CLI Reference

waf dlp policy

Use this command to configure a DLP policy. The Data Loss Prevention (DLP) feature prevents sensitive data from leaving or entering your network by scanning traffic for defined patterns. Data that matches a sensitive data pattern is allowed, logged, blocked, or quarantined as it passes through FortiWeb, according to the action configured in the matching DLP rule.

The DLP feature is configured from the following components:

Component       Description
Data type       The pattern that DLP tries to match. This can be a predefined type such as credit card number or US social security number (SSN), or a keyword, regular expression, or hexadecimal value.
Dictionary      A set of data type entries. A dictionary matches when all, or any, of its entries match.
Sensor          The dictionaries to check, matched as any or all. A sensor can also require a minimum number of dictionary matches before it triggers.
DLP rule        Which sensor to apply to file content or to the HTTP payload, and for which email protocol when files are attached, together with the action to take on a match (allow, log, or block).
DLP policy      Which DLP rules to check. This is the object configured by this command.
DLP exception   Conditions under which DLP rule enforcement is bypassed. Exceptions can be based on request or response attributes such as client IP, URI, headers, cookies, or payload/file hash. When traffic matches both a DLP rule and an associated exception, the rule is skipped for that request.

This feature requires the FortiGuard Data Loss Prevention service to be enabled on FortiWeb.

The following command enables or disables updates of the FortiGuard DLP database. Updates are enabled by default; disabling them leaves the predefined data types at whatever version is currently installed.

config system fortiguard
  set update-dldb {enable | disable}
end

Syntax

config waf dlp policy
  edit <name>
    config dlp-rules
      edit <entry_index>
        set rule <dlp-rule_name>
      next
    end
  next
end

Variable                Description                                                                                                       Default
<name>                  Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.  No default
config dlp-rules
<entry_index>           Enter the index number of the individual entry in the table. The valid range is 1–9,223,372,036,854,775,807.          No default
rule <dlp-rule_name>    Specify a previously configured DLP rule. See waf dlp rule.                                                           No default

Example

config waf dlp policy
  edit "DLP Policy"
    config dlp-rules
      edit 1
        set rule Rule1
      next
    end
  next
end
Related topics: