dlp : sensor
 
sensor
Use this command to create a DLP sensor. The DLP sensor includes settings such as action, archive, and severity for each rule or compound rule.
Syntax
config dlp sensor
    edit <sensor_str>
        set comment <comment_str>
        set extended-utm-log {enable | disable}
        set flow-based {disable | enable}
        set full-archive-proto {ftp http-get http-post imap mapi nntp pop3 smtp}
        set options {strict-file}
        set replacemsg-group <group_name>
        set summary-proto {ftp http-get http-post imap mapi nntp pop3 smtp}
        config filter
            edit <filter_str>
                set action {block | log-only | none | quarantine-ip}
                set expiry <duration_str>
                set filter-by {credit-card | encrypted | file-size | file-type | fingerprint | regexp | ssn | watermark}
                set name <name_str>
                set proto {ftp http-get http-post imap mapi nntp pop3 smtp}
                set severity {info | low | medium | high | critical}
                set type {file | message}
            end
    end
Variables (each entry gives the variable, its description, and its default)

<sensor_str>
    Enter the name of a sensor to edit. Enter a new name to create a new DLP sensor.
    Default: No default.

comment <comment_str>
    Enter an optional description of the DLP sensor. Enclose the description in quotes if it contains spaces.
    Default: No default.

extended-utm-log {enable | disable}
    Enable or disable detailed UTM log messages.
    Default: disable

flow-based {disable | enable}
    Enable or disable flow-based DLP.
    Default: disable

full-archive-proto {ftp http-get http-post imap mapi nntp pop3 smtp}
    Enter the protocols whose traffic is always content archived.
    Default: null

options {strict-file}
    strict-file is required for file filtering to function when the URL contains a ? character. For example, a file pattern configured to block *.exe will only block file.exe at the URL www.example.com/download?filename=file.exe if strict-file is specified.
    Default: No default

replacemsg-group <group_name>
    Enter the replacement message group to use.
    Default: No default

summary-proto {ftp http-get http-post imap mapi nntp pop3 smtp}
    Enter the protocols for which a summary is always logged.
    Default: aim ftp http-get http-post icq imap mapi msn nntp pop3 smtp yahoo

config filter variables

edit <filter_str>
    Add a rule to a sensor by specifying the name of a DLP rule that has already been added.
    Default: No default

action {block | log-only | none | quarantine-ip}
    Enter the action taken when the rule is triggered.
    block — Prevent the traffic matching the rule from being delivered.
    log-only — Log the rule match but take no action on the network traffic. Other matching rules in the same sensor and in other sensors may still act on the matching traffic.
    none — Take no action.
    quarantine-ip — Block access through the FortiGate unit for any IP address that sends traffic matching a sensor with this action. The IP address is added to the Banned User list.
    Default: log-only

expiry <duration_str>
    Set the duration of the quarantine in days, hours and minutes, using the format ###d##h##m. The minimum setting is 5 minutes; the maximum is 364d23h59m. This field is available only when action is quarantine-ip.
    Default: 5m

filter-by {credit-card | encrypted | file-size | file-type | fingerprint | regexp | ssn | watermark}
    Select what the sensor filters by.

name <name_str>
    Enter the filter name.
    Default: No default

proto {ftp http-get http-post imap mapi nntp pop3 smtp}
    Enter the protocols to detect. Values are ftp, http-get, http-post, imap, mapi, nntp, pop3, smtp.
    Default: No default

severity {info | low | medium | high | critical}
    Set the event severity.
    Default: medium

type {file | message}
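As an added example (not taken from the FortiOS reference itself), the following configuration combines the settings above into one sensor: strict-file so that downloads behind a ?filename= URL are still inspected, a credit-card filter that blocks, an SSN filter that quarantines the sending IP for one hour, and an encrypted-file filter that only logs. The sensor name, filter IDs, filter names, protocol choices and the # comment lines (assumed to be ignored as in FortiOS configuration files) are assumptions.

```text
# Constructed example: one DLP sensor with three filters of differing severity.
config dlp sensor
    edit "outbound-pii-dlp"
        set comment "Block card numbers, quarantine SSN leaks, log encrypted files"
        # Needed so *.exe-style file patterns still match when the URL has a ? query.
        set options strict-file
        # Always keep a full archive of matching mail; summary-log the web/ftp hits.
        set full-archive-proto smtp
        set summary-proto smtp http-post ftp
        config filter
            edit 1
                set name "card-numbers-in-messages"
                set type message
                set filter-by credit-card
                set proto smtp http-post
                set action block
                set severity high
            next
            edit 2
                set name "ssn-in-uploads"
                set type message
                set filter-by ssn
                set proto http-post ftp smtp
                # Source IP is added to the Banned User list for the expiry period.
                set action quarantine-ip
                set expiry 1h
                set severity critical
            next
            edit 3
                set name "encrypted-archives"
                set type file
                set filter-by encrypted
                set proto http-post ftp smtp
                # Visibility only: traffic is still delivered, the match is logged.
                set action log-only
                set severity low
            next
        end
    next
end
```

The sensor takes effect only once it is referenced from a firewall policy with UTM inspection enabled; flow-based stays at its default of disable here, so the sensor operates in proxy mode.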