Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
janonuevo
Staff
Staff

Created on ā€Ž03-05-2024 10:16 PM Edited on ā€Ž04-09-2025 07:35 AM By Moderator

Article Id 302999

Technical Tip: How to use DLP to block traffic from messages that contain credit card information

Description

This article describes how to use DLP to block traffic from messages that contain credit card information.
In some cases, debit card and credit card formats from other regions do not match the pre-defined 'credit-card' DLP Data Type.

In this scenario, DLP using the 'regex' DLP Data Type will be configured.
Scope FortiGate v6.4, v7.0, v7.2 and v7.4.
Solution

Note:

ADLP license is required.

 

In GUI:

  1. Go to System -> Feature Visibility and enable Data Loss Prevention.


DLP 1.JPG

 

  1. Go to Security Profiles -> Data Loss Prevention -> Dictionaries, and create a New DLP Dictionary using the 'regex' DLP Data Type.


DLP 2.JPG


DLP 3.JPG

 

In this example, traffic that contains a 12-digit card pattern is blocked.

Regex Pattern A: (?:\d[ -]*?){12} - 12 digit card number that contains spaces and dashes in between where {12} represents the number of digits. 
example:
000123456789
0001 2345 6789
0001-2345-6789

Regex Pattern B: 9[0-9]{5}(?:-[0-9]{2})(?:-[0-9]{4}) - 12 digit card number that starts with 9 in 6-2-4 format that has dashes in between.

example:
901234-56-7890


DLP 5.JPG

 

  1. Go to Security Profiles -> Data Loss Prevention -> Sensors, select Create New, and then select the DLP dictionary created in Step 2.

 

DLP 6.JPG

 

  1. Go to Security Profiles -> Data Loss Prevention -> Profiles, select Create new then create a rule and apply the Sensor.

 

DLP 7.JPG

 

  1. Create a Firewall Policy and apply the DLP Profile.


DLP 8.JPG
DLP works in flow-based and proxy-based inspection modes.

To check which protocols can be inspected by DLP based on the specified inspection modes, refer to:
Data loss prevention

In CLI:

 

Fortigate # config dlp dictionary
    Fortigate (dictionary) # edit "12 digit card"
        config entries
            edit 1
                set type "regex"
                set pattern "9[0-9]{5}(?:-[0-9]{2})(?:-[0-9]{4})"
            next
        end
    next
end

 

Fortigate # config dlp sensor
    Fortigate (sensor) # edit "Test-Sensor"
        config entries
            edit 1
                set dictionary "12 digit card"
            next
        end
    next
end

 

Fortigate # config dlp profile
    Fortigate (profile) # edit "Test-Profile"
        set feature-set proxy
            config rule
                edit 1
                    set name "Test-Rule"
                    set type message
                    set proto smtp pop3 imap http-post nntp mapi
                    set filter-by sensor
                    set sensor "Test-Sensor"
                    set action block
                next
            end
    next
end

 

Testing:

The user tries to send an email that contains credit card information and gets blocked.

 

DLP 9.JPG

 

DLP 10.JPG

 

DLP 11.JPG

 

Note: If multiple DLP rules are configured in the DLP profile it is recommended to prioritize the rules very carefully as they are evaluated with the top to bottom approach.

 

2730
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.