Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiDLP Policies Reference Guide

    Home FortiDLP Policies 8.3.0 FortiDLP Policies Reference Guide
    8.3.0
    8.3.0
    8.2.1
    8.2.0
    8.1.0
    8.0.0
    7.1.2
    7.1.1
    7.1.0
    7.0.0

    Extended content inspection

    Extended content inspection

    FortiDLP's Unauthorized email sent or received template provides two sets of content inspection parameters, allowing you to search for different patterns, keywords, and MIP labels in different sections of an email.

    Both sets comprise all of the content inspection parameters previously mentioned, as well as the Content inspection location parameter, which defines the email sections for inspection.

    Neither set of content inspection parameters takes precedence over the other. When configured, the two sets are combined to give you more control over when detections are raised.

    Example

    For example, you could create a policy that raises a detection when a credit card number is found in the email body and attachments, and the keyword "Finance" is not found in the subject line, as follows.

    Configuration 1:

    • For the Content inspection location parameter, select Email body and Email attachments.
    • For the Content inspection patterns parameter, select the Credit or debit card number OOB asset.
    • For the Content inspection match type parameter, select Match any.
    • For the Content inspection match frequency parameter, type 1.

    Configuration 2:

    • For the Content inspection location parameter, select Email subject.
    • For the Content inspection keywords parameter, type a custom value of Finance.
    • For the Content inspection match type parameter, select Match none.
    Note

    For the Unauthorized email sent or received template, all configured parameters must be met to generate a detection or block an email. Additionally, to perform content inspection, at least one location and pattern, keyword, or MIP label is required. Specifically, when MIP labels are selected, ensure you set the Content inspection location parameter to Email attachments and/or Email headers based on where matching should occur.
    Previous
    Next

    Extended content inspection

    Extended content inspection

    FortiDLP's Unauthorized email sent or received template provides two sets of content inspection parameters, allowing you to search for different patterns, keywords, and MIP labels in different sections of an email.

    Both sets comprise all of the content inspection parameters previously mentioned, as well as the Content inspection location parameter, which defines the email sections for inspection.

    Neither set of content inspection parameters takes precedence over the other. When configured, the two sets are combined to give you more control over when detections are raised.

    Example

    For example, you could create a policy that raises a detection when a credit card number is found in the email body and attachments, and the keyword "Finance" is not found in the subject line, as follows.

    Configuration 1:

    • For the Content inspection location parameter, select Email body and Email attachments.
    • For the Content inspection patterns parameter, select the Credit or debit card number OOB asset.
    • For the Content inspection match type parameter, select Match any.
    • For the Content inspection match frequency parameter, type 1.

    Configuration 2:

    • For the Content inspection location parameter, select Email subject.
    • For the Content inspection keywords parameter, type a custom value of Finance.
    • For the Content inspection match type parameter, select Match none.
    Note

    For the Unauthorized email sent or received template, all configured parameters must be met to generate a detection or block an email. Additionally, to perform content inspection, at least one location and pattern, keyword, or MIP label is required. Specifically, when MIP labels are selected, ensure you set the Content inspection location parameter to Email attachments and/or Email headers based on where matching should occur.
    Previous
    Next