Fortinet black logo

Administration Guide

Home FortiSASE Administration Guide

Blocking ChatGPT using keywords and FQDN example

Blocking ChatGPT using keywords and FQDN example

Large language models (LLMs), such as GPT, which are a type of Generative AI (GenAI), are widely used in applications like chatbots.

This configuration blocks HTTPS upload traffic to the OpenAI ChatGPT application that includes a sensitive keyword. The predefined data type, keyword, is used in the DLP dictionary.

Note

This example enables Application Control With Inline-CASB and configures it to block QUIC so that the OpenAI server uses TLS 1.3 instead of QUIC. FortiSASE can inspect TLS 1.3 traffic using SSL deep inspection.
Note

You must enable Intrusion Prevention for internet access traffic because Application Control With Inline-CASB features require it to be enabled.
To configure blocking HTTPS upload traffic that includes sensitive keywords:
  1. Go to Configuration > Security.
  2. For Profile Group, create a new profile group using + in the Profile Group dropdown list.
    1. In the Create Profile Group slide-in configure these settings:
      1. In the Name field, enter ChatGPT.
      2. For Initial Configuration, select Basic.
    2. Click OK.
    3. When prompted to select the new entry, click OK.
  3. Disable AntiVirus, Web Filter with Inline-CASB, and DNS Filter using these steps for each security feature:
    1. Click the toggle button next to the security feature widget to disable the feature.
    2. Click OK to confirm disabling the security feature.
  4. In the SSL Inspection widget, ensure deep inspection is enabled:
    1. For SSL inspection, click Customize:
    2. Select Deep Inspection.
    3. Click OK.
  5. Configure Intrusion Prevention:
    1. Enable Intrusion Prevention.
    2. In the Intrusion Prevention widget, click Customize.
    3. Select an IPS profile to apply to traffic. See Intrusion prevention.
  6. Configure Application Control With Inline-CASB:
    1. Enable Application Control With Inline-CASB.
    2. In the Application Control With Inline-CASB widget, click Customize. Do the following:
      1. In the Application Control With Inline-CASB slide-in, in the Application Overrides section, click +Create.
      2. In the Application Overrides slide-in, in the search box, enter QUIC and press Enter.
      3. Select the QUIC entry and click +Add Selected. You should see a green checkmark next to the QUIC entry.
      4. Click OK.
      5. Click OK to save the Application Control settings.
  7. Enable Data Loss Prevention (DLP).
  8. Create a DLP rule:
    1. In the Data Loss Prevention (DLP) widget, click Customize.
    2. In the DLP slide-in, click Create to create a new DLP rule.
    3. In the New Rule slide-in, configure these settings:

      Field

      Value

      Name

      		chatgpt

      Sensors

      		Select DLP sensors. You must create a new DLP sensor and then select it.

      Severity

      		Critical

      Action

      		Block

      Type

      		Message

      Protocol

      		HTTP-POST
    4. Create a new sensor:
      1. Create a new sensor by clicking + next to Sensor.
      2. In the Select Entries slide-in, click + Create to the right to create a new sensor.
      3. In the New Sensor slide-in, configure these settings:

        Field

        Value

        Name

        chatgpt

        Entry matches needed to trigger sensor

        Any

        Table of entries

        Create a new entry.

    5. Create a sensor entry:
      1. Create a new sensor entry by clicking +Create.
      2. In the New Entry slide-in, configure these settings:

        Field

        Value

        ID

        1

        Dictionary

        Select the dictionary for this sensor entry. You must create a new dictionary and then select it.

        Dictionary matches needed to consider traffic DLP risk

        1

        Status

        Enabled

    6. Create a dictionary:
      1. Click the Dictionary field and click +Create to create a new DLP dictionary.
      2. In the New DLP Dictionary slide-in, configure these settings:

        Field

        Value

        Name

        chatgpt

        Entry matches needed to trigger sensor

        All

        Table of Dictionary Entries

        Create two dictionary entries as follows.

    7. Create a dictionary entry with the fortinet keyword by doing the following:
      1. Create a new dictionary entry by clicking +Create.
      2. In the New Entry slide-in, configure these settings:

        Field

        Value

        Type

        keyword

        Pattern

        fortinet

        Case sensitive

        Enable

        Repeat

        Disable

        Status

        Enabled

        The configuration enables Case sensitive to enable ignoring letter case when pattern matching.

    8. Create a dictionary entry with the source code keyword by doing the following:
      1. Create a new dictionary entry by clicking +Create.
      2. In the New Entry slide-in, configure these settings:

        Field

        Value

        Type

        keyword

        Pattern

        source code

        Case sensitive

        Enable

        Repeat

        Disable

        Status

        Enabled

        The configuration enables Case sensitive to enable ignoring letter case when pattern matching.

    9. Click OK several times to complete the customization:
      1. Click OK to create the new dictionary entry.
      2. Click OK to create the DLP dictionary. Click OK when prompted to select the newly created dictionary.
      3. Click OK to create the new sensor entry.
      4. Click OK to create the new sensor. Click OK when prompted to select the newly created sensor. Click Close.
      5. Click OK to create the new DLP rule.
      6. Click OK to complete DLP configuration customization.
  9. Configure the updated profile group in a policy:
    1. Go to Configuration > Policies.
    2. Configure a new policy with these settings:

      Field

      Value

      Name

      ChatGPT

      Source Scope

      All

      Destination

      Specify:

      1. Click +.
      2. In the Select Entries slide-in, click + and create new + IPv4 Host.
      3. In the New Host slide-in, configure these settings:
        1. Location: Unspecified
        2. Name: OpenAI
        3. Type: FQDN
        4. FQDN: chat.openai.com
      4. Click OK to create the new host.
      5. Click OK when prompted to select the newly created host.
      6. Click Close.

      Service

      ALL

      Action

      Accept

      Profile Group

      Specify

      Select ChatGPT

      Status

      Enable

      Log Allowed Traffic

      Enable

      Select All Sessions

    3. Click OK.

  10. Drag the ChatGPT policy to the top of the policy list. Ensure it is placed above Allow-All.

To verify blocking HTTPS upload traffic that includes sensitive keywords is working:
  1. Ensure that your endpoint with FortiClient installed is registered with FortiSASE Endpoint Management Service and that you have established a secure connection to FortiSASE.
  2. On the connected endpoint, open the Chrome web browser in incognito mode.
  3. In the web browser, go to https://chat.openai.com.
  4. Search for any phrase that includes the keywords set up in the DLP dictionary. Since the phrase in HTTP POST traffic includes both sensitive keywords, FortiSASE blocks this traffic to OpenAI and generates a DLP log. Verify the request fails in ChatGPT and an error is generated.

  5. In FortiSASE, go to Analytics > Security > Data Loss Prevention (DLP) and confirm that FortiSASE generated a DLP block log entry that corresponds to your VPN user and visiting https://chat.openai.com.

  6. Go to Analytics > Security > Traffic > Internet Access Traffic and confirm that FortiSASE generated a DLP block log entry that corresponds to your VPN user and visiting https://chat.openai.com.

Previous
Next

Blocking ChatGPT using keywords and FQDN example

Large language models (LLMs), such as GPT, which are a type of Generative AI (GenAI), are widely used in applications like chatbots.

This configuration blocks HTTPS upload traffic to the OpenAI ChatGPT application that includes a sensitive keyword. The predefined data type, keyword, is used in the DLP dictionary.

Note

This example enables Application Control With Inline-CASB and configures it to block QUIC so that the OpenAI server uses TLS 1.3 instead of QUIC. FortiSASE can inspect TLS 1.3 traffic using SSL deep inspection.
Note

You must enable Intrusion Prevention for internet access traffic because Application Control With Inline-CASB features require it to be enabled.
To configure blocking HTTPS upload traffic that includes sensitive keywords:
  1. Go to Configuration > Security.
  2. For Profile Group, create a new profile group using + in the Profile Group dropdown list.
    1. In the Create Profile Group slide-in configure these settings:
      1. In the Name field, enter ChatGPT.
      2. For Initial Configuration, select Basic.
    2. Click OK.
    3. When prompted to select the new entry, click OK.
  3. Disable AntiVirus, Web Filter with Inline-CASB, and DNS Filter using these steps for each security feature:
    1. Click the toggle button next to the security feature widget to disable the feature.
    2. Click OK to confirm disabling the security feature.
  4. In the SSL Inspection widget, ensure deep inspection is enabled:
    1. For SSL inspection, click Customize:
    2. Select Deep Inspection.
    3. Click OK.
  5. Configure Intrusion Prevention:
    1. Enable Intrusion Prevention.
    2. In the Intrusion Prevention widget, click Customize.
    3. Select an IPS profile to apply to traffic. See Intrusion prevention.
  6. Configure Application Control With Inline-CASB:
    1. Enable Application Control With Inline-CASB.
    2. In the Application Control With Inline-CASB widget, click Customize. Do the following:
      1. In the Application Control With Inline-CASB slide-in, in the Application Overrides section, click +Create.
      2. In the Application Overrides slide-in, in the search box, enter QUIC and press Enter.
      3. Select the QUIC entry and click +Add Selected. You should see a green checkmark next to the QUIC entry.
      4. Click OK.
      5. Click OK to save the Application Control settings.
  7. Enable Data Loss Prevention (DLP).
  8. Create a DLP rule:
    1. In the Data Loss Prevention (DLP) widget, click Customize.
    2. In the DLP slide-in, click Create to create a new DLP rule.
    3. In the New Rule slide-in, configure these settings:

      Field

      Value

      Name

      		chatgpt

      Sensors

      		Select DLP sensors. You must create a new DLP sensor and then select it.

      Severity

      		Critical

      Action

      		Block

      Type

      		Message

      Protocol

      		HTTP-POST
    4. Create a new sensor:
      1. Create a new sensor by clicking + next to Sensor.
      2. In the Select Entries slide-in, click + Create to the right to create a new sensor.
      3. In the New Sensor slide-in, configure these settings:

        Field

        Value

        Name

        chatgpt

        Entry matches needed to trigger sensor

        Any

        Table of entries

        Create a new entry.

    5. Create a sensor entry:
      1. Create a new sensor entry by clicking +Create.
      2. In the New Entry slide-in, configure these settings:

        Field

        Value

        ID

        1

        Dictionary

        Select the dictionary for this sensor entry. You must create a new dictionary and then select it.

        Dictionary matches needed to consider traffic DLP risk

        1

        Status

        Enabled

    6. Create a dictionary:
      1. Click the Dictionary field and click +Create to create a new DLP dictionary.
      2. In the New DLP Dictionary slide-in, configure these settings:

        Field

        Value

        Name

        chatgpt

        Entry matches needed to trigger sensor

        All

        Table of Dictionary Entries

        Create two dictionary entries as follows.

    7. Create a dictionary entry with the fortinet keyword by doing the following:
      1. Create a new dictionary entry by clicking +Create.
      2. In the New Entry slide-in, configure these settings:

        Field

        Value

        Type

        keyword

        Pattern

        fortinet

        Case sensitive

        Enable

        Repeat

        Disable

        Status

        Enabled

        The configuration enables Case sensitive to enable ignoring letter case when pattern matching.

    8. Create a dictionary entry with the source code keyword by doing the following:
      1. Create a new dictionary entry by clicking +Create.
      2. In the New Entry slide-in, configure these settings:

        Field

        Value

        Type

        keyword

        Pattern

        source code

        Case sensitive

        Enable

        Repeat

        Disable

        Status

        Enabled

        The configuration enables Case sensitive to enable ignoring letter case when pattern matching.

    9. Click OK several times to complete the customization:
      1. Click OK to create the new dictionary entry.
      2. Click OK to create the DLP dictionary. Click OK when prompted to select the newly created dictionary.
      3. Click OK to create the new sensor entry.
      4. Click OK to create the new sensor. Click OK when prompted to select the newly created sensor. Click Close.
      5. Click OK to create the new DLP rule.
      6. Click OK to complete DLP configuration customization.
  9. Configure the updated profile group in a policy:
    1. Go to Configuration > Policies.
    2. Configure a new policy with these settings:

      Field

      Value

      Name

      ChatGPT

      Source Scope

      All

      Destination

      Specify:

      1. Click +.
      2. In the Select Entries slide-in, click + and create new + IPv4 Host.
      3. In the New Host slide-in, configure these settings:
        1. Location: Unspecified
        2. Name: OpenAI
        3. Type: FQDN
        4. FQDN: chat.openai.com
      4. Click OK to create the new host.
      5. Click OK when prompted to select the newly created host.
      6. Click Close.

      Service

      ALL

      Action

      Accept

      Profile Group

      Specify

      Select ChatGPT

      Status

      Enable

      Log Allowed Traffic

      Enable

      Select All Sessions

    3. Click OK.

  10. Drag the ChatGPT policy to the top of the policy list. Ensure it is placed above Allow-All.

To verify blocking HTTPS upload traffic that includes sensitive keywords is working:
  1. Ensure that your endpoint with FortiClient installed is registered with FortiSASE Endpoint Management Service and that you have established a secure connection to FortiSASE.
  2. On the connected endpoint, open the Chrome web browser in incognito mode.
  3. In the web browser, go to https://chat.openai.com.
  4. Search for any phrase that includes the keywords set up in the DLP dictionary. Since the phrase in HTTP POST traffic includes both sensitive keywords, FortiSASE blocks this traffic to OpenAI and generates a DLP log. Verify the request fails in ChatGPT and an error is generated.

  5. In FortiSASE, go to Analytics > Security > Data Loss Prevention (DLP) and confirm that FortiSASE generated a DLP block log entry that corresponds to your VPN user and visiting https://chat.openai.com.

  6. Go to Analytics > Security > Traffic > Internet Access Traffic and confirm that FortiSASE generated a DLP block log entry that corresponds to your VPN user and visiting https://chat.openai.com.

Previous
Next