Data Leak Prevention – Fortinet FortiGate

DLP document fingerprinting

One of the DLP techniques to detect sensitive data is fingerprinting (also called document fingerprinting). Most DLP techniques rely on you providing a characteristic of the file you want to detect, whether it’s the file type, the file name, or part of the file contents. Fingerprinting is different in that you provide the file itself. The FortiGate unit then generates a checksum fingerprint and stores it. The FortiGate unit generates a fingerprint for all files detected in network traffic, and it is compared to all of the fingerprints stored in its fingerprint database. If a match is found, the configured action is taken.

The document fingerprint feature requires a FortiGate unit with internal storage. The document fingerprinting menu item does not appear on models without internal storage.

Any type of file can be detected by DLP fingerprinting and fingerprints can be saved for each revision of your files as they are updated.

To use fingerprinting you select the documents to be fingerprinted and then add fingerprinting filters to DLP sensors and add the sensors to firewall policies that accept the traffic to which to apply fingerprinting.

Fingerprinted Documents

The FortiGate unit must have access to the documents for which it generates fingerprints. One method is to manually upload documents to be fingerprinted directly to the FortiGate unit. The other is to allow the FortiGate unit to access a network share that contains the documents to be fingerprinted.

If only a few documents are to be fingerprinted, a manual upload may be the easiest solution. If many documents require fingerprinting, or if the fingerprinted documents are frequently revised, using a network share makes user access easier to manage.

To configure manual document fingerprints

  1. Go to Security Profiles > Data Leak Prevention > Document Fingerprinting.
  2. In the Manual Document Fingerprints section, select Create New.
  3. Select the file to be fingerprinted.
  4. Choose a Sensitivity level. The default choices are Critical, Private and Warning, but more can be added in the CLI.
  5. If the file is an archive containing other files, select Process files inside archive if you also want the individual files inside the archive to have fingerprints generated in addition to the archive itself.
  6. Select OK.

The file is uploaded and a fingerprint generated.

To configure a fingerprint document source

  1. Go to Security Profiles > Data Leak Prevention > Document Fingerprinting.
  2. In the Document Sources section, select Create New.
  3. Configure the settings:
Name Enter a descriptive name for the document source.
Server Type This refers to the type of server share that is being accessed. The default is Windows Share but this will also work on Samba shares.
Server Address Enter the IP address of the server.
User Name

Password

Enter the user name and password of the account the FortiGate unit uses to access the server network share.
Path Enter the path to the document folder.
Filename Pattern You may enter a filename pattern to restrict fingerprinting to only those files that match the pattern. To fingerprint all files, enter an asterisk (“*”).
Sensitivity Level Select a sensitivity level. The sensitivity is a tag for your reference that is included in the log files. It does not change how fingerprinting works.
Scan Periodically To have the files on the document source scanned on a regular basis, select this option. This is useful if files are added or changed regularly. Once selected, you can choose Daily, Weekly, or Monthly update options, and enter the time of day the files are fingerprinted.
Advanced Expand the Advanced heading for additional options.
Fingerprint files in subdirectories By default, only the files in the specified path are fingerprinted. Files in subdirectories are ignored. Select this option to fingerprint files in subdirectories of the specified path.
Remove fingerprints for deleted files Select this option to retain the fingerprints of files deleted from the document source. If this option is disabled, fingerprints for deleted files will be removed when the document source is rescanned.
Keep previous fingerprints for modified files Select this option to retain the fingerprints of previous revisions of updated files. If this option is disabled, fingerprints for previous version of files will be deleted when a new fingerprint is generated.
  1. Select OK.

File filter

File filter is a DLP option that allows you to block files based on their file name or their type.

  • File patterns are a means of filtering based purely on the names of files. They may include wildcards (*). For example, blocking *.scr will stop all files with an scr file extension, which is commonly used for Windows screen saver files. Files trying to pass themselves off as

Windows screen saver files by adopting the file-naming convention will also be stopped.

  • Files can specify the full or partial file name, the full or partial file extension, or any combination. File pattern entries are not case sensitive. For example, adding *.exe to the file pattern list also blocks any files ending with .EXE.
  • Files are compared to the enabled file patterns from top to bottom, in list order.
  • In addition to the built-in patterns, you can specify more file patterns to block. For details, see “Cr eating a file filter list” on page 132.
  • File types are a means of filtering based on an examination of the file contents, regardless of the file name. If you block the file type Archive (zip), all zip archives are blocked even if they are renamed with a different file extension. The FortiGate examines the file contents to determine what type of file it is and then acts accordingly.

The FortiGate unit can take either of the following actions toward the files that match a configured file pattern or type:

  • Block: the file is blocked and a replacement message is sent to the user. If both file pattern filtering and virus scan are enabled, the FortiGate unit blocks files that match the enabled file filter and does not scan these files for viruses.
  • Allow: the file is allowed to pass.

The FortiGate unit also writes a message to the Security log and sends an alert email message if configured to do so.

General configuration steps

The following steps provide an overview of file filter configuration. For best results, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Create a file filter list.
  2. Create one or more file patterns or file types to populate the file filter list.
  3. Enable the file filter list by adding it to a filter in a DLP sensor.
  4. Select the DLP sensor in a security policy.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos