Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiProxy 7.0.19 Administration Guide
    7.0.19
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    DLP examples

    DLP examples

    This topic includes examples that incorporate several DLP settings:

    Example 1: Block HTTPS upload traffic that includes credit card information

    This configuration will block HTTPS upload traffic that includes credit card information. The pre-defined filter for credit card is used in the sensor.

    To block HTTPS upload traffic that includes credit card information in the GUI:

    1. Configure the DLP sensor:

      1. Go to Security Profiles > Data Loss Prevention and click Create New.

      2. Enter a name (sensor-case1).

      3. Enable DLP Log.

      4. In the Rules section, click Create New.

      5. Configure the following settings:

        Name

        1

        Severity

        Medium

        Type

        File

        Filter By

        Match Credit Card Numbers

        Protocols

        HTTP-POST, HTTP-GET

        Action

        Block

      6. Click OK.

      7. Click OK to save the sensor.

    1. Add the DLP sensor to a policy:

      1. Go to Policy & Objects > Policy and click Create New.

      2. Set the Type to any except SSH Tunnel which does not support DLP.

      3. In the Security Profiles section, enable DLP Sensor and select sensor-case1.

      4. Configure the other settings as needed.

      5. Click OK.

        When a credit card is included in HTTP POST traffic, the file is blocked and a DLP log is generated.

    To block HTTPS upload traffic that includes credit card information in the CLI:
    1. Configure the DLP sensor:
      config dlp sensor
    edit "sensor-case1"
        config filter
            edit 1
                set name "credit_card"
                set proto http-get http-post
                set action block
            next
        end
    next
end
    2. Add the DLP sensor to a policy:
      config firewall policy
    edit 1
        set uuid cda8d380-e253-51ee-d693-6d10e9eaa6ab
	 set srcintf "any"
	 set dstintf "any"
	 set srcaddr "all"
	 set dstaddr "all"
	 set action accept
	 set schedule "always"
	 set service "ALL"
	 set utm-status enable
	 set logtraffic all
	 set logtraffic-start enable
	 set log-http-transaction all
	 set ssl-ssh-profile "deep-inspection"
	 set dlp-sensor "sensor-case1"

    next
end

      When a credit card is included in HTTP POST traffic, a replacement message appears because it is blocked. A DLP log is generated.

    Sample log

    From Linux, the following command can be used to generate a sample log, using the cURL tool to post data, which contains a sample credit card number:

    # curl https://172.18.20.226 -kv -d 4024007149133315

     
    1: date=2024-03-14 time=15:44:19 eventtime=1710456260277025219 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="credit_card" filtertype="credit-card" filtercat="file" severity="medium" policyid=1 poluuid="cda8d380-e253-51ee-d693-6d10e9eaa6ab" policytype="policy" sessionid=145619901 epoch=936350951 eventid=0 srcip=10.1.2.12 srcport=48528 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.18.20.226 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="unknown" direction="outgoing" action="block" hostname="172.18.20.226" url="https://172.18.20.226/" agent="curl/7.68.0" profile="sensor-case1"

    Example 2: Block HTTPS downloads of EXE files and log HTTPS downloads of files larger than 500 KB

    This configuration will block HTTPS downloads of EXE files and log HTTPS downloads of files larger than 500 KB.

    To block HTTPS download of EXE files and log downloads larger than 500 KB:
    1. Configure the DLP file pattern:
      config dlp filepattern
    edit 3
        set name "case2-exe"
        config entries
            edit "exe"
                set filter-type type
                set file-type exe
            next
        end
    next
end
    2. Configure the DLP sensor:
      config dlp sensor
    edit "case2-type-size"
        config filter
            edit 1
                set proto http-get
                set filter-by none
                set file-type 3
                set action block
            next
            edit 2
                set proto http-get
                set filter-by none
                set file-size 500
                set action log-only
            next
        end
    next
end
    3. Add the DLP sensor to a policy:
      config firewall policy
    edit 1
        set uuid cda8d380-e253-51ee-d693-6d10e9eaa6ab
	 set srcintf "any"
	 set dstintf "any"
	 set srcaddr "all"
	 set dstaddr "all"
	 set action accept
	 set schedule "always"
	 set service "ALL"
	 set utm-status enable
	 set logtraffic all
	 set logtraffic-start enable
	 set log-http-transaction all
	 set ssl-ssh-profile "deep-inspection"
	 set dlp-sensor "case2-type-size"

    next
end

    4. Download an EXE file using HTTPS. The download is blocked, a replacement message appears, and a DLP log is generated.

      Sample log
      1: date=2024-03-14 time=15:52:44 eventtime=1710456764252076035 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 dlpextra="case3-exe" filtertype="file-type" filtercat="file" severity="medium" policyid=1 poluuid="cda8d380-e253-51ee-d693-6d10e9eaa6ab" policytype="policy" sessionid=145619906 epoch=936350955 eventid=1 srcip=10.1.2.12 srcport=39136 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.18.29.117 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="exe" direction="incoming" action="block" hostname="172.18.29.117" url="https://172.18.29.117/files/dummy.exe" agent="curl/7.68.0" filename="dummy.exe" filesize=488944 profile="case2-type-size"
    Previous
    Next

    DLP examples

    DLP examples

    This topic includes examples that incorporate several DLP settings:

    Example 1: Block HTTPS upload traffic that includes credit card information

    This configuration will block HTTPS upload traffic that includes credit card information. The pre-defined filter for credit card is used in the sensor.

    To block HTTPS upload traffic that includes credit card information in the GUI:

    1. Configure the DLP sensor:

      1. Go to Security Profiles > Data Loss Prevention and click Create New.

      2. Enter a name (sensor-case1).

      3. Enable DLP Log.

      4. In the Rules section, click Create New.

      5. Configure the following settings:

        Name

        1

        Severity

        Medium

        Type

        File

        Filter By

        Match Credit Card Numbers

        Protocols

        HTTP-POST, HTTP-GET

        Action

        Block

      6. Click OK.

      7. Click OK to save the sensor.

    1. Add the DLP sensor to a policy:

      1. Go to Policy & Objects > Policy and click Create New.

      2. Set the Type to any except SSH Tunnel which does not support DLP.

      3. In the Security Profiles section, enable DLP Sensor and select sensor-case1.

      4. Configure the other settings as needed.

      5. Click OK.

        When a credit card is included in HTTP POST traffic, the file is blocked and a DLP log is generated.

    To block HTTPS upload traffic that includes credit card information in the CLI:
    1. Configure the DLP sensor:
      config dlp sensor
    edit "sensor-case1"
        config filter
            edit 1
                set name "credit_card"
                set proto http-get http-post
                set action block
            next
        end
    next
end
    2. Add the DLP sensor to a policy:
      config firewall policy
    edit 1
        set uuid cda8d380-e253-51ee-d693-6d10e9eaa6ab
	 set srcintf "any"
	 set dstintf "any"
	 set srcaddr "all"
	 set dstaddr "all"
	 set action accept
	 set schedule "always"
	 set service "ALL"
	 set utm-status enable
	 set logtraffic all
	 set logtraffic-start enable
	 set log-http-transaction all
	 set ssl-ssh-profile "deep-inspection"
	 set dlp-sensor "sensor-case1"

    next
end

      When a credit card is included in HTTP POST traffic, a replacement message appears because it is blocked. A DLP log is generated.

    Sample log

    From Linux, the following command can be used to generate a sample log, using the cURL tool to post data, which contains a sample credit card number:

    # curl https://172.18.20.226 -kv -d 4024007149133315

     
    1: date=2024-03-14 time=15:44:19 eventtime=1710456260277025219 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="credit_card" filtertype="credit-card" filtercat="file" severity="medium" policyid=1 poluuid="cda8d380-e253-51ee-d693-6d10e9eaa6ab" policytype="policy" sessionid=145619901 epoch=936350951 eventid=0 srcip=10.1.2.12 srcport=48528 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.18.20.226 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="unknown" direction="outgoing" action="block" hostname="172.18.20.226" url="https://172.18.20.226/" agent="curl/7.68.0" profile="sensor-case1"

    Example 2: Block HTTPS downloads of EXE files and log HTTPS downloads of files larger than 500 KB

    This configuration will block HTTPS downloads of EXE files and log HTTPS downloads of files larger than 500 KB.

    To block HTTPS download of EXE files and log downloads larger than 500 KB:
    1. Configure the DLP file pattern:
      config dlp filepattern
    edit 3
        set name "case2-exe"
        config entries
            edit "exe"
                set filter-type type
                set file-type exe
            next
        end
    next
end
    2. Configure the DLP sensor:
      config dlp sensor
    edit "case2-type-size"
        config filter
            edit 1
                set proto http-get
                set filter-by none
                set file-type 3
                set action block
            next
            edit 2
                set proto http-get
                set filter-by none
                set file-size 500
                set action log-only
            next
        end
    next
end
    3. Add the DLP sensor to a policy:
      config firewall policy
    edit 1
        set uuid cda8d380-e253-51ee-d693-6d10e9eaa6ab
	 set srcintf "any"
	 set dstintf "any"
	 set srcaddr "all"
	 set dstaddr "all"
	 set action accept
	 set schedule "always"
	 set service "ALL"
	 set utm-status enable
	 set logtraffic all
	 set logtraffic-start enable
	 set log-http-transaction all
	 set ssl-ssh-profile "deep-inspection"
	 set dlp-sensor "case2-type-size"

    next
end

    4. Download an EXE file using HTTPS. The download is blocked, a replacement message appears, and a DLP log is generated.

      Sample log
      1: date=2024-03-14 time=15:52:44 eventtime=1710456764252076035 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 dlpextra="case3-exe" filtertype="file-type" filtercat="file" severity="medium" policyid=1 poluuid="cda8d380-e253-51ee-d693-6d10e9eaa6ab" policytype="policy" sessionid=145619906 epoch=936350955 eventid=1 srcip=10.1.2.12 srcport=39136 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.18.29.117 dstport=443 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" filetype="exe" direction="incoming" action="block" hostname="172.18.29.117" url="https://172.18.29.117/files/dummy.exe" agent="curl/7.68.0" filename="dummy.exe" filesize=488944 profile="case2-type-size"
    Previous
    Next