
Administration Guide

Advanced DLP configurations

The following topic provides information on advanced DLP configurations.

Built-in DLP data type

The built-in DLP data type includes pre-defined data types that match keywords, regular expressions, hex strings, MIP labels, credit card numbers, and US social security numbers (SSN). See Predefined data patterns for more information. The built-in regex data type employs DCM to detect patterns. See Described Content Matching (DCM) for more information.

config dlp data-type
    edit "keyword"
        set pattern "built-in"
    next
    edit "regex"
        set pattern "built-in"
    next
    edit "hex"
        set pattern "built-in"
    next
    edit "mip-label"
        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
        set transform "built-in"
    next
    edit "credit-card"
        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
        set verify "built-in"
        set look-back 20
        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
    next
    edit "ssn-us"
        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
        set look-back 12
        set transform "\\b\\1-\\2-\\3\\b"
    next
end

Custom DLP data type

Custom data types can be added. See Custom data classification tags (data pattern) for more information.

A custom DLP data type allows both a proximity keyword check and a data validation check within the same data type. A data type supports two verification checks (verify and verify2) and one proximity match check (match-around) at the same time, which significantly lowers the rate of false positives and so improves the precision and reliability of the search.

To configure a custom DLP data type used by DLP scans:
config dlp data-type
    edit <name>
        set verify <string>
        set verify2 <string>
        set look-ahead <integer>
        set look-back <integer>
        set match-around <string>
        set match-ahead <integer>
        set match-back <integer>
        set pattern <string>
    next
end

<name>

The name of the table containing the data type.

pattern <string>

Specify the regular expression pattern string, without look-around.

verify <string>

Specify the regular expression pattern string used to verify the data type.

verify2 <string>

Specify the extra regular expression pattern string used to verify the data type.

look-ahead <integer>

Specify the number of characters after the match to obtain in advance for verification (1 - 255, default = 1).

look-back <integer>

Specify the number of characters before the match to retain for verification (1 - 255, default = 1).

match-around <string>

The dictionary to check for a match around the pattern match (only match-any and basic dictionary types are supported; repeat is not supported).

match-back <integer>

Specify the number of characters before the match to include in the match-around check (1 - 4096, default = 1).

match-ahead <integer>

Specify the number of characters after the match to include in the match-around check (1 - 4096, default = 1).

Note

The set pattern command can be used to define a regular expression for use with Hyperscan. However, Hyperscan does not fully support Perl Compatible Regular Expressions (PCRE), such as look-ahead and look-behind. To use advanced features supported by PCRE, you can use the set verify or set verify2 commands.

Note

To use "?" in a regex pattern, see CLI basics. This method only supports direct console connection and SSH. It does not support the CLI console in the GUI.

See Proximity search for a sample configuration.
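The two-stage model above (a look-around-free pattern finds candidates, then verify/verify2 run over a look-back/look-ahead window, then match-around checks for dictionary keywords nearby) can be shown end to end with the built-in ssn-us and credit-card regexes from the previous section. The following is an added example written for this page, not FortiOS code: the scan loop, the DataType class, the keyword dictionary used for match-around and the sample text are all constructed here. Two assumptions are labelled in the code: the credit-card "built-in" verify is modelled as a Luhn mod-10 check, and the transform setting is not modelled at all.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# A verifier sees the candidate and its window (look-back chars + candidate + look-ahead chars).
Verifier = Callable[[str, str], bool]


def regex_verify(pcre: str) -> Verifier:
    """verify/verify2 given as a regex (look-around allowed): it must match inside the window."""
    rx = re.compile(pcre)
    return lambda candidate, window: rx.search(window) is not None


def luhn_verify(candidate: str, window: str) -> bool:
    """Mod-10 check on the candidate's digits; ASSUMED stand-in for the credit-card 'built-in' verify."""
    total = 0
    for i, ch in enumerate(reversed([c for c in candidate if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class DataType:
    name: str
    pattern: str                      # first-stage regex: no look-around (Hyperscan-safe)
    verify: Optional[Verifier] = None
    verify2: Optional[Verifier] = None
    look_back: int = 1
    look_ahead: int = 1
    match_around: tuple = ()          # lower-cased proximity keywords (hypothetical match-any dictionary)
    match_back: int = 1
    match_ahead: int = 1

    def scan(self, text: str) -> list:
        """Return the candidates that pass the pattern, both verifiers and the proximity check."""
        hits = []
        for m in re.finditer(self.pattern, text):
            cand = m.group(0)
            window = text[max(0, m.start() - self.look_back): m.end() + self.look_ahead]
            if self.verify and not self.verify(cand, window):
                continue
            if self.verify2 and not self.verify2(cand, window):
                continue
            if self.match_around:
                around = text[max(0, m.start() - self.match_back): m.end() + self.match_ahead].lower()
                if not any(k in around for k in self.match_around):
                    continue
            hits.append(cand)
        return hits


# The page's built-in regexes, with the CLI's doubled backslashes collapsed to single ones.
SSN_PATTERN = r"\b(\d{3})-(\d{2})-(\d{4})\b"
SSN_VERIFY = r"(?<!-)\b(?!666|000|9\d{2})\d{3}-(?!00)\d{2}-(?!0{4})\d{4}\b(?!-)"
CC_PATTERN = r"\b([2-6]{1}\d{3})[- ]?(\d{4})[- ]?(\d{2})[- ]?(\d{2})[- ]?(\d{2,4})\b"

ssn_us = DataType("ssn-us", SSN_PATTERN, verify=regex_verify(SSN_VERIFY), look_back=12)
credit_card = DataType("credit-card", CC_PATTERN, verify=luhn_verify, look_back=20)
# Custom type: same pattern and verify, plus a keyword required within match-back/match-ahead.
ssn_in_context = DataType("ssn-us-context", SSN_PATTERN, verify=regex_verify(SSN_VERIFY),
                          look_back=12, match_around=("ssn", "social security"),
                          match_back=12, match_ahead=24)

SAMPLE = (  # constructed test text
    "Employee SSN: 123-45-6789 on file.\n"
    "Invalid area 000-12-3456 should be dropped.\n"
    "Part number 555-123-45-6789 is a part code.\n"
    "Order ref 321-54-9876 with no context.\n"
    "Number 234-56-7890 is a social security number.\n"
    "Card 4111 1111 1111 1111 ok, card 4111 1111 1111 1112 fails Luhn.\n"
)

if __name__ == "__main__":
    for dt in (ssn_us, ssn_in_context, credit_card):
        print(f"{dt.name:16s} -> {dt.scan(SAMPLE)}")
```

Running the block shows why each stage exists: the pattern alone would report 000-12-3456 and the SSN-shaped tail of the part number, the verify stage (which needs look-behind, hence PCRE rather than Hyperscan) drops both, and the proximity check on the custom type additionally drops the order reference that has no SSN wording within the configured distance.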

DLP file pattern

A DLP file pattern can block, allow, log, or quarantine a file based on the specified file type in the file filter list (see Supported file types). It employs True file type filtering to identify a file. See True file type filtering for more information.

To configure a DLP file pattern:
config dlp filepattern
    edit <id>
        set name <name>
        config entries
            edit <name>
                set filter-type {type | pattern}
                set file-type <file_type>
            next
        end
    next
end
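To make the difference between the two filter types concrete, here is an added example (not FortiOS code) of a file pattern table evaluated in Python: filter-type "type" identifies the file by its leading bytes, so a renamed executable is still caught, while filter-type "pattern" matches the file name. The magic-byte table, the sample files and the field name "pattern" used for name entries are all constructed assumptions.

```python
import fnmatch

# Leading-byte signatures for a few common formats (constructed table, not FortiOS's database).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),            # also the container for docx/xlsx/pptx/jar
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),
]


def true_file_type(data: bytes) -> str:
    """Identify the file by its content; the name and extension are ignored entirely."""
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"


def matches_filepattern(entries, filename: str, data: bytes) -> bool:
    """Return True if any entry in the file pattern table matches.

    Entries mimic 'config entries': filter-type 'type' compares the true file type,
    filter-type 'pattern' globs the file name (hypothetical field name 'pattern')."""
    ftype = true_file_type(data)
    for e in entries:
        if e["filter-type"] == "type" and e["file-type"] == ftype:
            return True
        if e["filter-type"] == "pattern" and fnmatch.fnmatch(filename.lower(), e["pattern"].lower()):
            return True
    return False


# Constructed file pattern: executables by true type, batch files by name.
BLOCK_EXECUTABLES = [
    {"filter-type": "type", "file-type": "exe"},
    {"filter-type": "type", "file-type": "elf"},
    {"filter-type": "pattern", "pattern": "*.bat"},
]

# Constructed samples: a PE header renamed to .txt, a real-looking PDF, a batch file.
RENAMED_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
BATCH = b"@echo off\r\n"

if __name__ == "__main__":
    for name, data in [("report.txt", RENAMED_PE), ("invoice.pdf", REAL_PDF), ("setup.bat", BATCH)]:
        action = "block" if matches_filepattern(BLOCK_EXECUTABLES, name, data) else "allow"
        print(f"{name:12s} true type={true_file_type(data):8s} -> {action}")
```

The report.txt case is the one that matters for DLP: a name-based rule would allow it, a true-type rule blocks it because the content starts with a PE header.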

Evaluation by logical relationship

Evaluation by logical relationship combines multiple dictionary entries in a logical expression, so that a DLP sensor can be defined far more precisely than with a single dictionary.

Syntax examples:

  1. set eval "dict(1) == 2"

    The DLP sensor matches only when the match count of dictionary one is two.

  2. set eval "(dict(1) + dict(2)) == 3"

    The DLP sensor matches only when the combined match count of dictionary one and dictionary two is three.

  3. set eval "(dict(1) == 2) && (dict(2) == 1)"

    The DLP sensor matches only when the match count of dictionary one is two and the match count of dictionary two is one.

  4. set eval "(dict(1) == 2) || (dict(2) == 1)"

    The DLP sensor matches only when the match count of dictionary one is two or the match count of dictionary two is one.

  5. set eval "dict(1) > dict(2)"

    The DLP sensor matches only when the match count of dictionary one is greater than the match count of dictionary two.

See Block HTTPS upload traffic that includes Visa or Mastercard information using evaluation through logical expression.
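The five syntax forms above can be exercised against real match counts with a small evaluator. The following is an added example written for this page, not FortiOS code: it counts matches per dictionary with plain regexes, translates the eval string (dict(n), &&, ||, +, comparisons) into a Python expression, and refuses anything outside that grammar before evaluating it, so that the expression string can never execute arbitrary code. The two sample dictionaries and the sample text are constructed.

```python
import ast
import re

_DICT_REF = re.compile(r"dict\((\d+)\)")

# AST node types an eval expression may contain: and/or, comparisons, +, integer literals, dict(n).
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Eq, ast.NotEq,
            ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.BinOp, ast.Add, ast.Constant,
            ast.Call, ast.Name, ast.Load)


def evaluate(expr: str, counts: dict) -> bool:
    """Evaluate a 'set eval' expression against {dictionary_id: match_count}.

    Unknown dictionary ids count as 0. Anything outside the documented syntax raises ValueError."""
    py = expr.replace("&&", " and ").replace("||", " or ")
    py = _DICT_REF.sub(lambda m: f"__d({m.group(1)})", py)
    tree = ast.parse(py, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"unsupported syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id != "__d":
            raise ValueError(f"unknown identifier: {node.id}")
        if isinstance(node, ast.Constant) and not isinstance(node.value, int):
            raise ValueError("only integer literals are allowed")
        if isinstance(node, ast.Call) and not (
            isinstance(node.func, ast.Name) and node.func.id == "__d"
            and len(node.args) == 1 and not node.keywords
        ):
            raise ValueError("only dict(<n>) calls are allowed")
    code = compile(tree, "<eval>", "eval")
    return bool(eval(code, {"__builtins__": {}}, {"__d": lambda n: counts.get(n, 0)}))


def dictionary_counts(text: str, dictionaries: dict) -> dict:
    """Count regex matches per dictionary id; these are the values dict(n) refers to."""
    return {i: len(re.findall(rx, text)) for i, rx in dictionaries.items()}


# Constructed dictionaries (id -> regex) and sample text.
DICTIONARIES = {1: r"(?i)\bconfidential\b", 2: r"(?i)\binternal only\b"}
SAMPLE = "CONFIDENTIAL: internal only draft. Confidential copy, do not forward."

if __name__ == "__main__":
    counts = dictionary_counts(SAMPLE, DICTIONARIES)
    print("counts:", counts)
    for e in ['dict(1) == 2', '(dict(1) + dict(2)) == 3', '(dict(1) == 2) && (dict(2) == 1)',
              '(dict(1) == 2) || (dict(2) == 1)', 'dict(1) > dict(2)']:
        print(f"{e:36s} -> {evaluate(e, counts)}")
```

The allow-list walk is the important part of the design: translating "&&" and "||" and then handing the string to eval would otherwise turn a sensor definition into an arbitrary-code sink, so every node is checked against the documented grammar first.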
