Basic DLP settings
DLP settings can be configured for data types, dictionaries, EDM templates, sensors, file patterns, and profiles. DLP can be configured in both the CLI and the GUI irrespective of firewall policy inspection mode.
Note: DLP profiles can only be added to a flow-based firewall policy from the CLI.
On the Security Profiles > Data Loss Prevention page, there are Profile, Sensor, Dictionary, and EDM Template tabs to configure those DLP settings. DLP profiles can be added to proxy-based firewall policies and proxy policies from the GUI.
Note: If Data Loss Prevention is not visible in the tree menu, go to System > Feature Visibility and enable it.
This section breaks down the DLP configuration into a sequence of steps:
1. Configure the DLP dictionary, DLP labels, and/or EDM template:
   - A DLP dictionary is a collection of data type entries. See Built-in DLP data type for more information.
   - A DLP label is used to configure MPIP labels, which help classify and protect sensitive information.
   - An EDM template pairs the data from an external file, such as a data external feed file, with built-in data types.
2. Configure the DLP sensor:
   - A DLP sensor defines which dictionary and/or EDM template to check, and how many matches are required to trigger the sensor.
3. Configure the DLP profile:
   - A DLP profile allows for filtering by size and file type. See DLP file pattern for custom file types.
4. Add the DLP profile to a firewall policy.
Note: Configure the steps above in the exact order given.
Configuring DLP from the GUI
Use the following steps to configure DLP from the GUI.
To configure a DLP dictionary:
1. Go to Security Profiles > Data Loss Prevention.
2. Select the Dictionary tab and click Create New.
3. Enter a name.
4. In the Dictionary Entries section, click Create New.
5. Set the Type and click OK.
6. Click OK to save the dictionary.
To configure an EDM template:
1. Go to Security Profiles > Data Loss Prevention.
2. Select the EDM Template tab and click Create New.
3. Enter a name.
4. In the Resource settings section, select one of the following:
   File upload: Select to upload an external file of data to use with built-in data types. The external file can be in text (TXT) or comma-separated value (CSV) format.
   External feed: Select to provide the URL to a file of data on an external server to use with built-in data types. The external file must be in comma-separated value (CSV) format. FortiGate periodically fetches entries from the external file using HTTPS.
     External feed URL: Specify the URL to the data file in CSV format on the external server.
     HTTP basic authentication: Enable to use basic HTTP authentication when accessing the file on the external server. Specify the username and password for the external server.
     Refresh rate: Specify the time interval, in minutes, at which to refresh the external resource.
5. Set the Match criteria section. Each column in the external file represents data for a built-in data type. The patterns in the data file must be valid for the data type. If the patterns are invalid, FortiGate cannot use them, and no warning is displayed.
   All of these fields: Click to pair each column in the external data file with a built-in data type. All of the specified data in this section must match for FortiGate to take an action.
     Column index: Specify the column number in the external file that contains the data.
     Data type: Indicate which built-in data type pairs with the column index. Choose from:
       - credit-card
       - edm-keyword
       - mip-label
       - ssn-us
   Any of these fields: Click to pair the column in the external data file with a built-in data type, and to specify how many of these pairs must match for FortiGate to take an action.
     Minimum number of fields matched: Specify how many of the fields in the Any of these fields section must match for FortiGate to take an action.
     Column index: Specify the column number in the external file that contains the data.
     Data type: Indicate which built-in data type pairs with the column index. Choose from:
       - credit-card
       - edm-keyword
       - mip-label
       - ssn-us
       - fg-edm-can-natl_id-sin
   The data type fg-edm-can-natl_id-sin, which represents the Canadian Social Insurance Number (SIN), is dynamically managed by FortiGuard. It is available as one of the data types in EDM templates, provided the user has a valid FortiGuard DLP service license.
6. Click OK to save the EDM template.
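Because FortiGate silently drops feed-file patterns that are not valid for their paired data type, it is worth checking a CSV feed before publishing it. The following Python script is an added example, not part of the Fortinet documentation or of FortiOS; it validates each column of a constructed sample feed against an assumed column-to-data-type pairing (Luhn check for credit-card, SSA area/group/serial rules for ssn-us, non-empty cell for edm-keyword). The checks approximate the built-in data types and are not FortiGate's own matching logic; the mip-label type is not covered.

```python
import csv
import io
import re

# Constructed sample feed file; column 1 = credit-card, column 2 = ssn-us,
# column 3 = edm-keyword (column indexes are 1-based, as in the EDM template)
SAMPLE_FEED = """4111111111111111,123-45-6789,ACME-PROJECT-X
4111111111111112,123-45-6789,ACME-PROJECT-Y
5500000000000004,000-12-3456,ACME-PROJECT-Z
"""

# Assumed column index -> data type pairing, the same information the
# template's Column index / Data type settings hold (constructed here)
EDM_COLUMNS = {1: "credit-card", 2: "ssn-us", 3: "edm-keyword"}


def luhn_ok(digits):
    """Luhn checksum, the usual validity test for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_credit_card(value):
    # Accept digits with optional spaces/hyphens, 13..19 digits, Luhn-valid
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def valid_ssn_us(value):
    # AAA-GG-SSSS; the SSA never issues area 000, 666 or 900-999,
    # group 00 or serial 0000
    m = SSN_RE.match(value)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def valid_edm_keyword(value):
    # Keywords are free text; only an empty cell is rejected
    return value.strip() != ""


VALIDATORS = {
    "credit-card": valid_credit_card,
    "ssn-us": valid_ssn_us,
    "edm-keyword": valid_edm_keyword,
}


def validate_feed(csv_text, columns):
    """Return (row, column index, data type, value) for every cell that is
    not a valid pattern for its paired data type, or that is missing."""
    problems = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for index, dtype in sorted(columns.items()):
            if index > len(row):
                problems.append((row_no, index, dtype, "<missing>"))
                continue
            value = row[index - 1].strip()
            if not VALIDATORS[dtype](value):
                problems.append((row_no, index, dtype, value))
    return problems


if __name__ == "__main__":
    for problem in validate_feed(SAMPLE_FEED, EDM_COLUMNS):
        print("row %d column %d (%s): invalid value %r" % problem)
```

Run against the constructed feed, the script reports the Luhn-invalid card number on row 2 and the unissued SSN area 000 on row 3; those two rows would be silently unusable on the FortiGate, so the report is the warning the GUI does not give.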
To configure a DLP sensor:
1. Go to Security Profiles > Data Loss Prevention.
2. Select the Sensor tab and click Create New.
3. Enter a name.
4. In the Sensors Entries section, click Add. The Select Entries pane is displayed.
5. Select the management method from the dropdown menu.
6. From the list, select the dictionary or EDM template.
7. Click Apply.
8. Click OK to save the sensor.
To configure a DLP profile:
1. Go to Security Profiles > Data Loss Prevention.
2. Select the Profile tab and click Create New.
3. Enter a name.
4. In the Rules table, click Create New.
5. Configure the following settings:
   Name: The filter name.
   Type: Specify what type of data source to use:
     - Sensor: Use DLP sensors, such as dictionaries or EDM templates, to match content.
     - Label: Use a DLP label to match content.
   Sensors: Select one or more DLP sensors when Type is set to Sensor.
   DLP label: Select one of the DLP labels from the drop-down list when Type is set to Label.
   Severity: Select the severity or threat level that matches this filter.
   Action: The action to take with content that this DLP profile matches.
   Match type: Select whether to check the content of messages (an email message) or files (downloaded files or email attachments).
   File type: Select the number of a DLP file pattern table to match.
   Protocol: Check messages or files over one or more of these protocols.
6. Click OK.
7. Click OK to save the profile.
To add the DLP profile to a firewall policy:
1. Go to Policy & Objects > Firewall Policy.
2. Click Create New.
3. Set the Inspection Mode to Proxy-based.
4. In the Security Profiles section, enable DLP Profile and select the desired profile.
5. Configure the other settings as needed.
6. Click OK.
Configuring DLP from the CLI
Use the following steps to configure DLP from the CLI.
To configure a DLP dictionary:
config dlp dictionary
    edit <name>
        config entries
            edit 1
                set type {credit-card | hex | keyword | regex | ssn-us}
                set pattern <string>
                set repeat {enable | disable}
                set status {enable | disable}
            next
        end
    next
end
To configure a DLP label:
config dlp label
    edit <name>
        set type mpip
        set mpip-type {remote | local}
        set connector <string>
        config entries
            edit <id>
                set guid <string>
                set mpip-label-name <string>
            next
        end
    next
end
guid is only configurable when mpip-type is set to local. mpip-label-name is only configurable when mpip-type is set to remote.
For the remote MPIP label, the Azure SDN connector needs to be configured with Microsoft 365 enabled. See Azure SDN connector using service principal for more information.
To configure an EDM template:
When configuring an EDM template from the CLI, you must link to a data file in CSV format on an external server; you cannot upload the data file to FortiGate.
1. Add the URL for the data external feed file to FortiGate:
   config system external-resource
       edit <name>
           set type data
           set resource <URL to resource file on external server>
       next
   end
2. Configure the EDM template:
   config dlp exact-data-match
       edit <name>
           set optional <number of optional columns that must match>
           set data <name of external resource file>
           config columns
               edit <column index number>
                   set type {credit-card | edm-keyword | mip-label | ssn-us | fg-edm-can-natl_id-sin}
               next
           end
       next
   end
The data type fg-edm-can-natl_id-sin, which represents the Canadian Social Insurance Number (SIN), is dynamically managed by FortiGuard. It is available as one of the data types in EDM templates, provided the user has a valid FortiGuard DLP service license.
To configure a DLP sensor:
config dlp sensor
    edit <name>
        set match-type {match-all | match-any | match-eval}
        set eval <string>
        config entries
            edit <id>
                set dictionary <dlp dictionary or EDM template>
                set count <integer>
                set status {enable | disable}
            next
        end
    next
end
See Evaluation by logical relationship for more information about match-eval.
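To make the relationship between dictionary entries, the per-entry count threshold and the sensor match-type concrete, the following Python model is added here as an example; it is not FortiOS code and does not reproduce FortiGate's actual matching engine. The dictionaries, sensors and messages are constructed. Two behaviours are assumptions of this model: with repeat enabled every occurrence of an entry is counted, with repeat disabled an entry counts at most once; and an entry's count is the minimum total of dictionary matches that entry needs. Only keyword and regex entry types and the match-all and match-any sensor types are modelled.

```python
import re

# Constructed dictionaries, mirroring "config dlp dictionary" entries:
# each entry has a type, a pattern and a repeat flag (keyword and regex
# types only; credit-card, ssn-us and hex types are not modelled here)
DICTIONARIES = {
    "internal-keywords": [
        {"type": "keyword", "pattern": "CONFIDENTIAL", "repeat": True},
        {"type": "keyword", "pattern": "Project Falcon", "repeat": False},
    ],
    "ticket-ids": [
        {"type": "regex", "pattern": r"\bTCK-\d{6}\b", "repeat": True},
    ],
}

# Constructed sensors, mirroring "config dlp sensor": a match-type and
# entries that name a dictionary and the match count that entry needs
SENSORS = {
    "bulk-leak": {
        "match-type": "match-all",
        "entries": [
            {"dictionary": "internal-keywords", "count": 2},
            {"dictionary": "ticket-ids", "count": 3},
        ],
    },
    "any-hit": {
        "match-type": "match-any",
        "entries": [
            {"dictionary": "internal-keywords", "count": 1},
            {"dictionary": "ticket-ids", "count": 5},
        ],
    },
}


def count_dictionary_matches(dictionary_name, text):
    """Count how often the dictionary's entries occur in text.

    Assumption of this model: with repeat enabled every occurrence of an
    entry counts; with repeat disabled an entry counts at most once.
    """
    total = 0
    for entry in DICTIONARIES[dictionary_name]:
        if entry["type"] == "keyword":
            hits = text.count(entry["pattern"])
        elif entry["type"] == "regex":
            hits = len(re.findall(entry["pattern"], text))
        else:
            raise ValueError("entry type not modelled: %s" % entry["type"])
        total += hits if entry["repeat"] else min(hits, 1)
    return total


def sensor_triggers(sensor_name, text):
    """Return True if the sensor fires on text.

    match-all: every entry must reach its count; match-any: one is enough.
    match-eval (a logical expression over the entries) is not modelled.
    """
    sensor = SENSORS[sensor_name]
    satisfied = [
        count_dictionary_matches(e["dictionary"], text) >= e["count"]
        for e in sensor["entries"]
    ]
    if sensor["match-type"] == "match-all":
        return all(satisfied)
    if sensor["match-type"] == "match-any":
        return any(satisfied)
    raise ValueError("match-type not modelled: %s" % sensor["match-type"])


# Constructed sample messages
LEAK = ("CONFIDENTIAL: Project Falcon status. Tickets TCK-000123, "
        "TCK-000124 and TCK-000125 are CONFIDENTIAL.")
CHATTER = "Project Falcon Project Falcon lunch on Friday? TCK-000123"

if __name__ == "__main__":
    for name in SENSORS:
        print(name, "LEAK:", sensor_triggers(name, LEAK),
              "CHATTER:", sensor_triggers(name, CHATTER))
```

The second message shows why the repeat flag and the count threshold matter: "Project Falcon" appears twice but, with repeat disabled, contributes one match, so the match-all sensor with a threshold of 2 stays quiet while the match-any sensor with a threshold of 1 fires.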
To configure a DLP profile:
config dlp profile
    edit <name>
        set feature-set {flow | proxy}
        config rule
            edit <id>
                set proto <protocol> <protocol> ...
                set sensor <dlp_sensor>
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
To add the DLP profile to a firewall policy:
config firewall policy
    edit <id>
        set srcintf <interface>
        set dstintf <interface>
        set action accept
        set srcaddr <address>
        set dstaddr <address>
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set dlp-profile <string>
    next
end
See DLP examples for sample configurations.