Fortinet white logo
Fortinet white logo

Administration Guide

DLP fingerprinting

DLP fingerprinting

DLP fingerprinting employs Indexed Document Matching (IDM) to detect sensitive data. See Indexed Document Matching (IDM) for more information. The file that the DLP profile filters is uploaded and the FortiGate generates and stores a checksum fingerprint. The FortiGate generates a fingerprint for all the files that are detected in network traffic, and compares all the checksums stored in its database. If a match is found, the configured action is taken. Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

Using fingerprinting requires:

  1. Creating a DLP fingerprint database by allowing the FortiGate to access a file server containing files from which to create fingerprints.

  2. Adding fingerprinting filters to DLP profiles.

  3. Adding the profiles to firewall policies that accept traffic that the fingerprinting will be applied on.

See Fingerprinting example for a sample configuration.

Note

The document fingerprint feature requires a FortiGate that has internal storage.

To configure a DLP fingerprint document:
config dlp fp-doc-source
    edit <name>
        set server <string>
        set username <string>
        set password <password>
        set file-path <string>
        set sensitivity <Critical | Private | Warning>
    next
end

Command

Description

server <string>

Enter the IPv4 or IPv6 address of the file server.

username <string>

Enter the user name required to log into the file server.

password <password>

Enter the password required to log into the file server.

file-path <string>

Enter the path on the server to the fingerprint files.

sensitivity <Critical | Private | Warning>

Set the sensitivity or threat level for matches with this fingerprint database.

See config dlp fp-doc-source in the FortiOS CLI Reference for a comprehensive list of commands and supported FortiGate models.

Note

A file server is required for the user to upload files. Each uploaded file will have a fingerprint generated by FortiGate, and will be stored locally as a checksum. Currently, only servers that are using the Samba (SMB) protocol are compatible.

To configure a DLP fingerprint profile:
config dlp profile
    edit <name>
        set feature-set proxy
        config rule
            edit <id>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end

Command

Description

proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}

Set the protocol to inspect.

filter-by fingerprint

Set to match against a fingerprint sensitivity.

sensitivity {Critical | Private | Warning}

Set the DLP file pattern sensitivity to match.

match-percentage <integer>

Set the percentage of the checksum required to match before the profile is triggered.

action {allow | log-only | block | ban | quarantine‑ip}

Set the action to take with content that matches the DLP profile.

Fingerprinting example

This configuration will block HTTPS download traffic that matches the checksums that are stored in the FortiGate fingerprint database.

Note

When utilizing commonly-used SSL-encrypted protocols, such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Deep inspection for more information.

The client machine must also have the corresponding deep inspection Certificate Authority (CA) certificate installed.

In this example, a text document with sensitive data is being downloaded by the client using the HTTP GET method. The term Protected Server refers to the Samba file server that stores the fingerprint files. It is assumed that you already have a configured Samba file server.

The FortiGate intercepts the traffic using deep inspection and blocks the traffic as it matches the DLP profile configured on this FortiGate. See Sample log for a log sample.

To block network traffic that matches the checksums stored in the FortiGate fingerprint database:
  1. Configure the DLP fingerprint database:

    config dlp fp-doc-source
        edit "test"
            set server "172.16.200.55"
            set username "kiki"
            set password *****
            set file-path "/sambashare/upload/"
            set sensitivity "Critical"
        next
    end
    

    This step can only be configured in the CLI.

  2. Configure the DLP profile:

    config dlp profile
        edit "fingerprint"
            set feature-set proxy
            config rule
                edit 1
                    set proto http-get
                    set filter-by fingerprint
                    set sensitivity "Critical"
                    set action block
                next
            end
        next
    end
    

    DLP profiles that filter by fingerprint can only be configured in the CLI.

  3. Add the DLP profile to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set dlp-profile "fingerprint"
            set nat enable
        next
    end
    

    This can also be configured in the GUI. See To add the DLP profile to a firewall policy.

To verify the results:
  1. Verify that the DLP fingerprint database is present on the FortiGate:

    # diagnose test application dlpfingerprint 3
    File DB:
    ---------------------------------------
    id,     filename,       vdom,   archive,        deleted,        scanTime,       docSourceSrvr,  sensitivity,    chunkCnt,       reviseCnt,
    1,      /sambashare/upload/testdlp,     root,   0,      0,      1706727347,     test,   2,      1,      0,
    2,      /sambashare/upload/testdlp.txt, root,   0,      0,      1706728230,     test,   2,      1,      0,
    
  2. Verify HTTP GET traffic that matches the checksums stored in the FortiGate fingerprint database is being blocked:

    A download attempt of a text file from a Windows device was made using Chrome browser. This text file is located on the protected server and its fingerprint is saved in the FortiGate fingerprint database.

    The download was unsuccessful, leading to the creation of a sample log. See Sample log.

Sample log

To view the sample log:
  1. Go to Log & Report > Security Events and select AntiVirus.

  2. View the log details in the GUI, or download the log file:

    1: date=2024-02-01 time=08:47:25 eventtime=1706734045777192462 tz="+1200" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="Critical" filtertype="fingerprint" filtercat="file" severity="medium" policyid=1 poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" policytype="policy" sessionid=308873 epoch=813849496 eventid=0 srcip=13.13.13.13 srcport=51058 srccountry="United States" srcintf="port2" srcintfrole="undefined" srcuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" dstip=172.16.200.55 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" proto=6 service="HTTPS" filetype="unknown" direction="incoming" action="block" hostname="172.16.200.55" url="https://172.16.200.55/testdlp.txt" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0" httpmethod="GET" filename="testdlp.txt" filesize=20 profile="fingerprint"

DLP fingerprinting

DLP fingerprinting

DLP fingerprinting employs Indexed Document Matching (IDM) to detect sensitive data. See Indexed Document Matching (IDM) for more information. The file that the DLP profile filters is uploaded and the FortiGate generates and stores a checksum fingerprint. The FortiGate generates a fingerprint for all the files that are detected in network traffic, and compares all the checksums stored in its database. If a match is found, the configured action is taken. Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated.

Using fingerprinting requires:

  1. Creating a DLP fingerprint database by allowing the FortiGate to access a file server containing files from which to create fingerprints.

  2. Adding fingerprinting filters to DLP profiles.

  3. Adding the profiles to firewall policies that accept traffic that the fingerprinting will be applied on.

See Fingerprinting example for a sample configuration.

Note

The document fingerprint feature requires a FortiGate that has internal storage.

To configure a DLP fingerprint document:
config dlp fp-doc-source
    edit <name>
        set server <string>
        set username <string>
        set password <password>
        set file-path <string>
        set sensitivity <Critical | Private | Warning>
    next
end

Command

Description

server <string>

Enter the IPv4 or IPv6 address of the file server.

username <string>

Enter the user name required to log into the file server.

password <password>

Enter the password required to log into the file server.

file-path <string>

Enter the path on the server to the fingerprint files.

sensitivity <Critical | Private | Warning>

Set the sensitivity or threat level for matches with this fingerprint database.

See config dlp fp-doc-source in the FortiOS CLI Reference for a comprehensive list of commands and supported FortiGate models.

Note

A file server is required for the user to upload files. Each uploaded file will have a fingerprint generated by FortiGate, and will be stored locally as a checksum. Currently, only servers that are using the Samba (SMB) protocol are compatible.

To configure a DLP fingerprint profile:
config dlp profile
    edit <name>
        set feature-set proxy
        config rule
            edit <id>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}
                set filter-by fingerprint
                set sensitivity {Critical | Private | Warning}
                set match-percentage <integer>
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end

Command

Description

proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | ssh | cifs}

Set the protocol to inspect.

filter-by fingerprint

Set to match against a fingerprint sensitivity.

sensitivity {Critical | Private | Warning}

Set the DLP file pattern sensitivity to match.

match-percentage <integer>

Set the percentage of the checksum required to match before the profile is triggered.

action {allow | log-only | block | ban | quarantine‑ip}

Set the action to take with content that matches the DLP profile.

Fingerprinting example

This configuration will block HTTPS download traffic that matches the checksums that are stored in the FortiGate fingerprint database.

Note

When utilizing commonly-used SSL-encrypted protocols, such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Deep inspection for more information.

The client machine must also have the corresponding deep inspection Certificate Authority (CA) certificate installed.

In this example, a text document with sensitive data is being downloaded by the client using the HTTP GET method. The term Protected Server refers to the Samba file server that stores the fingerprint files. It is assumed that you already have a configured Samba file server.

The FortiGate intercepts the traffic using deep inspection and blocks the traffic as it matches the DLP profile configured on this FortiGate. See Sample log for a log sample.

To block network traffic that matches the checksums stored in the FortiGate fingerprint database:
  1. Configure the DLP fingerprint database:

    config dlp fp-doc-source
        edit "test"
            set server "172.16.200.55"
            set username "kiki"
            set password *****
            set file-path "/sambashare/upload/"
            set sensitivity "Critical"
        next
    end
    

    This step can only be configured in the CLI.

  2. Configure the DLP profile:

    config dlp profile
        edit "fingerprint"
            set feature-set proxy
            config rule
                edit 1
                    set proto http-get
                    set filter-by fingerprint
                    set sensitivity "Critical"
                    set action block
                next
            end
        next
    end
    

    DLP profiles that filter by fingerprint can only be configured in the CLI.

  3. Add the DLP profile to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set dlp-profile "fingerprint"
            set nat enable
        next
    end
    

    This can also be configured in the GUI. See To add the DLP profile to a firewall policy.

To verify the results:
  1. Verify that the DLP fingerprint database is present on the FortiGate:

    # diagnose test application dlpfingerprint 3
    File DB:
    ---------------------------------------
    id,     filename,       vdom,   archive,        deleted,        scanTime,       docSourceSrvr,  sensitivity,    chunkCnt,       reviseCnt,
    1,      /sambashare/upload/testdlp,     root,   0,      0,      1706727347,     test,   2,      1,      0,
    2,      /sambashare/upload/testdlp.txt, root,   0,      0,      1706728230,     test,   2,      1,      0,
    
  2. Verify HTTP GET traffic that matches the checksums stored in the FortiGate fingerprint database is being blocked:

    A download attempt of a text file from a Windows device was made using Chrome browser. This text file is located on the protected server and its fingerprint is saved in the FortiGate fingerprint database.

    The download was unsuccessful, leading to the creation of a sample log. See Sample log.

Sample log

To view the sample log:
  1. Go to Log & Report > Security Events and select AntiVirus.

  2. View the log details in the GUI, or download the log file:

    1: date=2024-02-01 time=08:47:25 eventtime=1706734045777192462 tz="+1200" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="Critical" filtertype="fingerprint" filtercat="file" severity="medium" policyid=1 poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" policytype="policy" sessionid=308873 epoch=813849496 eventid=0 srcip=13.13.13.13 srcport=51058 srccountry="United States" srcintf="port2" srcintfrole="undefined" srcuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" dstip=172.16.200.55 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" proto=6 service="HTTPS" filetype="unknown" direction="incoming" action="block" hostname="172.16.200.55" url="https://172.16.200.55/testdlp.txt" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0" httpmethod="GET" filename="testdlp.txt" filesize=20 profile="fingerprint"