Fortinet black logo

CLI Reference

config security waf data-leak-protection

config security waf data-leak-protection

Use this command to configure a waf data-leak-protection profile.

Syntax

config security waf sensitive-data-type

edit <name>

set regex <regex>

next

end

config security waf data-leak-prevention

edit <name>

set status {enable | disable} (default value: disable)

set action [waf_action]

set severity [waf_severity]

config rule

edit <id>

set request-uri-pattern <regex>

set sensitive-data-type <data-type-name>

set threshold <number>

next

end

next

end

config security waf profile

set data-leak-prevention <dlp>

end

Status Enable or disable the profile; default is disable.
Masking

Enable masking to replace sensitive data with asterisks (*); default is disable.

Note: When masking is enabled, all target data will be replaced by asterisks, so the threshold value won't take effect here. Masking only works when Action is Alert, because the connection will reject when action is set as Deny or Block, so no target data will be replaced.

Action

Sets the action FortiADC will take if a security check detects a potential attack. This configuration comes from Action in WAF Profile.

  • Alert—Let the request pass when the profile detects a potential attack, only triggering a WAF log.
  • Deny—Drop the incoming request and trigger a WAF log.
  • Block—Block the IP address from incoming requests for 3600 seconds and trigger a WAF log.
  • silent-deny—Drop the incoming request without triggering a WAF log.

Note: You can also create a customized action with Create New.

Severity Set the severity in WAF logs for potential attacks detected by Data Leak Prevention.
URI Pattern Specified in Data Leak Prevention rules. Scanning and receiving an empty value means this rule is not working.
Threshold Specified in Data Leak Prevention rules. Setting a threshold for a rule means this rule will not take effect until detecting that the target data exceeds the threshold's specified value. Range 1-10000. Default is 1. This will not work if Masking is enabled.

Example

ADC-6 # config security waf sensitive-data-type

ADC-6 (sensitive-data~e) # edit 1

ADC-6 (1) # set

*regex Regular expression

description Description

ADC-6 (1) # set regex "test"

ADC-6 (1) # next

ADC-6 (sensitive-data~e) # end

ADC-6 # config security waf data-leak-prevention

ADC-6 (data-leak-prev~n) # edit 2

ADC-6 (2) # set status enable

ADC-6 (2) # set action

<datasource> Data leak prevention action

alert security waf.action

deny security waf.action

block security waf.action

silent-deny security waf.action

ADC-6 (2) # set action alert

ADC-6 (2) # set severity

high high

low low

medium medium

ADC-6 (2) # set severity high

ADC-6 (2) # config rule

ADC-6 (rule) # edit 3

ADC-6 (3) # set request-uri-pattern

<string> HTTP URI pattern

ADC-6 (3) # set request-uri-pattern "test"

ADC-6 (3) # set sensitive-data-type

<datasource> Sensitive data type

Credit_Card_Number security waf.sensitive-data-type

US_Social_Security_Number security waf.sensitive-data-type

1 security waf.sensitive-data-type

ADC-6 (3) # set sensitive-data-type 1

ADC-6 (3) # set threshold 3

ADC-6 (3) # next

ADC-6 (rule) # end

ADC-6 (2) # end

ADC-6 # config security waf profile

ADC-6 (profile) # edit 1

ADC-6 (1) # get

web-attack-signature : High-Level-Security

url-protection : url

http-protocol-constraint : 1

heuristic-sql-xss-injection-detect: High-Level-Security

bot-detection :

xml-validation : High-Level-Security

json-validation :

advanced-protection : 1

description :

exception :

brute-force-login :

cookie-security :

csrf-protection : CSRF1

input-validation-policy : 1

data-leak-prevention : 1

config security waf data-leak-protection

Use this command to configure a waf data-leak-protection profile.

Syntax

config security waf sensitive-data-type

edit <name>

set regex <regex>

next

end

config security waf data-leak-prevention

edit <name>

set status {enable | disable} (default value: disable)

set action [waf_action]

set severity [waf_severity]

config rule

edit <id>

set request-uri-pattern <regex>

set sensitive-data-type <data-type-name>

set threshold <number>

next

end

next

end

config security waf profile

set data-leak-prevention <dlp>

end

Status Enable or disable the profile; default is disable.
Masking

Enable masking to replace sensitive data with asterisks (*); default is disable.

Note: When masking is enabled, all target data will be replaced by asterisks, so the threshold value won't take effect here. Masking only works when Action is Alert, because the connection will reject when action is set as Deny or Block, so no target data will be replaced.

Action

Sets the action FortiADC will take if a security check detects a potential attack. This configuration comes from Action in WAF Profile.

  • Alert—Let the request pass when the profile detects a potential attack, only triggering a WAF log.
  • Deny—Drop the incoming request and trigger a WAF log.
  • Block—Block the IP address from incoming requests for 3600 seconds and trigger a WAF log.
  • silent-deny—Drop the incoming request without triggering a WAF log.

Note: You can also create a customized action with Create New.

Severity Set the severity in WAF logs for potential attacks detected by Data Leak Prevention.
URI Pattern Specified in Data Leak Prevention rules. Scanning and receiving an empty value means this rule is not working.
Threshold Specified in Data Leak Prevention rules. Setting a threshold for a rule means this rule will not take effect until detecting that the target data exceeds the threshold's specified value. Range 1-10000. Default is 1. This will not work if Masking is enabled.

Example

ADC-6 # config security waf sensitive-data-type

ADC-6 (sensitive-data~e) # edit 1

ADC-6 (1) # set

*regex Regular expression

description Description

ADC-6 (1) # set regex "test"

ADC-6 (1) # next

ADC-6 (sensitive-data~e) # end

ADC-6 # config security waf data-leak-prevention

ADC-6 (data-leak-prev~n) # edit 2

ADC-6 (2) # set status enable

ADC-6 (2) # set action

<datasource> Data leak prevention action

alert security waf.action

deny security waf.action

block security waf.action

silent-deny security waf.action

ADC-6 (2) # set action alert

ADC-6 (2) # set severity

high high

low low

medium medium

ADC-6 (2) # set severity high

ADC-6 (2) # config rule

ADC-6 (rule) # edit 3

ADC-6 (3) # set request-uri-pattern

<string> HTTP URI pattern

ADC-6 (3) # set request-uri-pattern "test"

ADC-6 (3) # set sensitive-data-type

<datasource> Sensitive data type

Credit_Card_Number security waf.sensitive-data-type

US_Social_Security_Number security waf.sensitive-data-type

1 security waf.sensitive-data-type

ADC-6 (3) # set sensitive-data-type 1

ADC-6 (3) # set threshold 3

ADC-6 (3) # next

ADC-6 (rule) # end

ADC-6 (2) # end

ADC-6 # config security waf profile

ADC-6 (profile) # edit 1

ADC-6 (1) # get

web-attack-signature : High-Level-Security

url-protection : url

http-protocol-constraint : 1

heuristic-sql-xss-injection-detect: High-Level-Security

bot-detection :

xml-validation : High-Level-Security

json-validation :

advanced-protection : 1

description :

exception :

brute-force-login :

cookie-security :

csrf-protection : CSRF1

input-validation-policy : 1

data-leak-prevention : 1