This article explains the GUI/CLI changes in configuring Data Leak Prevention (DLP)
Fortinet Documentation : https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/610893/file-filter
Concerns FortiOS version 6.2.2 and higher
The following option to enable/disable DLP feature visibility in the GUI has been removed.
# config system settings
set gui-dlp [enable|disable]
- No DLP profile in security profile
- No DLP profile section in IPv4, IPv6 and Proxy policy
- No DLP Log option in Log & Report
- No DLP option with NGFW
The DLP option is no longer available on the GUI and cannot be made visible on the GUI using the CLI. Under "config system settings", the option "set gui-dlp enable" no longer exists.
# Skywalker-kvm55 # config system settings
# Skywalker-kvm55 (settings) # set gui-dlp
command parse error before 'gui-dlp'
DLP is still functional on the releases 6.2.2 and later, however, configurable only from the CLI.The commands and configuration related to DLP stills remains the same as earlier code.
# Skywalker-kvm55 # get system status
Version: FortiGate-VM64-KVM v6.2.2,build1010,191008 (GA)
# Skywalker-kvm55 (sensor) # show
config dlp sensor
set comment "Default sensor."
set proto smtp pop3 imap http-get http-post ftp nntp mapi
set filter-by file-type
set file-type 3
set action block
set comment "Log a summary of email and web traffic."
set summary-proto smtp pop3 imap http-get http-post
# config firewall policy
set name "Full Access"
set uuid b4b85de6-d4f2-51e9-5247-91c302c291e2
set srcintf "port1"
set dstintf "port10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set dlp-sensor "default" <<<<<<
set logtraffic all
set fsso disable
set nat enable
The DLP functionality can be leveraged using "File Filter" feature under Web Filter security profile which provides flexibility to inspect HTTP and FTP traffic for selected files.Though the ‘File Filter’ supports only inspection of HTTP and FTP traffic, DLP can still be configured to handle other types of file filtering
- SSN & Credit Card
- File nameImportant Notes:- DLP configuration is available in Flow based and Proxy based inspection modes in 6.2.2.
- If the unit is upgraded to FortiOS 6.2.2, firewall policies would lose the DLP sensor profile config on them and the DLP sensor profile needs to be manually added onto the firewall policy via CLI.
(set dlp-sensor default)
- Any custom DLP sensors that were created on the firmware prior to 6.2.2 would still be available to use after the upgrade to 6.2.2. However, by default, removed from the firewall policies and needs to be manually added.
- File filtering currently works only in Proxy based inspection mode.
- There is no web filter profile in NGFW Policy mode.