DLP watermarking

Watermarking marks files with a digital pattern to designate them as proprietary to a specific company. A small pattern is added to the file that is recognized by the DLP watermark filter, but is invisible to the end user (except for text files).

FortiExplorer client, or a Linux-based command line tool, can be used to add a watermark to the following file types: l .txt

• .doc and .docx
• .pdf
• .ppt and .pptx
• .xls and .xlsx

The following information is covered in this section:

• Watermarking a file with FortiExplorer. l Watermarking a file with the Linux tool. l Configuring a DLP sensor to detect watermarked files.

FortiExplorer

In this example, a watermark will be added to small text file. The content of the file is:

This is to show how DLP watermarking is done using FortiExplorer.

FortiExplorer can also be used to watermark an entire directory.

To watermark the text file with FortiExplorer:

1. Open the FortiExplorer client.
2. Select DLP Watermark from the left side bar.
3. Set Apply Watermark To to Select File.
4. Browse for the file, copy the file’s path into the Select File
5. Set the Sensitivity Level. The available options are: Critical, Private, and Warning.
6. Enter a company identifier in the Identifier
7. Select the Output Directory where the watermarked file will be saved.
8. Click Apply Watermark. The file is watermarked.
9. The watermarked file content is changed to:

This is to show how DLP watermarking is done using FortiExplorer.=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=

Linux-based command line tool

A Linux-based command line tool can be used to watermark files. The tool can be executed is a Linux environment by passing in files or directories of files.

To download the tool:

1. Log in to Fortinet Service and Support. A valid support contract is required.
2. Go to Download > Firmware Images.
3. Select the Download tab, and go to FortiGate/v5.00/5.0/5.0.0/WATERMARK.
4. Download the fortinet-watermark-linux.out

To run the tool:

Enter the following to run the tool on a file:

watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level> Enter the following to run the tool on a directory:

watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>

The following options are available:

DLP watermark sensor

A DLP watermark sensor must be configured to detect watermarked files.

To configure a DLP watermark sensor:

config dlp sensor edit <sensor name> config filter edit <id number of filter>

set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi} <– Pro-

tocol to inspect set filter-by watermark

set sensitivity {Critical | Private | Warning}

set company-identifier <string>

set action {allow | log-only | block | ban | quarantine-ip}

next

end

next end

DLP fingerprinting

DLP fingerprinting can be used to detect sensitive data. The file that the DLP sensor will filter for is uploaded and the

FortiGate generates and stores a checksum fingerprint. The FortiGate unit generates a fingerprint for all of the files that

are detected in network traffic, and compares all of the checksums stored in its database. If a match is found, the configured action is taken.

Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

To use fingerprinting:

• Select the files to be fingerprinted by targeting a document source. l Add fingerprinting filters to DLP sensors.
• Add the sensors to firewall policies that accept traffic that the fingerprinting will be applied on.

To configure a DLP fingerprint document:

config dlp fp-doc-source edit <name_str> set server-type smb set server <string>

set period {none | daily | weekly | monthly} set vdom {mgmt | current} set scan-subdirectories {enable | disable} set remove-deleted {enable | disable} set keep-modified {enable | disable} set username <string> set password <password> set file-path <string> set file-pattern <string>

set sensitivity <Critical | Private | Warning> set tod-hour <integer> set tod-min <integer>

set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday} set date <integer>

next end

To configure a DLP fingerprint sensor:

config dlp sensor edit <sensor name> config filter edit <id number of filter> set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi} set filter-by fingerprint

set sensitivity {Critical | Private | Warning}

set match-percentage <integer>

set action {allow | log-only | block | ban | quarantine-ip}

next

end

next end

View the DLP fingerprint database on the FortiGate

The CLI debug command diagnose test application dlpfingerprint can be used to display the fingerprint information that is on the FortiGate.

Fingerprint Daemon Test Usage;

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1 : This menu

• : Dump database
• : Dump all files
• : Dump all chunk
• : Refresh all doc sources in all VDOMs
• : Show the db file size and the limit
• : Display stats
• : Clear stats

99 : Restart this daemon

For example, option 3 will dump all fingerprinted files:

Basic DLP filter types

File type and name

A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list.

To configure file type and name filtering using the CLI:

1. Create a file pattern to filter files based on the file name patter or file type:

config dlp filepattern edit <filepatern_entry_integer> set name <string> config entries edit <file pattern> set filter-type <type | pattern> set file-type <file type>

next

end

next

end

For example, to filter for GIFs and PDFs:

config dlp filepattern edit 11 set name “sample_config” config entries edit “*.gif” set filter-type pattern

next edit “pdf” set filter-type type set file-type pdf

next

end

next

end

2. Attach the file pattern to a DLP sensor, and specify the protocols and actions:

config dlp sensor edit <string> config filter edit <integer> set name <string>

set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi> set filter-by file-type

set file-type 11   <– Previously configured filepattern set action <allow | log-only| block | quarantine-ip>

next

end

next end

To configure file type and name filtering using the GUI:

1. Go to Security Profiles > Data Leak Prevention.
2. Click Create New. The New DLP Sensor page opens.
3. Click Add Filter in the filter table. The New Filter pane opens.
4. Set Type to Files and select Specify File Types.
5. Add file types by clicking in the File Types field and select file types from the side pane.
6. Add file name patterns by clicking in the File Name Patterns field:
   1. In the side pane that opens, enter the pattern in the search bar.
   2. Click Create.
   3. Select the newly created pattern.

File size

A file size filter checks for files that exceed the specific size, and performs the DLP sensor’s configured action on them.

To configure file size filtering using the CLI:

config dlp sensor edit <string> config filter edit <integer> set name <string> set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi> set filter-by file-size <– Match any file over with a size over the threshold

set file-type 11  <– Previously configured filepattern set action <allow | log-only| block | quarantine-ip>

next

end

next

end

To configure file size filtering using the GUI:

1. Go to Security Profiles > Data Leak Prevention.
2. Click Create New. The New DLP Sensor page opens.
3. Click Add Filter in the filter table. The New Filter pane opens.
4. Set Type to Files and select File size over.
5. Enter the maximum file size, in kilobytes, in the File size over field, then click OK.

Regular expression

A regular expression filter is used to filter files or messages based on the configured regular expression pattern.

To configure regular expression filtering using the CLI:

config dlp sensor edit <string> config filter edit <integer> set name <string>

set type <file | message>  <– Check contents of a file or of messages, web

pages, etc. set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi> set filter-by regexp  <– Use a regular expression to match content set regexp <regexp>  <– Input a regular expression pattern set action <allow | log-only| block | quarantine-ip>

next

end

next

end

To configure regular expression filtering using the GUI:

1. Go to Security Profiles > Data Leak Prevention.
2. Click Create New. The New DLP Sensor page opens.
3. Click Add Filter in the filter table. The New Filter pane opens.
4. For filtering regular expressions in files, set Type to Files. For filtering in messages, set Type to Messages.
5. Select RegularExpression.
6. Enter the regular expression string in the RegularExpression field, then click OK.

Credit card and SSN

The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It can be used to filter files or messages.

The SSN sensor can be used to filter files or messages for Social Security Numbers.

To configure credit card or SSN filtering using the CLI:

config dlp sensor edit <string> config filter edit <integer> set name <string>

set type <file | message> <– Check contents of a file, or of messages, web

pages, etc. set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi> set filter-by < credit-card | ssn >  <– Match credit cards or social security

numbers

set action <allow | log-only| block | quarantine-ip>

next

end

next

end

To configure credit card or SSN filtering using the GUI:

1. Go to Security Profiles > Data Leak Prevention.
2. Click Create New. The New DLP Sensor page opens.
3. Click Add Filter in the filter table. The New Filter pane opens.
4. For filtering in files, set Type to Files. For filtering in messages, set Type to Messages.
5. Select Containing.
6. Select Credit Card # or SSN from the Containing drop-down list, then click OK.

Data leak prevention

The FortiGate Data Leak Prevention (DLP) system prevents sensitive data from leaving your network. Data matching defined sensitive data patterns are blocked, logged, or allowed when passing through the FortiGate unit.

The DLP system is configured by creating individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule in a DLP sensor, and assigning the sensor to a security policy.

A DLP sensor is made of filters that are configured within it. The filters examine traffic for:

• Known files used DLP Fingerprints l Known files using DLP Watermark l Files of a particular type l Files with a particular name l Files larger than a specified size l Data matching a specified regular expression l Credit card and SSN numbers

When a match to a filter is detected, the possible actions include:

• Allow: No action is taken, even if the pattern specified in the filter is matched. l Log: The filter match is logged. l Block: Traffic matching the filter is blocked. l Quarantine IP address: Traffic matching the filter is blocked, and the client initiating the traffic is soure IP banned.

The primary use of the DLP feature is to stop sensitive data from the leaving the network. It can also be used to prevent unwanted data from entering the network, and to archive some or all of the content that is passing through the FortiGate device. DLP archiving is configured per filter, allowing for a single sensor that archives only the required data.

There are two forms of DLP archiving: l Summary Only

A summary of all the activity that the sensor detected is recorded. For example, when an email message is detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the web, every URL that they visit is recorded. l Full

Detailed records of all the activity that the sensor detects is recorded. For example, when an email message is detected, the message itself, including any attachments, is recorded. When a user accesses the web, every page that they visit is archived.

File Filter for email filter

Introduction

File Filter is a new feature introduced in FortiOS 6.2, and provides the Email filter profile with the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak Prevention) Sensor.

In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web filter profile, and SMTP, POP3, IMAP file-filtering is configurable in Email filter profile. In this article we will discuss Email filter File Filtering.

Currently, File Filtering in Email filter profile is based on file type (file’s meta data) only, and not on file size or file content. Users will still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or regexp.

GUI configuration have yet to be implemented. In addition, Email filter File Filtering will only work on proxy mode policies.

File Types Supported

File Filter in Email filter profile supports the following file types:

Configure File Filter from CLI

Using CLI, configuration for File Filtering is nested inside Email filter profile’s configuration.

In File filtering configuration, file filtering functionality and logging is independent of the Email filter profile.

To block or log a file type, we must configure file filter entries. Within each entry we can specify a file-type, action (log|block), protocol to inspect (http|ftp), direction we want to inspect traffic (incoming|outgoing|any), and if we should match only encrypted files. In addition, in each file filter entry we can specify multiple file types. File filter entries are ordered, however, blocked will take precedence over log.

In the example CLI below we want to file filter the following using Email filter profile:

1. Block EXE files from received or sent out (filter1).
2. Log the sending of document files (filter2).

config emailfilter profile edit “emailfilter-file-filter” config file-filter

set status enable                      <— Allow user to disable/enable file fil-

tering

set log enable       <— Allow user to disable/enable logging for file filtering set scan-archive-contents enable <— Allow scanning of files inside archives

such as ZIP, RAR config entries edit “filter1”

set comment “Block executable files”

set protocol smtp imap pop3  <— Inspect all email traffic set action block  <— Block file once file type is matched set encryption any       <— Inspect both encrypted and un-encrypted

files

set file-type “exe”   <— Choosing the file type to match next edit “filter2”

set comment “Log document files”

set protocol smtp                 <— Inspect only SMTP traffic

set action log  <— Log file once file type is matched set encryption any

set file-type “pdf” “msoffice” “msofficex” <— Multiple file types can be con-

figured in a single entry next

end

end

end

After configuring File Filter in Email filter profile, we must apply it to a firewall policy.

config firewall policy edit 1 set name “client-to-internet”

set srcintf “port2” set dstintf “port1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set utm-inspection-mode proxy set logtraffic all set emailfilter profile “email-file-filter” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next

end

CLI Example:

File Filter action as “Block”:

1: date=2019-01-25 time=15:20:16 logid=”0554020511″ type=”utm” subtype=”emailfilter” eventtype=”file_filter” level=”warning” vd=”vdom1″ eventtime=1548458416 policyid=1 sessionid=2881 srcip=10.1.100.12 srcport=45974 srcintf=”port2″ srcintfrole=”undefined” dstip=172.16.200.56 dstport=143 dstintf=”port1″ dstintfrole=”undefined” proto=6 service=”IMAP” action=”blocked” from=”emailuser1@qa.fortinet.com” to=”emailuser2@qa.fortinet.com” recipient=”emailuser2″ direction=”incoming” subject=”EXE file block” size=”622346″ attachment=”yes” filename=”putty.exe” filtername=”filter1″ filetype=”exe” File Filter action as “Log”:

1: date=2019-01-25 time=15:23:16 logid=”0554020510″ type=”utm” subtype=”emailfilter” eventtype=”file_filter” level=”notice” vd=”vdom1″ eventtime=1548458596 policyid=1 sessionid=3205 srcip=10.1.100.12 srcport=55664 srcintf=”port2″ srcintfrole=”undefined” dstip=172.16.200.56 dstport=25 dstintf=”port1″ dstintfrole=”undefined” proto=6 service=”SMTP” pro-

file=”emailfilter-file-filter” action=”detected” from=”emailuser1@qa.fortinet.com” to=”-

“emailuser2@qa.fortinet.com” sender=”emailuser1@qa.fortinet.com” recipient=”emailuser2@qa.fortinet.com” direction=”outgoing” subject=”PDF file log” sizee=”390804″ attachment=”yes” filename=”fortiauto.pdf” filtername=”filter2″ filetype=”pdf”

Checking the log

To check the email filter log in the CLI:

execute log filter category 5 execute log display

1 logs found.

1 logs returned.

1: date=2019-04-09 time=03:41:18 logid=”0510020491″ type=”utm” subtype=”emailfilter” eventtype=”imap” level=”notice” vd=”vdom1″ eventtime=1554806478647415130 policyid=1 sessionid=439 srcip=10.1.100.22 srcport=39937 srcintf=”port21″ srcintfrole=”undefined” dstip=172.16.200.45 dstport=143 dstintf=”port17″ dstintfrole=”undefined” proto=6 service=”IMAPS” profile=”822881″ action=”blocked” from=”testpc3@qa.fortinet.com” to=”testpc3@qa.fortinet.com” recipient=”testpc3″ direction=”incoming” msg=”from ip is in ip blacklist.(path black ip 172.16.200.9)” subject=”testcase822881″ size=”525″ attachment=”no”

To check the email filter log in the GUI:

Go to Log & Report > Anti-Spam.

Webmail

The FortiGate email filter is intended to filter standard email protocols including SMTP, POP3, IMAP, and MAPI, however, it can also be configured to detect and log emails sent through some webmail interfaces. The supported webmail interfaces include Gmail and MSN-Hotmail.

To configure webmail filtering through the CLI:

config emailfilter profile edit “myWebMailDetector” set spam-filtering enable config msn-hotmail set log enable

end config gmail set log enable

end

next

end