Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jfelix09
Staff
Staff

Created on ‎07-29-2025 09:22 AM Edited on ‎10-28-2025 04:52 AM By Moderator

Article Id 403829

Technical Tip: How to block file transfers that contains a specific filename using Data Loss Prevention (DLP)

Description

This article provides a step-by-step guide to configure a DLP profile to detect and prevent unauthorised file sharing based on file names.
Scope

FortiGate v7.4 and v7.6.
Solution

It is possible to block unwanted file transfers of files that contain specific words.

In this example, FortiGate should block files that contain the word 'CONFIDENTIAL' in the filename. This ensures that sensitive information is not inadvertently shared or accessed, enhancing the security of the network.

 

dlp-diagram.png

 

  1. Configure a new file pattern. The wildcard '*' is used to match any sequence of characters.
 
config dlp filepattern
    edit 0
        set name "fp-confidential"
            config entries
                edit "*CONFIDENTIAL*.*"
                next
            end
        next
    end
 
  1. Confirm the ID of the previously created file pattern using the FortiGate CLI command 'get dlp filepattern', which results in a list of all created file patterns, as in the following example:
 
== [ 1 ]
id: 1 name: builtin-patterns
== [ 2 ]
id: 2 name: all_executables
== [ 3 ]
id: 3 name: file-pat-exe
== [ 4 ]    <---- Previously created file pattern "fp-confidential" ID
id: 4 name: fp-confidential.

 

  1. Configure a DLP profile:
 
config dlp profile
    edit "dlp-profile-confidential"
        set feature-set proxy
            config rule
                edit 0
                    set proto smtp pop3 imap http-get http-post ftp nntp mapi
                    set file-type 4            <--- Change the file pattern ID accordingly.
                    set action block
                next
            end
    next
end
 
  1. Create or edit a firewall policy and apply the 'dlp-profile-confidentialprofile. At least a certificate-inspection SSL-SSH profile should be applied. Deep-inspection profile is required if traffic from client to server is encrypted (HTTPS, SMTPS, or FTPS).
 
config firewall policy
    edit 0
        set name "dlp"
        set srcintf "port2"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set dlp-profile "dlp-profile-confidential"
        set logtraffic all
        set nat enable
    next
end
 
  1. Perform an HTTP-POST test using the following tool: HTTP Post. Upload a file with filename 'CONFIDENTIAL.pdf', 'CONFIDENTIAL123.pdf', or '123CONFIDENTIAL.pdf' (an error should be presented with the following message: 'The transfer attempt has been blocked because it appears to match a data loss prevention profile.').

  2. Confirm the DLP log at FortiGate GUI -> Log & Report -> Security Events -> Data Loss Prevention.
                                                                                                     

dlp-profile-log.png

 

1: date=2025-07-28 time=10:17:05 eventtime=1753694226101033597 tz="+0100" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="file-type:4" filtertype="none" filtercat="file" severity="medium" policyid=13 poluuid="c5febb2c-6b91-51f0-1dd6-7004344241cd" policytype="policy" sessionid=1766479 epoch=420203252 eventid=1 srcip=10.100.10.2 srcport=64660 srccountry="Reserved" srcintf="vlan-510" srcintfrole="lan" srcuuid="d18a74f8-3844-51ef-cbe8-0a651689694b" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="d18a74f8-3844-51ef-cbe8-0a651689694b" proto=6 service="HTTPS" filetype="pdf" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/wp-admin/admin-ajax.php" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://dlptest.com/http-post/" filename="CONFIDENTIAL.pdf" filesize=6 profile="dlp-profile-confidential"
 
Related articles:
329
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.