Technical Tip: DLP regex for blocking Ontario OHIP card numbers

Below regex pattern below can be used to block Ontario health card numbers:

config dlp dictionary
    edit "regex"

        set uuid 123444
            config entries
                edit 1

                    set type "g-regex"

                    set pattern "(?i:\\b[0-9]{4} [0-9]{3} [0-9]{3}[A-Z]{0,2}\\b)"

                    set repeat enable

                next
                edit 2

                    set type "g-regex"

                    set pattern "(?i:\\b[0-9]{4}-[0-9]{3}-[0-9]{3}[A-Z]{0,2}\\b)"

                    set repeat enable

                next
                edit 3

                    set type "g-regex"

                    set pattern "(?i:\\b[0-9]{10}[A-Z]{0,2}\\b)"

                    set repeat enable

                next

            end

    next

end

Note: If the sensor count value is set to 4, it will require 4 matches and trigger the DLP action.

Below is the dictionary 'regex' in the DLP sensor :

config dlp sensor
    edit "ohip"
        config entries
            edit 1
                set dictionary "regex"
            next
        end
    next
end

Now, put the sensor below in the DLP profile:

config dlp profile
    edit "ontario-ohip"
        set feature-set proxy
            config rule
                edit 1
                    set name "ohip"
                    set severity high
                    set type message
                    set proto smtp pop3 imap http-post nntp
                    set filter-by sensor
                    set sensor "ohip"
                    set action block
                next
            end
    next
end

The above DLP profile 'ontario-ohip' can be used in the Proxy base firewall policy to block the OHIP card numbers.