Administration Guide

Block ChatGPT using keywords and FQDN

This configuration will block HTTPS upload traffic to the OpenAI server that includes a sensitive keyword. The pre-defined data type, keyword, is used in the Data Leak Prevention (DLP) dictionary.

Note

When utilizing commonly-used SSL-encrypted protocols such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Deep inspection for more information.

Additionally, the client machine must have the corresponding deep inspection Certificate Authority (CA) certificate installed.

Example

In this example, a user is conducting a search on ChatGPT through the Chrome browser on an office computer, using a sensitive keyword that has been configured in the DLP dictionary. The FortiGate intercepts this traffic using deep inspection and prevents the search, because the request contains sensitive keywords and matches the DLP profile that has been set up on this FortiGate.

When a sensitive keyword is included in HTTPS upload traffic, the request is blocked and a DLP log is generated. See Sample log for a log sample.

Sample topology

To block HTTPS upload traffic that includes sensitive keywords in the GUI:
  1. Configure the DLP dictionary:

    1. Go to Security Profiles > Data Leak Prevention, select the Dictionaries tab, and click Create New.

    2. Set Name to chatgpt.

    3. In the Dictionary Entries table click Create New:

      1. Set Type to keyword.

      2. Set Pattern to fortinet.

      3. Enable Case sensitive.

      4. Click OK.

    4. Repeat step 3 and set Pattern to source code.

    5. Click OK.

  2. Configure the DLP sensor:

    1. Go to Security Profiles > Data Leak Prevention, select the Sensors tab, and click Create New.

    2. Set Name to chatgpt.

    3. In the Sensor Entries section, click Create New.

    4. Set the Dictionary to chatgpt and click OK.

    5. Click OK.

  3. Configure the DLP profile:

    1. Go to Security Profiles > Data Leak Prevention, select the Profiles tab, and click Create New.

    2. Set Name to chatgpt.

    3. In the Rules section, click Create New.

    4. Configure the following settings:

      Name      chatgpt
      Sensors   chatgpt
      Severity  Critical
      Action    Block
      Type      Message
      Protocol  HTTP-POST
    5. Click OK.

    6. Click OK to save the profile.

  4. Configure the firewall address for OpenAI:

    1. Go to Policy & Objects > Addresses and click Create New.

    2. Fill out the fields with the following information:

      Name  chatgpt
      Type  FQDN
      FQDN  chat.openai.com
    3. Select OK.

  5. Add the DLP profile and the FQDN address to a firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set the Inspection Mode to Proxy-based.

    3. Set the Destination to chatgpt.

    4. In the Security Profiles section, enable DLP Profile and select chatgpt.

    5. Set SSL Inspection to deep-inspection.

    6. Configure the other settings as needed.

    7. Click OK.

To block HTTPS upload traffic that includes sensitive keywords in the CLI:
  1. Configure the DLP dictionary:

    config dlp dictionary
        edit "chatgpt"
            config entries
                edit 1
                    set type "keyword"
                    set pattern "source code"
                    set ignore-case enable
                next
                edit 2
                    set type "keyword"
                    set pattern "fortinet"
                    set ignore-case enable
                next
            end
        next
    end
  2. Configure the DLP sensor:

    config dlp sensor
        edit "chatgpt"
            config entries
                edit 1
                    set dictionary "chatgpt"
                next
            end
        next
    end
  3. Configure the DLP profile:

    config dlp profile
        edit "chatgpt"
            set feature-set proxy
            config rule
                edit 1
                    set name "chatgpt"
                    set severity critical
                    set type message
                    set proto http-post 
                    set filter-by sensor
                    set sensor "chatgpt"
                    set action block
                next
            end
        next
    end
  4. Configure the firewall address for OpenAI:

    config firewall address
        edit "chatgpt"
            set type fqdn
            set fqdn "chat.openai.com"
        next
    end
  5. Add the DLP profile and the FQDN address to a firewall policy:

    config firewall policy
        edit 1
            set name "chatgpt"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "chatgpt"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set dlp-profile "chatgpt"
            set nat enable
        next
    end
Verification:
  1. Visit https://chat.openai.com.

  2. Search for any phrase that includes keywords set up in the DLP dictionary.

  3. Verify that the request failed and an error was generated.

Sample log

An attempt was made to send an HTTP POST request containing sensitive keywords. The request failed, and the following sample log was generated.

1: date=2024-02-08 time=09:01:35 eventtime=1707339694791154478 tz="+1200" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="chatgpt" dlpextra="Sensor 'chatgpt' matching any: ('chatgpt'=1) >= 1; match." filtertype="sensor" filtercat="message" severity="critical" policyid=2 poluuid="5ab6e22a-c5f9-51ee-280f-1660c776d2a5" policytype="policy" sessionid=727210 epoch=813929908 eventid=1 srcip=13.13.13.13 srcport=56324 srccountry="United States" srcintf="port2" srcintfrole="undefined" srcuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" dstip=104.18.37.228 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="3881afe6-c5f9-51ee-d384-71da7790e153" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="chat.openai.com" url="https://chat.openai.com/backend-api/conversation" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://chat.openai.com/c/5c4aa8f6-cb0b-4ab6-81d9-855a7d2223a4" profile="chatgpt"
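The following is an added example, not part of the Fortinet guide: a Python parser for the key=value DLP log format shown above that keeps only blocked DLP events and counts them per source IP, rule, and destination host. The first log line is abridged from the sample log, the second is constructed for illustration, and the function names are this example's own.

```python
import re
from collections import Counter

# Sample DLP log from this page, abridged to the fields used below.
SAMPLE = (
    '1: date=2024-02-08 time=09:01:35 type="utm" subtype="dlp" level="warning" '
    'ruleid=1 rulename="chatgpt" '
    'dlpextra="Sensor \'chatgpt\' matching any: (\'chatgpt\'=1) >= 1; match." '
    'severity="critical" policyid=2 srcip=13.13.13.13 srcport=56324 '
    'dstip=104.18.37.228 dstport=443 service="HTTPS" action="block" '
    'hostname="chat.openai.com" '
    'url="https://chat.openai.com/backend-api/conversation" '
    'httpmethod="POST" profile="chatgpt"'
)
# Constructed line (not from the page): a non-DLP event that must be ignored.
OTHER = ('2: date=2024-02-08 time=09:02:10 type="utm" subtype="webfilter" '
         'srcip=13.13.13.13 action="passthrough" hostname="example.com"')

# A field is key=value; the value is a double-quoted string or a bare token.
# Matching the quoted form first keeps '=' signs inside dlpextra from splitting.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return a dict of the key=value fields in one FortiGate log line."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        # findall yields "" for the alternative that did not match.
        fields[key] = quoted if bare == "" else bare
    return fields

def blocked_dlp_events(lines):
    """Keep only DLP events whose action is 'block'."""
    events = []
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") == "dlp" and f.get("action") == "block":
            events.append(f)
    return events

def summarize(events):
    """Count blocked uploads per (source IP, DLP rule, destination host)."""
    return Counter((e.get("srcip"), e.get("rulename"), e.get("hostname")) for e in events)

if __name__ == "__main__":
    for (src, rule, host), n in summarize(blocked_dlp_events([SAMPLE, OTHER])).items():
        print(f"{src} rule={rule} host={host} blocked={n}")
```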
