Description
This article describes the DLP configuration used to block specific file types on a FortiGate and how to troubleshoot it.
Scope
FortiGate UTM (6.4 and above).
Solution
Configure the DLP file pattern to specify the type of file that needs to be matched. In this example, all PDF files are blocked.
config dlp filepattern
    edit 11
        set name "sample"
        config entries
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end
The next step is to configure the DLP sensor and reference the file pattern (ID 11) from it.
config dlp sensor
    edit "FortiDLP"
        config filter
            edit 1
                set name "Block File Extension"
                set proto http-get http-post
                set filter-by file-type
                set file-type 11
                set action block
            next
        end
    next
end
Then apply the DLP sensor to the firewall policy that carries the traffic in which data leaks must be blocked.
Note:
From v6.2.2 to v7.2.3, DLP is not available in the GUI and can only be configured through the CLI. It was re-introduced in the GUI in v7.2.4. (If Data Leak Prevention is not visible in the tree menu, go to System -> Feature Visibility and enable it.)
To enable the DLP profile in the GUI via the CLI:
config system settings
    set gui-dlp-profile enable
end
In FortiGate versions v7.4.x and v7.6.x, the DLP (Data Loss Prevention) option may not be visible in the GUI under Security Profiles or Feature Visibility.
The DLP configuration can still be accessed via direct URL: https://<firewall-ip>/utm/dlp.
If multiple VDOMs are enabled, specify the VDOM in the URL like this: https://<firewall-ip>/utm/dlp?vdom=<vdom name>
Example: https://10.9.11.54/utm/dlp?vdom=root
config firewall policy
    edit 1
        set name "Internet"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "g-default"
        set dlp-sensor "FortiDLP"
        set application-list "g-default"
        set nat enable
    next
end
Note:
Deep inspection is required for DLP.
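The policy above only works for DLP if UTM is enabled on it and an SSL/SSH deep inspection profile is applied; the following added example (not Fortinet code) parses a `config firewall policy` block exported from the CLI and flags every policy that references a DLP sensor but lacks one of those settings. The sample configuration embeds the article's policy plus two constructed policies (IDs 2 and 3) that are deliberately misconfigured. The set of profile names treated as deep inspection defaults to the article's "deep-inspection"; extend it if you use custom profiles. It also accepts the `dlp-profile` keyword used by newer firmware, which this article does not show.

```python
"""Audit FortiOS firewall policies that apply DLP.

Added example, not Fortinet code: every policy that sets a DLP sensor must
also have utm-status enabled and an SSL/SSH deep-inspection profile,
otherwise HTTPS downloads are never seen by the DLP engine.
"""
import re
from typing import Dict, List

# Constructed sample: policy 1 is the one from the article; policies 2 and 3
# are hypothetical policies that reference the sensor without deep inspection
# (policy 2) and without UTM at all (policy 3).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Internet"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set dlp-sensor "FortiDLP"
        set nat enable
    next
    edit 2
        set name "Guest"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dlp-sensor "FortiDLP"
    next
    edit 3
        set name "NoUTM"
        set action accept
        set dlp-sensor "FortiDLP"
    next
end
"""

# Profile names considered "deep inspection"; the article uses the built-in one.
DEEP_INSPECTION_PROFILES = {"deep-inspection"}

_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def _unquote(value: str) -> str:
    """Strip the double quotes FortiOS puts around string values."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_policies(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'config firewall policy' into {policy_id: {attribute: value}}.

    Only the one-level 'edit ... next' layout of the policy table is handled;
    nested config sub-tables inside a policy are not expected here.
    """
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_table = True
        elif not in_table or not line:
            continue
        elif line.startswith("edit "):
            current = line.split(None, 1)[1].strip()
            policies[current] = {}
        elif line == "next":
            current = None
        elif line == "end":
            in_table = False
        elif current is not None:
            m = _SET_RE.match(line)
            if m:
                policies[current][m.group(1)] = _unquote(m.group(2))
    return policies


def audit_dlp_policies(text: str) -> Dict[str, List[str]]:
    """Return {policy_id: [problems]} for every policy that applies DLP.

    An empty problem list means the policy is ready for DLP testing.
    """
    report: Dict[str, List[str]] = {}
    for pid, attrs in parse_policies(text).items():
        # 'dlp-sensor' is the keyword shown in the article; 'dlp-profile' is
        # the keyword used by newer firmware (assumption, not on this page).
        if "dlp-sensor" not in attrs and "dlp-profile" not in attrs:
            continue
        problems: List[str] = []
        if attrs.get("utm-status") != "enable":
            problems.append("utm-status is not enabled, so security profiles are not applied")
        profile = attrs.get("ssl-ssh-profile")
        if profile not in DEEP_INSPECTION_PROFILES:
            problems.append(f"ssl-ssh-profile is {profile!r}; DLP needs deep inspection to see HTTPS downloads")
        report[pid] = problems
    return report


if __name__ == "__main__":
    for pid, problems in audit_dlp_policies(SAMPLE_CONFIG).items():
        print(f"policy {pid}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the output of `show firewall policy` saved to a file; only policies that reference a DLP sensor appear in the report, so a policy missing from the report is one that does not apply DLP at all, which is the first thing to check when traffic is not being blocked.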
Testing the DLP Profile:
To check the logs in GUI, go to Logs & Reports > Security Events > Data loss Prevention.
Logs:
date=2025-03-14 time=18:14:35 eventtime=1741956274384127466 tz="+0530" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="file-type:10" filtertype="none" filtercat="file" severity="medium" policyid=3 poluuid="49aede10-ef97-51ef-cc4a-bd22f57102a1" policytype="policy" sessionid=16370892 epoch=1873018425 eventid=1 srcip=xx.xx.xx.xx srcport=50400 srccountry="Reserved" srcintf="port3" srcintfrole="lan" srcuuid="c9c86604-5ee5-51ef-0266-3bc14f951c47" dstip=216.58.211.206 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="c9c86604-5ee5-51ef-0266-3bc14f951c47" proto=6 service="HTTPS" filetype="exe" direction="incoming" action="block" hostname="dl.google.com" url="https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE59E04FF..." agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" httpmethod="GET" referralurl="https://www.google.com/" filename="ChromeSetup.exe" filesize=10485680 profile="configcheck"
When a file of the blocked type is downloaded, the FortiGate replacement message is displayed in the browser instead of the file.
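To verify a block from the logs without the GUI, the DLP log line above can be parsed directly. The following added example (not Fortinet code) parses FortiGate key=value log lines, including quoted values that contain spaces, and summarises the events that represent a DLP block. The first sample line is the article's own log entry (source IP masked and URL truncated as in the article); the second is a constructed passthrough event added to show that non-block events are filtered out.

```python
"""Parse FortiGate DLP UTM log lines and summarise blocked transfers.

Added example, not Fortinet code. FortiGate logs are space-separated
key=value pairs; string values are double-quoted and may contain spaces.
"""
import re
from typing import Dict, List

# Sample 1: the block event from the article (srcip masked, url truncated).
# Sample 2: constructed passthrough event for a PDF, used to show filtering.
SAMPLE_LOGS = [
    'date=2025-03-14 time=18:14:35 eventtime=1741956274384127466 tz="+0530" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="file-type:10" filtertype="none" filtercat="file" severity="medium" policyid=3 poluuid="49aede10-ef97-51ef-cc4a-bd22f57102a1" policytype="policy" sessionid=16370892 epoch=1873018425 eventid=1 srcip=xx.xx.xx.xx srcport=50400 srccountry="Reserved" srcintf="port3" srcintfrole="lan" srcuuid="c9c86604-5ee5-51ef-0266-3bc14f951c47" dstip=216.58.211.206 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="c9c86604-5ee5-51ef-0266-3bc14f951c47" proto=6 service="HTTPS" filetype="exe" direction="incoming" action="block" hostname="dl.google.com" url="https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE59E04FF..." agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" httpmethod="GET" referralurl="https://www.google.com/" filename="ChromeSetup.exe" filesize=10485680 profile="configcheck"',
    # constructed
    'date=2025-03-14 time=18:20:01 eventtime=1741956601000000000 tz="+0530" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="notice" vd="root" ruleid=1 filtertype="none" filtercat="file" severity="medium" policyid=3 srcip=xx.xx.xx.xx srcport=50412 dstip=203.0.113.10 dstport=443 proto=6 service="HTTPS" filetype="pdf" direction="incoming" action="passthrough" hostname="example.org" filename="notes.pdf" filesize=2048 profile="configcheck"',
]

# key=value where value is either a double-quoted string (with \" escapes
# allowed inside) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return all key=value fields of one log line, with quotes removed."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def dlp_blocks(lines: List[str]) -> List[Dict[str, str]]:
    """Summarise every DLP block event (type=utm, subtype=dlp, action=block)."""
    out: List[Dict[str, str]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "utm" or f.get("subtype") != "dlp":
            continue
        if f.get("action") != "block":
            continue
        out.append({
            "time": f"{f.get('date', '')} {f.get('time', '')}",
            "policyid": f.get("policyid", ""),
            "profile": f.get("profile", ""),
            "filetype": f.get("filetype", ""),
            "filename": f.get("filename", ""),
            "hostname": f.get("hostname", ""),
            "direction": f.get("direction", ""),
            "src": f"{f.get('srcip', '')}:{f.get('srcport', '')}",
        })
    return out


if __name__ == "__main__":
    for event in dlp_blocks(SAMPLE_LOGS):
        print(f"{event['time']} policy {event['policyid']} ({event['profile']}): "
              f"blocked {event['filetype']} '{event['filename']}' from {event['hostname']}")
```

The `policyid` and `profile` fields in the summary are the quickest way to confirm that the block came from the policy and DLP profile you intended, which is the first troubleshooting check below.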
Troubleshooting:
During testing, make sure the traffic is handled by the correct policy, i.e. the one to which both the DLP sensor and deep inspection are applied.
In this example, the server certificate presented to the client is re-signed by the FortiGate, which confirms that the SSL/SSH deep inspection profile applied to the policy is in effect.
If the DLP sensor uses the flow-based feature set, the IPS process is responsible for DLP inspection. Use the following debug commands:
diagnose ips filter set "host <Source or destination IP address >"
diagnose ips debug enable all
diagnose debug enable
diagnose debug disable <- Run this after testing to disable debugging.
Note:
It is recommended to use an IPS filter to reduce the volume of debugs.
Example output of a successful block:
[280@70649]ips_process_event: ctx 0: 0 => 3
[280@70649]ips_handle_pkt_verdict: drop a packet, size=735
Proxy-based debugs:
If the DLP sensor uses the proxy-based feature set, the scanunit process inspects traffic for DLP.
diagnose sys scanunit debug all
diagnose debug enable
Example output of a successful block:
su 6149 job 2 MIME: done DLP file scan, file 'studyguide.pdf'
su 6149 job 2 DLP: Taking action 0x2, filter ID 1 <- action 0x2 (decimal 2) means the file was blocked.
Important note:
The DLP archiving feature is only supported with proxy-based inspection policies and proxy-based DLP sensors.
config dlp sensor
    edit <sensor name>
        set feature-set proxy
    next
end
If the scanunit debug above produces no output (that is, scanunit is never triggered), it can be useful to debug the WAD daemon instead:
diagnose wad debug enable category scan
diagnose wad debug enable level verbose
diagnose debug enable
After testing, disable debugging with 'diagnose debug disable'.
For more information on DLP Archiving, refer to Technical Tip: How to archive content of all emails passing through a FortiGate.
Copyright 2025 Fortinet, Inc. All Rights Reserved.