Configuring sensitive data protection
The Data Leak Prevention (DLP) feature lets the Web Application Firewall (WAF) detect sensitive information in the responses a protected website sends and stop it from leaking. It can mask, or raise an alert on, sensitive data such as Social Security numbers and credit card numbers, as well as leaks of sensitive keywords.
- Detects and identifies private and sensitive data in webpage responses and applies a protective action (alert, mask, or block).
- Provides a built-in library of illegal and sensitive keywords.
Before you begin:
- Configure a virtual server with a WAF Profile.
To configure Data Leak Prevention:
- Go to Web Application Firewall > Sensitive Data Protection > Sensitive Data Type.
- Click Create New.
- Complete the configuration:
  Name: Name of the Sensitive Data Type. You will use this name to select the Sensitive Data Type in Data Leak Prevention rules. No spaces.
  Description: Comments about this Sensitive Data Type. Describe what it is used for and what kind of data the regex is meant to match.
  Regex: The regular expression used to match sensitive data. Two pre-defined Sensitive Data Types, Credit_Card_Number and US_Social_Security_Number, are provided.
- Click Save.
- Go to the Data Leak Prevention tab and click Create New.
- Complete the configuration and click Save:
  Name: Name of the Data Leak Prevention profile. You will use this name to select the profile in WAF profiles. No spaces.
  Status: Enable or disable this profile. Default is disable.
  Masking: Enable masking to replace matched sensitive data with asterisks (*). Default is disable.
  Note: When masking is enabled, every matched value is replaced by asterisks, so any threshold setting does not apply. Masking only works when the action is Alert; with Deny or Block the connection is rejected, so no response is delivered in which data could be replaced.
  Action: Select the action profile to apply. See Configuring WAF Action objects. Default is Alert.
  Severity: The severity level recorded in the WAF logs for leaks detected by this profile: High, Medium, or Low.
- Edit the newly created Data Leak Prevention profile. Under Rule, click Create New.
- Complete the rule configuration and click Save:
  Name: Name of the rule. No spaces.
  Request URI pattern (request-uri-pattern in the CLI): Regular expression matched against the request URI; only responses to matching requests are scanned. The default (none) scans nothing, so set it (for example, / to scan every response).
  Sensitive Data Type: Select the Sensitive Data Type created above.
- Click Save in the Data Leak Prevention profile. You have successfully created a Data Leak Prevention profile. A profile can hold up to 256 rules, but detection stops once 8 rules have matched.
Example
Create a sensitive-data-type
config security waf sensitive-data-type
  edit "Credit_Card_Number"
    set regex "^3(?:[47]\\d([ -]?)\\d{4}(?:\\1\\d{4}){2}|0[0-5]\\d{11}|[68]\\d{12})$|^4(?:\\d\\d\\d)?([ -]?)\\d{4}(?:\\2\\d{4}){2}$|^6011([ -]?)\\d{4}(?:\\3\\d{4}){2}$|^5[1-5]\\d\\d([ -]?)\\d{4}(?:\\4\\d{4}){2}$|^2014\\d{11}$|^2149\\d{11}$|^2131\\d{11}$|^1800\\d{11}$|^3\\d{15}$"
    set description "For credit card numbers from MC, Visa, Amex, Diners/CarteBlanche, Discover/Novus, Enroute, and JCB. Matches 341-1111-1111-1111 | 5431-1111-1111-1111 | 30569309025904 Non-Matches 30-5693-0902-5904 | 5631-1111-1111-1111 | 31169309025904."
  next
end
Use it in data-leak-prevention
config security waf data-leak-prevention
  edit "dlp"
    set status enable    -> default disable
    set action alert     -> default alert: the response passes and a security log is written when a rule hits
    config rule
      edit 1
        set request-uri-pattern /                    -> default none: do not scan any response
        set sensitive-data-type Credit_Card_Number   -> the sensitive-data-type created above
      next
    end
  next
end
Configure the waf profile
config security waf profile
  edit "WAF"
    set data-leak-prevention dlp
  next
end
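To check a Sensitive Data Type regex before deploying it, and to see how a rule, the 8-rule detection limit and the Masking option behave on a response, here is an added Python harness. It is the editor's example, not FortiADC code: the Credit_Card_Number regex is taken verbatim from the CLI example above, while the US_Social_Security_Number pattern (the page names the type but does not print its regex), the Rule class, the sample response body and the line-by-line matching are the editor's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The Credit_Card_Number regex from the CLI example above. The CLI string writes
# every backslash twice; Python's raw string needs the single-backslash form.
CREDIT_CARD_NUMBER = (
    r"^3(?:[47]\d([ -]?)\d{4}(?:\1\d{4}){2}|0[0-5]\d{11}|[68]\d{12})$"
    r"|^4(?:\d\d\d)?([ -]?)\d{4}(?:\2\d{4}){2}$"
    r"|^6011([ -]?)\d{4}(?:\3\d{4}){2}$"
    r"|^5[1-5]\d\d([ -]?)\d{4}(?:\4\d{4}){2}$"
    r"|^2014\d{11}$|^2149\d{11}$|^2131\d{11}$|^1800\d{11}$|^3\d{15}$"
)

# ASSUMPTION: the page names US_Social_Security_Number but does not print its
# regex, so this placeholder is the editor's, not the appliance's definition.
US_SOCIAL_SECURITY_NUMBER = r"^\d{3}-\d{2}-\d{4}$"

# Both patterns are anchored with ^ and $, so they only match a value that fills
# a whole line. re.MULTILINE makes the anchors line-based; how the appliance
# itself segments a response body is not stated on the page (assumption).
SENSITIVE_DATA_TYPES = {
    "Credit_Card_Number": re.compile(CREDIT_CARD_NUMBER, re.MULTILINE),
    "US_Social_Security_Number": re.compile(US_SOCIAL_SECURITY_NUMBER, re.MULTILINE),
}

MAX_RULE_HITS = 8  # the page: detection stops after matching as many as 8 rules


def is_sensitive(type_name: str, value: str) -> bool:
    """Does one value match the named type? Use this to check a regex against
    the Matches / Non-Matches samples listed in its description."""
    return SENSITIVE_DATA_TYPES[type_name].fullmatch(value) is not None


@dataclass
class Rule:
    # Regex matched against the request URI. None models the CLI default
    # "none", which means the rule scans nothing.
    request_uri_pattern: Optional[str]
    sensitive_data_type: str


def scan(request_uri: str, body: str, rules: list) -> tuple:
    """Apply a profile's rules to one response.

    Returns (spans, rules_hit): the (start, end) offsets of every sensitive
    value found, and the number of rules that produced a hit. Scanning stops
    once MAX_RULE_HITS rules have matched.
    """
    spans, rules_hit = [], 0
    for rule in rules:
        if rule.request_uri_pattern is None:
            continue  # default "none": this rule does not scan anything
        if not re.search(rule.request_uri_pattern, request_uri):
            continue  # rule does not apply to this request
        pattern = SENSITIVE_DATA_TYPES[rule.sensitive_data_type]
        found = [m.span() for m in pattern.finditer(body)]
        if found:
            spans.extend(found)
            rules_hit += 1
            if rules_hit >= MAX_RULE_HITS:
                break
    return spans, rules_hit


def mask(body: str, spans: list) -> str:
    """What the Masking option does when the action is alert: every matched
    character becomes an asterisk and the response is still delivered."""
    chars = list(body)
    for start, end in spans:
        chars[start:end] = "*" * (end - start)
    return "".join(chars)


# Constructed sample response body (not captured from a real site).
SAMPLE_BODY = (
    "Order 1042 confirmation\n"
    "5431-1111-1111-1111\n"
    "Billing contact 555-0100\n"
    "Card on file: 4111 1111 1111 1111\n"
)

# Equivalent of the "dlp" profile above: one rule, request-uri-pattern "/".
PROFILE_RULES = [Rule(request_uri_pattern="/", sensitive_data_type="Credit_Card_Number")]

if __name__ == "__main__":
    spans, hit = scan("/account/orders", SAMPLE_BODY, PROFILE_RULES)
    print(hit, "rule(s) hit at", spans)
    print(mask(SAMPLE_BODY, spans))
```

Running it shows the practical caveat: the page's regex is anchored, so the card number on its own line is found and masked, while the one embedded in "Card on file: ..." is not. Test candidate regexes against real fragments of the protected application's responses, and confirm on the appliance how it segments response bodies, before relying on a Sensitive Data Type in production.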