Staff

Technical Tip: How to block file transfers that contains a specific filename using Data Loss Prevention (DLP)

Forum|Forum|10 months ago
July 29, 2025
0 replies
857 views

Description

This article provides a step-by-step guide to configure a DLP profile to detect and prevent unauthorised file sharing based on file names.

Scope

FortiGate v7.4 and v7.6.

Solution

It is possible to block unwanted file transfers of files that contain specific words.

In this example, FortiGate should block files that contain the word 'CONFIDENTIAL' in the filename. This ensures that sensitive information is not inadvertently shared or accessed, enhancing the security of the network.

Configure a new file pattern. The wildcard '*' is used to match any sequence of characters.

config dlp filepattern

edit 0

set name "fp-confidential"

config entries

edit "*CONFIDENTIAL*.*"

Confirm the ID of the previously created file pattern using the FortiGate CLI command 'get dlp filepattern', which results in a list of all created file patterns, as in the following example:

== [ 1 ]
id: 1 name: builtin-patterns
== [ 2 ]
id: 2 name: all_executables
== [ 3 ]
id: 3 name: file-pat-exe
== [ 4 ] <---- Previously created file pattern "fp-confidential" ID
id: 4 name: fp-confidential.

Configure a DLP profile:

config dlp profile

edit "dlp-profile-confidential"

set feature-set proxy

config rule

edit 0

set proto smtp pop3 imap http-get http-post ftp nntp mapi

set file-type 4 <--- Change the file pattern ID accordingly.

set action block

Create or edit a firewall policy and apply the 'dlp-profile-confidential' profile. At least a certificate-inspection SSL-SSH profile should be applied. Deep-inspection profile is required if traffic from client to server is encrypted (HTTPS, SMTPS, or FTPS).

config firewall policy

edit 0

set name "dlp"

set srcintf "port2"

set dstintf "virtual-wan-link"

set action accept

set srcaddr "all"

set dstaddr "all"

set schedule "always"

set service "ALL"

set utm-status enable

set inspection-mode proxy

set ssl-ssh-profile "deep-inspection"

set dlp-profile "dlp-profile-confidential"

set logtraffic all

set nat enable

Perform an HTTP-POST test using the following tool: HTTP Post. Upload a file with filename 'CONFIDENTIAL.pdf', 'CONFIDENTIAL123.pdf', or '123CONFIDENTIAL.pdf' (an error should be presented with the following message: 'The transfer attempt has been blocked because it appears to match a data loss prevention profile.').
Confirm the DLP log at FortiGate GUI -> Log & Report -> Security Events -> Data Loss Prevention.

1: date=2025-07-28 time=10:17:05 eventtime=1753694226101033597 tz="+0100" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="file-type:4" filtertype="none" filtercat="file" severity="medium" policyid=13 poluuid="c5febb2c-6b91-51f0-1dd6-7004344241cd" policytype="policy" sessionid=1766479 epoch=420203252 eventid=1 srcip=10.100.10.2 srcport=64660 srccountry="Reserved" srcintf="vlan-510" srcintfrole="lan" srcuuid="d18a74f8-3844-51ef-cbe8-0a651689694b" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="d18a74f8-3844-51ef-cbe8-0a651689694b" proto=6 service="HTTPS" filetype="pdf" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/wp-admin/admin-ajax.php" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://dlptest.com/http-post/" filename="CONFIDENTIAL.pdf" filesize=6 profile="dlp-profile-confidential"

Related articles:

Technical Tip: DLP Configuration to Block by file-type and Troubleshooting

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded