RBA
July 24, 2022

Technical Tip: How to block Aadhaar and PAN number using DLP
Description: This article describes how to block Aadhaar and PAN numbers using regular expressions in a DLP sensor or profile.
Scope: FortiGate.
Solution:

FortiGate v7.0.x and below:
Aadhaar is a 12-digit number whose first digit is neither 0 nor 1 (so it is in the range 2 to 9).

It contains no letters and is conventionally written as three groups of four digits separated by a space.

 

Below is a regular expression that can be used to identify Aadhaar:


^[2-9]{1}[0-9]{3}\\s[0-9]{4}\\s[0-9]{4}$ <----- (^ start of string, $ end of string; the doubled backslash is CLI quoting, the engine sees a single \s).

Because of the ^ and $ anchors this pattern only matches when the Aadhaar number is the entire text being examined; a number embedded in surrounding text will not match. The v7.2 pattern further down uses \b word boundaries instead, which match the number wherever it appears as a separate token.

 

PAN is 10 characters long; the first 5 characters and the tenth character are upper-case letters.

The sixth to ninth characters are digits from 0 to 9. Note that the pattern below has no anchors or word boundaries, so it also matches a 5-letter, 4-digit, 1-letter run inside a longer upper-case alphanumeric string (for example inside a hash or an encoded token); expect some false positives and consider wrapping it in \b if the engine supports it (the v7.2 example below uses \b).

 

Below is a regular expression that can be used for PAN:


[A-Z]{5}[0-9]{4}[A-Z]{1}

 

Configuration would be as follows (in v7.0 the sensor is then referenced from the firewall policy with set dlp-sensor, and the policy must be in proxy inspection mode):

 

config dlp sensor
    edit "PanAadhaarTest"
        set feature-set proxy
        config filter
            edit 1
                set name "PanPattern"
                set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                set filter-by regexp
                set regexp "[A-Z]{5}[0-9]{4}[A-Z]{1}"
                set action block
            next
            edit 2
                set name "AadhaarPattern"
                set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                set filter-by regexp
                set regexp "^[2-9]{1}[0-9]{3}\\s[0-9]{4}\\s[0-9]{4}$"
                set action block
            next
        end
        set extended-log enable
    next
end

 

FortiGate v7.2.x and above:

The regular expression \b[2-9]{1}[0-9]{3}\s[0-9]{4}\s[0-9]{4}\b matches the 12-digit Aadhaar format described above.

Here is a breakdown of the components, in order:

  • \b: Asserts a word boundary so that the pattern matches as a whole token and not as part of a longer run of digits or letters.
  • [2-9]{1}: The first digit of the Aadhaar number must be in the range 2 to 9 (0 and 1 are excluded).
  • [0-9]{3}: The next three digits, any digit from 0 to 9.
  • \s: A single whitespace character separating the first and second group of four digits.
  • [0-9]{4}: The next four digits, any digit from 0 to 9.
  • \s: The whitespace separating the second and third group.
  • [0-9]{4}: The final four digits, any digit from 0 to 9.
  • \b: A word boundary at the end of the pattern.

 

If a space is not required between the groups, '\s' can be omitted; to accept both the spaced and the unspaced form, make it optional with '\s?'.
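As an added example (not Fortinet code and not part of the original article), the following Python script exercises the patterns from both the v7.0 section (anchored with ^ and $) and the v7.2 section (bounded with \b) against constructed strings, shows the effect of making the separator optional with \s?, and applies the Verhoeff check digit that real Aadhaar numbers carry, which a regular expression alone cannot verify. Python's re module stands in for the FortiGate regex engine, so use this to reason about the patterns, not as a simulation of the appliance; the sample numbers and strings are constructed.

```python
"""Exercise the Aadhaar and PAN regular expressions from this article.

Added example, not Fortinet code.  Python's re module stands in for the
FortiGate regex engine.  All sample strings below are constructed.
"""
import re

# Patterns as written in the article.  The doubled backslashes in the
# FortiGate CLI are only quoting; the engine sees a single \s and \b.
AADHAAR_ANCHORED = re.compile(r"^[2-9]{1}[0-9]{3}\s[0-9]{4}\s[0-9]{4}$")   # v7.0 section
AADHAAR_BOUNDED = re.compile(r"\b[2-9]{1}[0-9]{3}\s[0-9]{4}\s[0-9]{4}\b")  # v7.2 section
# Variant with the group separator made optional (\s?) so that the unspaced
# form 234512345670 is caught as well.
AADHAAR_OPTIONAL_SPACE = re.compile(r"\b[2-9][0-9]{3}\s?[0-9]{4}\s?[0-9]{4}\b")

PAN = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]{1}")          # as written in the article
PAN_BOUNDED = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")  # with word boundaries added

# Verhoeff check-digit tables.  The last digit of an Aadhaar number is a
# Verhoeff check digit; a regex cannot verify it, so applying the checksum
# after a regex hit removes most random 12-digit false positives.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]


def verhoeff_valid(number: str) -> bool:
    """True if the digits of `number` (spaces allowed) pass the Verhoeff check."""
    digits = [int(c) for c in number if c.isdigit()]
    check = 0
    for i, d in enumerate(reversed(digits)):
        check = _D[check][_P[i % 8][d]]
    return check == 0


def matches(pattern: re.Pattern, text: str) -> bool:
    """True if the pattern occurs anywhere in text, which is what a DLP scan asks."""
    return pattern.search(text) is not None


def find_aadhaar(text: str, require_valid_checksum: bool = True) -> list[str]:
    """Aadhaar-looking numbers in text, optionally filtered by the Verhoeff check."""
    hits = AADHAAR_OPTIONAL_SPACE.findall(text)
    if require_valid_checksum:
        hits = [h for h in hits if verhoeff_valid(h)]
    return hits


def find_pan(text: str) -> list[str]:
    """PAN-looking tokens in text, using the word-bounded pattern."""
    return PAN_BOUNDED.findall(text)


if __name__ == "__main__":
    # Constructed samples: 2345 1234 5670 passes the Verhoeff check, ...5678 does not.
    for text in ["2345 1234 5670", "Aadhaar: 2345 1234 5670 attached",
                 "234512345670", "12345 1234 5670"]:
        print(f"{text!r:40} anchored={matches(AADHAAR_ANCHORED, text)} "
              f"bounded={matches(AADHAAR_BOUNDED, text)} "
              f"optional_space={matches(AADHAAR_OPTIONAL_SPACE, text)}")
    print(find_aadhaar("ids 2345 1234 5670 and 2345 1234 5678"))
    for text in ["PAN ABCDE1234F on file", "XABCDE1234FX"]:
        print(f"{text!r:40} plain={matches(PAN, text)} bounded={matches(PAN_BOUNDED, text)}")
```

The anchored v7.0 pattern only fires when the number is the whole string, the \b version fires on a number embedded in text but still rejects a 13-digit run, and the unbounded PAN pattern matches inside "XABCDE1234FX" where the bounded one does not. The checksum step is not something the FortiGate regex can express; it is shown here so a practitioner can judge how many regex hits in a sample are plausible Aadhaar numbers before tuning the sensor.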

Configuration would be as follows:

  1. Create a DLP data-type holding the regular expression:


config dlp data-type
    edit "aadhardatatype"
        set pattern "\\b[2-9]{1}[0-9]{3}\\s[0-9]{4}\\s[0-9]{4}\\b"
    next
end

  2. Create a dictionary and reference the data-type in it:

 

config dlp dictionary
    edit "adaharD"
        set uuid 2ed699c0-7fd6-51ee-3d8f-c0b5eb5a7786
        config entries
            edit 1
                set type "aadhardatatype"
            next
        end
    next
end

  3. Create a DLP sensor and reference the dictionary in it:


config dlp sensor
    edit "adaharS"
        config entries
            edit 1
                set dictionary "adaharD"
            next
        end
    next
end

 

  4. Create a DLP profile and reference the sensor in a rule. The rule below uses set type message, which inspects message content such as a mail body or HTTP POST data; to inspect the contents of uploaded files and attachments as well, add a second rule with set type file:


config dlp profile
    edit "Aadhar"
        set feature-set proxy         <----- must be proxy
        config rule
            edit 1
                set name "Aadhar"
                set severity high
                set type message
                set proto smtp pop3 imap http-post nntp
                set filter-by sensor
                set sensor "adaharS"
                set action block
            next
        end
    next
end

 

  5. Create a firewall policy in proxy inspection mode and apply the DLP profile to it, with a deep-inspection SSL/SSH profile so that HTTPS content can be examined:

config firewall policy
    edit 1
        set name "DLP"
        set uuid 3d2f855e-7fcc-51ee-bfac-7a4a39c35007
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy         <----- must be proxy
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dlp-profile "Aadhar"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end

 

Logs can be viewed on the CLI using the following commands (category 9 selects the DLP log category):

execute log filter category
execute log filter category 9
execute log display

 

A sample DLP log entry on the firewall (this one was generated by the v7.0 sensor above, as the profile and filtername fields show; filtercat="file" and filename="pantest.pdf" indicate the pattern matched inside an uploaded file) looks as follows:

 

date=2022-07-14 time=06:33:35 eventtime=1657773215509591580 tz="+0200" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="PanPattern" dlpextra="[A-Z]{5}[0-9]{4}[A-Z]{1}" filtertype="regexp" filtercat="file" severity="medium" policyid=510 poluuid="cecaa58e-fa03-51ec-bcea-8657ec4be58c" policytype="policy" sessionid=41039178 epoch=245069 eventid=0 srcip=172.31.x.x srcport=50048 srccountry="Reserved" srcintf="port2" srcintfrole="lan" srcuuid="29c7feb8-aa9b-51ec-5f54-f5baa989484f" dstip=88.99.68.112 dstport=443 dstcountry="Germany" dstintf="port1" dstintfrole="undefined" dstuuid="29c7feb8-aa9b-51ec-5f54-f5baa989484f" proto=6 service="HTTPS" filetype="unknown" direction="outgoing" action="block" hostname="convertioxx.me" url="edited out" agent="Chrome/102.0.0.0" filename="pantest.pdf" filesize=11 profile="PanAadhaarTest"
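As an added example (not Fortinet code and not part of the original article), a small Python parser for the FortiGate key=value log format shown above, run over the article's own log line (addresses and the URL left exactly as the article prints them) plus one constructed variant, to pull out the fields a responder wants first: whether the transfer was blocked, which filter and pattern fired, the destination, and the file name. The quoted-value handling matters because the dlpextra field carries the regular expression itself, including brackets and braces.

```python
"""Parse FortiGate DLP log lines (key=value, values optionally double-quoted).

Added example, not Fortinet code.  SAMPLE_LOG is the line from the article;
the second line in SAMPLE_LINES is a constructed variant of it.
"""
import re

SAMPLE_LOG = (
    'date=2022-07-14 time=06:33:35 eventtime=1657773215509591580 tz="+0200" '
    'logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" '
    'vd="root" filteridx=1 filtername="PanPattern" dlpextra="[A-Z]{5}[0-9]{4}[A-Z]{1}" '
    'filtertype="regexp" filtercat="file" severity="medium" policyid=510 '
    'poluuid="cecaa58e-fa03-51ec-bcea-8657ec4be58c" policytype="policy" '
    'sessionid=41039178 epoch=245069 eventid=0 srcip=172.31.x.x srcport=50048 '
    'srccountry="Reserved" srcintf="port2" srcintfrole="lan" '
    'srcuuid="29c7feb8-aa9b-51ec-5f54-f5baa989484f" dstip=88.99.68.112 dstport=443 '
    'dstcountry="Germany" dstintf="port1" dstintfrole="undefined" '
    'dstuuid="29c7feb8-aa9b-51ec-5f54-f5baa989484f" proto=6 service="HTTPS" '
    'filetype="unknown" direction="outgoing" action="block" hostname="convertioxx.me" '
    'url="edited out" agent="Chrome/102.0.0.0" filename="pantest.pdf" filesize=11 '
    'profile="PanAadhaarTest"'
)

# Constructed second event: the same line with the Aadhaar filter of the v7.0
# sensor reported instead of the PAN filter.
SAMPLE_LINES = [
    SAMPLE_LOG,
    SAMPLE_LOG.replace('filteridx=1 filtername="PanPattern"',
                       'filteridx=2 filtername="AadhaarPattern"'),
]

# key=value where value is either a double-quoted string (may contain spaces
# and regex metacharacters) or a bare token without whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict[str, str]:
    """Split one FortiGate log line into a field dictionary, unquoting values."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_dlp_event(line: str):
    """Triage view of a DLP event, or None if the line is not a DLP log."""
    f = parse_fortigate_log(line)
    if f.get("subtype") != "dlp":
        return None
    return {
        "blocked": f.get("action") == "block",
        "filter": f.get("filtername"),
        "pattern": f.get("dlpextra"),
        "profile": f.get("profile"),
        "source": f.get("srcip"),
        "destination": f"{f.get('hostname') or f.get('dstip')}:{f.get('dstport')}",
        "file": f.get("filename"),
        "category": f.get("filtercat"),
    }


def count_blocks_by_filter(lines) -> dict[str, int]:
    """How many DLP blocks each filter produced, for a quick tuning overview."""
    counts: dict[str, int] = {}
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") == "dlp" and f.get("action") == "block":
            name = f.get("filtername", "<unnamed>")
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize_dlp_event(line))
    print(count_blocks_by_filter(SAMPLE_LINES))
```

The same parser works on the output of execute log display once the lines are saved to a file; filtering on subtype="dlp" and action="block" gives the blocked transfers, and grouping by filtername shows which pattern is generating the volume, which is the first thing to look at when a regex such as the unbounded PAN pattern turns out to be too broad.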

 

Note:

The inspection mode in the firewall policy has to be set to proxy (set inspection-mode proxy), and the DLP sensor or profile must use set feature-set proxy to match.