Wednesday, 11 February 2015

How-to: Configure DLP fingerprinting on a FortiGate

The following how-to guide will take you through the steps to configure DLP fingerprinting on the FortiGates.

Before we begin we need to confirm two things.

Firstly, the FortiGate model you are configuring has a storage drive. Models like the FG80C have no storage so DLP fingerprinting won't work.

Secondly DLP has been enabled in the web-gui. If it's not you can enable it via the CLI with the following commands:

config system global
set gui-dlp enable
end

For FortiGates running 5.2 you'll need to goto Security Profiles > Advanced > DLP Fingerprinting. If you're running 5.0 it will be found under Security Profiles > DLP > DLP Fingerprinting.

Click on 'Create New' for document sources and fill out the details mirroring the example below. For this example I have a shared drive named 'Shared' on a Windows server.

Server address: IP address of the file server
Username: If domain credentials are required use domain/username (note the forwardslash)
Path: pathname/ (note forwardslash at the end)
Filename pattern: If you want to scan everything in the share use the asterix '*', otherwise you can specify filetypes like '8.txt'.

The end result should look something like this.


This will only scan the share once. To have it scan on a schedule, enable the 'Scan Periodically' option and select from daily/weekly/monthly.

Once this is done, give the FortiGate a few moments to start scanning the folder and creating the hashes. You should now see the value under '# Documents' increase as the files get hashed.


To see which files have been hashed, tick the document source (in this example 'ad-server') and select 'View'.


That's pretty much it. From here on you would configure the DLP sensors to allow/block/log any attempts to transfer a file that has been hashed.

If you don't see the document count increasing then you can run the following diagnostic command to help troubleshoot the issue:

diagnose debug application dlpfingerprint -1
diagnose debug enable

Below we can see two outputs. The first one is because of incorrect user credentials:


This second one shows a successfully connect and the FortiGate beginning to hash the files (all the fpHaBindStep calls we can see):





No comments: