Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiWeb 8.0.2 CLI Reference
    8.0.2
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0

    waf dlp exception

    waf dlp exception

    Use this command to configure DLP Exception to apply to the DLP Policy.

    The DLP Exception feature allows you to define granular bypass conditions for traffic that would otherwise trigger Data Loss Prevention (DLP) rules. You can create exception objects composed of one or more match elements, each specifying conditions such as client IP, HTTP header, URI, or payload hash. These exceptions can be assigned to DLP policies to exclude matching traffic from enforcement. This enables more accurate DLP coverage while minimizing false positives and maintaining support for trusted applications and sources.

    Syntax

    config waf dlp exception

    edit <name>

    config exception-element-list

    edit <entry_index>

    set match-target {HOST | URI | FULL_URL | PARAMETER | COOKIE | CLIENT_IP | HTTP_HEADER | PAYLOAD_SHA256 | FILE_SHA256}

    set operator {STRING_MATCH | REGEXP_MATCH | EQ | NE}

    set ip <IP_range>

    set value {<value_str> | <value_pattern>}

    set value-check {enable | disable}

    set value-name {<value-name_str> | <value-name_pattern>}

    set concatenate-type {AND | OR}

    next

    end

    next

    end

    Variable Description Default
    <name> Name of the DLP exception object. This name is referenced when assigning the exception to a DLP policy. No default
    config exception-element-list
    <entry_index> Index number of the exception element entry. No default
    match-target {HOST | URI | FULL_URL | PARAMETER | COOKIE | CLIENT_IP | HTTP_HEADER | PAYLOAD_SHA256 | FILE_SHA256} Specifies the traffic field to match against. Each target supports specific operators and field options. No default
    operator {STRING_MATCH | REGEXP_MATCH | EQ | NE}

    Defines how the value is compared:

    • STRING_MATCH – Direct string comparison.

    • REGEXP_MATCH – Regular expression comparison.

    • EQ, NE – Equal / Not Equal (only supported for CLIENT_IP).

    		 No default
    ip <IP_range>

    Specifies the source IP address to match.

    Only used when match-target is CLIENT_IP. Accepts both IPv4 and IPv6.

    		 No default
    value {<value_str> | <value_pattern>}

    Specifies the value to match for the selected target.

    For PAYLOAD_SHA256 and FILE_SHA256, this must be a 64-character SHA-256 hash string.

    This field is not available when match-target is CLIENT_IP.

    		 No default

    value-check {enable | disable}

    Enable to match the value of a specified name-value pair.

    Only applicable for PARAMETER, COOKIE, and HTTP_HEADER.

    When enabled, value-name and value must be defined.

    disable

    value-name {<value-name_str> | <value-name_pattern>}

    Specifies the name of the parameter, cookie, or HTTP header to inspect when value-check is enabled.

    Only applicable to PARAMETER, COOKIE, and HTTP_HEADER.

    		 No default

    concatenate-type {AND | OR}

    Defines how this exception element is evaluated with others:

    • AND – All conditions must match.

    • OR – Any condition may match.

    AND

    Example

    config waf dlp exception
  edit "DLP_exp"
    config  exception-element-list
      edit 1
        set match-target HTTP_HEADER
        set operator STRING_MATCH
        set value XYZ_Corp_Marketing_Tool
        set value-check enable
        set value-name User-Agent
    end
end
    Previous
    Next

    waf dlp exception

    waf dlp exception

    Use this command to configure DLP Exception to apply to the DLP Policy.

    The DLP Exception feature allows you to define granular bypass conditions for traffic that would otherwise trigger Data Loss Prevention (DLP) rules. You can create exception objects composed of one or more match elements, each specifying conditions such as client IP, HTTP header, URI, or payload hash. These exceptions can be assigned to DLP policies to exclude matching traffic from enforcement. This enables more accurate DLP coverage while minimizing false positives and maintaining support for trusted applications and sources.

    Syntax

    config waf dlp exception

    edit <name>

    config exception-element-list

    edit <entry_index>

    set match-target {HOST | URI | FULL_URL | PARAMETER | COOKIE | CLIENT_IP | HTTP_HEADER | PAYLOAD_SHA256 | FILE_SHA256}

    set operator {STRING_MATCH | REGEXP_MATCH | EQ | NE}

    set ip <IP_range>

    set value {<value_str> | <value_pattern>}

    set value-check {enable | disable}

    set value-name {<value-name_str> | <value-name_pattern>}

    set concatenate-type {AND | OR}

    next

    end

    next

    end

    Variable Description Default
    <name> Name of the DLP exception object. This name is referenced when assigning the exception to a DLP policy. No default
    config exception-element-list
    <entry_index> Index number of the exception element entry. No default
    match-target {HOST | URI | FULL_URL | PARAMETER | COOKIE | CLIENT_IP | HTTP_HEADER | PAYLOAD_SHA256 | FILE_SHA256} Specifies the traffic field to match against. Each target supports specific operators and field options. No default
    operator {STRING_MATCH | REGEXP_MATCH | EQ | NE}

    Defines how the value is compared:

    • STRING_MATCH – Direct string comparison.

    • REGEXP_MATCH – Regular expression comparison.

    • EQ, NE – Equal / Not Equal (only supported for CLIENT_IP).

    		 No default
    ip <IP_range>

    Specifies the source IP address to match.

    Only used when match-target is CLIENT_IP. Accepts both IPv4 and IPv6.

    		 No default
    value {<value_str> | <value_pattern>}

    Specifies the value to match for the selected target.

    For PAYLOAD_SHA256 and FILE_SHA256, this must be a 64-character SHA-256 hash string.

    This field is not available when match-target is CLIENT_IP.

    		 No default

    value-check {enable | disable}

    Enable to match the value of a specified name-value pair.

    Only applicable for PARAMETER, COOKIE, and HTTP_HEADER.

    When enabled, value-name and value must be defined.

    disable

    value-name {<value-name_str> | <value-name_pattern>}

    Specifies the name of the parameter, cookie, or HTTP header to inspect when value-check is enabled.

    Only applicable to PARAMETER, COOKIE, and HTTP_HEADER.

    		 No default

    concatenate-type {AND | OR}

    Defines how this exception element is evaluated with others:

    • AND – All conditions must match.

    • OR – Any condition may match.

    AND

    Example

    config waf dlp exception
  edit "DLP_exp"
    config  exception-element-list
      edit 1
        set match-target HTTP_HEADER
        set operator STRING_MATCH
        set value XYZ_Corp_Marketing_Tool
        set value-check enable
        set value-name User-Agent
    end
end
    Previous
    Next