
Administration Guide

Proximity search

In this example, HTTPS upload traffic that contains both a keyword and a username within a specified proximity of each other is identified. The FortiProxy intercepts the traffic through deep inspection. When an HTTPS upload contains a keyword and a username that together match the criteria defined in the data loss prevention (DLP) profile configured on the FortiProxy, the traffic is blocked and a DLP log is generated. See Verification for a log sample.

To block HTTPS upload traffic that matches the DLP profile in the GUI:
  1. Configure the matcharound DLP dictionary:

    1. Go to Security Profiles > Data Loss Prevention and select the Dictionaries tab.

    2. Select Create New.

    3. Set Name to matcharound.

    4. In the Dictionary Entries table, click Create New:

      1. Set Type to keyword.

      2. Set Pattern to user.

      3. Enable Case sensitive.

      4. Click OK.

    5. Click OK.

    6. Select the newly created dictionary and click Edit.

    7. Select Edit in CLI and enter the following commands at the CLI prompt:
      set match-around enable
      end

    8. Close the CLI Console and click Cancel.

      Note

      DLP data types can only be configured in the CLI. See step 2 of To block HTTPS upload traffic that matches the DLP profile in the CLI.

  2. Configure the username DLP dictionary:

    1. Go to Security Profiles > Data Loss Prevention and select the Dictionaries tab.

    2. Click Create New.

    3. Set Name to username.

    4. In the Dictionary Entries table, click Create New:

      1. Set Type to user.

      2. Click OK.

    5. Click OK.

  3. Configure the DLP sensor:

    1. Go to Security Profiles > Data Loss Prevention and select the Sensors tab.

    2. Click Create New.

    3. Enter a name (user).

    4. In the Sensor Entries section, click Create New.

    5. Set the sensor entry to username and click OK.

    6. Click OK to save the sensor.

  4. Configure the DLP profile:

    1. Go to Security Profiles > Data Loss Prevention and select the Profiles tab.

    2. Click Create New.

    3. Enter a name (keyword).

    4. In the Rules section, click Create New.

    5. Configure the following settings:

      Name: keyword
      Data source type: Sensor
      Sensors: user
      Severity: Critical
      Action: Block
      Match Type: Message
      Protocol: HTTP-POST

    6. Click OK.

    7. Click OK to save the profile.

  5. Add the DLP profile to a policy:

    1. Go to Policy & Objects > Policy and click Create New.

    2. In the Security Profiles section, enable DLP Profile and select keyword.

    3. Set SSL/SSH Inspection to deep-inspection to inspect HTTPS traffic.

    4. Configure the other settings, as needed.

    5. Click OK.

To block HTTPS upload traffic that matches the DLP profile in the CLI:
  1. Configure the matcharound DLP dictionary:

    config dlp dictionary
    	edit "matcharound"
    		set match-around enable
    		config entries
    			edit 1
    				set type "keyword"
    				set pattern "user"
    				set ignore-case enable
    			next
    		end
    	next
    end
  2. Configure the DLP data type:

    config dlp data-type
    	edit "user"
    		set pattern "\\b[a-zA-Z]{6,12}\\b"
    		set verify "(?<=@)\\w+"
    		set match-around "matcharound"
    		set look-back 13
    		set match-back 15
    	next
    end
    Note

    The pattern specified with the set pattern command matches any word of 6 to 12 letters, in either case. The pattern specified with the set verify command uses a positive lookbehind assertion, which checks that the @ symbol immediately precedes the word without including the @ in the match. Lookbehind assertions are supported in PCRE but not in Hyperscan, which is why the assertion is placed in the verify pattern rather than in the main pattern. For a match to occur, the content must satisfy all parameters defined in the DLP data type.

  3. Configure the username DLP dictionary:

    config dlp dictionary
    	edit "username"
    		config entries
    			edit 1
    				set type "user"
    			next
    		end
    	next
    end
  4. Configure the DLP sensor:

    config dlp sensor
    	edit "user"
    		config entries
    			edit 1
    				set dictionary "username"
    			next
    		end
    	next
    end
  5. Configure the DLP profile:

    config dlp profile
    	edit "keyword"
    		config rule
    			edit 1
    				set name "keyword"
    				set severity critical
    				set type message
    				set proto http-post
    				set filter-by sensor
    				set sensor "user"
    				set action block
    			next
    		end
    	next
    end
  6. Add the DLP profile to a policy:

    config firewall policy
    	edit 1
    		set name "keyword"
    		set srcintf "port2"
    		set dstintf "port1"
    		set action accept
    		set srcaddr "all"
    		set dstaddr "all"
    		set schedule "always"
    		set service "ALL"
    		set utm-status enable
    		set ssl-ssh-profile "deep-inspection"
    		set dlp-profile "keyword"
    		set logtraffic all
    		set nat enable
    	next
    end
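To make the data type options above concrete, the following is an added Python model of how the matcharound dictionary, the user data type and the sensor combine on one message; it is not FortiProxy code and is not from the original guide. It assumes the option meanings noted in the comments (look-back is the number of characters kept in front of the candidate for the verify regex, match-back the number of characters in front of the candidate searched for a dictionary keyword), and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Assumed semantics (not stated on this page): look-back = characters kept in
# front of the candidate so that 'verify' can see them; match-back = characters
# in front of the candidate searched for a match-around dictionary keyword.
@dataclass
class DlpDataType:
    pattern: str              # main regex (Hyperscan-compatible, no look-around)
    verify: str               # PCRE-style regex, may use look-around
    match_around: tuple       # keyword entries of the match-around dictionary
    look_back: int
    match_back: int
    ignore_case: bool = True  # the dictionary entry has 'set ignore-case enable'

    def find(self, text):
        """Return every candidate that passes both verify and match-around."""
        hits = []
        for m in re.finditer(self.pattern, text):
            start, end = m.span()
            # 1) verify: re-check the candidate plus up to look_back preceding chars
            win_start = max(0, start - self.look_back)
            window = text[win_start:end]
            vm = re.search(self.verify, window)
            if not (vm and vm.start() == start - win_start and vm.end() == len(window)):
                continue
            # 2) match-around: a dictionary keyword within match_back chars in front
            ctx = text[max(0, start - self.match_back):start]
            flags = re.IGNORECASE if self.ignore_case else 0
            if not any(re.search(re.escape(k), ctx, flags) for k in self.match_around):
                continue
            hits.append(m.group(0))
        return hits

# The 'user' data type and the 'matcharound' dictionary from the CLI steps above.
USERNAME_TYPE = DlpDataType(
    pattern=r"\b[a-zA-Z]{6,12}\b",
    verify=r"(?<=@)\w+",
    match_around=("user",),
    look_back=13,
    match_back=15,
)

def dlp_action(message):
    """Action of the 'keyword' profile rule for one HTTP POST body."""
    return "block" if USERNAME_TYPE.find(message) else "pass"

if __name__ == "__main__":
    # Constructed sample messages; the first is the page's Verification input.
    for msg in ("user: @kikinaynay", "user: kikinaynay", "@kikinaynay",
                "user: " + "1" * 20 + " @kikinaynay"):
        print(f"{dlp_action(msg):5} {msg!r}")
```

The last sample shows the proximity limit: the username is valid, but the keyword lies more than match-back characters in front of it, so the rule does not fire.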

Verification

  1. Visit https://dlptest.com/http-post/com.

  2. Enter any phrase that will match the DLP profile configured on the FortiProxy and click Submit.
    Example:
    user: @kikinaynay

  3. Verify that the replacement message indicates the transfer attempt has been blocked.

  4. Review the log that was generated when the attempt was made to send an HTTP POST request containing sensitive keywords:
    1: date=2024-06-11 time=11:53:10 eventtime=1718131990428533349 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="keyword" filtertype="sensor" filtercat="message" severity="critical" policyid=1 poluuid="c0a2e814-7ff8-51ee-1815-054bdf34bd03" policytype="policy" sessionid=486254337 epoch=1186366517 eventid=1 srcip=10.40.1.1 srcport=65112 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" srcuuid="0e3359c4-5fa7-51ed-6fd1-9862a5c10176" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url=" https://dlptest.com/http-post/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0" httpmethod="POST" referralurl=" https://dlptest.com/http-post/" profile="keyword"
