
Administration Guide

Basic DLP settings

DLP settings can be configured for data types, dictionaries, EDM templates, sensors, file patterns, and profiles. This topic includes three examples that incorporate several DLP settings. DLP can be configured in both the CLI and the GUI.

The Security Profiles > Data Loss Prevention page includes the Profiles, Sensors, Dictionaries, and EDM templates tabs for configuring those DLP settings. DLP profiles can be added to policies from the GUI.

This section breaks down the DLP configuration into a sequence of steps:

  1. Configure the DLP dictionary and/or EDM template:

    • A DLP dictionary is a collection of data type entries. See DLP data type for more information.

    • An EDM template pairs the data from an external file, such as a data threat feed file, with pre-defined FortiProxy data types. See Exact data matching for more information.

  2. Configure the DLP sensor:

    • A DLP sensor defines which dictionary and/or EDM template to check, and the number of matches required to trigger the sensor.

  3. Configure the DLP profile:

    • A DLP profile allows for filtering by size and file type. See DLP file pattern for custom file type.

  4. Add the DLP profile to a policy.

Note

All the steps mentioned above should be configured in the exact order given for ease of configuration.

Configuring DLP from the GUI

Use the following steps to configure DLP from the GUI.

To configure a DLP dictionary:
  1. Go to Security Profiles > Data Loss Prevention.

  2. Select the Dictionaries tab and click Create New.

  3. Enter a name.

  4. In the Dictionary Entries section, click Create New.

  5. Set the Type and click OK.

  6. Click OK to save the dictionary.

To configure an EDM template:
  1. Go to Security Profiles > Data Loss Prevention.

  2. Select the EDM Templates tab and click Create New.

  3. Enter a name.

  4. In the Resource settings section, select one of the following:

    Each column in the external file represents a pre-defined data type.

    File upload

    Select to upload an external file of data to use with pre-defined data types. The external file can be in text (TXT) or comma-separated value (CSV) format.

    External feed

    Select to provide the URL to a file of data on an external server to use with pre-defined data types. The external file must be in comma-separated value (CSV) format. FortiProxy will periodically fetch entries from the external file using HTTPS.

    External feed URL

    Specify the URL to the data file in CSV format on the external server.

    HTTP basic authentication

    Enable to use basic HTTP authentication when accessing the feed file on the external server. Specify the username and password for the external server.

    Refresh rate

    Specify the time interval to refresh the external resource (minutes).

  5. Set the Match criteria section:

    The patterns in the data file must be valid. If the patterns are invalid, FortiProxy cannot use them, and no warning is displayed.

    +All of these fields

    Click to pair each column in the external data file with a DLP data type.

    All of the specified data in this section must match for FortiProxy to take an action.

    Column index

    Specify the column number in the external file that contains the data.

    Column data type

    Indicate which DLP data type pairs with the column index. Choose from:

    • credit-card

    • edm-keyword

    • mip-label

    • ssn-us

    +Any of these fields

    Click to pair the column in the external data file with a DLP data type, and to specify how many of these pairs must match for FortiProxy to take an action.

    Minimum number of fields matched

    Specify how many of the fields in the Any of these fields section must match for FortiProxy to take an action.

    Column index

    Specify the column number in the external file that contains the data.

    Column data type

    Indicate which DLP data type pairs with the column index. Choose from:

    • credit-card

    • edm-keyword

    • mip-label

    • ssn-us

    • fg-edm-can-natl_id-sin

      Note

      The data type fg-edm-can-natl_id-sin, which represents the Canadian Social Insurance Number (SIN), is dynamically managed by FortiGuard. It is available for use as one of the data types in EDM templates, provided the user has a valid FortiGuard DLP service license.

  6. Click OK to save the EDM template.

To configure a DLP sensor:
  1. Go to Security Profiles > Data Loss Prevention.

  2. Select the Sensors tab and click Create New.

  3. Enter a name.

  4. In the Sensors Entries section, click Create New.

  5. In the Sensor entry list, select a dictionary and/or EDM template and click OK.

  6. Click OK to save the sensor.

To configure a DLP profile:
  1. Go to Security Profiles > Data Loss Prevention.

  2. Select the Profiles tab and click Create New.

  3. Enter a name.

  4. In the Rules section, click Create New.

  5. Configure the following settings:

    Name

    Filter name.

    Data source type

    Specify what type of data source to use:

    • Sensor: Use DLP sensors, such as dictionaries or EDM templates to match content.

    • MIP label: Use MIP label dictionaries to match content.

    Sensors

    Select DLP sensors or MIP labels:

    • Sensor: Select one or more DLP sensors when Data source type is set to Sensor.

    • MIP label: Select one or more MIP label dictionaries when Data source type is set to MIP label.

    Severity

    Select the severity or threat level that matches this filter.

    Action

    Action to take with content that this DLP profile matches.

    Type

    Select whether to check the content of messages (an email message) or files (downloaded files or email attachments).

    File type

    Select the number of a DLP file pattern table to match.

    Protocol

    Check messages or files over one or more of these protocols.

  6. Click OK.

  7. Click OK to save the profile.

To add the DLP profile to a policy:
  1. Go to Policy & Objects > Policy.

  2. Click Create New.

  3. Set the Type to any type except SSH Tunnel, which does not support DLP.

  4. In the Security Profiles section, enable DLP Profile and select the desired profile.

  5. Configure the other settings as needed.

  6. Click OK.

Configuring DLP from the CLI

Use the following steps to configure DLP from the CLI.

To configure a DLP dictionary:
config dlp dictionary
    edit <name>
        config entries
            edit 1
                set type {credit-card | hex | keyword | mip-label | regex | ssn-us}
                set pattern <string>
                set repeat {enable | disable}
                set status {enable | disable}
            next
        end
    next
end
To configure an EDM template:

When configuring an EDM template from the CLI, you must link to a data file in CSV format on an external server.

  1. Add the URL for the data threat feed file to FortiProxy.

    In this example, an external resource named customer data EDM is created, and it defines the location of the data threat feed file in CSV format on an external server.

    config system external-resource
        edit "customer data EDM"
            set uuid 3cadb9be-f639-51ee-df8d-ea94d069c9cf
            set type data
            set resource "http://172.16.200.175/customer_data.csv"
        next
    end
  2. Configure the EDM template.

    In this example, an exact data-match template named Customer SSN EDM is created for the external resource named customer data EDM. The matching record must contain the pattern for the data type from column index 1 (g-ssn-us) and at least one pattern for the data type from column index 3 (g-edm-keyword) or 9 (g-edm-keyword).

    config dlp exact-data-match
        edit "Customer SSN EDM"
            set optional 1
            set data "customer data EDM"
            config columns
                edit 1
                    set type {credit-card | edm-keyword | mip-label | ssn-us | fg-edm-can-natl_id-sin}
                next
            end
        next
    end
    Note

    The data type fg-edm-can-natl_id-sin, which represents the Canadian Social Insurance Number (SIN), is dynamically managed by FortiGuard. It is available for use as one of the data types in EDM templates, provided the user has a valid FortiGuard DLP service license.
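The following Python script is an added example; it is not part of the FortiProxy documentation or product code. It models the EDM match criteria described in the GUI section above (All of these fields, plus Any of these fields with a minimum number matched) and in the CLI example just shown (column 1 is a required ssn-us, columns 3 and 9 are edm-keyword columns of which at least one must match), and it checks a CSV feed for cells that FortiProxy would silently be unable to use, since the guide states that invalid patterns are dropped without a warning. The feed contents, the column layout, the SSN and Luhn validity rules, and the treatment of keywords and MIP labels as any non-empty string are assumptions of the example, not behaviour documented on this page.

```python
import csv
import io
import re
from typing import Callable, Dict, List, Optional

# Constructed sample feed (not real data). Column 1 = US SSN, columns 3 and 9 =
# keywords, following the column layout of the page's CLI example. Row 2 has an
# SSN with a reserved area number, row 3 has an empty keyword in column 3.
SAMPLE_FEED_CSV = (
    "123-45-6789,Alice Example,ACME-CONTRACT,x,x,x,x,x,PROJECT-BLUE\n"
    "666-12-3456,Bob Example,ACME-INVOICE,x,x,x,x,x,PROJECT-RED\n"
    "321-54-0987,Carol Example,,x,x,x,x,x,PROJECT-GREEN\n"
)

# Assumed SSN rule: area not 000/666/900-999, group not 00, serial not 0000.
SSN_US_RE = re.compile(r"(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}")


def valid_ssn_us(value: str) -> bool:
    return SSN_US_RE.fullmatch(value) is not None


def valid_credit_card(value: str) -> bool:
    """13 to 19 digits (spaces or dashes allowed) that pass the Luhn check."""
    digits = re.sub(r"[ -]", "", value)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_keyword(value: str) -> bool:
    # Assumption: an EDM keyword or MIP label is any non-blank string.
    return value.strip() != ""


VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "ssn-us": valid_ssn_us,
    "credit-card": valid_credit_card,
    "edm-keyword": valid_keyword,
    "mip-label": valid_keyword,
}


def parse_feed(csv_text: str) -> List[List[str]]:
    return [row for row in csv.reader(io.StringIO(csv_text)) if row]


def cell(row: List[str], col: int, dtype: str) -> Optional[str]:
    """Return the 1-based column value if it is a valid instance of dtype, else None."""
    value = row[col - 1] if col <= len(row) else ""
    return value if VALIDATORS[dtype](value) else None


def check_feed(csv_text: str, column_types: Dict[int, str]) -> List[str]:
    """List every cell that would fail validation for its paired data type.

    column_types maps a 1-based column index to a DLP data type name. Run this
    before uploading a feed, because the product itself reports no warning.
    """
    problems = []
    for row_no, row in enumerate(parse_feed(csv_text), start=1):
        for col, dtype in column_types.items():
            if cell(row, col, dtype) is None:
                value = row[col - 1] if col <= len(row) else ""
                problems.append(f"row {row_no}, column {col}: {value!r} is not a valid {dtype}")
    return problems


def content_matches(content: str, csv_text: str, required: Dict[int, str],
                    any_of: Dict[int, str], minimum: int) -> Optional[int]:
    """Return the 1-based feed row the content matches, or None.

    A record matches when every 'required' column value of that record occurs in
    the content and at least 'minimum' of its 'any_of' column values do. Invalid
    cells are skipped, so a record with a bad required cell can never match.
    This is a local model of exact data matching, not FortiProxy's engine.
    """
    for row_no, row in enumerate(parse_feed(csv_text), start=1):
        required_values = [cell(row, c, t) for c, t in required.items()]
        if any(v is None or v not in content for v in required_values):
            continue
        hits = 0
        for c, t in any_of.items():
            v = cell(row, c, t)
            if v is not None and v in content:
                hits += 1
        if hits >= minimum:
            return row_no
    return None


# The template from the page's CLI example: column 1 (ssn-us) must match and at
# least one of columns 3 and 9 (edm-keyword) must match.
REQUIRED = {1: "ssn-us"}
ANY_OF = {3: "edm-keyword", 9: "edm-keyword"}
MINIMUM = 1

if __name__ == "__main__":
    for problem in check_feed(SAMPLE_FEED_CSV, {**REQUIRED, **ANY_OF}):
        print("feed problem:", problem)
    sample = "Please update 123-45-6789 under PROJECT-BLUE."
    print("matched row:", content_matches(sample, SAMPLE_FEED_CSV, REQUIRED, ANY_OF, MINIMUM))
```

Running the script reports the two unusable cells in the constructed feed and shows that a message carrying Alice's SSN together with one of her keywords matches row 1, whereas a message carrying only the SSN, only the keywords, or Bob's record (whose SSN cell is invalid) does not match at all. The same pre-check applies to the File upload variant in the GUI, where the feed is a local TXT or CSV file.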

To configure a DLP sensor:
config dlp sensor
    edit <name>
        set match-type {match-all | match-any | match-eval}
        set eval <string>
        config entries
            edit <id>
                set dictionary <dlp_dictionary or EDM template>
                set count <integer>
                set status {enable | disable}
            next
        end
    next
end

See Evaluation by Logical relationship for more information about match-eval.

To configure a DLP profile:
config dlp profile
    edit <name>
        set feature-set {flow | proxy}
        config rule
            edit <id>
                set proto <protocol> <protocol> ...
                set sensor <dlp_sensor>
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
To add the DLP profile to a policy:
config firewall policy
    edit <id>
        set srcintf <interface>
        set dstintf <interface>
        set action accept
        set srcaddr <address>
        set dstaddr <address>
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set dlp-profile <string>
    next
end

See DLP examples for sample configurations.
