Implementing the Data Loss Prevention (DLP) WAF Module in FortiADC

LoGan070raGnaR

Data Loss Prevention

  • The DLP module prevents sensitive data from leaving or entering your network by scanning traffic that passes through the FortiADC for sensitive data patterns.

  • The DLP module is configured based on the following components:

    • DLP Policy

    • Sensitive Data Type

    • DLP Sensor

      • Note: This DLP component requires the FortiGuard DLP service to be enabled.
    • DLP Dictionary

      • Note: This DLP component requires the FortiGuard DLP service to be enabled.
  • Note:

    • Data Loss Prevention can still function without the FortiGuard DLP service. You can still configure a DLP Policy to defend against data loss using only Sensitive Data Type.

    • In the backend, DLP uses Hyperscan, which matches many patterns in a single pass over the data. This lets DLP scale to large pattern sets without a performance penalty.

To deploy Data Loss Prevention, follow the workflow below:

  1. Configure the DLP Dictionary to define the collection of data type entries to use in the DLP Sensor.

  2. Configure the DLP Sensor to define which dictionary to check.

  3. Configure the Sensitive Data Type to define the type of pattern that DLP is trying to match.

  4. Configure the DLP Policy to define the rules for matching a sensor or sensitive data type.

  5. Apply the DLP Policy to a WAF profile.

FortiGuard DLP service

  • This service allows FortiADC to download DLP signatures directly from FortiGuard to enrich the FortiADC DLP signature data types.

    • It uses a customizable database of more than 500 predefined data patterns and policies.

    • The database holds predefined DLP patterns such as data types, dictionaries, and sensors.

  • If the HTTP payload or files passing through FortiADC contain data that matches the patterns defined in these dictionaries, FortiADC will initiate specified actions to safeguard the data.

  • Note:

    • To check the version of the FortiGuard DLP database, go to System > FortiGuard > Data Loss Prevention (DLP).

Configure the DLP Dictionary to define the collection of data type entries to use in the DLP Sensor

  • A DLP dictionary defines the patterns of data. The term "pattern" denotes a set of attributes specific to a given data type.

  • E.g.,

    • Credit card numbers constitute numeric data that follow either the 14-digit or 16-digit patterns associated with credit cards. If the data adheres to these patterns, FortiADC will identify it as a match.
  • Predefined DLP Dictionary object & FortiGuard Data Types

DLP Dictionary object | FortiGuard Data Types | Description
aus-abn-dict | aus-abn | Australia Business Number Dictionary
aus-health_id-dict | aus-health_id | Australia Health account number Dictionary
aus-pass-dict | aus-pass | Australia Passport Dictionary
aus-tin-dict | aus-tin | Australia Tax File Number (TFN) Dictionary
aut-pass-dict | aut-pass | Austria Passport Dictionary
aut-ssn-dict | aut-ssn | Austria Social Security Number Dictionary
aut-tin-dict | aut-tin | Austria tax identification number Dictionary
aut-vatin-dict | aut-vatin | Austria VATIN Dictionary
balkans-natl_id-umcn-dict | balkans-natl_id-umcn | Unique Master Citizen Number (Various countries in Balkan region [Former Yugoslavia])
bel-natl_id-dict | bel-natl_id | Belgium National Identification number Dictionary
bel-tin-dict | bel-tin | Belgium Tax Identification Number Dictionary
bel-vatin-dict | bel-vatin | Belgium value added tax number (VATIN) Dictionary
bgr-ucn_id-dict | bgr-ucn_id | Bulgaria Uniform Civil Number Dictionary
bra-cnpj-dict | bra-cnpj | Brazil CNPJ Number Dictionary
bra-cpf-dict | bra-cpf | Brazil Cadastro de Pessoas Físicas (CPF) Number Dictionary
bra-dl-dict | bra-dl | Brazil Driver's License Number (CNH) Dictionary
can-bank_account-dict | can-bank_account | Canadian Bank Account Dictionary
can-dl-dict | can-dl-ab, can-dl-bc, can-dl-mb, can-dl-nb, can-dl-nl-1, can-dl-nl-2, can-dl-ns, can-dl-nt, can-dl-nu, can-dl-on, can-dl-pe-1, can-dl-pe-2, can-dl-qc, can-dl-sk, can-dl-yt | Canadian Driver's License Dictionary
can-health_service-dict | can-health_service | Canadian Health Service Dictionary
can-natl_id-sin-dict | can-natl_id-sin | Canadian SIN Card Number Dictionary
can-pass-dict | can-pass | Canadian Passport Dictionary
can-phin-dict | can-phin, can-phin-ab, can-phin-bc, can-phin-mb, can-phin-nb, can-phin-nl, can-phin-ns, can-phin-nt, can-phin-nu, can-phin-on, can-phin-pe, can-phin-qc, can-phin-sk, can-phin-yt | Canadian Personal Health Identification Number Dictionary
che-natl_id-ahv-dict | che-natl_id-ahv | Swiss Social Security Number (AHV/AVS Number) Dictionary
chn-dl-dict | chn-dl | China Driver's License Number Dictionary
chn-license-plate-dict | chn-license-plate | China License Plate Number
chn-natl_id-dict | chn-natl_id | China National ID Card
deu-dl-dict | deu-dl | Germany driving license number Dictionary
deu-tin-dict | deu-tin | Germany tax identification number / Steuerliche Identifikationsnummer Dictionary
deu-vatin-dict | deu-vatin | Germany VAT / Umsatzsteuer Identifikationsnummer Dictionary
dnk-natl_id-dict | dnk-natl_id | Denmark national ID number (CPR) Dictionary
esp-natl_id-dict | esp-natl_id | Spain national ID number Dictionary
esp-pass-dict | esp-pass | Spain Passport Dictionary
esp-tin-cif-dict | esp-tin-cif | Spain Tax Identification Certificate (CIF) Dictionary
esp-tin-dict | esp-tin | Spain Tax Identification Number Dictionary
fin-natl_id-dict | fin-natl_id | Finland Personal Identity Codes/Numbers Dictionary
fin-tin-dict | fin-tin | Finland Tax Identification Number Dictionary
fra-dl-dict | fra-dl | France Driver's License Number Dictionary
fra-natl_id-dict | fra-natl_id | France National ID Dictionary
fra-pass-dict | fra-pass | France Passport Dictionary
fra-tin-dict | fra-tin | France tax identification number Dictionary
fra-vatin-dict | fra-vatin | France VAT Dictionary
gbr-nino-dict | gbr-nino | UK National Insurance Number Dictionary
glb-cc-dict | glb-cc-amex, glb-cc-bcgl, glb-cc-cabl, glb-cc-dinr, glb-cc-disc, glb-cc-inst, glb-cc-jcb, glb-cc-kloc, glb-cc-lasr, glb-cc-maes, glb-cc-mc, glb-cc-solo, glb-cc-unionpay, glb-cc-visa, glb-cc-vsmc | Global Credit Card Dictionary
glb-swift-dict | aus-swift, chn-swift, deu-swift, fra-swift, jpn-swift, uk-swift, usa-swift | Global SWIFT Codes Dictionary
grc-tin-dict | grc-tin | Dictionary for Greece Tax Identification Number (AFM)
hkg-natl_id-dict | hkg-natl_id | Hong Kong Citizen ID Card Number Dictionary
hrv-tin-dict | hrv-tin | Croatia tax identification number Dictionary
hun-tin-dict | hun-tin | Hungary Tax Identification Number Dictionary
idn-tin-dict | idn-tin | Indonesia tax identification number Dictionary
ind-natl_id-dict | ind-natl_id | Indian National ID Number Dictionary
irl-tin-ppsn-dict | irl-tin-ppsn | Ireland tax identification number / Personal Public Service Number (PPSN) Dictionary
irl-vatin-dict | irl-vatin | Ireland VAT/CBL Dictionary
isl-natl_id-dict | isl-natl_id | Iceland Personal Identification Number Dictionary
isr-natl_id-dict | isr-natl_id | Israel National ID Number (Teudat Zehut) Dictionary
ita-dl-dict | ita-dl | Italy driving license number Dictionary
ita-fiscal-code-dict | ita-fiscal-code | Italy Fiscal Code Dictionary
ita-pass-dict | ita-pass | Italy Passport Dictionary
jpn-cn-dict | jpn-cn | Japan Corporate Number Dictionary
jpn-dl-dict | jpn-dl | Japan driving license number Dictionary
jpn-health_id-dict | jpn-health_id | Japan Health Insurance Number
jpn-mn-dict | jpn-mn | Japan My Number Dictionary
jpn-pass-dict | jpn-pass | Japan Passport Dictionary
jpn-rrn-dict | jpn-rrn | Japan Resident Registration Number Dictionary
kor-dl-dict | kor-dl | Korea driving license number Dictionary
kor-natl_id-dict | kor-natl_id | Korean national ID number Dictionary
kor-pass-dict | kor-pass | South Korea Passport Dictionary
lux-tin-dict | lux-tin | Luxembourg tax identification number Dictionary
lux-vatin-dict | lux-vatin | Luxembourg VAT Dictionary
mex-bank_code-dict | mex-bank_code | Mexico standardized bank code number (CLABE)
mex-curp-dict | mex-curp | Mexico Unique Population Code (CURP) Dictionary
mys-natl_id-dict | mys-natl_id | Malaysia national ID number Dictionary
nld-natl_id-bsn-dict | nld-natl_id-bsn | Netherlands Burgerservicenummer (BSN) Dictionary
nld-vatin-dict | nld-vatin | Netherlands VAT
nzl-health_id-dict | nzl-health_id | New Zealand National Health Index Number (NHI)
nzl-tin-dict | nzl-tin | New Zealand tax identification number Dictionary
per-tin-dict | per-tin | Peru tax identification number Dictionary
pol-krs-dict | pol-krs | Poland KRS Number
pol-natl_id-dict | pol-natl_id | Poland national ID number Dictionary
pol-regon-dict | pol-regon | Poland REGON Number Dictionary
pol-tin-dict | pol-tin | Poland Tax Identification Number (NIP Number) Dictionary
prt-tin-dict | prt-tin | Portugal tax identification number / Número de Identificação Fiscal (NIF) Dictionary
sec-cisco_config | | Cisco configuration file Dictionary
sec-fortigate_config | | FortiGate Configuration File Dictionary
sgp-natl_id-dict | sgp-natl_id | Singapore National Registration Identity Card (NRIC) Dictionary
source_code-c | | C Source Code Dictionary
source_code-go | | Golang Source Code Dictionary
source_code-java | | Java Source Code Dictionary
source_code-powershell | | PowerShell Source Code Dictionary
source_code-python | | Python Source Code Dictionary
swe-natl_id-dict | swe-natl_id | Sweden Personal Identity Number Dictionary
swe-tin-dict | swe-tin | Sweden Tax Identification Number Dictionary
tha-natl_id-dict | tha-natl_id | Thai national ID number Dictionary
twn-natl_id-dict | twn-natl_id | Taiwan ID Number Dictionary
uk-dl-dict | uk-dl | UK driving license number Dictionary
uk-pass-dict | uk-pass | UK Passport Dictionary
usa-aba_rtn-dict | usa-aba_rtn | USA ABA Routing Number Dictionary
usa-dl-dict | usa-dl-ak, usa-dl-al, usa-dl-ar, usa-dl-az, usa-dl-ca, usa-dl-co, usa-dl-ct, usa-dl-dc, usa-dl-de, usa-dl-fl, usa-dl-ga, usa-dl-hi, usa-dl-ia, usa-dl-id, usa-dl-il, usa-dl-in, usa-dl-ks, usa-dl-ky, usa-dl-la, usa-dl-ma, usa-dl-md, usa-dl-me, usa-dl-mi, usa-dl-mn, usa-dl-mo, usa-dl-ms, usa-dl-mt, usa-dl-nc, usa-dl-nd, usa-dl-ne, usa-dl-nh, usa-dl-nj, usa-dl-nm, usa-dl-nv, usa-dl-ny, usa-dl-oh, usa-dl-ok, usa-dl-or, usa-dl-pa, usa-dl-ri, usa-dl-sc, usa-dl-sd, usa-dl-tn, usa-dl-tx, usa-dl-ut, usa-dl-va, usa-dl-vt, usa-dl-wa, usa-dl-wi, usa-dl-wv, usa-dl-wy | USA Driver's License Dictionary
usa-mbi-dict | usa-mbi | USA Medicare Beneficiary Identifier Dictionary
usa-natl_id-ssn-dict | usa-natl_id-ssn | USA SSN Card Number Dictionary
usa-npi-dict | usa-npi | USA National Provider Identifier (NPI) Dictionary
usa-pass-dict | usa-pass-1, usa-pass-2 | USA Passport Dictionary
usa-tin-itin-dict | usa-tin-itin | USA individual taxpayer identification number (ITIN)
Some missing | deu-iban, fra-iban, gbr-health_id, hrv-natl_id, sec-jwt_token, uk-iban, usa-natl_id-prox |
  • Setting in FortiADC (Web Application Firewall > Data Loss Prevention > DLP Dictionary)

  • config security waf dlp-dictionary
config security waf dlp-dictionary
    edit <name>
        set match-type {any|all}
        set description <string>
        config entries
            edit <name>
                set status {enable|disable}
                set fg-data-type {uk-iban|can-natl_id-sin|luhn-algo|can-natl_id-prox|can-pass|usa-pass-1|usa-pass-2|uk-pass|aus-pass|fra-pass|jpn-pass|can-health_service|can-phin|glb-cc-amex|glb-cc-bcgl|glb-cc-cabl|glb-cc-dinr|glb-cc-inst|glb-cc-jcb|glb-cc-kloc|glb-cc-lasr|glb-cc-maes|glb-cc-solo|glb-cc-disc|glb-cc-mc|glb-cc-visa|glb-cc-vsmc|usa-natl_id-ssn|can-dl-ab|can-dl-bc|can-dl-mb|can-dl-nb|can-dl-nl-2|can-dl-nl-1|can-dl-nt|can-dl-nu|can-dl-pe-1|can-dl-pe-2|can-dl-qc|can-dl-sk|can-dl-yt|usa-dl-al|usa-dl-ak|usa-dl-az|usa-dl-ar|usa-dl-co|usa-dl-ct|usa-dl-de|usa-dl-dc|usa-dl-fl|usa-dl-ga|usa-dl-hi|usa-dl-id|usa-dl-il|usa-dl-in|usa-dl-ia|usa-dl-ks|usa-dl-ky|usa-dl-la|usa-dl-me|usa-dl-md|usa-dl-ma|usa-dl-mi|usa-dl-mn|usa-dl-ms|usa-dl-mo|usa-dl-ne|usa-dl-nv|usa-dl-nh|usa-dl-nj|usa-dl-nm|usa-dl-ny|usa-dl-nc|usa-dl-oh|usa-dl-ok|usa-dl-or|usa-dl-pa|usa-dl-ri|usa-dl-sc|usa-dl-sd|usa-dl-tn|usa-dl-tx|usa-dl-ut|usa-dl-vt|usa-dl-va|usa-dl-wv|usa-dl-wi|usa-dl-wy|can-bank_account|usa-natl_id-prox|can-dl-ns|can-dl-on|usa-dl-ca|jpn-swift|usa-swift|usa-dl-nd|usa-dl-wa|uk-swift|deu-swift|fra-swift|aus-swift|chn-swift|can-sin}
                set repeat {enable|disable}
            next
        end
    next
end
  • status - Enable it if you intend to apply this data type.

  • repeat - Enable this option if you want to match data only when it appears multiple times. With this option enabled, you can specify the number of occurrences in the DLP Sensor settings.

Configure the DLP Sensor to define which dictionary to check

  • A DLP Sensor defines which dictionaries to check. You can match any dictionary or all dictionaries. It can also count the number of dictionary matches to trigger the sensor.

  • Setting in FortiADC (Web Application Firewall > Data Loss Prevention > DLP Sensor)

  • count - Specify the occurrence threshold for the dictionary match. The sensor is triggered when the dictionary matches the specified number of times. Default: 1. Range: 1-255.

    • For example, if the dictionary applies to credit card numbers and the count is set to 4, the sensor is triggered when a credit card number occurs four times in the HTTP request or response.
  • config security waf dlp-sensors

config security waf dlp-sensors
    edit <name>
        set match-type {any|all}
        set description <string>
        config entries
            edit <name>
                set status {enable|disable}
                set dlp-dictionary <datasource>
                set count <integer>
            next
        end
    next
end

Configure the Sensitive Data Type to define the type of pattern that DLP is trying to match

  • A Sensitive Data Type object is referenced in a DLP policy to prevent information leaks, damage and loss by specifying, as a regular expression, the strings that count as sensitive data.

  • Predefined Sensitive Data Type objects

  • To define your own:

  • config security waf sensitive-data-type
config security waf sensitive-data-type
    edit <name>
        set regex <string>
        set description <string>
    next
end

Configure the DLP Policy to define the rules for matching a sensor or sensitive data type

  • The Data Loss Prevention (DLP) feature allows the Web Application Firewall (WAF) to prevent information leaks, damage and loss. DLP provides desensitization and warning measures for sensitive information leaks on websites, such as SSN numbers and credit card information, as well as the leakage of sensitive keywords.

  • You can create a DLP Policy to match a sensor based on file content or an HTTP Payload, and the email protocol being used to attach files. It also allows you to choose the action to allow, log, or block the IP address.

  • Setting in FortiADC (Web Application Firewall > Data Loss Prevention > DLP Policy)

  • URI Pattern - Specify the URI pattern for the Data Loss Prevention rule. An empty value means this rule does not take effect.

  • Threshold - The rule does not take effect until the target data exceeds the threshold's specified value. This does not work if Masking is enabled.

  • Masking - Enable masking to replace sensitive data with asterisks (*). Default is disable. When masking is enabled, all target data is replaced by asterisks, so the threshold value does not take effect. Masking only works when the action is alert: when the action is set to "deny" or "block," the connection is rejected, so no target data is replaced.

  • config security waf data-leak-prevention

config security waf data-leak-prevention
    edit <name>
        set status {enable|disable}
        set masking {enable|disable}
        set action {alert|deny|block|silent-deny|captcha|<datasource>}
        set severity {high|medium|low}
        config rule
            edit <name>
                set request-uri-pattern <string>
                set type {sdt|sensors}
                set sensor <datasource>
                set sensitive-data-type <datasource>
                set threshold <integer>
            next
        end
    next
end

Apply the DLP Policy to a WAF Profile

  • Setting in FortiADC (Web Application Firewall > WAF Profile)

Apply the WAF Profile to a Virtual Server

  • Setting in FortiADC (Server Load Balance > Virtual Server > Security > WAF Profile)
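As an added end-to-end example (not from the original post or from Fortinet's documentation), the four CLI templates above chained together: a one-entry dictionary, a sensor that counts its matches, a custom sensitive data type, and a policy that references both. The object names, the regex and the URI pattern are assumptions; the keywords and values are the ones this page shows, and since the dictionary and sensor each hold a single entry, match-type is left at its default. Attaching the policy to a WAF profile and the profile to a virtual server is done from the GUI paths listed above.

```cli
# 1. Dictionary with one FortiGuard data type (requires the FortiGuard DLP service)
config security waf dlp-dictionary
    edit "cc-dict"
        config entries
            edit "visa"
                set status enable
                set fg-data-type glb-cc-visa
                set repeat enable
            next
        end
    next
end
# 2. Sensor: triggers when cc-dict matches 4 times in one request or response
config security waf dlp-sensors
    edit "cc-sensor"
        config entries
            edit "cc"
                set status enable
                set dlp-dictionary "cc-dict"
                set count 4
            next
        end
    next
end
# 3. Custom sensitive data type (works without FortiGuard); assumed format PRJ-2024-0042
config security waf sensitive-data-type
    edit "internal-project-code"
        set regex "PRJ-[0-9]{4}-[0-9]{4}"
    next
end
# 4. Policy: masking requires action alert and overrides any rule threshold
config security waf data-leak-prevention
    edit "dlp-pol-1"
        set status enable
        set masking enable
        set action alert
        config rule
            edit "cards"
                set request-uri-pattern "/api/.*"
                set type sensors
                set sensor "cc-sensor"
            next
            edit "project-codes"
                set request-uri-pattern "/api/.*"
                set type sdt
                set sensitive-data-type "internal-project-code"
            next
        end
    next
end
```

With masking enabled, matched card numbers and project codes in responses under /api/ are replaced with asterisks and logged; to enforce a count-based rule instead, set masking disable, add a threshold to the rule, and choose deny or block as the action.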