Technical Tip: DLP regex for blocking Ontario OHIP...

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 426410

Description

This article describes how to block Ontario OHIP card numbers using DLP local regex.

Scope

FortiGate.

Solution

Below regex pattern below can be used to block Ontario health card numbers:

config dlp dictionary
edit "regex"

set uuid 123444
config entries
edit 1

set type "g-regex"

set pattern "(?i:\\b[0-9]{4} [0-9]{3} [0-9]{3}[A-Z]{0,2}\\b)"

set repeat enable

next
edit 2

set type "g-regex"

set pattern "(?i:\\b[0-9]{4}-[0-9]{3}-[0-9]{3}[A-Z]{0,2}\\b)"

set repeat enable

next
edit 3

set type "g-regex"

set pattern "(?i:\\b[0-9]{10}[A-Z]{0,2}\\b)"

set repeat enable

end

Note: If the sensor count value is set to 4, it will require 4 matches and trigger the DLP action.

Below is the dictionary 'regex' in the DLP sensor :

config dlp sensor
edit "ohip"
config entries
edit 1
set dictionary "regex"
next
end
next
end

Now, put the sensor below in the DLP profile:

config dlp profile
edit "ontario-ohip"
set feature-set proxy
config rule
edit 1
set name "ohip"
set severity high
set type message
set proto smtp pop3 imap http-post nntp
set filter-by sensor
set sensor "ohip"
set action block
next
end
next
end

The above DLP profile 'ontario-ohip' can be used in the Proxy base firewall policy to block the OHIP card numbers.

112

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Technical Tip: DLP regex for blocking Ontario OHIP card numbers

You are leaving our website