Proximity search
In this example, any HTTPS upload traffic containing both a keyword and a username within a specified proximity can be identified. The FortiProxy intercepts this traffic through deep inspection. When HTTPS upload traffic includes both a keyword and a username, which match the criteria defined on the data loss prevention (DLP) profile configured on the FortiProxy, the traffic is blocked. This action subsequently generates a DLP log. See Verification for a log sample.
To block HTTPS upload traffic that matches the DLP profile in the GUI:

1. Configure the DLP dictionary:
   a. Go to Security Profiles > Data Loss Prevention and select the Dictionaries tab.
   b. Select Create New.
   c. Set Name to matcharound.
   d. In the Dictionary Entries table, click Create New:
      - Set Type to keyword.
      - Set Pattern to user.
      - Enable Case sensitive.
      - Click OK.
   e. Click OK.
   f. Select the newly created dictionary and click Edit.
   g. Select Edit in CLI and enter the following command:

          set match-around enable
          end

   h. Close the CLI Console and click Cancel.

   DLP data types can only be configured in the CLI. See step 2 of To block HTTPS upload traffic that matches the DLP profile in the CLI:.

2. Configure the DLP dictionary:
   a. Go to Security Profiles > Data Loss Prevention and select the Dictionaries tab.
   b. Click Create New.
   c. Set Name to username.
   d. In the Dictionary Entries table, click Create New:
      - Set Type to user.
      - Click OK.
   e. Click OK.

3. Configure the DLP sensor:
   a. Go to Security Profiles > Data Loss Prevention and select the Sensors tab.
   b. Click Create New.
   c. Enter a name (user).
   d. In the Sensor Entries section, click Create New.
   e. Set the sensor entry to username and click OK.
   f. Click OK to save the sensor.

4. Configure the DLP profile:
   a. Go to Security Profiles > Data Loss Prevention and select the Profiles tab.
   b. Click Create New.
   c. Enter a name (keyword).
   d. In the Rules section, click Create New.
   e. Configure the following settings:

          Name                keyword
          Data source type    Sensor
          Sensors             user
          Severity            Critical
          Action              Block
          Match Type          Message
          Protocol            HTTP-POST

   f. Click OK.
   g. Click OK to save the profile.

5. Add the DLP profile to a policy:
   a. Go to Policy & Objects > Policy and click Create New.
   b. In the Security Profiles section, enable DLP Profile and select keyword.
   c. Set SSL/SSH Inspection to deep-inspection to inspect HTTPS traffic.
   d. Configure the other settings, as needed.
   e. Click OK.
To block HTTPS upload traffic that matches the DLP profile in the CLI:

1. Configure the DLP dictionary:

       config dlp dictionary
           edit "matcharound"
               set match-around enable
               config entries
                   edit 1
                       set type "keyword"
                       set pattern "user"
                       set ignore-case enable
                   next
               end
           next
       end

2. Configure the DLP data type:

       config dlp data-type
           edit "user"
               set pattern "\\b[a-zA-Z]{6,12}\\b"
               set verify "(?<=@)\\w+"
               set match-around "matcharound"
               set look-back 13
               set match-back 15
           next
       end

   The pattern specified with the set pattern command matches any word of 6 to 12 characters, irrespective of case. The pattern specified with the set verify command uses a positive lookbehind assertion: it requires an @ symbol immediately before the word without including the @ in the match. Lookbehind is supported in PCRE but not in Hyperscan. For a match to occur, the content must satisfy all parameters defined in the DLP data type.

3. Configure the DLP dictionary:

       config dlp dictionary
           edit "username"
               config entries
                   edit 1
                       set type "user"
                   next
               end
           next
       end

4. Configure the DLP sensor:

       config dlp sensor
           edit "user"
               config entries
                   edit 1
                       set dictionary "username"
                   next
               end
           next
       end

5. Configure the DLP profile:

       config dlp profile
           edit "keyword"
               config rule
                   edit 1
                       set name "keyword"
                       set severity critical
                       set type message
                       set proto http-post
                       set filter-by sensor
                       set sensor "user"
                       set action block
                   next
               end
           next
       end

6. Add the DLP profile to a policy:

       config firewall policy
           edit 1
               set name "keyword"
               set srcintf "port2"
               set dstintf "port1"
               set action accept
               set srcaddr "all"
               set dstaddr "all"
               set schedule "always"
               set service "ALL"
               set utm-status enable
               set ssl-ssh-profile "deep-inspection"
               set dlp-profile "keyword"
               set logtraffic all
               set nat enable
           next
       end
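The following Python model shows how the three checks of the "user" data type from step 2 (the pattern, the verify lookbehind, and the match-around dictionary with its look-back and match-back windows) combine to accept or reject a candidate word. It is an added example, not FortiProxy code: the interpretation of look-back as the context kept before a candidate for the verify regex, and of match-back as the span in front of the candidate searched for the dictionary keyword, is this example's reading of the configuration, and the sample inputs are constructed.

```python
import re

# Added illustration, not FortiProxy code: a small model of how the DLP data
# type "user" from step 2 combines its checks. The meaning given to look-back
# and match-back below is this example's reading of the configuration.
PATTERN = re.compile(r"\b[a-zA-Z]{6,12}\b")  # set pattern "\\b[a-zA-Z]{6,12}\\b"
VERIFY = re.compile(r"(?<=@)\w+")            # set verify "(?<=@)\\w+" (PCRE-style lookbehind)
LOOK_BACK = 13                                # set look-back 13
MATCH_BACK = 15                               # set match-back 15
# Dictionary "matcharound": one keyword entry, "user", with ignore-case enabled.
MATCH_AROUND = [re.compile(re.escape("user"), re.IGNORECASE)]


def evaluate(text):
    """Run the three checks over text.

    Returns (matches, rejected): matches is the list of words that satisfy
    pattern, verify and match-around; rejected maps each other candidate
    word to the first check it failed.
    """
    matches, rejected = [], {}
    for cand in PATTERN.finditer(text):
        start, end = cand.span()
        word = cand.group()

        # verify: the lookbehind needs context, so the verify regex runs over
        # the candidate plus LOOK_BACK characters before it and must match
        # exactly the candidate's span.
        win_start = max(0, start - LOOK_BACK)
        window = text[win_start:end]
        verified = any(
            (win_start + v.start(), win_start + v.end()) == (start, end)
            for v in VERIFY.finditer(window)
        )
        if not verified:
            rejected[word] = "verify"
            continue

        # match-around: a "matcharound" dictionary entry must occur in the
        # MATCH_BACK characters immediately in front of the candidate.
        front = text[max(0, start - MATCH_BACK):start]
        if not any(d.search(front) for d in MATCH_AROUND):
            rejected[word] = "match-around"
            continue

        matches.append(word)
    return matches, rejected


if __name__ == "__main__":
    # Constructed sample inputs; the first is the phrase used in Verification.
    for sample in ["user: @kikinaynay",
                   "user: kikinaynay",
                   "@kikinaynay uploaded the report",
                   "user " + "." * 20 + " @kikinaynay"]:
        print(repr(sample), "->", evaluate(sample))
```

The second sample fails verify (no @ before the word), the third fails match-around (no "user" in front of it), and the fourth fails match-around because the keyword sits further back than the 15-character match-back window. Python's re module supports the fixed-width lookbehind, which is why the verify pattern can be reused here unchanged.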
Verification

1. Enter any phrase that will match the DLP profile configured on the FortiProxy and click Submit. Example:

       user: @kikinaynay

2. Verify that the replacement message indicates the transfer attempt has been blocked.

3. Review the log that was generated when the attempt was made to send an HTTP POST request containing sensitive keywords:

1: date=2024-06-11 time=11:53:10 eventtime=1718131990428533349 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="keyword" filtertype="sensor" filtercat="message" severity="critical" policyid=1 poluuid="c0a2e814-7ff8-51ee-1815-054bdf34bd03" policytype="policy" sessionid=486254337 epoch=1186366517 eventid=1 srcip=10.40.1.1 srcport=65112 srccountry="Reserved" srcintf="port1" srcintfrole="undefined" srcuuid="0e3359c4-5fa7-51ed-6fd1-9862a5c10176" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url=" https://dlptest.com/http-post/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0" httpmethod="POST" referralurl=" https://dlptest.com/http-post/" profile="keyword"
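To work with these DLP logs outside the FortiProxy (for example in a SIEM or a triage script), the key=value record has to be parsed with care, because quoted values such as agent and url contain spaces and the url value carries a leading space. The following Python snippet is an added example, not FortiProxy code; its sample record is a trimmed copy of the log line above, and the field names it reads (type, subtype, action, rulename, profile and the address fields) are the ones visible in that line.

```python
import re

# Added example, not FortiProxy code: parse a FortiOS-style key=value log
# record (quoted values may contain spaces) and summarise DLP block events.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample: the DLP log shown in Verification, trimmed to the fields
# this example uses. The leading "1: " is the CLI display counter, not a field.
SAMPLE_LOG = (
    '1: date=2024-06-11 time=11:53:10 logid="0954024576" type="utm" subtype="dlp" '
    'eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="keyword" '
    'filtertype="sensor" filtercat="message" severity="critical" policyid=1 '
    'srcip=10.40.1.1 srcport=65112 dstip=35.209.95.242 dstport=443 proto=6 '
    'service="HTTPS" direction="outgoing" action="block" hostname="dlptest.com" '
    'url=" https://dlptest.com/http-post/" '
    'agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0" '
    'httpmethod="POST" profile="keyword"'
)


def parse_log(line):
    """Return the key=value fields of one log line as a dict.

    Quoted values keep their inner spaces; surrounding whitespace is stripped
    (the url field in the sample has a leading space inside its quotes).
    """
    line = re.sub(r"^\d+:\s*", "", line)   # drop the CLI display counter if present
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = (quoted if quoted is not None else raw).strip()
    return fields


def dlp_block_summary(line):
    """Return a short summary dict if the line is a DLP block event, else None."""
    f = parse_log(line)
    if f.get("type") != "utm" or f.get("subtype") != "dlp" or f.get("action") != "block":
        return None
    return {
        "when": f"{f.get('date')} {f.get('time')}",
        "src": f"{f.get('srcip')}:{f.get('srcport')}",
        "dst": f.get("hostname") or f.get("dstip"),
        "url": f.get("url"),
        "rule": f.get("rulename"),
        "profile": f.get("profile"),
        "severity": f.get("severity"),
    }


if __name__ == "__main__":
    print(dlp_block_summary(SAMPLE_LOG))
```

The regex consumes each quoted value as a whole, so an `=` or a space inside the agent string cannot be mistaken for a new field; records whose type, subtype or action differ (ordinary traffic logs, or DLP logs with a log-only action) return None and are left for other handling.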