config security waf data-leak-prevention
Use this command to configure a WAF data-leak-prevention (DLP) profile. A profile holds one or more rules; each rule pairs a request URI pattern with a sensitive-data-type (a regular expression, such as the built-in credit card or US Social Security number patterns, or one you define under config security waf sensitive-data-type) and a match threshold. When a server response for a matching URI contains the sensitive data, FortiADC applies the profile's action (alert, deny, block or silent-deny) and can optionally mask the matched data with asterisks. The profile takes effect once it is referenced from a WAF profile with set data-leak-prevention.
Syntax
config security waf sensitive-data-type
edit <name>
set regex <regex>
set description <string>
next
end
config security waf data-leak-prevention
edit <name>
set status {enable | disable} (default value: disable)
set action [waf_action]
set severity [waf_severity]
config rule
edit <id>
set request-uri-pattern <regex>
set sensitive-data-type <data-type-name>
set threshold <number>
next
end
next
end
config security waf profile
edit <name>
set data-leak-prevention <dlp>
next
end
Status | Enable or disable the profile; default is disable.
Masking | Enable masking to replace matched sensitive data with asterisks (*); default is disable. Note: When masking is enabled, every match is replaced, so the Threshold value has no effect. Masking only works when Action is Alert: with Deny or Block the connection is rejected, so there is no response data left to replace.
Action | The action FortiADC takes when a DLP rule detects sensitive data. Actions are the ones defined under WAF Action (the example below lists alert, deny, block and silent-deny). Note: You can also create a customized action with Create New.
Severity | The severity recorded in WAF logs for data leaks detected by Data Leak Prevention.
URI Pattern | Specified per Data Leak Prevention rule. A regular expression matched against the request URI; a rule whose URI pattern is empty does not take effect.
Threshold | Specified per Data Leak Prevention rule. The rule does not take effect until the amount of matching sensitive data in the response exceeds this value. Range 1-10000; default 1. Ignored when Masking is enabled.
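The interactions described in the table (Status, Masking versus Threshold, Masking versus a rejecting Action, an empty URI pattern) are easy to misread, so the following Python script models them over a constructed response body. It is an added illustration, not FortiADC code and not part of this reference: the regexes stand in for the built-in Credit_Card_Number and US_Social_Security_Number types and are not Fortinet's patterns, the URI pattern and body are made up, and the reading that a rule fires once the match count reaches the threshold (so the default of 1 fires on a single match) is an assumption about the wording above.

```python
import re
from dataclasses import dataclass, field

# Constructed regexes for this example. They are NOT the patterns behind FortiADC's
# built-in Credit_Card_Number / US_Social_Security_Number types; they only need to
# be good enough to exercise the rule logic below.
SENSITIVE_DATA_TYPES = {
    "Credit_Card_Number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "US_Social_Security_Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class DlpRule:
    request_uri_pattern: str   # regex matched against the request URI
    sensitive_data_type: str   # name of a sensitive-data-type
    threshold: int = 1         # range 1-10000, default 1


@dataclass
class DlpProfile:
    status: bool = False       # default disable
    action: str = "alert"      # alert | deny | block | silent-deny
    masking: bool = False      # default disable
    rules: list = field(default_factory=list)


def evaluate(profile, request_uri, response_body):
    """Model how a DLP profile treats one HTTP response.

    Returns (verdict, forwarded_body): verdict is 'pass' or the profile action;
    forwarded_body is '' when the connection is rejected. Assumption (not stated
    this precisely in the reference): a rule fires once the number of matches
    reaches the threshold, so the default of 1 fires on a single match.
    """
    if not profile.status:
        return "pass", response_body
    for rule in profile.rules:
        # A rule with an empty URI pattern does not take effect.
        if not rule.request_uri_pattern:
            continue
        if not re.search(rule.request_uri_pattern, request_uri):
            continue
        pattern = SENSITIVE_DATA_TYPES[rule.sensitive_data_type]
        matches = list(pattern.finditer(response_body))
        if not matches:
            continue
        if profile.masking and profile.action == "alert":
            # Masking replaces every match with asterisks; the threshold is ignored.
            masked = pattern.sub(lambda m: "*" * len(m.group(0)), response_body)
            return "alert", masked
        # No masking, or masking combined with a rejecting action (nothing can be
        # replaced once the connection is rejected): the threshold decides.
        if len(matches) >= rule.threshold:
            if profile.action == "alert":
                return "alert", response_body      # logged, body forwarded unchanged
            return profile.action, ""              # deny / block / silent-deny
    return "pass", response_body


# Constructed response body: two card numbers and one SSN.
BODY = ("customer=alice card=4111 1111 1111 1111 backup=5500-0000-0000-0004 "
        "ssn=123-45-6789")
URI = "/api/export/customers"   # constructed request URI


def demo():
    """Run the scenarios from the reference table and return their outcomes."""
    cc3 = DlpRule(r"^/api/export", "Credit_Card_Number", threshold=3)
    cc1 = DlpRule(r"^/api/export", "Credit_Card_Number")
    return {
        # Profile left at the default status: nothing is inspected.
        "disabled": evaluate(DlpProfile(rules=[cc1]), URI, BODY),
        # Two card numbers but threshold 3: the rule does not take effect.
        "threshold_not_reached": evaluate(DlpProfile(True, "deny", rules=[cc3]), URI, BODY),
        # Threshold 1 with action deny: the response is rejected.
        "deny_single_match": evaluate(DlpProfile(True, "deny", rules=[cc1]), URI, BODY),
        # Alert + masking: both card numbers are masked although threshold is 3.
        "alert_masking": evaluate(DlpProfile(True, "alert", True, rules=[cc3]), URI, BODY),
        # Deny + masking: the connection is rejected, nothing is masked.
        "deny_masking": evaluate(DlpProfile(True, "deny", True, rules=[cc1]), URI, BODY),
        # URI does not match the rule pattern: the response passes untouched.
        "uri_mismatch": evaluate(DlpProfile(True, "deny", rules=[cc1]), "/static/app.js", BODY),
    }


if __name__ == "__main__":
    for name, (verdict, body) in demo().items():
        print(f"{name:22s} {verdict:8s} {body}")
```

Running the script prints one line per scenario; the "alert_masking" line shows both card numbers replaced by asterisks while the SSN is left intact, because no rule for US_Social_Security_Number was attached to that profile.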
Example
ADC-6 # config security waf sensitive-data-type
ADC-6 (sensitive-data~e) # edit 1
ADC-6 (1) # set
*regex Regular expression
description Description
ADC-6 (1) # set regex "test"
ADC-6 (1) # next
ADC-6 (sensitive-data~e) # end
ADC-6 # config security waf data-leak-prevention
ADC-6 (data-leak-prev~n) # edit 2
ADC-6 (2) # set status enable
ADC-6 (2) # set action
<datasource> Data leak prevention action
alert security waf.action
deny security waf.action
block security waf.action
silent-deny security waf.action
ADC-6 (2) # set action alert
ADC-6 (2) # set severity
high high
low low
medium medium
ADC-6 (2) # set severity high
ADC-6 (2) # config rule
ADC-6 (rule) # edit 3
ADC-6 (3) # set request-uri-pattern
<string> HTTP URI pattern
ADC-6 (3) # set request-uri-pattern "test"
ADC-6 (3) # set sensitive-data-type
<datasource> Sensitive data type
Credit_Card_Number security waf.sensitive-data-type
US_Social_Security_Number security waf.sensitive-data-type
1 security waf.sensitive-data-type
ADC-6 (3) # set sensitive-data-type 1
ADC-6 (3) # set threshold 3
ADC-6 (3) # next
ADC-6 (rule) # end
ADC-6 (2) # end
ADC-6 # config security waf profile
ADC-6 (profile) # edit 1
ADC-6 (1) # get
web-attack-signature : High-Level-Security
url-protection : url
http-protocol-constraint : 1
heuristic-sql-xss-injection-detect: High-Level-Security
bot-detection :
xml-validation : High-Level-Security
json-validation :
advanced-protection : 1
description :
exception :
brute-force-login :
cookie-security :
csrf-protection : CSRF1
input-validation-policy : 1
data-leak-prevention : 1