Exact data matching
Exact Data Matching (EDM) identifies particular data values within an indexed data source that require safeguarding. It offers precise detection and handling of sensitive data based on user-defined criteria, which strengthens security and improves efficiency by reducing false-positive detections.
Administrators can define a dataset in a CSV or TXT file on a server, upload the file directly to the FortiGate, or point the FortiGate to the external resource. See EDM template for more information.
CSV file example:
Jason,Valentino,120 Jefferson St.,Riverside,CA,92504
Marry,Baxter,415 W Willow Grove Ave,Philadelphia,PA,19118
David,Solace,555 Pierce Street APT #123,Albany,CA,94706
Thomas,Jefferson,1600 Pennsylvania Avenue NW,Washington,DC,20500
TXT file example:
213321,john,doe
201111,karen,smith
322122,rick,wong
A CSV or TXT file can have a maximum of 32 columns. Each indexed column in the external file represents data (or patterns) for a built-in data type that you want to match using an EDM template.
EDM template
The EDM template specifies the URL of the data threat feed file, or the file is uploaded directly to the FortiGate. Once the data is imported, the EDM template maps individual columns of data (or patterns) from the file to built-in data types in order to match credit card, keyword, MIP label, social insurance number (SIN), and social security number (SSN) data. When data passing through the FortiGate matches the EDM template, the FortiGate responds according to the preset rules.
A CSV or TXT file can be uploaded directly to the FortiGate using the File Upload option. This option is only available in the GUI, and only if the FortiGate unit is equipped with a hard disk; without a hard disk, the File Upload option is grayed out. See Feature Platform Matrix. Note that a CSV or TXT file uploaded with the File Upload option is not dynamically synchronized or periodically updated, so changes made to the file are not imported by FortiOS. Users must manually upload the file again on the FortiGate using the Update file option. This option is located under Resource Type and is only visible if the file was previously uploaded via the File Upload option.
The sequence of steps for configuring EDM is consistent with other DLP configurations. See Basic DLP settings for more information.
Data threat feed
A data threat feed is a dynamic list of patterns for DLP data types. The list is stored in a text (TXT) or comma-separated value (CSV) file on an external server and is periodically updated. Once the FortiGate can access the file, its patterns can be used in an EDM template.
config system external-resource
    edit <name>
        set type data
        set resource <string>
        set refresh-rate <integer>
    next
end
set type {category | domain | malware | address | mac-address | data}
    Specify the type of external resource. For a data threat feed, set the type to data.
set resource <string>
    Specify the URL of the external resource.
set refresh-rate <integer>
    Time interval to refresh the external resource (minutes).
The size of the Data Threat Feed file varies depending on the device model. The maximum file size for each model is as follows:
- 128 MB for High-End (Data Center) models
- 64 MB for Mid-Range (Campus) models
- 32 MB for Entry-Level (Branch) models
Example
This configuration blocks HTTPS upload traffic that matches the DLP profile.
When inspecting commonly used SSL-encrypted protocols such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Deep inspection for more information. Additionally, the client machine must have the corresponding deep inspection Certificate Authority (CA) certificate installed.
In this example, an EDM template named Customer SSN EDM is created on the FortiGate. During this process, a CSV file (customer_data.csv) located on an external server is imported using a data threat feed.
Sample CSV file:
SSN | Last Name | First Name | Address | City | State | ZIP | Phone | Email | CCN
---|---|---|---|---|---|---|---|---|---
172-32-1176 | Doe | John | 10932 Big Rd | Malibu | CA | 94025 | 408-497-7223 | jdoe@domain.com | 5270-4267-6450-5516
514-14-8905 | Bard | Ashley | 4469 Sher St | Golf | KS | 66428 | 785-939-6046 | abard@domain.com | 5370-4638-8881-302
In this example, the EDM template specifies:
- Column index 1 in the external data threat feed file contains patterns for the ssn-us data type.
- Column indexes 3 and 9 contain patterns for the edm-keyword data type.
- The pattern from column index 1 must match for FortiGate to take an action.
- The pattern from either column index 3 or 9 must match for FortiGate to take an action.
Based on this template, the DLP profile matches any traffic containing data that corresponds to the SSN in column 1 together with either the First Name in column 3 or the Email in column 9. For instance, if HTTPS upload traffic sent from a personal computer contains '172-32-1176' AND 'John', or '172-32-1176' AND 'jdoe@domain.com', the traffic is blocked and a DLP log is generated. See Sample log for a log sample.
To configure EDM for DLP in the GUI:
- Ensure that Data Loss Prevention is enabled:
  - Go to System > Feature Visibility.
  - Under Security Features, enable Data Loss Prevention, and click Apply.
- Create an EDM template with matching criteria:
  - Go to Security Profiles > Data Loss Prevention > EDM Template, and click Create New.
  - Specify a name for the template, such as Customer SSN EDM.
  - Set Resource type to External feed, and set External feed URL to the location of the file on the external server, such as https://172.16.200.175/customer_data.csv.
  - Click +All of these fields to pair the column index of patterns with a DLP data type. All of the specified data in this section must match for FortiGate to take an action. In this example, column 1 in the external resource file contains the patterns for the ssn-us data type.
  - Click +Any of these fields to pair the column index of patterns with a DLP data type, and to specify how many of these pairs must match for FortiGate to take an action. In this example, columns 3 and 9 in the external resource file contain the patterns for the edm-keyword data type; only one pattern from the two columns must match.
  - Click OK.
  - Edit the DLP EDM template and click View Entries to view the data entries in the field.
    When viewing EDM entries, the GUI currently does not validate the entries and displays all entries as Valid. However, a valid entry must have every value matching the data type of its column. If one value does not match, the entry is invalid and is not used for pattern matching.
- Configure a DLP sensor for the EDM template:
  - In Security Profiles > Data Loss Prevention, click Sensor > Create New.
  - Specify a name for the DLP sensor, such as Sensor SSN EDM.
  - Click Add. The Select Entries pane is displayed.
  - Select Managed Locally from the dropdown menu.
  - From the list, select Customer SSN EDM, and click Apply.
  - Click OK.
- Create a DLP profile and select the DLP sensor for the EDM template:
  - In Security Profiles > Data Loss Prevention, click Profile > Create New.
  - Specify a name for the DLP profile, such as Profile SSN EDM.
  - Click Create New. The New Rule pane is displayed.
  - Specify a name for the rule, such as Rule SSN EDM.
  - Set Data source type to Sensor, and select Sensor SSN EDM.
  - Set Action to Block.
  - Set Match type to Message.
  - Select the HTTP-POST protocol.
  - Click OK. The New DLP Profile pane is displayed.
  - Click OK to save the profile.
- Add the DLP profile to a firewall policy:
  - Go to Policy & Objects > Firewall Policy.
  - Click Create New.
  - Set the Inspection Mode to Proxy-based.
  - In the Security Profiles section, enable DLP Profile and select Profile SSN EDM.
  - Set SSL Inspection to deep-inspection.
  - Configure the other settings as needed.
  - Click OK.
To configure EDM for DLP in the CLI:
- Add the URL for the data threat feed file to FortiGate. In this example, an external resource named customer data EDM is created, and it defines the location of the data threat feed file in CSV format on an external server.
  config system external-resource
      edit "customer data EDM"
          set type data
          set resource "https://172.16.200.175/customer_data.csv"
      next
  end
- Configure the EDM template. In this example, an exact data-match template named Customer SSN EDM is created for the external resource named customer data EDM. The matching record must contain the pattern for the data type from column index 1 (ssn-us) and at least one pattern for the data type from column index 3 (edm-keyword) or 9 (edm-keyword).
  config dlp exact-data-match
      edit "Customer SSN EDM"
          set optional 1
          set data "customer data EDM"
          config columns
              edit 1
                  set type "ssn-us"
              next
              edit 3
                  set type "edm-keyword"
                  set optional enable
              next
              edit 9
                  set type "edm-keyword"
                  set optional enable
              next
          end
      next
  end
- Add the EDM template to a DLP sensor.
  config dlp sensor
      edit "Sensor SSN EDM"
          config entries
              edit 1
                  set dictionary "Customer SSN EDM"
              next
          end
      next
  end
- Configure a DLP profile to use the DLP sensor.
  config dlp profile
      edit "Profile SSN EDM"
          set feature-set proxy
          config rule
              edit 1
                  set name "Rule SSN EDM"
                  set type message
                  set proto http-post
                  set filter-by sensor
                  set sensor "Sensor SSN EDM"
                  set action block
              next
          end
      next
  end
- Add the DLP profile to a firewall policy.
  config firewall policy
      edit 1
          set name "Internet"
          set srcintf "port3"
          set dstintf "port1"
          set action accept
          set srcaddr "all"
          set dstaddr "all"
          set schedule "always"
          set service "ALL"
          set utm-status enable
          set inspection-mode proxy
          set ssl-ssh-profile "deep-inspection"
          set dlp-profile "Profile SSN EDM"
      next
  end
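Because the GUI marks every EDM entry as Valid while FortiGate silently skips rows whose values do not fit their column's data type, it is worth pre-checking a feed file and reasoning about what the template above actually matches. The following Python example is added here and is not FortiOS code: it validates the sample feed against the column mapping, then applies the template's all-of/any-of logic (column 1 required, at least one of columns 3 and 9, as in set optional 1) to sample messages. The SSN format check and the case-insensitive substring matching are simplifying assumptions of this example, not FortiOS's actual matching engine.

```python
import csv
import io
import re

# Per-column validators. The page does not give FortiOS's internal checks, so these are
# assumptions: ssn-us must look like NNN-NN-NNNN, edm-keyword must be non-empty.
VALIDATORS = {
    "ssn-us": lambda v: re.fullmatch(r"\d{3}-\d{2}-\d{4}", v.strip()) is not None,
    "edm-keyword": lambda v: bool(v.strip()),
}

# The page's template: column 1 (ssn-us) is required; columns 3 and 9 (edm-keyword)
# are optional and, as in 'set optional 1', at least one of them must match.
TEMPLATE = {"columns": {1: ("ssn-us", False), 3: ("edm-keyword", True), 9: ("edm-keyword", True)},
            "optional": 1}

# Constructed feed: the two rows from the page plus a third row with a malformed SSN.
FEED_CSV = (
    "172-32-1176,Doe,John,10932 Big Rd,Malibu,CA,94025,408-497-7223,jdoe@domain.com,5270-4267-6450-5516\n"
    "514-14-8905,Bard,Ashley,4469 Sher St,Golf,KS,66428,785-939-6046,abard@domain.com,5370-4638-8881-302\n"
    "ABC-12-3456,Smith,Jane,1 Bad Row Ln,Nowhere,NA,00000,000-000-0000,jsmith@domain.com,0000-0000-0000-0000\n"
)


def load_records(text, template):
    """Keep only rows whose mapped columns validate; the GUI would show all of them as
    Valid, but FortiGate does not use an invalid row. Returns (valid, invalid)."""
    valid, invalid = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ok = len(row) <= 32 and all(
            idx <= len(row) and VALIDATORS[ctype](row[idx - 1])
            for idx, (ctype, _) in template["columns"].items()
        )
        (valid if ok else invalid).append(row)
    return valid, invalid


def message_matches(message, records, template):
    """Return the column-1 value of the first matching record, else None.
    Assumption: a pattern matches when it occurs in the message (case-insensitive
    substring). All required columns must hit; optional hits must reach 'optional'."""
    haystack = message.lower()
    for rec in records:
        hits = {i: rec[i - 1].lower() in haystack for i, _ in template["columns"].items()}
        required_ok = all(hits[i] for i, (_, opt) in template["columns"].items() if not opt)
        optional_hits = sum(hits[i] for i, (_, opt) in template["columns"].items() if opt)
        if required_ok and optional_hits >= template["optional"]:
            return rec[0]
    return None
```

Running load_records over a real feed before uploading it surfaces the rows the GUI would never flag; the matched column-1 value is what you would expect to see explained in the dlpextra field of the resulting log.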
To verify:
- A user attempts to post a sensitive message through HTTPS to dlptest.com, and the message content matches the EDM template.
- FortiGate blocks the user's attempt and displays a replacement message:
- FortiGate generates a DLP log:
1: date=2024-07-31 time=09:24:44 eventtime=1722443083953870602 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="Rule SSN EDM" dlpextra="Sensor 'Sensor SSN EDM' matching any: ('Customer SSN EDM'=1) >= 1; match." filtertype="sensor" filtercat="message" severity="medium" policyid=1 poluuid="1696f98a-3413-51ef-ed16-01791b5b8127" policytype="policy" sessionid=18087 transid=1 epoch=959760595 eventid=1 srcip=13.13.13.13 srcport=62595 srccountry="United States" srcintf="port3" srcintfrole="undefined" srcuuid="93edbd62-33d5-51ef-2497-b193994b4d2e" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="93edbd62-33d5-51ef-2497-b193994b4d2e" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/https-post/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://dlptest.com/https-post/" profile="Profile SSN EDM"