Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.b
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home 26.1.b Administration Guide

    Data Protection

    Data Protection

    You can configure an integration between FortiClient, EMS, and FortiData. FortiData is a document classification and labeling service. It contains a database (DB) of your file hashes, along with file metadata, including a data category (optional) and a label. The file data labels work in the same way as Microsoft's Purview Information Protection labels, although the labels are not included in the file content but are associated with the file hash in the FortiData DB. A label taxonomy is defined to represent the various classification levels required for an organization. FortiClient can integrate with FortiData to retrieve file data labels and use them to control file access.

    The following describes how the integration functions once configured:

    1. The EMS administrator configures a FortiData Fortinet Security Fabric Connector to establish trust. EMS and FortiData communicate in the following ways:
      • EMS pulls a data label list from FortiData to use in Data Protection profiles.
      • EMS send its certificate to FortiData to verify tokens that managed endpoints send for lookup.
      • FortiData must provide a connector API key for Fabric connection with EMS.
      • Any other information exchanges between EMS and FortiData are done via this connector.
      • FortiData only accepts requests from endpoints that this EMS manages. FortiData verifies this using the EMS serial number.
      • EMS sends FortiData a zero trust network access (ZTNA) certificate that FortiData to verify FortiClient requests. FortiData must provide the API key to receive the ZTNA certificate.
    2. The EMS administrator defines a Data Protection profile to monitor access to a file based on its data label.
    3. The EMS administrator defines which file types to send to FortiData for classification lookup. FortiClient only sends the selected file types for lookup. FortiData supports file uploads for OCR, such as JPEG and GIF.
    4. When a user downloads or opens a file that matches the configuration, FortiClient performs a hash lookup and retrieves the data label from FortiData for that file.
    5. FortiClient sends its token with the request to authenticate with FortiData to authorize the endpoint.
    6. FortiClient enforces file access based on classification rules that EMS defined. All file monitor activity is logged.

    FortiClient and EMS support integration with FortiData 7.6.1 and later versions. This feature requires the Endpoint Protection Platform license.

    See Configuring FortiData integration.

    Options

    Description
    Server

    		 Select the desired FortiData server. You must configure a FortiData Fabric connector for a FortiData server to be available for selection. See Creating connectors with OAuth 2.0 token-based authentication.
    Data Labels For each data label, configure the desired action. FortiClient supports the Monitor action.
    Enable On
  • Enable any of the following as desired:
    • Browser: FortiClient applies the configured action to a file that matches data label and is uploaded to a website.
    • Messaging Clients: FortiClient applies the configured action to a file that matches data label and is uploaded to a messaging client. This feature supports Microsoft Teams and Telegram.
    • Clipboard: FortiClient applies the configured action to a file that is copied to the clipboard. For example, if you open the file and take a screenshot, it is copied to the clipboard.
    File Extensions Select the desired extensions to apply the data protection settings on.
    Exclude Specified Folders/Files

    Exclude specified folders or files from FortiData submission. You must also create the exclusion list.

    Paths to Excluded Folders

    		 Configure specific folders to exclude from FortiData submission.

    Paths to Excluded Files

    		 Configure specific files to exclude from FortiData submission.
    Previous
    Next

    Data Protection

    Data Protection

    You can configure an integration between FortiClient, EMS, and FortiData. FortiData is a document classification and labeling service. It contains a database (DB) of your file hashes, along with file metadata, including a data category (optional) and a label. The file data labels work in the same way as Microsoft's Purview Information Protection labels, although the labels are not included in the file content but are associated with the file hash in the FortiData DB. A label taxonomy is defined to represent the various classification levels required for an organization. FortiClient can integrate with FortiData to retrieve file data labels and use them to control file access.

    The following describes how the integration functions once configured:

    1. The EMS administrator configures a FortiData Fortinet Security Fabric Connector to establish trust. EMS and FortiData communicate in the following ways:
      • EMS pulls a data label list from FortiData to use in Data Protection profiles.
      • EMS send its certificate to FortiData to verify tokens that managed endpoints send for lookup.
      • FortiData must provide a connector API key for Fabric connection with EMS.
      • Any other information exchanges between EMS and FortiData are done via this connector.
      • FortiData only accepts requests from endpoints that this EMS manages. FortiData verifies this using the EMS serial number.
      • EMS sends FortiData a zero trust network access (ZTNA) certificate that FortiData to verify FortiClient requests. FortiData must provide the API key to receive the ZTNA certificate.
    2. The EMS administrator defines a Data Protection profile to monitor access to a file based on its data label.
    3. The EMS administrator defines which file types to send to FortiData for classification lookup. FortiClient only sends the selected file types for lookup. FortiData supports file uploads for OCR, such as JPEG and GIF.
    4. When a user downloads or opens a file that matches the configuration, FortiClient performs a hash lookup and retrieves the data label from FortiData for that file.
    5. FortiClient sends its token with the request to authenticate with FortiData to authorize the endpoint.
    6. FortiClient enforces file access based on classification rules that EMS defined. All file monitor activity is logged.

    FortiClient and EMS support integration with FortiData 7.6.1 and later versions. This feature requires the Endpoint Protection Platform license.

    See Configuring FortiData integration.

    Options

    Description
    Server

    		 Select the desired FortiData server. You must configure a FortiData Fabric connector for a FortiData server to be available for selection. See Creating connectors with OAuth 2.0 token-based authentication.
    Data Labels For each data label, configure the desired action. FortiClient supports the Monitor action.
    Enable On
  • Enable any of the following as desired:
    • Browser: FortiClient applies the configured action to a file that matches data label and is uploaded to a website.
    • Messaging Clients: FortiClient applies the configured action to a file that matches data label and is uploaded to a messaging client. This feature supports Microsoft Teams and Telegram.
    • Clipboard: FortiClient applies the configured action to a file that is copied to the clipboard. For example, if you open the file and take a screenshot, it is copied to the clipboard.
    File Extensions Select the desired extensions to apply the data protection settings on.
    Exclude Specified Folders/Files

    Exclude specified folders or files from FortiData submission. You must also create the exclusion list.

    Paths to Excluded Folders

    		 Configure specific folders to exclude from FortiData submission.

    Paths to Excluded Files

    		 Configure specific files to exclude from FortiData submission.
    Previous
    Next