
Cookbook

Basic DLP filter types

Basic filter types can be configured using the GUI or CLI. They include the following:

Note

In FortiOS 6.2.2 and later, DLP can only be configured in the CLI.

File type and name

A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list.

To configure file type and name filtering using the CLI:
  1. Create a file pattern to filter files based on the file name pattern or file type:
    config dlp filepattern
        edit <filepattern_entry_integer>
            set name <string>
            config entries
                edit <file pattern>
                    set filter-type <type | pattern>
                    set file-type <file type>
                next
            end
        next
    end

    For example, to filter for GIFs and PDFs:

    config dlp filepattern
        edit 11
            set name "sample_config"
            config entries
                edit "*.gif"
                    set filter-type pattern
                next
                edit "pdf"
                    set filter-type type
                    set file-type pdf
                next
            end
        next
    end
  2. Attach the file pattern to a DLP sensor, and specify the protocols and actions:
    config dlp sensor
       edit <string>
          config filter
             edit <integer>
                set name <string>
                set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
                set filter-by file-type
                set file-type 11    <-- Previously configured filepattern
                set action <allow | log-only | block | quarantine-ip>
             next
          end
       next
    end
To configure file type and name filtering using the GUI:
  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. Set Type to Files and select Specify File Types.

  5. Add file types by clicking in the File Types field and selecting file types from the side pane.

  6. Add file name patterns by clicking in the File Name Patterns field:
    1. In the side pane that opens, enter the pattern in the search bar.
    2. Click Create.
    3. Select the newly created pattern.

File size

A file size filter checks for files that exceed the specified size, and performs the DLP sensor's configured action on them.

To configure file size filtering using the CLI:
config dlp sensor
   edit <string>
      config filter
         edit <integer>
            set name <string>
            set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
            set filter-by file-size  <-- Match any file with a size over the threshold
            set file-size <integer>   <-- Threshold in kilobytes (the GUI's File size over field)
            set action <allow | log-only | block | quarantine-ip>
         next
      end
   next
end
To configure file size filtering using the GUI:
  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. Set Type to Files and select File size over.
  5. Enter the maximum file size, in kilobytes, in the File size over field, then click OK.

Regular expression

A regular expression filter is used to filter files or messages based on the configured regular expression pattern.

To configure regular expression filtering using the CLI:
config dlp sensor
   edit <string>
      config filter
         edit <integer>
            set name <string>
            set type <file | message>   <-- Check contents of a file or of messages, web pages, etc.
            set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
            set filter-by regexp   <-- Use a regular expression to match content
            set regexp <regexp>   <-- Input a regular expression pattern
            set action <allow | log-only | block | quarantine-ip>
         next
      end
   next
end
To configure regular expression filtering using the GUI:
  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. For filtering regular expressions in files, set Type to Files. For filtering in messages, set Type to Messages.
  5. Select Regular Expression.
  6. Enter the regular expression string in the Regular Expression field, then click OK.

Credit card and SSN

The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It can be used to filter files or messages.

The SSN sensor can be used to filter files or messages for Social Security Numbers.

To configure credit card or SSN filtering using the CLI:
config dlp sensor
   edit <string>
      config filter
         edit <integer>
            set name <string>
            set type <file | message>  <-- Check contents of a file, or of messages, web pages, etc.
            set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
            set filter-by <credit-card | ssn>   <-- Match credit card or social security numbers
            set action <allow | log-only | block | quarantine-ip>
         next
      end
   next
end
To configure credit card or SSN filtering using the GUI:
  1. Go to Security Profiles > Data Leak Prevention.
  2. Click Create New. The New DLP Sensor page opens.
  3. Click Add Filter in the filter table. The New Filter pane opens.
  4. For filtering in files, set Type to Files. For filtering in messages, set Type to Messages.
  5. Select Containing.
  6. Select Credit Card # or SSN from the Containing drop-down list, then click OK.
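The following is an added worked example, not a configuration from the Fortinet page itself, that combines the four basic filter types above (file type and name, file size, regular expression, credit card and SSN) into a single sensor. It assumes the filepattern entry 11 ("sample_config") from the file type section already exists, and that `set file-size <kbytes>` is the CLI key behind the GUI's File size over field; the sensor name, filter names, size threshold and the regular expression are constructed values.

```text
config dlp sensor
    edit "corp-basic-dlp"
        config filter
            edit 1
                set name "block-gif-pdf-outbound"
                set proto smtp http-post ftp
                set filter-by file-type
                set file-type 11          <-- filepattern 11 from the earlier step
                set action block
            next
            edit 2
                set name "log-large-attachments"
                set proto smtp
                set filter-by file-size
                set file-size 10240       <-- assumed key; threshold in kilobytes (10 MB)
                set action log-only
            next
            edit 3
                set name "internal-project-codes"
                set type message          <-- inspect message bodies and web pages, not just files
                set proto smtp http-post
                set filter-by regexp
                set regexp "PROJ-[A-Z]{4}-[0-9]{3}"   <-- constructed pattern
                set action block
            next
            edit 4
                set name "card-numbers-in-files"
                set type file
                set proto smtp http-post ftp
                set filter-by credit-card
                set action quarantine-ip
            next
        end
    next
end
```

Filters are evaluated per protocol, so a filter that only lists `smtp` will not inspect the same file when it is uploaded over `http-post`; list every protocol the data may leave by.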
