Fortinet black logo

CLI Reference

dlp sensor

dlp sensor

Use this command to create a DLP sensor. The DLP sensor includes settings such as action, archive, and severity for each rule or compound rule. A number of preconfigured sensors are provided with your FortiGate. These can be edited to more closely match your needs. Consult the Handbook's discussion of data leak prevention concepts for more detail.

Use diagnose test application dlpfingerprint to view statistics, dump all chunks, or refresh all document sources in all VDOMs.

Command Description

set extended-log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config dlp sensor
    edit {name}
    # Configure DLP sensors.
        set name {string}   Name of the DLP sensor. size[35]
        set comment {string}   Comment. size[255]
        set replacemsg-group {string}   Replacement message group used by this DLP sensor. size[35] - datasource(s): system.replacemsg-group.name
        config filter
            edit {id}
            # Set up DLP filters for this sensor.
                set id {integer}   ID. range[0-4294967295]
                set name {string}   Filter name. size[35]
                set severity {option}   Select the severity or threat level that matches this filter.
                        info      Informational.
                        low       Low.
                        medium    Medium.
                        high      High.
                        critical  Critical.
                set type {file | message}   Select whether to check the content of messages (an email message) or files (downloaded files or email attachments). 
                        file     Check the contents of downloaded or attached files.
                        message  Check the contents of email messages, web pages, etc.
                set proto {option}   Check messages or files over one or more of these protocols.
                        smtp       SMTP.
                        pop3       POP3.
                        imap       IMAP.
                        http-get   HTTP GET.
                        http-post  HTTP POST.
                        ftp        FTP.
                        nntp       NNTP.
                        mapi       MAPI
                        mm1        MM1
                        mm3        MM3
                        mm4        MM4
                        mm7        MM7
                set filter-by {option}   Select the type of content to match.
                        credit-card  Match credit cards.
                        ssn          Match social security numbers.
                        regexp       Use a regular expression to match content.
                        file-type    Match a DLP file pattern list.
                        file-size    Match any file over with a size over the threshold.
                        fingerprint  Match against a fingerprint sensitivity.
                        watermark    Look for defined file watermarks.
                        encrypted    Look for encrypted files.
                set file-size {integer}   Match files this size or larger (0 - 4294967295 kbytes). range[0-4294967295]
                set company-identifier {string}   Enter a company identifier watermark to match. Only watermarks that your company has placed on the files are matched. size[35]
                config fp-sensitivity
                    edit {name}
                    # Select a DLP file pattern sensitivity to match.
                        set name {string}   Select a DLP sensitivity. size[35] - datasource(s): dlp.fp-sensitivity.name
                    next
                set match-percentage {integer}   Percentage of fingerprints in the fingerprint databases designated with the selected fp-sensitivity to match. range[0-100]
                set file-type {integer}   Select the number of a DLP file pattern table to match. range[0-4294967295] - datasource(s): dlp.filepattern.id
                set regexp {string}   Enter a regular expression to match (max. 255 characters). size[255]
                set archive {disable | enable}   Enable/disable DLP archiving.
                set action {allow | log-only | block | quarantine-ip}   Action to take with content that this DLP sensor matches.
                        allow          Allow the content to pass through the FortiGate and do not create a log message.
                        log-only       Allow the content to pass through the FortiGate, but write a log message.
                        block          Block the content and write a log message.
                        quarantine-ip  Quarantine all traffic from the IP address and write a log message.
                set expiry {string}   Quarantine duration in days, hours, minutes format (dddhhmm).
            next
        set dlp-log {enable | disable}   Enable/disable DLP logging.
        set extended-log {enable | disable}   Enable/disable extended logging for data leak prevention.
        set nac-quar-log {enable | disable}   Enable/disable NAC quarantine logging.
        set flow-based {enable | disable}   Enable/disable flow-based DLP.
        set full-archive-proto {option}   Protocols to always content archive.
                smtp       SMTP.
                pop3       POP3.
                imap       IMAP.
                http-get   HTTP GET.
                http-post  HTTP POST.
                ftp        FTP.
                nntp       NNTP.
                mapi       MAPI
                mm1        MM1
                mm3        MM3
                mm4        MM4
                mm7        MM7
        set summary-proto {option}   Protocols to always log summary.
                smtp       SMTP.
                pop3       POP3.
                imap       IMAP.
                http-get   HTTP GET.
                http-post  HTTP POST.
                ftp        FTP.
                nntp       NNTP.
                mapi       MAPI
                mm1        MM1
                mm3        MM3
                mm4        MM4
                mm7        MM7
    next
end

Additional information

The following section is for those options that require additional explanation.

dlp-log {enable | disable}

Enable (by default) or disable logging for data leak prevention.

flow-based {enable | disable}

Enable or disable (by default) Flow-based DLP. It's strongly recommended to keep this set to disable, as DLP is primarily a Proxy-based security profile.

full-archive-proto {smtp | pop3 | imap | http-get | http-post ftp | nntp | mapi}

Record a full log for any of the protocols available. This can be useful for forensic investigation, however it should not be used extensively as large amounts of the FortiGate's CPU and RAM are required.

nac-quar-log {enable | disable}

Enable or disable (by default) logging for network access control (NAC) quarantine creation.

replacemsg-group <group_name>

Specify which replacement message group to use, as configured under config system replacemsg-group.

summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}

Record a summary log for any of the protocols available. Email messages, for example, would record the recipient's email address and the size of the email.

config filter

Use this configuration method to create DLP filters.

action {allow | log-only | block | quarantine-ip}

Specify action to take when a match is detected:

  • allow: No action is taken even if the patterns specified in the filter are matched (set by default).
  • log-only: The FortiGate will take no action on network traffic matching a rule with this action. The filter match is logged.
  • block: Traffic matching a filter with the block action will not be delivered.
  • quarantine-ip: Block access through the FortiGate unit for any IP address that sends traffic matching a sensor with this action. The IP address is added to the Banned User list for a duration of time that is determined by set expiry.

company-identifier <id>

Note: This entry is only available when type is set to file and filter-by is set to watermark.

Company identifier for watermarking. Ensures that you are only blocking watermarks that your company has placed on the files, not watermarks with the same name but placed by other companies.

expiry <###d##h##m>

Note: This entry is only available if action is set to quarantine-ip.

Set the duration of the quarantine in the days, hours, minutes format of ###d##h#m. Set the range between 0d0h1m-364d23h59m. The default is set to 5m.

file-size <kb>

Note: This entry is only available when type is set to file and filter-by is set to file-size.

Set the file size in KB. Files over this size will match with the filter. Set the range between 0-4294967295. The default is set to 0.

file-type <integer>

Note: This entry is only available when type is set to file and filter-by is set to file-type.

File pattern table for files to match in this filter. Set the range between 0-4294967295. The default is set to 0. There are two predefined options available by default: 1 (builtin-patterns) and 2 (all_executables).

filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}

Select a filter for the sensor.

  • credit-card: Preconfigured sensor that logs the traffic, both files and messages, that contain credit card numbers in the formats used by American Express, MasterCard and Visa (set by default).
  • ssn: Preconfigured sensor that logs the traffic containing Social Security numbers (with the exception of WebEx invitation emails).
  • regexp: Match defined regular expression, as determined by set gexp.
  • file-type: Match defined file type.
  • file-size: Match any file over a certain size threshold.
  • fingerprint: Match defined fingerprint sensitivity, as determined by set fp-sensitivity.
  • watermark: Match defined file watermarks. Fortinet provides a Linux-based utility that applies a digital watermark to files. The utility adds a small (approximately 100 byte) pattern to the file that is recognized by the DLP watermark filter. The pattern is invisible to the end user. Consult the Handbook's discussion of data leak prevention concepts for more detail.
  • encrypted: Look for encrypted files. The filter is a binary one. If the files going through the policy is encrypted, the action is triggered.

fp-sensitivity <sensitivity-level>

Note: This entry is only available when type is set to file and filter-by is set to either fingerprint or watermark.

Match against a fingerprint sensitivity, as configured under config dlp fp-sensitivity.

match-percentage <percentage>

Note: This entry is only available when type is set to file and filter-by is set to fingerprint.

Percentage of chunks required to constitute a match. Set the range between 0-100. The default is set to 0.

proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}

Identify the protocols to detect.

gexp <string>

Note: This entry is only available when type is set to file and filter-by is set to either regexp.

The FortiGate checks network traffic for the regular expression specified in this regular expression filter. The regular expression library used by Fortinet is a variation of a library called PCRE (Perl Compatible Regular Expressions).

severity {info | low | medium | high | critical}

Set the event severity. The default is set to medium.

type {file | message}

Select whether to check messages (e.g. content of an email message) or files (e.g. downloaded files or the content of files attached to an email). The default is set to message.

dlp sensor

Use this command to create a DLP sensor. The DLP sensor includes settings such as action, archive, and severity for each rule or compound rule. A number of preconfigured sensors are provided with your FortiGate. These can be edited to more closely match your needs. Consult the Handbook's discussion of data leak prevention concepts for more detail.

Use diagnose test application dlpfingerprint to view statistics, dump all chunks, or refresh all document sources in all VDOMs.

Command Description

set extended-log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config dlp sensor
    edit {name}
    # Configure DLP sensors.
        set name {string}   Name of the DLP sensor. size[35]
        set comment {string}   Comment. size[255]
        set replacemsg-group {string}   Replacement message group used by this DLP sensor. size[35] - datasource(s): system.replacemsg-group.name
        config filter
            edit {id}
            # Set up DLP filters for this sensor.
                set id {integer}   ID. range[0-4294967295]
                set name {string}   Filter name. size[35]
                set severity {option}   Select the severity or threat level that matches this filter.
                        info      Informational.
                        low       Low.
                        medium    Medium.
                        high      High.
                        critical  Critical.
                set type {file | message}   Select whether to check the content of messages (an email message) or files (downloaded files or email attachments). 
                        file     Check the contents of downloaded or attached files.
                        message  Check the contents of email messages, web pages, etc.
                set proto {option}   Check messages or files over one or more of these protocols.
                        smtp       SMTP.
                        pop3       POP3.
                        imap       IMAP.
                        http-get   HTTP GET.
                        http-post  HTTP POST.
                        ftp        FTP.
                        nntp       NNTP.
                        mapi       MAPI
                        mm1        MM1
                        mm3        MM3
                        mm4        MM4
                        mm7        MM7
                set filter-by {option}   Select the type of content to match.
                        credit-card  Match credit cards.
                        ssn          Match social security numbers.
                        regexp       Use a regular expression to match content.
                        file-type    Match a DLP file pattern list.
                        file-size    Match any file over with a size over the threshold.
                        fingerprint  Match against a fingerprint sensitivity.
                        watermark    Look for defined file watermarks.
                        encrypted    Look for encrypted files.
                set file-size {integer}   Match files this size or larger (0 - 4294967295 kbytes). range[0-4294967295]
                set company-identifier {string}   Enter a company identifier watermark to match. Only watermarks that your company has placed on the files are matched. size[35]
                config fp-sensitivity
                    edit {name}
                    # Select a DLP file pattern sensitivity to match.
                        set name {string}   Select a DLP sensitivity. size[35] - datasource(s): dlp.fp-sensitivity.name
                    next
                set match-percentage {integer}   Percentage of fingerprints in the fingerprint databases designated with the selected fp-sensitivity to match. range[0-100]
                set file-type {integer}   Select the number of a DLP file pattern table to match. range[0-4294967295] - datasource(s): dlp.filepattern.id
                set regexp {string}   Enter a regular expression to match (max. 255 characters). size[255]
                set archive {disable | enable}   Enable/disable DLP archiving.
                set action {allow | log-only | block | quarantine-ip}   Action to take with content that this DLP sensor matches.
                        allow          Allow the content to pass through the FortiGate and do not create a log message.
                        log-only       Allow the content to pass through the FortiGate, but write a log message.
                        block          Block the content and write a log message.
                        quarantine-ip  Quarantine all traffic from the IP address and write a log message.
                set expiry {string}   Quarantine duration in days, hours, minutes format (dddhhmm).
            next
        set dlp-log {enable | disable}   Enable/disable DLP logging.
        set extended-log {enable | disable}   Enable/disable extended logging for data leak prevention.
        set nac-quar-log {enable | disable}   Enable/disable NAC quarantine logging.
        set flow-based {enable | disable}   Enable/disable flow-based DLP.
        set full-archive-proto {option}   Protocols to always content archive.
                smtp       SMTP.
                pop3       POP3.
                imap       IMAP.
                http-get   HTTP GET.
                http-post  HTTP POST.
                ftp        FTP.
                nntp       NNTP.
                mapi       MAPI
                mm1        MM1
                mm3        MM3
                mm4        MM4
                mm7        MM7
        set summary-proto {option}   Protocols to always log summary.
                smtp       SMTP.
                pop3       POP3.
                imap       IMAP.
                http-get   HTTP GET.
                http-post  HTTP POST.
                ftp        FTP.
                nntp       NNTP.
                mapi       MAPI
                mm1        MM1
                mm3        MM3
                mm4        MM4
                mm7        MM7
    next
end

Additional information

The following section is for those options that require additional explanation.

dlp-log {enable | disable}

Enable (by default) or disable logging for data leak prevention.

flow-based {enable | disable}

Enable or disable (by default) Flow-based DLP. It's strongly recommended to keep this set to disable, as DLP is primarily a Proxy-based security profile.

full-archive-proto {smtp | pop3 | imap | http-get | http-post ftp | nntp | mapi}

Record a full log for any of the protocols available. This can be useful for forensic investigation, however it should not be used extensively as large amounts of the FortiGate's CPU and RAM are required.

nac-quar-log {enable | disable}

Enable or disable (by default) logging for network access control (NAC) quarantine creation.

replacemsg-group <group_name>

Specify which replacement message group to use, as configured under config system replacemsg-group.

summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}

Record a summary log for any of the protocols available. Email messages, for example, would record the recipient's email address and the size of the email.

config filter

Use this configuration method to create DLP filters.

action {allow | log-only | block | quarantine-ip}

Specify action to take when a match is detected:

  • allow: No action is taken even if the patterns specified in the filter are matched (set by default).
  • log-only: The FortiGate will take no action on network traffic matching a rule with this action. The filter match is logged.
  • block: Traffic matching a filter with the block action will not be delivered.
  • quarantine-ip: Block access through the FortiGate unit for any IP address that sends traffic matching a sensor with this action. The IP address is added to the Banned User list for a duration of time that is determined by set expiry.

company-identifier <id>

Note: This entry is only available when type is set to file and filter-by is set to watermark.

Company identifier for watermarking. Ensures that you are only blocking watermarks that your company has placed on the files, not watermarks with the same name but placed by other companies.

expiry <###d##h##m>

Note: This entry is only available if action is set to quarantine-ip.

Set the duration of the quarantine in the days, hours, minutes format of ###d##h#m. Set the range between 0d0h1m-364d23h59m. The default is set to 5m.

file-size <kb>

Note: This entry is only available when type is set to file and filter-by is set to file-size.

Set the file size in KB. Files over this size will match with the filter. Set the range between 0-4294967295. The default is set to 0.

file-type <integer>

Note: This entry is only available when type is set to file and filter-by is set to file-type.

File pattern table for files to match in this filter. Set the range between 0-4294967295. The default is set to 0. There are two predefined options available by default: 1 (builtin-patterns) and 2 (all_executables).

filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}

Select a filter for the sensor.

  • credit-card: Preconfigured sensor that logs the traffic, both files and messages, that contain credit card numbers in the formats used by American Express, MasterCard and Visa (set by default).
  • ssn: Preconfigured sensor that logs the traffic containing Social Security numbers (with the exception of WebEx invitation emails).
  • regexp: Match defined regular expression, as determined by set gexp.
  • file-type: Match defined file type.
  • file-size: Match any file over a certain size threshold.
  • fingerprint: Match defined fingerprint sensitivity, as determined by set fp-sensitivity.
  • watermark: Match defined file watermarks. Fortinet provides a Linux-based utility that applies a digital watermark to files. The utility adds a small (approximately 100 byte) pattern to the file that is recognized by the DLP watermark filter. The pattern is invisible to the end user. Consult the Handbook's discussion of data leak prevention concepts for more detail.
  • encrypted: Look for encrypted files. The filter is a binary one. If the files going through the policy is encrypted, the action is triggered.

fp-sensitivity <sensitivity-level>

Note: This entry is only available when type is set to file and filter-by is set to either fingerprint or watermark.

Match against a fingerprint sensitivity, as configured under config dlp fp-sensitivity.

match-percentage <percentage>

Note: This entry is only available when type is set to file and filter-by is set to fingerprint.

Percentage of chunks required to constitute a match. Set the range between 0-100. The default is set to 0.

proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}

Identify the protocols to detect.

gexp <string>

Note: This entry is only available when type is set to file and filter-by is set to either regexp.

The FortiGate checks network traffic for the regular expression specified in this regular expression filter. The regular expression library used by Fortinet is a variation of a library called PCRE (Perl Compatible Regular Expressions).

severity {info | low | medium | high | critical}

Set the event severity. The default is set to medium.

type {file | message}

Select whether to check messages (e.g. content of an email message) or files (e.g. downloaded files or the content of files attached to an email). The default is set to message.