FortiGate
ramosd
Staff
Article Id 365947
Description This article describes how to apply a DLP filter based on file size. In this example, files larger than 1 MB will be logged.
Scope FortiGate.
Solution

A specific configuration is required to apply DLP filtering based on file size.

The following steps illustrate an example configuration.

  1. Configure the DLP profile.

config dlp profile
    edit "1MB"
        set feature-set proxy
        config rule
            edit 1
                set name "1MB"
                set severity critical
                set proto smtp pop3 imap http-get http-post ftp nntp cifs
                set file-size 1000
                set action log-only
            next
        end
        set extended-log enable
    next
end

  2. Apply the DLP profile to a firewall policy. The policy must use proxy inspection mode and SSL deep inspection. Certificate warnings may appear if the end device does not trust the CA.

config firewall policy
    edit 9
        set name "DLP file size"
        set uuid be953654-ad19-51ef-43da-8ec8900d05ac
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "Test_PC"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set dlp-profile "1MB"
        set logtraffic all
        set nat enable
    next
end
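
The proxy-mode and deep-inspection requirement can be checked across an exported configuration. The following Python script is an added example, not Fortinet code: it parses `config firewall policy` from `show` output and flags policies that reference a DLP profile without `inspection-mode proxy` or with a non-decrypting SSL/SSH profile. The function names and sample config are constructed, and treating an unset `inspection-mode` as flow and the profiles `certificate-inspection` and `no-inspection` as non-deep are assumptions.

```python
import re

# Assumed non-decrypting built-in profiles; custom names cannot be judged.
NON_DEEP = {"certificate-inspection", "no-inspection"}

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from 'config firewall policy'."""
    policies, current, in_block, depth = {}, None, False, 0
    for line in map(str.strip, text.splitlines()):
        if not in_block:
            in_block = line == "config firewall policy"
            continue
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":  # nested table inside a policy entry
            depth += 1
        elif tok[0] == "end":
            in_block, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and tok[0] == "edit" and len(tok) > 1:
            current = policies.setdefault(tok[1], {})
        elif depth == 0 and tok[0] == "set" and current is not None and len(tok) > 1:
            current[tok[1]] = tok[2:]
    return policies

def audit_dlp_policies(text):
    """Return {policy_id: [problems]} for policies that reference a DLP profile."""
    findings = {}
    for pid, cfg in parse_policies(text).items():
        ssl = (cfg.get("ssl-ssh-profile") or [None])[0]
        checks = {  # an unset inspection-mode is treated as flow (assumption)
            "inspection-mode is not proxy": cfg.get("inspection-mode") != ["proxy"],
            f"ssl-ssh-profile {ssl!r} is not deep inspection": ssl is None or ssl in NON_DEEP,
        }
        problems = [msg for msg, failed in checks.items() if failed]
        if "dlp-profile" in cfg and problems:
            findings[pid] = problems
    return findings

# Constructed sample: policy 9 follows the article, policy 10 does not.
SAMPLE = """config firewall policy
edit 9
set inspection-mode proxy
set ssl-ssh-profile "deep-inspection"
set dlp-profile "1MB"
next
edit 10
set ssl-ssh-profile "certificate-inspection"
set dlp-profile "1MB"
next
end"""
print(audit_dlp_policies(SAMPLE))
```

A policy that uses a custom SSL/SSH profile passes the name check, so its inspection settings still need to be reviewed separately.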

After this configuration is in place, try to download a file larger than 1 MB, then go to Log & Report -> Security Events -> Data Loss Prevention.

Log entries should appear with details including the service, source IP, URL, action, file name, filter type, filter category, and more.
