Basic DLP filter types
Basic filter types can be configured using the GUI or CLI and include:
In FortiOS 6.2.2 and later, DLP can only be configured in the CLI. |
File type and name
A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list.
To configure file type and name filtering using the CLI:
- Create a file pattern to filter files based on the file name patter or file type:
config dlp filepattern edit <filepatern_entry_integer> set name <string> config entries edit <file pattern> set filter-type <type | pattern> set file-type <file type> next end next end
For example, to filter for GIFs and PDFs:
config dlp filepattern edit 11 set name “sample_config” config entries edit "*.gif" set filter-type pattern next edit "pdf" set filter-type type set file-type pdf next end next end
- Attach the file pattern to a DLP sensor, and specify the protocols and actions:
config dlp sensor edit <string> config filter edit <integer> set name <string> set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi> set filter-by file-type set file-type 11 <-- Previously configured filepattern set action <allow | log-only| block | quarantine-ip> next end next end
To configure file type and name filtering using the GUI:
- Go to Security Profiles > Data Leak Prevention.
- Click Create New. The New DLP Sensor page opens.
- Click Add Filter in the filter table. The New Filter pane opens.
- Set Type to Files and select Specify File Types.
- Add file types by clicking in the File Types field and select file types from the side pane.
- Add file name patterns by clicking in the File Name Patterns field:
- In the side pane that opens, enter the pattern in the search bar.
- Click Create.
- Select the newly created pattern.
File size
A file size filter checks for files that exceed the specific size, and performs the DLP sensor's configured action on them.
To configure file size filtering using the CLI:
config dlp sensor edit <string> config filter edit <integer> set name <string> set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi> set filter-by file-size <-- Match any file over with a size over the threshold set file-type 11 <-- Previously configured filepattern set action <allow | log-only| block | quarantine-ip> next end next end
To configure file size filtering using the GUI:
- Go to Security Profiles > Data Leak Prevention.
- Click Create New. The New DLP Sensor page opens.
- Click Add Filter in the filter table. The New Filter pane opens.
- Set Type to Files and select File size over.
- Enter the maximum file size, in kilobytes, in the File size over field, then click OK.
Regular expression
A regular expression filter is used to filter files or messages based on the configured regular expression pattern.
To configure regular expression filtering using the CLI:
config dlp sensor edit <string> config filter edit <integer> set name <string> set type <file | message> <-- Check contents of a file or of messages, web pages, etc. set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi> set filter-by regexp <-- Use a regular expression to match content set regexp <regexp> <-- Input a regular expression pattern set action <allow | log-only| block | quarantine-ip> next end next end
To configure regular expression filtering using the GUI:
- Go to Security Profiles > Data Leak Prevention.
- Click Create New. The New DLP Sensor page opens.
- Click Add Filter in the filter table. The New Filter pane opens.
- For filtering regular expressions in files, set Type to Files. For filtering in messages, set Type to Messages.
- Select Regular Expression.
- Enter the regular expression string in the Regular Expression field, then click OK.
Credit card and SSN
The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It can be used to filter files or messages.
The SSN sensor can be used to filter files or messages for Social Security Numbers.
To configure credit card or SSN filtering using the CLI:
config dlp sensor edit <string> config filter edit <integer> set name <string> set type <file | message> <-- Check contents of a file, or of messages, web pages, etc. set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi> set filter-by < credit-card | ssn > <-- Match credit cards or social security numbers set action <allow | log-only| block | quarantine-ip> next end next end
To configure credit card or SSN filtering using the GUI:
- Go to Security Profiles > Data Leak Prevention.
- Click Create New. The New DLP Sensor page opens.
- Click Add Filter in the filter table. The New Filter pane opens.
- For filtering in files, set Type to Files. For filtering in messages, set Type to Messages.
- Select Containing.
- Select Credit Card # or SSN from the Containing drop-down list, then click OK.