Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mgoswami
Staff
Staff

Created on ‎05-01-2023 10:21 PM Edited on ‎06-06-2025 04:32 AM By Moderator

Article Id 254592

Technical Tip: Block upload or download of PDF files larger than a specific size using DLP

Description This article describes how to block PDF files larger than a specific size from being uploaded or downloaded by using DLP (Data Leak Prevention). 
Scope FortiGate v7.2.
Solution

Data Leak Prevention is not enabled by default. It has to be enabled from the Feature Visibility under Settings.

Once this is enabled, the DLP feature would be visible under Security Profiles.

 

  1. The File-pattern for PDF has to be created first.

config dlp filepattern

    edit 10
        set name "block-pdf"
        set comment ''
            config entries
                edit "pdf"
                    set filter-type type
                    set file-type pdf <----- Check for the available file type using 'set file-type ?'.
                next
            end
        next

    end

 

  1. Configure the DLP Profile:

config dlp profile
    edit "profile-case3_pdf"
        set feature-set proxy
            config rule
                edit 1
                    set name "Block-file-pdf-5MB"
                    set proto smtp pop3 imap http-get http-post ftp nntp cifs  <----- Add the protos to be blocked.

                    set file-size 5000 <----- Specify the size in KB to be blocked
                    set file-type 10   <----- This is the file pattern type created above for the PDF.
                    set action block
               next
             end
        next
    end

 

  1. Add the DLP profile 'profile-case3_pdf' to the Policy:

config firewall policy
    edit 1
        set status enable
        set name "Test"
        set srcintf "LAN"  
        set dstintf "WAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"   <----- Ensure that the policy is in the deep inspection.
        set dlp-profile "profile-case3_pdf"

    next

end

 

To view the logs, go to Log & Report -> Security Events -> DLP.

 

Sample log for the above configuration:

date=2023-05-01 time=08:17:22 eventtime=1682921842747701607 tz="+0200" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" filteridx=1 filtername="Block-file-pdf-5MB" dlpextra="block-pdf;5000 kB" filtertype="none" filtercat="file" severity="medium" policyid=1 srcintf="LAN"  dstport=443 dstintf="WAN" proto=6 service="HTTPS" filetype="pdf" direction="incoming" action="block" hostname="jsoncompare.org" url="https://jsoncompare.org/LearningContainer/SampleFiles/PDF/sample-pdf-download-10-mb.pdf" httpmethod="GET"  filesize=10485760 profile="profile-case3_pdf"

Note: In newer FortiGate versions such as v7.4.x and v7.6.x, the DLP option is not available under Security Profiles and Feature Visibility in the GUI.

To configure Data Loss Prevention UTM on FortiGate firewall policies, add /utm/dlp to the URL or the IP address used to access FortiGate.

When multiple VDOMs are enabled, the VDOM name may need to be specified in the URL /utm/dlp?vdom=<vdom name>.

For example, the URL used to access DLP using the GUI is https://10.5.210.81/utm/dlp.

dlpppp.png
3629
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.