FortiGate
vifi
Staff
Article Id 326412
Description This article describes why PDF files are blocked as encrypted by a DLP profile.
Scope FortiOS 7.2 and above.
Solution

Assume the following example configuration:

 

config dlp profile
    edit "DLP_1"
        set feature-set proxy
        config rule
            edit 3
                set proto http-get http-post ftp
                set filter-by encrypted
                set action block
            next

 

Check the debug outputs:

 

diagnose sys scanunit debug all
diagnose sys scanunit debug level verbose
diagnose debug console timestamp enable
diagnose debug enable


In this example, the PDF file is encrypted and matches rule 3.

In the scanunit debug output, the rule count starts at 0, so rule 2 in the debug output corresponds to rule 3 in the configuration.

 

2024-06-18 13:19:51 su 15155 job 789 object_name '2024-annual-report.pdf'
2024-06-18 13:19:51 su 15155 job 789 sscan content-encoding chain:
2024-06-18 13:19:51 su 15155 job 789 file-typing wanted
2024-06-18 13:19:51 su 15155 job 789 heuristic scan enabled
2024-06-18 13:19:51 su 15155 job 789 enable databases 0f (core avai mmdb extended)
2024-06-18 13:19:51 su 15155 job 789 HTTP: begin scan
2024-06-18 13:19:51 su 15155 job 789 scan file '2024-annual-report.pdf' bytes 9915858
2024-06-18 13:19:51 su 15155 job 789 DLP: start archive level 0 scan '2024-annual-report.pdf'
2024-06-18 13:19:51 su 15155 job 789 DLP: file has type 42 from 3
2024-06-18 13:19:51 su 15155 job 789 DLP: file has type 42 from 3
2024-06-18 13:19:51 su 15155 job 789 DLP: scanning file '2024-annual-report.pdf' type 42 len 9915858 buffer-type pdf decoded 0 archive_is_blocked 0 checking 4 of 4 rules
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 0
2024-06-18 13:19:51 su 15155 job 789 DLP: file type no match.
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 1
2024-06-18 13:19:51 su 15155 job 789 DLP: file type no match.
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 2
2024-06-18 13:19:51 su 15155 job 789 DLP: Found encrypted PDF file
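
When the debug output covers many concurrent jobs, the match can be extracted with a script. The following Python sketch is an added example, not Fortinet code: it groups scanunit lines by job and reports which rule produced "Found encrypted PDF file". It assumes the line layout shown above and, as in this article's example, that debug rule index N corresponds to rule N+1 in the configuration; the function name and the job 790 sample lines are made up for illustration.

```python
import re

# Line shape taken from the debug output above:
# "<date> <time> su <pid> job <id> <message>"
LINE_RE = re.compile(r"^(\S+ \S+) su (\d+) job (\d+) (.*)$")
OBJECT_RE = re.compile(r"^object_name '(.*)'$")
RULE_RE = re.compile(r"^DLP: Matching rule (\d+)$")
ENCRYPTED_MSG = "DLP: Found encrypted PDF file"


def find_encrypted_pdf_matches(lines):
    """Return one dict per 'Found encrypted PDF file' event."""
    jobs = {}  # (su pid, job id) -> state; lines of different jobs interleave
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a scanunit job line
        timestamp, pid, job, msg = m.groups()
        state = jobs.setdefault((pid, job), {"file": None, "index": None})
        obj, rule = OBJECT_RE.match(msg), RULE_RE.match(msg)
        if obj:
            state["file"] = obj.group(1)
        elif rule:
            state["index"] = int(rule.group(1))  # last rule being evaluated
        elif msg == ENCRYPTED_MSG and state["index"] is not None:
            findings.append({
                "time": timestamp,
                "job": int(job),
                "file": state["file"],
                "debug_index": state["index"],
                # Assumption from the article: the debug count starts at 0,
                # so index N is rule N + 1 in the configuration.
                "config_rule": state["index"] + 1,
            })
    return findings


# Constructed sample: job 789 follows the article's output,
# job 790 is invented to show interleaved jobs.
SAMPLE = """\
2024-06-18 13:19:51 su 15155 job 789 object_name '2024-annual-report.pdf'
2024-06-18 13:19:51 su 15155 job 790 object_name 'notes.pdf'
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 1
2024-06-18 13:19:51 su 15155 job 790 DLP: Matching rule 0
2024-06-18 13:19:51 su 15155 job 789 DLP: file type no match.
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 2
2024-06-18 13:19:51 su 15155 job 789 DLP: Found encrypted PDF file
""".splitlines()

print(find_encrypted_pdf_matches(SAMPLE))
```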

 


Inspect the file on Linux with the pdfinfo command. The output shows that the file is encrypted.

 

Desktop$ pdfinfo 2024-annual-report.pdf
Title:
Creator: Adobe Acrobat Pro 10.1.4
Producer: Adobe Acrobat Pro 10.1.4
CreationDate: Thu Aug 16 00:39:28 2012 CEST
ModDate: Thu Aug 16 00:39:28 2012 CEST
Custom Metadata: no
Metadata Stream: yes
Tagged: yes
UserProperties: no
Suspects: no
Form: none
Javascript: no
Pages: 25
Encrypted: yes (print:no copy:no change:no addNotes:no algorithm:AES)
Page size: 595.276 x 841.89 pts (A4)
Page rot: 0
File size: 530975 bytes
Optimized: yes
PDF version: 1.6


The PDF file is detected as encrypted, so the file will be blocked as encrypted.
