Configuring sensitive data protection
The Data Loss Prevention (DLP) feature allows the Web Application Firewall (WAF) to prevent information leaks, damage, and loss. It provides masking and alerting for sensitive information leaked from websites, such as Social Security numbers (SSNs) and credit card numbers, as well as for leaked sensitive keywords.
- Detects and identifies private and sensitive data generated on the webpage, offering protective measures.
- Provides a built-in illegal and sensitive keyword library.
Before you begin:
- Configure a virtual server with a WAF Profile.
To configure Data Leak Prevention:
- Go to Web Application Firewall > Sensitive Data Protection > Sensitive Data Type.
- Click Create New.
- Complete the configuration:
  - Name: Enter the name of the Sensitive Data Type. You will use this name to select the Sensitive Data Type in Data Leak Prevention profiles. No spaces.
  - Description: Comments about this profile. Describe what the profile is used for and what kind of data the regex is meant to match.
  - Regex: Specify the regex string used to match sensitive data. Two regex strings are pre-defined: Credit_Card_Number and US_Social_Security_Number.
- Click Save.
- Go to the Data Leak Prevention tab. Click Create New.
- Complete the configuration:
  - Name: Enter the name of the Data Leak Prevention profile. You will use this name to select the Data Leak Prevention profile in WAF profiles. No spaces.
  - Status: Enable or disable this profile. Default is disable.
  - Masking: Enable masking to replace sensitive data with asterisks (*). Default is disable.
    Note: When masking is enabled, all target data is replaced by asterisks (*), so the threshold value has no effect. Masking only works when the action is alert: when the action is "deny" or "block," the connection is rejected, so there is no response content in which target data could be replaced.
  - Action: Sets the action FortiADC will take if a security check detects a potential attack.
    - Alert: Let the request pass when the profile detects a potential attack, triggering only a WAF log.
    - Deny: Drop the incoming request and trigger a WAF log.
    - Block: Block the IP address of the incoming request for 3600 seconds and trigger a WAF log.
    - silent-deny: Drop the incoming request without triggering a WAF log.
    Note: You can create a customized action with "Create New."
  - Severity: Set the severity level in the WAF logs for potential attacks detected by the Data Leak Prevention profile.
    - High
    - Medium
    - Low
  - URI Pattern: Specified in Data Leak Prevention rules. An empty URI value prevents the rule from working.
  - Sensitive Data Type: Specified in Data Leak Prevention rules. Specify a profile created in "Sensitive Data Type."
  - Threshold: Specified in Data Leak Prevention rules. The rule does not take effect until the target data has been detected the specified number of times. For example, with a threshold of 3, the rule does not take effect until the target data is detected three times. Range 1-10000. Default 1. This value has no effect if masking is enabled.
- Click Create New to create rules in the Data Leak Prevention profile. A profile can hold up to 256 rules, but detection stops after as many as eight rules have matched.
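To make the rule semantics above concrete (URI pattern gating, the per-rule threshold, masking overriding the threshold and applying only with the alert action, the four actions, and the eight-matched-rule cap), here is an added Python model of the evaluation. It is example code written for this page, not FortiADC's implementation. It transcribes the page's predefined Credit_Card_Number regex; the way that anchored pattern is applied to candidate tokens inside a response body, the shape of the log records, and all function and class names are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Transcription of the page's predefined Credit_Card_Number regex as a Python
# raw string (the CLI shows "\\d" because backslashes are escaped inside its
# double-quoted strings; the pattern itself uses "\d").
CREDIT_CARD_NUMBER = re.compile(
    r"^3(?:[47]\d([ -]?)\d{4}(?:\1\d{4}){2}|0[0-5]\d{11}|[68]\d{12})$"
    r"|^4(?:\d\d\d)?([ -]?)\d{4}(?:\2\d{4}){2}$"
    r"|^6011([ -]?)\d{4}(?:\3\d{4}){2}$"
    r"|^5[1-5]\d\d([ -]?)\d{4}(?:\4\d{4}){2}$"
    r"|^2014\d{11}$|^2149\d{11}$|^2131\d{11}$|^1800\d{11}$|^3\d{15}$"
)

# The predefined pattern is anchored with ^ and $, so this example applies it
# to candidate tokens (digit runs that may contain spaces or hyphens). This
# tokenisation is an assumption; the page does not say how the appliance
# scopes the match.
CANDIDATE = re.compile(r"\d[\d -]*\d")

MAX_MATCHED_RULES = 8   # page: detection stops after eight rules have matched
BLOCK_SECONDS = 3600    # page: "block" bans the source IP for 3600 seconds


@dataclass
class Rule:
    request_uri_pattern: str        # regex over the request URI; empty disables the rule
    sensitive_data_type: re.Pattern
    threshold: int = 1              # page: range 1-10000, default 1


@dataclass
class DlpProfile:
    rules: list
    status: bool = False            # page default: disable
    action: str = "alert"           # alert | deny | block | silent-deny
    masking: bool = False           # page default: disable


def find_hits(pattern, body):
    """Return (start, end) spans of candidate tokens that fully match the data type."""
    return [m.span() for m in CANDIDATE.finditer(body) if pattern.fullmatch(m.group())]


def mask(body, spans):
    """Replace each hit with asterisks of equal length so the other spans stay valid."""
    out = list(body)
    for start, end in spans:
        out[start:end] = "*" * (end - start)
    return "".join(out)


def evaluate(profile, request_uri, response_body):
    """Apply a DLP profile to one response.

    Returns (verdict, body_to_send, log_entries, block_seconds) where verdict
    is "pass", "deny" or "block".
    """
    if not profile.status:
        return "pass", response_body, [], 0

    logs, masked_spans = [], []
    for rule_id, rule in enumerate(profile.rules, start=1):
        if len(logs) >= MAX_MATCHED_RULES:
            break
        if not rule.request_uri_pattern or not re.search(rule.request_uri_pattern, request_uri):
            continue
        spans = find_hits(rule.sensitive_data_type, response_body)
        if not spans:
            continue
        # Masking only applies with action "alert", and then it overrides the
        # threshold: the rule fires on the first hit and every hit is masked.
        masking_active = profile.masking and profile.action == "alert"
        if masking_active or len(spans) >= rule.threshold:
            logs.append({"rule": rule_id, "hits": len(spans), "threshold": rule.threshold})
            if masking_active:
                masked_spans.extend(spans)

    if not logs:
        return "pass", response_body, [], 0
    if profile.action == "alert":
        return "pass", mask(response_body, masked_spans), logs, 0
    if profile.action == "deny":
        return "deny", "", logs, 0
    if profile.action == "block":
        return "block", "", logs, BLOCK_SECONDS
    if profile.action == "silent-deny":
        return "deny", "", [], 0    # connection dropped, but no WAF log
    raise ValueError(f"unknown action {profile.action!r}")


# Constructed sample response body: the fake card numbers come from the
# page's own "Matches" and "Non-Matches" lists for the predefined regex.
SAMPLE_BODY = (
    "Customer cards on file:\n"
    "341-1111-1111-1111\n"
    "5431-1111-1111-1111\n"
    "Not a card: 5631-1111-1111-1111\n"
)

if __name__ == "__main__":
    profile = DlpProfile(rules=[Rule("/", CREDIT_CARD_NUMBER, threshold=1)],
                         status=True, action="alert", masking=True)
    verdict, body, logs, _ = evaluate(profile, "/account/cards", SAMPLE_BODY)
    print(verdict, logs)
    print(body)
```

Run as-is, the two valid card numbers are replaced by asterisks while the non-matching number is left untouched and one log entry is produced. Switching the profile to action deny with threshold 3 lets the same body through, because only two occurrences are detected; with threshold 2 it is denied.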
Example
Create a sensitive-data-type
config security waf sensitive-data-type
edit "Credit_Card_Number"
set regex "^3(?:[47]\\d([ -]?)\\d{4}(?:\\1\\d{4}){2}|0[0-5]\\d{11}|[68]\\d{12})$|^4(?:\\d\\d\\d)?([ -]?)\\d{4}(?:\\2\\d{4}){2}$|^6011([ -]?)\\d{4}(?:\\3\\d{4}){2}$|^5[1-5]\\d\\d([ -]?)\\d{4}(?:\\4\\d{4}){2}$|^2014\\d{11}$|^2149\\d{11}$|^2131\\d{11}$|^1800\\d{11}$|^3\\d{15}$"
set description "For credit card numbers from MC, Visa, Amex, Diners/CarteBlanche, Discover/Novus, Enroute, and JCB. Matches 341-1111-1111-1111 | 5431-1111-1111-1111 | 30569309025904 Non-Matches 30-5693-0902-5904 | 5631-1111-1111-1111 | 31169309025904."
next
end
Use it in data-leak-prevention
config security waf data-leak-prevention
edit "dlp"
set status enable -> default: disable
set action alert -> default: alert, meaning the request passes with a security log if the target data is hit
config rule
edit 1
set request-uri-pattern / -> default: none, meaning the content is not scanned
set sensitive-data-type Credit_Card_Number -> the sensitive-data-type created above, referenced by this data-leak-prevention rule
next
end
next
end
Configure the waf profile
config security waf profile
edit "WAF"
set data-leak-prevention dlp
next
end