
Configuring sensitive data protection

The Data Loss Prevention (DLP) feature allows the Web Application Firewall (WAF) to prevent information leaks, damage and loss. It provides masking and alerting for sensitive information exposed on websites, such as Social Security numbers and credit card numbers, as well as for the leakage of sensitive keywords.

  • Detects and identifies private and sensitive data generated on the webpage, offering protective measures.
  • Provides a built-in illegal and sensitive keyword library.

Before you begin:

  • Configure a virtual server with a WAF Profile.

To configure Data Leak Prevention

  1. Go to Web Application Firewall > Sensitive Data Protection > Sensitive Data Type.
  2. Click Create New.
  3. Complete the configuration.

    Name: Enter the name of the Sensitive Data Type. You will use this name to select the Sensitive Data Type profile in Data Leak Prevention profiles. No spaces.
    Description: Comments about this profile. Describe what the profile is used for and what kind of data its regex is meant to match.
    Regex: Specify the regex string used to match sensitive data. Two pre-defined regex strings are provided, named Credit_Card_Number and US_Social_Security_Number.
  4. Click Save.
  5. Go to the Data Leak Prevention tab. Click Create New.
  6. Complete the configuration.

    Name: Enter the name of the Data Leak Prevention profile. You will use this name to select the Data Leak Prevention profile in WAF profiles. No spaces.
    Status: Enable or disable this profile. Default is disable.

    Masking

    Enable masking to replace sensitive data with asterisks (*). Default is disable.

    Note: When masking is enabled, all target data is replaced by asterisks (*), so the threshold value does not take effect. Masking only works when the action is alert. When the action is set to "deny" or "block," the connection is rejected, so no target data is replaced.

    Action

    Sets the action FortiADC takes if a security check detects a potential attack.

    • Alert—Let the request pass when the profile detects a potential attack, and only trigger a WAF log.
    • Deny—Drop the incoming request and trigger a WAF log.
    • Block—Block the IP address of the incoming request for 3600 seconds and trigger a WAF log.
    • silent-deny—Drop the incoming request without triggering a WAF log.

    Note: You can create a customized action with "Create New."

    Severity

    Set the severity level in the WAF logs for potential attacks detected by the Data Leak Prevention profile.

    • High
    • Medium
    • Low

    URI Pattern: Specified in Data Leak Prevention rules. An empty URI value prevents the rule from working.
    Sensitive Data Type: Specified in Data Leak Prevention rules. Specify a profile created in "Sensitive Data Type."
    Threshold

    Specified in Data Leak Prevention rules. The rule does not take effect until the target data has been detected the specified number of times.

    For example, if you set the threshold to 3, the rule does not take effect until the target data has been detected three times.

    Range 1-10000. Default 1. This value has no effect if "masking" is enabled.

  7. Click Create New to create rules in the Data Leak Prevention profile. A maximum of 256 rules can be created, but detection stops after at most eight rules have matched.
Example

Create a sensitive-data-type:

  config security waf sensitive-data-type
    edit "Credit_Card_Number"
      set regex "^3(?:[47]\\d([ -]?)\\d{4}(?:\\1\\d{4}){2}|0[0-5]\\d{11}|[68]\\d{12})$|^4(?:\\d\\d\\d)?([ -]?)\\d{4}(?:\\2\\d{4}){2}$|^6011([ -]?)\\d{4}(?:\\3\\d{4}){2}$|^5[1-5]\\d\\d([ -]?)\\d{4}(?:\\4\\d{4}){2}$|^2014\\d{11}$|^2149\\d{11}$|^2131\\d{11}$|^1800\\d{11}$|^3\\d{15}$"
      set description "For credit card numbers from MC, Visa, Amex, Diners/CarteBlanche, Discover/Novus, Enroute, and JCB. Matches 341-1111-1111-1111 | 5431-1111-1111-1111 | 30569309025904 Non-Matches 30-5693-0902-5904 | 5631-1111-1111-1111 | 31169309025904."
    next
  end

Use it in a data-leak-prevention profile:

  config security waf data-leak-prevention
    edit "dlp"
      set status enable                              -> default is disable
      set action alert                               -> default is alert: the request passes, with a security log if the target data is hit
      config rule
        edit 1
          set request-uri-pattern /                  -> default is none, which means the content is not scanned
          set sensitive-data-type Credit_Card_Number -> the sensitive-data-type created above
        next
      end
    next
  end

Configure the WAF profile:

  config security waf profile
    edit "WAF"
      set data-leak-prevention dlp
    next
  end
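The following added example (not FortiADC code) checks the Credit_Card_Number regex from the CLI example against the match and non-match samples given in its description, and models the documented rule semantics (URI pattern, threshold, masking, action) so the behaviour can be reasoned about before deploying a profile. It assumes the doubled backslashes in the CLI string are quoting for single regex backslashes, and it locates candidates by splitting the response body on whitespace, which is a simplification of whatever FortiADC's engine does.

```python
"""Validate the page's Credit_Card_Number regex and model DLP rule semantics.
Added example; it is not FortiADC code and does not reproduce its engine."""
import re
from dataclasses import dataclass

# Regex exactly as written in the CLI example; the doubled backslashes are
# assumed to be CLI quoting of a single regex backslash.
CLI_REGEX = (
    r"^3(?:[47]\\d([ -]?)\\d{4}(?:\\1\\d{4}){2}|0[0-5]\\d{11}|[68]\\d{12})$"
    r"|^4(?:\\d\\d\\d)?([ -]?)\\d{4}(?:\\2\\d{4}){2}$"
    r"|^6011([ -]?)\\d{4}(?:\\3\\d{4}){2}$"
    r"|^5[1-5]\\d\\d([ -]?)\\d{4}(?:\\4\\d{4}){2}$"
    r"|^2014\\d{11}$|^2149\\d{11}$|^2131\\d{11}$|^1800\\d{11}$|^3\\d{15}$"
)
CARD_RE = re.compile(CLI_REGEX.replace("\\\\", "\\"))


def is_card_number(token: str) -> bool:
    """True when a whole token matches the page's regex (it is ^...$ anchored)."""
    return CARD_RE.fullmatch(token) is not None


@dataclass
class DlpRule:
    uri_pattern: str        # empty pattern disables the rule (see note above)
    threshold: int = 1      # range 1-10000, default 1
    masking: bool = False   # default disable; only effective with action alert
    action: str = "alert"   # alert | deny | block | silent-deny


def apply_dlp(rule: DlpRule, uri: str, body: str):
    """Simplified model: returns (verdict, body). Candidates are whitespace
    tokens, an assumption about how matches are located in a response."""
    if not rule.uri_pattern or not re.search(rule.uri_pattern, uri):
        return "pass", body
    hits = [t for t in body.split() if is_card_number(t)]
    if not hits:
        return "pass", body
    if rule.masking and rule.action == "alert":
        # Masking replaces every hit regardless of threshold.
        for hit in set(hits):
            body = body.replace(hit, "*" * len(hit))
        return "alert", body
    if len(hits) < rule.threshold:
        return "pass", body     # below threshold: rule does not fire
    return rule.action, body
```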
