DLP watermarking
Watermarking marks files with a digital pattern to designate them as proprietary to a specific company. A small pattern is added to the file that is recognized by the DLP watermark filter, but is invisible to the end user (except for text files).
The FortiExplorer client, or a Linux-based command line tool, can be used to add a watermark to the following file types:
- .txt
- .doc and .docx
- .ppt and .pptx
- .xls and .xlsx
The following information is covered in this section:
- Watermarking a file with FortiExplorer.
- Watermarking a file with the Linux tool.
- Configuring a DLP sensor to detect watermarked files.
FortiExplorer
In this example, a watermark will be added to a small text file. The content of the file is:
This is to show how DLP watermarking is done using FortiExplorer.
FortiExplorer can also be used to watermark an entire directory.
To watermark the text file with FortiExplorer:
- Open the FortiExplorer client.
- Select DLP Watermark from the left side bar.
- Set Apply Watermark To to Select File.
- Browse for the file, copy the file’s path into the Select File field.
- Set the Sensitivity Level. The available options are: Critical, Private, and Warning.
- Enter a company identifier in the Identifier field.
- Select the Output Directory where the watermarked file will be saved.
- Click Apply Watermark. The file is watermarked.
- The watermarked file content is changed to:
This is to show how DLP watermarking is done using FortiExplorer.=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=
Linux-based command line tool
A Linux-based command line tool can be used to watermark files. The tool can be executed in a Linux environment by passing in files or directories of files.
To download the tool:
- Log in to Fortinet Service and Support. A valid support contract is required.
- Go to Download > Firmware Images.
- Select the Download tab, and go to FortiGate/v5.00/5.0/5.0.0/WATERMARK.
- Download the fortinet-watermark-linux.out file.
To run the tool:
Enter the following to run the tool on a file:
watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level>
Enter the following to run the tool on a directory:
watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>
The following options are available:
-h | Print this help. |
-I | Watermark the file in place (don’t make a copy of the file). |
-o | The output file or directory. |
-e | Encode <to non-readable>. |
-i | Add a watermark identifier. |
-l | Add a watermark sensitivity level. |
-D | Delete a watermark identifier. |
-L | Delete a watermark sensitivity level. |
DLP watermark sensor
A DLP watermark sensor must be configured to detect watermarked files.
To configure a DLP watermark sensor:
config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}    <-- Protocol to inspect
                set filter-by watermark
                set sensitivity {Critical | Private | Warning}
                set company-identifier <string>
                set action {allow | log-only | block | ban | quarantine-ip}
            next
        end
    next
end
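The sensor only matches files whose watermark carries the configured company identifier, so it is worth confirming what is actually stamped in the files before relying on a block action. The following shell script is an added example, not Fortinet code: it audits the .txt files in a directory for the visible watermark, assuming the trailer layout of the single FortiDemo sample shown above. The function names wm_fields, wm_audit and wm_demo are hypothetical.

```shell
#!/bin/sh
# Added example, not Fortinet code: audit top-level .txt files in a directory
# for the visible DLP watermark. Assumption: the trailer matches the one
# sample on this page, i.e.
#   <run of =->identifier=<id> sensitivity=<level><run of =->
# Office files (invisible watermark) and encoded (-e) watermarks are not covered.

# Print "<identifier> <sensitivity>" for FILE; return 1 if no trailer is found.
wm_fields() {
    out=$(sed -n 's/.*[-=]\{4,\}identifier=\([^ ]*\) sensitivity=\([A-Za-z]*\)[-=]\{4,\}.*/\1 \2/p' "$1" | tail -n 1)
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Report each file as OK / MISMATCH / BADLEVEL / UNMARKED; return 1 if any is not OK.
wm_audit() {
    dir=$1; want_id=$2; bad=0
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        if fields=$(wm_fields "$f"); then
            id=${fields% *}; level=${fields#* }
            case $level in
                Critical|Private|Warning) ;;
                *) echo "BADLEVEL $f $level"; bad=$((bad + 1)); continue ;;
            esac
            if [ "$id" = "$want_id" ]; then
                echo "OK $f $level"
            else
                echo "MISMATCH $f $id"; bad=$((bad + 1))
            fi
        else
            echo "UNMARKED $f"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample input: the page's watermarked text plus two made-up files.
wm_demo() {
    d=$(mktemp -d)
    printf '%s' 'This is to show how DLP watermarking is done using FortiExplorer.=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=' > "$d/marked.txt"
    echo 'No watermark here.' > "$d/plain.txt"
    printf '%s\n' 'text=-=-=-=-identifier=OtherCo sensitivity=Private=-=-=-=-' > "$d/other.txt"
    rc=0; wm_audit "$d" FortiDemo || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Run wm_audit <directory> <identifier> against real files, using the same string as the sensor's company-identifier; a non-zero exit status means at least one text file would not match the sensor.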