FortiGate
jfelix09
Staff
Article Id 403829
Description

This article provides a step-by-step guide to configuring a DLP profile that detects and prevents unauthorized file sharing based on file names.

Scope

FortiGate 7.4 and 7.6

Solution

It is possible to block transfers of files whose names contain specific words.

In this example, FortiGate should block files that contain the word 'CONFIDENTIAL' in the filename. This ensures that sensitive information is not inadvertently shared or accessed, enhancing the security of your network.

 

  1. Configure a new file pattern. The wildcard '*' is used to match any sequence of characters.
 
config dlp filepattern
    edit 0
        set name "fp-confidential"
        config entries
            edit "*CONFIDENTIAL*.*"
            next
        end
    next
end
 
  2. Confirm the ID of the previously created file pattern using the FortiGate CLI command 'get dlp filepattern', which lists all created file patterns, as in the following example:
== [ 1 ]
id: 1 name: builtin-patterns
== [ 2 ]
id: 2 name: all_executables
== [ 3 ]
id: 3 name: file-pat-exe
== [ 4 ]    <---- previously created file pattern "fp-confidential" ID
id: 4 name: fp-confidential 

 

  3. Configure a DLP profile:
config dlp profile
    edit "dlp-profile-confidential"
        set feature-set proxy
        config rule
            edit 0
                set proto smtp pop3 imap http-get http-post ftp nntp mapi
                set file-type 4            <----- Change the file pattern ID accordingly.
                set action block
            next
        end
    next
end
 
  4. Create or edit a firewall policy and apply the 'dlp-profile-confidential' profile. At least a certificate-inspection SSL-SSH profile should be applied. A deep-inspection profile is required if traffic from client to server is encrypted (HTTPS, SMTPS, or FTPS).
 
config firewall policy
    edit 0
        set name "dlp"
        set srcintf "port2"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set dlp-profile "dlp-profile-confidential"
        set logtraffic all
        set nat enable
    next
end
 
  5. Perform an HTTP-POST test using the following tool: https://dlptest.com/http-post/. Upload a file with filename 'CONFIDENTIAL.pdf', 'CONFIDENTIAL123.pdf', or '123CONFIDENTIAL.pdf'. An error should be presented with the following message: 'The transfer attempt has been blocked because it appears to match a data loss prevention profile.'

  6. Confirm the DLP log in the FortiGate GUI under Log & Report -> Security Events -> Data Loss Prevention.

 


 

1: date=2025-07-28 time=10:17:05 eventtime=1753694226101033597 tz="+0100" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 dlpextra="file-type:4" filtertype="none" filtercat="file" severity="medium" policyid=13 poluuid="c5febb2c-6b91-51f0-1dd6-7004344241cd" policytype="policy" sessionid=1766479 epoch=420203252 eventid=1 srcip=10.100.10.2 srcport=64660 srccountry="Reserved" srcintf="vlan-510" srcintfrole="lan" srcuuid="d18a74f8-3844-51ef-cbe8-0a651689694b" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="d18a74f8-3844-51ef-cbe8-0a651689694b" proto=6 service="HTTPS" filetype="pdf" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/wp-admin/admin-ajax.php" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://dlptest.com/http-post/" filename="CONFIDENTIAL.pdf" filesize=6 profile="dlp-profile-confidential"
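
The log check in the last step can also be scripted. The following Python script is an added example, not part of the original article or any Fortinet tooling: it parses FortiGate key=value log lines and returns the DLP block events for a given profile and file pattern ID. The sample lines are constructed from fields of the log entry above, the function names are hypothetical, and `fnmatchcase` is only an offline approximation of the wildcard, not the FortiOS matcher.

```python
import shlex
from fnmatch import fnmatchcase

# Constructed sample lines in FortiGate key=value log format. The first is
# shortened from the article's DLP log entry; the second is a constructed
# non-DLP event for contrast.
SAMPLE_LOGS = [
    'date=2025-07-28 time=10:17:05 type="utm" subtype="dlp" level="warning" '
    'dlpextra="file-type:4" srcip=10.100.10.2 dstip=35.209.95.242 service="HTTPS" '
    'action="block" hostname="dlptest.com" httpmethod="POST" '
    'filename="CONFIDENTIAL.pdf" filesize=6 profile="dlp-profile-confidential"',
    'date=2025-07-28 time=10:18:40 type="utm" subtype="webfilter" level="notice" '
    'srcip=10.100.10.2 action="passthrough" hostname="example.com"',
]

def parse_kv(line):
    """Split a log line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")  # values may contain '=' (URLs)
        if sep:
            fields[key] = value
    return fields

def dlp_filename_blocks(lines, profile, pattern_id, pattern):
    """Return DLP block events for one profile and file pattern ID."""
    hits = []
    for line in lines:
        f = parse_kv(line)
        if f.get("subtype") != "dlp" or f.get("action") != "block":
            continue
        if f.get("profile") != profile or f.get("dlpextra") != f"file-type:{pattern_id}":
            continue
        hits.append({
            "time": f"{f.get('date')} {f.get('time')}",
            "srcip": f.get("srcip"),
            "hostname": f.get("hostname"),
            "filename": f.get("filename"),
            # Offline approximation of the wildcard; not FortiOS's own matcher.
            "name_matches_pattern": fnmatchcase(f.get("filename", ""), pattern),
        })
    return hits

if __name__ == "__main__":
    for hit in dlp_filename_blocks(SAMPLE_LOGS, "dlp-profile-confidential", 4, "*CONFIDENTIAL*.*"):
        print(hit)
```
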