Create Fingerprint Rules
DLP Fingerprints enable you to protect confidential information by generating a unique DNA (classification) for sensitive files. To create a fingerprint, first create an archive of the sensitive files that contain the types of data you want to protect. The contents of these files are used to identify sensitive data. A DLP policy then uses the classification in a rule to capture variants or modified versions of your classified sensitive data.
To create a fingerprint:
- Go to Policies > Profiles > DLP, hover over Edit Rules, and then click Fingerprint Classification.
- Select Fingerprints, and then click on New Fingerprint.
- Enter a fingerprint name and click Save.
- Click Apply Changes, add a short description, and then click Apply.
- Click Fingerprints, locate the fingerprint you just created, click the adjacent menu icon (ellipses), and then click the Upload Fingerprint icon.
Note
You can also upload the document archive of your sensitive files from your Virtual Appliance to the cloud tenant. For information, see Upload a Fingerprint File from a Virtual Appliance.
- Click Select File. Locate and select the document archive of your sensitive files.
- Click Open, and then click Upload.
- Click Apply Changes, add a short description, and then click Apply.
Upload a Fingerprint File from a Virtual Appliance
You can upload your archive of sensitive files from your Virtual Appliance to the Netskope Cloud.
There are two methods. The first is to upload the files directly to the Netskope tenant via the Fingerprinting UI; a hash is then generated based on the similarity match configuration. The other is to use a VM to generate the hash so that only the hash is uploaded to Netskope. With this second method, the original files are never uploaded to Netskope for fingerprinting or hash generation.
To upload the fingerprint file from the Virtual Appliance:
- Using the nstransfer account, transfer the fingerprint file to the pdd_data directory on the Virtual Appliance:
scp <fingerprint_file> nstransfer@<virtual_appliance_host>:/home/nstransfer/pdd_data
The location of the pdd_data directory varies between the nstransfer and nsadmin user accounts. When using the nstransfer account to copy the file to the appliance, the pdd_data directory is /home/nstransfer/pdd_data. When you log in to the appliance using the nsadmin account, the pdd_data directory is located at /var/ns/docker/mounts/lclw/mountpoint/nslogs/user/pdd_data.
- After the file is successfully transferred, log in to the appliance using the nsadmin account.
- Upload the file to the Netskope cloud. If your file name contains special characters, you may need to use / or " " to escape the characters in the argument. To learn more, see List of Special Characters to be Escaped in a Command Line Argument. Run the following command at the Netskope shell prompt to upload the file:
request dlpfingerprint generate classification <fingerprint-classification> path /var/ns/docker/mounts/lclw/mountpoint/nslogs/user/pdd_data/upload/<file-name>
The command returns:
Process with pid 15642 for generating fingerprint has started
Please use <request dlpfingerprint status> command for checking status
- Check the status of the upload:
request dlpfingerprint status
The command returns:
Uploaded classification journal file
Uploaded md5 classification journal file
Uploaded fingerprint keys journal file
Fingerprint generation complete (1/1)
Create Fingerprint Rules
- Go to Policies > Profiles > DLP, hover over Edit Rules, and then click Rules.
- Click New Fingerprint Rule. Under Settings, select the fingerprint you created previously, and then click Next.
- Set the threshold level, which determines how much of the sensitive content in the archive needs to match files being scanned for policy violations. The recommended default value is 85%. Click Next.
- Enter a name for this fingerprint rule and click Save.
- Click Apply Changes, add a brief description, and then click Apply.
- When creating a DLP profile, the fingerprint rule can be selected on the Rule or Classification screen of the DLP Profiles workflow.
List of Special Characters to be Escaped in a Command Line Argument
When providing file names with special characters in a command line argument, you may need to use / or " " to escape the characters. The following table lists the special characters.
Character | Unicode | Name |
---|---|---|
` | U+0060 | Grave Accent (Backtick) |
~ | U+007E | Tilde |
! | U+0021 | Exclamation mark |
# | U+0023 | Number sign (Hash) |
$ | U+0024 | Dollar sign |
& | U+0026 | Ampersand |
* | U+002A | Asterisk |
( | U+0028 | Left Parenthesis |
) | U+0029 | Right Parenthesis |
(tab) | U+0009 | Tab |
{ | U+007B | Left Curly Bracket (Left brace) |
[ | U+005B | Left Square Bracket |
\| | U+007C | Vertical Line (Vertical bar) |
\ | U+005C | Reverse Solidus (Backslash) |
; | U+003B | Semicolon |
' | U+0027 | Apostrophe (Single quote) |
" | U+0022 | Quotation Mark (Double quote) |
(newline) | U+000A | Line Feed (Newline) |
< | U+003C | Less than |
> | U+003E | Greater than |
? | U+003F | Question mark |
(space) | U+0020 | Space |
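As an added example (not Netskope's own tooling) serving both the Virtual Appliance upload procedure and the special-character table above, this POSIX sh helper builds the request dlpfingerprint generate command with the nsadmin-side pdd_data/upload path and double-quotes an argument only when it contains a character outside a conservative allowlist. It assumes the Netskope shell accepts POSIX-style double-quoted arguments, which the page's mention of " " suggests; the classification name and file name are constructed sample values.

```shell
#!/bin/sh
# Added example, not Netskope tooling. Assumes the Netskope shell accepts
# POSIX-style double-quoted arguments (the page mentions " " as an escape option).
PDD_UPLOAD_DIR=/var/ns/docker/mounts/lclw/mountpoint/nslogs/user/pdd_data/upload

# Conservative allowlist check: any byte outside [A-Za-z0-9._/-] (which covers
# every character in the table, including tab, newline and space) means the
# argument needs quoting. wc -c counts the leftover bytes, so a name whose only
# special character is a newline is not missed.
needs_quoting() {
  n=$(( $(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9._/-' | wc -c) ))
  [ "$n" -gt 0 ]
}

# Wrap an argument in double quotes, backslash-escaping the four characters that
# stay special inside double quotes: backslash, double quote, dollar sign, backtick.
dquote_arg() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character of the remainder
    s=${s#?}          # drop it
    case "$c" in
      '\'|'"'|'$'|'`') out="$out\\$c" ;;
      *)               out="$out$c" ;;
    esac
  done
  printf '"%s"' "$out"
}

# Quote only when necessary so that simple names stay readable in the command.
quote_if_needed() {
  if needs_quoting "$1"; then dquote_arg "$1"; else printf '%s' "$1"; fi
}

# Emit the upload command for a classification name ($1) and a file name ($2)
# already copied into the nsadmin-side pdd_data/upload directory.
build_generate_cmd() {
  printf 'request dlpfingerprint generate classification %s path %s\n' \
    "$(quote_if_needed "$1")" "$(quote_if_needed "$PDD_UPLOAD_DIR/$2")"
}

# Constructed sample: a file name containing space, parentheses and a dollar sign.
build_generate_cmd 'HR-Records' 'Q3 payroll (draft)$.zip'
```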