FortiGate
GGMACHAIN
Staff
Article Id 330863
Description

This article describes how to resolve a problem with DLP regular expressions blocking words that contain the (') character on '100F' line equipment running v7.2.8.

The steps below are the correct procedure for blocking words such as 'pepitá' using regular expressions in FortiGate DLP.

Scope

FortiGate.

Solution

In this example, the word 'pepitá' will be blocked.

 

  1. Create a new 'Dictionary' in Security Profile -> Data Leak Prevention -> Dictionaries and select 'Create New'.


 

  2. Create a new 'Sensor' in Security Profile -> Data Leak Prevention -> Sensor and select 'Create New'.

 


 

  3. Create a DLP Profile using the 'Sensor' profile created in step 2 with action 'Block', Type 'Message', and protocol 'HTTP-POST'.

 


 

Important note:

Use the DLP profile and policy in 'Proxy' mode and also enable 'deep-inspection' in the firewall policy.

 

Via the CLI, change the DLP profile to 'set feature-set proxy'.

 

Workaround for equipment on the '100F' line and v7.2.8:

 

The steps above are correct for blocking the example word 'pepitá', but they do not work on equipment in the '100F' line running v7.2.8. On that equipment, change the Pattern in the Dictionary from '/pepitá/i' to just 'pepitá'.
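
The CLI equivalent of steps 1 to 3 with the workaround pattern applied, as an added example that is not part of the original article. The object names ('dict-pepita', 'sensor-pepita', 'profile-pepita') and `<policy_id>` are placeholders, and the option names are assumed from the v7.2 CLI, so confirm them with `show full-configuration` on the device.

```fortios
# Step 1: dictionary with a regex entry. Bare pattern, no /.../i wrapper,
# as required by the workaround for the '100F' line on v7.2.8.
config dlp dictionary
    edit "dict-pepita"
        config entries
            edit 1
                set type "regex"
                set pattern "pepitá"
            next
        end
    next
end

# Step 2: sensor that references the dictionary.
config dlp sensor
    edit "sensor-pepita"
        config entries
            edit 1
                set dictionary "dict-pepita"
            next
        end
    next
end

# Step 3: profile in proxy feature set, blocking messages on HTTP-POST.
config dlp profile
    edit "profile-pepita"
        set feature-set proxy
        config rule
            edit 1
                set type message
                set proto http-post
                set filter-by sensor
                set sensor "sensor-pepita"
                set action block
            next
        end
    next
end

# Firewall policy: proxy mode, deep inspection, DLP profile attached.
config firewall policy
    edit <policy_id>
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set dlp-profile "profile-pepita"
    next
end
```

On equipment not affected by the issue, the Pattern from the original steps is '/pepitá/i'.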

 


 

Several websites are available for testing words against DLP systems, for example: https://dlptest.com/http-post/

 

This is an example of how FortiGate should behave and what message is displayed:

 

[Screenshot: FortiGate block message]