
User account domains (Preview)

Note

To enable this Preview feature, contact Fortinet Support.

The User account domains parameter allows detections to be generated based on the website/web app login account name used when uploading or downloading files, typing, copying and pasting text, and so on. You can use this parameter to define either an allowlist that matches permitted user account names or a denylist that matches prohibited user account names.

Example

For example, selecting the Allow listed domains radio button and entering company.com would create an allowlist that permits users to upload files to a Dropbox file share website (defined by the URL patterns parameter) using an account in the format name@company.com without generating detections. With this configuration, a detection would be generated if a user attempted an upload while using an account in the format name@gmail.com or any other that does not match the company's domain.

Alternatively, selecting the Prohibit listed domains radio button and entering gmail.com would create a denylist that generates a detection if a user attempts a file upload while using an account in the format name@gmail.com, but does not generate a detection when any other accounts are used.

The User account domains parameter helps distinguish between corporate and non-corporate web activity for users who have signed in to a site or web app using:

  • username- and password-based authentication
  • OAuth, or
  • SAML 2.0.

Note

OAuth and SAML logins are supported with Microsoft, Google, or Okta as identity providers.

The User account domains parameter is provided in various policy templates, enabling you to set specific account domain conditions for triggering detections depending on the context.

Example

Using the Sensitive file downloaded template, you could create a policy to block sensitive files from being downloaded from a Dropbox file share website unless users are logged in using their corporate email address as follows:

In the Website parameters section:

  • For the URL patterns parameter:
    1. Select the Prohibit listed URLs radio button.
    2. Either type a custom value or select an asset that matches your corporate Dropbox, such as dropbox.com.
  • For the User account domains parameter:
    1. Select the Allow listed domains radio button.
    2. Either type a custom value or select an asset that matches your corporate email domain, such as company.com.

Some templates, such as the Sensitive file uploaded template, let you prohibit uploads, considering both a file's web origin and destination and associated account domains. For more on this, also see User account domains: origin (Preview).

Known limitations

Be mindful of the following limitations:

  • Password-free logins, where a one-time code, face, fingerprint, PIN, or security key is used for authentication, are not recognized and will be reported as unknown logins. Two-factor authentication (2FA) logins can be tracked.

Note

If the User account domains parameter is set, you can generate detections when activities associated with unknown logins occur by turning the Monitor unknown user accounts toggle on during template configuration.
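
The following added example (not Fortinet code) models how the settings described above combine into a detection decision, including the unknown-login case. The function names, the exact case-insensitive domain match, the host-suffix URL match, and the behaviour with the toggle off are assumptions made for illustration, not documented product behaviour.

```python
# Added illustration: a model of the detection decision described on this page.
# Assumptions (not documented product behaviour): account domains match exactly
# and case-insensitively on the text after the last "@"; a URL pattern matches
# the host itself or any of its subdomains.
from urllib.parse import urlsplit


def domain_listed(account, domains):
    """True if the account's domain is one of the listed domains."""
    domain = account.rsplit("@", 1)[-1].lower()
    return domain in {d.lower() for d in domains}


def url_listed(url, patterns):
    """True if the URL's host equals a pattern or is a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == p.lower() or host.endswith("." + p.lower())
               for p in patterns)


def generates_detection(url, account, *, prohibited_urls, account_mode,
                        account_domains, monitor_unknown=False):
    """Model of 'Prohibit listed URLs' combined with User account domains.

    account is None for an unknown login (for example a password-free sign-in).
    account_mode is "allow" (Allow listed domains) or "prohibit".
    """
    if not url_listed(url, prohibited_urls):
        return False  # site is outside the policy's scope
    if account is None:
        # Assumed: unknown logins only produce detections with the toggle on.
        return monitor_unknown
    listed = domain_listed(account, account_domains)
    # Allowlist: detect when the domain is NOT listed.
    # Denylist: detect when the domain IS listed.
    return listed if account_mode == "prohibit" else not listed


# Constructed policy mirroring the Sensitive file downloaded example above.
CORPORATE_ONLY = dict(prohibited_urls=["dropbox.com"],
                      account_mode="allow",
                      account_domains=["company.com"])
# Constructed denylist variant mirroring the gmail.com example above.
NO_GMAIL = dict(prohibited_urls=["dropbox.com"],
                account_mode="prohibit",
                account_domains=["gmail.com"])
```

In this model, an allowlist treats a lookalike account such as name@company.com.example.net as non-corporate because the domain comparison is exact, while a denylist only catches the domains you enumerate.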
