FortiGate
dfonseca_FTNT
Article Id 190232
Description
This article describes the steps to configure DLP fingerprinting (manual document fingerprints and document sources) in FortiGate v5.0 and v5.2.

Solution
1. Enable DLP in the FortiGate GUI (this makes the DLP menus visible under Security Profiles)
config system global
set gui-dlp enable
end

2. Configure Manual Document Fingerprints or a Document Source

In 5.2.x go to Security Profiles > Advanced > DLP Fingerprinting.
In 5.0.x go to Security Profiles > DLP > DLP Fingerprinting.

If Manual Document Fingerprints will be used:

- Create New
- Choose the File(s) to Upload
- Select the Security Level (Critical, Private or Warning)
- Click OK

If a Document Source is going to be used:

- Create New and fill in the fields according to the file server:
  - Server address: IP address of the file server
  - Username: if domain credentials are required, use domain/username
  - Path: pathname/
  - Filename pattern: to scan everything in the share use *, otherwise specify file types/names such as 'example.pdf'

From the CLI (example; the password is typed in clear text when configuring interactively, the ENC form is how it appears in a saved configuration):
config dlp fp-doc-source
    edit "test_server"
        set server "10.58.0.222"
        set username <user_name>
        set password ENC <pass>
        set file-path "path/"
        set file-pattern "*"
        set sensitivity "Critical"
    next
end

3. Configure the DLP Sensor

In 5.2.x/5.0.x go to Security Profiles > Data Leak Prevention.

- Create a new Sensor
- Create a new Rule for the Sensor
- Select Files
- Select File Fingerprint and choose the Sensitivity
- Set the desired Action (None, Log Only, Block, Quarantine IP)
- Click OK

From the CLI (example):
config dlp sensor
    edit "Test_DLP_Fingerprint"
        config filter
            edit 1
                set proto smtp pop3 imap http-get http-post ftp
                set filter-by fingerprint
                set fp-sensitivity "Critical"
                set action block
            next
        end
    next
end

4. Apply the DLP Sensor in the Policy

In the firewall policy, make sure that UTM inspection is enabled and the DLP sensor is applied (without utm-status enabled, security profiles on the policy are not used):
config firewall policy
    edit <Policy ID>
        set utm-status enable
        set dlp-sensor "Test_DLP_Fingerprint"
    next
end

Verification of configuration and troubleshooting

From the CLI enter the commands:
diag deb application dlpfingerprint -1
diag deb en

When a Document Source is used, messages like the following appear once the FortiGate has authenticated to the server and starts listing and reading the share:
DLPFP smb_list called
DLPFP listCb called
DLPFP smb_read called
DLPFP readCb called
DLPFP:Adding file dlp/example.pdf to document source test_server (vdom root)
DLPFP: Step sql
DLPFP: Step sql
DLPFP:Prepare sql INSERT INTO....

If authentication succeeds (the "Adding file" lines appear in the debug output), the documents found in the server's shared folder are listed under the Document Source in the GUI:
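To check a captured "diag debug application dlpfingerprint" session without reading it line by line, the following added Python helper (not part of the article or of FortiOS) parses the messages shown above, lists the files fingerprinted per document source and vdom, and flags a run in which the share was listed but no file was added. The sample debug text is constructed from the lines in this article and the regular expression assumes the exact "DLPFP:Adding file ... to document source ... (vdom ...)" format shown.

```python
import re
from collections import defaultdict

# Constructed sample of "diag deb application dlpfingerprint -1" output,
# modelled on the messages shown in the article (not a real capture).
SAMPLE_DEBUG = """\
DLPFP smb_list called
DLPFP listCb called
DLPFP smb_read called
DLPFP readCb called
DLPFP:Adding file dlp/example.pdf to document source test_server (vdom root)
DLPFP: Step sql
DLPFP:Prepare sql INSERT INTO....
DLPFP smb_read called
DLPFP readCb called
DLPFP:Adding file dlp/contracts/nda.docx to document source test_server (vdom root)
DLPFP smb_list called
DLPFP listCb called
"""

# Assumed format of the "Adding file" message, taken from the article's sample.
ADD_RE = re.compile(
    r"DLPFP:Adding file (?P<path>\S+) to document source (?P<source>\S+) \(vdom (?P<vdom>\S+)\)"
)


def summarize_fingerprint_debug(text):
    """Return ({(vdom, source): [paths]}, smb_list calls, smb_read calls)."""
    files = defaultdict(list)
    list_calls = read_calls = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line == "DLPFP smb_list called":
            list_calls += 1
        elif line == "DLPFP smb_read called":
            read_calls += 1
        else:
            m = ADD_RE.match(line)
            if m:
                files[(m["vdom"], m["source"])].append(m["path"])
    return dict(files), list_calls, read_calls


def ingestion_ok(text):
    """True when the share was listed and at least one file was fingerprinted."""
    files, list_calls, _ = summarize_fingerprint_debug(text)
    return list_calls > 0 and any(files.values())
```

If the share is listed (smb_list) but nothing is added, check the username/domain form, the path and the filename pattern configured in the document source.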

In 5.2.x go to Security Profiles > Advanced > DLP Fingerprinting.
In 5.0.x go to Security Profiles > DLP > DLP Fingerprinting.

Select the Document Source and click View to list the documents that have been fingerprinted from the share.

Troubleshooting
diag deb application dlpfingerprint -1
diag deb en

When finished, turn the debug output off again:
diag deb disable

DLP matches are logged under Log&Report > Security Log > DLP.
