
Administration Guide

Exact data matching

Exact Data Matching (EDM) identifies particular data values within an indexed data source that require safeguarding. It offers precise detection and handling of sensitive data based on user-defined criteria. This enhances security and improves efficiency by reducing false-positive detections.

Administrators can define a dataset in a CSV or TXT file on a server, upload the file directly to the FortiGate, or point the FortiGate to the external resource. See EDM template for more information.

CSV file example (one record per line, with the columns first name, last name, address, city, state, and ZIP):

Jason,Valentino,120 Jefferson St.,Riverside,CA,92504
Marry,Baxter,415 W Willow Grove Ave,Philadelphia,PA,19118
David,Solace,555 Pierce Street APT #123,Albany,CA,94706
Thomas,Jefferson,1600 Pennsylvania Avenue NW,Washington,DC,20500

TXT file example:

213321,john,doe
201111,karen,smith
322122,rick,wong

A CSV or TXT file can have a maximum of 32 columns. Each indexed column in the external file represents data (or patterns) for a built-in data type that you want to match using an EDM template.

EDM template

The EDM template is used to specify the URL location of the data threat feed file or to upload the file directly to the FortiGate. Once the data is imported, the EDM template maps individual columns of data (or patterns) from the file to built-in data types in order to match credit card, keyword, MIP label, social insurance number (SIN), and social security number (SSN) data. When data passing through the FortiGate matches the EDM template, the FortiGate responds according to the preset rules.

Note

A CSV or TXT file can be uploaded directly to FortiGate using the File Upload option. However, this option is exclusively available through the GUI. It's important to note that file upload is only possible if your FortiGate unit is equipped with a hard disk. In the absence of a hard disk, the File Upload option will be grayed out. See Feature Platform Matrix.

Please note that if the CSV or TXT file is uploaded using the File Upload option, it will not be dynamically synchronized nor periodically updated. This means that any changes made to the file will not be imported by FortiOS. Therefore, users are required to manually update the file again on the FortiGate using the Update file option. This option is located under Resource Type and is only visible if the file was previously uploaded via the File Upload option.

The sequence of steps for configuring EDM is consistent with other DLP configurations. See Basic DLP settings for more information.

Data threat feed

A data threat feed is a dynamic list that contains data. The data consists of patterns for DLP data types. The dynamic list is stored in a text (TXT) or comma-separated value (CSV) file on an external server and is periodically updated. Once the FortiGate can access the file, the patterns can be used with an EDM template.

config system external-resource
    edit <name>
        set type data
        set resource <string>
        set refresh-rate <integer>       
    next
end

set type {category | domain | malware | address | mac-address | data}

Specify the type of user resource.

  • data: Specify a data file as the user source.

set resource <string>

Specify the URL of the external resource.

set refresh-rate <integer>

Time interval to refresh the external resource (minutes).

The size of the Data Threat Feed file varies depending on the device model. The maximum file size limit for each model is as follows:

  • 128 MB for High-End (Data Center) models

  • 64 MB for Mid-Range (Campus) models

  • 32 MB for Entry-Level (Branch) models.

Example

This configuration will block HTTPS upload traffic that matches the DLP profile.

Note

When utilizing commonly-used SSL-encrypted protocols such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Deep inspection for more information.

Additionally, the client machine must have the corresponding deep inspection Certificate Authority (CA) certificate installed.

In this example, an EDM template named Customer SSN EDM is created on the FortiGate. During this process, a CSV file (customer_data.csv) located on an external server is imported using the data threat feed.

Sample CSV file (columns, in order: SSN, Last Name, First Name, Address, City, State, ZIP, Phone, Email, CCN):

172-32-1176,Doe,John,10932 Big Rd,Malibu,CA,94025,408-497-7223,jdoe@domain.com,5270-4267-6450-5516
514-14-8905,Bard,Ashley,4469 Sher St,Golf,KS,66428,785-939-6046,abard@domain.com,5370-4638-8881-302

In this example, the EDM template specifies:

  • Column index 1 in the external data threat feed file contains patterns for the ssn-us data type.

  • Column indexes 3 and 9 contain patterns for the edm-keyword data type.

  • The patterns from column index 1 must match for FortiGate to take an action.

  • The pattern from either column index 3 or 9 must match for FortiGate to take an action.

Based on the aforementioned template, the DLP profile will match any traffic containing data that corresponds to the SSN in column 1 together with either the First Name in column 3 or the Email in column 9. For instance, if the HTTPS upload traffic sent from a personal computer contains '172-32-1176' AND 'John', or '172-32-1176' AND 'jdoe@domain.com', the traffic will be blocked and a DLP log is generated. See Sample log for a log sample.

To configure EDM for DLP in the GUI:
  1. Ensure that Data Loss Prevention is enabled.

    1. Go to System > Feature Visibility.

    2. Under Security Features, enable Data Loss Prevention, and click Apply.

  2. Create an EDM template with matching criteria:

    1. Go to Security Profiles > Data Loss Prevention > EDM Template, and click Create New.

    2. Specify a name for the template, such as Customer SSN EDM.

    3. Set Resource type to External feed, and set External feed URL to the location of the file on the external server, such as https://172.16.200.175/customer_data.csv.

    4. Click +All of these fields to pair the column index of patterns with a DLP data type. All of the specified data in this section must match for FortiGate to take an action.

      In this example, column 1 in the external resource file contains the patterns for the ssn-us data type.

    5. Click +Any of these fields to pair the column index of patterns with a DLP data type, and to specify how many of these pairs must match for FortiGate to take an action.

      In this example, columns 3 and 9 in the external resource file contain the patterns for the edm-keyword data type. Only one pattern from the two columns must match.

    6. Click OK.

    7. Edit the DLP EDM template and click View Entries to view the data entries in the field.

      Note

      When viewing EDM entries, the GUI currently does not validate the entries and displays all entries as Valid. However, a Valid entry must have all values matching the data-type of the specific column. If one value does not match, the entry is invalid and will not be used for pattern matching.

  3. Configure a DLP sensor for the EDM template.
    1. In Security Profiles > Data Loss Prevention, click Sensor > Create New.

    2. Specify a name for the DLP sensor, such as Sensor SSN EDM.

    3. Click Add. The Select Entries pane is displayed.

    4. Select Managed Locally from the dropdown menu.

    5. From the list, select Customer SSN EDM, and click Apply.

    6. Click OK.
  4. Create a DLP profile and select the DLP sensor for the EDM template.
    1. In Security Profiles > Data Loss Prevention, click Profile > Create New.

    2. Specify a name for the DLP profile, such as Profile SSN EDM.

    3. Click Create New. The New Rule pane is displayed.

    4. Specify a name for the rule, such as Rule SSN EDM.

    5. Set Data source type to Sensor, and select Sensor SSN EDM.

    6. Set Action to Block.

    7. Set Match type to Message.

    8. Select HTTP-POST protocol.

    9. Click OK. The New DLP Profile pane is displayed.
    10. Click OK to save the profile.
  5. Add the DLP profile to a firewall policy:
    1. Go to Policy & Objects > Firewall Policy.
    2. Click Create New.
    3. Set the Inspection Mode to Proxy-based.
    4. In the Security Profiles section, enable DLP Profile and select Profile SSN EDM.
    5. Set SSL Inspection to deep-inspection.
    6. Configure the other settings as needed.
    7. Click OK.
To configure EDM for DLP in the CLI:
  1. Add the URL for the data threat feed file to FortiGate.

    In this example, an external resource named customer data EDM is created, and it defines the location of the data threat feed file in CSV format on an external server.

    config system external-resource
        edit "customer data EDM"
            set type data
            set resource "https://172.16.200.175/customer_data.csv"
        next
    end
  2. Configure the EDM template.

    In this example, an exact data-match template named Customer SSN EDM is created for the external resource named customer data EDM. The matching record must contain the pattern for the data type from column index 1 (ssn-us) and at least one pattern for the data type from column index 3 (edm-keyword) or 9 (edm-keyword).

    config dlp exact-data-match
        edit "Customer SSN EDM"
            set optional 1
            set data "customer data EDM"
            config columns
                edit 1
                    set type "ssn-us"
                next
                edit 3
                    set type "edm-keyword"
                    set optional enable
                next
                edit 9
                    set type "edm-keyword" 
                    set optional enable 
                next
            end
        next
    end
  3. Add the EDM template to a DLP sensor.

    config dlp sensor
        edit "Sensor SSN EDM"
            config entries
                edit 1
                    set dictionary "Customer SSN EDM"
                next
            end
        next
    end
  4. Configure a DLP profile to use the DLP sensor.

    config dlp profile
        edit "Profile SSN EDM"
            set feature-set proxy
            config rule
                edit 1
                    set name "Rule SSN EDM"
                    set type message
                    set proto http-post
                    set filter-by sensor
                    set sensor "Sensor SSN EDM"
                    set action block
                next
            end
        next
    end
  5. Add the DLP profile to a firewall policy.

    config firewall policy
        edit 1
            set name "Internet"
            set srcintf "port3"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set dlp-profile "Profile SSN EDM"
        next
    end
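The matching rule behind the template above (every required column must match, plus at least `set optional 1` of the optional columns, and an entry whose values do not fit their column data types is skipped), as an added Python simulation that is not FortiOS code. The dataset is a constructed copy of the sample customer_data.csv with a header row added to show an invalid entry; the ssn-us and edm-keyword validators and the substring matching are assumptions, not the documented FortiOS implementation.

```python
import csv
import io
import re

# Constructed dataset: the two sample records from customer_data.csv plus a
# header row, which is an invalid entry (its column 1 is not an ssn-us value).
CUSTOMER_CSV = """SSN,Last Name,First Name,Address,City,State,ZIP,Phone,Email,CCN
172-32-1176,Doe,John,10932 Big Rd,Malibu,CA,94025,408-497-7223,jdoe@domain.com,5270-4267-6450-5516
514-14-8905,Bard,Ashley,4469 Sher St,Golf,KS,66428,785-939-6046,abard@domain.com,5370-4638-8881-302
"""

# Assumed validators for the two data types the template uses.
DATA_TYPES = {
    "ssn-us": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "edm-keyword": re.compile(r"^\S+$"),
}

# Mirrors the CLI template: 1-based column indexes as in "edit 1 / edit 3 /
# edit 9"; "optional" is how many optional columns must match (set optional 1).
TEMPLATE = {
    "optional": 1,
    "columns": {
        1: {"type": "ssn-us", "optional": False},
        3: {"type": "edm-keyword", "optional": True},
        9: {"type": "edm-keyword", "optional": True},
    },
}


def load_entries(csv_text, template):
    """Return (valid_entries, invalid_rows).

    An entry is valid only if every indexed column's value matches that
    column's data type; otherwise it is never used for pattern matching.
    """
    valid, invalid = [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        entry, ok = {}, True
        for index, col in template["columns"].items():
            value = row[index - 1] if index - 1 < len(row) else ""
            if not DATA_TYPES[col["type"]].match(value):
                ok = False
                break
            entry[index] = value
        if ok:
            valid.append(entry)
        else:
            invalid.append(row)
    return valid, invalid


def entry_matches(entry, message, template):
    """All required columns must appear in the message (substring match,
    an assumption), plus at least template['optional'] optional columns."""
    cols = template["columns"]
    required = [i for i, c in cols.items() if not c["optional"]]
    optional = [i for i, c in cols.items() if c["optional"]]
    if not all(entry[i] in message for i in required):
        return False
    hits = sum(1 for i in optional if entry[i] in message)
    return hits >= template["optional"]


def dlp_verdict(message, csv_text=CUSTOMER_CSV, template=TEMPLATE):
    """'block' if any valid entry matches the message, otherwise 'pass'."""
    entries, _ = load_entries(csv_text, template)
    hit = any(entry_matches(e, message, template) for e in entries)
    return "block" if hit else "pass"
```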
To verify:
  1. A user attempts to post a sensitive message through HTTPS to dlptest.com, and the message content matches the EDM template.

  2. FortiGate blocks the user's attempt and displays a replacement message:

  3. FortiGate generates a DLP log:

    1: date=2024-07-31 time=09:24:44 eventtime=1722443083953870602 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="Rule SSN EDM" dlpextra="Sensor 'Sensor SSN EDM' matching any: ('Customer SSN EDM'=1) >= 1; match." filtertype="sensor" filtercat="message" severity="medium" policyid=1 poluuid="1696f98a-3413-51ef-ed16-01791b5b8127" policytype="policy" sessionid=18087 transid=1 epoch=959760595 eventid=1 srcip=13.13.13.13 srcport=62595 srccountry="United States" srcintf="port3" srcintfrole="undefined" srcuuid="93edbd62-33d5-51ef-2497-b193994b4d2e" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="93edbd62-33d5-51ef-2497-b193994b4d2e" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/https-post/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://dlptest.com/https-post/" profile="Profile SSN EDM"
