FortiGate
vanitha
Staff
Article Id 197422

Description

This article explains how to configure DLP (Data Leak Prevention) to block files passing through a FortiGate.


Scope

FortiGate v5.0, FortiAP v5.4, FortiGate v5.2.


Solution

  1. Configure the file filters/file patterns for the respective file types (for example: pdf).

    (Image: vanitha_FD35108_DLP1.jpg)

  2. Create a new DLP sensor. Choose the file pattern created earlier and set the action to block.

    (Image: vanitha_FD35108_DLP2.jpg)

  3. Configure the firewall policy and apply the DLP sensor to the respective policy.

    (Image: vanitha_FD35108_DLP3.jpg)

Note:

  • For lower-end models (FortiGate-40C, FortiGate-30B, FortiGate-20C) only CLI configuration is available, as shown below:

    Configure the file filters/file patterns for the respective file types (for example: pdf).

config dlp filepattern
    edit 1
        set name "Test_file_filter"
        config entries
            edit "pdf"
                # match on the detected file type, not on the file name
                set filter-type type
                set file-type pdf
            next
        end
    next
end

  • Create a new DLP sensor and choose the file pattern already created.

config dlp sensor
    edit "Test_dlp_sensor"
        set comment 'to block files'
        config filter
            edit 1
                set type file
                set proto smtp pop3 imap http-get http-post ftp
                set filter-by file-type
                # ID of the dlp filepattern entry created above (edit 1)
                set file-type 1
                # also inspect files inside archives
                set archive enable
                set action block
            next
        end
        set extended-utm-log enable
        # set flow-based disable
    next
end

  • Configure the firewall policy and apply the DLP sensor to the policy.

config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set service "ALL"
        set nat enable
        # utm-status must be enabled for the sensor to take effect
        set utm-status enable
        set dlp-sensor "Test_dlp_sensor"
        set profile-protocol-options "default"
    next
end
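The three CLI blocks above only block anything when they are wired together: the sensor's file-type must point at an existing dlp filepattern table ID, and the policy's dlp-sensor must name an existing sensor on a policy with utm-status enabled. A mismatched ID silently leaves files uninspected. The following Python script, added here as an example and not part of the original article or of FortiOS, parses a FortiOS-style configuration dump (a constructed sample embedded inline, derived from the blocks above) and reports any broken reference. The parser and the function names parse_fortios and audit_dlp are the example's own.

```python
import shlex

# Constructed sample: the article's three CLI blocks concatenated as they
# would appear in a "show" dump. Not captured from a real device.
SAMPLE_CONFIG = """
config dlp filepattern
    edit 1
        set name "Test_file_filter"
        config entries
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end
config dlp sensor
    edit "Test_dlp_sensor"
        set comment 'to block files'
        config filter
            edit 1
                set type file
                set proto smtp pop3 imap http-get http-post ftp
                set filter-by file-type
                set file-type 1
                set archive enable
                set action block
            next
        end
        set extended-utm-log enable
    next
end
config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set dlp-sensor "Test_dlp_sensor"
        set profile-protocol-options "default"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts.

    'config X' and 'edit Y' open a nested dict; 'set K V...' stores V (a string
    for one value, a list for several); 'next'/'end' close the current level.
    Lines starting with '#' are comments and are skipped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours "..." and '...' quoting
        keyword = parts[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif keyword == "set":
            values = parts[2:]
            stack[-1][parts[1]] = values[0] if len(values) == 1 else values
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_dlp(cfg):
    """Return a list of findings describing broken DLP wiring (empty = OK)."""
    findings = []
    patterns = cfg.get("dlp filepattern", {})
    sensors = cfg.get("dlp sensor", {})
    for pol_id, pol in cfg.get("firewall policy", {}).items():
        sensor_name = pol.get("dlp-sensor")
        if sensor_name is None:
            continue  # policy does not use DLP; nothing to check here
        if pol.get("utm-status") != "enable":
            findings.append(f"policy {pol_id}: utm-status is not enabled, "
                            f"so dlp-sensor '{sensor_name}' is not applied")
        sensor = sensors.get(sensor_name)
        if sensor is None:
            findings.append(f"policy {pol_id}: dlp-sensor '{sensor_name}' does not exist")
            continue
        for flt_id, flt in sensor.get("filter", {}).items():
            if flt.get("filter-by") == "file-type":
                pattern_id = flt.get("file-type")
                if pattern_id not in patterns:
                    findings.append(f"sensor '{sensor_name}' filter {flt_id}: "
                                    f"file-type {pattern_id} matches no dlp filepattern ID")
            if flt.get("action") != "block":
                findings.append(f"sensor '{sensor_name}' filter {flt_id}: "
                                f"action is '{flt.get('action')}', files are not blocked")
    return findings


if __name__ == "__main__":
    for line in audit_dlp(parse_fortios(SAMPLE_CONFIG)) or ["OK: DLP wiring is consistent"]:
        print(line)
```

Feed it the output of `show full-configuration` (or the relevant `show dlp filepattern`, `show dlp sensor` and `show firewall policy` sections) instead of the sample to check a real unit; the same parser can be extended to other profile references on the policy.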
 

Note:

From v6.2.2 to v7.2.3, DLP is unavailable in the GUI and can only be configured through the CLI. It was re-introduced in the GUI in v7.2.4 (if Data Leak Prevention is not visible in the tree menu, go to System -> Feature Visibility and enable it).