Fortinet black logo

Administration Guide

DLP fingerprinting

DLP fingerprinting

DLP fingerprinting can be used to detect sensitive data. The file that the DLP profile filters is uploaded and the FortiGate generates and stores a checksum fingerprint. The FortiGate generates a fingerprint for all the files that are detected in network traffic, and compares all the checksums stored in its database. If a match is found, the configured action is taken. Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

Using fingerprinting requires:

  1. Selecting the files to be fingerprinted by targeting a document source.
  2. Adding fingerprinting filters to DLP profiles.
  3. Adding the profiles to firewall policies that accept traffic that the fingerprinting will be applied on.
Note

The document fingerprint feature requires a FortiGate that has internal storage.

To configure a DLP fingerprint document:
config dlp fp-doc-source
    edit <name>
        set server-type smb
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity <Critical | Private | Warning>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    next
end

Command

Description

server-type smb

Set the protocol used to communicate with document server. Only Samba (SMB) servers are supported.

server <string>

Enter the IPv4 or IPv6 address of the server.

period {none | daily | weekly | monthly}

Set the frequency that the FortiGate checks the server for new or changed files.

vdom {mgmt | current}

Enter the VDOM that can communicate with the file server.

scan-subdirectories {enable | disable}

Enable/disable scanning subdirectories to find files.

remove-deleted {enable | disable}

Enable/disable keeping the fingerprint database up to date when a file is deleted from the server.

keep-modified {enable | disable}

Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server.

username <string>

Enter the user name required to log into the file server.

password <password>

Enter the password required to log into the file server.

file-path <string>

Enter the path on the server to the fingerprint files.

file-pattern <string>

Enter the pattern for matching files on the server to be fingerprinted.

sensitivity <Critical | Private | Warning>

Set the sensitivity or threat level for matches with this fingerprint database.

tod-hour <integer>

Set the hour of the day. This option is only available when period is not none.

tod-min <integer>

Set the minute of the hour. This option is only available when period is not none.

weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}

Set the day of the week. This option is only available when period is weekly.

date <integer>

Set the day of the month. This option is only available when period is monthly.

To configure a DLP fingerprint profile:
config dlp profile
    edit <name>
        config filter
            edit <id>
                set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end

Command

Description

proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi}

Set the protocol to inspect.

filter-by fingerprint

Set to match against a fingerprint sensitivity.

sensitivity {Critical | Private | Warning}

Set the DLP file pattern sensitivity to match.

match-percentage <integer>

Set the percentage of the checksum required to match before the profile is triggered.

action {allow | log-only | block | ban | quarantine-ip}

Set the action to take with content that matches the DLP profile.

View the DLP fingerprint database on the FortiGate

Use diagnose test application dlpfingerprint <integer> to display the fingerprint information that is on the FortiGate.

Integer

Function

1

Show the fingerprint daemon menu

2

Dump the database

3

Dump all files

5

Dump all chunks

6

Refresh all document sources in all VDOMs

7

Show the database file size and limit

9

Display statistics

10

Clear statistics

99

Restart this daemon

To dump all fingerprinted files:
# diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
---------------------------------------
id, filename,                               vdom, archive, deleted, scanTime,   docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1,  /fingerprint/upload/1.txt,              vdom1,  0,      0,      1494868196,   1,      2,      1,    0,
2,  /fingerprint/upload/30percentage.xls,   vdom1,  0,      0,      1356118250,   1,      2,    13,      0,
3,  /fingerprint/upload/50.pdf,             vdom1,  0,      0,      1356118250,   1,      2,      122,  0,
4,  /fingerprint/upload/50.pdf.tar.gz,      vdom1,  0,      0,      1356118250,   1,      2,    114,     0,
5,  /fingerprint/upload/check-list_AL-SIP_HA.xls,   vdom1,  0,      0,      1356118251,     1,    2,       32,     0,
6,  /fingerprint/upload/clean.zip,          vdom1,  0,      0,      1356118251,   1,      2,      1,    0,
7,  /fingerprint/upload/compare.doc,        vdom1,  0,      0,      1522097410,   1,      2,    18,      0,
8,  /fingerprint/upload/dlpsensor-watermark.pdf,    vdom1,  0,      0,      1356118250,     1,    2,       11,     0,
9,  /fingerprint/upload/eicar.com,          vdom1,  0,      0,      1356118250,   1,      2,      1,    0,
10, /fingerprint/upload/eicar.zip,          vdom1,  0,      0,      1356118250,   1,      2,      1,    0,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt,  vdom1,  0,      0,      1356118250,     1,    2,       11,     0,
12, /fingerprint/upload/encrypt.zip,        vdom1,  0,      0,      1356118250,   1,      2,    77,      0,
13, /fingerprint/upload/extension_7_8_1.crx,        vdom1,  0,      0,      1528751781,     1,    2,       2720,   0,
14, /fingerprint/upload/fingerprint.txt,    vdom1,  0,      0,      1498582679,   1,      2,    37,      0,
15, /fingerprint/upload/fingerprint90.txt,  vdom1,  0,      0,      1498582679,   1,      2,    37,      0,
16, /fingerprint/upload/fo2.pdf,            vdom1,  0,      0,      1450488049,   1,      2,      1,    0,
17, /fingerprint/upload/foo.doc,            vdom1,  0,      0,      1388538131,   1,      2,      9,    0,
18, /fingerprint/upload/fortiauto.pdf,      vdom1,  0,      0,      1356118251,   1,      2,    146,     0,
19, /fingerprint/upload/image.out,          vdom1,  0,      0,      1531802940,   1,      2,      5410, 0,
20, /fingerprint/upload/jon_file.txt,       vdom1,  0,      0,      1536596091,   1,      2,    1,       0,
21, /fingerprint/upload/machotest,          vdom1,  0,      0,      1528751955,   1,      2,      19,   0,
22, /fingerprint/upload/nntp-server.doc,    vdom1,  0,      0,      1356118250,   1,      2,    17,      0,
23, /fingerprint/upload/notepad++.exe,      vdom1,  0,      0,      1456090734,   1,      2,    1061,    0,
24, /fingerprint/upload/nppIExplorerShell.exe,      vdom1,  0,      0,      1438559930,     1,    2,       5,      0,
25, /fingerprint/upload/NppShell_06.dll,    vdom1,  0,      0,      1456090736,   1,      2,    111,     0,
26, /fingerprint/upload/PowerCollections.chm,       vdom1,  0,      0,      1533336889,     1,    2,       728,    0,
27, /fingerprint/upload/reflector.dmg,      vdom1,  0,      0,      1533336857,   1,      2,    21117,   0,
28, /fingerprint/upload/roxio.iso,          vdom1,  0,      0,      1517531765,   1,      2,      49251,0,
29, /fingerprint/upload/SciLexer.dll,       vdom1,  0,      0,      1456090736,   1,      2,    541,     0,
30, /fingerprint/upload/screen.jpg,         vdom1,  0,      0,      1356118250,   1,      2,      55,   0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc,    vdom1,  0,    0,      1356118251,    1,      2,      31,     0,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea,        vdom1,  0,    0,       1529019743,     1,      2,      1,      0,
33, /fingerprint/upload/test.pdf,           vdom1,  0,      0,      1356118250,   1,      2,      5,    0,
34, /fingerprint/upload/test.tar,           vdom1,  0,      0,      1356118251,   1,      2,      3,    0,
35, /fingerprint/upload/test.tar.gz,        vdom1,  0,      0,      1356118250,   1,      2,    1,       0,
36, /fingerprint/upload/test1.txt,          vdom1,  0,      0,      1540317547,   1,      2,      1,    0,
37, /fingerprint/upload/thousand-files.zip, vdom1,  0,      0,      1536611774,   1,      2,    241,     0,
38, /fingerprint/upload/Thumbs.db,          vdom1,  0,      0,      1445878135,   1,      2,      3,    0,
39, /fingerprint/upload/widget.pdf,         vdom1,  0,      0,      1356118251,   1,      2,      18,   0,
40, /fingerprint/upload/xx00-xx01.tar,      vdom1,  0,      0,      1356118250,   1,      2,    5,       0,
41, /fingerprint/upload/xx02-xx03.tar.gz,   vdom1,  0,      0,      1356118251,   1,      2,    1,       0,

DLP fingerprinting

DLP fingerprinting can be used to detect sensitive data. The file that the DLP profile filters is uploaded and the FortiGate generates and stores a checksum fingerprint. The FortiGate generates a fingerprint for all the files that are detected in network traffic, and compares all the checksums stored in its database. If a match is found, the configured action is taken. Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

Using fingerprinting requires:

  1. Selecting the files to be fingerprinted by targeting a document source.
  2. Adding fingerprinting filters to DLP profiles.
  3. Adding the profiles to firewall policies that accept traffic that the fingerprinting will be applied on.
Note

The document fingerprint feature requires a FortiGate that has internal storage.

To configure a DLP fingerprint document:
config dlp fp-doc-source
    edit <name>
        set server-type smb
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity <Critical | Private | Warning>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    next
end

Command

Description

server-type smb

Set the protocol used to communicate with document server. Only Samba (SMB) servers are supported.

server <string>

Enter the IPv4 or IPv6 address of the server.

period {none | daily | weekly | monthly}

Set the frequency that the FortiGate checks the server for new or changed files.

vdom {mgmt | current}

Enter the VDOM that can communicate with the file server.

scan-subdirectories {enable | disable}

Enable/disable scanning subdirectories to find files.

remove-deleted {enable | disable}

Enable/disable keeping the fingerprint database up to date when a file is deleted from the server.

keep-modified {enable | disable}

Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server.

username <string>

Enter the user name required to log into the file server.

password <password>

Enter the password required to log into the file server.

file-path <string>

Enter the path on the server to the fingerprint files.

file-pattern <string>

Enter the pattern for matching files on the server to be fingerprinted.

sensitivity <Critical | Private | Warning>

Set the sensitivity or threat level for matches with this fingerprint database.

tod-hour <integer>

Set the hour of the day. This option is only available when period is not none.

tod-min <integer>

Set the minute of the hour. This option is only available when period is not none.

weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}

Set the day of the week. This option is only available when period is weekly.

date <integer>

Set the day of the month. This option is only available when period is monthly.

To configure a DLP fingerprint profile:
config dlp profile
    edit <name>
        config filter
            edit <id>
                set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end

Command

Description

proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi}

Set the protocol to inspect.

filter-by fingerprint

Set to match against a fingerprint sensitivity.

sensitivity {Critical | Private | Warning}

Set the DLP file pattern sensitivity to match.

match-percentage <integer>

Set the percentage of the checksum required to match before the profile is triggered.

action {allow | log-only | block | ban | quarantine-ip}

Set the action to take with content that matches the DLP profile.

View the DLP fingerprint database on the FortiGate

Use diagnose test application dlpfingerprint <integer> to display the fingerprint information that is on the FortiGate.

Integer

Function

1

Show the fingerprint daemon menu

2

Dump the database

3

Dump all files

5

Dump all chunks

6

Refresh all document sources in all VDOMs

7

Show the database file size and limit

9

Display statistics

10

Clear statistics

99

Restart this daemon

To dump all fingerprinted files:
# diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
---------------------------------------
id, filename,                               vdom, archive, deleted, scanTime,   docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1,  /fingerprint/upload/1.txt,              vdom1,  0,      0,      1494868196,   1,      2,      1,    0,
2,  /fingerprint/upload/30percentage.xls,   vdom1,  0,      0,      1356118250,   1,      2,    13,      0,
3,  /fingerprint/upload/50.pdf,             vdom1,  0,      0,      1356118250,   1,      2,      122,  0,
4,  /fingerprint/upload/50.pdf.tar.gz,      vdom1,  0,      0,      1356118250,   1,      2,    114,     0,
5,  /fingerprint/upload/check-list_AL-SIP_HA.xls,   vdom1,  0,      0,      1356118251,     1,    2,       32,     0,
6,  /fingerprint/upload/clean.zip,          vdom1,  0,      0,      1356118251,   1,      2,      1,    0,
7,  /fingerprint/upload/compare.doc,        vdom1,  0,      0,      1522097410,   1,      2,    18,      0,
8,  /fingerprint/upload/dlpsensor-watermark.pdf,    vdom1,  0,      0,      1356118250,     1,    2,       11,     0,
9,  /fingerprint/upload/eicar.com,          vdom1,  0,      0,      1356118250,   1,      2,      1,    0,
10, /fingerprint/upload/eicar.zip,          vdom1,  0,      0,      1356118250,   1,      2,      1,    0,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt,  vdom1,  0,      0,      1356118250,     1,    2,       11,     0,
12, /fingerprint/upload/encrypt.zip,        vdom1,  0,      0,      1356118250,   1,      2,    77,      0,
13, /fingerprint/upload/extension_7_8_1.crx,        vdom1,  0,      0,      1528751781,     1,    2,       2720,   0,
14, /fingerprint/upload/fingerprint.txt,    vdom1,  0,      0,      1498582679,   1,      2,    37,      0,
15, /fingerprint/upload/fingerprint90.txt,  vdom1,  0,      0,      1498582679,   1,      2,    37,      0,
16, /fingerprint/upload/fo2.pdf,            vdom1,  0,      0,      1450488049,   1,      2,      1,    0,
17, /fingerprint/upload/foo.doc,            vdom1,  0,      0,      1388538131,   1,      2,      9,    0,
18, /fingerprint/upload/fortiauto.pdf,      vdom1,  0,      0,      1356118251,   1,      2,    146,     0,
19, /fingerprint/upload/image.out,          vdom1,  0,      0,      1531802940,   1,      2,      5410, 0,
20, /fingerprint/upload/jon_file.txt,       vdom1,  0,      0,      1536596091,   1,      2,    1,       0,
21, /fingerprint/upload/machotest,          vdom1,  0,      0,      1528751955,   1,      2,      19,   0,
22, /fingerprint/upload/nntp-server.doc,    vdom1,  0,      0,      1356118250,   1,      2,    17,      0,
23, /fingerprint/upload/notepad++.exe,      vdom1,  0,      0,      1456090734,   1,      2,    1061,    0,
24, /fingerprint/upload/nppIExplorerShell.exe,      vdom1,  0,      0,      1438559930,     1,    2,       5,      0,
25, /fingerprint/upload/NppShell_06.dll,    vdom1,  0,      0,      1456090736,   1,      2,    111,     0,
26, /fingerprint/upload/PowerCollections.chm,       vdom1,  0,      0,      1533336889,     1,    2,       728,    0,
27, /fingerprint/upload/reflector.dmg,      vdom1,  0,      0,      1533336857,   1,      2,    21117,   0,
28, /fingerprint/upload/roxio.iso,          vdom1,  0,      0,      1517531765,   1,      2,      49251,0,
29, /fingerprint/upload/SciLexer.dll,       vdom1,  0,      0,      1456090736,   1,      2,    541,     0,
30, /fingerprint/upload/screen.jpg,         vdom1,  0,      0,      1356118250,   1,      2,      55,   0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc,    vdom1,  0,    0,      1356118251,    1,      2,      31,     0,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea,        vdom1,  0,    0,       1529019743,     1,      2,      1,      0,
33, /fingerprint/upload/test.pdf,           vdom1,  0,      0,      1356118250,   1,      2,      5,    0,
34, /fingerprint/upload/test.tar,           vdom1,  0,      0,      1356118251,   1,      2,      3,    0,
35, /fingerprint/upload/test.tar.gz,        vdom1,  0,      0,      1356118250,   1,      2,    1,       0,
36, /fingerprint/upload/test1.txt,          vdom1,  0,      0,      1540317547,   1,      2,      1,    0,
37, /fingerprint/upload/thousand-files.zip, vdom1,  0,      0,      1536611774,   1,      2,    241,     0,
38, /fingerprint/upload/Thumbs.db,          vdom1,  0,      0,      1445878135,   1,      2,      3,    0,
39, /fingerprint/upload/widget.pdf,         vdom1,  0,      0,      1356118251,   1,      2,      18,   0,
40, /fingerprint/upload/xx00-xx01.tar,      vdom1,  0,      0,      1356118250,   1,      2,    5,       0,
41, /fingerprint/upload/xx02-xx03.tar.gz,   vdom1,  0,      0,      1356118251,   1,      2,    1,       0,