DLP examples

This topic includes examples that incorporate several DLP settings:

• Example 1: Block HTTPS upload traffic that includes credit card information

• Example 2: Block HTTPS downloads of EXE files and log HTTPS downloads of files larger than 500 KB

Example 1: Block HTTPS upload traffic that includes credit card information

This configuration will block HTTPS upload traffic that includes credit card information. The pre-defined filter for credit card is used in the sensor.

To block HTTPS upload traffic that includes credit card information in the GUI:

1. Configure the DLP sensor:

   1. Go to Security Profiles > Data Leak Prevention and click Create New.

   2. Enter a name (sensor-case1).

   3. Enable DLP Log.

   4. In the Rules section, click Create New.

   5. Configure the following settings:

      Name	1
      Severity	Medium
      Type	File
      Filter By	Match Credit Card Numbers
      Protocols	HTTP-POST, HTTP-GET
      Action	Block

   6. Click OK.

   7. Click OK to save the sensor.

1. Add the DLP sensor to a policy:

   1. Go to Policy & Objects > Policy and click Create New.

   2. Set the Type to any except SSH Tunnel which does not support DLP.

   3. In the Security Profiles section, enable DLP Sensor and select sensor-case1.

   4. Configure the other settings as needed.

   5. Click OK.

      When a credit card is included in HTTP POST traffic, the file is blocked and a DLP log is generated.

To block HTTPS upload traffic that includes credit card information in the CLI:

1. Configure the DLP sensor:

   config dlp sensor
       edit "sensor-case1"
           config filter
               edit 1
                   set name "credit_card"
                   set proto http-get http-post
                   set action block
               next
           end
       next
   end

2. Add the DLP sensor to a policy:

   config firewall policy
       edit 1
           set uuid cda8d380-e253-51ee-d693-6d10e9eaa6ab
   	 set srcintf "any"
   	 set dstintf "any"
   	 set srcaddr "all"
   	 set dstaddr "all"
   	 set action accept
   	 set schedule "always"
   	 set service "ALL"
   	 set utm-status enable
   	 set logtraffic all
   	 set logtraffic-start enable
   	 set log-http-transaction all
   	 set ssl-ssh-profile "deep-inspection"
   	 set dlp-sensor "sensor-case1"
   
       next
   end

   When a credit card is included in HTTP POST traffic, a replacement message appears because it is blocked. A DLP log is generated.

Sample log

From Linux, the following command can be used to generate a sample log, using the cURL tool to post data, which contains a sample credit card number:

# curl https://172.18.20.226 -kv -d 4024007149133315

1: date=2024-03-14 time=15:44:19 eventtime=1710456260277025219 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="credit_card" filtertype="credit-card" filtercat="file" severity="medium" policyid=1 poluuid="cda8d380-e253-51ee-d693-6d10e9eaa6ab" policytype="policy" sessionid=145619901 epoch=936350951 eventid=0 srcip=10.1.2.12 srcport=48528 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.18.20.226 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="unknown" direction="outgoing" action="block" hostname="172.18.20.226" url="https://172.18.20.226/" agent="curl/7.68.0" profile="sensor-case1"

Example 2: Block HTTPS downloads of EXE files and log HTTPS downloads of files larger than 500 KB

This configuration will block HTTPS downloads of EXE files and log HTTPS downloads of files larger than 500 KB.

To block HTTPS download of EXE files and log downloads larger than 500 KB:

1. Configure the DLP file pattern:

   config dlp filepattern
       edit 3
           set name "case2-exe"
           config entries
               edit "exe"
                   set filter-type type
                   set file-type exe
               next
           end
       next
   end

2. Configure the DLP sensor:

   config dlp sensor
       edit "case2-type-size"
           config filter
               edit 1
                   set proto http-get
                   set filter-by none
                   set file-type 3
                   set action block
               next
               edit 2
                   set proto http-get
                   set filter-by none
                   set file-size 500
                   set action log-only
               next
           end
       next
   end

3. Add the DLP sensor to a policy:

   config firewall policy
       edit 1
           set uuid cda8d380-e253-51ee-d693-6d10e9eaa6ab
   	 set srcintf "any"
   	 set dstintf "any"
   	 set srcaddr "all"
   	 set dstaddr "all"
   	 set action accept
   	 set schedule "always"
   	 set service "ALL"
   	 set utm-status enable
   	 set logtraffic all
   	 set logtraffic-start enable
   	 set log-http-transaction all
   	 set ssl-ssh-profile "deep-inspection"
   	 set dlp-sensor "case2-type-size"
   
       next
   end

4. Download an EXE file using HTTPS. The download is blocked, a replacement message appears, and a DLP log is generated.

   Sample log

   1: date=2024-03-14 time=15:52:44 eventtime=1710456764252076035 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 dlpextra="case3-exe" filtertype="file-type" filtercat="file" severity="medium" policyid=1 poluuid="cda8d380-e253-51ee-d693-6d10e9eaa6ab" policytype="policy" sessionid=145619906 epoch=936350955 eventid=1 srcip=10.1.2.12 srcport=39136 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.18.29.117 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="exe" direction="incoming" action="block" hostname="172.18.29.117" url="https://172.18.29.117/files/dummy.exe" agent="curl/7.68.0" filename="dummy.exe" filesize=488944 profile="case2-type-size"