Log FTP upload traffic with a specific pattern
This configuration will log FTP upload traffic with the following patterns:
- keyword = demo
- regex = demo(regex){1,5}
- hex = e6b58be8af95
The dictionary entries have repeat match enabled. The DLP sensor count is set to 5, so the sensor matches only when the patterns are repeated five times.
To log FTP upload traffic that has specific keyword, regex, and hex patterns repeated five times in the GUI:
- Configure the DLP dictionary with three entries:
    - Go to Security Profiles > Data Loss Prevention, select the Dictionaries tab, and click Create New.
    - Enter a name (dic-case2).
    - In the Dictionary Entries section, click Create New.
    - Set the Type to keyword and the Pattern to demo.
    - Enable Repeats and click OK.
    - Repeat these steps to add dictionary entries for the following (with Repeats enabled):
        - Set the Type to regex and the Pattern to demo(regex){1,5}.
        - Set the Type to hex and the Pattern to e6b58be8af95.
    - Click OK to save the dictionary.
- Configure the DLP sensor:
    - Go to Security Profiles > Data Loss Prevention, select the Sensors tab, and click Create New.
    - Enter a name (sensor-case2).
    - In the Sensor Entries section, click Create New.
    - Set the Dictionary to dic-case2, set the Count to 5, and click OK.
    - Click OK to save the sensor.
- Configure the DLP profile:
    - Go to Security Profiles > Data Loss Prevention, select the Profiles tab, and click Create New.
    - Enter a name (profile-case2).
    - In the Rules section, click Create New.
    - Configure the following settings:
        Name: 1
        Sensors: sensor-case2
        Severity: Medium
        Action: Block
        Type: File
        File type: builtin-patterns
        Protocol: FTP
    - Click OK.
    - Click OK to save the profile.
- Add the DLP profile to a policy:
    - Go to Policy & Objects > Policy and click Create New.
    - Set the Type to any type except SSH Tunnel, which does not support DLP.
    - In the Security Profiles section, enable DLP Profile and select profile-case2.
    - Configure the other settings as needed.
    - Click OK.
- Upload a Word document that contains "demo, demo, demo, demoregexregex," using FTP.
A DLP log is generated after the FTP traffic passes.
To log FTP upload traffic that has specific keyword, regex, and hex patterns repeated five times in the CLI:
- Configure the DLP dictionary:
    config dlp dictionary
        edit "dic-case2"
            config entries
                edit 1
                    set type "keyword"
                    set pattern "demo"
                    set repeat enable
                next
                edit 2
                    set type "regex"
                    set pattern "demo(regex){1,5}"
                    set repeat enable
                next
                edit 3
                    set type "hex"
                    set pattern "e6b58be8af95"
                    set repeat enable
                next
            end
        next
    end
- Configure the DLP sensor:
    config dlp sensor
        edit "sensor-case2"
            config entries
                edit 1
                    set dictionary "dic-case2"
                    set count 5
                next
            end
        next
    end
- Configure the DLP profile:
    config dlp profile
        edit "profile-case2"
            set feature-set proxy
            config rule
                edit 1
                    set proto ftp
                    set filter-by sensor
                    set file-type 1
                    set sensor "sensor-case2"
                    set action block
                next
            end
        next
    end
- Add the DLP profile to a policy:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set dlp-profile "profile-case2"
        next
    end
- Upload a Word document that contains "demo, demo, demo, demoregexregex," using FTP.
A DLP log is generated after the FTP traffic passes.
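The GUI and CLI procedures above both build the same dictionary (three entries with Repeats enabled) and a sensor with Count 5, and the test upload "demo, demo, demo, demoregexregex" is what makes the sensor fire. The following is an added example, not FortiOS code, that models why that string reaches the threshold: with Repeats enabled every occurrence of an entry counts toward the sensor count, so four hits on the keyword plus one hit on the regex sum to five. It assumes a keyword is a literal substring match, a regex is evaluated with Python's re module, and a hex entry is compared as raw bytes (the page's hex pattern e6b58be8af95 is the UTF-8 encoding of the Chinese word 测试); the summing rule is a simplification for illustration.

```python
import re

# Added example (not FortiOS code): a simplified model of how the dictionary
# and sensor configured on this page count matches. Assumptions: keyword =
# literal substring, regex = Python re, hex = raw bytes; with Repeats enabled
# every occurrence counts, otherwise an entry counts at most once; the sensor
# fires when the summed count reaches its Count.

# The three entries configured in dic-case2 (values taken from the page).
DICTIONARY = [
    {"type": "keyword", "pattern": "demo", "repeat": True},
    {"type": "regex", "pattern": r"demo(regex){1,5}", "repeat": True},
    # e6b58be8af95 is the UTF-8 encoding of the Chinese word "测试".
    {"type": "hex", "pattern": "e6b58be8af95", "repeat": True},
]
SENSOR_COUNT = 5  # "set count 5" in sensor-case2


def count_entry_matches(entry: dict, data: bytes) -> int:
    """Number of times one dictionary entry occurs in the scanned content."""
    kind, pattern = entry["type"], entry["pattern"]
    if kind == "keyword":
        n = data.count(pattern.encode("utf-8"))  # non-overlapping literal hits
    elif kind == "regex":
        n = len(re.findall(pattern.encode("utf-8"), data))
    elif kind == "hex":
        n = data.count(bytes.fromhex(pattern))
    else:
        raise ValueError(f"unknown entry type {kind!r}")
    # Without Repeats an entry contributes at most one hit however often it appears.
    return n if entry["repeat"] else min(n, 1)


def evaluate_sensor(data: bytes, dictionary=DICTIONARY, count: int = SENSOR_COUNT) -> dict:
    """Return per-entry hits, the summed total and whether the sensor threshold is reached."""
    per_entry = {e["pattern"]: count_entry_matches(e, data) for e in dictionary}
    total = sum(per_entry.values())
    return {"per_entry": per_entry, "total": total, "triggered": total >= count}


def without_repeat(dictionary) -> list:
    """Copy of a dictionary with Repeats disabled on every entry, for comparison."""
    return [dict(e, repeat=False) for e in dictionary]


if __name__ == "__main__":
    # Constructed sample: the document body the page says is uploaded over FTP.
    sample = b"demo, demo, demo, demoregexregex"
    print(evaluate_sensor(sample))                              # total 5 -> triggered
    print(evaluate_sensor(sample, without_repeat(DICTIONARY)))  # total 2 -> not triggered
```

Running the same content against the dictionary with Repeats disabled drops the total to 2, which shows why the page enables Repeats on every entry: without it, a sensor Count above the number of dictionary entries can never be reached.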
Sample log
1: date=2022-10-26 time=12:37:57 eventtime=1666813077679725858 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="1" dlpextra="builtin-patterns;sensor-case2" filtertype="sensor" filtercat="file" severity="medium" policyid=1 poluuid="891a526a-51cd-51ed-577a-6505bec88af9" policytype="policy" sessionid=6267 epoch=909159520 eventid=0 srcip=10.1.100.11 srcport=52858 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="502d2c8e-51cd-51ed-a24e-a091f4ff6fed" dstip=172.16.200.55 dstport=43411 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="502d2c8e-51cd-51ed-a24e-a091f4ff6fed" proto=6 service="FTP" filetype="msoffice" direction="outgoing" action="block" filename="realizedDoc.doc" filesize=26624 profile="profile-case2"