Selective blocking based on a finger print
The following is a fairly complex example but shows what can be done by combining various components in the correct configuration.
The company has a number of copyrighted documents that it does not want “escaping” to the Internet but it does want to be able to send those documents to the printers for turning into hardcopy.
The policies and procedures regarding this issue state that:
• Only members of the group Senior_Editors can send copyrighted material to the printers.
• Every member of the company by default is included in the group employees.
• Even permitted transmission of copyrighted material should be recorded.
• All of the printers IP addresses are in a group called approved_printers.
• There is a file share called copyrighted where any file that is copyrighted is required to have a copy stored.
• It doesn’t happen often but for legal reasons sometimes these files can be changed, but all versions of a file in this directory need to be secured.
• All network connections to the Internet must have Antivirus enabled using at least the default profile.
• The SSL/SSH Inspection profile used will be default.
It is assumed for the purposes of this example that:
• Any addresses or address groups have been created.
• User accounts and groups have been created.
• The account used by the FortiGate is fgtaccess.
• The Copyrighted sensitivity level needs to be created.
• The copyrighted material is stored at \\192.168.27.50\books\copyrighted\
1. Add a new Sensitivity Level by running the following commands in the CLI
config dlp fp-sensitivity
edit copyrighted
end
2. Apply files to the fingerprint database
a. Go to Security Profiles > Advanced > DLP Fingerprint.
b. In the Document Sources section select Create New
Use the following field values
Name | copyrighted_material |
Server Type | Windows Share |
Server Address | 192.168.27.50 |
User Name | fgtaccess |
Password | ****** |
Path | books/copyrighted/ |
Filename Pattern | *.pdf |
Sensitivity | copyrighted |
Scan Periodically | enabled |
<Frequency> | Daily, Hour: 2, Min: 0 |
Advanced | |
Fingerprint files in subdirectories | enabled |
Remove fingerprints for deleted files | not enabled |
Keep previous fingerprints for modified files | enabled |
Two Sensors need to be created. One for blocking the transmission of copyrighted material and a second for allowing the passing of copyrighted material under specific circumstances.
3. Create the first DLP Sensor
• Go to Security Profile > Data Leak Prevention.
• Create a new sensor.
Use the following field values:
Name | block_copyrighted |
Comment | <optional> |
• In the Filter table, select Create New.
Use the following values
Filter
Filter | Files |
Filter option | File Finger Print |
Finger print value from dropdown | “copyrighted” |
Examine the Following Services
Make sure all of the services are being examined.
Action
From the drop down menu choose Block
4. Create the second DLP Sensor
• Go to Security Profile > Data Leak Prevention.
• Create a new sensor.
Use the following field values:
Name | allow_copyrighted |
Comment | <optional> |
• In the Filter table, select Create New.
Use the following values
Filter
Filter | Files |
Filter option | File Finger Print |
Finger print value from dropdown | “copyrighted” |
Examine the Following Services
Make sure all of the services are being examined.
Action
From the drop down menu choose Log Only
5. Create a policy to allow transmission of copyrighted material.
a. Go to Policy & Objects > Policy > IPv4
b. Select Create New
c. Use the following values in the Policy:
Incoming Interface | LAN |
Source Address | all |
Outgoing Interface | wan1 |
Destination Address | all |
Schedule | always |
Service | all |
Action | ACCEPT |
Enable NAT | enabled -- Use Destination Interface Address |
Antivirus | <ON> default |
DLP | <ON> Copyrighted |
SSL/SSH Inspection | <ON> default |
Enable this policy | <ON> |
This policy should be place as close to the beginning of the list of policies so the it is among the first tested against.
6. Create a policy to block transmission of copyrighted material.
This will in effect be the default template for all following policies in that they will have to use the DLP profile that blocks the transmission of the copyrighted material.
a. Go to Policy & Objects > Policy > IPv4
b. Select Create New or Edit an existing policy.
c. Use the following values in the Policy:
The fields should include what ever values you need to accomplish your requirements are but each policy should include the DLP sensor block_copyrighted or if a different DLP configuration is required it should include a filter that blocks copyrighted fingerprinted file.
If you need to create a policy that is identity based make sure that there is an Authentication rule for the group employees that uses the DLP sensor that blocks copyrighted material.