GUI support for exact data match (EDM) for data loss prevention 7.4.4
This information is also available in the FortiOS 7.4 Administration Guide.
FortiOS GUI now supports exact data match (EDM) for data loss prevention (DLP).
Example
In this example, an EDM template (named Customer SSN EDM) is created for a data threat feed file in CSV format (customer_data.csv) located on an external server. The data threat feed file contains data (or patterns) that can be used with the following FortiGate DLP data types:
- credit-card
- edm-keyword
- mip-label
- ssn-us
You use the EDM template to identify the data threat feed file and to identify which column index contains data (or patterns) for the specific DLP data types that you want to match. In this example, the EDM template specifies:
- Column index 1 in the external data threat feed file contains patterns for the g-ssn-us data type.
- Column indexes 3 and 9 contain patterns for the g-edm-keyword data type.
- The patterns from column index 1 must match for FortiGate to take an action.
- The pattern from either column index 3 or 9 must match for FortiGate to take an action.
The patterns in the data file must be valid. If the patterns are invalid, FortiGate cannot use them, and no warning is displayed.
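As an added example (not code from the Fortinet page), the following Python script reproduces the template's "all of / any of" column logic over a constructed stand-in for customer_data.csv and pre-screens column 1 for structurally invalid ssn-us patterns, since FortiGate silently drops invalid patterns. The SSN format rules are an assumption for pre-flight checking only; FortiGate's own validator is not documented on this page.

```python
import csv
import io
import re

# Constructed stand-in for customer_data.csv (not the page's real file): column 1
# holds an SSN, columns 3 and 9 hold keywords, as in the "Customer SSN EDM" template.
SAMPLE_CSV = """123-45-6789,Alice,ACME-7781,x,x,x,x,x,PROJECT-BLUE
666-12-3456,Bob,BADROW,x,x,x,x,x,NOPE
456-78-9012,Carol,ORDER-5521,x,x,x,x,x,TICKET-9
"""

# Assumed structural rules for a valid US SSN (area not 000/666/9xx, group not 00,
# serial not 0000). FortiGate's own validator is undocumented here; pre-flight only.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")

# Template semantics from the page: every "all of" column must match, and at least
# ANY_MIN of the "any of" columns must match. Column indexes are 1-based.
ALL_OF = [1]
ANY_OF = [3, 9]
ANY_MIN = 1

def load_records(text):
    """Parse the CSV; return (usable records, column-1 values that fail validation)."""
    good, bad = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if SSN_RE.match(row[0]):
            good.append(row)
        else:
            bad.append(row[0])   # FortiGate would ignore this row without warning
    return good, bad

def _present(record, index, message):
    """True if the pattern at the 1-based column index exists and appears in message."""
    value = record[index - 1] if index <= len(record) else ""
    return bool(value) and value in message

def record_matches(record, message):
    """Apply the EDM template to a single CSV record."""
    if not all(_present(record, i, message) for i in ALL_OF):
        return False
    return sum(_present(record, i, message) for i in ANY_OF) >= ANY_MIN

def edm_match(text, message):
    """Return (matched, invalid_column1_values) for a feed file and a message body."""
    records, bad = load_records(text)
    return any(record_matches(r, message) for r in records), bad
```

Run the validator against the real feed before publishing it; a non-empty second return value means rows that FortiGate will never match.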
To configure EDM for DLP in the GUI:
- Ensure that Data Loss Prevention is enabled.
  - Go to System > Feature Visibility.
  - Under Security Features, enable Data Loss Prevention, and click Apply.
- Create an EDM template with matching criteria:
  - Go to Security Profiles > Data Loss Prevention > EDM Templates, and click Create New.
  - Specify a name for the template, such as Customer SSN EDM.
  - Set Resource type to External feed, and set External feed URL to the location of the file on the external server. Alternately, you can upload a file to FortiGate.
  - Click +All of these fields to pair the column index of patterns with a DLP data type. All of the specified data in this section must match for FortiGate to take an action. In this example, column 1 in the external resource file contains the patterns for the g-ssn-us data type.
  - Click +Any of these fields to pair the column index of patterns with a DLP data type, and to specify how many of these pairs must match for FortiGate to take an action. In this example, columns 3 and 9 in the external resource file contain the patterns for the g-edm-keyword data type. Only one pattern from the two columns must match.
  - Click OK.
- Configure a DLP sensor for the EDM template.
  - In Security Profiles > Data Loss Prevention, click Sensors > Create New.
  - Specify a name for the DLP sensor.
  - Click Create New. The New Entry pane is displayed.
  - From the Sensor entry list, select the EDM template, and click OK. The New DLP Sensor pane is displayed.
  - Click OK.
- Create a DLP profile and select the DLP sensor for the EDM template.
  - In Security Profiles > Data Loss Prevention, click Profiles > Create New.
  - Specify a name for the DLP profile.
  - Click Create New. The New Rule pane is displayed.
  - Specify a name for the rule.
  - Set Data source type to Sensor, and select the DLP sensor that uses the EDM template.
  - Set Action.
  - Set Match type to File, and set File type to builtin-patterns.
  - Select one or more protocols.
  - Click OK. The New DLP Profile pane is displayed.
  - Click OK to save the profile.
To configure EDM for DLP in the CLI:
- Add the URL for the data threat feed file to FortiGate. In this example, an external resource named customer data EDM is created, and it defines the location of the data threat feed file in CSV format on an external server.
    config system external-resource
        edit "customer data EDM"
            set uuid 3cadb9be-f639-51ee-df8d-ea94d069c9cf
            set type data
            set resource "http://172.16.200.175/customer_data.csv"
        next
    end
- Configure the EDM template. In this example, an exact data-match template named Customer SSN EDM is created for the external resource named customer data EDM. The matching record must contain the pattern for the data type from column index 1 (g-ssn-us) and at least one pattern for the data type from column index 3 (g-edm-keyword) or 9 (g-edm-keyword).
    config dlp exact-data-match
        edit "Customer SSN EDM"
            set optional 1
            set data "customer data EDM"
            config columns
                edit 1
                    set type "g-ssn-us"
                next
                edit 3
                    set type "g-edm-keyword"
                    set optional enable
                next
                edit 9
                    set type "g-edm-keyword"
                    set optional enable
                next
            end
        next
    end
- Add the EDM template to a DLP sensor.
    config dlp sensor
        edit <name>
            config entries
                edit <id>
                    set dictionary "Customer SSN EDM"
                next
            end
        next
    end
- Configure a DLP profile to use the DLP sensor.
    config dlp profile
        edit <name>
            set feature-set {flow | proxy}
            config rule
                edit <id>
                    set proto <protocol> <protocol> ...
                    set sensor "Customer SSN EDM"
                    set action {allow | log-only | block | quarantine-ip}
                next
            end
        next
    end
To verify:
- A user attempts to post a sensitive message through HTTPS to dlptest.com, and the message content matches the EDM template.
- FortiGate blocks the user's attempt and displays a replacement message.
- FortiGate generates a DLP log:
    1: date=2024-04-04 time=22:26:22 eventtime=1712294782390021786 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" ruleid=2 rulename="Customer SSN Protection" dlpextra="Sensor 'Customer SSN Sensor' matching any: ('Customer SSN EDM'=2) >= 1; match." filtertype="sensor" filtercat="message" severity="critical" policyid=1 poluuid="0c618860-dd90-51ee-fb75-d3ac9e3273ca" policytype="policy" sessionid=42841 epoch=1737800403 eventid=1 srcip=10.1.100.241 srcport=53618 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="c6298bd6-dd8f-51ee-3ff9-a2db2178027a" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="c6298bd6-dd8f-51ee-3ff9-a2db2178027a" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/https-post/" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0" httpmethod="POST" referralurl="https://dlptest.com/https-post/" profile="Customer Data Protection"
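As an added example (not from the Fortinet page), this Python snippet parses a FortiOS key=value DLP log line like the one above, pulls the per-template match counts out of the dlpextra field, and reduces the event to the fields a SOC would alert on. The sample log is a constructed, shortened copy of the page's event; the field names are those FortiOS emits above.

```python
import re

# Constructed DLP log line in the same format as the one on the page
# (field list shortened; values copied from the page's example event).
SAMPLE_LOG = (
    'date=2024-04-04 time=22:26:22 type="utm" subtype="dlp" eventtype="dlp" '
    'level="warning" vd="vdom1" ruleid=2 rulename="Customer SSN Protection" '
    'dlpextra="Sensor \'Customer SSN Sensor\' matching any: '
    '(\'Customer SSN EDM\'=2) >= 1; match." '
    'filtertype="sensor" severity="critical" srcip=10.1.100.241 dstip=35.209.95.242 '
    'dstport=443 service="HTTPS" direction="outgoing" action="block" '
    'hostname="dlptest.com" httpmethod="POST" profile="Customer Data Protection"'
)

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# ('<template name>'=<count>) fragments inside dlpextra.
DLPEXTRA_RE = re.compile(r"\('([^']+)'=(\d+)\)")

def parse_fortios_log(line):
    """Split a FortiOS key=value log line into a dict, stripping value quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}

def edm_hits(dlpextra):
    """Map each EDM template named in dlpextra to its reported match count."""
    return {name: int(count) for name, count in DLPEXTRA_RE.findall(dlpextra)}

def triage(line):
    """Return an alert summary for a DLP event, or None for other log types."""
    rec = parse_fortios_log(line)
    if rec.get("subtype") != "dlp":
        return None
    return {
        "action": rec.get("action"),
        "srcip": rec.get("srcip"),
        "hostname": rec.get("hostname"),
        "rule": rec.get("rulename"),
        "edm": edm_hits(rec.get("dlpextra", "")),
        "blocked": rec.get("action") == "block",
    }
```

An "edm" count above the template's configured minimum with action=block is the expected outcome for this example; the same parser flags log-only events where the profile was left in monitoring mode.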