Data Leak Prevention – Fortinet FortiGate

Data leak prevention

The FortiGate data leak prevention (DLP) system allows you to prevent sensitive data from leaving your network. When you define sensitive data patterns, data matching these patterns will be blocked, or logged and allowed, when passing through the FortiGate unit. You configure the DLP system by creating individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule, in a DLP sensor and assign the sensor to a security policy.

Although the primary use of the DLP feature is to stop sensitive data from leaving your network, it can also be used to prevent unwanted data from entering your network and to archive some or all of the content passing through the FortiGate unit.

This section describes how to configure the DLP settings.

The following topics are included:

  • Data leak prevention concepts
  • Enable data leak prevention
  • Fingerprint
  • File filter
  • DLP archiving
  • DLP examples

Data leak prevention concepts

Data leak prevention examines network traffic for data patterns you specify. You define whatever patterns you want the FortiGate unit to look for in network traffic. The DLP feature is broken down into a number of parts.

DLP sensor

A DLP sensor is a package of filters. To use DLP, you must enable it in a security policy and select the DLP sensor to use. The traffic controlled by the security policy will be searched for the patterns defined in the filters contained in the DLP sensor. Matching traffic will be passed or blocked according to how you configured the filters.

DLP filter

Each DLP sensor has one or more filters configured within it. Filters can examine traffic for known files using DLP fingerprints, for files of a particular type or name, for files larger than a specified size, for data matching a specified regular expression, or for traffic matching an advanced rule or compound rule.

Page 121

You can configure the action taken when a match is detected. The actions include:

  • None
  • Log Only,
  • Block
  • Quarantine User,
  • Quarantine IP address
  • Quarantine Interface

Log Only is enabled by default.


Fingerprint scanning allows you to create a library of files for the FortiGate unit to examine. It will create checksum fingerprints so each file can be easily identified. Then, when files appear in network traffic, the FortiGate will generate a checksum fingerprint and compare it to those in the fingerprint database. A match triggers the configured action.

File filter

File filters use file filter lists to examine network traffic for files that match either file names or file types. For example, you can create a file filter list that will find files called secret.* and also all JPEG graphic files. You can create multiple file filter lists and use them in filters in multiple DLP sensors as required.

File size

This filter-type checks for files exceeding a configured size. All files larger than the specified size are subject to the configured action.

Regular expression

The FortiGate unit checks network traffic for the regular expression specified in a regular expression filter. The regular expression library used by Fortinet is a variation of a library called PCRE (Perl Compatible Regular Expressions). A number of these filters can be added to a sensor making a sort of ‘dictionary’ subset within the sensor.

Some other, more limited DLP implementations, use a list of words in a text file to define what words are searched for. While the format used here is slightly different than what some people are used to, the resulting effect is similar. Each Regular Expression filter can be thought of as a more versatile word to be searched against. In this dictionary (or sensor), the list of words is not limited to just predefined words. It can include expressions that can accommodate complex variations on those words and even target phrases. Another advantage of the individual filter model of this dictionary over the list is that each word can be assigned its own action, making this implementation much more granular.


Watermarking is essentially marking files with a digital pattern to mark the file as being proprietary to a specific company. Fortinet has a utility that will apply a digital watermark to files. The utility adds a small (approx. 100 byte) pattern to the file that is recognised by the DLP Watermark filter. the pattern is invisible to the end user.

When watermarking a file it should be verified that the pattern matches up to a category found on the FortiGate firewall. For example, if you are going to watermark a file with the sensitivity


level of “Secret” you should verify that “Secret” is a sensitivity level that has been assigned in the FortiGate unit.

Software Versions

Before planning on using watermarking software it is always best to verify that the software will work with your OS. Currently the utility was only available for the Linux and Windows operating systems.

The Linux version can be found in one of 3 command line executable programs.

  • watermark_linux_amd64
  • watermark_linux_arm
  • watermark_linux_x86

The Windows version is part of the FortiExplorer software.

File types

The Watermark tool does not work with every file type. The following file types are supported by the watermark tool:

  • .txt
  • .pdf
  • .doc
  • .xls
  • .ppt
  • .docx
  • .pptx • .xlsx

Currently the DLP only works with Fortinet’s watermarking software.

Using the FortiExplorer Watermark tool

The FortiExplorer software can be downloaded from the Fortinet Support Site.

  1. Choose whether to “Apply Watermark To:”
  • Select File • Entire Directory
  1. Fill in the fields:
    1. Select File

This Field has a browse icon next to it which will allow the user to browse to and select a single file or directory to apply the water mark to.

  1. Sensitivity Level

This field is a drop down menu that lists the available sensitivity levels that the FortiGate can scan for

  1. Identifier

This is a unique identifier string of characters to identify the company that the document belongs to.

  1. Output Directory

This Field has a browse icon next to it which will allow the user to browse to a directory where the altered file will be placed. If the output directory is the same as the source directory the original file will be overwritten. If the output directory is different than the source directory then the watermarked version of the file will be place there and the unaltered original will be left in the source directory.

  1. Select Apply Watermark to start the process.

You should get output in the window similar to this:

> fortinet-watermark-win.exe -v -f “C:\Users\TestUser\Documents\test document.txt” -i “123456ABC” -l “Private” -o “C:\Users\TestUser\Watermarked Documents”     Creating watermark. Pattern:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=identifier=123456ABC sensitivity=Private=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

–> ‘C:\Users\TestUser\Documents\test document.txt’

Inserted watermark size 231


1 file(s) processed. (success = 1, failure = 0)

Installation of the watermark utility on Linux

Add the watermark file to a location on the system that is in the $PATH.

To see what the path is use the command echo $PATH

Example results:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/ga mes for example you could move or copy the file to the :/bin directory.

Permissions on the watermark file:

Check the existing permissions:

The command in Linux for listing file along with the permissions is: ls -l

Run the check to see if the permission status. The results may be something along these lines:

-rw-r–r– 1 root root 2053868 Jan 10 11:44 watermark

You will see that in this case it has no executable permissions To change the permissions on the watermark file:

It will be assume for this command that the utility is in the bin directory and that you have ownership level access.

chmod o+x /bin/watermark

To verify the change: ls -l wa* -rw-r–r-x 1 root root 2053868 Jan 10 11:44 watermark

You can see how the x for executable has been added to the permissions for the others group.

Syntax of the Watermark utility

The tool is executed in a Linux environment by passing in files or directories of files to insert a watermark.


watermark <options> -f <file name> -i <identifier> -l <sensitivity level> watermark <options> -d <directory> -i <identifier> -l <sensitivity level>


-h print help

-v verbose information

-I inplace watermarking (don’t copy file)

-o output directory

-e encode <to non-readable>

-a add additional watermark (by default replaces watermarks existing watermarks)

-D delete all watermarks

Using the watermark utility

Now if you are in your home directory and you want to watermark a file in the Documents directory you could plan out the command like this: watermark [because that is the executable to be used]

-v [so that you can get as much feedback as possible]

-I [because you don’t want a new file you just want to watermark the existing one]

-f [because you only want to change the one file not the entire directory] filename.pdf [the name of the file]

-i 123456 [to set the identifier to 123456 – this is a required setting

-l Private [to set the sensitivity level to “Private”]

Now at the command prompt enter all of these components in order:

watermark -v -I -f filename.pdf -i 12345 -l Private Creating watermark.  Pattern:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=identifier=12345 sensitivity=Private=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Watermarking file: ‘filename.pdf’

Inserted watermark size 148

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos