DLP fingerprinting
DLP fingerprinting can be used to detect sensitive data. The file that the DLP profile filters is uploaded, and the FortiGate generates and stores a checksum fingerprint for it. The FortiGate then generates a fingerprint for each file that it detects in network traffic and compares it against all of the checksums stored in its database. If a match is found, the configured action is taken. Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.
Using fingerprinting requires:
- Selecting the files to be fingerprinted by targeting a document source.
- Adding fingerprinting filters to DLP profiles.
- Adding the profiles to firewall policies that accept the traffic that fingerprinting will be applied to.

The document fingerprint feature requires a FortiGate that has internal storage.

To configure a DLP fingerprint document:
config dlp fp-doc-source
    edit <name>
        *set server-type samba
        *set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        *set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        *set sensitivity <Critical | Private | Warning>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    next
end
Parameters marked with an asterisk (*) are mandatory and must be filled in.

| Command | Description |
|---|---|
| server-type samba | Set the protocol used to communicate with the document server. Only Samba (SMB) servers are supported. |
| server <string> | Enter the IPv4 or IPv6 address of the server. |
| period {none \| daily \| weekly \| monthly} | Set the frequency that the FortiGate checks the server for new or changed files. |
| vdom {mgmt \| current} | Enter the VDOM that can communicate with the file server. |
| scan-subdirectories {enable \| disable} | Enable/disable scanning subdirectories to find files. |
| remove-deleted {enable \| disable} | Enable/disable keeping the fingerprint database up to date when a file is deleted from the server. |
| keep-modified {enable \| disable} | Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server. |
| username <string> | Enter the user name required to log into the file server. |
| password <password> | Enter the password required to log into the file server. |
| file-path <string> | Enter the path on the server to the fingerprint files. |
| file-pattern <string> | Enter the pattern for matching files on the server to be fingerprinted. |
| sensitivity <Critical \| Private \| Warning> | Set the sensitivity or threat level for matches with this fingerprint database. |
| tod-hour <integer> | Set the hour of the day. This option is only available when |
| tod-min <integer> | Set the minute of the hour. This option is only available when |
| weekday {sunday \| monday \| tuesday \| wednesday \| thursday \| friday \| saturday} | Set the day of the week. This option is only available when |
| date <integer> | Set the day of the month. This option is only available when |

To configure a DLP fingerprint profile:
config dlp profile
    edit <name>
        set feature-set proxy
        config rule
            edit <id>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end

| Command | Description |
|---|---|
| proto {smtp \| pop3 \| imap \| http-get \| http-post \| ftp \| nntp \| mapi \| ssh \| cifs} | Set the protocol to inspect. |
| filter-by fingerprint | Set to match against a fingerprint sensitivity. |
| sensitivity {Critical \| Private \| Warning} | Set the DLP file pattern sensitivity to match. |
| match-percentage <integer> | Set the percentage of the checksum required to match before the profile is triggered. |
| action {allow \| log-only \| block \| ban \| quarantine-ip} | Set the action to take with content that matches the DLP profile. |

View the DLP fingerprint database on the FortiGate
Use diagnose test application dlpfingerprint <integer> to display the fingerprint information that is on the FortiGate.

| Integer | Function |
|---|---|
| 1 | Show the fingerprint daemon menu |
| 2 | Dump the database |
| 3 | Dump all files |
| 5 | Dump all chunks |
| 6 | Refresh all document sources in all VDOMs |
| 7 | Show the database file size and limit |
| 9 | Display statistics |
| 10 | Clear statistics |
| 99 | Restart this daemon |

To dump all fingerprinted files:
# diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
---------------------------------------
id, filename, vdom, archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1, /fingerprint/upload/1.txt, vdom1, 0, 0, 1494868196, 1, 2, 1, 0,
2, /fingerprint/upload/30percentage.xls, vdom1, 0, 0, 1356118250, 1, 2, 13, 0,
3, /fingerprint/upload/50.pdf, vdom1, 0, 0, 1356118250, 1, 2, 122, 0,
4, /fingerprint/upload/50.pdf.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 114, 0,
5, /fingerprint/upload/check-list_AL-SIP_HA.xls, vdom1, 0, 0, 1356118251, 1, 2, 32, 0,
6, /fingerprint/upload/clean.zip, vdom1, 0, 0, 1356118251, 1, 2, 1, 0,
7, /fingerprint/upload/compare.doc, vdom1, 0, 0, 1522097410, 1, 2, 18, 0,
8, /fingerprint/upload/dlpsensor-watermark.pdf, vdom1, 0, 0, 1356118250, 1, 2, 11, 0,
9, /fingerprint/upload/eicar.com, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
10, /fingerprint/upload/eicar.zip, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt, vdom1, 0, 0, 1356118250, 1, 2, 11, 0,
12, /fingerprint/upload/encrypt.zip, vdom1, 0, 0, 1356118250, 1, 2, 77, 0,
13, /fingerprint/upload/extension_7_8_1.crx, vdom1, 0, 0, 1528751781, 1, 2, 2720, 0,
14, /fingerprint/upload/fingerprint.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0,
15, /fingerprint/upload/fingerprint90.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0,
16, /fingerprint/upload/fo2.pdf, vdom1, 0, 0, 1450488049, 1, 2, 1, 0,
17, /fingerprint/upload/foo.doc, vdom1, 0, 0, 1388538131, 1, 2, 9, 0,
18, /fingerprint/upload/fortiauto.pdf, vdom1, 0, 0, 1356118251, 1, 2, 146, 0,
19, /fingerprint/upload/image.out, vdom1, 0, 0, 1531802940, 1, 2, 5410, 0,
20, /fingerprint/upload/jon_file.txt, vdom1, 0, 0, 1536596091, 1, 2, 1, 0,
21, /fingerprint/upload/machotest, vdom1, 0, 0, 1528751955, 1, 2, 19, 0,
22, /fingerprint/upload/nntp-server.doc, vdom1, 0, 0, 1356118250, 1, 2, 17, 0,
23, /fingerprint/upload/notepad++.exe, vdom1, 0, 0, 1456090734, 1, 2, 1061, 0,
24, /fingerprint/upload/nppIExplorerShell.exe, vdom1, 0, 0, 1438559930, 1, 2, 5, 0,
25, /fingerprint/upload/NppShell_06.dll, vdom1, 0, 0, 1456090736, 1, 2, 111, 0,
26, /fingerprint/upload/PowerCollections.chm, vdom1, 0, 0, 1533336889, 1, 2, 728, 0,
27, /fingerprint/upload/reflector.dmg, vdom1, 0, 0, 1533336857, 1, 2, 21117, 0,
28, /fingerprint/upload/roxio.iso, vdom1, 0, 0, 1517531765, 1, 2, 49251, 0,
29, /fingerprint/upload/SciLexer.dll, vdom1, 0, 0, 1456090736, 1, 2, 541, 0,
30, /fingerprint/upload/screen.jpg, vdom1, 0, 0, 1356118250, 1, 2, 55, 0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, vdom1, 0, 0, 1356118251, 1, 2, 31, 0,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea, vdom1, 0, 0, 1529019743, 1, 2, 1, 0,
33, /fingerprint/upload/test.pdf, vdom1, 0, 0, 1356118250, 1, 2, 5, 0,
34, /fingerprint/upload/test.tar, vdom1, 0, 0, 1356118251, 1, 2, 3, 0,
35, /fingerprint/upload/test.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
36, /fingerprint/upload/test1.txt, vdom1, 0, 0, 1540317547, 1, 2, 1, 0,
37, /fingerprint/upload/thousand-files.zip, vdom1, 0, 0, 1536611774, 1, 2, 241, 0,
38, /fingerprint/upload/Thumbs.db, vdom1, 0, 0, 1445878135, 1, 2, 3, 0,
39, /fingerprint/upload/widget.pdf, vdom1, 0, 0, 1356118251, 1, 2, 18, 0,
40, /fingerprint/upload/xx00-xx01.tar, vdom1, 0, 0, 1356118250, 1, 2, 5, 0,
41, /fingerprint/upload/xx02-xx03.tar.gz, vdom1, 0, 0, 1356118251, 1, 2, 1, 0,
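
To check fingerprint coverage from a saved copy of this dump, the following Python sketch parses the file records and reports files that should be fingerprinted but are not, along with fingerprints that have not been rescanned recently. It is an added example, not Fortinet code. It assumes that scanTime is Unix epoch seconds and that a non-zero deleted value marks a removed file; the payroll.xls path and the 365-day threshold are hypothetical.

```python
import re
from datetime import datetime, timezone

# Column names exactly as printed in the header row of the dump.
COLUMNS = ["id", "filename", "vdom", "archive", "deleted", "scanTime",
           "docSourceSrvr", "sensitivity", "chunkCnt", "reviseCnt"]

# id, filename, vdom, then seven numeric fields. Anchoring on the trailing
# fields lets a file name contain spaces or commas, and \s* tolerates
# records that were wrapped or run together when the output was captured.
RECORD = re.compile(
    r"(\d+),\s*(/.+?),\s*([\w-]+)" + r",\s*(\d+)" * 7 + ",")

# Constructed sample: three records from the dump above, wrapped unevenly.
SAMPLE = """DLPFP diag_test_handler called File DB: ----------
id, filename, vdom, archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1, /fingerprint/upload/1.txt, vdom1, 0, 0, 1494868196, 1, 2, 1, 0, 28,
/fingerprint/upload/roxio.iso, vdom1, 0, 0, 1517531765, 1, 2, 49251,0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, vdom1, 0, 0, 1356118251, 1, 2, 31, 0,
"""


def parse_dump(text):
    """Return one dict per file record found in the dump text."""
    rows = []
    for match in RECORD.finditer(text):
        row = dict(zip(COLUMNS, match.groups()))
        for key in COLUMNS:
            if key not in ("filename", "vdom"):
                row[key] = int(row[key])
        rows.append(row)
    return rows


def audit(rows, expected, now, max_age_days=365):
    """List expected files with no live fingerprint, and stale scans.

    Assumptions: scanTime is Unix epoch seconds, and a non-zero
    'deleted' value means the record no longer covers the file.
    """
    live = {r["filename"] for r in rows if not r["deleted"]}
    cutoff = now.timestamp() - max_age_days * 86400
    return {
        "missing": sorted(set(expected) - live),
        "stale": [r["filename"] for r in rows if r["scanTime"] < cutoff],
    }


if __name__ == "__main__":
    wanted = ["/fingerprint/upload/1.txt", "/fingerprint/upload/payroll.xls"]
    print(audit(parse_dump(SAMPLE), wanted,
                datetime(2018, 11, 1, tzinfo=timezone.utc)))
```

Entries reported as stale are candidates for a refresh of the document sources (function 6 in the table above).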