Handbook

Introduction
What's New
Key Concepts and Features
- Server load balancing
- Link load balancing
- Global load balancing
- Security
- High availability
- Virtual Domain (VDOM) and Administrative Domain (ADOM)
Getting Started
- Step 1: Install the appliance
- Step 2: Configure the management interface
- Step 3: Configure basic network settings
- Step 4: Test connectivity to destination servers
- Step 5: Complete product registration, licensing, and upgrades
- Step 6: Configure a basic server load balancing policy
- Step 7: Test the deployment
- Step 8: Back up the configuration
Dashboard
- Widgets
- Dashboard management tools
Security Fabric
- Automation
- Fabric connectors
- External connectors
FortiView
- Logical Topology
- Server Load Balance
- Security
- System
  - Event Logs
  - Automation
- Global Load Balance
  - Host
  - Data Analytics
- Link Load Balance
  - Gateway
- ZTNA FortiClient endpoint
System
- Settings
- Virtual Domain
- High Availability
- Traffic Group
- Administrator
- Global Resources
- WCCP
- SNMP
- Replacement Messages
- FortiGuard
  - Connecting to FortiGuard services
  - Configuring FortiGuard service settings
- Debug
- Certificate
Network
- Interface
- Routing
- NAT
  - Configuring source NAT
  - Configuring 1-to-1 NAT
- QoS
- Packet capture
Shared Resources
- Health Check
- Schedule Group
- Address
- Service
  - Creating service groups
  - Creating service objects
Server Load Balance
- Virtual Server
- Application Resources
- Application Optimization
- Real Server Pool
- Scripting
  - Using HTTP scripting
- SSL-FP Resources
Link Load Balance
- Link Policy
- Link Group
- Virtual Tunnel
Global Load Balance
- GLB Wizard
- FQDN
- Zone Tools
- Global Object
Web Application Firewall
- OWASP TOP10
- WAF Profile
- Known Web Attacks
  - Configuring a Web Attack Signature policy
  - Using the Signature Creation Wizard
- Common Attacks Detection
- Sensitive Data Protection
  - Configuring a Cookie Security policy
  - Configuring an HTTP Header Security policy
- Data Loss Prevention
- Input Validation
- Access Protection
- CORS Protection
- API Protection
- Bot Mitigation
- Web Vulnerability Scanner
Advanced Bot Protection (ABP)
- Enabling the Advanced Bot Protection connector
- Obtaining the Application ID from the FortiGuard ABP User Portal
- Configuring an Advanced Bot Protection policy
- Advanced Bot Protection troubleshooting and debugging
Network Security
- Firewall
- Intrusion Prevention
- AntiVirus
- IP Reputation
- Geo IP Protection
Zero Trust Network Access (ZTNA)
- How device identity and trust context is established with FortiClient EMS
- Configuring FortiClient EMS Connector for ZTNA
- Verifying client certificate, FortiClient endpoint and ZTNA tag synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- ZTNA troubleshooting and debugging
DoS Protection
- DoS Protection Profile
- Application
- Networking
User Authentication
- Authentication Policy
- User Group
  - Configuring user groups
  - Configuring customized authentication forms
- Local User
- Remote User
- Using Kerberos Authentication Relay
  - Using HTTP Basic SSO
- SAML
  - Configure an SAML service provider
  - Import IDP Metadata
- AD FS Proxy
  - Adding an AD FS Publish
  - Adding an AD FS Proxy
- OAuth 2.0 authentication
Log & Report
- Using the traffic log
- Using the security log
- Using the script log
- Log Setting
- Report Setting
AI Threat Analytics
- AI Threat Analytics troubleshooting and debugging
SSL Advanced Services
- SSL offloading
- SSL decryption by forward proxy
- SSL profile configurations
- Certificate guidelines
- SSL/TLS versions and cipher suites
- Exceptions list
- SSL traffic mirroring
- HSM Integration
Best Practices and Fine-tuning
- Regular backups
  - Rebooting, resetting, and shutting down the system
  - SCP support for configuration backup
- Security
- Performance tips
- High availability
Troubleshooting
- Logs
- Tools
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
- Additional resources
Appendices
- Port Numbers
- Scripts
- Maximum Configuration Values
Change Log

Home FortiADC 7.4.3 Handbook

7.4.3

Configuring a DLP Dictionary object

A DLP dictionary defines the patterns of data. The term "pattern" denotes a set of attributes specific to a given data type. For example, credit card numbers constitute numeric data that follow either the 14-digit or 16-digit patterns associated with credit cards. If the data adheres to these patterns, FortiADC will identify it as a match.

Before you begin:

You must have a valid FortiGuard DLP service license and have enabled the service on FortiADC. For details, see FortiGuard DLP service.

Predefined DLP Sensor objects

You can use the following predefined DLP Dictionary objects in Data Loss Prevention rules.

Predefined DLP Dictionary object	Match Type	Description
EICAR-TEST-FILE	Any	EICAR Test File for DLP
can-natl_id-pk	Any
can-natl_id-sin-dict	Any	Canadian SIN Card Number Dictionary
glb-pass-pk	Any
can-pass-dict	Any	Canadian Passport Dictionary
usa-pass-dict	Any	USA Passport Dictionary
uk-pass-dict	Any	UK Passport Dictionary
aus-pass-dict	Any	Australia Passport Dictionary
fra-pass-dict	Any	France Passport Dictionary
jpn-pass-dict	Any	Japan Passport Dictionary
can-health_service-pk	Any
can-phin-pk	Any
can-phin-dict	Any	Canadian Personal Health Identification Number Dictionary
can-health_service-dict	Any	Canadian Health Service Dictionary
glb-cc-pk	Any
glb-cc-dict	Any	Global Credit Card Dictionary
usa-natl_id-pk	Any
glb-dl-pk	Any
can-dl-dict	Any	Canadian Driver's License Dictionary
can-bank_account-pk	Any
can-bank_account-dict	Any	Canadian Bank Account Dictionary
usa-natl_id-ssn-dict	Any	USA SSN Card Number Dictionary
glb-swift-pk	Any
source_code-python	Any	Python Source Code Dictionary
source_code-c	Any	C Source Code Dictionary
source_code-java	Any	Java Source Code Dictionary

To configure a DLP Dictionary object:

Go to Web Application Firewall > Data Loss Prevention.
Click the DLP Dictionary tab.
Click Create New to display the configuration editor.

Configure the following DLP Dictionary settings:

Setting	Description
Name	Specify a name for the DLP Dictionary object. Valid characters are `A`-`Z`, `a`-`z`, `0`-`9`, `_`, and `-`. No spaces. The configuration name cannot be edited once it has been saved.
Match Type	Select the match type: Any — Data meeting the criteria specified by any one of the dictionary entries will be identified as a match. All — Data meeting the criteria specified by all dictionary entries will be identified as a match. The default is Any.
Description	Comments about this DLP Dictionary object.

Setting

Description

Name Specify a name for the DLP Dictionary object.
Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The configuration name cannot be edited once it has been saved.

Match Type

Select the match type:

Any — Data meeting the criteria specified by any one of the dictionary entries will be identified as a match.
All — Data meeting the criteria specified by all dictionary entries will be identified as a match.

The default is Any.

Description Comments about this DLP Dictionary object.

Click Save.
After the DLP Dictionary configuration is saved, the FortiGuard Data Types section becomes available to configure.
Under the FortiGuard Data Types section, click Create New to display the configuration editor.

Configure the following FortiGuard Data Types settings for the DLP Dictionary:

Setting	Description
Status	Enable the Status if you intend to apply this data type.
FortiGuard Data Type	Select a FortiGuard Data Type from the drop-down menu.
Repeat	Enable this option if you want to match data exclusively when it appears multiple times. With this option enabled, you can specify the times of occurrence in the DLP Sensor settings.

Setting

Description

Status

Enable the Status if you intend to apply this data type.

FortiGuard Data Type

Select a FortiGuard Data Type from the drop-down menu.

Repeat

Enable this option if you want to match data exclusively when it appears multiple times.

With this option enabled, you can specify the times of occurrence in the DLP Sensor settings.

Click Save.
Once the FortiGuard Data Types configuration is saved, the editor dialog closes.
Click Save to update the DLP Sensor configuration.
Once the DLP Dictionary is saved, you can reference it in a DLP Sensor.

Configuring a DLP Dictionary object

Before you begin:

You must have a valid FortiGuard DLP service license and have enabled the service on FortiADC. For details, see FortiGuard DLP service.

Predefined DLP Sensor objects

You can use the following predefined DLP Dictionary objects in Data Loss Prevention rules.

Predefined DLP Dictionary object	Match Type	Description
EICAR-TEST-FILE	Any	EICAR Test File for DLP
can-natl_id-pk	Any
can-natl_id-sin-dict	Any	Canadian SIN Card Number Dictionary
glb-pass-pk	Any
can-pass-dict	Any	Canadian Passport Dictionary
usa-pass-dict	Any	USA Passport Dictionary
uk-pass-dict	Any	UK Passport Dictionary
aus-pass-dict	Any	Australia Passport Dictionary
fra-pass-dict	Any	France Passport Dictionary
jpn-pass-dict	Any	Japan Passport Dictionary
can-health_service-pk	Any
can-phin-pk	Any
can-phin-dict	Any	Canadian Personal Health Identification Number Dictionary
can-health_service-dict	Any	Canadian Health Service Dictionary
glb-cc-pk	Any
glb-cc-dict	Any	Global Credit Card Dictionary
usa-natl_id-pk	Any
glb-dl-pk	Any
can-dl-dict	Any	Canadian Driver's License Dictionary
can-bank_account-pk	Any
can-bank_account-dict	Any	Canadian Bank Account Dictionary
usa-natl_id-ssn-dict	Any	USA SSN Card Number Dictionary
glb-swift-pk	Any
source_code-python	Any	Python Source Code Dictionary
source_code-c	Any	C Source Code Dictionary
source_code-java	Any	Java Source Code Dictionary

To configure a DLP Dictionary object:

Go to Web Application Firewall > Data Loss Prevention.
Click the DLP Dictionary tab.
Click Create New to display the configuration editor.

Configure the following DLP Dictionary settings:

Setting	Description
Name	Specify a name for the DLP Dictionary object. Valid characters are `A`-`Z`, `a`-`z`, `0`-`9`, `_`, and `-`. No spaces. The configuration name cannot be edited once it has been saved.
Match Type	Select the match type: Any — Data meeting the criteria specified by any one of the dictionary entries will be identified as a match. All — Data meeting the criteria specified by all dictionary entries will be identified as a match. The default is Any.
Description	Comments about this DLP Dictionary object.

Setting

Description

Name Specify a name for the DLP Dictionary object.
Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The configuration name cannot be edited once it has been saved.

Match Type

Select the match type:

Any — Data meeting the criteria specified by any one of the dictionary entries will be identified as a match.
All — Data meeting the criteria specified by all dictionary entries will be identified as a match.

The default is Any.

Description Comments about this DLP Dictionary object.

Click Save.
After the DLP Dictionary configuration is saved, the FortiGuard Data Types section becomes available to configure.
Under the FortiGuard Data Types section, click Create New to display the configuration editor.

Configure the following FortiGuard Data Types settings for the DLP Dictionary:

Setting	Description
Status	Enable the Status if you intend to apply this data type.
FortiGuard Data Type	Select a FortiGuard Data Type from the drop-down menu.
Repeat	Enable this option if you want to match data exclusively when it appears multiple times. With this option enabled, you can specify the times of occurrence in the DLP Sensor settings.

Setting

Description

Status

Enable the Status if you intend to apply this data type.

FortiGuard Data Type

Select a FortiGuard Data Type from the drop-down menu.

Repeat

Enable this option if you want to match data exclusively when it appears multiple times.

With this option enabled, you can specify the times of occurrence in the DLP Sensor settings.

Click Save.
Once the FortiGuard Data Types configuration is saved, the editor dialog closes.
Click Save to update the DLP Sensor configuration.
Once the DLP Dictionary is saved, you can reference it in a DLP Sensor.