Selective blocking based on a finger print
The following is a fairly complex example but shows what can be done by combining various components in the correct configuration.
The company has a number of copyrighted documents that it does not want “escaping” to the Internet but it does want to be able to send those documents to the printers for turning into hardcopy.
The policies and procedures regarding this issue state that:
• Only members of the group Senior_Editors can send copyrighted material to the printers.
• Every member of the company by default is included in the group employees.
• Even permitted transmission of copyrighted material should be recorded.
• All of the printers IP addresses are in a group called approved_printers.
• There is a file share called copyrighted where any file that is copyrighted is required to have a copy stored.
• It doesn’t happen often but for legal reasons sometimes these files can be changed, but all versions of a file in this directory need to be secured.
• All network connections to the Internet must have Antivirus enabled using at least the default profile.
• The SSL/SSH Inspection profile used will be default.
It is assumed for the purposes of this example that:
• Any addresses or address groups have been created.
• User accounts and groups have been created.
• The account used by the FortiGate is fgtaccess.
• The Copyrighted sensitivity level needs to be created.
• The copyrighted material is stored at \\192.168.27.50\books\copyrighted\