FortiGate v7.0.x and below:
Aadhaar is a 12-digit number whose first digit is neither 0 nor 1.
It is written with a space after each group of four digits and contains no letters.
Below are regular expressions that can be used to identify Aadhaar:
^[2-9]{1}[0-9]{3}\\s[0-9]{4}\\s[0-9]{4}$   (^ anchors the start of the string, $ the end of the string)
PAN is 10 characters long: the first five characters and the tenth character are upper-case letters.
The sixth to ninth characters are digits between 0 and 9.
Below is the regular expression used for PAN (the same pattern that appears in the configuration below):
[A-Z]{5}[0-9]{4}[A-Z]{1}
Configuration would be as below:
config dlp sensor
    edit "PanAadhaarTest"
        set feature-set proxy
        config filter
            edit 1
                set name "PanPattern"
                set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                set filter-by regexp
                set regexp "[A-Z]{5}[0-9]{4}[A-Z]{1}"
                set action block
            next
            edit 2
                set name "AadhaarPattern"
                set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                set filter-by regexp
                set regexp "^[2-9]{1}[0-9]{3}\\s[0-9]{4}\\s[0-9]{4}$"
                set action block
            next
        end
        set extended-log enable
    next
end
FortiGate v7.2.x and above:
The regular expression \b[2-9]{1}[0-9]{3}[0-9]{4}[0-9]{4}\b is a pattern used for matching a specific format of a 12-digit Aadhaar number.
Here is a breakdown of the components:
- \b: Asserts a word boundary to ensure that the pattern is matched as a whole word and not as part of a larger sequence of characters.
- [2-9]{1}: Specifies that the first digit of the Aadhaar number must be in the range 2 to 9 (excluding 0 and 1).
- [0-9]{3}: Matches the next three digits, allowing any digit from 0 to 9.
- [0-9]{4}: Matches the next four digits, again allowing any digit from 0 to 9.
- [0-9]{4}: Matches the final four digits, allowing any digit from 0 to 9.
- \b: Ensures another word boundary at the end of the pattern.
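Before committing either pattern to a DLP sensor, it is worth checking which input formats each one actually catches. The following Python check is an added example written for this article (not FortiOS code and not part of the original article); the sample strings are constructed, not real identifiers. It runs the v7.0.x anchored pattern, the v7.2.x word-boundary pattern and the PAN pattern over the same inputs so the differences are visible side by side.

```python
import re

# The three patterns exactly as the article gives them.
AADHAAR_V70 = re.compile(r"^[2-9]{1}[0-9]{3}\s[0-9]{4}\s[0-9]{4}$")  # spaced, whole string only
AADHAAR_V72 = re.compile(r"\b[2-9]{1}[0-9]{3}[0-9]{4}[0-9]{4}\b")     # 12 contiguous digits
PAN = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]{1}")                          # unanchored


def matches(pattern, text):
    """Return every substring of text that the pattern matches."""
    return [m.group(0) for m in pattern.finditer(text)]


# Constructed sample inputs (not real Aadhaar or PAN values).
SAMPLES = {
    "spaced":    "2345 6789 0123",                    # format described for v7.0.x
    "unspaced":  "234567890123",                      # format the v7.2.x pattern expects
    "leading_0": "0345 6789 0123",                    # invalid first digit
    "in_text":   "Aadhaar: 2345 6789 0123 attached",  # number embedded in a sentence
    "13_digits": "2345678901234",                     # one digit too many
    "pan_ok":    "ABCDE1234F",
    "pan_long":  "XABCDE1234FZ",                      # PAN-shaped run inside a longer token
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (v7.0 hits, v7.2 hits, PAN hits)."""
    return {
        name: (matches(AADHAAR_V70, s), matches(AADHAAR_V72, s), matches(PAN, s))
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, (v70, v72, pan) in evaluate().items():
        print(f"{name:10s} v7.0={v70!r:20} v7.2={v72!r:18} PAN={pan!r}")
```

Two things the run makes obvious: the v7.0.x pattern only fires when the spaced number is the entire string, while the v7.2.x pattern only fires on 12 contiguous digits, so a spaced Aadhaar number in a document matches neither. The unanchored PAN pattern also matches inside a longer alphanumeric token, which is a source of false positives to plan for.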
Configuration would be as below:
- Create a dlp data-type:
config dlp data-type
    edit "aadhardatatype"
        set pattern "\\b[2-9]{1}[0-9]{3}[0-9]{4}[0-9]{4}\\b"
    next
end
- Create a dictionary and call the data-type:
config dlp dictionary
    edit "adaharD"
        set uuid 2ed699c0-7fd6-51ee-3d8f-c0b5eb5a7786
        config entries
            edit 1
                set type "aadhardatatype"
            next
        end
    next
end
- Create a DLP sensor and call the dictionary in it:
config dlp sensor
    edit "adaharS"
        config entries
            edit 1
                set dictionary "adaharD"
            next
        end
    next
end
- Create a DLP profile and call the sensor in the profile:
config dlp profile
    edit "Aadhar"
        set feature-set proxy   <-- feature set must be proxy
        config rule
            edit 1
                set name "Aadhar"
                set severity high
                set type message
                set proto smtp pop3 imap http-post nntp
                set filter-by sensor
                set sensor "adaharS"
                set action block
            next
        end
    next
end
- Create a firewall policy and add the DLP profile to it, with deep inspection enabled:
config firewall policy
    edit 1
        set name "DLP"
        set uuid 3d2f855e-7fcc-51ee-bfac-7a4a39c35007
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy   <-- inspection mode must be proxy
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dlp-profile "Aadhar"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
Logs can be viewed on the CLI using the commands below (the first lists the available log categories, 9 is the DLP category):
execute log filter category
execute log filter category 9
execute log display
The sample log on the firewall will look as below:
date=2022-07-14 time=06:33:35 eventtime=1657773215509591580 tz="+0200" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="PanPattern" dlpextra="[A-Z]{5}[0-9]{4}[A-Z]{1}" filtertype="regexp" filtercat="file" severity="medium" policyid=510 poluuid="cecaa58e-fa03-51ec-bcea-8657ec4be58c" policytype="policy" sessionid=41039178 epoch=245069 eventid=0 srcip=172.31.x.x srcport=50048 srccountry="Reserved" srcintf="port2" srcintfrole="lan" srcuuid="29c7feb8-aa9b-51ec-5f54-f5baa989484f" dstip= dstport=443 dstcountry="Germany" dstintf="port1" dstintfrole="undefined" dstuuid="29c7feb8-aa9b-51ec-5f54-f5baa989484f" proto=6 service="HTTPS" filetype="unknown" direction="outgoing" action="block" hostname="" url="edited out" agent="Chrome/" filename="pantest.pdf" filesize=11 profile="PanAadhaarTest"
The inspection mode in policy has to be set to proxy.