Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Release Notes

    Home FortiProxy 7.6.0 Release Notes
    7.6.0
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    2.0.14
    2.0.13
    2.0.12
    2.0.11
    2.0.10
    2.0.9
    2.0.8
    2.0.7
    2.0.6
    2.0.5
    2.0.4
    2.0.3
    2.0.2
    2.0.1
    2.0.0
    1.2.13
    1.2.12
    1.2.11
    1.2.10
    1.2.9
    1.2.8
    1.2.7
    1.2.6
    1.2.5
    1.2.4
    1.2.3
    1.2.2
    1.2.1
    1.2.0
    1.1.6
    1.1.5
    1.1.4
    1.1.3
    1.1.2
    1.1.1
    1.1.0
    1.0.7
    1.0.6
    1.0.5
    1.0.4
    1.0.3
    1.0.2
    1.0.1
    1.0.0

    FortiGuard managed DLP dictionaries

    FortiGuard managed DLP dictionaries

    Note

    This information is also available in the FortiProxy 7.6 Administration Guide:

    Three confidence levels are added to the DLP signature package retrieved from FortiGuard. Users can select a FortiGuard dictionary with varying confidence levels based on their specific requirements.

    • The high level provides maximum precision to minimize false positives.

    • The medium level balances match quantity and precision.

    • The low level captures the most matches, but may result in more false positives.

    A valid DLP license is required to obtain the latest package.

    To see the available confidence levels for a dictionary, go to Security Profiles > Data Loss Prevention, select the Dictionary tab, and then edit the dictionary:

    When applying a FortiGuard built-in dictionary to a custom sensor, the dictionary with the highest confidence level is selected by default.

    The confidence level of a dictionary applied to a custom sensor can be adjusted by editing the entry:

    Use case examples

    In these use case examples, various Canadian Social Insurance Number (SIN) formats are tested at different confidence levels using different protocols.

    Low Confidence

    Medium Confidence

    High Confidence

    SIN format

    Matching criteria: regular expression, data validation

    Matching criteria: regular expression, data validation SIN format validation

    Matching criteria: regular expression, data validation, SIN format validation, Match-around data

    815489034

    match

    does not match

    does not match

    193849270

    match

    match

    does not match

    sin# 193849270

    match

    match

    match
    To verify that a FortiGuard dictionary with the low confidence level will block matching message through an HTTPS post:

    1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict) DLP dictionary with the Confidence level set to Low and then use the profile in a policy.

    2. Test that an HTTPS message containing a SIN is blocked. DLP Test > HTTPS Post can be used to send a test message:

      The message is blocked:

    3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-low dictionary.

    4. Check the raw logs:

      1: date=2024-05-29 time=16:55:27 eventtime=1717026926501493215 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" ruleid=1 rulename="sensor_can_sin_low" dlpextra="Sensor 'sensor_can_sin_low' matching any: ('g-fg-can-natl_id-sin-dict-low'=1) >= 1; match." filtertype="sensor" filtercat="message" severity="medium" policyid=1 poluuid="a084e3dc-1d48-51ef-5286-940d89557186" policytype="policy" sessionid=64304 epoch=2100732550 eventid=1 srcip=10.1.100.241 srcport=34184 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/https-post/" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://dlptest.com/https-post/" profile="customer_can_sin"
    To verify that a FortiGuard dictionary with medium confidence level will block matching message through a FTPS post:

    1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict) DLP dictionary with the Confidence level set to Medium and then use the profile in a policy.

    2. Test that posting a file that contains 193849270 is blocked.

    3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-med dictionary.

    4. Check the raw logs:

      1: date=2024-09-25 time=12:25:59 eventtime=1727292359601830454 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="sensor_can_sin_med" dlpextra="Sensor 'sensor_can_sin' matching any: ('fg-can-natl_id-sin-dict-med'=1) >= 1; match." filtertype="sensor" filtercat="file" severity="medium" policyid=3 poluuid="b95909fe-7ac4-51ef-736b-ed6723925bc6" policytype="policy" sessionid=1263148728 epoch=805294546 eventid=0 srcip=10.45.1.41 srcport=48609 srccountry="Reserved" srcintf="port6" srcintfrole="undefined" dstip=10.40.1.226 dstport=6223 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="FTPS" filetype="unknown" direction="outgoing" action="block" filename="can_sin_med.txt" filesize=12 profile="default"
    To verify that the FortiGuard dictionary with a high confidence level will block matching message through an SMTP post:

    1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict) DLP dictionary with the Confidence level set to High and then use the profile in a policy.

    2. Test that sending email with an attached file that contains sin# 193849270 is blocked.

    3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-high dictionary.

    4. Check the raw logs:

      1: date=2024-09-25 time=13:11:00 eventtime=1727295059589158625 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="sensor_can_sin_high" dlpextra="Sensor 'sensor_can_sin' matching any: ('fg-can-natl_id-sin-dict-high'=1) >= 1; match." filtertype="sensor" filtercat="file" severity="medium" policyid=3 sessionid=168480999 epoch=1488425925 eventid=2 srcip=10.40.1.229 srcport=0 srccountry="Reserved" srcintf="unknown-0" srcintfrole="undefined" dstip=52.96.166.82 dstport=587 dstcountry="United States" dstintf="unknown-0" dstintfrole="undefined" proto=6 service="SMTPS" filetype="unknown" direction="outgoing" action="block" from="annasundayhi@outlook.com" to="annasundayhi@outlook.com" sender="annasundayhi@outlook.com" recipient="annasundayhi@outlook.com" subject="718485" attachment="yes" filename="can_sin_high.txt" filesize=15 profile="default"
    Previous
    Next

    FortiGuard managed DLP dictionaries

    FortiGuard managed DLP dictionaries

    Note

    This information is also available in the FortiProxy 7.6 Administration Guide:

    Three confidence levels are added to the DLP signature package retrieved from FortiGuard. Users can select a FortiGuard dictionary with varying confidence levels based on their specific requirements.

    • The high level provides maximum precision to minimize false positives.

    • The medium level balances match quantity and precision.

    • The low level captures the most matches, but may result in more false positives.

    A valid DLP license is required to obtain the latest package.

    To see the available confidence levels for a dictionary, go to Security Profiles > Data Loss Prevention, select the Dictionary tab, and then edit the dictionary:

    When applying a FortiGuard built-in dictionary to a custom sensor, the dictionary with the highest confidence level is selected by default.

    The confidence level of a dictionary applied to a custom sensor can be adjusted by editing the entry:

    Use case examples

    In these use case examples, various Canadian Social Insurance Number (SIN) formats are tested at different confidence levels using different protocols.

    Low Confidence

    Medium Confidence

    High Confidence

    SIN format

    Matching criteria: regular expression, data validation

    Matching criteria: regular expression, data validation SIN format validation

    Matching criteria: regular expression, data validation, SIN format validation, Match-around data

    815489034

    match

    does not match

    does not match

    193849270

    match

    match

    does not match

    sin# 193849270

    match

    match

    match
    To verify that a FortiGuard dictionary with the low confidence level will block matching message through an HTTPS post:

    1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict) DLP dictionary with the Confidence level set to Low and then use the profile in a policy.

    2. Test that an HTTPS message containing a SIN is blocked. DLP Test > HTTPS Post can be used to send a test message:

      The message is blocked:

    3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-low dictionary.

    4. Check the raw logs:

      1: date=2024-05-29 time=16:55:27 eventtime=1717026926501493215 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" ruleid=1 rulename="sensor_can_sin_low" dlpextra="Sensor 'sensor_can_sin_low' matching any: ('g-fg-can-natl_id-sin-dict-low'=1) >= 1; match." filtertype="sensor" filtercat="message" severity="medium" policyid=1 poluuid="a084e3dc-1d48-51ef-5286-940d89557186" policytype="policy" sessionid=64304 epoch=2100732550 eventid=1 srcip=10.1.100.241 srcport=34184 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/https-post/" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://dlptest.com/https-post/" profile="customer_can_sin"
    To verify that a FortiGuard dictionary with medium confidence level will block matching message through a FTPS post:

    1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict) DLP dictionary with the Confidence level set to Medium and then use the profile in a policy.

    2. Test that posting a file that contains 193849270 is blocked.

    3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-med dictionary.

    4. Check the raw logs:

      1: date=2024-09-25 time=12:25:59 eventtime=1727292359601830454 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="sensor_can_sin_med" dlpextra="Sensor 'sensor_can_sin' matching any: ('fg-can-natl_id-sin-dict-med'=1) >= 1; match." filtertype="sensor" filtercat="file" severity="medium" policyid=3 poluuid="b95909fe-7ac4-51ef-736b-ed6723925bc6" policytype="policy" sessionid=1263148728 epoch=805294546 eventid=0 srcip=10.45.1.41 srcport=48609 srccountry="Reserved" srcintf="port6" srcintfrole="undefined" dstip=10.40.1.226 dstport=6223 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="FTPS" filetype="unknown" direction="outgoing" action="block" filename="can_sin_med.txt" filesize=12 profile="default"
    To verify that the FortiGuard dictionary with a high confidence level will block matching message through an SMTP post:

    1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict) DLP dictionary with the Confidence level set to High and then use the profile in a policy.

    2. Test that sending email with an attached file that contains sin# 193849270 is blocked.

    3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-high dictionary.

    4. Check the raw logs:

      1: date=2024-09-25 time=13:11:00 eventtime=1727295059589158625 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="sensor_can_sin_high" dlpextra="Sensor 'sensor_can_sin' matching any: ('fg-can-natl_id-sin-dict-high'=1) >= 1; match." filtertype="sensor" filtercat="file" severity="medium" policyid=3 sessionid=168480999 epoch=1488425925 eventid=2 srcip=10.40.1.229 srcport=0 srccountry="Reserved" srcintf="unknown-0" srcintfrole="undefined" dstip=52.96.166.82 dstport=587 dstcountry="United States" dstintf="unknown-0" dstintfrole="undefined" proto=6 service="SMTPS" filetype="unknown" direction="outgoing" action="block" from="annasundayhi@outlook.com" to="annasundayhi@outlook.com" sender="annasundayhi@outlook.com" recipient="annasundayhi@outlook.com" subject="718485" attachment="yes" filename="can_sin_high.txt" filesize=15 profile="default"
    Previous
    Next