Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.4.5 CLI Reference
    7.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config security waf data-leak-protection

    config security waf data-leak-protection

    Use this command to configure a DLP policy that can then be applied in a WAF profile. The Data Loss Prevention (DLP) feature allows the Web Application Firewall (WAF) to prevent information leaks, damage and loss. DLP provides desensitization and warning measures for sensitive information leaks on websites, such as SSN numbers and credit card information, as well as the leakage of sensitive keywords.

    You can create a DLP Policy to match a sensor based on file content or an HTTP Payload, and the email protocol being used to attach files. It also allows you to choose the action to allow, log, or block the IP address.

    Before you begin:

    Syntax

    config security waf data-leak-prevention

    edit <name>

    set status {enable|disable}

    set masking {enable|disable}

    set action {alert|deny|block|silent-deny|captcha|<datasource>}

    set severity {high|medium|low}

    config rule

    edit <name>

    set request-uri-pattern <string>

    set type {sdt|sensors}

    set sensor <datasource>

    set sensitive-data-type <datasource>

    set threshold <integer>

    next

    end

    next

    end

    status

    		 Enable or disable the profile; default is disable.

    masking

    Enable masking to replace sensitive data with asterisks (*); default is disable.

    Note: When masking is enabled, all target data will be replaced by asterisks, so the threshold value won't take effect here. Masking only works when Action is Alert, because the connection will reject when action is set as Deny or Block, so no target data will be replaced.

    action

    Sets the action FortiADC will take if a security check detects a potential attack. This configuration comes from Action in WAF Profile.

    • alert — Let the request pass when the profile detects a potential attack, only triggering a WAF log.
    • deny — Drop the incoming request and trigger a WAF log.
    • block — Block the IP address from incoming requests for 3600 seconds and trigger a WAF log.
    • silent-deny — Drop the incoming request without triggering a WAF log.
    • captcha — Allow the traffic to pass if the client successfully fulfills the CAPTCHA request, and trigger a WAF log.

    Note: You can also reference a user-defined WAF action object.

    severity

    Set the severity in WAF logs for potential attacks detected by DLP Policy.

    • high

    • medium

    • low

    The default option is low.

    config rule

    request-uri-pattern

    Specify the URI Pattern in the Data Loss Prevention rules. Scanning and receiving an empty value means this rule is not working.

    type

    Select the DLP data type to match:

    • sdt — Sensitive Data Type.

    • sensors — DLP Sensors.

    sensor

    The sensor option is available if type is sensors.

    Specify the DLP Sensor you want to apply.

    sensitive-data-type

    The sensitive-data-type option is available if type is sdt.

    Specify the Sensitive Data Type you want to apply.

    threshold

    The threshold option is available if type is sdt.

    Set a threshold for the Data Loss Prevention rule.
    The rule will not take effect until the target data exceeds the threshold's specified value. Range 1-10000. Default is 1. This will not work if Masking is enabled.

    Example

    config security waf data-leak-prevention

    edit "dlp-profile-sensors"

    set status enable

    set masking enable

    set action alert

    set severity low

    config rule

    edit 1

    set request-uri-pattern /dir1/

    set type sensors

    set sensor user-defined-sensor1

    next

    end

    next

    end

    config security waf data-leak-prevention

    edit "dlp-profile-sdt"

    set status enable

    set action alert

    set severity low

    config rule

    edit 1

    set type sdt

    set sensitive-data-type Credit_Card_Number

    set threshold 1

    next

    end

    next

    end

    Previous
    Next

    config security waf data-leak-protection

    config security waf data-leak-protection

    Use this command to configure a DLP policy that can then be applied in a WAF profile. The Data Loss Prevention (DLP) feature allows the Web Application Firewall (WAF) to prevent information leaks, damage and loss. DLP provides desensitization and warning measures for sensitive information leaks on websites, such as SSN numbers and credit card information, as well as the leakage of sensitive keywords.

    You can create a DLP Policy to match a sensor based on file content or an HTTP Payload, and the email protocol being used to attach files. It also allows you to choose the action to allow, log, or block the IP address.

    Before you begin:

    Syntax

    config security waf data-leak-prevention

    edit <name>

    set status {enable|disable}

    set masking {enable|disable}

    set action {alert|deny|block|silent-deny|captcha|<datasource>}

    set severity {high|medium|low}

    config rule

    edit <name>

    set request-uri-pattern <string>

    set type {sdt|sensors}

    set sensor <datasource>

    set sensitive-data-type <datasource>

    set threshold <integer>

    next

    end

    next

    end

    status

    		 Enable or disable the profile; default is disable.

    masking

    Enable masking to replace sensitive data with asterisks (*); default is disable.

    Note: When masking is enabled, all target data will be replaced by asterisks, so the threshold value won't take effect here. Masking only works when Action is Alert, because the connection will reject when action is set as Deny or Block, so no target data will be replaced.

    action

    Sets the action FortiADC will take if a security check detects a potential attack. This configuration comes from Action in WAF Profile.

    • alert — Let the request pass when the profile detects a potential attack, only triggering a WAF log.
    • deny — Drop the incoming request and trigger a WAF log.
    • block — Block the IP address from incoming requests for 3600 seconds and trigger a WAF log.
    • silent-deny — Drop the incoming request without triggering a WAF log.
    • captcha — Allow the traffic to pass if the client successfully fulfills the CAPTCHA request, and trigger a WAF log.

    Note: You can also reference a user-defined WAF action object.

    severity

    Set the severity in WAF logs for potential attacks detected by DLP Policy.

    • high

    • medium

    • low

    The default option is low.

    config rule

    request-uri-pattern

    Specify the URI Pattern in the Data Loss Prevention rules. Scanning and receiving an empty value means this rule is not working.

    type

    Select the DLP data type to match:

    • sdt — Sensitive Data Type.

    • sensors — DLP Sensors.

    sensor

    The sensor option is available if type is sensors.

    Specify the DLP Sensor you want to apply.

    sensitive-data-type

    The sensitive-data-type option is available if type is sdt.

    Specify the Sensitive Data Type you want to apply.

    threshold

    The threshold option is available if type is sdt.

    Set a threshold for the Data Loss Prevention rule.
    The rule will not take effect until the target data exceeds the threshold's specified value. Range 1-10000. Default is 1. This will not work if Masking is enabled.

    Example

    config security waf data-leak-prevention

    edit "dlp-profile-sensors"

    set status enable

    set masking enable

    set action alert

    set severity low

    config rule

    edit 1

    set request-uri-pattern /dir1/

    set type sensors

    set sensor user-defined-sensor1

    next

    end

    next

    end

    config security waf data-leak-prevention

    edit "dlp-profile-sdt"

    set status enable

    set action alert

    set severity low

    config rule

    edit 1

    set type sdt

    set sensitive-data-type Credit_Card_Number

    set threshold 1

    next

    end

    next

    end

    Previous
    Next