Fortinet white logo
Fortinet white logo

Administration Guide

DLP fingerprinting

DLP fingerprinting

DLP fingerprinting employs Indexed Document Matching (IDM) to detect sensitive data. See Indexed Document Matching (IDM) for more information. The file that the DLP profile filters is uploaded and the FortiProxy generates and stores a checksum fingerprint. The FortiProxy generates a fingerprint for all the files that are detected in network traffic, and compares all the checksums stored in its database. If a match is found, the configured action is taken. Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

Using fingerprinting requires:

  1. Creating a DLP fingerprint database by allowing the FortiProxy to access a file server containing files from which to create fingerprints.

  2. Adding fingerprinting filters to DLP sensors.

  3. Adding the sensors to policies that accept traffic that the fingerprinting will be applied on.

See Fingerprinting example for a sample configuration.

Note

The document fingerprint feature requires a FortiProxy that has internal storage.

To configure a DLP fingerprint document:
config dlp fp-doc-source
    edit <name>
        set server <string>
        set username <string>
        set password <password>
        set file-path <string>
        set sensitivity <Critical | Private | Warning>
    next
end

Command

Description

server <string>

Enter the IPv4 or IPv6 address of the file server.

username <string>

Enter the user name required to log into the file server.

password <password>

Enter the password required to log into the file server.

file-path <string>

Enter the path on the server to the fingerprint files.

sensitivity <Critical | Private | Warning>

Set the sensitivity or threat level for matches with this fingerprint database.

See config dlp fp-doc-source in the FortiProxy CLI Reference for a comprehensive list of commands.

Note

A file server is required for the user to upload files. Each uploaded file will have a fingerprint generated by FortiProxy, and will be stored locally as a checksum. Currently, only servers that are using the Samba (SMB) protocol are compatible.

To configure a DLP fingerprint sensor:
config dlp sensor
    edit <name>
        config filter
            edit <id>
		 set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set action {allow | log-only | block | ban | quarantine-ip}
            next
end

Command

Description

proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}

Set the protocol to inspect.

filter-by fingerprint

Set to match against a fingerprint sensitivity.

sensitivity {Critical | Private | Warning}

Set the DLP file pattern sensitivity to match.

action {allow | log-only | block | ban | quarantine‑ip}

Set the action to take with content that matches the DLP profile.

Fingerprinting example

This configuration will block HTTPS download traffic that matches the checksums that are stored in the FortiProxy fingerprint database.

Note

When utilizing commonly-used SSL-encrypted protocols, such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Create or edit an SSL/SSH inspection profile for more information.

The client machine must also have the corresponding deep inspection Certificate Authority (CA) certificate installed.

In this example, a text document with sensitive data is being downloaded by the client using the HTTP GET method. The term Protected Server refers to the Samba file server that stores the fingerprint files. It is assumed that you already have a configured Samba file server.

The FortiProxy intercepts the traffic using deep inspection and blocks the traffic as it matches the DLP profile configured on this FortiProxy. See Sample log for a log sample.

To block network traffic that matches the checksums stored in the FortiProxy fingerprint database:
  1. Configure the DLP fingerprint database:

    config dlp fp-doc-source
        edit "test"
            set server "172.16.200.55"
            set username "kiki"
            set password *****
            set file-path "/Users/"
            set sensitivity "Warning"
        next
    end
    

    This step can only be configured in the CLI.

  2. Configure the DLP sensor:

    config dlp sensor
        edit "fingerprint"
            config filter
                edit 1
                    set proto http-get
                    set filter-by fingerprint
                    set sensitivity "Critical"
                    set action block
                next
            end
        next
    end
    

    DLP sensors that filter by fingerprint can only be configured in the CLI.

  3. Add the DLP sensor to a policy:

    config firewall policy
        edit 1
            set type explicit-web
            set name "ExplicitPROXY"
            set uuid c0a2e814-7ff8-51ee-1815-054bdf34bd03
            set dstintf "any"
            set srcaddr "LAB-SUBNET"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set explicit-web-proxy "web-proxy"
            set utm-status enable
            set logtraffic all
            set log-http-transaction all
            set ssl-ssh-profile "test"
            set dlp-sensor "fingerprint"
        next
    end
    

    This can also be configured in the GUI. See Create or edit a policy.

To verify the results:
  1. Verify that the DLP fingerprint database is present on the FortiProxy:

    # diagnose te app dlpfingerprint 3
    File DB:
    ---------------------------------------
    id,     filename,       vdom,   archive,        deleted,        scanTime,       docSourceSrvr,  sensitivity,    chunkCnt,       reviseCnt,
    1,      /Users/test.pdf,        root,   0,      0,      1709852459,     fp1,    3,      190,    0,
    2,      /Users/test.zip,        root,   0,      0,      1710201502,     fp1,    3,      1,      0
  2. Verify HTTP GET traffic that matches the checksums stored in the FortiProxy fingerprint database is being blocked:

    download attempt of a zip file from a linux device was made using Firefox. This zip file is the same as the one located on the protected server and its fingerprint is saved in the FortiProxy fingerprint database.

Sample log

To view the sample log:
  1. Go to Log & Report > Security Events and select Data Leak Prevention.

  2. View the log details in the GUI, or download the log file:

    date=2024-03-12 time=17:14:24 eventtime=1710288863581501560 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="Critical, Private, Warning" filtertype="fingerprint" filtercat="file" severity="low" policyid=1 poluuid="c0a2e814-7ff8-51ee-1815-054bdf34bd03" policytype="policy" sessionid=1710678066 epoch=1845053153 eventid=0 srcip=10.40.1.1 srcport=46572 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" srcuuid="7f1725e0-7ff8-51ee-fbe1-b5ff0424dfda" dstip=172.18.20.226 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="zip" direction="incoming" action="block" hostname="172.18.20.226" url="
    https://172.18.20.226/files/test.zip"
    agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0" httpmethod="GET" filename="test.zip" filesize=501 profile="fingerprint"

DLP fingerprinting

DLP fingerprinting

DLP fingerprinting employs Indexed Document Matching (IDM) to detect sensitive data. See Indexed Document Matching (IDM) for more information. The file that the DLP profile filters is uploaded and the FortiProxy generates and stores a checksum fingerprint. The FortiProxy generates a fingerprint for all the files that are detected in network traffic, and compares all the checksums stored in its database. If a match is found, the configured action is taken. Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

Using fingerprinting requires:

  1. Creating a DLP fingerprint database by allowing the FortiProxy to access a file server containing files from which to create fingerprints.

  2. Adding fingerprinting filters to DLP sensors.

  3. Adding the sensors to policies that accept traffic that the fingerprinting will be applied on.

See Fingerprinting example for a sample configuration.

Note

The document fingerprint feature requires a FortiProxy that has internal storage.

To configure a DLP fingerprint document:
config dlp fp-doc-source
    edit <name>
        set server <string>
        set username <string>
        set password <password>
        set file-path <string>
        set sensitivity <Critical | Private | Warning>
    next
end

Command

Description

server <string>

Enter the IPv4 or IPv6 address of the file server.

username <string>

Enter the user name required to log into the file server.

password <password>

Enter the password required to log into the file server.

file-path <string>

Enter the path on the server to the fingerprint files.

sensitivity <Critical | Private | Warning>

Set the sensitivity or threat level for matches with this fingerprint database.

See config dlp fp-doc-source in the FortiProxy CLI Reference for a comprehensive list of commands.

Note

A file server is required for the user to upload files. Each uploaded file will have a fingerprint generated by FortiProxy, and will be stored locally as a checksum. Currently, only servers that are using the Samba (SMB) protocol are compatible.

To configure a DLP fingerprint sensor:
config dlp sensor
    edit <name>
        config filter
            edit <id>
		 set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set action {allow | log-only | block | ban | quarantine-ip}
            next
end

Command

Description

proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}

Set the protocol to inspect.

filter-by fingerprint

Set to match against a fingerprint sensitivity.

sensitivity {Critical | Private | Warning}

Set the DLP file pattern sensitivity to match.

action {allow | log-only | block | ban | quarantine‑ip}

Set the action to take with content that matches the DLP profile.

Fingerprinting example

This configuration will block HTTPS download traffic that matches the checksums that are stored in the FortiProxy fingerprint database.

Note

When utilizing commonly-used SSL-encrypted protocols, such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Create or edit an SSL/SSH inspection profile for more information.

The client machine must also have the corresponding deep inspection Certificate Authority (CA) certificate installed.

In this example, a text document with sensitive data is being downloaded by the client using the HTTP GET method. The term Protected Server refers to the Samba file server that stores the fingerprint files. It is assumed that you already have a configured Samba file server.

The FortiProxy intercepts the traffic using deep inspection and blocks the traffic as it matches the DLP profile configured on this FortiProxy. See Sample log for a log sample.

To block network traffic that matches the checksums stored in the FortiProxy fingerprint database:
  1. Configure the DLP fingerprint database:

    config dlp fp-doc-source
        edit "test"
            set server "172.16.200.55"
            set username "kiki"
            set password *****
            set file-path "/Users/"
            set sensitivity "Warning"
        next
    end
    

    This step can only be configured in the CLI.

  2. Configure the DLP sensor:

    config dlp sensor
        edit "fingerprint"
            config filter
                edit 1
                    set proto http-get
                    set filter-by fingerprint
                    set sensitivity "Critical"
                    set action block
                next
            end
        next
    end
    

    DLP sensors that filter by fingerprint can only be configured in the CLI.

  3. Add the DLP sensor to a policy:

    config firewall policy
        edit 1
            set type explicit-web
            set name "ExplicitPROXY"
            set uuid c0a2e814-7ff8-51ee-1815-054bdf34bd03
            set dstintf "any"
            set srcaddr "LAB-SUBNET"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set explicit-web-proxy "web-proxy"
            set utm-status enable
            set logtraffic all
            set log-http-transaction all
            set ssl-ssh-profile "test"
            set dlp-sensor "fingerprint"
        next
    end
    

    This can also be configured in the GUI. See Create or edit a policy.

To verify the results:
  1. Verify that the DLP fingerprint database is present on the FortiProxy:

    # diagnose te app dlpfingerprint 3
    File DB:
    ---------------------------------------
    id,     filename,       vdom,   archive,        deleted,        scanTime,       docSourceSrvr,  sensitivity,    chunkCnt,       reviseCnt,
    1,      /Users/test.pdf,        root,   0,      0,      1709852459,     fp1,    3,      190,    0,
    2,      /Users/test.zip,        root,   0,      0,      1710201502,     fp1,    3,      1,      0
  2. Verify HTTP GET traffic that matches the checksums stored in the FortiProxy fingerprint database is being blocked:

    download attempt of a zip file from a linux device was made using Firefox. This zip file is the same as the one located on the protected server and its fingerprint is saved in the FortiProxy fingerprint database.

Sample log

To view the sample log:
  1. Go to Log & Report > Security Events and select Data Leak Prevention.

  2. View the log details in the GUI, or download the log file:

    date=2024-03-12 time=17:14:24 eventtime=1710288863581501560 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="Critical, Private, Warning" filtertype="fingerprint" filtercat="file" severity="low" policyid=1 poluuid="c0a2e814-7ff8-51ee-1815-054bdf34bd03" policytype="policy" sessionid=1710678066 epoch=1845053153 eventid=0 srcip=10.40.1.1 srcport=46572 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" srcuuid="7f1725e0-7ff8-51ee-fbe1-b5ff0424dfda" dstip=172.18.20.226 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="zip" direction="incoming" action="block" hostname="172.18.20.226" url="
    https://172.18.20.226/files/test.zip"
    agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0" httpmethod="GET" filename="test.zip" filesize=501 profile="fingerprint"