DLP fingerprinting
DLP fingerprinting can be used to detect sensitive data. The file that the DLP sensor will filter for is uploaded and the FortiGate generates and stores a checksum fingerprint. The FortiGate unit generates a fingerprint for all of the files that are detected in network traffic, and compares all of the checksums stored in its database. If a match is found, the configured action is taken.
Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.
To use fingerprinting:
- Select the files to be fingerprinted by targeting a document source.
- Add fingerprinting filters to DLP sensors.
- Add the sensors to firewall policies that accept traffic that the fingerprinting will be applied on.
|
The document fingerprint feature requires a FortiGate device that has internal storage. |
To configure a DLP fingerprint document:
config dlp fp-doc-source
edit <name_str>
set server-type smb
set server <string>
set period {none | daily | weekly | monthly}
set vdom {mgmt | current}
set scan-subdirectories {enable | disable}
set remove-deleted {enable | disable}
set keep-modified {enable | disable}
set username <string>
set password <password>
set file-path <string>
set file-pattern <string>
set sensitivity <Critical | Private | Warning>
set tod-hour <integer>
set tod-min <integer>
set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set date <integer>
next
end
|
Command |
Description |
|---|---|
|
server-type smb |
The protocol used to communicate with document server. Only Samba (SMB) servers are supported. |
|
server <string> |
IPv4 or IPv6 address of the server. |
|
period {none | daily | weekly | monthly} |
The frequency that the FortiGate checks the server for new or changed files. |
|
vdom {mgmt | current} |
The VDOM that can communicate with the file server. |
|
scan-subdirectories {enable | disable} |
Enable/disable scanning subdirectories to find files. |
|
remove-deleted {enable | disable} |
Enable/disable keeping the fingerprint database up to date when a file is deleted from the server. |
|
keep-modified {enable | disable} |
Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server. |
|
username <string> |
The user name required to log into the file server. |
|
password <password> |
The password required to log into the file server. |
|
file-path <string> |
The path on the server to the fingerprint files. |
|
file-pattern <string> |
Files matching this pattern on the server are fingerprinted. |
|
sensitivity <Critical | Private | Warning> |
The sensitivity or threat level for matches with this fingerprint database. |
|
tod-hour <integer> |
Set the hour of the day. This option is only available when |
|
tod-min <integer> |
Set the minute of the hour. This option is only available when |
|
weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday} |
Set the day of the week. This option is only available when |
|
date <integer> |
Set the day of the month. This option is only available when |
To configure a DLP fingerprint sensor:
config dlp sensor
edit <sensor name>
config filter
edit <id number of filter>
set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi}
set filter-by fingerprint
set sensitivity {Critical | Private | Warning}
set match-percentage <integer>
set action {allow | log-only | block | ban | quarantine-ip}
next
end
next
end
|
Command |
Description |
|---|---|
|
proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi} |
The protocol to inspect. |
|
filter-by fingerprint |
Match against a fingerprint sensitivity. |
|
sensitivity {Critical | Private | Warning} |
Select a DLP file pattern sensitivity to match. |
|
match-percentage <integer> |
The percentage of the checksum required to match before the sensor is triggered. |
| action {allow | log-only | block | ban | quarantine-ip} | The action to take with content that this DLP sensor matches. |
View the DLP fingerprint database on the FortiGate
The CLI debug command diagnose test application dlpfingerprint can be used to display the fingerprint information that is on the FortiGate.
Fingerprint Daemon Test Usage; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 1 : This menu 2 : Dump database 3 : Dump all files 5 : Dump all chunk 6 : Refresh all doc sources in all VDOMs 7 : Show the db file size and the limit 9 : Display stats 10 : Clear stats 99 : Restart this daemon
For example, option 3 will dump all fingerprinted files:
DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3 DLPFP diag_test_handler called File DB: --------------------------------------- id, filename, vdom, archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt, 1, /fingerprint/upload/1.txt, vdom1, 0, 0, 1494868196, 1, 2, 1, 0, 2, /fingerprint/upload/30percentage.xls, vdom1, 0, 0, 1356118250, 1, 2, 13, 0, 3, /fingerprint/upload/50.pdf, vdom1, 0, 0, 1356118250, 1, 2, 122, 0, 4, /fingerprint/upload/50.pdf.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 114, 0, 5, /fingerprint/upload/check-list_AL-SIP_HA.xls, vdom1, 0, 0, 1356118251, 1, 2, 32, 0, 6, /fingerprint/upload/clean.zip, vdom1, 0, 0, 1356118251, 1, 2, 1, 0, 7, /fingerprint/upload/compare.doc, vdom1, 0, 0, 1522097410, 1, 2, 18, 0, 8, /fingerprint/upload/dlpsensor-watermark.pdf, vdom1, 0, 0, 1356118250, 1, 2, 11, 0, 9, /fingerprint/upload/eicar.com, vdom1, 0, 0, 1356118250, 1, 2, 1, 0, 10, /fingerprint/upload/eicar.zip, vdom1, 0, 0, 1356118250, 1, 2, 1, 0, 11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt, vdom1, 0, 0, 1356118250, 1, 2, 11, 0, 12, /fingerprint/upload/encrypt.zip, vdom1, 0, 0, 1356118250, 1, 2, 77, 0, 13, /fingerprint/upload/extension_7_8_1.crx, vdom1, 0, 0, 1528751781, 1, 2, 2720, 0, 14, /fingerprint/upload/fingerprint.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0, 15, /fingerprint/upload/fingerprint90.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0, 16, /fingerprint/upload/fo2.pdf, vdom1, 0, 0, 1450488049, 1, 2, 1, 0, 17, /fingerprint/upload/foo.doc, vdom1, 0, 0, 1388538131, 1, 2, 9, 0, 18, /fingerprint/upload/fortiauto.pdf, vdom1, 0, 0, 1356118251, 1, 2, 146, 0, 19, /fingerprint/upload/image.out, vdom1, 0, 0, 1531802940, 1, 2, 5410, 0, 20, /fingerprint/upload/jon_file.txt, vdom1, 0, 0, 1536596091, 1, 2, 1, 0, 21, /fingerprint/upload/machotest, vdom1, 0, 0, 1528751955, 1, 2, 19, 0, 22, /fingerprint/upload/nntp-server.doc, vdom1, 0, 0, 1356118250, 1, 2, 17, 0, 23, /fingerprint/upload/notepad++.exe, vdom1, 0, 0, 1456090734, 1, 2, 1061, 0, 24, /fingerprint/upload/nppIExplorerShell.exe, vdom1, 0, 0, 1438559930, 1, 2, 5, 0, 25, /fingerprint/upload/NppShell_06.dll, vdom1, 0, 0, 1456090736, 1, 2, 111, 0, 26, /fingerprint/upload/PowerCollections.chm, vdom1, 0, 0, 1533336889, 1, 2, 728, 0, 27, /fingerprint/upload/reflector.dmg, vdom1, 0, 0, 1533336857, 1, 2, 21117, 0, 28, /fingerprint/upload/roxio.iso, vdom1, 0, 0, 1517531765, 1, 2, 49251,0, 29, /fingerprint/upload/SciLexer.dll, vdom1, 0, 0, 1456090736, 1, 2, 541, 0, 30, /fingerprint/upload/screen.jpg, vdom1, 0, 0, 1356118250, 1, 2, 55, 0, 31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, vdom1, 0, 0, 1356118251, 1, 2, 31, 0, 32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea, vdom1, 0, 0, 1529019743, 1, 2, 1, 0, 33, /fingerprint/upload/test.pdf, vdom1, 0, 0, 1356118250, 1, 2, 5, 0, 34, /fingerprint/upload/test.tar, vdom1, 0, 0, 1356118251, 1, 2, 3, 0, 35, /fingerprint/upload/test.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 1, 0, 36, /fingerprint/upload/test1.txt, vdom1, 0, 0, 1540317547, 1, 2, 1, 0, 37, /fingerprint/upload/thousand-files.zip, vdom1, 0, 0, 1536611774, 1, 2, 241, 0, 38, /fingerprint/upload/Thumbs.db, vdom1, 0, 0, 1445878135, 1, 2, 3, 0, 39, /fingerprint/upload/widget.pdf, vdom1, 0, 0, 1356118251, 1, 2, 18, 0, 40, /fingerprint/upload/xx00-xx01.tar, vdom1, 0, 0, 1356118250, 1, 2, 5, 0, 41, /fingerprint/upload/xx02-xx03.tar.gz, vdom1, 0, 0, 1356118251, 1, 2, 1, 0,