Advanced DLP configurations
The following topic provides information on advanced DLP configurations.
DLP data type
This configuration includes pre-defined data types for matching credit card numbers, hex strings, keywords, MIP labels, regular expressions, and US social security numbers (SSN). Custom data types can be added.
config dlp data-type
edit "keyword"
set pattern "built-in"
next
edit "regex"
set pattern "built-in"
next
edit "hex"
set pattern "built-in"
next
edit "mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "built-in"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
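The following Python script is an added example, not FortiProxy code, that models how the built-in ssn-us and credit-card definitions above behave end to end: pattern finds candidates, verify is run over the candidate plus its look-back context and discards structurally invalid ones, and transform turns a matched value into a per-value regex. Two points are assumptions rather than facts stated on this page: that "set verify built-in" for credit-card is a Luhn check-digit test, and that transform builds a pattern from the capture groups of a value so that one stored number matches whichever separator style appears in traffic. The sample text is constructed.

```python
import re

# Regexes copied from the built-in data types above (CLI double backslashes collapsed).
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
SSN_VERIFY = re.compile(r"(?<!-)\b(?!666|000|9\d{2})\d{3}-(?!00)\d{2}-(?!0{4})\d{4}\b(?!-)")
SSN_LOOK_BACK = 12
CC_PATTERN = re.compile(r"\b([2-6]{1}\d{3})[- ]?(\d{4})[- ]?(\d{2})[- ]?(\d{2})[- ]?(\d{2,4})\b")
CC_TRANSFORM = r"\b\1[- ]?\2[- ]?\3[- ]?\4[- ]?\5\b"

# Constructed test text; none of these numbers belong to anyone.
SAMPLE = (
    "Applicant SSN 123-45-6789, bad ones 666-12-3456 and 123-00-4567, "
    "ref-234-56-7890 is an ID not an SSN; card 4111 1111 1111 1111 ok, "
    "card 4111 1111 1111 1112 fails the check digit."
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test. ASSUMPTION: this is what 'set verify built-in' does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def verified_in_context(text: str, m: re.Match, verify: re.Pattern,
                        look_back: int, look_ahead: int = 1) -> bool:
    """Run `verify` over the candidate plus look-back/look-ahead characters and require
    one of its matches to cover exactly the candidate span (so the look-behind for a
    leading '-' and the look-ahead for a trailing '-' can see their context)."""
    lo = max(0, m.start() - look_back)
    hi = min(len(text), m.end() + look_ahead)
    window = text[lo:hi]
    return any(v.start() + lo == m.start() and v.end() + lo == m.end()
               for v in verify.finditer(window))


def find_ssns(text: str) -> list:
    """Candidates from the pattern, filtered by the verify regex with the page's look-back of 12."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text)
            if verified_in_context(text, m, SSN_VERIFY, SSN_LOOK_BACK)]


def transform(m: re.Match, template: str = CC_TRANSFORM) -> str:
    """Substitute the capture groups into the transform template to get a regex that
    matches this one value with any of the allowed separators (ASSUMED semantics).
    Done by hand rather than with m.expand() so the template's \\b is not turned into a backspace."""
    return re.sub(r"\\(\d)", lambda g: re.escape(m.group(int(g.group(1)))), template)


def find_cards(text: str) -> list:
    """Candidates from the pattern, verified with Luhn, each with its transformed per-value regex."""
    out = []
    for m in CC_PATTERN.finditer(text):
        digits = "".join(m.groups())
        if luhn_ok(digits):
            out.append({"raw": m.group(0), "digits": digits, "pattern": transform(m)})
    return out


def transform_matches(value_pattern: str, text: str) -> bool:
    """True when the transformed per-value regex finds the number in `text`."""
    return re.search(value_pattern, text) is not None


if __name__ == "__main__":
    print("SSNs:", find_ssns(SAMPLE))
    for card in find_cards(SAMPLE):
        print("card:", card["digits"], "matches dashed form:",
              transform_matches(card["pattern"], "4111-1111-1111-1111"))
```

Of the four SSN-shaped strings only 123-45-6789 survives: 666 and 000 area numbers and a 00 group are rejected by verify, and ref-234-56-7890 is rejected because the look-behind sees the hyphen in front of it. Only the Luhn-valid card is kept, and its transformed pattern also matches the dashed and unseparated spellings of the same number.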
Built-in DLP data types and EDM
Exact data matching (EDM) can be used with pre-defined data types to match credit card, keyword, mip label, and social security number (SSN) data. See Exact Data Matching (EDM) for more information.
An EDM template maps individual columns of data from a file in CSV format on an external server to pre-defined data types. Each column in the external file represents a pre-defined data type.
To add an external data file to FortiProxy:
config system external-resource
edit <name>
set type data
set resource <URL of the external resource>
set refresh-rate <integer>
next
end
To use the external file in an EDM template:
config dlp exact-data-match
edit <name>
config columns
edit <index>
set type <string>
set optional {enable | disable}
next
end
set data <string>
set optional <integer>
next
end
config dlp exact-data-match
Configure an exact data-match template for use with DLP scans.
edit <name>
Specify the name of the table containing the exact data-match template.
config columns
Configure which columns from the external resource file, such as a data threat feed file, to use when matching data. Each column in the external resource file contains data for one supported DLP data type.
edit <index>
Specify the index number for the column.
set type <string>
Specify the name of the DLP data type. The supported types are the built-in credit-card, keyword, mip-label, and ssn-us data types.
set optional {enable | disable}
Mark the column as optional for matching. Use the optional <integer> setting of the template to specify how many optional columns must match.
set data <string>
Specify the name of the EDM external resource file to use for the exact data-match template. The file must be added to FortiProxy with the config system external-resource command (set type data) shown above.
set optional <integer>
Specify how many of the optional data types must match.
See Configure EDM for data loss prevention.
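The following Python script is an added example, not FortiProxy code, of the matching model the EDM template describes: a CSV with one data type per column is indexed, candidates of each type are extracted from scanned text and looked up against their column, and a row counts as matched only when every non-optional column and at least "optional <integer>" optional columns come from that same row. The CSV, the column layout (ssn-us required, credit-card and keyword optional) and the simplified candidate regexes are constructed for the example; how the appliance itself stores the resource file is not described on this page, so the hashed index here is a design choice, not a description of FortiProxy.

```python
import csv
import hashlib
import io
import re

# Constructed sample resource file, standing in for the CSV that
# 'config system external-resource ... set type data' would fetch.
SAMPLE_CSV = """ssn,card,name
123-45-6789,4111 1111 1111 1111,alice
234-56-7890,5500 0000 0000 0004,bob
"""

# Candidate extractor plus normaliser per data type. Normalising before hashing is what
# makes '4111-1111-1111-1111' in traffic hit the row that stores '4111 1111 1111 1111'.
# These regexes are simplified stand-ins for the built-in patterns, not copies of them.
EXTRACTORS = {
    "ssn-us": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: re.sub(r"\D", "", s)),
    "credit-card": (re.compile(r"\b[2-6]\d{3}(?:[- ]?\d{4}){3}\b"), lambda s: re.sub(r"\D", "", s)),
    "keyword": (re.compile(r"[A-Za-z]+"), str.lower),
}


def _h(value: str) -> str:
    # Index holds digests rather than the raw column values. Note this is structural only:
    # a SHA-256 of a 9-digit SSN is trivially brute-forced, so it does not protect the data.
    return hashlib.sha256(value.encode()).hexdigest()


class EdmTemplate:
    """Mirror of 'config dlp exact-data-match': ordered columns as (type, optional) in file
    order, plus the number of optional columns that must also match ('set optional <integer>')."""

    def __init__(self, columns, optional_required: int):
        self.columns = columns
        self.optional_required = optional_required
        self.index = {}   # (column number, digest of normalised value) -> set of row ids

    def load(self, csv_text: str) -> None:
        reader = csv.reader(io.StringIO(csv_text))
        next(reader)      # header row
        for row_id, row in enumerate(reader):
            for col, (dtype, _optional) in enumerate(self.columns):
                norm = EXTRACTORS[dtype][1](row[col])
                self.index.setdefault((col, _h(norm)), set()).add(row_id)

    def scan(self, text: str) -> list:
        """Row ids whose required columns all appear in `text` and whose optional columns
        appear at least `optional_required` times."""
        seen = {}     # row id -> set of column numbers found in the text
        for col, (dtype, _optional) in enumerate(self.columns):
            regex, norm = EXTRACTORS[dtype]
            for m in regex.finditer(text):
                for row_id in self.index.get((col, _h(norm(m.group(0)))), ()):
                    seen.setdefault(row_id, set()).add(col)
        hits = []
        for row_id, cols in sorted(seen.items()):
            required_ok = all(c in cols for c, (_t, opt) in enumerate(self.columns) if not opt)
            optional_n = sum(1 for c in cols if self.columns[c][1])
            if required_ok and optional_n >= self.optional_required:
                hits.append(row_id)
        return hits


def build_template() -> EdmTemplate:
    """Column 1 ssn-us (required), column 2 credit-card (optional), column 3 keyword (optional);
    one optional column must match in addition to the SSN."""
    tpl = EdmTemplate([("ssn-us", False), ("credit-card", True), ("keyword", True)],
                      optional_required=1)
    tpl.load(SAMPLE_CSV)
    return tpl


if __name__ == "__main__":
    tpl = build_template()
    for line in ("SSN 123-45-6789 for alice",
                 "SSN 123-45-6789 on file",
                 "alice paid with 4111-1111-1111-1111",
                 "bob 234-56-7890 5500 0000 0000 0004"):
        print(repr(line), "->", tpl.scan(line))
```

The second line shows why the optional count matters: the SSN alone is in the file, but with no optional column from the same row it is not an exact-data match. The third line shows the other direction: card and name both belong to row 0, but the required SSN column is absent, so there is no match either.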
Custom DLP data type
Custom data types can be added. See Custom data classification tags (data pattern) for more information.
A custom DLP data type allows both a proximity keyword check and data validation checks within the same data type. A data type supports two verification checks (verify and verify2) and one proximity check (match-around) at the same time, which lowers the rate of false positives and makes the search more precise.
To configure a custom DLP data type:
config dlp data-type
edit <name>
set verify <string>
set verify2 <string>
set look-ahead <integer>
set look-back <integer>
set match-around <string>
set match-ahead <integer>
set match-back <integer>
set pattern <string>
next
end
config dlp data-type
Configure a data type used by DLP scans.
edit <name>
Specify the name of the table containing the data type.
set pattern <string>
Specify the regular expression pattern string, without look-around, that identifies a candidate match.
set verify <string>
Specify the regular expression pattern string used to verify the data type.
set verify2 <string>
Specify an extra regular expression pattern string used to verify the data type.
set look-ahead <integer>
Specify the number of characters after the candidate to obtain in advance for verification (1 to 255, default = 1).
set look-back <integer>
Specify the number of characters before the candidate to keep for verification (1 to 255, default = 1).
set match-around <string>
Specify the dictionary whose entries must appear near the candidate for it to match. Only dictionaries of the match-any and basic types are supported; repeat counts are not supported.
set match-back <integer>
Specify the number of characters before the candidate to search for match-around (1 to 4096, default = 1).
set match-ahead <integer>
Specify the number of characters after the candidate to search for match-around (1 to 4096, default = 1).
To use "?" in a regex pattern, see CLI basics. This method only works over a direct console connection or SSH; it does not work in the CLI console in the GUI.
See Proximity search for a sample configuration.
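The following Python script is an added example, not FortiProxy code, that models the custom data type fields above as one class: pattern finds candidates, verify and verify2 are each run over the candidate plus its look-back/look-ahead context, and match-around is satisfied only when a dictionary keyword appears within match-back characters before or match-ahead characters after the candidate. The "acme-account" data type, its regexes, the keyword dictionary and the sample lines are all constructed for the example; the dictionary is modelled as a match-any set of words.

```python
import re
from dataclasses import dataclass


@dataclass
class CustomDataType:
    """Mirror of the fields in 'config dlp data-type' for a custom type (defaults as on the page)."""
    name: str
    pattern: str
    verify: str = ""
    verify2: str = ""
    look_back: int = 1
    look_ahead: int = 1
    match_around: frozenset = frozenset()   # match-any dictionary, modelled as a word set
    match_back: int = 1
    match_ahead: int = 1

    def _verified(self, text: str, m: re.Match, regex: str) -> bool:
        """Run a verify regex over the candidate plus look-back/look-ahead context and
        require one of its matches to cover exactly the candidate span."""
        if not regex:
            return True
        lo = max(0, m.start() - self.look_back)
        hi = min(len(text), m.end() + self.look_ahead)
        window = text[lo:hi]
        return any(v.start() + lo == m.start() and v.end() + lo == m.end()
                   for v in re.finditer(regex, window))

    def _keyword_nearby(self, text: str, m: re.Match) -> bool:
        """Proximity check: some dictionary word within match-back chars before or
        match-ahead chars after the candidate."""
        if not self.match_around:
            return True
        before = text[max(0, m.start() - self.match_back):m.start()]
        after = text[m.end():m.end() + self.match_ahead]
        words = re.findall(r"[A-Za-z]+", (before + " " + after).lower())
        return any(w in self.match_around for w in words)

    def scan(self, text: str) -> list:
        """Candidates that pass pattern, verify, verify2 and the proximity check."""
        return [m.group(0) for m in re.finditer(self.pattern, text)
                if self._verified(text, m, self.verify)
                and self._verified(text, m, self.verify2)
                and self._keyword_nearby(text, m)]


# Hypothetical internal account number: 4 digits, dash, 6 digits. The first block may not be
# 0000 (verify) and the second block may not be all zeros (verify2); an "account"/"acct"
# keyword must appear within 40 characters before or 20 after the number.
ACME_ACCOUNT = CustomDataType(
    name="acme-account",
    pattern=r"\b(\d{4})-(\d{6})\b",
    verify=r"\b(?!0000)\d{4}-\d{6}\b",
    verify2=r"\b\d{4}-(?!000000)\d{6}\b",
    look_back=4, look_ahead=1,
    match_around=frozenset({"account", "acct"}),
    match_back=40, match_ahead=20,
)

# Constructed sample lines; comments state which check decides each one.
SAMPLE_LINES = [
    "account 1234-567890 closed",                                        # match
    "order 1234-567890 shipped",                                         # no keyword nearby
    "acct 0000-123456 pending",                                          # verify rejects 0000
    "account 2222-000000 frozen",                                        # verify2 rejects 000000
    "account was referenced on the previous invoice page 5555-666666",  # keyword beyond match-back
]


def scan_samples() -> dict:
    return {line: ACME_ACCOUNT.scan(line) for line in SAMPLE_LINES}


if __name__ == "__main__":
    for line, hits in scan_samples().items():
        print(repr(line), "->", hits)
```

The second line is the false positive the proximity check exists to remove: the number has exactly the right shape, but nothing around it says it is an account, so it does not count. The last line shows that match-back is a hard window; a keyword 45 characters away is treated as absent.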
DLP file pattern
A DLP file pattern can block, allow, log, or quarantine a file based on the specified file type in the file filter list. Refer to Create or edit a DLP file pattern for instructions about configuring a DLP file pattern.
To configure a DLP file pattern in CLI:
config dlp filepattern
edit <id>
set name <name>
config entries
edit <name>
set filter-type {type | pattern}
set file-type <file_type>
next
end
next
end
Evaluation by Logical relationship
Evaluation by logical relationship combines the match counts of multiple dictionary entries in a logical expression, so that a DLP sensor matches only when the expression is true.
Syntax examples:
- set eval "dict(1) == 2": match the DLP sensor only when the dictionary 1 match count is two.
- set eval "(dict(1) + dict(2)) == 3": match the DLP sensor only when the combined match count of dictionary 1 and dictionary 2 is three.
- set eval "(dict(1) == 2) && (dict(2) == 1)": match the DLP sensor only when the dictionary 1 match count equals two and the dictionary 2 match count equals one.
- set eval "(dict(1) == 2) || (dict(2) == 1)": match the DLP sensor only when the dictionary 1 match count equals two or the dictionary 2 match count equals one.
- set eval "dict(1) > dict(2)": match the DLP sensor only when the dictionary 1 match count is greater than the dictionary 2 match count.