FortiGate
Article Id 218277
Description: This article describes how to block Aadhaar and PAN numbers using regular expressions.
Scope: FortiGate.
Solution

FortiGate v7.0.x and below:

Aadhaar is a 12-digit number whose first digit is neither 0 nor 1.

It is written as three groups of 4 digits separated by a single space and contains no letters.

Below is a regular expression that can be used to identify Aadhaar in this spaced form:

^[2-9]{1}[0-9]{3}\\s[0-9]{4}\\s[0-9]{4}$ <----- (^ start of string, $ end of string; \\s is the CLI-escaped form of \s, a single whitespace character).

PAN is 10 characters long: the first 5 characters and the tenth character are uppercase letters.

The sixth to ninth characters are digits in the range 0-9.

Below is a regular expression that can be used for PAN:

[A-Z]{5}[0-9]{4}[A-Z]{1}

Configuration would be as below:

config dlp sensor
    edit "PanAadhaarTest"
        set feature-set proxy
        config filter
            edit 1
                set name "PanPattern"
                set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                set filter-by regexp
                set regexp "[A-Z]{5}[0-9]{4}[A-Z]{1}"
                set action block
            next
            edit 2
                set name "AadhaarPattern"
                set proto smtp pop3 imap http-get http-post ftp nntp mapi ssh cifs
                set filter-by regexp
                set regexp "^[2-9]{1}[0-9]{3}\\s[0-9]{4}\\s[0-9]{4}$"
                set action block
            next
        end
        set extended-log enable
    next
end

FortiGate v7.2.x and above:

The regular expression \b[2-9]{1}[0-9]{3}[0-9]{4}[0-9]{4}\b matches a 12-digit Aadhaar number written as one contiguous run of digits (no spaces).

Here is a breakdown of the components:

  • \b: Asserts a word boundary to ensure that the pattern is matched as a whole word and not as part of a larger sequence of characters.
  • [2-9]{1}: Specifies that the first digit of the Aadhaar number must be in the range of 2 to 9 (excluding 0 and 1).
  • [0-9]{3}: Matches the next three digits, allowing any digit from 0 to 9.
  • [0-9]{4}: Matches the next four digits, again allowing any digit from 0 to 9.
  • [0-9]{4}: Matches the final four digits, allowing any digit from 0 to 9.
  • \b: Ensures another word boundary at the end of the pattern.
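Before committing either pattern to a sensor filter or a data-type, it is worth running them against known-good and known-bad strings. The Python harness below is an added example, not part of the article or a Fortinet tool; it uses the article's three patterns as-is, constructed sample values (not real identifiers), and a small helper that reproduces the backslash doubling the FortiOS CLI needs. It shows that the v7.0.x pattern only accepts the spaced form, the v7.2.x pattern only the contiguous form, and that the unanchored PAN pattern also fires inside a longer alphanumeric run.

```python
import re

# The article's three patterns in plain regex form (before FortiOS CLI quoting).
PAN_PATTERN = r"[A-Z]{5}[0-9]{4}[A-Z]{1}"
AADHAAR_SPACED_PATTERN = r"^[2-9]{1}[0-9]{3}\s[0-9]{4}\s[0-9]{4}$"   # v7.0.x sensor filter
AADHAAR_CONTIG_PATTERN = r"\b[2-9]{1}[0-9]{3}[0-9]{4}[0-9]{4}\b"     # v7.2.x data-type

PAN_RE = re.compile(PAN_PATTERN)
AADHAAR_SPACED_RE = re.compile(AADHAAR_SPACED_PATTERN)
AADHAAR_CONTIG_RE = re.compile(AADHAAR_CONTIG_PATTERN)


def cli_quote(pattern: str) -> str:
    """Render a regex as the quoted value of a FortiOS 'set regexp' / 'set pattern'
    line: every backslash is doubled, which is why the article's config shows \\s and \\b."""
    return '"' + pattern.replace("\\", "\\\\") + '"'


def find_pan(text: str) -> list:
    """All PAN-shaped substrings. The pattern is unanchored, so it also matches
    inside a longer run of letters and digits (a false-positive source to tune for)."""
    return PAN_RE.findall(text)


def is_spaced_aadhaar(token: str) -> bool:
    """Whole-token check with the v7.0.x pattern: 'NNNN NNNN NNNN', first digit 2-9."""
    return AADHAAR_SPACED_RE.fullmatch(token) is not None


def find_contiguous_aadhaar(text: str) -> list:
    """v7.2.x pattern: 12 contiguous digits starting 2-9, bounded by \\b, so a
    13- or 16-digit run does not match, but neither does a space-separated number."""
    return AADHAAR_CONTIG_RE.findall(text)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    for s in ["PAN ABCDE1234F", "XABCDE1234FG", "2345 6789 0123",
              "id 234567890123 end", "2345678901234567"]:
        print(repr(s), find_pan(s), is_spaced_aadhaar(s), find_contiguous_aadhaar(s))
    print(cli_quote(AADHAAR_CONTIG_PATTERN))
```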

Configuration would be as below:

  1. Create a dlp data-type:

    config dlp data-type
        edit "aadhardatatype"
            set pattern "\\b[2-9]{1}[0-9]{3}[0-9]{4}[0-9]{4}\\b"
        next
    end

  2. Create a dictionary and call the data-type in it:

    config dlp dictionary
        edit "adaharD"
            set uuid 2ed699c0-7fd6-51ee-3d8f-c0b5eb5a7786
            config entries
                edit 1
                    set type "aadhardatatype"
                next
            end
        next
    end

  3. Create a DLP sensor and call the dictionary in it:

    config dlp sensor
        edit "adaharS"
            config entries
                edit 1
                    set dictionary "adaharD"
                next
            end
        next
    end

  4. Create a DLP profile and call the sensor in the profile:

    config dlp profile
        edit "Aadhar"
            set feature-set proxy         <-- must be proxy
            config rule
                edit 1
                    set name "Aadhar"
                    set severity high
                    set type message
                    set proto smtp pop3 imap http-post nntp
                    set filter-by sensor
                    set sensor "adaharS"
                    set action block
                next
            end
        next
    end

  5. Create a firewall policy and add the DLP profile to it, with deep inspection enabled:

    config firewall policy
        edit 1
            set name "DLP"
            set uuid 3d2f855e-7fcc-51ee-bfac-7a4a39c35007
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy     <-- must be proxy
            set ssl-ssh-profile "custom-deep-inspection"
            set av-profile "default"
            set webfilter-profile "default"
            set dlp-profile "Aadhar"
            set ips-sensor "default"
            set application-list "default"
            set logtraffic all
            set nat enable
        next
    end

    Logs can be viewed on the CLI using the commands below (the first command lists the available categories; category 9 is DLP):

    execute log filter category
    execute log filter category 9
    execute log display

    The sample log on the firewall will look as below:

    date=2022-07-14 time=06:33:35 eventtime=1657773215509591580 tz="+0200" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="PanPattern" dlpextra="[A-Z]{5}[0-9]{4}[A-Z]{1}" filtertype="regexp" filtercat="file" severity="medium" policyid=510 poluuid="cecaa58e-fa03-51ec-bcea-8657ec4be58c" policytype="policy" sessionid=41039178 epoch=245069 eventid=0 srcip=172.31.x.x srcport=50048 srccountry="Reserved" srcintf="port2" srcintfrole="lan" srcuuid="29c7feb8-aa9b-51ec-5f54-f5baa989484f" dstip=88.99.68.112 dstport=443 dstcountry="Germany" dstintf="port1" dstintfrole="undefined" dstuuid="29c7feb8-aa9b-51ec-5f54-f5baa989484f" proto=6 service="HTTPS" filetype="unknown" direction="outgoing" action="block" hostname="convertioxx.me" url="edited out" agent="Chrome/102.0.0.0" filename="pantest.pdf" filesize=11 profile="PanAadhaarTest"

Note:

The inspection mode in the firewall policy has to be set to proxy; DLP content matching does not apply in flow mode.