FortiGate
mgoswami
Staff
Article Id 254726
Description
This article describes how to block a file based on any pattern using DLP (Data Leak Prevention).
Scope
FortiGate v7.2.
Solution

Data Leak Prevention is not enabled by default. Enable it under System -> Feature Visibility.

Once it is enabled, the DLP feature is visible under Security Profiles.

 

  1. Create the dictionary for the pattern first:

config dlp dictionary
    edit "dic-pattern"
        set match-type match-all
        config entries
            edit 1
                set type "keyword"
                set pattern "test"  <----- Pattern to check for in any attachment.
                set repeat enable  <----- Allow the entry to match more than once, so occurrences can be counted.
                set comment "block_test-more_than_4"
            next
        end
    next
end

  2. Configure the sensor for the dictionary created above.

config dlp sensor
    edit "sensor-dic-pattern"
        config entries
            edit 1
                set dictionary "dic-pattern"  <----- Dictionary created above.
                set count 4  <----- Number of dictionary matches to check for. If the pattern 'test' occurs more than 4 times in an attachment, it will be blocked.
            next
        end
    next
end

 

  3. Create the DLP profile.

config dlp profile
    edit "Profile_block_pattern"
        set feature-set proxy
        config rules
            edit 3
                set name "Block-pattern-Test"
                set type message
                set proto smtp pop3 imap http-post nntp mapi
                set filter-by sensor
                set sensor "sensor-dic-pattern"  <----- Sensor created above.
                set action block
            next
        end
    next
end

 

  4. Use the DLP profile created above in an IPv4 firewall policy.

config firewall policy
    edit 1
        set status enable
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "all"  <----- Source and destination address objects are required; "all" is used here as an example.
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy  <----- DLP requires proxy-based inspection.
        set ssl-ssh-profile "deep-inspection"  <----- Deep Inspection has to be enabled, otherwise HTTPS uploads cannot be inspected.
        set dlp-profile "Profile_block_pattern"
    next
end

 

  5. To view the logs, go to Log & Report -> Security Events -> DLP.

 

Example log for the configuration above: 

 

date=2023-05-01 time=10:33:48 eventtime=1682930028111513197 tz="+0200" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" 
filteridx=3 filtername="Block-patter-Test" dlpextra="sensor-dic-pattern" filtertype="sensor" filtercat="message" severity="medium" policyid=1 srcintf="LAN" dstintf="WAN" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="mail.google.com" 
agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" httpmethod="POST" profile="Profile_block_pattern" 

 

The log above was generated while uploading a .doc file as a Gmail attachment, with the word 'test' included in the document more than 4 times. Note the fields that tie the event back to the configuration: filteridx=3 is the rule ID, dlpextra is the sensor name, filtertype="sensor" shows the rule matched by sensor, and action="block" confirms the upload was stopped.
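The log line above can be checked programmatically rather than by eye. The following Python script is an added example and is not Fortinet code or part of the original article: it parses FortiOS key=value log lines (including the double-quoted values with spaces seen in the agent field), selects the DLP events where the sensor rule actually blocked traffic, and includes a small keyword counter for building test attachments on either side of the sensor count. The sample log lines are constructed from the event above (a second, log-only event is invented for contrast); the keyword counter is a plain case-insensitive substring count and only approximates the dictionary match that FortiOS performs.

```python
import re

# Constructed sample log lines, modelled on the DLP event shown in the article.
# The second line is invented to show an event that was logged but not blocked.
SAMPLE_LOGS = [
    'date=2023-05-01 time=10:33:48 type="utm" subtype="dlp" eventtype="dlp" '
    'level="warning" vd="root" filteridx=3 filtername="Block-pattern-Test" '
    'dlpextra="sensor-dic-pattern" filtertype="sensor" filtercat="message" '
    'severity="medium" policyid=1 srcintf="LAN" dstintf="WAN" proto=6 '
    'service="HTTPS" filetype="N/A" direction="outgoing" action="block" '
    'hostname="mail.google.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" '
    'httpmethod="POST" profile="Profile_block_pattern"',
    'date=2023-05-01 time=10:35:02 type="utm" subtype="dlp" eventtype="dlp" '
    'level="notice" vd="root" filteridx=3 filtername="Block-pattern-Test" '
    'dlpextra="sensor-dic-pattern" filtertype="sensor" filtercat="message" '
    'severity="medium" policyid=1 srcintf="LAN" dstintf="WAN" proto=6 '
    'service="HTTPS" filetype="N/A" direction="outgoing" action="log-only" '
    'hostname="mail.google.com" httpmethod="POST" profile="Profile_block_pattern"',
]

# FortiOS log format: space-separated key=value pairs; values containing spaces
# are wrapped in double quotes. The quoted alternative is tried first so that a
# value such as agent="Mozilla/5.0 (Windows ...)" is captured as one field.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiOS log line into a dict of string fields (quotes stripped)."""
    fields = {}
    for key, raw in _FIELD.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def dlp_blocks(lines, profile=None):
    """Return parsed DLP events whose action was block, optionally for one profile.

    An event that was only logged (action=log-only) means the rule matched but
    the file still left the network, so it is deliberately excluded here.
    """
    hits = []
    for line in lines:
        event = parse_fortigate_log(line)
        if event.get("subtype") != "dlp" or event.get("action") != "block":
            continue
        if profile is not None and event.get("profile") != profile:
            continue
        hits.append(event)
    return hits


def keyword_count(text, pattern):
    """Case-insensitive substring count of a dictionary keyword.

    This approximates the FortiOS keyword dictionary match; it is meant for
    sizing test files against the sensor's 'set count' value, not as a
    reimplementation of the firewall's matcher (an assumption of this example).
    """
    return text.lower().count(pattern.lower())


def make_test_body(occurrences, keyword="test"):
    """Build a plain-text attachment body containing the keyword N times.

    Save the result to a file and upload it through the policy to confirm on
    which side of the sensor count the block takes effect.
    """
    filler = "Line {i}: the word {kw} appears here."
    return "\n".join(filler.format(i=i, kw=keyword) for i in range(1, occurrences + 1))


if __name__ == "__main__":
    for event in dlp_blocks(SAMPLE_LOGS, profile="Profile_block_pattern"):
        print("blocked:", event["date"], event["time"], event["hostname"],
              "rule", event["filteridx"], event["filtername"],
              "sensor", event["dlpextra"])
    for n in (3, 5):
        body = make_test_body(n)
        print(f"{n} occurrences -> keyword_count={keyword_count(body, 'test')}")
```

Feed the script the lines copied from Log & Report -> Security Events -> DLP (or the raw syslog export) to pick out the blocked uploads per profile; the two generated bodies with 3 and 5 occurrences give one file below and one above the configured count of 4 for a quick end-to-end test of the policy.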

Note: In newer FortiGate versions such as v7.4.x and v7.6.x, the DLP option is no longer shown under Security Profiles or Feature Visibility in the GUI.

To configure a Data Loss Prevention profile for use in firewall policies from the GUI, append /utm/dlp to the URL or IP address used to access the FortiGate.

When multiple VDOMs are enabled, the VDOM name may need to be specified in the URL: /utm/dlp?vdom=<vdom name>.

For example, the URL used to access DLP in the GUI is https://10.5.210.81/utm/dlp.
