Inspection mode feature comparison

The following table shows which UTM profile can be configured on a flow mode or proxy mode inspection policy. Remember that some UTM profiles are hidden in the GUI, but can be configured by using the FortiOS CLI.

UTM Profile                   Flow Mode Inspection Policy    Proxy Mode Inspection Policy
                              GUI         CLI                GUI         CLI
Antivirus                     Yes (2)     Yes (2)            Yes         Yes
Application Control           Yes         Yes                Yes         Yes
CIFS Inspection               No          No                 No (1)      Yes
Data Leak Prevention          No          Yes (3)            Yes         Yes
DNS Filter                    Yes         Yes                Yes         Yes
Email Filter                  No          Yes (4)            Yes         Yes
ICAP                          No          No                 Yes         Yes
Intrusion Prevention System   Yes         Yes                Yes         Yes
SSL/SSH Inspection            Yes         Yes                Yes         Yes
VoIP                          No          No                 Yes         Yes
Web Filter                    Yes (5)     Yes (5)            Yes         Yes
Web Application Firewall      No          No                 Yes         Yes

  1. CIFS inspection cannot be configured via the GUI.
  2. Some Antivirus features are not supported in flow mode inspection. See Inspection mode differences for Antivirus on page 401.
  3. Some Data Leak Prevention features are not supported in flow mode inspection. See Inspection mode differences for Data Leak Prevention on page 402.
  4. Some Email Filter features are not supported in flow mode inspection. See Inspection mode differences for Email Filter on page 402.
  5. Some Web Filter features are not supported in flow mode inspection. See Inspection mode differences for Web Filter on page 403.

Proxy mode inspection

When a firewall policy’s inspection mode is set to proxy, traffic flowing through the policy will be buffered by the FortiGate for inspection. This means that the packets for a file, email message, or web page will be held by the FortiGate until the entire payload is inspected for violations (virus, spam, or malicious web links). After FortiOS has finished the inspection, the payload is either released to the destination (if the traffic is clean) or dropped and replaced with a replacement message (if the traffic contains violations).

To optimize inspection, the policy can be configured to block or ignore files or messages that exceed a certain size. To prevent the receiving end user from timing out, client comforting can be applied, which allows small portions of the payload to be sent while it is undergoing inspection.

Proxy mode provides the most thorough inspection of the traffic; however, its thoroughness sacrifices performance, making its throughput slower than that of a flow-mode policy. Under normal traffic circumstances, the throughput difference between a proxy-based and flow-based policy is not significant.

Flow mode inspection (default mode)

When a firewall policy’s inspection mode is set to flow, traffic flowing through the policy will not be buffered by the FortiGate. Unlike proxy mode, the content payload passing through the policy is inspected on a packet-by-packet basis, with only the very last packet held by the FortiGate until the scan returns a verdict. If a violation is detected in the traffic, a reset packet is issued to the receiver, which terminates the connection and prevents the payload from being delivered successfully.

Because of this method, flow mode inspection cannot be as thorough as proxy mode inspection and has some feature limitations. For example, flow mode inspection determines a file’s size by identifying the file size information in the protocol exchange. If a file’s size is not present in the protocol exchange, the file’s size cannot be identified, and the flow-based policy will automatically block or pass the file (based on the configuration) regardless of whether the file actually meets the file size requirements.

The objective of flow-based policy is to optimize performance and increase throughput. Although it is not as thorough as a proxy-based policy, flow mode inspection is still very reliable.

DLP watermarking

Watermarking marks files with a digital pattern to designate them as proprietary to a specific company. A small pattern is added to the file that is recognized by the DLP watermark filter, but is invisible to the end user (except for text files).

The FortiExplorer client, or a Linux-based command line tool, can be used to add a watermark to the following file types:

  • .txt
  • .doc and .docx
  • .pdf
  • .ppt and .pptx
  • .xls and .xlsx

The following information is covered in this section:

  • Watermarking a file with FortiExplorer.
  • Watermarking a file with the Linux tool.
  • Configuring a DLP sensor to detect watermarked files.

FortiExplorer

In this example, a watermark will be added to a small text file. The content of the file is:

This is to show how DLP watermarking is done using FortiExplorer.

FortiExplorer can also be used to watermark an entire directory.

To watermark the text file with FortiExplorer:

  1. Open the FortiExplorer client.
  2. Select DLP Watermark from the left side bar.
  3. Set Apply Watermark To to Select File.
  4. Browse for the file, or copy the file’s path into the Select File field.
  5. Set the Sensitivity Level. The available options are: Critical, Private, and Warning.
  6. Enter a company identifier in the Identifier field.
  7. Select the Output Directory where the watermarked file will be saved.
  8. Click Apply Watermark. The file is watermarked.
  9. The watermarked file content is changed to:

This is to show how DLP watermarking is done using FortiExplorer.=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=
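The watermarked text above shows the pattern the DLP watermark filter looks for: a run of marker characters, the company identifier, the sensitivity level, and a trailing marker run. The following Python is an added example, not Fortinet's tool or FortiOS code; it applies, detects and strips a watermark of that visible shape and models the `filter-by watermark` decision (identifier and sensitivity must both match). The marker string, the regular expression and the byte-exact layout are assumptions reconstructed from the example text; Fortinet's tools are not documented here beyond that sample.

```python
import re

# Watermark layout constructed from the FortiExplorer example on the page:
# a run of "=-" marker characters, "identifier=<id> sensitivity=<level>",
# then another marker run. The exact layout written by Fortinet's tools is
# an assumption here; only the visible text example is documented.
MARKER = "=-=-=-=-=-=-=-=-=-=-=-="
SENSITIVITIES = ("Critical", "Private", "Warning")

WATERMARK_RE = re.compile(
    r"[=-]{8,}"                                              # leading marker run
    r"identifier=(?P<identifier>[^\s=]+)"
    r"\s+sensitivity=(?P<sensitivity>Critical|Private|Warning)"
    r"[=-]{8,}"                                              # trailing marker run
)


def apply_watermark(text: str, identifier: str, sensitivity: str) -> str:
    """Append a watermark to a text document (in-memory analogue of the tool's -i/-l options)."""
    if sensitivity not in SENSITIVITIES:
        raise ValueError(f"sensitivity must be one of {SENSITIVITIES}")
    if re.search(r"[\s=]", identifier):
        raise ValueError("identifier must not contain whitespace or '='")
    return f"{text}{MARKER}identifier={identifier} sensitivity={sensitivity}{MARKER}"


def find_watermark(text: str):
    """Return {'identifier', 'sensitivity'} when a watermark is present, else None."""
    m = WATERMARK_RE.search(text)
    if m is None:
        return None
    return {"identifier": m.group("identifier"), "sensitivity": m.group("sensitivity")}


def remove_watermark(text: str) -> str:
    """Strip the whole watermark block (loosely models the tool's -D/-L delete options)."""
    return WATERMARK_RE.sub("", text)


def watermark_filter_action(text: str, company_identifier: str,
                            sensitivity: str, action: str = "block") -> str:
    """Model a DLP sensor filter with 'filter-by watermark': the configured action
    fires only when both company-identifier and sensitivity match; otherwise allow."""
    wm = find_watermark(text)
    if wm and wm["identifier"] == company_identifier and wm["sensitivity"] == sensitivity:
        return action
    return "allow"


# Constructed sample: the watermarked content shown in the FortiExplorer example above.
SAMPLE = ("This is to show how DLP watermarking is done using FortiExplorer."
          "=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical"
          "=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=")

if __name__ == "__main__":
    print(find_watermark(SAMPLE))
    print(watermark_filter_action(SAMPLE, "FortiDemo", "Critical"))
```

Because the mark is plain text appended to the document, a text-file watermark is visible to the recipient and trivially removable; the sensor is therefore a control against accidental leakage of labelled documents, not against a deliberate exfiltrator, and should be paired with fingerprinting or content filters for the latter.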

Linux-based command line tool

A Linux-based command line tool can be used to watermark files. The tool is executed in a Linux environment by passing in files or directories of files.

To download the tool:

  1. Log in to Fortinet Service and Support. A valid support contract is required.
  2. Go to Download > Firmware Images.
  3. Select the Download tab, and go to FortiGate/v5.00/5.0/5.0.0/WATERMARK.
  4. Download the fortinet-watermark-linux.out file.

To run the tool:

Enter the following to run the tool on a file:

    watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level>

Enter the following to run the tool on a directory:

    watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>

The following options are available:

-h Print this help.
-I Watermark the file in place (don’t make a copy of the file).
-o The output file or directory.
-e Encode <to non-readable>.
-i Add a watermark identifier.
-l Add a watermark sensitivity level.
-D Delete a watermark identifier.
-L Delete a watermark sensitivity level.

DLP watermark sensor

A DLP watermark sensor must be configured to detect watermarked files.

To configure a DLP watermark sensor:

config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}   <– Protocol to inspect
                set filter-by watermark
                set sensitivity {Critical | Private | Warning}
                set company-identifier <string>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end

DLP fingerprinting

DLP fingerprinting can be used to detect sensitive data. The file that the DLP sensor will filter for is uploaded, and the FortiGate generates and stores a checksum fingerprint. The FortiGate unit then generates a fingerprint for every file that it detects in network traffic and compares it against the checksums stored in its database. If a match is found, the configured action is taken.

Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

To use fingerprinting:

  • Select the files to be fingerprinted by targeting a document source.
  • Add fingerprinting filters to DLP sensors.
  • Add the sensors to firewall policies that accept the traffic that fingerprinting will be applied to.

To configure a DLP fingerprint document:

config dlp fp-doc-source
    edit <name_str>
        set server-type smb
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity <Critical | Private | Warning>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    next
end

Command Description
server-type smb The protocol used to communicate with the document server. Only Samba (SMB) servers are supported.
server <string> IPv4 or IPv6 address of the server.
period {none | daily | weekly | monthly} The frequency that the FortiGate checks the server for new or changed files.
vdom {mgmt | current} The VDOM that can communicate with the file server.
scan-subdirectories {enable | disable} Enable/disable scanning subdirectories to find files.
remove-deleted {enable | disable} Enable/disable keeping the fingerprint database up to date when a file is deleted from the server.
keep-modified {enable | disable} Enable/disable keeping the old fingerprint and adding a new one when a file is changed on the server.
username <string> The user name required to log into the file server.
password <password> The password required to log into the file server.
file-path <string> The path on the server to the fingerprint files.
file-pattern <string> Files matching this pattern on the server are fingerprinted.
sensitivity <Critical | Private | Warning> The sensitivity or threat level for matches with this fingerprint database.
tod-hour <integer> Set the hour of the day. This option is only available when period is not none.
tod-min <integer> Set the minute of the hour. This option is only available when period is not none.
weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday} Set the day of the week. This option is only available when period is weekly.
date <integer> Set the day of the month. This option is only available when period is monthly.

To configure a DLP fingerprint sensor:

config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end

Command Description
proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi} The protocol to inspect.
filter-by fingerprint Match against a fingerprint sensitivity.
sensitivity {Critical | Private | Warning} Select a DLP file pattern sensitivity to match.
match-percentage <integer> The percentage of the checksum required to match before the sensor is triggered.
action {allow | log-only | block | ban | quarantine-ip} The action to take with content that this DLP sensor matches.

View the DLP fingerprint database on the FortiGate

The CLI debug command diagnose test application dlpfingerprint can be used to display the fingerprint information that is on the FortiGate.

Fingerprint Daemon Test Usage;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1 : This menu
2 : Dump database
3 : Dump all files
4 : Dump all chunk
5 : Refresh all doc sources in all VDOMs
6 : Show the db file size and the limit
7 : Display stats
8 : Clear stats
99 : Restart this daemon

For example, option 3 will dump all fingerprinted files:

DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
---------------------------------
id, filename, vdom, archive, deleted, scanTime, docSourceSrvr, sensitivity, chunkCnt, reviseCnt,
1, /fingerprint/upload/1.txt, vdom1, 1, 0, 0, 0, 1494868196, 1, 2,
2, /fingerprint/upload/30percentage.xls, vdom1, 13, 0, 0, 0, 1356118250, 1, 2,
3, /fingerprint/upload/50.pdf, vdom1, 122, 0, 0, 0, 1356118250, 1, 2,
4, /fingerprint/upload/50.pdf.tar.gz, vdom1, 114, 0, 0, 0, 1356118250, 1, 2,
5, /fingerprint/upload/check-list_AL-SIP_HA.xls, vdom1, 32, 0, 0, 0, 1356118251, 1, 2,
6, /fingerprint/upload/clean.zip, vdom1, 1, 0, 0, 0, 1356118251, 1, 2,
7, /fingerprint/upload/compare.doc, vdom1, 18, 0, 0, 0, 1522097410, 1, 2,
8, /fingerprint/upload/dlpsensor-watermark.pdf, vdom1, 11, 0, 0, 0, 1356118250, 1, 2,
9, /fingerprint/upload/eicar.com, vdom1, 1, 0, 0, 0, 1356118250, 1, 2,
10, /fingerprint/upload/eicar.zip, vdom1, 1, 0, 0, 0, 1356118250, 1, 2,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt, vdom1, 11, 0, 0, 0, 1356118250, 1, 2,
12, /fingerprint/upload/encrypt.zip, vdom1, 77, 0, 0, 0, 1356118250, 1, 2,
13, /fingerprint/upload/extension_7_8_1.crx, vdom1, 2720, 0, 0, 0, 1528751781, 1, 2,
14, /fingerprint/upload/fingerprint.txt, vdom1, 37, 0, 0, 0, 1498582679, 1, 2,
15, /fingerprint/upload/fingerprint90.txt, vdom1, 37, 0, 0, 0, 1498582679, 1, 2,
16, /fingerprint/upload/fo2.pdf, vdom1, 1, 0, 0, 0, 1450488049, 1, 2,
17, /fingerprint/upload/foo.doc, vdom1, 9, 0, 0, 0, 1388538131, 1, 2,
18, /fingerprint/upload/fortiauto.pdf, vdom1, 146, 0, 0, 0, 1356118251, 1, 2,
19, /fingerprint/upload/image.out, vdom1, 5410, 0, 0, 0, 1531802940, 1, 2,
20, /fingerprint/upload/jon_file.txt, vdom1, 1, 0, 0, 0, 1536596091, 1, 2,
21, /fingerprint/upload/machotest, vdom1, 19, 0, 0, 0, 1528751955, 1, 2,
22, /fingerprint/upload/nntp-server.doc, vdom1, 17, 0, 0, 0, 1356118250, 1, 2,
23, /fingerprint/upload/notepad++.exe, vdom1, 1061, 0, 0, 0, 1456090734, 1, 2,
24, /fingerprint/upload/nppIExplorerShell.exe, vdom1, 5, 0, 0, 0, 1438559930, 1, 2,
25, /fingerprint/upload/NppShell_06.dll, vdom1, 111, 0, 0, 0, 1456090736, 1, 2,
26, /fingerprint/upload/PowerCollections.chm, vdom1, 728, 0, 0, 0, 1533336889, 1, 2,
27, /fingerprint/upload/reflector.dmg, vdom1, 21117, 0, 0, 0, 1533336857, 1, 2,
28, /fingerprint/upload/roxio.iso, vdom1, 49251, 0, 0, 0, 1517531765, 1, 2,
29, /fingerprint/upload/SciLexer.dll, vdom1, 541, 0, 0, 0, 1456090736, 1, 2,
30, /fingerprint/upload/screen.jpg, vdom1, 55, 0, 0, 0, 1356118250, 1, 2,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, vdom1, 31, 0, 0, 0, 1356118251, 1, 2,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea, vdom1, 1, 0, 0, 0, 1529019743, 1, 2,
33, /fingerprint/upload/test.pdf, vdom1, 5, 0, 0, 0, 1356118250, 1, 2,
34, /fingerprint/upload/test.tar, vdom1, 3, 0, 0, 0, 1356118251, 1, 2,
35, /fingerprint/upload/test.tar.gz, vdom1, 1, 0, 0, 0, 1356118250, 1, 2,
36, /fingerprint/upload/test1.txt, vdom1, 1, 0, 0, 0, 1540317547, 1, 2,
37, /fingerprint/upload/thousand-files.zip, vdom1, 241, 0, 0, 0, 1536611774, 1, 2,
38, /fingerprint/upload/Thumbs.db, vdom1, 3, 0, 0, 0, 1445878135, 1, 2,
39, /fingerprint/upload/widget.pdf, vdom1, 18, 0, 0, 0, 1356118251, 1, 2,
40, /fingerprint/upload/xx00-xx01.tar, vdom1, 5, 0, 0, 0, 1356118250, 1, 2,
41, /fingerprint/upload/xx02-xx03.tar.gz, vdom1, 1, 0, 0, 0, 1356118251, 1, 2,

Basic DLP filter types

File type and name

A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list.

To configure file type and name filtering using the CLI:

  1. Create a file pattern to filter files based on the file name pattern or file type:

config dlp filepattern
    edit <filepattern_entry_integer>
        set name <string>
        config entries
            edit <file pattern>
                set filter-type <type | pattern>
                set file-type <file type>
            next
        end
    next
end

For example, to filter for GIFs and PDFs:

config dlp filepattern
    edit 11
        set name "sample_config"
        config entries
            edit "*.gif"
                set filter-type pattern
            next
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end

  2. Attach the file pattern to a DLP sensor, and specify the protocols and actions:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
                set filter-by file-type
                set file-type 11   <– Previously configured filepattern
                set action <allow | log-only | block | quarantine-ip>
            next
        end
    next
end

To configure file type and name filtering using the GUI:

  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. Set Type to Files and select Specify File Types.
  5. Add file types by clicking in the File Types field and select file types from the side pane.
  6. Add file name patterns by clicking in the File Name Patterns field:
    1. In the side pane that opens, enter the pattern in the search bar.
    2. Click Create.
    3. Select the newly created pattern.

File size

A file size filter checks for files that exceed the specified size, and performs the DLP sensor’s configured action on them.

To configure file size filtering using the CLI:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
                set filter-by file-size   <– Match any file with a size over the threshold
                set file-size <integer>   <– Size threshold in kilobytes
                set action <allow | log-only | block | quarantine-ip>
            next
        end
    next
end

To configure file size filtering using the GUI:

  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. Set Type to Files and select File size over.
  5. Enter the maximum file size, in kilobytes, in the File size over field, then click OK.

Regular expression

A regular expression filter is used to filter files or messages based on the configured regular expression pattern.

To configure regular expression filtering using the CLI:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set type <file | message>   <– Check contents of a file, or of messages, web pages, etc.
                set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
                set filter-by regexp        <– Use a regular expression to match content
                set regexp <regexp>         <– Input a regular expression pattern
                set action <allow | log-only | block | quarantine-ip>
            next
        end
    next
end

To configure regular expression filtering using the GUI:

  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. For filtering regular expressions in files, set Type to Files. For filtering in messages, set Type to Messages.
  5. Select RegularExpression.
  6. Enter the regular expression string in the RegularExpression field, then click OK.

Credit card and SSN

The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It can be used to filter files or messages.

The SSN sensor can be used to filter files or messages for Social Security Numbers.

To configure credit card or SSN filtering using the CLI:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set type <file | message>   <– Check contents of a file, or of messages, web pages, etc.
                set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
                set filter-by <credit-card | ssn>   <– Match credit cards or social security numbers
                set action <allow | log-only | block | quarantine-ip>
            next
        end
    next
end

To configure credit card or SSN filtering using the GUI:

  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. For filtering in files, set Type to Files. For filtering in messages, set Type to Messages.
  5. Select Containing.
  6. Select Credit Card # or SSN from the Containing drop-down list, then click OK.
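To show what a credit-card/SSN content filter has to do beyond a bare regular expression, here is an added Python example (not FortiOS code; how the FortiGate's own `credit-card` and `ssn` filters are implemented is not described on the page). It combines a digit-run regex with a Luhn check and the American Express, Mastercard and Visa prefix/length rules named above, so that timestamps, order numbers and other long digit strings do not trigger the filter; the SSN pattern excludes the area/group/serial values that are never issued. The prefix ranges, the SSN exclusions and the sample strings are assumptions constructed for this example; the card numbers used are the well-known published test numbers.

```python
import re

# Candidate card number: 13 to 16 digits, optionally separated by spaces or
# hyphens, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# SSN: AAA-GG-SSSS, excluding area 000, 666 and 900-999, group 00 and serial 0000.
# These exclusions are an assumption of this example, not a documented FortiOS rule.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Brand by issuer prefix and length for the three brands the page names (assumed ranges)."""
    if len(digits) == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if digits[0] == "4" and len(digits) in (13, 16):
        return "Visa"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    return None


def find_credit_cards(text: str) -> list:
    """Return [(brand, digits)] for every digit run that is a plausible card number."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = card_brand(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, digits))
    return hits


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def dlp_filter_action(text: str, filter_by: str, action: str = "block") -> str:
    """Model a DLP filter with 'filter-by credit-card' or 'filter-by ssn'."""
    if filter_by == "credit-card":
        return action if find_credit_cards(text) else "allow"
    if filter_by == "ssn":
        return action if find_ssns(text) else "allow"
    raise ValueError(f"unsupported filter-by value: {filter_by}")


# Constructed sample message. 4111 1111 1111 1111, 378282246310005 and
# 5555 5555 5555 4444 are published test numbers; 078-05-1120 is the
# historical Woolworth sample SSN.
SAMPLE_MESSAGE = (
    "Order 1234 5678 9012 3456 shipped at 1536596091.\n"
    "Card on file: 4111 1111 1111 1111 (Visa), alt 378282246310005.\n"
    "Employee SSN 078-05-1120; placeholder 000-12-3456 is invalid.\n"
)

if __name__ == "__main__":
    print(find_credit_cards(SAMPLE_MESSAGE))
    print(find_ssns(SAMPLE_MESSAGE))
    print(dlp_filter_action(SAMPLE_MESSAGE, "credit-card"))
```

In the sample, the order number and the epoch timestamp are rejected (wrong length or failing Luhn/brand rules) while the two real-format card numbers and the one valid SSN are reported; when tuning the real FortiGate sensor, test it against this kind of mixed text so that `block` on a pre-built filter does not interrupt legitimate traffic carrying long numeric identifiers.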

Data leak prevention

The FortiGate Data Leak Prevention (DLP) system prevents sensitive data from leaving your network. Data matching defined sensitive data patterns is blocked, logged, or allowed when passing through the FortiGate unit.

The DLP system is configured by creating individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule in a DLP sensor, and assigning the sensor to a security policy.

A DLP sensor is made of filters that are configured within it. The filters examine traffic for:

  • Known files using DLP fingerprints
  • Known files using DLP watermarks
  • Files of a particular type
  • Files with a particular name
  • Files larger than a specified size
  • Data matching a specified regular expression
  • Credit card and SSN numbers

When a match to a filter is detected, the possible actions include:

  • Allow: No action is taken, even if the pattern specified in the filter is matched.
  • Log: The filter match is logged.
  • Block: Traffic matching the filter is blocked.
  • Quarantine IP address: Traffic matching the filter is blocked, and the client initiating the traffic is source IP banned.

The primary use of the DLP feature is to stop sensitive data from leaving the network. It can also be used to prevent unwanted data from entering the network, and to archive some or all of the content that is passing through the FortiGate device. DLP archiving is configured per filter, allowing a single sensor to archive only the required data.

There are two forms of DLP archiving:

  • Summary Only: A summary of all the activity that the sensor detected is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the web, every URL that they visit is recorded.
  • Full: Detailed records of all the activity that the sensor detects are recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user accesses the web, every page that they visit is archived.