DLP fingerprinting
DLP fingerprinting employs Indexed Document Matching (IDM) to detect sensitive data. See Indexed Document Matching (IDM) for more information. A file to be protected is uploaded to a file server; the FortiProxy generates a checksum fingerprint for it and stores the fingerprint in its database. The FortiProxy then generates a fingerprint for every file it detects in network traffic and compares it against the checksums stored in its database. If a match is found, the action configured in the DLP profile is taken. Any type of file can be detected by DLP fingerprinting, and a fingerprint can be saved for each revision of a file as it is updated.
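The matching described above can be illustrated with a small model. The following is an added example written for this page, not FortiProxy's own code: it assumes that a protected document is cut into content-defined chunks, that each chunk and the whole file are hashed with SHA-256, and that a file seen in traffic matches when its whole-file checksum is in the database or when at least half of a stored document's chunk hashes reappear in it. Whether FortiProxy chunks and matches this way is not stated on this page (the chunkCnt column in the diagnose output further down only suggests chunking), and the three sample documents, their vocabularies and the payroll.txt name are constructed. The point it shows is why a fingerprint per revision matters: a small edit changes the whole-file checksum, while most chunk hashes survive, so the revised file can still be recognised.

```python
"""Chunk-based document fingerprinting, as an added illustration.

Example code written for this page, not FortiProxy's implementation. It assumes
content-defined chunking plus SHA-256 of every chunk and of the whole file; how
FortiProxy actually chunks and matches is not documented here. All sample
documents below are constructed.
"""
import hashlib
import random
from dataclasses import dataclass
from typing import Optional

WINDOW = 4                 # bytes hashed to decide whether to cut a chunk here
MIN_CHUNK, MAX_CHUNK = 16, 128
BOUNDARY_MASK = 0x0F       # cut when the low 4 bits are zero: ~16 bytes past MIN_CHUNK on average


@dataclass(frozen=True)
class Fingerprint:
    name: str
    sensitivity: str        # Critical | Private | Warning, as in the fp-doc-source CLI
    whole_file: str         # SHA-256 of the complete file
    chunks: frozenset       # SHA-256 of every chunk


@dataclass(frozen=True)
class Match:
    fingerprint: Fingerprint
    overlap: float          # fraction of the stored chunk hashes seen in the candidate file
    exact: bool             # whole-file checksum matched


def _is_boundary(window: bytes) -> bool:
    h = hashlib.blake2b(window, digest_size=2).digest()
    return (int.from_bytes(h, "big") & BOUNDARY_MASK) == 0


def chunk(data: bytes) -> list:
    """Content-defined chunking: a cut depends only on the local bytes, so an insertion
    disturbs the chunk it lands in and the chunk stream resynchronises after it."""
    out, start, pos = [], 0, MIN_CHUNK
    while pos < len(data):
        size = pos - start
        if size >= MAX_CHUNK or _is_boundary(data[pos - WINDOW:pos]):
            out.append(data[start:pos])
            start, pos = pos, pos + MIN_CHUNK
        else:
            pos += 1
    if start < len(data):
        out.append(data[start:])
    return out


def fingerprint(name: str, data: bytes, sensitivity: str) -> Fingerprint:
    return Fingerprint(
        name, sensitivity,
        hashlib.sha256(data).hexdigest(),
        frozenset(hashlib.sha256(c).hexdigest() for c in chunk(data)),
    )


def match(data: bytes, db: list, threshold: float = 0.5) -> Optional[Match]:
    """Best match for a file seen in traffic: exact checksum first, otherwise the stored
    fingerprint with the largest chunk overlap at or above the threshold, or None."""
    whole = hashlib.sha256(data).hexdigest()
    seen = {hashlib.sha256(c).hexdigest() for c in chunk(data)}
    best = None
    for fp in db:
        if fp.whole_file == whole:
            return Match(fp, 1.0, True)
        if not fp.chunks:
            continue
        overlap = len(fp.chunks & seen) / len(fp.chunks)
        if overlap >= threshold and (best is None or overlap > best.overlap):
            best = Match(fp, overlap, False)
    return best


def _text(seed: int, vocab: list, n_words: int = 600) -> bytes:
    rng = random.Random(seed)   # seeded so the constructed documents are reproducible
    return " ".join(rng.choice(vocab) for _ in range(n_words)).encode()


# Constructed sample documents: a "protected" payroll file, a lightly edited
# revision of it, and an unrelated file built from a disjoint vocabulary.
ORIGINAL = _text(1, ["salary", "employee", "bonus", "payroll", "deduction", "account",
                     "quarterly", "transfer", "pension", "overtime", "ledger", "tax"])
_mid = len(ORIGINAL) // 2
REVISED = ORIGINAL[:_mid] + b" REVISED DRAFT " + ORIGINAL[_mid:]
UNRELATED = _text(2, ["kernel", "scheduler", "interrupt", "mutex", "pagefault", "syscall",
                      "driver", "firmware", "register", "cache", "opcode", "linker"])

DB = [fingerprint("payroll.txt", ORIGINAL, "Critical")]   # the hypothetical fingerprint database

if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL), ("revised", REVISED), ("unrelated", UNRELATED)):
        m = match(doc, DB)
        print(label, "-> no match" if m is None else
              f"-> {m.fingerprint.name} ({m.fingerprint.sensitivity}) overlap={m.overlap:.2f} exact={m.exact}")
```

Run it directly to see the three outcomes. The threshold in match() is the trade-off to tune: lowering it tolerates heavier edits of a protected document but raises the chance that unrelated files sharing boilerplate (letterheads, templates) match a stored fingerprint.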
Using fingerprinting requires:

- Adding the DLP profiles to the policies that accept the traffic to which fingerprinting will be applied.

See Fingerprinting example for a sample configuration.

The document fingerprint feature requires a FortiProxy that has internal storage.
To configure a DLP fingerprint document source:

```
config dlp fp-doc-source
    edit <name>
        set server <string>
        set username <string>
        set password <password>
        set file-path <string>
        set sensitivity {Critical | Private | Warning}
    next
end
```
| Command | Description |
|---|---|
| server <string> | Enter the IPv4 or IPv6 address of the file server. |
| username <string> | Enter the user name required to log into the file server. |
| password <password> | Enter the password required to log into the file server. |
| file-path <string> | Enter the path on the server to the fingerprint files. |
| sensitivity {Critical \| Private \| Warning} | Set the sensitivity or threat level for matches with this fingerprint database. |
See config dlp fp-doc-source in the FortiProxy CLI Reference for a comprehensive list of commands.
A file server is required for users to upload the files to be fingerprinted. The FortiProxy generates a fingerprint for each uploaded file and stores it locally as a checksum. Currently, only file servers that use the Samba (SMB) protocol are supported.
To configure a DLP fingerprint profile:

```
config dlp profile
    edit <name>
        config rule
            edit <id>
                set severity {info | low | medium | high | critical}
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
        set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}
    next
end
```
| Command | Description |
|---|---|
| severity {info \| low \| medium \| high \| critical} | Set the severity or threat level that matches this filter. |
| proto {smtp \| pop3 \| imap \| http-get \| http-post \| ftp \| nntp \| mapi \| ssh \| cifs} | Set the protocol to inspect. |
| filter-by fingerprint | Set the rule to match against a fingerprint sensitivity. |
| sensitivity {Critical \| Private \| Warning} | Set the fingerprint sensitivity level to match (the level assigned to the document source). |
| action {allow \| log-only \| block \| ban \| quarantine-ip} | Set the action to take with content that matches the DLP profile. |
| full-archive-proto {smtp \| pop3 \| imap \| http-get \| http-post \| ftp \| nntp \| mapi \| ssh \| cifs} | Set the protocols to always content archive. |
Fingerprinting example
This configuration blocks HTTPS download traffic that matches a checksum stored in the FortiProxy fingerprint database.

When inspecting commonly used SSL-encrypted protocols, such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Create or edit an SSL/SSH inspection profile for more information. The client machine must also have the corresponding deep inspection Certificate Authority (CA) certificate installed.

In this example, a file containing sensitive data (a zip archive in the verification step below) is downloaded by the client using the HTTP GET method. The term Protected Server refers to the Samba file server that stores the fingerprint files. It is assumed that you already have a configured Samba file server.

The FortiProxy intercepts the traffic using deep inspection and blocks it because it matches the DLP profile configured on the FortiProxy. See Sample log for a log sample.
To block network traffic that matches the checksums stored in the FortiProxy fingerprint database:

1. Configure the DLP fingerprint document source:

   ```
   config dlp fp-doc-source
       edit "test"
           set server "172.16.200.55"
           set username "kiki"
           set password *****
           set file-path "/Users/"
           set sensitivity "Warning"
       next
   end
   ```

   This step can only be configured in the CLI.

2. Configure the DLP profile:

   ```
   config dlp profile
       edit "fingerprint"
           config rule
               edit 1
                   set proto http-get
                   set filter-by fingerprint
                   set sensitivity "Critical"
                   set action block
               next
           end
       next
   end
   ```

   DLP profiles that filter by fingerprint can only be configured in the CLI.

3. Add the DLP profile to a policy:

   ```
   config firewall policy
       edit 1
           set type explicit-web
           set name "ExplicitPROXY"
           set uuid c0a2e814-7ff8-51ee-1815-054bdf34bd03
           set dstintf "any"
           set srcaddr "LAB-SUBNET"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "webproxy"
           set explicit-web-proxy "web-proxy"
           set utm-status enable
           set logtraffic all
           set log-http-transaction all
           set ssl-ssh-profile "test"
           set dlp-profile "fingerprint"
       next
   end
   ```

   This can also be configured in the GUI. See Create or edit a policy.
To verify the results:

1. Verify that the DLP fingerprint database is present on the FortiProxy:

   ```
   # diagnose te app dlpfingerprint 3
   File DB:
   ---------------------------------------
   id, filename, vdom, archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
   1, /Users/test.pdf, root, 0, 0, 1709852459, fp1, 3, 190, 0,
   2, /Users/test.zip, root, 0, 0, 1710201502, fp1, 3, 1, 0
   ```

2. Verify that HTTP GET traffic matching the checksums stored in the FortiProxy fingerprint database is blocked:

   A download of a zip file from a Linux device was attempted using Firefox. This zip file is the same as the one located on the protected server, and its fingerprint is saved in the FortiProxy fingerprint database.
Sample log

To view the sample log:

1. Go to Log & Report > Security Events and select Data Loss Prevention.

2. View the log details in the GUI, or download the log file:

   ```
   date=2024-03-12 time=17:14:24 eventtime=1710288863581501560 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="Critical, Private, Warning" filtertype="fingerprint" filtercat="file" severity="low" policyid=1 poluuid="c0a2e814-7ff8-51ee-1815-054bdf34bd03" policytype="policy" sessionid=1710678066 epoch=1845053153 eventid=0 srcip=10.40.1.1 srcport=46572 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" srcuuid="7f1725e0-7ff8-51ee-fbe1-b5ff0424dfda" dstip=172.18.20.226 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="zip" direction="incoming" action="block" hostname="172.18.20.226" url=" https://172.18.20.226/files/test.zip" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0" httpmethod="GET" filename="test.zip" filesize=501 profile="fingerprint"
   ```
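The log line above is a FortiOS-style list of key=value pairs in which values containing spaces are double-quoted. The following is an added example, not Fortinet code, that parses such lines and pulls out the events produced by a fingerprint rule, separating those that were blocked from those that were only logged. It relies only on the field names visible in the sample log; the second and third lines in SAMPLE_LOGS are constructed for illustration, and the action="log-only" value in the third is an assumption about what a log-only rule would emit, not a value taken from FortiProxy. The eventtime field is treated as a nanosecond epoch timestamp, which agrees with the date, time and tz fields of the sample.

```python
"""Parse FortiProxy DLP log lines and pick out fingerprint matches.

Added example, not Fortinet code. It assumes the key=value / key="quoted value"
layout of the sample log on this page. The first SAMPLE_LOGS entry is that log;
the other two are constructed, and the "log-only" action string is assumed.
"""
import re
from datetime import datetime, timezone
from typing import Iterator

# One token of a FortiOS-style log line: key=value or key="value with spaces".
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortilog(line: str) -> dict:
    """Turn one log line into a dict; quoted values keep inner spaces, outer spaces are stripped."""
    out = {}
    for m in _KV.finditer(line):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        out[m.group(1)] = value.strip()      # the sample's url has a stray leading space
    return out


def _event_time(rec: dict):
    ns = rec.get("eventtime")               # nanoseconds since the epoch, UTC
    return datetime.fromtimestamp(int(ns) / 1e9, tz=timezone.utc) if ns else None


def fingerprint_events(lines) -> Iterator[dict]:
    """Yield a compact summary of every DLP event raised by a fingerprint rule."""
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "dlp":
            continue
        if rec.get("filtertype") != "fingerprint":
            continue
        yield {
            "time": _event_time(rec),
            "src": f'{rec.get("srcip", "")}:{rec.get("srcport", "")}',
            "dst": f'{rec.get("dstip", "")}:{rec.get("dstport", "")}',
            "url": rec.get("url", ""),
            "filename": rec.get("filename", ""),
            "action": rec.get("action", ""),
            "policyid": rec.get("policyid", ""),
            "profile": rec.get("profile", ""),
            "sensitivities": [s.strip() for s in rec.get("dlpextra", "").split(",") if s.strip()],
        }


def blocked_fingerprint_events(lines) -> list:
    """Only the fingerprint events whose configured action actually stopped the transfer."""
    return [e for e in fingerprint_events(lines) if e["action"] == "block"]


SAMPLE_LOGS = [
    # Line 1: the sample log from this page.
    'date=2024-03-12 time=17:14:24 eventtime=1710288863581501560 tz="-0700" logid="0954024576" '
    'type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 '
    'dlpextra="Critical, Private, Warning" filtertype="fingerprint" filtercat="file" severity="low" '
    'policyid=1 poluuid="c0a2e814-7ff8-51ee-1815-054bdf34bd03" policytype="policy" sessionid=1710678066 '
    'epoch=1845053153 eventid=0 srcip=10.40.1.1 srcport=46572 srccountry="Reserved" srcintf="port1" '
    'srcintfrole="undefined" srcuuid="7f1725e0-7ff8-51ee-fbe1-b5ff0424dfda" dstip=172.18.20.226 '
    'dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" '
    'filetype="zip" direction="incoming" action="block" hostname="172.18.20.226" '
    'url=" https://172.18.20.226/files/test.zip" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) '
    'Gecko/20100101 Firefox/123.0" httpmethod="GET" filename="test.zip" filesize=501 profile="fingerprint"',
    # Line 2 (constructed): an ordinary traffic log that the filter must ignore.
    'date=2024-03-12 time=17:14:30 eventtime=1710288870000000000 tz="-0700" type="traffic" '
    'subtype="forward" srcip=10.40.1.1 dstip=172.18.20.226 action="accept"',
    # Line 3 (constructed): a fingerprint hit from a rule that does not block;
    # the action string is an assumption, not taken from a real FortiProxy log.
    'date=2024-03-12 time=17:15:02 eventtime=1710288902000000000 tz="-0700" type="utm" subtype="dlp" '
    'dlpextra="Warning" filtertype="fingerprint" policyid=1 srcip=10.40.1.2 srcport=50210 '
    'dstip=172.18.20.226 dstport=443 action="log-only" url="https://172.18.20.226/files/notes.pdf" '
    'filename="notes.pdf" profile="fingerprint"',
]

if __name__ == "__main__":
    for e in fingerprint_events(SAMPLE_LOGS):
        print(e["time"], e["action"], e["src"], "->", e["url"], e["sensitivities"])
```

Feeding a downloaded log file in line by line gives one summary per fingerprint hit; the blocked list is the one worth alerting on, while the remainder shows which rules are still in log-only mode and what they would have stopped. Note that date and time are in the device's local zone (tz="-0700" here) while the converted eventtime is UTC, so the two differ by the offset.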