Created on 07-20-2022 11:41 AM
Edited on 11-04-2025 02:58 AM
By Jean-Philippe_P
Description
This article describes how to configure DLP to block specific file types and how to troubleshoot the configuration.
Scope
FortiGate UTM (v6.4 and above), FortiProxy.
Solution
Configure the DLP file pattern to specify the type of file that needs to be matched. In this example, all PDF files are blocked.
config dlp filepattern
    edit 11
        set name "sample"
        config entries
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end
Next, configure the DLP sensor and reference the file pattern (ID 11) from it.
config dlp sensor
    edit "FortiDLP"
        config filter
            edit 1
                set name "Block File Extension"    <- Names containing spaces must be quoted.
                set proto http-get http-post
                set filter-by file-type
                set file-type 11    <- ID of the file pattern created above.
                set action block
            next
        end
    next
end
Then enable the DLP sensor on the firewall policy that must block data leaks.
Note:
From v6.2.2 to v7.2.3, DLP is unavailable in the GUI and can only be configured through the CLI. It was reintroduced in the GUI in v7.2.4 (if Data Leak Prevention is not visible in the tree menu, go to System -> Feature Visibility and enable it).
To enable the DLP profile in the GUI via the CLI:
config system settings
    set gui-dlp-profile enable
end
In FortiGate versions v7.4.x and v7.6.x, the DLP (Data Loss Prevention) option may not be visible in the GUI under Security Profiles or Feature Visibility.
The DLP configuration can still be accessed via the direct URL: https://<firewall-ip>/utm/dlp.
If multiple VDOMs are enabled, specify the VDOM in the URL like this: https://<firewall-ip>/utm/dlp?vdom=<vdom name>
Example: https://10.9.11.54/utm/dlp?vdom=root
config firewall policy
    edit 1
        set name "Internet"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "g-default"
        set dlp-sensor "FortiDLP"    <- The sensor created above.
        set application-list "g-default"
        set nat enable
    next
end
Note:
Deep inspection is required for DLP.
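The deep-inspection requirement above is easy to verify on an exported configuration. The following Python script, added here and not part of the article or of FortiOS, parses the config firewall policy section and reports every policy that references a DLP sensor without utm-status enabled or without a deep-inspection SSL/SSH profile; the list of deep-inspection profile names and the sample policies are assumptions.

```python
"""Audit firewall policies: a policy that references a DLP sensor must also have
utm-status enabled and an SSL/SSH deep-inspection profile, or HTTPS payloads never
reach DLP. Added example, not FortiGate code; parses the config/edit/set/next/end layout."""
import shlex

def parse_policies(config_text):
    """Return {policy_id: {setting: [values]}} from the 'config firewall policy' block."""
    policies, current, in_policy = {}, None, False
    for raw in config_text.splitlines():
        parts = shlex.split(raw.strip())  # shlex keeps quoted values with spaces intact
        if not parts:
            continue
        if parts[:3] == ["config", "firewall", "policy"]:
            in_policy = True
        elif in_policy and parts[0] == "edit":
            current = policies.setdefault(parts[1], {})
        elif in_policy and parts[0] == "set" and current is not None:
            current[parts[1]] = parts[2:]
        elif in_policy and parts[0] == "next":
            current = None
        elif in_policy and parts[0] == "end":
            in_policy = False
    return policies

def audit_dlp_policies(policies, deep_profiles=("deep-inspection",)):  # assumed profile names
    """Return (policy_id, problem) pairs for policies where DLP cannot inspect HTTPS."""
    findings = []
    for pid, s in policies.items():
        if "dlp-sensor" not in s and "dlp-profile" not in s:  # dlp-profile: 7.2+ keyword
            continue
        if s.get("utm-status") != ["enable"]:
            findings.append((pid, "utm-status is not enabled"))
        profile = s.get("ssl-ssh-profile", [""])[0]
        if profile not in deep_profiles:
            findings.append((pid, f"ssl-ssh-profile '{profile}' is not deep inspection"))
    return findings

# Constructed sample: policy 1 mirrors the article; policy 2 only does certificate inspection.
SAMPLE_CONFIG = """config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set dlp-sensor "FortiDLP"
    next
    edit 2
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dlp-sensor "FortiDLP"
    next
end"""
```

Running audit_dlp_policies(parse_policies(SAMPLE_CONFIG)) flags policy 2 only; policies without any DLP sensor are skipped.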
Testing the DLP Profile:
To check the logs in the GUI, go to Logs & Reports -> Security Events -> Data Loss Prevention.
Logs:
date=2025-03-14 time=18:14:35 eventtime=1741956274384127466 tz="+0530" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="file-type:10" filtertype="none" filtercat="file" severity="medium" policyid=3 poluuid="49aede10-ef97-51ef-cc4a-bd22f57102a1" policytype="policy" sessionid=16370892 epoch=1873018425 eventid=1 srcip=xx.xx.xx.xx srcport=50400 srccountry="Reserved" srcintf="port3" srcintfrole="lan" srcuuid="c9c86604-5ee5-51ef-0266-3bc14f951c47" dstip=216.58.211.206 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="c9c86604-5ee5-51ef-0266-3bc14f951c47" proto=6 service="HTTPS" filetype="exe" direction="incoming" action="block" hostname="dl.google.com" url="https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE59E04FF..." agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" httpmethod="GET" referralurl="https://www.google.com/" filename="ChromeSetup.exe" filesize=10485680 profile="configcheck"
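To confirm a block from the raw log rather than the GUI, the following Python script (an added example, not FortiOS code) parses the key=value log format shown above and summarises DLP events whose action is block; the first sample line is the article's own log entry, the second is a constructed non-blocking event.

```python
"""Parse FortiGate key=value log lines and extract DLP block events, so the test
download from the 'Testing the DLP Profile' step can be confirmed from raw logs.
Added example, not FortiGate code: the first sample line is the article's own log
entry, the second is a constructed non-blocking event."""
import re

# One key=value pair; quoted values may contain spaces, unquoted ones stop at whitespace.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line):
    """Return {field: value} for one FortiOS log line."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def dlp_blocks(lines):
    """Return a summary dict for every DLP event whose action was 'block'."""
    out = []
    for line in lines:
        ev = parse_log_line(line)
        if (ev.get("type"), ev.get("subtype"), ev.get("action")) != ("utm", "dlp", "block"):
            continue
        out.append({
            "time": f"{ev.get('date')} {ev.get('time')}",
            "src": ev.get("srcip"),
            "host": ev.get("hostname"),
            "file": ev.get("filename"),
            "filetype": ev.get("filetype"),
            "policyid": int(ev["policyid"]),
            "filesize": int(ev.get("filesize", 0)),
        })
    return out

SAMPLE_LOGS = [
    # Article's own log entry for the blocked ChromeSetup.exe download.
    'date=2025-03-14 time=18:14:35 eventtime=1741956274384127466 tz="+0530" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="file-type:10" filtertype="none" filtercat="file" severity="medium" policyid=3 poluuid="49aede10-ef97-51ef-cc4a-bd22f57102a1" policytype="policy" sessionid=16370892 epoch=1873018425 eventid=1 srcip=xx.xx.xx.xx srcport=50400 srccountry="Reserved" srcintf="port3" srcintfrole="lan" srcuuid="c9c86604-5ee5-51ef-0266-3bc14f951c47" dstip=216.58.211.206 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="c9c86604-5ee5-51ef-0266-3bc14f951c47" proto=6 service="HTTPS" filetype="exe" direction="incoming" action="block" hostname="dl.google.com" url="https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE59E04FF..." agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" httpmethod="GET" referralurl="https://www.google.com/" filename="ChromeSetup.exe" filesize=10485680 profile="configcheck"',
    # Constructed: same policy, a PDF matched by a filter whose action is log-only.
    'date=2025-03-14 time=18:20:01 tz="+0530" type="utm" subtype="dlp" eventtype="dlp" level="notice" vd="root" policyid=3 srcip=10.0.0.5 dstip=93.184.216.34 service="HTTPS" filetype="pdf" action="log-only" hostname="example.com" filename="report.pdf" filesize=2048',
]

if __name__ == "__main__":
    for hit in dlp_blocks(SAMPLE_LOGS):
        print(f"{hit['time']} {hit['src']} -> {hit['host']} blocked {hit['file']} ({hit['filetype']}, policy {hit['policyid']})")
```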
When a file of the blocked type is downloaded, the browser shows the FortiGate replacement message instead of the file.
Troubleshooting:
During testing, make sure the traffic is handled by the correct policy, i.e. the one where the DLP sensor and deep inspection are applied.
In this example, the certificate presented to the client is signed by the FortiGate, which confirms that the SSL/SSH deep inspection profile applied to the policy is in effect.
Flow-based debugs:
If the DLP sensor uses the flow-based feature set, the IPS process is responsible for DLP inspection.
diagnose ips filter set "host <source or destination IP address>"
diagnose ips debug enable all
diagnose debug enable
diagnose debug disable    <- To disable debugging.
Note:
It is recommended to use an IPS filter to reduce the volume of debugs.
Example output of a successful block:
[280@70649]ips_process_event: ctx 0: 0 => 3
[280@70649]ips_handle_pkt_verdict: drop a packet, size=735
Proxy-Based Debugs:
For the proxy-based feature set, the scanunit process inspects traffic for DLP.
diagnose sys scanunit debug all
diagnose debug enable
Example output of a successful block:
su 6149 job 2 MIME: done DLP file scan, file 'studyguide.pdf'
su 6149 job 2 DLP: Taking action 0x2, filter ID 1 <- 0x2 or 2 is Blocked.
Important Note:
If the DLP archiving feature is used, note that it is only supported with proxy-based inspection policies and proxy-based DLP sensors:
config dlp sensor
    edit <sensor name>
        set feature-set proxy
    next
end
In some cases, scanunit may not generate output with the configuration above, or may not be triggered at all. If this occurs, debug the WAD daemon instead. WAD can generate a very large volume of log lines, depending on the number of sessions it manages, so set filters before enabling any WAD debug to avoid overloading the unit.
diagnose debug console timestamp enable
diagnose wad filter src x.x.x.x <----- x.x.x.x is the source IP of the test client.
diagnose wad debug enable category scan
diagnose wad debug enable level verbose
diagnose wad filter list
diagnose wad debug show
diagnose debug enable
After testing, disable debugging with the following commands:
diagnose debug disable
diagnose debug reset
diagnose wad debug filter clear
For more information on DLP Archiving, see Technical Tip: How to archive content of all emails passing through a FortiGate.
Copyright 2025 Fortinet, Inc. All Rights Reserved.