How to fix PDF files blocked as encrypted by DLP profile

This article describes how to resolve an issue where PDF files are blocked as encrypted by a DLP profile.

Scope

FortiOS 7.2+.

Solution

Assume the following example configuration:

config dlp profile
    edit "DLP_1"
        set feature-set proxy
        config rule
            edit 3
                set proto http-get http-post ftp
                set filter-by encrypted
                set action block
            next
        end
    next
end

Enable scanunit debugging and check the output:

diagnose sys scanunit debug all
diagnose sys scanunit debug level verbose
diagnose debug console timestamp enable
diagnose debug enable

In this example, the debug output shows that the PDF file is detected as encrypted and matches rule 3.

In scanunit debug output, rule numbering starts at 0, so rule 2 in the debug output corresponds to rule 3 in the configuration.

2024-06-18 13:19:51 su 15155 job 789 object_name '2024-annual-report.pdf'
2024-06-18 13:19:51 su 15155 job 789 sscan content-encoding chain:
2024-06-18 13:19:51 su 15155 job 789 file-typing wanted
2024-06-18 13:19:51 su 15155 job 789 heuristic scan enabled
2024-06-18 13:19:51 su 15155 job 789 enable databases 0f (core avai mmdb extended)
2024-06-18 13:19:51 su 15155 job 789 HTTP: begin scan
2024-06-18 13:19:51 su 15155 job 789 scan file '2023-annual-report.pdf' bytes 9915858
2024-06-18 13:19:51 su 15155 job 789 DLP: start archive level 0 scan '2023-annual-report.pdf'
2024-06-18 13:19:51 su 15155 job 789 DLP: file has type 42 from 3
2024-06-18 13:19:51 su 15155 job 789 DLP: file has type 42 from 3
2024-06-18 13:19:51 su 15155 job 789 DLP: scanning file '2023-annual-report.pdf' type 42 len 9915858 buffer-type pdf decoded 0 archive_is_blocked 0 checking 4 of 4 rules
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 0
2024-06-18 13:19:51 su 15155 job 789 DLP: file type no match.
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 1
2024-06-18 13:19:51 su 15155 job 789 DLP: file type no match.
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 2
2024-06-18 13:19:51 su 15155 job 789 DLP: Found encrypted PDF file
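
When several transfers are scanned at once, lines from different jobs interleave in the capture. The following Python sketch is an added example, not Fortinet code: it tracks state per job, reports each file flagged as an encrypted PDF and converts the debug rule index to the configuration rule as described above. It assumes timestamps are enabled and that the line layout matches the output shown here; the function name and the job 790 sample lines are constructed.

```python
import re

# Constructed sample modelled on the scanunit debug lines above; job 790 is
# invented here to show two scan jobs interleaving in the same capture.
SAMPLE = """\
2024-06-18 13:19:51 su 15155 job 789 object_name '2024-annual-report.pdf'
2024-06-18 13:19:51 su 15155 job 790 object_name 'notes.pdf'
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 0
2024-06-18 13:19:51 su 15155 job 789 DLP: file type no match.
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 1
2024-06-18 13:19:51 su 15155 job 789 DLP: file type no match.
2024-06-18 13:19:51 su 15155 job 789 DLP: Matching rule 2
2024-06-18 13:19:51 su 15155 job 790 DLP: Matching rule 0
2024-06-18 13:19:51 su 15155 job 789 DLP: Found encrypted PDF file
2024-06-18 13:19:51 su 15155 job 790 DLP: file type no match.
"""

LINE = re.compile(r"^(\S+ \S+) su (\d+) job (\d+) (.*)$")
OBJECT = re.compile(r"object_name '(.*)'")
RULE = re.compile(r"DLP: Matching rule (\d+)")
ENCRYPTED = "DLP: Found encrypted PDF file"


def encrypted_pdf_hits(log_text):
    """Return one record per scan job in which DLP reported an encrypted PDF."""
    jobs = {}  # (su number, job number) -> last file name and rule index seen
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped scanunit job line
        ts, su, job, msg = m.groups()
        state = jobs.setdefault((su, job), {"file": None, "rule": None})
        obj, rule = OBJECT.search(msg), RULE.search(msg)
        if obj:
            state["file"] = obj.group(1)
        elif rule:
            state["rule"] = int(rule.group(1))
        elif ENCRYPTED in msg and state["rule"] is not None:
            # Assumption: debug index N is configuration rule N + 1, as above.
            hits.append({"time": ts, "job": int(job), "file": state["file"],
                         "debug_rule": state["rule"],
                         "config_rule": state["rule"] + 1})
    return hits


if __name__ == "__main__":
    for hit in encrypted_pdf_hits(SAMPLE):
        print(hit)
```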

Inspect the file on Linux with the pdfinfo command. The Encrypted field in the output shows that the file contains encrypted content.

Desktop$ pdfinfo 2024-annual-report.pdf
Title:
Creator: Adobe Acrobat Pro 10.1.4
Producer: Adobe Acrobat Pro 10.1.4
CreationDate: Thu Aug 16 00:39:28 2012 CEST
ModDate: Thu Aug 16 00:39:28 2012 CEST
Custom Metadata: no
Metadata Stream: yes
Tagged: yes
UserProperties: no
Suspects: no
Form: none
Javascript: no
Pages: 25
Encrypted: yes (print:no copy:no change:no addNotes:no algorithm:AES)
Page size: 595.276 x 841.89 pts (A4)
Page rot: 0
File size: 530975 bytes
Optimized: yes
PDF version: 1.6

The PDF file is detected as encrypted, so the file will be blocked as encrypted.