Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.4.4
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiProxy 7.4.4 Administration Guide
    7.4.4
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    Configure EDM for data loss prevention NEW

    Configure EDM for data loss prevention NEW

    In this example, an exact data match (EDM) template named Customer SSN EDM is created for a data threat feed file in a CSV file (testEDM.csv) located on an external server. The data threat feed file contains data for use with the following pre-defined DLP data types:

    • credit-card

    • edm-keyword

    • mip-label

    • ssn-us

    The EDM template is used to identify the URL location of the data threat feed file and what column index in the file contains data (or patterns) for the specific DLP data types that you want to match. In this example, the EDM template specifies:

    • Column index 1 in the external data threat feed file contains patterns for the g-ssn-us data type.

    • Column index 3 and 9 contain patterns for the g-edm-keyword data type.

    • The patterns from column index 1 must match for FortiProxy to take an action.

    • The pattern from either column index 3 or 9 must match for FortiProxy to take an action.

    The patterns in the data file must be valid. If the patterns are invalid, FortiProxy cannot use them, and no warning is displayed.
    To configure EDM for DLP in the GUI:

    1. Ensure that Data Loss Prevention is enabled.

      1. Go to System > Feature Visibility.

      2. Under Security Features, enable Data Loss Prevention, and click Apply.

    2. Create an EDM template with matching criteria:

      1. Go to Security Profiles > Data Loss Prevention > EDM Templates, and click Create New.

      2. Specify a name for the template, such as Customer SSN EDM.

      3. Set Resource type to External feed, and set External feed URL to the location of the file on the external server.

      4. Click +All of these fields to pair the column index of patterns with a DLP data type. All of the specified data in this section must match for FortiProxy to take an action.

        In this example, column 1 in the external resource file contains the patterns for the g-ssn-us data type.

      5. Click +Any of these fields to pair the column index of patterns with a DLP data type, and to specify how many of these pairs must match for FortiProxy to take an action.

        In this example, columns 3 and 9 in the external resource file contains the patterns for the g-edm-keyword data type. Only one pattern from the two columns must match.

      6. Click OK.

    3. Configure a DLP sensor for the EDM template.

      1. In Security Profiles > Data Loss Prevention, click Sensors > Create New.

      2. Specify a name for the DLP sensor.

      3. Click Create New. The New Entry pane is displayed.

      4. From the Sensor entry list, select the EDM template, and click OK.

        The New DLP Sensor pane is displayed

      5. Click OK.
    4. Create a DLP profile and select the DLP sensor for the EDM template.

      1. In Security Profiles > Data Loss Prevention, click Profiles > Create New.

      2. Specify a name for the DLP profile.

      3. Click Create New. The New Rule pane is displayed.

      4. Specify a name for the rule.

      5. Set Data source type to Sensor, and select the DLP sensor that uses the EDM template.

      6. Set Action.

      7. Set Match type to File, and set File type to builtin-patterns.

      8. Select one or more protocols.

      9. Click OK. The New DLP Profile pane is displayed.
      10. Click OK to save the profile.
    To configure EDM for DLP in the CLI:

    1. Add the URL for the data threat feed file to FortiProxy.

      In this example, an external resource named customer data EDM is created, and it defines the location of the data threat feed file in CSV format on an external server. 

      config system external-resource
    edit "customer data EDM"
        set uuid 3cadb9be-f639-51ee-df8d-ea94d069c9cf
        set type data
        set resource "https://172.18.20.226/files/testEDM.csv"
        end
    next
end

    2. Configure the EDM template.

      In this example, an exact data-match template named Customer SSN EDM is created for the external resource named customer data EDM. The matching record must contain the pattern for the data type from column index 1 (g-ssn-us) and at least one pattern for the data type from column index 3 (g-edm-keyword) or 9 (g-edm-keyword).

      config dlp exact-data-match
    edit "Customer SSN EDM"
        set optional 1
        set data "customer data EDM"
        config columns
            edit 1
                set type "g-ssn-us"
            next
            edit 3
                set type "g-edm-keyword"
                set optional enable
            next
            edit 9
                set type "g-edm-keyword" 
                set optional enable 
            next
        end
    next
end

    3. Add the EDM template to a DLP sensor.

      config dlp sensor
    edit <name>        
        config entries
            edit <id>
                set dictionary Customer SSN EDM                
            next
        end
    next
end

    4. Configure a DLP profile to use the DLP sensor.

      config dlp profile
    edit <name>
        config rule
            edit <id>
                set name <name>
                set proto <protocol> <protocol> ...
                set filter-by sensor
                set sensor Customer SSN EDM
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
    To verify:

    1. A user attempts to post a sensitive message through HTTPS to dlptest.com, and the message content matches the EDM template.

    2. FortiProxy blocks the user's attempt and displays a replacement message:

    3. FortiProxy generates a DLP log:

      1: date=2024-05-01 time=16:29:50 eventtime=1714606189934871347 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 filtertype="sensor" filtercat="file" severity="medium" policyid=1 poluuid="2e09d668-0750-51ef-6133-8897d1a36d2d" policytype="policy" sessionid=926212558 epoch=224041789 eventid=0 srcip=10.1.2.203 srcport=55709 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="82127bdc-21d9-51ee-c7d4-aae693c18c05" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="unknown" direction="outgoing" action="block" hostname="dlptest.com" url="
https://dlptest.com/https-post/"
agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" httpmethod="POST" referralurl="
https://dlptest.com/https-post/"
filename="item_meta[6]" filesize=24 profile="edm"
    Previous
    Next

    Configure EDM for data loss prevention NEW

    Configure EDM for data loss prevention NEW

    In this example, an exact data match (EDM) template named Customer SSN EDM is created for a data threat feed file in a CSV file (testEDM.csv) located on an external server. The data threat feed file contains data for use with the following pre-defined DLP data types:

    • credit-card

    • edm-keyword

    • mip-label

    • ssn-us

    The EDM template is used to identify the URL location of the data threat feed file and what column index in the file contains data (or patterns) for the specific DLP data types that you want to match. In this example, the EDM template specifies:

    • Column index 1 in the external data threat feed file contains patterns for the g-ssn-us data type.

    • Column index 3 and 9 contain patterns for the g-edm-keyword data type.

    • The patterns from column index 1 must match for FortiProxy to take an action.

    • The pattern from either column index 3 or 9 must match for FortiProxy to take an action.

    The patterns in the data file must be valid. If the patterns are invalid, FortiProxy cannot use them, and no warning is displayed.
    To configure EDM for DLP in the GUI:

    1. Ensure that Data Loss Prevention is enabled.

      1. Go to System > Feature Visibility.

      2. Under Security Features, enable Data Loss Prevention, and click Apply.

    2. Create an EDM template with matching criteria:

      1. Go to Security Profiles > Data Loss Prevention > EDM Templates, and click Create New.

      2. Specify a name for the template, such as Customer SSN EDM.

      3. Set Resource type to External feed, and set External feed URL to the location of the file on the external server.

      4. Click +All of these fields to pair the column index of patterns with a DLP data type. All of the specified data in this section must match for FortiProxy to take an action.

        In this example, column 1 in the external resource file contains the patterns for the g-ssn-us data type.

      5. Click +Any of these fields to pair the column index of patterns with a DLP data type, and to specify how many of these pairs must match for FortiProxy to take an action.

        In this example, columns 3 and 9 in the external resource file contains the patterns for the g-edm-keyword data type. Only one pattern from the two columns must match.

      6. Click OK.

    3. Configure a DLP sensor for the EDM template.

      1. In Security Profiles > Data Loss Prevention, click Sensors > Create New.

      2. Specify a name for the DLP sensor.

      3. Click Create New. The New Entry pane is displayed.

      4. From the Sensor entry list, select the EDM template, and click OK.

        The New DLP Sensor pane is displayed

      5. Click OK.
    4. Create a DLP profile and select the DLP sensor for the EDM template.

      1. In Security Profiles > Data Loss Prevention, click Profiles > Create New.

      2. Specify a name for the DLP profile.

      3. Click Create New. The New Rule pane is displayed.

      4. Specify a name for the rule.

      5. Set Data source type to Sensor, and select the DLP sensor that uses the EDM template.

      6. Set Action.

      7. Set Match type to File, and set File type to builtin-patterns.

      8. Select one or more protocols.

      9. Click OK. The New DLP Profile pane is displayed.
      10. Click OK to save the profile.
    To configure EDM for DLP in the CLI:

    1. Add the URL for the data threat feed file to FortiProxy.

      In this example, an external resource named customer data EDM is created, and it defines the location of the data threat feed file in CSV format on an external server. 

      config system external-resource
    edit "customer data EDM"
        set uuid 3cadb9be-f639-51ee-df8d-ea94d069c9cf
        set type data
        set resource "https://172.18.20.226/files/testEDM.csv"
        end
    next
end

    2. Configure the EDM template.

      In this example, an exact data-match template named Customer SSN EDM is created for the external resource named customer data EDM. The matching record must contain the pattern for the data type from column index 1 (g-ssn-us) and at least one pattern for the data type from column index 3 (g-edm-keyword) or 9 (g-edm-keyword).

      config dlp exact-data-match
    edit "Customer SSN EDM"
        set optional 1
        set data "customer data EDM"
        config columns
            edit 1
                set type "g-ssn-us"
            next
            edit 3
                set type "g-edm-keyword"
                set optional enable
            next
            edit 9
                set type "g-edm-keyword" 
                set optional enable 
            next
        end
    next
end

    3. Add the EDM template to a DLP sensor.

      config dlp sensor
    edit <name>        
        config entries
            edit <id>
                set dictionary Customer SSN EDM                
            next
        end
    next
end

    4. Configure a DLP profile to use the DLP sensor.

      config dlp profile
    edit <name>
        config rule
            edit <id>
                set name <name>
                set proto <protocol> <protocol> ...
                set filter-by sensor
                set sensor Customer SSN EDM
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
    To verify:

    1. A user attempts to post a sensitive message through HTTPS to dlptest.com, and the message content matches the EDM template.

    2. FortiProxy blocks the user's attempt and displays a replacement message:

    3. FortiProxy generates a DLP log:

      1: date=2024-05-01 time=16:29:50 eventtime=1714606189934871347 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 filtertype="sensor" filtercat="file" severity="medium" policyid=1 poluuid="2e09d668-0750-51ef-6133-8897d1a36d2d" policytype="policy" sessionid=926212558 epoch=224041789 eventid=0 srcip=10.1.2.203 srcport=55709 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="82127bdc-21d9-51ee-c7d4-aae693c18c05" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="unknown" direction="outgoing" action="block" hostname="dlptest.com" url="
https://dlptest.com/https-post/"
agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" httpmethod="POST" referralurl="
https://dlptest.com/https-post/"
filename="item_meta[6]" filesize=24 profile="edm"
    Previous
    Next