Technical Tip: How to use DLP to block traffic from messages that contain credit card information

janonuevo · ‎03-05-2024

Description

This article describes how to use DLP to block traffic from messages that contain credit card information.
In some cases, debit card and credit card formats from other regions do not match the pre-defined 'credit-card' DLP Data Type.

In this scenario, DLP using the 'regex' DLP Data Type will be configured.

Scope

FortiGate v6.4, v7.0, v7.2 and v7.4.

Solution

Note:

A DLP license is required.

In GUI:

Go to System -> Feature Visibility and enable Data Loss Prevention.

DLP 1.JPG

In FortiGate versions v7.6.x (Lower end models with 2GB RAM), the DLP (Data Loss Prevention) option is not available in the GUI under Security Profiles or Feature Visibility.

The DLP configuration can still be accessed via direct URL: https://<firewall-ip>/utm/dlp.

If multiple VDOMs are enabled, specify the VDOM in the URL like this: https://<firewall-ip>/utm/dlp?vdom=<vdom name>

Example: https://10.19.18.4/utm/dlp?vdom=root

Go to Security Profiles -> Data Loss Prevention -> Dictionaries, and create a New DLP Dictionary using the 'regex' DLP Data Type.

DLP 2.JPG

DLP 3.JPG

In this example, traffic that contains a 12-digit card pattern is blocked.

Regex Pattern A: (?:\d[ -]*?){12}<----- 12-digit card number that contains spaces and dashes in between, where {12} represents the number of digits.
example:
000123456789
0001 2345 6789
0001-2345-6789

Regex Pattern B: 9[0-9]{5}(?:-[0-9]{2})(?:-[0-9]{4}) - 12 digit card number that starts with 9 in 6-2-4 format that has dashes in between.

example:
901234-56-7890

DLP 5.JPG

Go to Security Profiles -> Data Loss Prevention -> Sensors, select Create New, and then select the DLP dictionary created in Step 2.

DLP 6.JPG

Go to Security Profiles -> Data Loss Prevention -> Profiles, select Create new, create a rule and apply the Sensor.

DLP 7.JPG

Create a Firewall Policy and apply the DLP Profile.

DLP 8.JPG
DLP works in flow-based and proxy-based inspection modes.

To check which protocols can be inspected by DLP based on the specified inspection modes, refer to: Data loss prevention

In CLI:

Fortigate # config dlp dictionary
Fortigate (dictionary) # edit "12 digit card"
config entries
edit 1
set type "regex"
set pattern "9[0-9]{5}(?:-[0-9]{2})(?:-[0-9]{4})"
next
end
next
end

Fortigate # config dlp sensor
Fortigate (sensor) # edit "Test-Sensor"
config entries
edit 1
set dictionary "12 digit card"
next
end
next
end

Fortigate # config dlp profile
Fortigate (profile) # edit "Test-Profile"
set feature-set proxy
config rule
edit 1
set name "Test-Rule"
set type message
set proto smtp pop3 imap http-post nntp mapi
set filter-by sensor
set sensor "Test-Sensor"
set action block
next
end
next
end

Testing:

The user tries to send an email that contains credit card information and gets blocked.

DLP 9.JPG

DLP 10.JPG

DLP 11.JPG

Note:

If multiple DLP rules are configured in the DLP profile, it is recommended to prioritize the rules very carefully as they are evaluated with the top to bottom approach.

Technical Tip: How to use DLP to block traffic from messages that contain credit card information

You are leaving our website