FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 218034



This article describes the DLP configuration to block specific File types and troubleshoot.




Fortigate UTM (6.4 and above).




First, configure the DLP file pattern to specify the type of file that needs to be matched.


In this example, all PDF files are blocked.


# config dlp filepattern

edit 11

set name "sample"

config entries

            edit "pdf"

                set filter-type type

                set file-type pdf






The next step will be configuring DLP Sensor and using the file pattern in the DLP sensor.


# config dlp sensor

edit "FortiDLP"

        config filter

            edit 1

                set name "Block File Extension"

                set proto http-get http-post

                set filter-by file-type

                set file-type 11

                set action block






Then enable the DLP sensor on the Firewall policy that needs to block Data leak.

Note: From Forti OS 6.2.2 and Higher DLP is not available in GUI and can only be configured through CLI.


# config firewall policy

    edit 1

        set name "Internet"

        set srcintf "port2"

        set dstintf "port1"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set utm-status enable

        set ssl-ssh-profile "deep-inspection"

        set av-profile "g-default"

        set dlp-sensor "FortiDLP"

        set application-list "g-default"

        set nat enable




Note: Deep inspection is required for DLP.



During testing make sure the traffic is handled by the correct policy where DLP and Deep Inspection are applied.


Like in this example the certificate is signed by the FortiGate used for SSL/SSH deep inspection profile applied to the policy.




If DLP is using Flow-based features.

For Flow-based features, IPS process is responsible for DLP inspection.


# diagnose ips filter set "host  <Source or destination IP address >" 
# diagnose ips debug enable  all
# diagnose debug enable
# diagnose debug disable    --------> To disable Debugs


Note: It is recommended to use an IPS filter to reduce the volume of debugs.

Example Output of a successful block.


[280@70649]ips_process_event: ctx 0: 0 => 3

[280@70649]ips_handle_pkt_verdict: drop a packet, size=735 


Proxy Based Debugs:

For Proxy based Feature set Scanunit Process inspects traffic for DLP.


# diagnose sys scanunit debug all
# diagnose debug enable


Example Output of a successful block.

su 6149 job 2 MIME: done DLP file scan, file 'studyguide.pdf'

su 6149 job 2 DLP: Taking action 0x2, filter ID 1   --------->  0x2 or 2 is Blocked


Important Note:

If using the DLP Archiving feature it is only supported with Proxy-based inspection policies and Proxy-based DLP sensors.


# config dlp sensor

edit <your sensor>

set feature-set proxy



For more information on DLP Archiving refer to:

Additional Reference -