Description |
This article explains why, under certain conditions, the built-in credit card DLP data type does not match valid credit card numbers when testing Data Loss Prevention (DLP) policies with ChatGPT. Specifically, when a message contains multiple credit card numbers separated by new lines, only the first line is detected. The built-in credit card data type fails to identify valid credit card numbers in the subsequent lines. |
Scope | FortiGate, FortiSASE. |
Solution |
To reproduce this issue, a policy must be applied to ChatGPT traffic with a DLP security profile and SSL deep inspection enabled. The expected behavior is that the system filters posts containing credit card numbers by leveraging the built-in credit card data type to match the traffic, including cases where the credit card numbers are presented as a list separated by new lines.
Steps to reproduce:
Root Cause:
Upon analysis, it was found that this behavior is related to how ChatGPT formats data before sending it to the server.
\b([2-6]{1}\d{3})[- ]?(\d{4})[- ]?(\d{2})[- ]?(\d{2})[- ]?(\d{2,4})\b
Solution / Workaround:
To address this, a custom dictionary data type can be created for credit card detection without using the \b boundary included in the built-in data type. This ensures that credit card numbers within ChatGPT traffic are detected correctly, even when separated by new lines. Example configuration with the fix:
With this configuration, traffic is matched by DLP sensor and it is blocked correctly:
CLI Configuration with solution applied:
Important considerations:
|
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.