msingh_FTNT
Staff
Article Id 330153
Description: This article describes how to troubleshoot DLP issues.
Scope: FortiGate.
Solution

DLP (Data Leak Prevention) Debug:

FortiGate UTM inspects traffic in two modes: proxy-based inspection and flow-based inspection.

Different daemons handle DLP inspection depending on the inspection type configured. The section below shows how to collect basic DLP debug output for each inspection type.

DLP in Proxy-based Mode:

In proxy mode, both the proxy DLP daemon and the scanunit daemon are involved in DLP filtering. This example enables scanunit debug along with DLP debug because the scanunit daemon scans the traffic and passes the packets to the DLP daemon.

For instance, when DLP is not detecting violating traffic, the issue can often be identified as scanunit not passing anything to DLP. In the example below, the debug output shows both the scanunit and DLP daemons.

| Debug Command | Comments |
|---|---|
| diag sys scanunit debug all<br>diagnose debug enable | Enable debug to see if scanunit passes packets to DLP. |
| diag wad debug enable all<br>diagnose debug enable | This enables the DLP daemon debug. |
| diag sys scanunit debug dlp<br>diagnose debug enable | To filter the debug only for DLP traffic. |
| diag wad debug enable category scan<br>diagnose debug enable | To filter the debug only for UTM Scan. |