdom1,  0,    0,      1356118251,    1,      2,      31,     0,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea,        vdom1,  0,    0,       1529019743,     1,      2,      1,      0,
33, /fingerprint/upload/test.pdf,           vdom1,  0,      0,      1356118250,   1,      2,      5,    0,
34, /fingerprint/upload/test.tar,           vdom1,  0,      0,      1356118251,   1,      2,      3,    0,
35, /fingerprint/upload/test.tar.gz,        vdom1,  0,      0,      1356118250,   1,      2,    1,       0,
36, /fingerprint/upload/test1.txt,          vdom1,  0,      0,      1540317547,   1,      2,      1,    0,
37, /fingerprint/upload/thousand-files.zip, vdom1,  0,      0,      1536611774,   1,      2,    241,     0,
38, /fingerprint/upload/Thumbs.db,          vdom1,  0,      0,      1445878135,   1,      2,      3,    0,
39, /fingerprint/upload/widget.pdf,         vdom1,  0,      0,      1356118251,   1,      2,      18,   0,
40, /fingerprint/upload/xx00-xx01.tar,      vdom1,  0,      0,      1356118250,   1,      2,    5,       0,
41, /fingerprint/upload/xx02-xx03.tar.gz,   vdom1,  0,      0,      1356118251,   1,      2,    1,       0,
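A parser for the File DB table that option 3 prints, added here so a pasted dump can be audited offline against what option 7 reports about database size; this is example code, not a Fortinet tool, and the column layout is inferred from the sample output above. The embedded sample copies rows from that output plus one constructed row (id 99, deleted=1).

```python
from collections import Counter

FIELDS = ("id", "filename", "vdom", "archive", "deleted", "scanTime",
          "docSourceSrvr", "sensitivity", "chunkCnt", "reviseCnt")


def parse_file_db(dump: str) -> list:
    """Return one dict per data row; numeric columns become ints.
    Rows end with a trailing comma and filenames may contain spaces."""
    rows, in_table = [], False
    for line in dump.splitlines():
        if line.startswith("id,"):  # the header row starts the table
            in_table = True
            continue
        if not in_table or not line.strip():
            continue  # prompt, "File DB:" banner and dashes come before the header
        parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
        if len(parts) != len(FIELDS):
            raise ValueError("unexpected column count: %r" % line)
        row = dict(zip(FIELDS, parts))
        for key in FIELDS:
            if key not in ("filename", "vdom"):
                row[key] = int(row[key])
        rows.append(row)
    return rows


def summarize(rows: list) -> dict:
    """Figures an operator checks: chunk totals (what fills the database),
    files per sensitivity code, entries still flagged deleted, and the
    largest single consumer of chunks."""
    return {
        "files": len(rows),
        "chunks": sum(r["chunkCnt"] for r in rows),
        "by_sensitivity": dict(Counter(r["sensitivity"] for r in rows)),
        "deleted": [r["filename"] for r in rows if r["deleted"]],
        "largest": max(rows, key=lambda r: r["chunkCnt"])["filename"] if rows else None,
    }


# Sample: rows copied from the dump above, plus a constructed row (id 99) with deleted=1.
SAMPLE_DUMP = """\
DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
---------------------------------------
id, filename,                               vdom, archive, deleted, scanTime,   docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1,  /fingerprint/upload/1.txt,              vdom1,  0,      0,      1494868196,   1,      2,      1,    0,
2,  /fingerprint/upload/30percentage.xls,   vdom1,  0,      0,      1356118250,   1,      2,    13,      0,
28, /fingerprint/upload/roxio.iso,          vdom1,  0,      0,      1517531765,   1,      2,      49251,0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc,    vdom1,  0,    0,      1356118251,    1,      2,      31,     0,
99, /fingerprint/upload/constructed-deleted.txt, vdom1, 0,  1,      1540317547,   1,      2,      4,    0,
"""

if __name__ == "__main__":
    print(summarize(parse_file_db(SAMPLE_DUMP)))
```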
