DLP watermarking

Watermarking marks files with a digital pattern to designate them as proprietary to a specific company. A small pattern is added to the file that is recognized by the DLP watermark filter, but is invisible to the end user (except for text files).

The FortiExplorer client or a Linux-based command line tool can be used to add a watermark to the following file types:

  • .txt
  • .doc and .docx
  • .pdf
  • .ppt and .pptx
  • .xls and .xlsx

The following information is covered in this section:

  • Watermarking a file with FortiExplorer.
  • Watermarking a file with the Linux tool.
  • Configuring a DLP sensor to detect watermarked files.

FortiExplorer

In this example, a watermark will be added to a small text file. The content of the file is:

This is to show how DLP watermarking is done using FortiExplorer.

FortiExplorer can also be used to watermark an entire directory.

To watermark the text file with FortiExplorer:

  1. Open the FortiExplorer client.
  2. Select DLP Watermark from the left side bar.
  3. Set Apply Watermark To to Select File.
  4. Browse for the file and copy the file's path into the Select File field.
  5. Set the Sensitivity Level. The available options are: Critical, Private, and Warning.
  6. Enter a company identifier in the Identifier field.
  7. Select the Output Directory where the watermarked file will be saved.
  8. Click Apply Watermark. The file is watermarked.
  9. The watermarked file content is changed to:

    This is to show how DLP watermarking is done using FortiExplorer.=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Note: The watermark pattern is visible in text files. For all other supported file types, it is invisible.

Linux-based command line tool

A Linux-based command line tool can be used to watermark files. The tool can be executed in a Linux environment by passing in files or directories of files.

To download the tool:

  1. Log in to Fortinet Service and Support. A valid support contract is required.
  2. Go to Download > Firmware Images.
  3. Select the Download tab, and go to FortiGate/v5.00/5.0/5.0.0/WATERMARK.
  4. Download the fortinet-watermark-linux.out file.

To run the tool:

Enter the following to run the tool on a file:

watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level>

Enter the following to run the tool on a directory:

watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>

The following options are available:

  -h    Print this help.
  -I    Watermark the file in place (don't make a copy of the file).
  -o    The output file or directory.
  -e    Encode <to non-readable>.
  -i    Add a watermark identifier.
  -l    Add a watermark sensitivity level.
  -D    Delete a watermark identifier.
  -L    Delete a watermark sensitivity level.

DLP watermark sensor

A DLP watermark sensor must be configured to detect watermarked files.

To configure a DLP watermark sensor:
config dlp sensor
   edit <sensor name>
      config filter
         edit <id number of filter>
           set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi} <-- Protocol to inspect
           set filter-by watermark
           set sensitivity {Critical | Private | Warning}
           set company-identifier <string>
           set action {allow | log-only | block | ban | quarantine-ip}
         next
      end
   next
end
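
The sensor filter above is keyed on a company identifier and a sensitivity level, so before choosing a blocking action it helps to confirm which files actually carry the expected values. The following is an added example, not Fortinet code: it reads the visible text-file watermark in the form shown earlier and classifies the .txt files in a directory. The function names, the sample files and the accepted delimiter length are assumptions, and it does not cover files watermarked with -e or the non-text file types.

```python
import re
import tempfile
from pathlib import Path

# Visible text-file watermark, as in the FortiExplorer example on this page:
#   =-=-...-=identifier=<id> sensitivity=<level>=-=-...-=
# Assumption: the delimiter run length is not documented on the page, so any
# run of three or more "-=" pairs is accepted.
WATERMARK_RE = re.compile(
    r"=(?:-=){3,}identifier=(?P<identifier>\S+) "
    r"sensitivity=(?P<sensitivity>Critical|Private|Warning)=(?:-=){3,}"
)

def read_watermark(text):
    """Return (identifier, sensitivity) for the last watermark in text, or None."""
    matches = list(WATERMARK_RE.finditer(text))
    if not matches:
        return None
    last = matches[-1]  # the example shows the mark appended after the content
    return last["identifier"], last["sensitivity"]

def audit_directory(root, identifier, sensitivity):
    """Classify every .txt file under root against the sensor's expected values."""
    report = {"match": [], "mismatch": [], "unmarked": []}
    for path in sorted(Path(root).rglob("*.txt")):
        mark = read_watermark(path.read_text(errors="replace"))
        if mark is None:
            report["unmarked"].append(path.name)
        elif mark == (identifier, sensitivity):
            report["match"].append(path.name)
        else:
            report["mismatch"].append(path.name)
    return report

def demo():
    """Audit three constructed sample files written to a temporary directory."""
    delim = "=" + "-=" * 19
    body = "This is to show how DLP watermarking is done using FortiExplorer."
    with tempfile.TemporaryDirectory() as tmp:
        for name, level in (("a.txt", "Critical"), ("b.txt", "Warning")):
            mark = f"{delim}identifier=FortiDemo sensitivity={level}{delim}"
            Path(tmp, name).write_text(body + mark)
        Path(tmp, "c.txt").write_text(body)  # never watermarked
        return audit_directory(tmp, "FortiDemo", "Critical")

if __name__ == "__main__":
    print(demo())
```

Files reported as unmarked or mismatch would not be matched by a filter configured for FortiDemo and Critical, so they are the ones to re-watermark or cover with a separate filter.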
