Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

Example ICAP sequence


This example is for an ICAP server performing web URL filtering on HTTP requests:

1. A user opens a web browser and sends an HTTP request to connect to a web server.

2. The FortiGate unit intercepts the HTTP request and forwards it to an ICAP server.

3. The ICAP server receives the request and determines whether the request is for a URL that should be blocked or allowed.

  • If the URL should be blocked, the ICAP server sends a response to the FortiGate unit, which returns it to the user’s web browser. This response could be a message informing the user that their request was blocked.
  • If the URL should be allowed, the ICAP server returns the request to the FortiGate unit, which forwards it to the web server the user originally attempted to connect to.

 

Example Scenario

Information relevant to the following example:

  • The ICAP server is designed to do proprietary content filtering specific to the organization, so it has to receive the messages and send back the appropriate responses.
  • The content filter is a required security precaution, so if a message cannot be processed it is not allowed through (On Failure is set to Error rather than Bypass).
  • Resources on both the FortiGate and the ICAP server are considerable, so the maximum connections setting will be set to double the default value to analyze the impact on performance.
  • The ICAP server’s IP address is 172.16.100.55.
  • The path to the processing component is “/proprietary_code/content-filter/”.
  • Streaming media is not something the filter considers, but it is allowed through the policy, so processing it would be a waste of resources (streaming media bypass is enabled).
  • The ICAP profile is to be added to an existing firewall policy.
  • It is assumed that the policy list has already been configured to show the “ID” column.

1. Enter the following to configure the ICAP server:

 

Go to Security Profiles > ICAP Servers. Use the following values:

Name                                           content-filtration-server4

IP Type                                       IPv4

IP Address                                 172.16.100.55

Port                                             1344

 

Use the CLI to set the max-connections value (the default is 100, so double is 200):

config icap server
    edit content-filtration-server4
        set max-connections 200
end

2. Configure the ICAP profile that will then be applied to the security policy. Use the following values:

Name                                           Prop-Content-Filtration

Enable Request Processing          enable

Server                                         content-filtration-server4

Path                                             /proprietary_code/content-filter/

On Failure                                  Error

Enable Response Processing       enable

Server                                         content-filtration-server4

Path                                             /proprietary_code/content-filter/

On Failure                                  Error

Enable Streaming Media Bypass  enable

3. Apply the ICAP profile to the policy:

The purpose of this particular ICAP profile is to filter the content of the traffic coming through the firewall via policy ID 17.

a. Go to Policy & Objects > IPv4 Policy.

b. Open the existing policy ID 17 for editing.

c. Go to the Security Profiles section.

d. Select the button next to ICAP so that it indicates that its status is ON.

e. Select the field with the profile name and use the drop down menu to select Prop-Content-Filtration.

f. Select OK.

Offloading using ICAP

 


If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to the ICAP server named in the ICAP profile added to the policy. Responses from the ICAP server are returned to the FortiGate unit, which forwards them to the HTTP client or server.

You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.

If the FortiGate unit supports HTTPS inspection, HTTPS traffic intercepted by a policy that includes an ICAP profile is also offloaded to the ICAP server in the same way as HTTP traffic.

When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.

 

Configuration Settings

There are two sections where ICAP is configured:

 

Servers

Go to Security Profiles > ICAP Servers.

 

The settings that can be configured for a server are:

  • Name
  • IP Type (in the GUI) or IP address version (in the CLI). In the GUI this field is a pair of radio buttons labelled “IPv4” and “IPv6”. In the CLI the field is “ip-version” and can be set to “4” or “6”.
  • IP Address. The IP version determines the format of this field. In the GUI it appears as a single field that accepts either format, but in the CLI there are two separate fields, “ip-address” and “ip6-address”.
  • Port. 1344 is the default TCP port used for ICAP traffic. The range is 1 to 65535.

 

Maximum Connections

This value refers to the maximum number of concurrent connections that can be made to the ICAP server. The default setting is 100. This setting can only be configured in the CLI.

 

The syntax is:

config icap server
    edit <icap_server_name>
        set max-connections <integer>
end

 

Profiles

 

Name

Just like any other profile, each ICAP profile needs to be assigned a name.

 

Enable Request Processing

Enabling this setting allows the ICAP server to process request messages. If enabled, this setting also requires:

  • Server – The name of the ICAP server, chosen from the drop down menu in the field. Servers are configured in the Security Profiles > ICAP Servers section.
  • Path – The path on the server to the processing component. For instance, if the Windows share name was “Processes” and the directory within the share was “Content-Filter”, the path would be “/Processes/Content-Filter/”.
  • On Failure – There are two options, selected by radio button: Error or Bypass. With Error, traffic that the ICAP server cannot process is not allowed through (fail closed); with Bypass, it is passed on without inspection (fail open). Choose Bypass only where availability matters more than the inspection itself.

 

Enable Response Processing

Enabling this setting allows the ICAP server to process response messages. If enabled, this setting also requires:

  • Server – The name of the ICAP server, chosen from the drop down menu in the field. Servers are configured in the Security Profiles > ICAP Servers section.
  • Path – The path on the server to the processing component. For instance, if the Windows share name was “Processes” and the directory within the share was “Content-Filter”, the path would be “/Processes/Content-Filter/”.
  • On Failure – There are two options, selected by radio button: Error or Bypass. As for request processing, Error blocks traffic the server cannot process and Bypass lets it through uninspected.

 

Enable Streaming Media Bypass

Enabling this setting exempts streaming media from being offloaded to the ICAP server, so it passes through the policy without ICAP inspection.

ICAP support


ICAP is the acronym for Internet Content Adaptation Protocol. The purpose of the feature is to offload work that would normally take place on the firewall to a separate server specifically set up for the specialized processing of the incoming traffic. This takes some of the resource strain off the FortiGate firewall, leaving it to concentrate its resources on things that only it can do.

Off-loading value-added services from Web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput versus having to handle these extra tasks.

 

ICAP servers are focused on a specific function, for example:

  • Ad insertion
  • Virus scanning
  • Content translation
  • HTTP header or URL manipulation
  • Language translation
  • Content filtering

 

ICAP does not appear by default in the web-based manager. You must enable it in System > Settings to display ICAP in the web-based manager.

The following topics are included in this section:

  • The Protocol
  • Offloading using ICAP
  • Configuration Settings
  • Example ICAP sequence
  • Example Scenario

 

The Protocol

The protocol is a lightweight member of the TCP/IP suite of protocols. It is an Application layer protocol and its specification is set out in RFC 3507. The default TCP port assigned to it is 1344. Its purpose is to support HTTP content adaptation by providing simple object-based content vectoring for HTTP services. ICAP is usually used to implement virus scanning and content filters in transparent HTTP proxy caches. Content adaptation refers to performing the particular value added service, or content manipulation, for an associated client request/response.

Essentially it allows an ICAP client, in this case the FortiGate firewall, to pass HTTP messages to an ICAP server, much like a remote procedure call, for the purpose of some sort of transformation or other processing adaptation. Once the ICAP server has finished processing the content, the modified content is sent back to the client.

The messages going back and forth between the client and server are typically HTTP requests or HTTP responses. While ICAP is a request/response protocol similar in semantics and usage to HTTP/1.1, it is not HTTP, nor does it run over HTTP, so it cannot be treated as if it were HTTP. For instance, ICAP messages cannot be forwarded by HTTP surrogates.
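The exchange described above, as an added example that is not part of the handbook and not FortiGate code: a Python model of one REQMOD round trip in the RFC 3507 message format, with a toy URL-filtering ICAP server standing in for the real server, and the ICAP profile's On Failure choice (Error or Bypass) applied when the server gives no answer. The server address and path are taken from the example scenario on this page; the block list, the sample HTTP requests and the ISTag value are constructed for the example.

```python
# Added example, not FortiGate or Fortinet code: one ICAP REQMOD round trip.
# Server address/path are from the page's scenario; hosts, requests and the
# ISTag are constructed for this example.
from typing import Iterable, Optional, Tuple

CRLF = b"\r\n"


def chunk(body: bytes) -> bytes:
    """Encapsulated bodies use HTTP chunked encoding; one chunk is enough here."""
    if not body:
        return b""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def build_reqmod(icap_host: str, path: str, http_request: bytes) -> bytes:
    """Wrap a raw HTTP request in an ICAP REQMOD request.

    The Encapsulated header gives the byte offset of every section: req-hdr at 0,
    then req-body or, when there is no body, null-body where the headers end.
    """
    hdr_end = http_request.index(CRLF + CRLF) + 4
    req_hdr, body = http_request[:hdr_end], http_request[hdr_end:]
    section = b"req-body" if body else b"null-body"
    head = CRLF.join([
        b"REQMOD icap://" + icap_host.encode() + path.encode() + b" ICAP/1.0",
        b"Host: " + icap_host.encode(),
        b"Allow: 204",                      # we accept "204 No Content" = unmodified
        b"Encapsulated: req-hdr=0, " + section + b"=%d" % len(req_hdr),
        b"", b"",
    ])
    return head + req_hdr + chunk(body)


BLOCK_PAGE = b"<html><body>Request blocked by the content filter.</body></html>"


def icap_url_filter(reqmod: bytes, blocked_hosts: Iterable[str]) -> bytes:
    """Toy ICAP server: 204 if the Host is allowed, 200 + replacement response if not."""
    _, _, encapsulated = reqmod.partition(CRLF + CRLF)
    req_hdr = encapsulated.split(CRLF + CRLF, 1)[0]
    host = ""
    for line in req_hdr.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode().lower()
    if host not in set(blocked_hosts):
        return CRLF.join([b"ICAP/1.0 204 No Content", b'ISTag: "urlfilter-1"', b"", b""])
    res_hdr = CRLF.join([b"HTTP/1.1 403 Forbidden", b"Content-Type: text/html",
                         b"Content-Length: %d" % len(BLOCK_PAGE), b"", b""])
    return CRLF.join([
        b"ICAP/1.0 200 OK",
        b'ISTag: "urlfilter-1"',
        b"Encapsulated: res-hdr=0, res-body=%d" % len(res_hdr),
        b"", b"",
    ]) + res_hdr + chunk(BLOCK_PAGE)


def apply_verdict(icap_response: Optional[bytes], original_request: bytes,
                  on_failure: str) -> Tuple[str, Optional[bytes]]:
    """What the ICAP client forwards: ("allow", request for the web server),
    ("block", HTTP response for the browser) or ("error", None)."""
    if icap_response is None:                        # no answer from the ICAP server
        if on_failure == "Bypass":
            return "allow", original_request         # fail open: passes unscanned
        return "error", None                         # On Failure = Error: fail closed
    head, _, encapsulated = icap_response.partition(CRLF + CRLF)
    status = int(head.split(CRLF, 1)[0].split()[1])
    if status == 204:
        return "allow", original_request
    if status == 200:                                # encapsulated res-hdr + res-body
        res_hdr, _, chunked = encapsulated.partition(CRLF + CRLF)
        size_hex, _, rest = chunked.partition(CRLF)
        return "block", res_hdr + CRLF + CRLF + rest[: int(size_hex, 16)]
    return "error", None


def filter_request(http_request: bytes, blocked_hosts: Iterable[str],
                   server_up: bool = True, on_failure: str = "Error"):
    """The whole sequence: browser request -> REQMOD -> server answer -> verdict."""
    reqmod = build_reqmod("172.16.100.55:1344", "/proprietary_code/content-filter/", http_request)
    response = icap_url_filter(reqmod, blocked_hosts) if server_up else None
    return apply_verdict(response, http_request, on_failure)


# Constructed sample traffic.
ALLOWED_REQ = b"GET http://intranet.example/ HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
BLOCKED_REQ = b"GET http://gambling.example/ HTTP/1.1\r\nHost: gambling.example\r\n\r\n"

if __name__ == "__main__":
    for req in (ALLOWED_REQ, BLOCKED_REQ):
        print(filter_request(req, {"gambling.example"}))
    print(filter_request(BLOCKED_REQ, {"gambling.example"}, server_up=False, on_failure="Bypass"))
```

The Encapsulated offsets are the part that real ICAP clients most often get wrong; a server that disagrees about where req-hdr ends will parse the wrong bytes as the request line. The last call in the usage shows why the scenario above chooses Error: with Bypass, a blocked URL goes through the moment the filter is unreachable.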

DLP examples


To view or modify the replacement message text, go to System > Replacement Messages.

 

Blocking content with credit card numbers

When the objective is to block credit card numbers, one of the important things to remember is that two filters are needed in the sensor: one for Messages and one for Files.

In the default Credit-Card sensor, you will notice a few things.

  • The Action is set to Log Only
  • In the Files filter not all of the services are being examined.

If you wish to block as much content as possible with credit card numbers in it, instead of just logging most of the traffic that carries it, the existing sensor has to be edited.

1. Go to Security Profiles > Data Leak Prevention.

Some configurations have a preconfigured Credit-Card sensor; if so, use the drop down menu to select it. If your configuration does not already have one, create a new sensor.

2. If creating a new sensor, use the Create New icon.

3. Create/edit the first filter. Use the following settings:

Filter

Filter                                           Messages

Filter option                               Credit Card #

 

Examine the Following Services

Make sure all of the services are being examined.

 

Action

Set action to Block. Select OK or Apply.

4. Create/edit the second filter. Use the following settings:

Filter

Filter                                           Files

Filter option                               Credit Card #

Examine the Following Services

Make sure all of the services are being examined.

Action

Set action to Block. Select OK or Apply

5. Edit the appropriate policies so that under Security Profiles, DLP is turned on and the Credit-Card sensor is selected.

 

Blocking emails larger than 15 MB and logging emails from 5 MB to 15 MB

Multiple filters have to be used in this case, and the order in which they are evaluated is important. Because there is no mechanism to move filters within a sensor, the order in which they are added to the sensor is the order in which they are applied.

1. Go to Security Profiles > Data Leak Prevention.

2. Use the Create New icon to add a new sensor.

Use the following values:

Name                                           large_emails

Comment                                    <optional>

 

Once the Sensor has been created, a new filter will need to be added.

3. Create the filter to block the emails over 15 MB. In the filters table select Create New.

 

Use the following values:

Filter

Filter                                           Messages

Filter option                               File Size >=

KB                                               15360 (1MB = 1024KB, 15 MB = 15 x 1024KB = 15360KB)

 

Examine the Following Services

Make sure all of the Email services are being examined.

 

Action

Set action to Block. Select OK.

4. Create the filter to log emails between 5 MB and 15 MB. In the filters table select Create New.

Use the following values

Filter

Filter                                           Messages

Filter option                               File Size >=

KB                                               5120 (1MB = 1024KB, 5 MB = 5 x 1024KB = 5120KB)

 

Examine the Following Services

Make sure all of the Email services are being examined.

 

Action

Set action to Log Only. Select OK.

The block filter is placed first because filters are applied in sequence and the first filter that matches determines the action. If the Log Only filter, which matches anything of 5 MB or more, came first, it would also match traffic over 15 MB, so a 16 MB email would only be logged. In the described order, a 16 MB email is blocked, an 8 MB email is logged, and a 3 MB email matches neither filter and passes.
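The two examples above, the Credit-Card sensor's separate Messages and Files filters and the ordering of the size filters, modelled as an added Python example that is not part of the handbook and not FortiOS code. It evaluates filters in the order they were added, with the first match deciding the action as the ordering note above relies on, and detects card numbers using the brand formats the default Credit-Card sensor covers plus a Luhn check so that random digit runs do not trigger. The service names, sizes and sample messages are constructed for the example.

```python
# Added example, not FortiOS code: a DLP sensor as an ordered list of filters.
# Services, thresholds and sample messages are constructed for this example.
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence, Set, Tuple

EMAIL_SERVICES = {"smtp", "pop3", "imap", "mapi"}
ALL_SERVICES = EMAIL_SERVICES | {"http-post", "http-get", "ftp", "nntp"}

# Number formats of the three brands the default Credit-Card sensor covers.
BRANDS = {
    "Visa": re.compile(r"4\d{12}(?:\d{3})?"),
    "MasterCard": re.compile(r"5[1-5]\d{14}"),
    "American Express": re.compile(r"3[47]\d{13}"),
}
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[Tuple[str, str]]:
    """Return (brand, number) for every Luhn-valid card number of a known brand."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        for brand, pattern in BRANDS.items():
            if pattern.fullmatch(digits) and luhn_ok(digits):
                found.append((brand, digits))
    return found


@dataclass
class Message:
    service: str                       # protocol the FortiGate saw the traffic on
    size_kb: int
    body: str = ""                     # "Messages" filters examine this
    attachments: Sequence[str] = ()    # "Files" filters examine these


@dataclass
class Filter:
    name: str
    matches: Callable[[Message], bool]
    action: str                        # None | Log Only | Block | Quarantine IP address
    services: Set[str] = field(default_factory=lambda: set(ALL_SERVICES))


@dataclass
class Sensor:
    name: str
    filters: List[Filter]

    def evaluate(self, msg: Message) -> Tuple[str, Optional[str]]:
        """Apply filters in the order they were added; the first match decides."""
        for f in self.filters:
            if msg.service in f.services and f.matches(msg):
                return f.action, f.name
        return "None", None


def build_sensor(log_filter_first: bool = False) -> Sensor:
    """The page's two examples in one sensor; log_filter_first reproduces the mistake."""
    cc_messages = Filter("cc-messages", lambda m: bool(find_card_numbers(m.body)), "Block")
    cc_files = Filter("cc-files", lambda m: any(find_card_numbers(a) for a in m.attachments), "Block")
    block_15mb = Filter("size>=15MB", lambda m: m.size_kb >= 15 * 1024, "Block", set(EMAIL_SERVICES))
    log_5mb = Filter("size>=5MB", lambda m: m.size_kb >= 5 * 1024, "Log Only", set(EMAIL_SERVICES))
    size_filters = [log_5mb, block_15mb] if log_filter_first else [block_15mb, log_5mb]
    return Sensor("credit-card+large_emails", [cc_messages, cc_files] + size_filters)


if __name__ == "__main__":
    sensor = build_sensor()
    for msg in (Message("smtp", 16 * 1024), Message("smtp", 6 * 1024),
                Message("http-post", 1, "card 4111 1111 1111 1111"),
                Message("smtp", 1, "see attached", ["acct 3782 822463 10005"])):
        print(msg.service, msg.size_kb, sensor.evaluate(msg))
```

Two things the model makes visible: the size filters only examine email services, so a 16 MB HTTP POST is untouched by them, and with the Log Only filter added first a 16 MB email is merely logged, which is exactly the ordering error the note above warns about.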

 

Selective blocking based on a fingerprint

The following is a fairly complex example but shows what can be done by combining various components in the correct configuration.

The company has a number of copyrighted documents that it does not want “escaping” to the Internet but it does want to be able to send those documents to the printers for turning into hardcopy.

The policies and procedures regarding this issue state that:

  • Only members of the group Senior_Editors can send copyrighted material to the printers.
  • Every member of the company is by default included in the group employees.
  • Even permitted transmission of copyrighted material should be recorded.
  • All of the printers’ IP addresses are in an address group called approved_printers.
  • There is a file share called copyrighted where a copy of every copyrighted file is required to be stored.
  • It does not happen often, but for legal reasons these files can sometimes be changed, and all versions of a file in this directory need to be secured.
  • All network connections to the Internet must have Antivirus enabled using at least the default profile.
  • The SSL/SSH Inspection profile used will be default.

It is assumed for the purposes of this example that:

  • Any addresses or address groups have been created.
  • User accounts and groups have been created.
  • The account used by the FortiGate is fgtaccess.
  • The copyrighted sensitivity level needs to be created.
  • The copyrighted material is stored at \\192.168.27.50\books\copyrighted\

1. Add a new sensitivity level by running the following commands in the CLI:

config dlp fp-sensitivity
    edit copyrighted
end

2. Add the files to the fingerprint database

a. Go to Security Profiles > DLP Fingerprint.

b. In the Document Sources section select Create New.

 

Use the following field values:

Name                                           copyrighted_material

Server Type                               Windows Share

Server Address                         192.168.27.50

User Name                                 fgtaccess

Password                                   ******

Path                                             books/copyrighted/

Filename Pattern                       *.pdf

Sensitivity                                  copyrighted

Scan Periodically                      enabled

<Frequency>                              Daily, Hour: 2, Min: 0

Advanced

Fingerprint files in subdirectories                   enabled

Remove fingerprints for deleted files             not enabled

Keep previous fingerprints for modified files    enabled

Two Sensors need to be created. One for blocking the transmission of copyrighted material and a second for allowing the passing of copyrighted material under specific circumstances.

3. Create the first DLP Sensor

  • Go to Security Profiles > Data Leak Prevention.
  • Create a new sensor.

Use the following field values:

Name                                           block_copyrighted

Comment                                    <optional>

  • In the Filter table, select Create New.

Use the following values

 

Filter

Filter                                           Files

Filter option                               File Finger Print

Fingerprint                                   copyrighted (selected from the drop down)

Examine the Following Services

Make sure all of the services are being examined.

Action

From the drop down menu choose Block

4. Create the second DLP Sensor

  • Go to Security Profiles > Data Leak Prevention.
  • Create a new sensor.

Use the following field values:

Name                                           allow_copyrighted

Comment                                    <optional>

  • In the Filter table, select Create New.

 

Use the following values

Filter

Filter                                           Files

Filter option                               File Finger Print

Fingerprint                                   copyrighted (selected from the drop down)

Examine the Following Services

Make sure all of the services are being examined.

Action

From the drop down menu choose Log Only

5. Create a policy to allow transmission of copyrighted material.

a. Go to Policy & Objects > IPv4 Policy.

b. Select Create New.

c. Use the following values in the Policy:

 

Incoming Interface                   LAN

Source Address                        all

Source User                             Senior_Editors

Outgoing Interface                   wan1

Destination Address                 approved_printers

Schedule                                    always

Service                                       all

Action                                         ACCEPT

Enable NAT                                enabled — Use Destination Interface Address

Antivirus                                    <ON> default

DLP                                             <ON> allow_copyrighted

SSL/SSH Inspection                 <ON> default

Enable this policy                     <ON>

Restricting the source to the Senior_Editors group and the destination to approved_printers is what keeps this policy from becoming a general exemption: the allow_copyrighted sensor only logs, so any traffic matching this policy carries copyrighted material out unblocked.

 

This policy should be placed as close to the top of the policy list as possible, so that it is among the first matched against; a more general policy above it carrying the blocking sensor would match first and the editors’ print jobs would be blocked.

6. Create a policy to block transmission of copyrighted material.

This will in effect be the default template for all following policies in that they will have to use the DLP profile that blocks the transmission of the copyrighted material.

a. Go to Policy & Objects > IPv4 Policy.

b. Select Create New or Edit an existing policy.

c. Use the following values in the Policy:

The fields should contain whatever values you need to accomplish your requirements, but each policy should include the DLP sensor block_copyrighted or, if a different DLP configuration is required, a sensor that includes a filter blocking files with the copyrighted fingerprint.

If you need to create a policy that is identity based make sure that there is an Authentication rule for the group employees that uses the DLP sensor that blocks copyrighted material.

Creating/editing a DLP sensor


DLP sensors are collections of filters. You must also specify an action for each filter when you create it in a sensor. Once a DLP sensor is configured, you can select it in a security policy. Any traffic handled by the security policy will be examined according to the DLP sensor configuration.

 

To create/edit a DLP sensor

1. Go to Security Profiles > Data Leak Prevention.

2. Choose whether you want to edit an existing sensor or create a new one.

  • The default sensor is the one displayed by default.
  • To edit an existing sensor, select it either from the drop down menu in the upper right hand corner of the window or by selecting the List icon (the rightmost of the three icons in the upper right of the window; it resembles a page with some lines on it) and then selecting the sensor you want to edit from the list.
  • To create a new sensor, either select the Create New icon (a plus sign within a circle) or select the List icon and then select the Create New link in the upper left of the window that appears.

3. Enter a name in the Name field for any new DLP sensors.

4. Optionally, you may also enter a comment. The comment appears in the DLP sensor list and can remind you of the details of the sensor.

5. At this point you can add filters to the sensor (see adding filters to a DLP sensor) or select OK to save the sensor. Without filters, the DLP sensor will do nothing.

 

Adding filters to a DLP sensor

Once you have created a DLP sensor, you need to add filters.

To add filters to a DLP sensor

1. Go to Security Profiles > Data Leak Prevention.

2. Select the sensor you wish to edit using the drop down menu or the sensor list window.

3. Within the Edit DLP Sensor window select Create New. A New Filter window pops up.

4. Select the type of filter. You can choose either Messages or Files. Depending on which of the two is chosen, different options are available.

 

A Messages filter has these configuration options:

  • [radio button] Containing: [drop down menu including: Credit Card # or SSN]
  • [radio button] Regular Expression [input field]

Examine the following Services:

Web Access

  • HTTP-POST

 

Email

  • [check box] SMTP
  • [check box] POP3
  • [check box] IMAP
  • [check box] MAPI

 

Others

  • [check box] NNTP

 

Action [from drop down menu]

  • None
  • Log Only,
  • Block
  • Quarantine IP address

 

A Files filter has these options:

  • [radio button] Containing: [drop down menu including: Credit Card # or SSN]
  • [radio button] File Size >= [ ]KB
  • [radio button] Specify File Types: File Types [“Click to add…” drop down menu of file extensions] and File Name Patterns [“Click to add…” drop down menu]
  • [radio button] File Finger Print: [drop down menu]
  • [radio button] Watermark Sensitivity: [drop down menu] and Corporate Identifier [id field]
  • [radio button] Regular Expression [input field]
  • [radio button] Encrypted

Examine the following Services:

Web Access

  • [check box] HTTP-POST
  • [check box] HTTP-GET

Email

  • [check box] SMTP
  • [check box] POP3
  • [check box] IMAP
  • [check box] MAPI

 

Others

  • [check box] FTP
  • [check box] NNTP

 

Action [from drop down menu]

  • None
  • Log Only,
  • Block
  • Quarantine IP address

5. Select OK.

6. Repeat steps 3 to 5 for each filter.

7. Select Apply to confirm the settings of the sensor.

If you have configured DLP to quarantine IP addresses and the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device, not just traffic from the individual user, could be blocked. You can avoid this problem by implementing authentication.

Enable data leak prevention


DLP examines your network traffic for data patterns you specify. The FortiGate unit then performs an action based on which pattern is found and the action configured for the filter that matched.

 

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create a DLP sensor.

New DLP sensors are empty. You must create one or more filters in a sensor before it can examine network traffic.

2. Add one or more filters to the DLP sensor.

Each filter searches for a specific data pattern. When a pattern in the active DLP sensor appears in the traffic, the FortiGate unit takes the action configured in the matching filter. Because the order of filters within a sensor cannot be changed, you must configure DLP in sequence.

3. Add the DLP sensor to one or more firewall policies that control the traffic to be examined.

DLP archiving


DLP is typically used to prevent sensitive information from getting out of your company network, but it can also be used to record network use. This is called DLP archiving. The DLP engine examines email, FTP, IM, NNTP, and web traffic. Enabling archiving for rules when you add them to sensors directs the FortiGate unit to record all occurrences of these traffic types when they are detected by the sensor.

Since the archive setting is configured for each rule in a sensor, you can have a single sensor that archives only the things you want.

You can archive Email, FTP, HTTP, IM, and session control content:

  • Email content includes IMAP, POP3, and SMTP sessions. Email content can also include email messages tagged as spam by Email filtering. If your unit supports SSL content scanning and inspection, Email content can also include IMAPS, POP3S, and SMTPS sessions.
  • HTTP content includes HTTP sessions. If your unit supports SSL content scanning and inspection HTTP content can also include HTTPS sessions.
  • IM content includes AIM, ICQ, MSN, and Yahoo! sessions.

DLP archiving comes in two forms: Summary Only and Full.

Summary archiving records information about the supported traffic types. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the Web, every URL the user visits is recorded. The result is a summary of all activity the sensor detected.

For more detailed records, full archiving is necessary. When an email message is detected, the message itself, including any attachments, is archived. When a user accesses the Web, every page the user visits is archived. Far more detailed than a summary, full DLP archives require more storage space and processing.

Because both types of DLP archiving require additional resources, DLP archives are saved to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service (subscription required).

You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the Fortinet configuration. The FortiGuard Analysis server becomes available when you subscribe to the FortiGuard Analysis and Management Service.

Two sample DLP sensors are provided with DLP archiving enabled. If you select the Content_Summary sensor in a security policy, it saves a summary DLP archive of all traffic the security policy handles. Similarly, the Content_Archive sensor saves a full DLP archive of all traffic handled by the security policy you apply it to. These two sensors are configured to detect all traffic of the supported types and archive it.

DLP archiving is set in the CLI only. To set the archive to Full:

config dlp sensor
    edit <name of sensor>
        set full-archive-proto smtp pop3 imap http ftp nntp aim icq msn yahoo mapi
end

To set the archive to Summary Only:

config dlp sensor
    edit <name of sensor>
        set summary-proto smtp pop3 imap http ftp nntp aim icq msn yahoo mapi
end

Data leak prevention concepts


Data leak prevention examines network traffic for data patterns you specify. You define whatever patterns you want the FortiGate unit to look for in network traffic. The DLP feature is broken down into a number of parts.

 

DLP sensor

A DLP sensor is a package of filters. To use DLP, you must enable it in a security policy and select the DLP sensor to use. The traffic controlled by the security policy will be searched for the patterns defined in the filters contained in the DLP sensor. Matching traffic will be passed or blocked according to how you configured the filters.

 

DLP filter

Each DLP sensor has one or more filters configured within it. Filters can examine traffic for known files using DLP fingerprints, for files of a particular type or name, for files larger than a specified size, for data matching a specified regular expression, or for traffic matching an advanced rule or compound rule.

 

You can configure the action taken when a match is detected. The actions include:

  • None
  • Log Only
  • Block
  • Quarantine IP address

Log Only is enabled by default.

 

DLP Filter Actions

 

None

No action is taken even if the filter is triggered.

 

Log Only

The FortiGate unit will take no action on network traffic matching a rule with this action. The filter match is logged, however. Other matching filters in the same sensor may still operate on matching traffic.

 

Block

Traffic matching a filter with the block action will not be delivered. The matching message or download is replaced with the data leak prevention replacement message.

 

Quarantine IP Address/ Source IP ban

Starting in FortiOS 5.2, the quarantine as a place where traffic content was held in storage, where it could not interact with the network or system, was removed, but the term quarantine was kept to describe keeping selected source IPs from interacting with the network and protected systems. This source IP ban is kept in the kernel rather than in any specific application engine and can be queried by APIs. The features that can use the APIs to access and use the banned source IP addresses are antivirus, DLP, DoS and IPS. Both IPv4 and IPv6 addresses are covered by this feature.

If the quarantine-ip action is used, the additional variable of expiry time becomes available. This variable determines for how long the source IP address will be blocked. In the GUI it is shown as a field before the word minutes. In the CLI the option is called expiry and the duration is in the format <###d##h##m>. The maximum days value is 364, the maximum hours value is 23 and the maximum minutes value is 59. The default is 5 minutes.

 

Configure using the CLI

To configure the DLP sensor to add the source IP address of the sender of a protected file to the quarantine, that is, the list of banned source IP addresses, edit the DLP filter in the CLI as follows:

config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set action quarantine-ip
                set expiry 5m
            end
end
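A parser for the <###d##h##m> expiry format with the limits stated above, together with a small source-IP ban table that drops entries once their expiry passes, as an added Python example that is not part of the handbook and not FortiOS code. The addresses and timestamps are constructed for the example; the real table lives in the FortiGate kernel and is not exposed this way.

```python
# Added example, not FortiOS code: parse quarantine-ip expiry values and keep a
# ban table with absolute expiry times. Addresses/timestamps are constructed.
import ipaddress
import re
from typing import Dict, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
EXPIRY = re.compile(r"^(?:(\d{1,3})d)?(?:(\d{1,2})h)?(?:(\d{1,2})m)?$")
DEFAULT_EXPIRY = "5m"                 # the default the page states: 5 minutes


def parse_expiry(value: str = DEFAULT_EXPIRY) -> int:
    """Return the ban duration in seconds; raise ValueError if malformed or out of range."""
    m = EXPIRY.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"bad expiry {value!r}: expected <###d##h##m>")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    if days > 364 or hours > 23 or minutes > 59:
        raise ValueError(f"expiry {value!r} exceeds the 364d23h59m maximum")
    return days * 86400 + hours * 3600 + minutes * 60


def is_valid_expiry(value: str) -> bool:
    try:
        parse_expiry(value)
        return True
    except ValueError:
        return False


class SourceIpBanTable:
    """Banned source addresses (IPv4 and IPv6) with an absolute expiry time each."""

    def __init__(self) -> None:
        self._bans: Dict[Address, float] = {}

    def ban(self, ip: str, now: float, expiry: str = DEFAULT_EXPIRY) -> float:
        """Quarantine `ip` from `now` for `expiry`; returns the time the ban lifts."""
        until = now + parse_expiry(expiry)
        self._bans[ipaddress.ip_address(ip)] = until
        return until

    def is_banned(self, ip: str, now: float) -> bool:
        addr = ipaddress.ip_address(ip)
        until = self._bans.get(addr)
        if until is None:
            return False
        if until <= now:                 # expired: drop lazily on lookup
            del self._bans[addr]
            return False
        return True

    def __len__(self) -> int:
        return len(self._bans)


if __name__ == "__main__":
    table = SourceIpBanTable()
    print(table.ban("192.0.2.10", now=1000.0))              # default 5m -> lifts at 1300.0
    print(table.ban("2001:db8::1", now=1000.0, expiry="1d2h3m"))
    print(table.is_banned("192.0.2.10", now=1299.0), table.is_banned("192.0.2.10", now=1300.0))
```

The parser rejects a bare number with no unit and a value outside the stated maximum rather than silently clamping it, which is the behaviour you want from anything that feeds a blocking control. Remember the NAT caveat from the filter procedure: the key here is the source address the FortiGate sees, so everything behind one NAT device shares one entry.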

 

Preconfigured sensors

A number of preconfigured sensors are provided with your FortiGate unit. These can be edited or added to more closely match your needs.

Some of the preconfigured sensors with filters ready to go are:

  • Credit-Card – This sensor logs the traffic, both files and messages, that contains credit card numbers in the formats used by American Express, MasterCard and Visa.
  • SSN-Sensor – This sensor logs the traffic, both files and messages, that contain Social Security Numbers with the exception of those that are WebEx invitation emails.

These rules affect only unencrypted traffic types. If you are using a FortiGate unit that can decrypt and examine encrypted traffic, you can enable those traffic types in these rules to extend their functionality if required.

Before using the rules, examine them closely to ensure you understand how they will affect the traffic on your network.

 

DLP document fingerprinting

One of the DLP techniques to detect sensitive data is fingerprinting (also called document fingerprinting). Most DLP techniques rely on you providing a characteristic of the file you want to detect, whether it’s the file type, the file name, or part of the file contents. Fingerprinting is different in that you provide the file itself. The FortiGate unit then generates a checksum fingerprint and stores it. The FortiGate unit generates a fingerprint for all files detected in network traffic, and it is compared to all of the fingerprints stored in its fingerprint database. If a match is found, the configured action is taken.

The document fingerprint feature requires a FortiGate unit with internal storage. The document fingerprinting menu item does not appear on models without internal storage.

Any type of file can be detected by DLP fingerprinting and fingerprints can be saved for each revision of your files as they are updated.

To use fingerprinting you select the documents to be fingerprinted and then add fingerprinting filters to DLP sensors and add the sensors to firewall policies that accept the traffic to which to apply fingerprinting.

 

Fingerprinting

Fingerprint scanning allows you to create a library of files for the FortiGate unit to examine. It will create checksum fingerprints so each file can be easily identified. Then, when files appear in network traffic, the FortiGate will generate a checksum fingerprint and compare it to those in the fingerprint database. A match triggers the configured action.

You must configure a document source or upload documents to the FortiGate unit for fingerprint scanning to work.

 

Fingerprinted Documents

The FortiGate unit must have access to the documents for which it generates fingerprints. One method is to manually upload documents to be fingerprinted directly to the FortiGate unit. The other is to allow the FortiGate unit to access a network share that contains the documents to be fingerprinted.

If only a few documents are to be fingerprinted, a manual upload may be the easiest solution. If many documents require fingerprinting, or if the fingerprinted documents are frequently revised, a network share is easier to manage because the FortiGate unit can rescan it on a schedule.

 

Fingerprinting by document source

To configure a fingerprint document source

1. Go to Security Profiles > DLP Fingerprint.

2. In the Document Sources section, select Create New.

3. Configure the settings:

Name                                           Enter a descriptive name for the document source.

Server Type                               The type of server share being accessed. The default is Windows Share, which also works with Samba shares.

Server Address                         Enter the IP address of the server.

User Name                                 Enter the user name of the account the FortiGate unit uses to access the server network share.

Password                                   Enter the password for the account being used to access the network share.

Path                                             Enter the path to the document folder.

Filename Pattern                       You may enter a filename pattern to restrict fingerprinting to only those files that match the pattern. To fingerprint all files, enter an asterisk (“*”).

Sensitivity Level                        Select a sensitivity level. The sensitivity is a tag for your reference that is included in the log files. It does not change how fingerprinting works.

Scan Periodically                      To have the files on the document source scanned on a regular basis, select this option. This is useful if files are added or changed regularly. Once selected, you can choose a Daily, Weekly, or Monthly update option. The Hour and Min fields set, on a 24 hour clock, the time at which the source share is scanned.

Advanced                                   Expand the Advanced heading for additional options.

Fingerprint files in sub-directories

By default, only the files in the specified path are fingerprinted. Files in sub-directories are ignored. Select this option to fingerprint files in sub-directories of the specified path.

Remove fingerprints for deleted files

Select this option to remove the fingerprints of files that have been deleted from the document source when the source is rescanned. If this option is disabled, fingerprints for deleted files are retained.

Keep previous fingerprints for modified files

Select this option to retain the fingerprints of previous revisions of updated files. If this option is disabled, fingerprints for previous versions of files are deleted when a new fingerprint is generated.

4. Select OK.

 

Fingerprinting manually by document

To configure manual document fingerprints

1. Go to Security Profiles > DLP Fingerprint.

2. In the Manual Document Fingerprints section, select Create New.

3. Use the Browse feature for the File field to select the file to be fingerprinted. The selection is limited to network resources.

4. Choose a Sensitivity level. The default choices are Critical, Private and Warning, but more can be added in the CLI.

5. If the file is an archive containing other files, select Process files inside archive if you also want the individual files inside the archive to have fingerprints generated in addition to the archive itself.

6. Select OK.

The file is uploaded and a fingerprint generated.
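The following script is an added illustration of how the fingerprint database behaves under the document source options above (Filename Pattern, sub-directories, deleted files, previous revisions) and under a manual upload. It is not FortiOS code: FortiOS does not document its checksum algorithm, so SHA-256 is an assumption, and the sample share is constructed in a temporary directory so the script runs offline.

```python
"""Added example: a toy model of FortiGate DLP document fingerprinting."""
import fnmatch
import hashlib
import os
import tempfile


def fingerprint(data: bytes) -> str:
    """Content checksum. The real algorithm is undocumented; SHA-256 is assumed."""
    return hashlib.sha256(data).hexdigest()


class FingerprintDB:
    """Fingerprints keyed by checksum, plus the current revision of each path."""

    def __init__(self):
        self.entries = {}   # checksum -> {"path": ..., "sensitivity": ...}
        self.current = {}   # relative path -> checksum of its latest revision

    def add_document(self, data: bytes, label: str, sensitivity="Private"):
        """Manual upload: fingerprint one file handed to the unit directly."""
        fp = fingerprint(data)
        self.entries[fp] = {"path": label, "sensitivity": sensitivity}
        return fp

    def scan_source(self, root, pattern="*", sensitivity="Private",
                    include_subdirs=False, remove_deleted=False,
                    keep_previous=False):
        """One scan of a document source with the GUI's Advanced options."""
        seen = set()
        for dirpath, dirnames, filenames in os.walk(root):
            if not include_subdirs:
                dirnames[:] = []          # do not descend into sub-directories
            for name in filenames:
                if not fnmatch.fnmatch(name, pattern):
                    continue              # Filename Pattern did not match
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                seen.add(rel)
                with open(full, "rb") as fh:
                    fp = fingerprint(fh.read())
                old = self.current.get(rel)
                if old == fp:
                    continue              # unchanged since the last scan
                if old is not None and not keep_previous:
                    self.entries.pop(old, None)   # drop the superseded revision
                self.entries[fp] = {"path": rel, "sensitivity": sensitivity}
                self.current[rel] = fp
        if remove_deleted:
            for rel in [p for p in self.current if p not in seen]:
                for fp in [k for k, v in self.entries.items() if v["path"] == rel]:
                    del self.entries[fp]
                del self.current[rel]
        return len(self.entries)

    def match(self, data: bytes):
        """Data path: fingerprint the observed file and look it up."""
        return self.entries.get(fingerprint(data))


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample share; returns counts and lookups for checking."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        _write(root, "plan.docx", b"Q3 plan, revision 1")
        _write(root, "readme.txt", b"not covered by the pattern")
        _write(root, "archive/old.docx", b"nested document")
        db = FingerprintDB()
        results["first_scan"] = db.scan_source(root, pattern="*.docx")
        results["subdir_scan"] = db.scan_source(root, pattern="*.docx",
                                                include_subdirs=True)
        _write(root, "plan.docx", b"Q3 plan, revision 2")
        results["keep_previous"] = db.scan_source(root, pattern="*.docx",
                                                  include_subdirs=True,
                                                  keep_previous=True)
        results["old_rev_hit"] = db.match(b"Q3 plan, revision 1") is not None
        os.remove(os.path.join(root, "plan.docx"))
        results["after_delete"] = db.scan_source(root, pattern="*.docx",
                                                 include_subdirs=True,
                                                 remove_deleted=True)
        results["miss"] = db.match(b"Q3 plan, revision 2")
        db.add_document(b"board minutes", "minutes.pdf", sensitivity="Critical")
        results["manual_hit"] = db.match(b"board minutes")["sensitivity"]
    return results


if __name__ == "__main__":
    print(demo())
```

Because the database is keyed by content, two identical files under different names share one entry, which is also why a renamed copy of a fingerprinted document is still detected.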

 

File size

This filter type checks for files exceeding a configured size. All files larger than the specified size are subject to the configured action. The value of the field is measured in kilobytes (KB).

 

DLP filtering by specific file types

File filters use file filter lists to examine network traffic for files that match either file names or file types. For example, you can create a file filter list that will find files called secret.* and also all JPEG graphic files. You can create multiple file filter lists and use them in filters in multiple DLP sensors as required.

 

Specify File Types is a DLP option that allows you to block files based on their file name or their type.

  • File types are a means of filtering based on an examination of the file contents, regardless of the file name. If you block the file type Archive (zip), all zip archives are blocked even if they are renamed with a different file extension. The FortiGate examines the file contents to determine what type of file it is and then acts accordingly.
  • File Name patterns are a means of filtering based purely on the names of files. They may include wildcards (*).

For example, blocking *.scr will stop all files with an scr file extension, which is commonly used for Windows screen saver files. Files trying to pass themselves off as Windows screen saver files by adopting the file-naming convention will also be stopped.

  • File patterns can specify the full or partial file name, the full or partial file extension, or any combination. File pattern entries are not case sensitive. For example, adding *.exe to the file pattern list also blocks any files ending with .EXE.
  • Files are compared to the enabled file patterns from top to bottom, in list order.

File filter does not detect files within archives. You can use file filter to block or allow the archives themselves, but not the contents of the archives.
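The script below is an added illustration of the two matching methods described in this section, the name pattern (case-insensitive, first enabled match in list order wins) and the file type (decided from the file's bytes, so a renamed archive is still caught), together with the archive caveat. It is not FortiOS code; the four magic-byte signatures, the filter list and the sample files are constructed for the demo, and the archive is built in memory with the standard zipfile module.

```python
"""Added example: DLP file filter matching by file name pattern and by file type."""
import fnmatch
import io
import zipfile

# Content signatures used for "file type" matching. FortiOS recognizes many more
# types; these four magic prefixes are a constructed subset for the demo.
MAGIC = [
    (b"PK\x03\x04", "archive/zip"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "exe"),
]


def detect_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring whatever name it carries."""
    for signature, type_name in MAGIC:
        if data.startswith(signature):
            return type_name
    return "unknown"


def evaluate(filename: str, data: bytes, filters):
    """Apply an ordered file filter list; the first enabled match decides.

    Each filter is {"name": <glob>} or {"type": <type_name>} plus "action".
    Name patterns are matched case-insensitively, as the handbook states.
    """
    file_type = detect_type(data)
    for flt in filters:
        if not flt.get("enabled", True):
            continue
        if "name" in flt and fnmatch.fnmatchcase(filename.lower(), flt["name"].lower()):
            return flt["action"], "name:" + flt["name"]
        if "type" in flt and flt["type"] == file_type:
            return flt["action"], "type:" + flt["type"]
    return "allow", None


def make_zip(inner_name: str, inner_data: bytes) -> bytes:
    """Build a small zip archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(inner_name, inner_data)
    return buf.getvalue()


FILTER_LIST = [
    {"name": "secret.*", "action": "block"},
    {"name": "*.scr", "action": "block"},
    {"type": "archive/zip", "action": "block"},
    {"name": "*.exe", "action": "block"},
]


def demo():
    """Run constructed samples through the list; returns the decisions for checking."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 12   # only the DOS header magic matters here
    archive = make_zip("payload.exe", fake_pe)
    return {
        # Name match, regardless of contents.
        "secret": evaluate("secret.txt", b"plain text", FILTER_LIST),
        # Case-insensitive extension match (*.scr also catches .SCR).
        "screensaver": evaluate("Wallpaper.SCR", fake_pe, FILTER_LIST),
        # A renamed archive is still caught because the type check reads the bytes.
        "renamed_zip": evaluate("holiday.jpg", archive, FILTER_LIST),
        # Handbook caveat: archive contents are not inspected, so a list that
        # only blocks *.exe lets an .exe packed inside a zip through.
        "exe_in_zip": evaluate("bundle.zip", archive, [FILTER_LIST[3]]),
        # Nothing in the list applies to a real JPEG.
        "unrelated": evaluate("photo.jpg", b"\xff\xd8\xff\xe0 jpeg", FILTER_LIST),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(label, decision)
```

The "exe_in_zip" case is the practical consequence of the archive limitation: if executables must not cross the policy, block the archive types themselves or pair the file filter with antivirus or content inspection that opens archives.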

 

Watermarking

Watermarking is essentially marking files with a digital pattern to identify the file as proprietary to a specific company. Fortinet has a utility that applies a digital watermark to files. The utility adds a small (approximately 100 byte) pattern to the file that is recognized by the DLP Watermark filter. The pattern is invisible to the end user.

When watermarking a file, verify that the sensitivity level used in the watermark matches a sensitivity level configured on the FortiGate unit. For example, if you are going to watermark a file with the sensitivity level "Secret", verify that "Secret" is a sensitivity level that has been defined on the FortiGate unit.

 

Watermark Sensitivity

If you are using watermarking on your files you can use this filter to check for watermarks that correspond to sensitivity categories that you have set up.

The Corporate Identifier ensures that you only act on watermarks that your company has placed on the files, not watermarks with the same sensitivity name placed by other companies.

 

Software Versions

Before planning to use watermarking software, verify that the software will work with your OS. Currently, the only utility available to watermark files is part of the FortiExplorer software, which is only available for the Windows operating system. There was an older, command-line-only version for Linux, but it has been discontinued.

 

File types

The Watermark tool does not work with every file type. The following file types are supported by the watermark tool:

  • .txt
  • .pdf
  • .doc
  • .xls
  • .ppt
  • .docx
  • .pptx
  • .xlsx

Currently the DLP only works with Fortinet’s watermarking software.

 

Using the FortiExplorer Watermark tool

The FortiExplorer software can be downloaded from the Fortinet Support Site.

1. Choose whether to “Apply Watermark To:”

  • Select File
  • Entire Directory

2. Fill in the fields:

a. Select File

This field has a browse icon next to it which allows you to browse to and select a single file or directory to apply the watermark to.

b. Sensitivity Level

This field is a drop-down menu that lists the available sensitivity levels that the FortiGate unit can scan for.

c. Identifier

This is a unique identifier string of characters to identify the company that the document belongs to.

d. Output Directory

This field has a browse icon next to it which allows you to browse to a directory where the altered file will be placed. If the output directory is the same as the source directory, the original file is overwritten. If the output directory is different from the source directory, the watermarked version of the file is placed there and the unaltered original is left in the source directory.

3. Select Apply Watermark to start the process.

 

Regular expression

The FortiGate unit checks network traffic for the regular expression specified in a regular expression filter. The regular expression library used by Fortinet is a variation of a library called PCRE (Perl Compatible Regular Expressions). A number of these filters can be added to a sensor making a sort of ‘dictionary’ subset within the sensor.

Some other, more limited, DLP implementations use a list of words in a text file to define what is searched for. While the format used here is slightly different from what some people are used to, the resulting effect is similar. Each regular expression filter can be thought of as a more versatile word to be searched for. In this dictionary (or sensor), the list of words is not limited to predefined words: it can include expressions that accommodate complex variations on those words and even target phrases. Another advantage of the individual filter model over a plain word list is that each expression can be assigned its own action, which makes this implementation much more granular.
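The following script is an added illustration of the "dictionary of filters, each with its own action" model described above. It is not FortiOS code and the three patterns are not the expressions used by the built-in Credit-Card or SSN-Sensor sensors; they, the sample messages and the action names are constructed for the demo. Python's re module is used in place of Fortinet's PCRE variant, and the Luhn checksum step on the card filter goes beyond what the handbook describes: it is added to show how a filter can cut false positives that a bare regular expression would produce.

```python
"""Added example: a DLP sensor as a dictionary of regex filters with per-filter actions."""
import re

# Each entry is one "word" of the sensor dictionary with its own action.
# Constructed for illustration; not the FortiOS built-in sensor patterns.
FILTERS = [
    {
        "name": "ssn",
        # US SSN shape, excluding the well-known invalid area/group/serial values.
        "pattern": r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b",
        "action": "block",
    },
    {
        "name": "visa",
        # 16 digits starting with 4, optionally grouped by spaces or dashes.
        "pattern": r"\b4\d{3}(?:[ -]?\d{4}){3}\b",
        "action": "log",
        "check": "luhn",   # extra validation, not part of the handbook's description
    },
    {
        "name": "codename",
        # A target phrase rather than a single word; case-insensitive.
        "pattern": r"\bproject\s+bluefin\b",
        "action": "quarantine-ip",
        "flags": re.IGNORECASE,
    },
]


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def compile_filters(filters):
    """Compile once; a sensor is evaluated against every message."""
    return [(f, re.compile(f["pattern"], f.get("flags", 0))) for f in filters]


COMPILED = compile_filters(FILTERS)


def scan(text: str):
    """Return [(filter name, action), ...] for every filter that triggers."""
    hits = []
    for flt, regex in COMPILED:
        for match in regex.finditer(text):
            if flt.get("check") == "luhn" and not luhn_ok(match.group(0)):
                continue          # looks like a card number but fails the checksum
            hits.append((flt["name"], flt["action"]))
            break                 # one hit is enough to decide this filter's action
    return hits


if __name__ == "__main__":
    # Constructed sample messages.
    for msg in [
        "Employee SSN 123-45-6789 on file",
        "Card 4111 1111 1111 1111 exp 12/27",
        "Card 4111 1111 1111 1112 exp 12/27",
        "Project BLUEFIN schedule attached",
        "lunch at noon",
    ]:
        print(repr(msg), "->", scan(msg))
```

When several filters trigger on one message, the sensor has to pick a winning action; ordering the filters from most to least severe and taking the first hit is the simplest policy, and it matches the per-filter granularity the section describes.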

 

Encrypted

This filter is binary: if a file passing through the policy is encrypted, the action is triggered. The FortiGate unit cannot inspect the contents of an encrypted file, so this filter is the only way to act on such files.

 

Examining specific services

To assist in optimizing the performance of the firewall, you can select which services or protocols are checked for the targeted content. This setting saves FortiGate resources by spending processing cycles only on the relevant traffic. Check the boxes for the services or protocols whose traffic should be checked for filter triggers.