
Content inspection patterns

The Content inspection patterns template parameter uses regexes to match data within files, emails, and so on.

When setting the Content inspection patterns parameter, ECMAScript syntax is required. Both custom values (configured in the template editor) and assets (configured in the asset editor) are supported.

Example

Let's say you are using the Sensitive file written to USB storage device template. If you set the Content inspection patterns parameter to the out-of-box (OOB) US passport number asset, which is preconfigured with the regex (\d{9})|([a-zA-Z]\d{8}), this would detect user attempts to transfer files containing US passport numbers to USB storage devices.

To help you avoid misconfigurations when providing custom values or creating custom assets, the FortiDLP Console indicates when an invalid regex has been entered.

Invalid custom value (template editor)

Invalid custom asset (asset editor)

You can also use third-party regex validators, such as regex101.com, to verify your patterns.

Wide and narrow breadth detection

For flexibility, the Content inspection patterns parameter can be configured to use either wide breadth detection or narrow breadth detection with assets:

  • With wide breadth detection, a pattern defined for a Content inspection patterns asset must be matched for a detection to be generated.
    For example, if you set the Content inspection patterns template parameter to use wide breadth detection and select an asset that specifies a regex to match US passport numbers in its Pattern field, a detection would be generated if a US passport number was found during inspection.

  • With narrow breadth detection, a pattern and an associated keyword/keyphrase defined for a Content inspection patterns asset must be matched for a detection to be generated. This is supported for OOB and custom assets.
    For example, if you set the Content inspection patterns template parameter to use narrow breadth detection and select an asset that specifies a regex to match US passport numbers in its Pattern field, and also specifies passport in its Keywords field, a detection would only be generated if both the pattern and the keyword were found in the same document during inspection.

In the following figure, you can see our US passport number OOB asset that is preconfigured with a regex pattern and keywords, and can be used for narrow breadth detection.

OOB US passport number asset with pattern and keywords

Remember, narrow breadth detection is only supported for Content inspection patterns assets set for the Content inspection patterns template parameter. That is, it does not apply to:

  • Custom values set for the Content inspection patterns template parameter.
  • Content inspection keyword list assets or custom values set for the Content inspection keywords template parameter.
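
The following added example (not FortiDLP code) models the wide and narrow breadth behavior described above, using the OOB US passport number regex quoted on this page, and checks whether a pattern compiles as ECMAScript. The function names, asset shape, sample documents, and the case-insensitive substring keyword match are assumptions made for illustration.

```javascript
// Added example: a model of wide vs narrow breadth detection, not the product's logic.

// OOB US passport number pattern quoted on this page (ECMAScript syntax).
const PASSPORT_PATTERN = String.raw`(\d{9})|([a-zA-Z]\d{8})`;

// Returns null when the source compiles as an ECMAScript regex, else the error text.
function validatePattern(source) {
  try {
    new RegExp(source);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Hypothetical asset shape: { pattern, keywords }.
// Wide: the pattern alone must match. Narrow: pattern AND a keyword in the same document.
function inspect(text, asset, breadth) {
  const patternHit = new RegExp(asset.pattern).test(text);
  if (breadth === "wide") return patternHit;
  const lower = text.toLowerCase();
  // Assumption: keywords are compared as case-insensitive substrings.
  const keywordHit = asset.keywords.some((k) => lower.includes(k.toLowerCase()));
  return patternHit && keywordHit;
}

const asset = { pattern: PASSPORT_PATTERN, keywords: ["passport"] };

// Constructed sample documents.
const samples = {
  travelForm: "Passport no: 123456789, issued 2019",
  invoice: "Invoice 2024-07, order ref 987654321, total due 40.00",
  memo: "Please renew your passport before the trip.",
};

function runAll() {
  const out = {};
  for (const [name, text] of Object.entries(samples)) {
    out[name] = { wide: inspect(text, asset, "wide"), narrow: inspect(text, asset, "narrow") };
  }
  return out;
}

console.log(runAll());
console.log(validatePattern("(\\d{9")); // unbalanced group: reports a syntax error
```

The constructed invoice shows why narrow breadth matters for this pattern: any nine-digit run satisfies the regex, so wide breadth flags the order reference while narrow breadth does not.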

Known limitations

Be mindful of the following limitations:

  • For Agent versions earlier than 11.3.1, on macOS, content inspection patterns expected to match spaces cannot be matched to files or email attachments. Words are separated and matched individually.
  • Regex pattern matches cannot be detected by the Unauthorized email sent or received policy template when content that is separated by line breaks is pasted into the email body of New Outlook. This limitation does not apply to Classic Outlook.
