Fortinet white logo
Fortinet white logo

Handbook

Configuring sensitive data protection

Configuring sensitive data protection

The Data leak prevention (DLP) feature allows Web Application Firewall (WAF) to prevent information leaks, damage and loss. It provides desensitization and warning measures for sensitive information leaks on websites, such as SSN numbers and credit card information, as well as the leakage of sensitive keywords.

  • Detects and identifies private and sensitive data generated on the webpage, offering protective measures.
  • Provides a built-in illegal and sensitive keyword library.

Before you begin:

  • Configure a virtual server with a WAF Profile.

To configure Data Leakage Prevention

  1. Go to Web Application Firewall > Sensitive Data Protection > Sensitive Data Type.
  2. Click Create New.
  3. Complete the configuration.
  4. Name Enter the name of the Sensitive Data Type. You will use the name to select the Sensitive Data Type profile in Data Leak Prevention profiles. No spaces.
    Description Comments about this profile. Describe what this profile is used for and what kind of data this regex is used to match.
    Regex Specify the regex string used to match sensitive data. There are two pre-defined regex strings named Credit_Card_Number and US_Social_Security_Number.
  5. Click Save.
  6. Go to the Data Leak Prevention tab. Click Create New.
  7. Complete the configuration and click Save.
    Name Enter the name of the Data Leak Prevention. You will use the name to select the Data Leak Prevention profile in WAF profiles. No spaces.
    Status Enable or disable this profile. Default is disable.

    Masking

    Enable masking to replace sensitive data with asterisks(*). Default is disable.

    Note: When masking is enabled, all target data will be replaced by an asterisk(*) so the threshold value won’t take effect here. Masking only works when the action is alert. The connection will be rejected when the action is set as "deny" or "block," so no target data will be replaced.

    Action

    Select the action profile that you want to apply. See Configuring WAF Action objects. The default is Alert.

    Severity

    Set the severity level in the WAF logs for potential attacks detected by the Data Leak Prevention profile.

    • High
    • Medium
    • Low
  8. Edit the newly created Data Leak Prevention. Under Rule, click Create New.
  9. Complete the configuration and click Save.
  10. Name Enter the name of the Sensitive Data Type. You will use the name to select the Sensitive Data Type profile in Data Leak Prevention profiles. No spaces.
  11. Click Save in the Data Leak Prevention profile. You have successfully created a Data Leak Prevention. The maximum number of rules is 256 but detection will stop after matching as many as 8 rules.
Example

Create a sensitive-data-type

config security waf sensitive-data-type

edit "Credit_Card_Number"

set regex "^3(?:[47]\\d([ -]?)\\d{4}(?:\\1\\d{4}){2}|0[0-5]\\d{11}|[68]\\d{12})$|^4(?:\\d\\d\\d)?([ -]?)\\d{4}(?:\\2\\d{4}){2}$|^6011([ -]?)\\d{4}(?:\\3\\d{4}){2}$|^5[1-5]\\d\\d([ -]?)\\d{4}(?:\\4\\d{4}){2}$|^2014\\d{11}$|^2149\\d{11}$|^2131\\d{11}$|^1800\\d{11}$|^3\\d{15}$"

set description "For credit card numbers from MC, Visa, Amex, Diners/CarteBlanche, Discover/Novus, Enroute, and JCB. Matches 341-1111-1111-1111 | 5431-1111-1111-1111 | 30569309025904 Non-Matches 30-5693-0902-5904 | 5631-1111-1111-1111 | 31169309025904."

next

End

Use it in data-leak-prevention

config security waf data-leak-prevention

edit "dlp"

set status enable -> default disable

set action alert -> default alert,means pass with a security log if hit target

config rule

edit 1

set request-uri-pattern / -> default none,means do not scan the content

set sensitive-data-type Credit_Card_Number -> use data-leak-prevention

next

end

next

end

Configure the waf profile

config security waf profile

edit "WAF"

set data-leak-prevention dlp

next

end

Configuring sensitive data protection

Configuring sensitive data protection

The Data leak prevention (DLP) feature allows Web Application Firewall (WAF) to prevent information leaks, damage and loss. It provides desensitization and warning measures for sensitive information leaks on websites, such as SSN numbers and credit card information, as well as the leakage of sensitive keywords.

  • Detects and identifies private and sensitive data generated on the webpage, offering protective measures.
  • Provides a built-in illegal and sensitive keyword library.

Before you begin:

  • Configure a virtual server with a WAF Profile.

To configure Data Leakage Prevention

  1. Go to Web Application Firewall > Sensitive Data Protection > Sensitive Data Type.
  2. Click Create New.
  3. Complete the configuration.
  4. Name Enter the name of the Sensitive Data Type. You will use the name to select the Sensitive Data Type profile in Data Leak Prevention profiles. No spaces.
    Description Comments about this profile. Describe what this profile is used for and what kind of data this regex is used to match.
    Regex Specify the regex string used to match sensitive data. There are two pre-defined regex strings named Credit_Card_Number and US_Social_Security_Number.
  5. Click Save.
  6. Go to the Data Leak Prevention tab. Click Create New.
  7. Complete the configuration and click Save.
    Name Enter the name of the Data Leak Prevention. You will use the name to select the Data Leak Prevention profile in WAF profiles. No spaces.
    Status Enable or disable this profile. Default is disable.

    Masking

    Enable masking to replace sensitive data with asterisks(*). Default is disable.

    Note: When masking is enabled, all target data will be replaced by an asterisk(*) so the threshold value won’t take effect here. Masking only works when the action is alert. The connection will be rejected when the action is set as "deny" or "block," so no target data will be replaced.

    Action

    Select the action profile that you want to apply. See Configuring WAF Action objects. The default is Alert.

    Severity

    Set the severity level in the WAF logs for potential attacks detected by the Data Leak Prevention profile.

    • High
    • Medium
    • Low
  8. Edit the newly created Data Leak Prevention. Under Rule, click Create New.
  9. Complete the configuration and click Save.
  10. Name Enter the name of the Sensitive Data Type. You will use the name to select the Sensitive Data Type profile in Data Leak Prevention profiles. No spaces.
  11. Click Save in the Data Leak Prevention profile. You have successfully created a Data Leak Prevention. The maximum number of rules is 256 but detection will stop after matching as many as 8 rules.
Example

Create a sensitive-data-type

config security waf sensitive-data-type

edit "Credit_Card_Number"

set regex "^3(?:[47]\\d([ -]?)\\d{4}(?:\\1\\d{4}){2}|0[0-5]\\d{11}|[68]\\d{12})$|^4(?:\\d\\d\\d)?([ -]?)\\d{4}(?:\\2\\d{4}){2}$|^6011([ -]?)\\d{4}(?:\\3\\d{4}){2}$|^5[1-5]\\d\\d([ -]?)\\d{4}(?:\\4\\d{4}){2}$|^2014\\d{11}$|^2149\\d{11}$|^2131\\d{11}$|^1800\\d{11}$|^3\\d{15}$"

set description "For credit card numbers from MC, Visa, Amex, Diners/CarteBlanche, Discover/Novus, Enroute, and JCB. Matches 341-1111-1111-1111 | 5431-1111-1111-1111 | 30569309025904 Non-Matches 30-5693-0902-5904 | 5631-1111-1111-1111 | 31169309025904."

next

End

Use it in data-leak-prevention

config security waf data-leak-prevention

edit "dlp"

set status enable -> default disable

set action alert -> default alert,means pass with a security log if hit target

config rule

edit 1

set request-uri-pattern / -> default none,means do not scan the content

set sensitive-data-type Credit_Card_Number -> use data-leak-prevention

next

end

next

end

Configure the waf profile

config security waf profile

edit "WAF"

set data-leak-prevention dlp

next

end