waf dlp policy
Use this command to configure the DLP policy. The Data Loss Prevention (DLP) feature prevents sensitive data from leaving or entering your network by scanning for various patterns. Data matching defined sensitive data patterns is blocked, logged, allowed, or quarantined when it passes through FortiWeb.
The DLP feature is configured based on the following components:
| Component | Description |
|---|---|
| Data type | Define the type of pattern that DLP is trying to match. For example, this can be a pre-defined type including credit card or US social security number (SSN), or you can use keyword, regular expression, or a hexadecimal value to match data. |
| Dictionary | Combine multiple data type entries to match all or any. |
| Sensor | Define which dictionaries to check. You can match any or all dictionaries. It can also count the number of dictionary matches to trigger the sensor. |
| DLP rule | Define rules for matching a sensor based on file content or an HTTP payload, and the email protocol being used to attach files. It also specifies the action to take when the sensor matches: allow, log, or block. |
| DLP policy | Define which DLP rules to check. |
| DLP Exception | Define conditions under which DLP rule enforcement is bypassed. Exceptions can be based on request or response attributes such as client IP, URI, headers, cookies, or payload/file hash. When traffic matches both a DLP rule and an associated exception, the rule is skipped for that request. |
This feature requires the FortiGuard Data Loss Prevention service to be enabled on FortiWeb. The following command enables or disables updates of the FortiGuard DLP database. It is enabled by default.
config system fortiguard
    set update-dldb {enable | disable}
end
Syntax
config waf dlp policy
    edit <name>
        config dlp-rules
            edit <entry_index>
                set rule <dlp-rule_name>
            next
        end
    next
end
| Variable | Description | Default |
|---|---|---|
| <name> | Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters. | No default |
| config dlp-rules | ||
| <entry_index> | Enter the index number of the individual entry in the table. The valid range is 1–9,223,372,036,854,775,807. | No default |
| rule <dlp-rule_name> | Specify a previously configured DLP rule. See waf dlp rule. | No default |
Example
config waf dlp policy
    edit "DLP Policy"
        config dlp-rules
            edit 1
                set rule Rule1
            next
        end
    next
end
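When DLP policies are pushed to many FortiWeb units from a configuration repository, the CLI text is usually generated rather than typed. The following Python is an added example, not part of this reference or of FortiWeb itself. It renders the `config waf dlp policy` block shown above from a mapping of entry index to rule name, enforcing the limits this page documents (policy name up to 63 characters, entry index in the range 1 to 9,223,372,036,854,775,807), and also renders the `config system fortiguard` block for the `update-dldb` setting. The quoting of names that contain spaces follows the example on this page; the rejection of a rule referenced twice in one policy and the 63-character limit applied to rule names are assumptions made here, not statements from the page.

```python
"""Render FortiWeb DLP policy CLI blocks from structured input.

Added example, not FortiWeb code. It validates the limits documented for
`config waf dlp policy` and emits CLI text in the layout of the reference
example, so the generated block can be diffed against a running config.
"""
from typing import Dict, List

NAME_MAX_LEN = 63                 # documented maximum for <name>
INDEX_MIN, INDEX_MAX = 1, 2**63 - 1  # documented range for <entry_index>


def _quote(name: str) -> str:
    """Quote a name the way the CLI example does when it contains a space."""
    return f'"{name}"' if " " in name else name


def render_dlp_policy(name: str, rules: Dict[int, str]) -> str:
    """Return the `config waf dlp policy` block for one policy.

    `rules` maps <entry_index> to the name of a previously configured
    `waf dlp rule`. Raises ValueError for input the CLI would reject or
    that would silently produce an empty policy.
    """
    if not name or len(name) > NAME_MAX_LEN:
        raise ValueError(f"policy name must be 1..{NAME_MAX_LEN} characters")
    if not rules:
        raise ValueError("a DLP policy needs at least one dlp-rules entry")

    seen: set = set()
    lines: List[str] = [
        "config waf dlp policy",
        f"    edit {_quote(name)}",
        "        config dlp-rules",
    ]
    for idx in sorted(rules):
        rule = rules[idx]
        if not INDEX_MIN <= idx <= INDEX_MAX:
            raise ValueError(f"entry index {idx} outside {INDEX_MIN}..{INDEX_MAX}")
        # Assumption: rule names share the 63-character limit of other names.
        if not rule or len(rule) > NAME_MAX_LEN:
            raise ValueError(f"rule name for entry {idx} must be 1..{NAME_MAX_LEN} characters")
        # Assumption: listing the same rule twice is a mistake in the source data.
        if rule in seen:
            raise ValueError(f"rule {rule!r} is referenced twice in policy {name!r}")
        seen.add(rule)
        lines += [
            f"            edit {idx}",
            f"                set rule {_quote(rule)}",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def fortiguard_dldb_update(enable: bool = True) -> str:
    """Return the block that turns FortiGuard DLP database updates on or off."""
    state = "enable" if enable else "disable"
    return "\n".join([
        "config system fortiguard",
        f"    set update-dldb {state}",
        "end",
    ])


if __name__ == "__main__":
    # Constructed input mirroring the example on this page.
    print(fortiguard_dldb_update(True))
    print(render_dlp_policy("DLP Policy", {1: "Rule1"}))
```

Feeding the generated text back through `diff` against `show waf dlp policy` output from the device is a cheap way to confirm the policy actually references every rule the repository says it should.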