Fortinet white logo
Fortinet white logo

Administration Guide

Advanced DLP configurations

Advanced DLP configurations

The following topic provides information on advanced DLP configurations.

Built-in DLP data type

Built-in DLP data type includes pre-defined data types to match for keyword, regex, hex, mip label, credit card, and social security number (SSN). See Predefined data patterns for more information. The built-in DLP data type regex employs DCM to detect patterns. See Described Content Matching (DCM) for more information.

config dlp data-type
    edit "keyword"
        set pattern "built-in"
    next
    edit "regex"
        set pattern "built-in"
    next
    edit "hex"
        set pattern "built-in"
    next
    edit "mip-label"
        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
        set transform "built-in"
    next
    edit "credit-card"
        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
        set verify "built-in"
        set look-back 20
        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
    next
    edit "ssn-us"
        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
        set look-back 12
        set transform "\\b\\1-\\2-\\3\\b"
    next
end

Custom DLP data type

Custom data types can be added. See Custom data classification tags (data pattern) for more information.

To add a custom DLP data type:
config dlp data-type
    edit <name>
        set pattern <string>
        set verify <string>
        set transform <string>
    next
end

pattern <string>

Enter a regular expression pattern string without a look around.

verify <string>

Enter a regular expression pattern string used to verify the data type.

transform <string>

Enter the template to transform user input to a pattern using the capture group from pattern.

Note

To use "?" in a regex pattern, see CLI basics. This method only supports direct console connection and SSH. It does not support the CLI console in the GUI.

DLP file pattern

A DLP file pattern can block, allow, log, or quarantine a file based on the specified file type in the file filter list (see Supported file types). It employs True file type filtering to identify a file. See True file type filtering for more information.

To configure a DLP file pattern:
config dlp filepattern
    edit <id>
        set name <name>
        config entries
            edit <name>
                set filter-type {type | pattern}
                set file-type <file_type>
            next
        end
    next
end

Evaluation by Logical relationship

Evaluation by Logical relationship is a powerful tool used to combine multiple dictionary entries to define an accurate DLP sensor using logical expression.

Syntax example:

  1. set eval "dict(1) == 2"

    Match DLP sensor only when dictionary one match count is two.

  2. set eval "(dict(1) + dict(2)) == 3"

    Match DLP sensor only when dictionary one and dictionary two combined match count is three.

  3. set eval "(dict(1) == 2) && (dict(2) == 1)"

    Match DLP sensor only when dictionary one match count is equal to two and dictionary two match count is equal to one.

  4. set eval "(dict(1) == 2) || (dict(2) == 1)"

    Match DLP sensor only when dictionary one match count is equal to two or dictionary two match count is equal to one.

  5. set eval "dict(1) > dict(2)"

    Match DLP sensor only when dictionary one match count is greater than dictionary two match count.

See Block HTTPS upload traffic that includes Visa or Mastercard information using evaluation through logical expression.

Advanced DLP configurations

Advanced DLP configurations

The following topic provides information on advanced DLP configurations.

Built-in DLP data type

Built-in DLP data type includes pre-defined data types to match for keyword, regex, hex, mip label, credit card, and social security number (SSN). See Predefined data patterns for more information. The built-in DLP data type regex employs DCM to detect patterns. See Described Content Matching (DCM) for more information.

config dlp data-type
    edit "keyword"
        set pattern "built-in"
    next
    edit "regex"
        set pattern "built-in"
    next
    edit "hex"
        set pattern "built-in"
    next
    edit "mip-label"
        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
        set transform "built-in"
    next
    edit "credit-card"
        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
        set verify "built-in"
        set look-back 20
        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
    next
    edit "ssn-us"
        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
        set look-back 12
        set transform "\\b\\1-\\2-\\3\\b"
    next
end

Custom DLP data type

Custom data types can be added. See Custom data classification tags (data pattern) for more information.

To add a custom DLP data type:
config dlp data-type
    edit <name>
        set pattern <string>
        set verify <string>
        set transform <string>
    next
end

pattern <string>

Enter a regular expression pattern string without a look around.

verify <string>

Enter a regular expression pattern string used to verify the data type.

transform <string>

Enter the template to transform user input to a pattern using the capture group from pattern.

Note

To use "?" in a regex pattern, see CLI basics. This method only supports direct console connection and SSH. It does not support the CLI console in the GUI.

DLP file pattern

A DLP file pattern can block, allow, log, or quarantine a file based on the specified file type in the file filter list (see Supported file types). It employs True file type filtering to identify a file. See True file type filtering for more information.

To configure a DLP file pattern:
config dlp filepattern
    edit <id>
        set name <name>
        config entries
            edit <name>
                set filter-type {type | pattern}
                set file-type <file_type>
            next
        end
    next
end

Evaluation by Logical relationship

Evaluation by Logical relationship is a powerful tool used to combine multiple dictionary entries to define an accurate DLP sensor using logical expression.

Syntax example:

  1. set eval "dict(1) == 2"

    Match DLP sensor only when dictionary one match count is two.

  2. set eval "(dict(1) + dict(2)) == 3"

    Match DLP sensor only when dictionary one and dictionary two combined match count is three.

  3. set eval "(dict(1) == 2) && (dict(2) == 1)"

    Match DLP sensor only when dictionary one match count is equal to two and dictionary two match count is equal to one.

  4. set eval "(dict(1) == 2) || (dict(2) == 1)"

    Match DLP sensor only when dictionary one match count is equal to two or dictionary two match count is equal to one.

  5. set eval "dict(1) > dict(2)"

    Match DLP sensor only when dictionary one match count is greater than dictionary two match count.

See Block HTTPS upload traffic that includes Visa or Mastercard information using evaluation through logical expression.