waf dlp rule

Use this command to create a DLP (Data Loss Prevention) rule. A rule pairs a DLP sensor with the content FortiWeb scans for a match (the HTTP payload or files, optionally restricted to email attachments carried over OWA, ActiveSync, or MAPI) and sets the action FortiWeb takes on a violation: allow and log the request, block the request, or block the source IP address for a period of time.

Syntax

config waf dlp rule
  edit <name>
    set host-status {enable | disable}
    set host <protected-host_name>
    set url-type {plain | regular}
    set url <url_pattern>
    set sensor <dlp-sensor_name>
    set direction {request | response | both}
    set type {http-payload | files}
    set email-attachments {enable | disable}
    set owa-protocol {enable | disable}
    set activesync-protocol {enable | disable}
    set mapi-protocol {enable | disable}
    set action {alert | alert_deny | block-period}
    set block-period <integer>
    set severity {High | Medium | Low | Info}
    set trigger <trigger-policy>
  next
end

Variable / Description / Default

<name>
  Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  Default: No default

host-status {enable | disable}
  Enable Host Status if you want to apply this DLP rule to a specific web host.
  Default: disable

host <protected-host_name>
  Enter the IP address or FQDN of the host to which the DLP rule will be applied.
  Only available if Host Status is enabled. This becomes unavailable if email-attachments is enabled.
  Default: No default

url-type {plain | regular}
  If you want to apply this DLP rule to specific URLs, you can use either a simple string or a regular expression to specify the URL.
    • plain — The literal URL, such as /index.php, that the HTTP request must contain in order to match the DLP rule. The URL must begin with a slash ( / ). You can also use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • regular — A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.
  Default: plain

url <url_pattern>
  Specify the request URL.
  Do not include the domain name, such as www.example.com, which is configured separately in Host.
  This becomes unavailable if email-attachments is enabled.
  Default: No default

sensor <dlp-sensor_name>
  Specify the DLP sensor.
  Default: No default

direction {request | response | both}
  Select whether to safeguard the data when it enters (Request) or leaves (Response) FortiWeb, or in both directions.
  Default: request

type {http-payload | files}
    • http-payload: FortiWeb scans the HTTP payload to identify any match.
    • files: FortiWeb scans files in a request or response to identify any match.
  Note that DLP only processes the non-binary data in the HTTP payload or files, for example the HTML body and XML body, or multipart/form-data, multipart/related, and application/octet-stream files.
  Default: http-payload

email-attachments {enable | disable}
  Enable Attachments in Email to restrict the file scan exclusively to attachments in emails.
  Available only when files is selected in type.
  Default: disable

owa-protocol {enable | disable}
  Available only if email-attachments is enabled.
  Enable OWA protocol to allow FortiWeb to scan attachments in emails sent and received via a web browser login.
  Default: disable

activesync-protocol {enable | disable}
  Available only if email-attachments is enabled.
  Enable ActiveSync protocol to allow FortiWeb to scan attachments in emails sent and received via a mobile phone login.
  Default: disable

mapi-protocol {enable | disable}
  Available only if email-attachments is enabled.
  Enable MAPI protocol to allow FortiWeb to scan attachments in emails sent and received via the Messaging Application Programming Interface (MAPI), a transport protocol implemented in Microsoft Exchange Server 2013 Service Pack 1 (SP1).
  Default: disable

action {alert | alert_deny | block-period}
  Select which action FortiWeb will take when it detects a violation of the rule:
    • alert — Accept the connection and generate an alert email and/or log message.
    • alert_deny — Block the request and generate an alert email and/or log message.
    • block-period — Block subsequent requests from the same IP address for a number of seconds.
  Default: alert

block-period <integer>
  Available only if action is block-period.
  Enter the amount of time (in seconds) that you want to block subsequent requests from the same IP address after FortiWeb detects a DLP rule violation.
  The valid range is 1–3,600 seconds (1 hour).
  Default: 600

severity {High | Medium | Low | Info}
  When FortiWeb records DLP rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated:
    • Informative
    • Low
    • Medium
    • High
  Default: Medium

trigger <trigger-policy>
  Select the trigger policy, if any, that FortiWeb carries out when it logs and/or sends an alert email about a DLP rule violation.
  Default: No default

Example

config waf dlp rule
  edit "Rule1"
    set sensor Sensor1
    set direction both
    set url /*
    set action alert_deny
    set severity High
  next
end
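As an added illustration (not part of the Fortinet reference), the following Python script parses a config waf dlp rule block and checks each rule against the dependencies documented in the variable table: email-attachments requires type files and makes host and url unavailable, host requires host-status, the OWA/ActiveSync/MAPI options require email-attachments, and block-period only applies with action block-period and must be 1 to 3600 seconds. The sample configuration is constructed, and the parser assumes the edit/set/next layout shown in the Example.

```python
# Dependency rules taken from the variable table on this page.
EMAIL_PROTOS = ("owa-protocol", "activesync-protocol", "mapi-protocol")
def parse_dlp_rules(text):
    """Parse 'config waf dlp rule' CLI text into {rule_name: {variable: value}}."""
    rules, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            rules[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            rules[current][key] = value.strip().strip('"')
    return rules

def check_rule(r):
    """Return the documented dependency violations found in one parsed rule."""
    problems = []
    email = r.get("email-attachments") == "enable"
    action = r.get("action", "alert")        # documented default
    period = r.get("block-period", "600")    # documented default
    if email and r.get("type", "http-payload") != "files":
        problems.append("email-attachments requires type files")
    if email and ("host" in r or "url" in r):
        problems.append("host and url are unavailable when email-attachments is enabled")
    if "host" in r and r.get("host-status") != "enable":
        problems.append("host is only available when host-status is enabled")
    if not email and any(r.get(p) == "enable" for p in EMAIL_PROTOS):
        problems.append("email protocol options require email-attachments enable")
    if action == "block-period" and not (period.isdigit() and 1 <= int(period) <= 3600):
        problems.append("block-period must be 1-3600 seconds")
    if action != "block-period" and "block-period" in r:
        problems.append("block-period only applies when action is block-period")
    if r.get("url-type", "plain") == "plain" and not r.get("url", "/").startswith("/"):
        problems.append("plain url must begin with /")
    return problems

# Constructed sample: a consistent rule and a deliberately inconsistent one.
SAMPLE = """config waf dlp rule
  edit "Rule1"
    set sensor Sensor1
    set url /*
    set action alert_deny
  next
  edit "Broken"
    set sensor Sensor1
    set email-attachments enable
    set url /*
    set block-period 5000
  next
end"""
```

Running check_rule over parse_dlp_rules(SAMPLE) reports nothing for Rule1 and three problems for Broken, which is the kind of check worth running on exported configuration before it is applied.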
Related topics: