Fortinet white logo
Fortinet white logo

CLI Reference

config security waf data-leak-protection

config security waf data-leak-protection

Use this command to configure a DLP policy that can then be applied in a WAF profile. The Data Loss Prevention (DLP) feature allows the Web Application Firewall (WAF) to prevent information leaks, damage and loss. DLP provides desensitization and warning measures for sensitive information leaks on websites, such as SSN numbers and credit card information, as well as the leakage of sensitive keywords.

You can create a DLP Policy to match a sensor based on file content or an HTTP Payload, and the email protocol being used to attach files. It also allows you to choose the action to allow, log, or block the IP address.

Before you begin:

Syntax

config security waf data-leak-prevention

edit <name>

set status {enable|disable}

set masking {enable|disable}

set action {alert|deny|block|silent-deny|captcha|<datasource>}

set severity {high|medium|low}

config rule

edit <name>

set request-uri-pattern <string>

set type {sdt|sensors}

set sensor <datasource>

set sensitive-data-type <datasource>

set threshold <integer>

next

end

next

end

status

Enable or disable the profile; default is disable.

masking

Enable masking to replace sensitive data with asterisks (*); default is disable.

Note: When masking is enabled, all target data will be replaced by asterisks, so the threshold value won't take effect here. Masking only works when Action is Alert, because the connection will reject when action is set as Deny or Block, so no target data will be replaced.

action

Sets the action FortiADC will take if a security check detects a potential attack. This configuration comes from Action in WAF Profile.

  • alert — Let the request pass when the profile detects a potential attack, only triggering a WAF log.
  • deny — Drop the incoming request and trigger a WAF log.
  • block — Block the IP address from incoming requests for 3600 seconds and trigger a WAF log.
  • silent-deny — Drop the incoming request without triggering a WAF log.
  • captcha — Allow the traffic to pass if the client successfully fulfills the CAPTCHA request, and trigger a WAF log.

Note: You can also reference a user-defined WAF action object.

severity

Set the severity in WAF logs for potential attacks detected by DLP Policy.

  • high

  • medium

  • low

The default option is low.

config rule

request-uri-pattern

Specify the URI Pattern in the Data Loss Prevention rules. Scanning and receiving an empty value means this rule is not working.

type

Select the DLP data type to match:

  • sdt — Sensitive Data Type.

  • sensors — DLP Sensors.

sensor

The sensor option is available if type is sensors.

Specify the DLP Sensor you want to apply.

sensitive-data-type

The sensitive-data-type option is available if type is sdt.

Specify the Sensitive Data Type you want to apply.

threshold

The threshold option is available if type is sdt.

Set a threshold for the Data Loss Prevention rule.
The rule will not take effect until the target data exceeds the threshold's specified value. Range 1-10000. Default is 1. This will not work if Masking is enabled.

Example

config security waf data-leak-prevention

edit "dlp-profile-sensors"

set status enable

set masking enable

set action alert

set severity low

config rule

edit 1

set request-uri-pattern /dir1/

set type sensors

set sensor user-defined-sensor1

next

end

next

end

config security waf data-leak-prevention

edit "dlp-profile-sdt"

set status enable

set action alert

set severity low

config rule

edit 1

set type sdt

set sensitive-data-type Credit_Card_Number

set threshold 1

next

end

next

end

config security waf data-leak-protection

config security waf data-leak-protection

Use this command to configure a DLP policy that can then be applied in a WAF profile. The Data Loss Prevention (DLP) feature allows the Web Application Firewall (WAF) to prevent information leaks, damage and loss. DLP provides desensitization and warning measures for sensitive information leaks on websites, such as SSN numbers and credit card information, as well as the leakage of sensitive keywords.

You can create a DLP Policy to match a sensor based on file content or an HTTP Payload, and the email protocol being used to attach files. It also allows you to choose the action to allow, log, or block the IP address.

Before you begin:

Syntax

config security waf data-leak-prevention

edit <name>

set status {enable|disable}

set masking {enable|disable}

set action {alert|deny|block|silent-deny|captcha|<datasource>}

set severity {high|medium|low}

config rule

edit <name>

set request-uri-pattern <string>

set type {sdt|sensors}

set sensor <datasource>

set sensitive-data-type <datasource>

set threshold <integer>

next

end

next

end

status

Enable or disable the profile; default is disable.

masking

Enable masking to replace sensitive data with asterisks (*); default is disable.

Note: When masking is enabled, all target data will be replaced by asterisks, so the threshold value won't take effect here. Masking only works when Action is Alert, because the connection will reject when action is set as Deny or Block, so no target data will be replaced.

action

Sets the action FortiADC will take if a security check detects a potential attack. This configuration comes from Action in WAF Profile.

  • alert — Let the request pass when the profile detects a potential attack, only triggering a WAF log.
  • deny — Drop the incoming request and trigger a WAF log.
  • block — Block the IP address from incoming requests for 3600 seconds and trigger a WAF log.
  • silent-deny — Drop the incoming request without triggering a WAF log.
  • captcha — Allow the traffic to pass if the client successfully fulfills the CAPTCHA request, and trigger a WAF log.

Note: You can also reference a user-defined WAF action object.

severity

Set the severity in WAF logs for potential attacks detected by DLP Policy.

  • high

  • medium

  • low

The default option is low.

config rule

request-uri-pattern

Specify the URI Pattern in the Data Loss Prevention rules. Scanning and receiving an empty value means this rule is not working.

type

Select the DLP data type to match:

  • sdt — Sensitive Data Type.

  • sensors — DLP Sensors.

sensor

The sensor option is available if type is sensors.

Specify the DLP Sensor you want to apply.

sensitive-data-type

The sensitive-data-type option is available if type is sdt.

Specify the Sensitive Data Type you want to apply.

threshold

The threshold option is available if type is sdt.

Set a threshold for the Data Loss Prevention rule.
The rule will not take effect until the target data exceeds the threshold's specified value. Range 1-10000. Default is 1. This will not work if Masking is enabled.

Example

config security waf data-leak-prevention

edit "dlp-profile-sensors"

set status enable

set masking enable

set action alert

set severity low

config rule

edit 1

set request-uri-pattern /dir1/

set type sensors

set sensor user-defined-sensor1

next

end

next

end

config security waf data-leak-prevention

edit "dlp-profile-sdt"

set status enable

set action alert

set severity low

config rule

edit 1

set type sdt

set sensitive-data-type Credit_Card_Number

set threshold 1

next

end

next

end