
Feature Administration Guide

26.1.40

Blocking HTTPS upload traffic using EDM template example

Exact data matching (EDM) identifies particular data values within an indexed data source that require safeguarding. You can define a dataset in a CSV or TXT file on a server and point FortiSASE to this external resource or upload a CSV or TXT file directly to FortiSASE.

This configuration blocks HTTPS upload traffic that matches an EDM template.

To configure blocking HTTPS upload traffic using an EDM template:
  1. Create a profile group:
    1. Go to Security > Traffic > Security profiles.
    2. For Profile Group, select an existing profile group to edit or create a new profile group using + in the Profile Group dropdown list.
    3. In the Create Profile Group slide-in, configure the following:
      1. In the Name field, enter DLP-EDM-Profile.
      2. For Initial Configuration, select Basic.
      3. Click OK. When prompted to select the new entry, click OK.
  2. Disable all enabled security features (AntiVirus, Web Filter with Inline-CASB, DNS Filter) using these steps for each security feature:
    1. Click the toggle button next to the security feature widget to disable the feature.
    2. Click OK to confirm disabling the security feature.
  3. In the SSL inspection section at the top of the page, ensure deep inspection is enabled:
    1. For SSL inspection, click Configure SSL.
    2. For Inspection mode, select Deep inspection and configure using Fortinet_CA_SSL as the CA certificate.
    3. Click OK.
  4. Configure DLP:

    1. Create a DLP rule:
      1. In the Data Loss Prevention (DLP) widget, click the toggle button to enable this feature, and then click Customize.
      2. In the Data Loss Prevention (DLP) slide-in, click Create to create a new DLP rule.
      3. In the New Rule slide-in, configure these settings:

        Field             Description
        Name              DLP-EDM-1
        Data Source Type  Sensors
        Sensor            DLP sensors. You must create a new DLP sensor and then select it.
        Severity          Critical
        Action            Block
        Type              Message
        Protocol          HTTP-POST

    2. Create a new sensor by clicking + next to Sensor. In the Select Entries slide-in, click + to the right to create a new sensor. In the New DLP Sensor slide-in, configure these settings:

      Field                                   Description
      Name                                    DLP-EDM-1
      Entry matches needed to trigger sensor  Any
      Table of entries                        Create one entry.

    3. Create a sensor entry by clicking Create. In the New Entry slide-in, configure these settings:

      Field                                                   Description
      ID                                                      1
      Sensor                                                  Select the EDM template for this sensor entry. You must create a new EDM template and then select it.
      Dictionary matches needed to consider traffic DLP risk  1
      Status                                                  Enabled

    4. Create an EDM template by clicking the Sensor Entry field, click +, and select Create New > +DLP EDM Template. In the New DLP EDM Template slide-in, configure these settings:

      Field                  Description
      Name                   DLP-EDM-T1
      Resource settings
        Resource type        File upload
        Upload file          Upload the customer_data.csv file by clicking to select the file or by dropping the file into the area provided.
      Match criteria
        +All of these fields Selected:
                             • Column index: 1, Data type: ssn-us
        +Any of these fields Selected:
                             • Minimum number of fields matched: 1
                             • Column index: 3, Data type: edm-keyword
                             • Column index: 9, Data type: edm-keyword
    5. Click View Entries to view the data entries imported from the CSV file.

      When viewing EDM entries, the GUI currently does not validate the entries and displays all entries as Valid. However, a Valid entry must have all values matching the data-type of the specific column. If one value does not match, the entry is invalid and will not be used for pattern matching.

    6. Click OK several times to complete the configuration:

      1. Click OK to create the new DLP template.
      2. Click OK to create the new sensor entry.
      3. Click OK to create the new sensor. You will be prompted to select the newly created sensor.
      4. Click OK to create the new DLP rule.
      5. Click OK to complete DLP configuration customization.

  5. Configure the updated profile group in a policy:
    1. Go to Security > Traffic > Policies.
    2. Create a new policy to apply the profile group to:

      Field                Value
      Name                 DLP-EDM-Policy-1
      Source Scope         All
      Destination          All Internet Traffic
      Service              ALL
      Action               Accept
      Profile Group        Specify, then select DLP-EDM-Profile
      Status               Enable
      Log Allowed Traffic  Enable, then select All Sessions

    3. Click OK.
  6. Drag the DLP-EDM-Policy-1 policy to the top of the policy list. Ensure it is placed above Allow-All.

To verify blocking HTTPS upload traffic using an EDM template is working:
  1. Ensure that your endpoint with FortiClient installed is registered with the FortiSASE Endpoint Management Service and that you have established a secure connection to FortiSASE.
  2. On the connected endpoint, open the Chrome web browser in incognito mode.
  3. In Chrome, go to https://dlptest.ai.
  4. Under Text upload to website, enter John 172-32-1176 and click Submit Text. FortiSASE blocks the upload traffic.
  5. In FortiSASE, go to Operations > Logs > Security > Data Loss Prevention (DLP) and confirm that FortiSASE generated a DLP block log entry corresponding to your agent's visit to https://dlptest.ai.
  6. Go to Operations > Logs > Traffic > Internet Access Traffic and confirm that FortiSASE generated a DLP block log entry corresponding to your agent's visit to https://dlptest.ai.

Prerequisites and considerations

  • When using commonly used SSL-encrypted protocols such as HTTPS, SMTPS, POP3S, IMAPS, and FTPS, you must set SSL inspection to deep inspection. See Certificate and deep inspection modes.
  • In this example, an EDM template named DLP-EDM-T1 is created. During this process, a CSV file (customer_data.csv) is uploaded to FortiSASE.
  • Create the following sample CSV file saved as customer_data.csv on your computer:

    SSN,Last Name,First Name,Address,City,State,ZIP,Phone,Email,CCN
    172-32-1176,Doe,John,10932 Big Rd,Malibu,CA,94025,408-497-7223,jdoe@domain.com,5270-4267-6450-5516
    514-14-8905,Bard,Ashley,4469 Sher St,Golf,KS,66428,785-939-6046,abard@domain.com,5370-4638-8881-302

  • In this example, the EDM template specifies:
    • Column index 1 in the external data threat feed file contains patterns for the ssn-us data type.
    • Column index 3 and 9 contain patterns for the edm-keyword data type.
    • The patterns from column index 1 must match for FortiSASE to take an action.
    • The pattern from either column index 3 or 9 must match for FortiSASE to take an action.
  • Based on the aforementioned template, the DLP profile matches any traffic containing data that corresponds to the SSN in column 1 together with either the First Name in column 3 or the Email in column 9. For instance, if HTTPS upload traffic sent from a personal computer contains '172-32-1176' AND 'John', or '172-32-1176' AND 'jdoe@domain.com', the traffic is blocked and a DLP log is generated.
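The following Python script is an added illustration of the match logic described above; it is not Fortinet code and does not describe how FortiSASE implements EDM internally. It loads a copy of the sample customer_data.csv, applies the template's criteria (all of column 1 as ssn-us, at least 1 of columns 3 or 9 as edm-keyword) to an upload payload, and shows why the verification text "John 172-32-1176" is blocked while a payload that mixes values from two different records is not. Assumptions, labelled in the code: criteria are evaluated per record (the usual EDM semantics); ssn-us and edm-keyword are approximated by simple regular expressions used only to decide whether an entry is Valid; a third, deliberately malformed row is constructed to show an invalid entry being excluded from matching, as the View Entries note warns.

```python
import csv
import io
import re

# Constructed copy of the page's customer_data.csv plus one extra row with a
# malformed SSN (not on the page) to illustrate the entry-validity rule.
CUSTOMER_DATA_CSV = """SSN,Last Name,First Name,Address,City,State,ZIP,Phone,Email,CCN
172-32-1176,Doe,John,10932 Big Rd,Malibu,CA,94025,408-497-7223,jdoe@domain.com,5270-4267-6450-5516
514-14-8905,Bard,Ashley,4469 Sher St,Golf,KS,66428,785-939-6046,abard@domain.com,5370-4638-8881-302
BAD-SSN,Roe,Jane,1 Test Ln,Nowhere,TX,75001,555-010-0000,jroe@domain.com,4111-1111-1111-1111
"""

# Assumption: simplified stand-ins for the ssn-us and edm-keyword data types.
# They decide only whether an entry's value fits its column (Valid/invalid).
DATA_TYPES = {
    "ssn-us": re.compile(r"\d{3}-\d{2}-\d{4}"),
    "edm-keyword": re.compile(r"\S+"),
}

# The DLP-EDM-T1 match criteria from the page. Column indexes are 1-based,
# as shown in the GUI.
TEMPLATE = {
    "all_of": [(1, "ssn-us")],
    "any_of": {"min_fields": 1, "fields": [(3, "edm-keyword"), (9, "edm-keyword")]},
}


def load_entries(csv_text, template=TEMPLATE):
    """Parse the CSV (header row skipped) and split rows into valid entries,
    whose every templated column fits its data type, and invalid entries,
    which are excluded from matching."""
    rows = list(csv.reader(io.StringIO(csv_text)))[1:]
    typed_cols = template["all_of"] + template["any_of"]["fields"]
    valid, invalid = [], []
    for row in rows:
        ok = all(DATA_TYPES[dtype].fullmatch(row[idx - 1]) for idx, dtype in typed_cols)
        (valid if ok else invalid).append(row)
    return valid, invalid


def matches_template(payload, entries, template=TEMPLATE):
    """Return the first record whose values satisfy the template, or None.
    Assumption: EDM evaluates the criteria against values of one record, so an
    SSN from one row combined with a first name from another row is no match.
    Comparison is exact (case-sensitive), in keeping with exact data matching."""
    tokens = {t.strip(".") for t in re.findall(r"[A-Za-z0-9@._-]+", payload)}
    for row in entries:
        if not all(row[idx - 1] in tokens for idx, _ in template["all_of"]):
            continue
        hits = sum(row[idx - 1] in tokens for idx, _ in template["any_of"]["fields"])
        if hits >= template["any_of"]["min_fields"]:
            return row
    return None


def decide(payload, csv_text=CUSTOMER_DATA_CSV, template=TEMPLATE):
    """Apply the rule DLP-EDM-1 to an HTTP-POST body: a sensor hit means Block."""
    entries, _ = load_entries(csv_text, template)
    return "block" if matches_template(payload, entries, template) else "allow"


if __name__ == "__main__":
    valid, invalid = load_entries(CUSTOMER_DATA_CSV)
    print(f"valid entries: {len(valid)}, invalid entries: {len(invalid)}")
    for text in ["John 172-32-1176",                      # the page's verification step
                 "contact jdoe@domain.com re 172-32-1176",  # SSN + email from the same record
                 "Ashley 172-32-1176",                     # SSN and name from different records
                 "John Doe lives at 10932 Big Rd",         # no SSN, so the all-of criterion fails
                 "Jane BAD-SSN"]:                          # only the invalid entry would match
        print(f"{text!r:45} -> {decide(text)}")
```

Running the script prints "block" for the first two payloads and "allow" for the rest. The last two cases are the ones worth remembering when a test upload unexpectedly passes: the all-of column must be present, and an entry whose column value does not fit the declared data type contributes nothing even though the GUI lists it as Valid.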
