DLP fingerprinting

DLP fingerprinting can be used to detect sensitive data. The file that the DLP sensor will filter for is uploaded, and the FortiGate generates and stores a checksum fingerprint for it. The FortiGate unit then generates a fingerprint for every file it detects in network traffic and compares it against the checksums stored in its database. If a match is found, the configured action is taken.

Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

To use fingerprinting:

  • Select the files to be fingerprinted by targeting a document source.
  • Add fingerprinting filters to DLP sensors.
  • Add the sensors to firewall policies that accept the traffic that fingerprinting will be applied to.

To configure a DLP fingerprint document:

config dlp fp-doc-source
    edit <name_str>
        set server-type smb
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity {Critical | Private | Warning}
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    next
end

Command Description
server-type smb The protocol used to communicate with the document server. Only Samba (SMB) servers are supported.
server <string> IPv4 or IPv6 address of the server.
period {none | daily | weekly | monthly} The frequency that the FortiGate checks the server for new or changed files.
vdom {mgmt | current} The VDOM that can communicate with the file server.
scan-subdirectories {enable | disable} Enable/disable scanning subdirectories to find files.
remove-deleted {enable | disable} Enable/disable keeping the fingerprint database up to date when a file is deleted from the server.
keep-modified {enable | disable} Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server.
username <string> The user name required to log into the file server.
password <password> The password required to log into the file server.
file-path <string> The path on the server to the fingerprint files.
file-pattern <string> Files matching this pattern on the server are fingerprinted.
sensitivity {Critical | Private | Warning} The sensitivity or threat level for matches with this fingerprint database.
tod-hour <integer> Set the hour of the day. This option is only available when period is not none.
tod-min <integer> Set the minute of the hour. This option is only available when period is not none.
weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday} Set the day of the week. This option is only available when period is weekly.
date <integer> Set the day of the month. This option is only available when period is monthly.

To configure a DLP fingerprint sensor:

config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end

Command Description
proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi} The protocol to inspect.
filter-by fingerprint Match against a fingerprint sensitivity.
sensitivity {Critical | Private | Warning} Select a DLP file pattern sensitivity to match.
match-percentage <integer> The percentage of the checksum required to match before the sensor is triggered.
action {allow | log-only | block | ban | quarantine-ip} The action to take with content that this DLP sensor matches.
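The options above (sensitivity, match-percentage, keep-modified, remove-deleted) are easier to reason about with a small working model of chunk-based fingerprinting. The following Python is an added illustration written for this page, not FortiGate's implementation: the fixed 64-byte chunking, the SHA-256 chunk hash and the "percentage of stored chunks seen in traffic" rule are assumptions chosen to make the sensor options concrete, and the file names and sample bytes are constructed.

```python
"""Toy model of chunk-based document fingerprinting with a match-percentage
threshold. Added illustration, not FortiGate's implementation: the fixed
64-byte chunking, the SHA-256 chunk hash and the percentage rule are
assumptions chosen to make the sensor options concrete."""
import hashlib
from dataclasses import dataclass, field

CHUNK_SIZE = 64  # assumed chunk size; the real chunking scheme is not documented here


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Split data into fixed-size chunks and return one hash per chunk."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


@dataclass
class FingerprintEntry:
    filename: str
    sensitivity: str                                # "Critical", "Private" or "Warning"
    revisions: list = field(default_factory=list)   # one chunk-hash list per stored revision


class FingerprintDB:
    """Minimal stand-in for the fingerprint database built from a doc source."""

    def __init__(self, keep_modified: bool = True):
        self.keep_modified = keep_modified   # models 'set keep-modified enable'
        self.entries = {}

    def add(self, filename: str, data: bytes, sensitivity: str) -> None:
        hashes = chunk_hashes(data)
        entry = self.entries.get(filename)
        if entry is None:
            self.entries[filename] = FingerprintEntry(filename, sensitivity, [hashes])
        elif self.keep_modified:
            entry.revisions.append(hashes)      # keep the old fingerprint, add the new one
        else:
            entry.revisions = [hashes]          # replace the old fingerprint

    def remove(self, filename: str) -> None:
        """Models 'set remove-deleted enable': drop the entry for a deleted file."""
        self.entries.pop(filename, None)

    def best_match(self, data: bytes, sensitivity: str):
        """Strongest match among entries of the given sensitivity, as (filename, percent)."""
        candidate = set(chunk_hashes(data))
        best_name, best_pct = None, 0
        for entry in self.entries.values():
            if entry.sensitivity != sensitivity:
                continue
            for rev in entry.revisions:
                if not rev:
                    continue
                matched = sum(1 for h in rev if h in candidate)
                pct = 100 * matched // len(rev)   # share of the stored fingerprint seen in traffic
                if pct > best_pct:
                    best_name, best_pct = entry.filename, pct
        return best_name, best_pct


def sensor_decision(db: FingerprintDB, data: bytes, sensitivity: str,
                    match_percentage: int, action: str):
    """Apply a fingerprint filter: fire 'action' when the best match reaches match-percentage."""
    filename, pct = db.best_match(data, sensitivity)
    if filename is not None and pct >= match_percentage:
        return action, filename, pct
    return "allow", filename, pct


if __name__ == "__main__":
    # Constructed sample: a 10-chunk document and a leaked copy of its first half.
    document = b"".join(bytes([i]) * CHUNK_SIZE for i in range(10))
    leaked = document[:5 * CHUNK_SIZE]
    db = FingerprintDB(keep_modified=True)
    db.add("/share/plan.doc", document, "Private")
    print(sensor_decision(db, leaked, "Private", 30, "block"))   # ('block', '/share/plan.doc', 50)
    print(sensor_decision(db, leaked, "Private", 60, "block"))   # ('allow', '/share/plan.doc', 50)
```

The model shows why match-percentage matters: a half-copied document scores 50, so a filter set to 30 blocks it while one set to 60 lets it through. It also shows the cost of keep-modified, since every stored revision is compared on each pass. Fixed-offset chunking is the weak point of this toy model: inserting a single byte at the front of a file shifts every chunk boundary and the match drops to zero, which is why production fingerprinting uses content-defined chunking rather than fixed offsets.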

View the DLP fingerprint database on the FortiGate

The CLI debug command diagnose test application dlpfingerprint can be used to display the fingerprint information that is on the FortiGate.

Fingerprint Daemon Test Usage:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1  : This menu
2  : Dump database
3  : Dump all files
4  : Dump all chunk
5  : Refresh all doc sources in all VDOMs
6  : Show the db file size and the limit
7  : Display stats
8  : Clear stats
99 : Restart this daemon

For example, option 3 will dump all fingerprinted files:

DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
-----------------------------
id, filename, vdom, archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1, /fingerprint/upload/1.txt, vdom1, 0, 0, 1494868196, 1, 2, 1, 0,
2, /fingerprint/upload/30percentage.xls, vdom1, 0, 0, 1356118250, 1, 2, 13, 0,
3, /fingerprint/upload/50.pdf, vdom1, 0, 0, 1356118250, 1, 2, 122, 0,
4, /fingerprint/upload/50.pdf.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 114, 0,
5, /fingerprint/upload/check-list_AL-SIP_HA.xls, vdom1, 0, 0, 1356118251, 1, 2, 32, 0,
6, /fingerprint/upload/clean.zip, vdom1, 0, 0, 1356118251, 1, 2, 1, 0,
7, /fingerprint/upload/compare.doc, vdom1, 0, 0, 1522097410, 1, 2, 18, 0,
8, /fingerprint/upload/dlpsensor-watermark.pdf, vdom1, 0, 0, 1356118250, 1, 2, 11, 0,
9, /fingerprint/upload/eicar.com, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
10, /fingerprint/upload/eicar.zip, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt, vdom1, 0, 0, 1356118250, 1, 2, 11, 0,
12, /fingerprint/upload/encrypt.zip, vdom1, 0, 0, 1356118250, 1, 2, 77, 0,
13, /fingerprint/upload/extension_7_8_1.crx, vdom1, 0, 0, 1528751781, 1, 2, 2720, 0,
14, /fingerprint/upload/fingerprint.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0,
15, /fingerprint/upload/fingerprint90.txt, vdom1, 0, 0, 1498582679, 1, 2, 37, 0,
16, /fingerprint/upload/fo2.pdf, vdom1, 0, 0, 1450488049, 1, 2, 1, 0,
17, /fingerprint/upload/foo.doc, vdom1, 0, 0, 1388538131, 1, 2, 9, 0,
18, /fingerprint/upload/fortiauto.pdf, vdom1, 0, 0, 1356118251, 1, 2, 146, 0,
19, /fingerprint/upload/image.out, vdom1, 0, 0, 1531802940, 1, 2, 5410, 0,
20, /fingerprint/upload/jon_file.txt, vdom1, 0, 0, 1536596091, 1, 2, 1, 0,
21, /fingerprint/upload/machotest, vdom1, 0, 0, 1528751955, 1, 2, 19, 0,
22, /fingerprint/upload/nntp-server.doc, vdom1, 0, 0, 1356118250, 1, 2, 17, 0,
23, /fingerprint/upload/notepad++.exe, vdom1, 0, 0, 1456090734, 1, 2, 1061, 0,
24, /fingerprint/upload/nppIExplorerShell.exe, vdom1, 0, 0, 1438559930, 1, 2, 5, 0,
25, /fingerprint/upload/NppShell_06.dll, vdom1, 0, 0, 1456090736, 1, 2, 111, 0,
26, /fingerprint/upload/PowerCollections.chm, vdom1, 0, 0, 1533336889, 1, 2, 728, 0,
27, /fingerprint/upload/reflector.dmg, vdom1, 0, 0, 1533336857, 1, 2, 21117, 0,
28, /fingerprint/upload/roxio.iso, vdom1, 0, 0, 1517531765, 1, 2, 49251, 0,
29, /fingerprint/upload/SciLexer.dll, vdom1, 0, 0, 1456090736, 1, 2, 541, 0,
30, /fingerprint/upload/screen.jpg, vdom1, 0, 0, 1356118250, 1, 2, 55, 0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, vdom1, 0, 0, 1356118251, 1, 2, 31, 0,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea, vdom1, 0, 0, 1529019743, 1, 2, 1, 0,
33, /fingerprint/upload/test.pdf, vdom1, 0, 0, 1356118250, 1, 2, 5, 0,
34, /fingerprint/upload/test.tar, vdom1, 0, 0, 1356118251, 1, 2, 3, 0,
35, /fingerprint/upload/test.tar.gz, vdom1, 0, 0, 1356118250, 1, 2, 1, 0,
36, /fingerprint/upload/test1.txt, vdom1, 0, 0, 1540317547, 1, 2, 1, 0,
37, /fingerprint/upload/thousand-files.zip, vdom1, 0, 0, 1536611774, 1, 2, 241, 0,
38, /fingerprint/upload/Thumbs.db, vdom1, 0, 0, 1445878135, 1, 2, 3, 0,
39, /fingerprint/upload/widget.pdf, vdom1, 0, 0, 1356118251, 1, 2, 18, 0,
40, /fingerprint/upload/xx00-xx01.tar, vdom1, 0, 0, 1356118250, 1, 2, 5, 0,
41, /fingerprint/upload/xx02-xx03.tar.gz, vdom1, 0, 0, 1356118251, 1, 2, 1, 0,
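When the fingerprint database grows to hundreds of entries, the raw listing above is hard to audit by eye (which entries were last scanned years ago, how much of the db file size limit the chunks consume, which files were removed from the document source). The following Python parser is an added example written for this page, not a Fortinet tool: the column order is taken from the header line of the listing, the three sample rows are copied from it, and the "stale" cut-off is an arbitrary assumption.

```python
"""Parse the 'File DB' listing printed by 'diagnose test application
dlpfingerprint 3' into records and run a few audit checks over them.
Added example, not Fortinet code: the column order follows the header
line of the listing, the sample rows are copied from it, and the cut-off
used for 'stale' is an arbitrary assumption."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Three rows copied from the listing above (of the 41 it shows); the prompt,
# banner and separator lines are included so the parser has to skip them.
SAMPLE_OUTPUT = """\
DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
-----------------------------
id, filename, vdom, archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1, /fingerprint/upload/1.txt, vdom1, 0, 0, 1494868196, 1, 2, 1, 0,
3, /fingerprint/upload/50.pdf, vdom1, 0, 0, 1356118250, 1, 2, 122, 0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, vdom1, 0, 0, 1356118251, 1, 2, 31, 0,
"""

NUMERIC_TAIL = 7   # archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt


@dataclass
class FileRecord:
    id: int
    filename: str
    vdom: str
    archive: int
    deleted: int
    scan_time: int
    doc_source_srvr: int
    sensitivity: int
    chunk_cnt: int
    revise_cnt: int

    @property
    def scanned_at(self) -> datetime:
        """scanTime is a Unix epoch; present it as a UTC timestamp."""
        return datetime.fromtimestamp(self.scan_time, tz=timezone.utc)


def parse_file_db(text: str) -> list:
    """Return one FileRecord per data row, ignoring prompt, banner and header lines."""
    records = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if line.startswith("id, filename"):
            in_table = True            # everything after the header is data
            continue
        if not in_table or not line or not line[0].isdigit():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 + NUMERIC_TAIL:
            raise ValueError(f"unexpected row: {raw!r}")
        # Split from both ends so a filename containing commas or spaces survives.
        rec_id = int(fields[0])
        vdom = fields[-NUMERIC_TAIL - 1]
        filename = ", ".join(fields[1:-NUMERIC_TAIL - 1])
        numbers = [int(f) for f in fields[-NUMERIC_TAIL:]]
        records.append(FileRecord(rec_id, filename, vdom, *numbers))
    return records


def stale_entries(records: list, cutoff_epoch: int) -> list:
    """Entries whose last scan is older than the cut-off (candidates for doc-source drift)."""
    return [r for r in records if r.scan_time < cutoff_epoch]


def total_chunks(records: list) -> int:
    """Sum of chunkCnt, a rough measure of how much of the db file the entries occupy."""
    return sum(r.chunk_cnt for r in records)


def count_by_sensitivity(records: list) -> dict:
    """How many entries carry each numeric sensitivity value."""
    counts = {}
    for r in records:
        counts[r.sensitivity] = counts.get(r.sensitivity, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_file_db(SAMPLE_OUTPUT)
    for r in recs:
        print(r.id, r.filename, r.scanned_at.date(), r.chunk_cnt)
    print("stale:", [r.id for r in stale_entries(recs, 1_400_000_000)])
```

Paste the full output of option 3 into `parse_file_db` to get the same checks over all 41 rows. The numeric sensitivity value is kept as printed because the listing does not state how it maps to Critical, Private and Warning; the scanTime column is the one to watch, since an entry whose scan date predates the current document source contents points at a refresh (option 5) or a remove-deleted/keep-modified setting that is not doing what was intended.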
This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
