Fortinet white logo
Fortinet white logo

Administration Guide

Advanced DLP configurations

Advanced DLP configurations

The following topic provides information on advanced DLP configurations.

DLP data type

This configuration includes pre-defined data types to match for keyword, regex, hex, credit card, and social security number (SSN). Custom data types can be added.

config dlp data-type
    edit "keyword"
        set pattern "built-in"
    next
    edit "regex"
        set pattern "built-in"
    next
    edit "hex"
        set pattern "built-in"
    next
    edit "mip-label"
        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
        set transform "built-in"
    next
    edit "credit-card"
        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
        set verify "built-in"
        set look-back 20
        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
    next
    edit "ssn-us"
        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
        set look-back 12
        set transform "\\b\\1-\\2-\\3\\b"
    next
end
To add a custom DLP data type:
config dlp data-type
    edit <name>
        set pattern <string>
        set verify <string>
        set transform <string>
    next
end

pattern <string>

Enter a regular expression pattern string without a look around.

verify <string>

Enter a regular expression pattern string used to verify the data type.

transform <string>

Enter the template to transform user input to a pattern using the capture group from pattern.

Note

To use "?" in a regex pattern, see CLI basics. This method only supports direct console connection and SSH. It does not support the CLI console in the GUI.

Built-in DLP data types and EDM

Exact data matching (EDM) can be used with built-in data types to match credit card, keyword, mip label, and social security number (SSN) data.

An EDM template maps individual columns of data from a file in CSV format on an external server to built-in data types. Each indexed column in the external file represents data for a built-in data type.

To add an external data file to FortiGate:
config system external-resource
    edit <name>
        set type data
        set resource <URL of the external resource>
        set refresh-rate <integer>       
    next
end
To use the external file in an EDM template:
config dlp exact-data-match
    edit <name>
        config columns
            edit <index>
                set type <string>
                set optional {enable | disable}
            next
        end
        set data <string>
        set optional <integer>
    next
end

config dlp exact-data-match

Configure an exact data-match template for use with DLP scans.

edit <name>

Specify the name of the table containing the exact data-match template.

config columns

Configure what columns from the external resource file, such as a data threat feed file, to use when matching data.

Each column in the external resource file contains data for a supported DLP data types.

edit <index>

Specify the index number for the column.

set type <string>

Specify the name of the DLP data type. The following data types are supported:

  • credit-card

  • edm-keyword

  • mip-label

  • ssn-us

set optional {enable | disable}

Enable optional matching for the data type.

  • enable: enable the data type for optional matching.

  • disable: disable the data type for optional matching.

Use the set optional option to specify how many of the optional data types to match.

set data <string>

Specify the name of the EDM external resource file to use for the exact data-match template.

The file must be added to FortiGate using the config system external-resource file.

set optional <integer>

Specify how many of the optional data types to match.

DLP file pattern

A DLP file pattern can block, allow, log, or quarantine a file based on the specified file type in the file filter list (see Supported file types).

To configure a DLP file pattern:
config dlp filepattern
    edit <id>
        set name <name>
        config entries
            edit <name>
                set filter-type {type | pattern}
                set file-type <file_type>
            next
        end
    next
end

Evaluation by Logical relationship

Evaluation by Logical relationship is a powerful tool used to combine multiple dictionary entries to define an accurate DLP sensor using logical expression.

Syntax example:

  1. set eval "dict(1) == 2"

    Match DLP sensor only when dictionary one match count is two.

  2. set eval "(dict(1) + dict(2)) == 3"

    Match DLP sensor only when dictionary one and dictionary two combined match count is three.

  3. set eval "(dict(1) == 2) && (dict(2) == 1)"

    Match DLP sensor only when dictionary one match count is equal to two and dictionary two match count is equal to one.

  4. set eval "(dict(1) == 2) || (dict(2) == 1)"

    Match DLP sensor only when dictionary one match count is equal to two or dictionary two match count is equal to one.

  5. set eval "dict(1) > dict(2)"

    Match DLP sensor only when dictionary one match count is greater than dictionary two match count.

See Example 4: Block HTTPS upload traffic that includes Visa or Mastercard information using evaluation via logical expression.

Key word search

Key word search allow for both the proximity keyword check and data validation check within the same data type. This enables a data type to simultaneously support two verification checks and one proximity match check, which significantly lowers the occurrence of false positives, boosting the precision and dependability of the search.

The following parameters in bold support this feature:

config dlp data-type
    edit <name>
        set look-ahead <integer>
        set look-back <integer>
        set match-ahead <integer>
        set match-around <string>
        set match-back <integer>
        set pattern <string>
        set verify <string>
        set verify2 <string>
    next
end

config dlp data-type

Configure predefined data type used by DLP scans.

edit <name>

Specify the name of the table containing the data type.

set verify2 <string>

Specify the extra regular expression pattern string used to verify the data type.

set match-back <integer>

Specify the number of characters in front for match-around (1 to 4096, default = 1).

set match-ahead <integer>

Specify the number of characters behind for match-around (1 to 4096, default = 1).

Advanced DLP configurations

Advanced DLP configurations

The following topic provides information on advanced DLP configurations.

DLP data type

This configuration includes pre-defined data types to match for keyword, regex, hex, credit card, and social security number (SSN). Custom data types can be added.

config dlp data-type
    edit "keyword"
        set pattern "built-in"
    next
    edit "regex"
        set pattern "built-in"
    next
    edit "hex"
        set pattern "built-in"
    next
    edit "mip-label"
        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
        set transform "built-in"
    next
    edit "credit-card"
        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
        set verify "built-in"
        set look-back 20
        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
    next
    edit "ssn-us"
        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
        set look-back 12
        set transform "\\b\\1-\\2-\\3\\b"
    next
end
To add a custom DLP data type:
config dlp data-type
    edit <name>
        set pattern <string>
        set verify <string>
        set transform <string>
    next
end

pattern <string>

Enter a regular expression pattern string without a look around.

verify <string>

Enter a regular expression pattern string used to verify the data type.

transform <string>

Enter the template to transform user input to a pattern using the capture group from pattern.

Note

To use "?" in a regex pattern, see CLI basics. This method only supports direct console connection and SSH. It does not support the CLI console in the GUI.

Built-in DLP data types and EDM

Exact data matching (EDM) can be used with built-in data types to match credit card, keyword, mip label, and social security number (SSN) data.

An EDM template maps individual columns of data from a file in CSV format on an external server to built-in data types. Each indexed column in the external file represents data for a built-in data type.

To add an external data file to FortiGate:
config system external-resource
    edit <name>
        set type data
        set resource <URL of the external resource>
        set refresh-rate <integer>       
    next
end
To use the external file in an EDM template:
config dlp exact-data-match
    edit <name>
        config columns
            edit <index>
                set type <string>
                set optional {enable | disable}
            next
        end
        set data <string>
        set optional <integer>
    next
end

config dlp exact-data-match

Configure an exact data-match template for use with DLP scans.

edit <name>

Specify the name of the table containing the exact data-match template.

config columns

Configure what columns from the external resource file, such as a data threat feed file, to use when matching data.

Each column in the external resource file contains data for a supported DLP data types.

edit <index>

Specify the index number for the column.

set type <string>

Specify the name of the DLP data type. The following data types are supported:

  • credit-card

  • edm-keyword

  • mip-label

  • ssn-us

set optional {enable | disable}

Enable optional matching for the data type.

  • enable: enable the data type for optional matching.

  • disable: disable the data type for optional matching.

Use the set optional option to specify how many of the optional data types to match.

set data <string>

Specify the name of the EDM external resource file to use for the exact data-match template.

The file must be added to FortiGate using the config system external-resource file.

set optional <integer>

Specify how many of the optional data types to match.

DLP file pattern

A DLP file pattern can block, allow, log, or quarantine a file based on the specified file type in the file filter list (see Supported file types).

To configure a DLP file pattern:
config dlp filepattern
    edit <id>
        set name <name>
        config entries
            edit <name>
                set filter-type {type | pattern}
                set file-type <file_type>
            next
        end
    next
end

Evaluation by Logical relationship

Evaluation by Logical relationship is a powerful tool used to combine multiple dictionary entries to define an accurate DLP sensor using logical expression.

Syntax example:

  1. set eval "dict(1) == 2"

    Match DLP sensor only when dictionary one match count is two.

  2. set eval "(dict(1) + dict(2)) == 3"

    Match DLP sensor only when dictionary one and dictionary two combined match count is three.

  3. set eval "(dict(1) == 2) && (dict(2) == 1)"

    Match DLP sensor only when dictionary one match count is equal to two and dictionary two match count is equal to one.

  4. set eval "(dict(1) == 2) || (dict(2) == 1)"

    Match DLP sensor only when dictionary one match count is equal to two or dictionary two match count is equal to one.

  5. set eval "dict(1) > dict(2)"

    Match DLP sensor only when dictionary one match count is greater than dictionary two match count.

See Example 4: Block HTTPS upload traffic that includes Visa or Mastercard information using evaluation via logical expression.

Key word search

Key word search allow for both the proximity keyword check and data validation check within the same data type. This enables a data type to simultaneously support two verification checks and one proximity match check, which significantly lowers the occurrence of false positives, boosting the precision and dependability of the search.

The following parameters in bold support this feature:

config dlp data-type
    edit <name>
        set look-ahead <integer>
        set look-back <integer>
        set match-ahead <integer>
        set match-around <string>
        set match-back <integer>
        set pattern <string>
        set verify <string>
        set verify2 <string>
    next
end

config dlp data-type

Configure predefined data type used by DLP scans.

edit <name>

Specify the name of the table containing the data type.

set verify2 <string>

Specify the extra regular expression pattern string used to verify the data type.

set match-back <integer>

Specify the number of characters in front for match-around (1 to 4096, default = 1).

set match-ahead <integer>

Specify the number of characters behind for match-around (1 to 4096, default = 1).