
Inspection mode differences for Data Leak Prevention

This section identifies the behavioral differences between Data Leak Prevention (DLP) operating in flow and proxy inspection.

Feature comparison between DLP inspection modes

The following table indicates which DLP filters are supported by their designated inspection modes.

                   Credit Card  SSN     Regex   File-Type  File-Pattern  Fingerprint  Watermark  Encrypted  File-Size
                   Filter       Filter  Filter  Filter     Filter        Filter       Filter     Filter     Filter
  Proxy            Yes          Yes     Yes     Yes        Yes           Yes          Yes        Yes        Yes
  Flow             Yes          Yes     Yes     No         Yes           No           No         Yes        Yes*

*File-size filtering will only work if file size is present in the protocol exchange.

Protocol comparison between DLP inspection modes

The following table indicates which protocols can be inspected by DLP based on the specified inspection modes.

  HTTP FTP IMAP POP3 SMTP NNTP MAPI CIFS
Proxy Yes Yes Yes Yes Yes Yes Yes No
Flow Yes Yes Yes Yes Yes No No No

Inspection mode differences for Antivirus

This section identifies the behavioral differences between Antivirus operating in flow and proxy inspection.

Feature comparison between Antivirus inspection modes

The following table indicates which Antivirus features are supported by their designated scan modes.

Part 1

                   Replacement  Content  Mobile   Virus     Sandbox     NAC
                   Message      Disarm   Malware  Outbreak  Inspection  Quarantine
  Proxy            Yes          Yes      Yes      Yes       Yes         Yes
  Flow Full Mode   Yes*         No       Yes      Yes       Yes         Yes
  Flow Quick Mode  Yes*         No       No       No        Yes         Yes

*IPS Engine caches the URL and a replacement message will be presented after the second attempt.

Part 2

                   Archive   Emulator  Client      Infection   Heuristics  Treat EXE
                   Blocking            Comforting  Quarantine              as Virus
  Proxy            Yes       Yes       Yes         Yes (1)     Yes         Yes (2)
  Flow Full Mode   Yes       Yes       No          Yes (1)     Yes         Yes (2)
  Flow Quick Mode  No        No        No          No          No          No
  1. Only available on FortiGate models with HDD or when FortiAnalyzer or FortiCloud is connected and enabled.
  2. Only applies to inspection on IMAP, POP3, SMTP, and MAPI protocols.

Protocol comparison between Antivirus inspection modes

The following table indicates which protocols can be inspected by the designated Antivirus scan modes.

  HTTP FTP IMAP POP3 SMTP NNTP MAPI CIFS
Proxy Yes Yes Yes Yes Yes Yes Yes Yes*
Flow Full Mode Yes Yes Yes Yes Yes No No Yes
Flow Quick Mode Yes Yes Yes Yes Yes No No Yes

* Proxy mode Antivirus inspection on CIFS protocol has the following limitations:

  • Cannot detect infections within archive files
  • Cannot detect oversized files
  • Will block special archive types by default
  • IPv6 is not supported yet (at the time of FOS v6.2.0 GA)

Other Antivirus differences between inspection modes

Flow Quick mode uses a separate pre-filtering database for malware detection as opposed to the full AV signature database that Flow Full and Proxy mode inspection use.

Proxy mode uses pre-scanning and stream-based scanning for HTTP traffic. This allows archive files that exceed the oversize limit to be uncompressed and scanned for infections.

Inspection mode feature comparison

The following table shows which UTM profile can be configured on a flow mode or proxy mode inspection policy. Remember that some UTM profiles are hidden in the GUI, but can be configured by using the FortiOS CLI.

  Flow Mode Inspection Policy Proxy Mode Inspection Policy
UTM Profile GUI CLI GUI CLI
Antivirus Yes (2) Yes (2) Yes Yes
Application Control Yes Yes Yes Yes
CIFS Inspection No No No (1) Yes
Data Leak Prevention No Yes (3) Yes Yes
DNS Filter Yes Yes Yes Yes
Email Filter No Yes (4) Yes Yes
ICAP No No Yes Yes
Intrusion Prevention System Yes Yes Yes Yes
SSL/SSH Inspection Yes Yes Yes Yes
VoIP No No Yes Yes
Web Filter Yes (5) Yes (5) Yes Yes
Web Application Firewall No No Yes Yes
  1. CIFS inspection cannot be configured via GUI.
  2. Some Antivirus features are not supported in flow mode inspection. See Inspection mode differences for Antivirus.
  3. Some Data Leak Prevention features are not supported in flow mode inspection. See Inspection mode differences for Data Leak Prevention.
  4. Some Email filter features are not supported in flow mode inspection. See Inspection mode differences for Email Filter.
  5. Some Web filter features are not supported in flow mode inspection. See Inspection mode differences for Web Filter.

Proxy mode inspection

When a firewall policy's inspection mode is set to proxy, traffic flowing through the policy will be buffered by the FortiGate for inspection. This means that the packets for a file, email message, or web page will be held by the FortiGate until the entire payload is inspected for violations (virus, spam, or malicious web links). After FortiOS has finished the inspection, the payload is either released to the destination (if traffic is clean) or dropped and replaced with a replacement message (if traffic contains violations).

To optimize inspection, the policy can be configured to block or ignore files or messages that exceed a certain size. To prevent the receiving end user from timing out, client comforting can be applied, which allows small portions of the payload to be sent while it is undergoing inspection.

Proxy mode provides the most thorough inspection of the traffic; however, its thoroughness sacrifices performance, making its throughput slower than that of a flow-mode policy. Under normal traffic circumstances, the throughput difference between a proxy-based and flow-based policy is not significant.

Flow mode inspection (default mode)

When a firewall policy’s inspection mode is set to flow, traffic flowing through the policy will not be buffered by the FortiGate. Unlike proxy mode, the content payload passing through the policy will be inspected on a packet by packet basis with the very last packet held by the FortiGate until the scan returns a verdict. If a violation is detected in the traffic, a reset packet is issued to the receiver, which terminates the connection, and prevents the payload from being sent successfully.

Because of this method, flow mode inspection cannot be as thorough as proxy mode inspection and has some feature limitations. For example, flow mode inspection determines a file's size from the file size information carried in the protocol exchange. If the size is not present in the protocol exchange, the file's size cannot be determined, and the flow-based policy will block or pass the file according to its configured default, regardless of whether the file would actually have met the file size limit.

The objective of flow-based policy is to optimize performance and increase throughput. Although it is not as thorough as a proxy-based policy, flow mode inspection is still very reliable.
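The file-size limitation described above, as an added example that is not FortiOS code: flow mode can only learn a file's size from the protocol exchange, which for HTTP means the Content-Length header, and a chunked response announces no size at all, so the policy has to fall back to its configured default. The two response heads, the 10 MiB limit, and the 'block'/'pass' fallback names are constructed for illustration.

```python
"""Added example (not FortiOS code): why flow-mode file-size filtering is
best-effort. The response heads below are constructed; the limit is illustrative."""

# Constructed HTTP/1.1 response heads (headers only, no bodies).
RESPONSE_WITH_LENGTH = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/zip\r\n"
    b"Content-Length: 15728640\r\n"     # 15 MiB declared by the server
    b"\r\n"
)
RESPONSE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/zip\r\n"
    b"Transfer-Encoding: chunked\r\n"   # size is announced nowhere
    b"\r\n"
)

TEN_MIB = 10 * 1024 * 1024


def parse_headers(raw: bytes) -> dict:
    """Parse a response head into a dict keyed by lower-cased header name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def declared_size(headers: dict):
    """Size announced in the exchange, or None when absent or unusable.
    A chunked transfer carries no size, so Content-Length is ignored then."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return None
    value = headers.get("content-length")
    if value is None or not value.isdigit():
        return None
    return int(value)


def flow_file_size_verdict(raw: bytes, limit: int, unknown_size_action: str) -> str:
    """Flow-mode decision: compare the declared size with the limit; when no
    size is present, apply the configured fallback ('block' or 'pass')."""
    if unknown_size_action not in ("block", "pass"):
        raise ValueError("unknown_size_action must be 'block' or 'pass'")
    size = declared_size(parse_headers(raw))
    if size is None:
        return unknown_size_action
    return "block" if size > limit else "pass"
```

The declared size is whatever the remote peer chose to send, so a flow-mode size decision is only as good as that header; a proxy-mode policy, which buffers the whole payload, counts the bytes it actually received.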

DLP watermarking

Watermarking marks files with a digital pattern to designate them as proprietary to a specific company. A small pattern is added to the file that is recognized by the DLP watermark filter, but is invisible to the end user (except for text files).

FortiExplorer client, or a Linux-based command line tool, can be used to add a watermark to the following file types:

  • .txt
  • .doc and .docx
  • .pdf
  • .ppt and .pptx
  • .xls and .xlsx

The following information is covered in this section:

  • Watermarking a file with FortiExplorer.
  • Watermarking a file with the Linux tool.
  • Configuring a DLP sensor to detect watermarked files.

FortiExplorer

In this example, a watermark will be added to a small text file. The content of the file is:

This is to show how DLP watermarking is done using FortiExplorer.

FortiExplorer can also be used to watermark an entire directory.

To watermark the text file with FortiExplorer:

  1. Open the FortiExplorer client.
  2. Select DLP Watermark from the left side bar.
  3. Set Apply Watermark To to Select File.
  4. Browse for the file and copy the file's path into the Select File field.
  5. Set the Sensitivity Level. The available options are: Critical, Private, and Warning.
  6. Enter a company identifier in the Identifier field.
  7. Select the Output Directory where the watermarked file will be saved.
  8. Click Apply Watermark. The file is watermarked.
  9. The watermarked file content is changed to:

This is to show how DLP watermarking is done using FortiExplorer.=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=

Linux-based command line tool

A Linux-based command line tool can be used to watermark files. The tool is executed in a Linux environment and is passed either individual files or directories of files.

To download the tool:

  1. Log in to Fortinet Service and Support. A valid support contract is required.
  2. Go to Download > Firmware Images.
  3. Select the Download tab, and go to FortiGate/v5.00/5.0/5.0.0/WATERMARK.
  4. Download the fortinet-watermark-linux.out file.

To run the tool:

Enter the following to run the tool on a file:

watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level>

Enter the following to run the tool on a directory:

watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>

The following options are available:

-h Print this help.
-I Watermark the file in place (don’t make a copy of the file).
-o The output file or directory.
-e Encode <to non-readable>.
-i Add a watermark identifier.
-l Add a watermark sensitivity level.
-D Delete a watermark identifier.
-L Delete a watermark sensitivity level.
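The plain-text watermark layout shown in the FortiExplorer example above, as an added example that is neither Fortinet's watermark tool nor FortiExplorer: it appends, reads and strips a marker in the layout the page shows for a .txt file, and evaluates a watermark filter against it. The marker strings are copied from the page's sample output; how the Fortinet tool marks .doc, .pdf, .xls and .ppt files, and what its -e (encode) option produces, is not reproduced. That the filter requires both the identifier and the sensitivity to match exactly is an assumption of this example.

```python
"""Added example, not Fortinet's tool: apply/read/strip the text-file watermark
layout shown on the page, and evaluate a 'filter-by watermark' entry against it."""
import re

SENSITIVITY_LEVELS = ("Critical", "Private", "Warning")
# Marker pieces exactly as they appear in the page's sample output.
_LEAD = "=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-="
_TAIL = "=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-="
# The page's before/after sample, kept here to check the layout round-trips.
PLAIN = "This is to show how DLP watermarking is done using FortiExplorer."
PAGE_SAMPLE = (PLAIN + "=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-="
               "identifier=FortiDemo sensitivity=Critical"
               "=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=")

# Tolerant reader: any run of '=' / '-' around the two fields, at end of text.
_MARK_RE = re.compile(
    r"[=-]+identifier=(?P<id>[^\s=]+) sensitivity=(?P<lvl>Critical|Private|Warning)[=-]+\Z"
)


def read_watermark(text: str):
    """Return (identifier, sensitivity) if the text ends with a marker, else None."""
    m = _MARK_RE.search(text)
    return (m.group("id"), m.group("lvl")) if m else None


def strip_watermark(text: str) -> str:
    """Remove a trailing marker; text without one is returned unchanged."""
    m = _MARK_RE.search(text)
    return text[:m.start()] if m else text


def apply_watermark(text: str, identifier: str, sensitivity: str) -> str:
    """Append a marker; an existing marker is replaced rather than stacked."""
    if sensitivity not in SENSITIVITY_LEVELS:
        raise ValueError(f"sensitivity must be one of {SENSITIVITY_LEVELS}")
    if not identifier or re.search(r"[\s=]", identifier):
        raise ValueError("identifier must be non-empty with no whitespace or '='")
    text = strip_watermark(text)
    return f"{text}{_LEAD}identifier={identifier} sensitivity={sensitivity}{_TAIL}"


def watermark_filter(text: str, company_identifier: str, sensitivity: str, action: str) -> str:
    """A 'filter-by watermark' sensor entry (exact match is an assumption):
    apply the configured action only when identifier and sensitivity both
    match; unmarked or differently marked content is allowed through."""
    mark = read_watermark(text)
    if mark is None:
        return "allow"
    ident, level = mark
    return action if (ident == company_identifier and level == sensitivity) else "allow"
```

Because the text-file marker is literally appended to the content, it is also trivially removable by anyone who can edit the file; the filter catches accidental and careless leaks of marked documents, not a determined exfiltrator.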

DLP watermark sensor

A DLP watermark sensor must be configured to detect watermarked files.

To configure a DLP watermark sensor:

config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}    <-- protocol to inspect
                set filter-by watermark
                set sensitivity {Critical | Private | Warning}
                set company-identifier <string>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end

DLP fingerprinting

DLP fingerprinting can be used to detect sensitive data. The file that the DLP sensor will filter for is uploaded, and the FortiGate generates and stores a checksum fingerprint for it. The FortiGate then generates a fingerprint for every file it detects in network traffic and compares it against the checksums stored in its database. If a match is found, the configured action is taken.

Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

To use fingerprinting:

  • Select the files to be fingerprinted by targeting a document source.
  • Add fingerprinting filters to DLP sensors.
  • Add the sensors to firewall policies that accept the traffic that fingerprinting will be applied to.

To configure a DLP fingerprint document:

config dlp fp-doc-source
    edit <name_str>
        set server-type smb
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity {Critical | Private | Warning}
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    next
end

Command Description
server-type smb The protocol used to communicate with document server. Only Samba (SMB) servers are supported.
server <string> IPv4 or IPv6 address of the server.
period {none | daily | weekly | monthly} The frequency that the FortiGate checks the server for new or changed files.
vdom {mgmt | current} The VDOM that can communicate with the file server.
scan-subdirectories {enable | disable} Enable/disable scanning subdirectories to find files.
remove-deleted {enable | disable} Enable/disable keeping the fingerprint database up to date when a file is deleted from the server.
keep-modified {enable | disable} Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server.
username <string> The user name required to log into the file server.
password <password> The password required to log into the file server.
file-path <string> The path on the server to the fingerprint files.
file-pattern <string> Files matching this pattern on the server are fingerprinted.
sensitivity <Critical | Private | Warning> The sensitivity or threat level for matches with this fingerprint database.
tod-hour <integer> Set the hour of the day. This option is only available when period is not none.
tod-min <integer> Set the minute of the hour. This option is only available when period is not none.
weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday} Set the day of the week. This option is only available when period is weekly.
date <integer> Set the day of the month. This option is only available when period is monthly.

To configure a DLP fingerprint sensor:

config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end

Command Description
proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi} The protocol to inspect.
filter-by fingerprint Match against a fingerprint sensitivity.
sensitivity {Critical | Private | Warning} Select a DLP file pattern sensitivity to match.
match-percentage <integer> The percentage of the checksum required to match before the sensor is triggered.
action {allow | log-only | block | ban | quarantine-ip} The action to take with content that this DLP sensor matches.
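The document-source and fingerprint-sensor settings above, as an added example that is a model of the mechanism and not FortiOS's implementation: a document is split into fixed-size chunks and each chunk's checksum is stored (the page's database dump reports a chunkCnt and reviseCnt per file); a file seen in traffic is chunked the same way and the share of the fingerprinted file's chunks found in it is compared with match-percentage. The keep-modified and remove-deleted behaviours follow the command descriptions above. The chunk size (64 bytes), the use of SHA-256, the definition of the percentage, and the sample document are this example's assumptions and constructions.

```python
"""Added example (not FortiOS code): a chunk-hash model of DLP fingerprinting
with match-percentage, keep-modified and remove-deleted semantics."""
import hashlib
from collections import defaultdict

CHUNK_SIZE = 64  # assumption; the FortiGate's chunking is not documented here


def _row(text: bytes) -> bytes:
    """Pad a line to exactly CHUNK_SIZE bytes so chunks line up with rows."""
    return text.ljust(CHUNK_SIZE - 1, b" ") + b"\n"


# Constructed sample document: eight 64-byte rows, hence eight distinct chunks.
ROWS = [_row(b"ACME confidential forecast row %02d: revenue %dk" % (i, 1200 + 37 * i))
        for i in range(8)]
SECRET = b"".join(ROWS)
# A later revision of the same document with only its last row changed.
SECRET_V2 = b"".join(ROWS[:7]) + _row(b"ACME confidential forecast row 07: revenue 2500k (revised)")


def chunk_hashes(data: bytes, size: int = CHUNK_SIZE) -> list:
    """Fixed-size chunking; each chunk's SHA-256 is the stored checksum."""
    return [hashlib.sha256(data[i:i + size]).hexdigest() for i in range(0, len(data), size)]


class FingerprintDB:
    """Chunk index standing in for the FortiGate's fingerprint database."""

    def __init__(self):
        self.index = defaultdict(set)   # chunk hash -> names of files containing it
        self.file_chunks = {}           # file name -> set of its chunk hashes
        self.meta = {}                  # file name -> {"sensitivity", "reviseCnt"}

    def add_file(self, name, data, sensitivity, keep_modified=True):
        """Fingerprint a document-source file. When a changed file is re-scanned,
        keep-modified enable keeps the old revision's chunks beside the new ones."""
        if name in self.meta:
            if not keep_modified:
                self._drop_chunks(name)
            self.meta[name]["reviseCnt"] += 1
        else:
            self.file_chunks[name] = set()
            self.meta[name] = {"sensitivity": sensitivity, "reviseCnt": 0}
        for h in chunk_hashes(data):
            self.index[h].add(name)
            self.file_chunks[name].add(h)

    def _drop_chunks(self, name):
        for h in self.file_chunks.get(name, ()):
            self.index[h].discard(name)
            if not self.index[h]:
                del self.index[h]
        self.file_chunks[name] = set()

    def remove_file(self, name):
        """remove-deleted enable: a file gone from the server loses its fingerprint."""
        self._drop_chunks(name)
        self.file_chunks.pop(name, None)
        self.meta.pop(name, None)

    def chunk_count(self, name) -> int:
        return len(self.file_chunks[name])

    def revise_count(self, name) -> int:
        return self.meta[name]["reviseCnt"]

    def match(self, data) -> dict:
        """For each fingerprinted file with at least one hit, the percentage of
        its chunks present in the observed data (integer, rounded down)."""
        observed = set(chunk_hashes(data))
        result = {}
        for name, chunks in self.file_chunks.items():
            hits = len(chunks & observed)
            if hits:
                result[name] = 100 * hits // len(chunks)
        return result


def sensor_verdict(db, data, sensitivity, match_percentage, action) -> str:
    """A 'filter-by fingerprint' entry: fire when some fingerprinted file of the
    configured sensitivity matches at least match-percentage; otherwise allow."""
    for name, pct in db.match(data).items():
        if db.meta[name]["sensitivity"] == sensitivity and pct >= match_percentage:
            return action
    return "allow"
```

The shifted-by-one-byte case in the checks below is the weakness of fixed-size chunking: a single inserted byte moves every later chunk boundary and the match drops to zero, which is why production fingerprinting schemes use content-defined chunk boundaries rather than fixed offsets.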

View the DLP fingerprint database on the FortiGate

The CLI debug command diagnose test application dlpfingerprint can be used to display the fingerprint information that is on the FortiGate.

Fingerprint Daemon Test Usage;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1 : This menu
2 : Dump database
3 : Dump all files
4 : Dump all chunk
5 : Refresh all doc sources in all VDOMs
6 : Show the db file size and the limit
7 : Display stats
8 : Clear stats
99 : Restart this daemon

For example, option 3 will dump all fingerprinted files:

DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
—————————————
id, filename, vdom, archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1, /fingerprint/upload/1.txt, vdom1, 0, 0, 1494868196, 1, 2, 1, 0,
2, /fingerprint/upload/30percentage.xls, vdom1, 0, 0, 1356118250, 1, 2, 13, 0,
3, /fingerprint/upload/50.pdf, vdom1, 0, 0, 1356118250, 1, 2, 122, 0,
4, /fingerprint/upload/50.pdf.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 114, 0,
5, /fingerprint/upload/check-list_AL-SIP_HA.xls, vdom1, 0, 0, 1356118251, 1, 2, 32, 0,
6, /fingerprint/upload/clean.zip, vdom1, 0, 0, 1356118251, 1, 2, 1, 0,
7, /fingerprint/upload/compare.doc, vdom1, 0, 0, 1522097410, 1, 2, 18, 0,
8, /fingerprint/upload/dlpsensor-watermark.pdf, vdom1, 0, 0, 1356118250, 1, 2, 11, 0,
9, /fingerprint/upload/eicar.com, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
10, /fingerprint/upload/eicar.zip, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt, vdom1, 0, 0, 1356118250, 1, 2, 11, 0,
12, /fingerprint/upload/encrypt.zip, vdom1, 0, 0, 1356118250, 1, 2, 77, 0,
13, /fingerprint/upload/extension_7_8_1.crx, vdom1, 0, 0, 1528751781, 1, 2, 2720, 0,
14, /fingerprint/upload/fingerprint.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0,
15, /fingerprint/upload/fingerprint90.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0,
16, /fingerprint/upload/fo2.pdf, vdom1, 0, 0, 1450488049, 1, 2, 1, 0,
17, /fingerprint/upload/foo.doc, vdom1, 0, 0, 1388538131, 1, 2, 9, 0,
18, /fingerprint/upload/fortiauto.pdf, vdom1, 0, 0, 1356118251, 1, 2, 146, 0,
19, /fingerprint/upload/image.out, vdom1, 0, 0, 1531802940, 1, 2, 5410, 0,
20, /fingerprint/upload/jon_file.txt, vdom1, 0, 0, 1536596091, 1, 2, 1, 0,
21, /fingerprint/upload/machotest, vdom1, 0, 0, 1528751955, 1, 2, 19, 0,
22, /fingerprint/upload/nntp-server.doc, vdom1, 0, 0, 1356118250, 1, 2, 17, 0,
23, /fingerprint/upload/notepad++.exe, vdom1, 0, 0, 1456090734, 1, 2, 1061, 0,
24, /fingerprint/upload/nppIExplorerShell.exe, vdom1, 0, 0, 1438559930, 1, 2, 5, 0,
25, /fingerprint/upload/NppShell_06.dll, vdom1, 0, 0, 1456090736, 1, 2, 111, 0,
26, /fingerprint/upload/PowerCollections.chm, vdom1, 0, 0, 1533336889, 1, 2, 728, 0,
27, /fingerprint/upload/reflector.dmg, vdom1, 0, 0, 1533336857, 1, 2, 21117, 0,
28, /fingerprint/upload/roxio.iso, vdom1, 0, 0, 1517531765, 1, 2, 49251, 0,
29, /fingerprint/upload/SciLexer.dll, vdom1, 0, 0, 1456090736, 1, 2, 541, 0,
30, /fingerprint/upload/screen.jpg, vdom1, 0, 0, 1356118250, 1, 2, 55, 0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, vdom1, 0, 0, 1356118251, 1, 2, 31, 0,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea, vdom1, 0, 0, 1529019743, 1, 2, 1, 0,
33, /fingerprint/upload/test.pdf, vdom1, 0, 0, 1356118250, 1, 2, 5, 0,
34, /fingerprint/upload/test.tar, vdom1, 0, 0, 1356118251, 1, 2, 3, 0,
35, /fingerprint/upload/test.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
36, /fingerprint/upload/test1.txt, vdom1, 0, 0, 1540317547, 1, 2, 1, 0,
37, /fingerprint/upload/thousand-files.zip, vdom1, 0, 0, 1536611774, 1, 2, 241, 0,
38, /fingerprint/upload/Thumbs.db, vdom1, 0, 0, 1445878135, 1, 2, 3, 0,
39, /fingerprint/upload/widget.pdf, vdom1, 0, 0, 1356118251, 1, 2, 18, 0,
40, /fingerprint/upload/xx00-xx01.tar, vdom1, 0, 0, 1356118250, 1, 2, 5, 0,
41, /fingerprint/upload/xx02-xx03.tar.gz, vdom1, 0, 0, 1356118251, 1, 2, 1, 0,