Fortinet white logo
Fortinet white logo

Administration Guide

Log FTP upload traffic with a specific pattern

Log FTP upload traffic with a specific pattern

This configuration will log FTP upload traffic with the following patterns:

  • keyword = demo
  • regex = demo(regex){1,5}
  • hex = e6b58be8af95

The dictionary entries have repeat match enabled. The DLP sensor is set so this is repeated five times.

To log FTP upload traffic that has specific keyword, regex, and hex patterns repeated for five times in the GUI:
  1. Configure the DLP dictionary with three entries:

    1. Go to Security Profiles > Data Loss Prevention, select the Dictionaries tab, and click Create New.

    2. Enter a name (dic-case2).

    3. In the Dictionary Entries section, click Create New.

    4. Set the Type to keyword and the Pattern to demo.

    5. Enable Repeats and click OK.

    6. Repeat these steps to add dictionary entries for the following (with Repeats enabled):

      1. Set the Type to regex and the Pattern to demo(regex){1,5}.

      2. Set the Type to hex and the Pattern to e6b58be8af95.

    7. Click OK to save the dictionary.

  2. Configure the DLP sensor:

    1. Go to Security Profiles > Data Loss Prevention, select the Sensors tab, and click Create New.

    2. Enter a name (sensor-case2).

    3. In the Sensor Entries section, click Create New.

    4. Set the Dictionary to dic-case2, set the Count to 5, and click OK.

    5. Click OK to save the sensor.

  3. Configure the DLP profile:

    1. Go to Security Profiles > Data Loss Prevention, select the Profiles tab, and click Create New.

    2. Enter a name (profile-case2).

    3. In the Rules section, click Create New.

    4. Configure the following settings:

      Name

      1

      Sensors

      sensor-case2

      Severity

      Medium

      Action

      Block

      Type

      File

      File type

      builtin-patterns

      Protocol

      FTP

    5. Click OK.

    6. Click OK to save the profile.

  4. Add the DLP profile to a policy:

    1. Go to Policy & Objects > Policy and click Create New.

    2. Set the Type to any except SSH Tunnel which does not support DLP.

    3. In the Security Profiles section, enable DLP Profile and select profile-case2.

    4. Configure the other settings as needed.

    5. Click OK.

  5. Upload a Word document that contains "demo, demo, demo, demoregexregex," using FTP.

    A DLP log is generated after the FTP traffic passes.

To log FTP upload traffic that has specific keyword, regex, and hex patterns repeated for five times in the CLI:
  1. Configure the DLP dictionary:
    config dlp dictionary
        edit "dic-case2"
            config entries
                edit 1
                    set type "keyword"
                    set pattern "demo"
                    set repeat enable
                next
                edit 2
                    set type "regex"
                    set pattern "demo(regex){1,5}"
                    set repeat enable
                next
                edit 3
                    set type "hex"
                    set pattern "e6b58be8af95"
                    set repeat enable
                next
            end
        next
    end
  2. Configure the DLP sensor:
    config dlp sensor
        edit "sensor-case2"
            config entries
                edit 1
                    set dictionary "dic-case2"
                    set count 5
                next
            end
        next
    end
  3. Configure the DLP profile:
    config dlp profile
        edit "profile-case2"
            set feature-set proxy
            config rule
                edit 1 
                    set proto ftp
                    set filter-by sensor
                    set file-type 1
                    set sensor "sensor-case2"
                    set action block
                next
            end
        next
    end
  4. Add the DLP profile to a policy:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set dlp-profile "profile-case2"
        next
    end
  5. Upload a Word document that contains "demo, demo, demo, demoregexregex," using FTP.

    A DLP log is generated after the FTP traffic passes.

    Sample log
    1: date=2022-10-26 time=12:37:57 eventtime=1666813077679725858 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="1" dlpextra="builtin-patterns;sensor-case2" filtertype="sensor" filtercat="file" severity="medium" policyid=1 poluuid="891a526a-51cd-51ed-577a-6505bec88af9" policytype="policy" sessionid=6267 epoch=909159520 eventid=0 srcip=10.1.100.11 srcport=52858 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="502d2c8e-51cd-51ed-a24e-a091f4ff6fed" dstip=172.16.200.55 dstport=43411 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="502d2c8e-51cd-51ed-a24e-a091f4ff6fed" proto=6 service="FTP" filetype="msoffice" direction="outgoing" action="block" filename="realizedDoc.doc" filesize=26624 profile="profile-case2"

Log FTP upload traffic with a specific pattern

Log FTP upload traffic with a specific pattern

This configuration will log FTP upload traffic with the following patterns:

  • keyword = demo
  • regex = demo(regex){1,5}
  • hex = e6b58be8af95

The dictionary entries have repeat match enabled. The DLP sensor is set so this is repeated five times.

To log FTP upload traffic that has specific keyword, regex, and hex patterns repeated for five times in the GUI:
  1. Configure the DLP dictionary with three entries:

    1. Go to Security Profiles > Data Loss Prevention, select the Dictionaries tab, and click Create New.

    2. Enter a name (dic-case2).

    3. In the Dictionary Entries section, click Create New.

    4. Set the Type to keyword and the Pattern to demo.

    5. Enable Repeats and click OK.

    6. Repeat these steps to add dictionary entries for the following (with Repeats enabled):

      1. Set the Type to regex and the Pattern to demo(regex){1,5}.

      2. Set the Type to hex and the Pattern to e6b58be8af95.

    7. Click OK to save the dictionary.

  2. Configure the DLP sensor:

    1. Go to Security Profiles > Data Loss Prevention, select the Sensors tab, and click Create New.

    2. Enter a name (sensor-case2).

    3. In the Sensor Entries section, click Create New.

    4. Set the Dictionary to dic-case2, set the Count to 5, and click OK.

    5. Click OK to save the sensor.

  3. Configure the DLP profile:

    1. Go to Security Profiles > Data Loss Prevention, select the Profiles tab, and click Create New.

    2. Enter a name (profile-case2).

    3. In the Rules section, click Create New.

    4. Configure the following settings:

      Name

      1

      Sensors

      sensor-case2

      Severity

      Medium

      Action

      Block

      Type

      File

      File type

      builtin-patterns

      Protocol

      FTP

    5. Click OK.

    6. Click OK to save the profile.

  4. Add the DLP profile to a policy:

    1. Go to Policy & Objects > Policy and click Create New.

    2. Set the Type to any except SSH Tunnel which does not support DLP.

    3. In the Security Profiles section, enable DLP Profile and select profile-case2.

    4. Configure the other settings as needed.

    5. Click OK.

  5. Upload a Word document that contains "demo, demo, demo, demoregexregex," using FTP.

    A DLP log is generated after the FTP traffic passes.

To log FTP upload traffic that has specific keyword, regex, and hex patterns repeated for five times in the CLI:
  1. Configure the DLP dictionary:
    config dlp dictionary
        edit "dic-case2"
            config entries
                edit 1
                    set type "keyword"
                    set pattern "demo"
                    set repeat enable
                next
                edit 2
                    set type "regex"
                    set pattern "demo(regex){1,5}"
                    set repeat enable
                next
                edit 3
                    set type "hex"
                    set pattern "e6b58be8af95"
                    set repeat enable
                next
            end
        next
    end
  2. Configure the DLP sensor:
    config dlp sensor
        edit "sensor-case2"
            config entries
                edit 1
                    set dictionary "dic-case2"
                    set count 5
                next
            end
        next
    end
  3. Configure the DLP profile:
    config dlp profile
        edit "profile-case2"
            set feature-set proxy
            config rule
                edit 1 
                    set proto ftp
                    set filter-by sensor
                    set file-type 1
                    set sensor "sensor-case2"
                    set action block
                next
            end
        next
    end
  4. Add the DLP profile to a policy:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set dlp-profile "profile-case2"
        next
    end
  5. Upload a Word document that contains "demo, demo, demo, demoregexregex," using FTP.

    A DLP log is generated after the FTP traffic passes.

    Sample log
    1: date=2022-10-26 time=12:37:57 eventtime=1666813077679725858 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="1" dlpextra="builtin-patterns;sensor-case2" filtertype="sensor" filtercat="file" severity="medium" policyid=1 poluuid="891a526a-51cd-51ed-577a-6505bec88af9" policytype="policy" sessionid=6267 epoch=909159520 eventid=0 srcip=10.1.100.11 srcport=52858 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="502d2c8e-51cd-51ed-a24e-a091f4ff6fed" dstip=172.16.200.55 dstport=43411 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="502d2c8e-51cd-51ed-a24e-a091f4ff6fed" proto=6 service="FTP" filetype="msoffice" direction="outgoing" action="block" filename="realizedDoc.doc" filesize=26624 profile="profile-case2"