Exact data matching

Exact Data Matching (EDM) identifies particular data values within an indexed data source that require safeguarding. It offers precise detection and handling of sensitive data based on user-defined criteria. This enhances security and improves efficiency by reducing false-positive detections.

Administrators can define a dataset in a CSV or TXT file on a server, upload file directly on FortiProxy or point FortiProxy to the external resource. See EDM template for more information.

CSV file example:

Jason	Valentino	120 Jefferson St.	Riverside	CA	92504
Marry	Baxter	415 W Willow Grove Ave	Philadelphia	PA	19118
David	Solace	555 Pierce Street APT #123	Albany	CA	94706
Thomas	Jefferson	1600 Pennsylvania Avenue NW	Washington	DC	20500

TXT file example:

213321,john,doe

201111,karen,smith

322122,rick,wong

A CSV or TXT file can have a maximum of 32 columns. Each indexed column in the external file represents data (or patterns) for a built-in data type that you want to match using EDM template.

EDM template

The EDM template is used to specify the URL location of the data threat feed file or upload the file directly on to the FortiProxy. Once the data is imported it can be utilized with an EDM template to maps individual columns of data (or patterns) from a file to built-in data types to match credit card, keyword, mip label, social insurance number (SIN), and social security number (SSN) data. When the data passing through FortiProxy matches with the EDM template, FortiProxy responds according to the preset rules.

A CSV or TXT file can be uploaded directly to FortiProxy using the File Upload option. However, this option is exclusively available through the GUI. It's important to note that file upload is only possible if your FortiProxy unit is equipped with a hard disk. In the absence of a hard disk, the File Upload option will be grayed out. Please note that if the CSV or TXT file is uploaded using the File Upload option, it will not be dynamically synchronized nor periodically updated. This means that any changes made to the file will not be imported by FortiProxy. Therefore, users are required to manually update the file again on the FortiProxy using the Update file option. This option is located under Resource Type and is only visible if the file was previously uploaded via the File Upload option.

The sequence of steps for configuring EDM is consistent with other DLP configurations. See Basic DLP settings for more information.

Data threat feed

A data threat feed is a dynamic list that contains data. The data is patterns for DLP data types. The dynamic list is stored in a text (TXT) or comma-separated value (CSV) file format on an external server and periodically updated. After FortiProxy can access the file, the patterns can be used with an EDM template.

config system external-resource
    edit <name>
        set type data
        set resource <string>
        set refresh-rate <integer>       
    next
end

set type {category | domain | malware | address | mac-address | data}	Specify the type of user resource. data: Specify a data file as the user source.
set resource <string>	Specify the URL of the external resource.
set refresh-rate <integer>	Time interval to refresh the external resource (minutes).

The size of the Data Threat Feed file varies depending on the device model. The maximum file size limit for each model is as follows:

• 128 MB for High-End (Data Center) models

• 64 MB for Mid-Range (Campus) models

• 32 MB for Entry-Level (Branch) models.

Example

This configuration will block HTTPS upload traffic that matches the DLP profile.

When utilizing commonly-used SSL-encrypted protocols such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, SSL inspection must be set to Deep Inspection. See Deep inspection for more information. Additionally, the client machine must have the corresponding deep inspection Certificate Authority (CA) certificate installed.

In this example, an EDM template named Customer SSN EDM is created on the FortiProxy. During this process, a CSV file (customer_data.csv) located on an external server is imported using the data thread feed.

Sample CSV file:

SSN	Last Name	First Name	Address	City	State	ZIP	Phone	Email	CCN
172-32-1176	Doe	John	10932 Big Rd	Malibu	CA	94025	408-497-7223	jdoe@domain.com	5270-4267-6450-5516
514-14-8905	Bard	Ashley	4469 Sher St	Golf	KS	66428	785-939-6046	abard@domain.com	5370-4638-8881-302

In this example, the EDM template specifies:

• Column index 1 in the external data threat feed file contains patterns for the g-ssn-us data type.

• Column index 3 and 9 contain patterns for the g-edm-keyword data type.

• The patterns from column index 1 must match for FortiProxy to take an action.

• The pattern from either column index 3 or 9 must match for FortiProxy to take an action.

Based on the aforementioned template, the DLP profile will match any traffic containing data that corresponds to the SSN in column 1, and either the First Name in column 3 or the Email in column 9. For instance, if the HTTPS upload traffic sent from personal computer contains '172-32-1176' AND 'John', or '172-32-1176' AND 'jdoe@domain.com', the traffic will be blocked and a DLP log is generated. See Sample log for a log sample.

To configure EDM for DLP in the GUI:

1. Create an EDM template with matching criteria:

   1. Go to Security Profiles > Data Loss Prevention > EDM Templates, and click Create New.

      

   2. Specify a name for the template, such as Customer SSN EDM.

   3. Set Resource type to External feed, and set External feed URL to the location of the file on the external server, such as https://172.18.20.226/customer_data.csv.

   4. Click +All of these fields to pair the column index of patterns with a DLP data type. All of the specified data in this section must match for FortiProxy to take an action.

      In this example, column 1 in the external resource file contains the patterns for the g-ssn-us data type.

   5. Click +Any of these fields to pair the column index of patterns with a DLP data type, and to specify how many of these pairs must match for FortiProxy to take an action.

      In this example, columns 3 and 9 in the external resource file contains the patterns for the g-edm-keyword data type. Only one pattern from the two columns must match.

      

   6. Click OK.

   7. Edit the DLP EDM template and click View Entries to view the data entries in the field.

      When viewing EDM entries, the GUI currently does not validate the entries and displays all entries as Valid. However, a Valid entry must have all values matching the data-type of the specific column. If one value does not match, the entry is invalid and will not be used for pattern matching.

2. Configure a DLP sensor for the EDM template.

   1. In Security Profiles > Data Loss Prevention, click Sensors > Create New.

   2. Specify a name for the DLP sensor, such as Sensor SSN EDM.

   3. Click Create New. The New Entry pane is displayed.

   4. From the Sensor entry list, select Customer SSN EDM, and click OK.

      

      The New DLP Sensor pane is displayed

   5. Click OK.
3. Create a DLP profile and select the DLP sensor for the EDM template.

   1. In Security Profiles > Data Loss Prevention, click Profiles > Create New.

   2. Specify a name for the DLP profile, such as Profile SSN EDM.

   3. Click Create New. The New Rule pane is displayed.

   4. Specify a name for the rule, such as Rule SSN EDM.

   5. Set Data source type to Sensor, and select Sensor SSN EDM.

   6. Set Action to Block.

   7. Set Match type to Message.

   8. Select HTTP-POST protocol.

   9. Click OK. The New DLP Profile pane is displayed.
   10. Click OK to save the profile.
4. Add the DLP profile to a policy:
   1. Go to Policy & Objects > Policy.
   2. Click Create New.
   3. In the Security Profiles section, enable DLP Profile and select Profile SSN EDM.
   4. Set SSL/SSH Inspection to deep-inspection.
   5. Configure the other settings as needed.
   6. Click OK.

To configure EDM for DLP in the CLI:

1. Add the URL for the data threat feed file to FortiProxy.

   In this example, an external resource named customer data EDM is created, and it defines the location of the data threat feed file in CSV format on an external server.

   config system external-resource
       edit "customer data EDM"
           set type data
           set resource "https://172.18.20.226/customer_data.csv"
           end
       next
   end

2. Configure the EDM template.

   In this example, an exact data-match template named Customer SSN EDM is created for the external resource named customer data EDM. The matching record must contain the pattern for the data type from column index 1 (g-ssn-us) and at least one pattern for the data type from column index 3 (g-edm-keyword) or 9 (g-edm-keyword).

   config dlp exact-data-match
       edit "Customer SSN EDM"
           set optional 1
           set data "customer data EDM"
           config columns
               edit 1
                   set type "g-ssn-us"
               next
               edit 3
                   set type "g-edm-keyword"
                   set optional enable
               next
               edit 9
                   set type "g-edm-keyword" 
                   set optional enable 
               next
           end
       next
   end

3. Add the EDM template to a DLP sensor.

   config dlp sensor
       edit "Sensor SSN EDM"      
           config entries
               edit 1
                   set dictionary "Customer SSN EDM"                
               next
           end
       next
   end

4. Configure a DLP profile to use the DLP sensor.

   config dlp profile
       edit "Profile SSN EDM" 
           set feature-set proxy
           config rule
               edit 1
                   set name "Rule SSN EDM" 
                   set type message
                   set proto http-post
                   set filter-by sensor 
                   set sensor “Sensor SSN EDM”
                   set action block
               next
           end
       next
   end

5. Add the DLP profile to a policy.

   config firewall policy
       edit 1
           set name "Internet"
           set srcintf "port3"
           set dstintf "port1"
           set action accept
           set srcaddr "all"
           set dstaddr "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set ssl-ssh-profile "deep-inspection"
           set dlp-profile "Profile SSN EDM"
       next
   end

To verify:

1. A user attempts to post a sensitive message through HTTPS to dlptest.com, and the message content matches the EDM template.

   

2. FortiProxy blocks the user's attempt and displays a replacement message:

   

3. FortiProxy generates a DLP log:

   

   1: date=2024-08-23 time=18:02:00 eventtime=1724461319796558635 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="Rule SSN EDM" filtertype="sensor" filtercat="message" severity="medium" policyid=113 poluuid="65885ef4-5131-51ef-cf0f-2f757f2e9aeb" policytype="policy" sessionid=1845688663 epoch=412739369 eventid=1 srcip=10.40.1.1 srcport=60850 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/https-post/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0" httpmethod="POST" referralurl="https://dlptest.com/https-post/" profile="Profile SSN EDM"