FortiGate
akumarr
Staff
Article Id 192440

Description


This article explains that the DLP option is no longer available in the GUI and cannot be made visible in the GUI using the CLI.
That is, under "config system settings", there is no 'set gui-dlp enable' option.

 

 
 
Config system settings:
 
set opmode nat
set ngfw-mode profile-based
set consolidated-firewall-mode disable
set http-external-dest fortiweb
set firewall-session-dirty check-all
set bfd disable
set utf8-spam-tagging enable
set wccp-cache-engine disable
set vpn-stats-log ipsec pptp l2tp ssl
set vpn-stats-period 600
set v4-ecmp-mode source-ip-based
set snat-hairpin-traffic enable
set dhcp-proxy disable
set central-nat disable
set lldp-reception global
set lldp-transmission global
set link-down-access enable
set asymroute disable
set asymroute-icmp disable
set tcp-session-without-syn disable
set ses-denied-traffic disable
set strict-src-check disable
set allow-linkdown-path disable
set asymroute6 disable
set asymroute6-icmp disable
set sctp-session-without-init disable
set sip-expectation disable
set sip-nat-trace enable
set status enable
set sip-tcp-port 5060
set sip-udp-port 5060
set sip-ssl-port 5061
set sccp-port 2000
set multicast-forward enable
set multicast-ttl-notchange disable
set allow-subnet-overlap disable
set deny-tcp-with-icmp disable
set ecmp-max-paths 255
set discovered-device-timeout 28
set email-portal-check-dns enable
set default-voip-alg-mode proxy-based
set gui-icap disable
set gui-implicit-policy enable
set gui-dns-database disable
set gui-load-balance disable
set gui-multicast-policy disable
 
Scope
 
FortiGate.


Solution


However, it is possible to enable the DLP feature for a specific policy by using the CLI.

Use the following commands to validate the DLP configuration:

 

config dlp filepattern
show full
end

config dlp sensor
show full
end

 

The DLP sensor can then be enabled on the policy.

 

config firewall policy
    edit <policy id>
        set dlp-sensor '<sensor name>'
    next
end
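
Because the sensor binding is only visible in the CLI on these builds, a configuration backup can be checked offline to see which policies actually reference a DLP sensor. The following is an added example, not part of the original article or any Fortinet tooling; the sample configuration, the policy and sensor names, and the function names audit_dlp and policies_without_dlp are constructed for illustration, and it assumes a single-VDOM backup.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE_CONFIG = """
config dlp sensor
    edit "pci-sensor"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set dlp-sensor "pci-sensor"
    next
    edit 2
        set name "guest-to-wan"
    next
    edit 3
        set name "dmz-out"
        set dlp-sensor ''
    next
end
"""

def audit_dlp(config_text):
    """Map each firewall policy ID to its DLP sensor name, or None if unset."""
    stack, current, result = [], None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line)          # entering a (possibly nested) config block
        elif line == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "config firewall policy":
            edit = re.fullmatch(r"edit (\d+)", line)
            sensor = re.fullmatch(r"set dlp-sensor (.*)", line)
            if edit:
                current = int(edit.group(1))
                result[current] = None
            elif line == "next":
                current = None
            elif sensor and current is not None:
                # An empty value ('' or "") is treated as "no sensor".
                result[current] = sensor.group(1).strip("\"'") or None
    return result

def policies_without_dlp(config_text):
    """Return the sorted IDs of policies that have no DLP sensor attached."""
    return sorted(pid for pid, s in audit_dlp(config_text).items() if s is None)
```

On the constructed sample, policies 2 and 3 are reported as having no DLP sensor.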

 

In FortiOS 7.2.4 GA and later, the DLP profile is re-introduced in the GUI.

DLP can be enabled in the GUI or the CLI:



config system settings
    set gui-dlp-profile enable
end


Find more information by following the link below:
https://docs.fortinet.com/document/fortigate/7.2.4/fortios-release-notes/572633/changes-in-gui-behav...