SaaS apps

The SaaS apps template parameter lets you specify the web apps that users should or should not use, generating detections and optionally executing actions when unauthorized activity occurs. The parameter enables you to define either an allowlist that matches SaaS apps users are permitted to interact with or a denylist that matches SaaS apps users are prohibited from interacting with.

The SaaS apps parameter integrates with the FortiDLP Console's SaaS apps module. Because of this, it is recommended that you set up your app inventory before configuring policies. For guidance on this, refer to SaaS apps in the FortiDLP Console User Guide.

There are three ways to configure the SaaS apps parameter:

  • Match SaaS apps by condition: This method allows you to define the categories, verdicts, and/or a minimum and maximum risk score to match web apps for your allowlist or denylist. If multiple conditions are specified, a SaaS app will match if it has at least one of the defined values for each configured parameter.

    For example, you might want to configure upload policy templates to only allow uploads to sanctioned apps. To do this, you could provide a condition configuration for an allowlist that includes the Sanctioned verdict.

    Further, if your allowlist includes the File sharing and storage and Google Apps categories and the Sanctioned verdict, apps in either category that are sanctioned will match.

    Alternatively, you could provide a condition configuration for a denylist that prohibits apps in the File sharing and storage category unless they are sanctioned.

  • Match SaaS apps from inventory: This method allows you to choose web apps from your SaaS app inventory for your allowlist or denylist.

    For example, instead of defining categories and a verdict to match apps, you could select specific apps like Google Drive from your inventory.

  • Use SaaS app specifier policy assets: This method allows you to use custom SaaS app specifier assets for your allowlist or denylist. These assets can be created by defining app conditions and/or selecting apps from your inventory, as in the methods above. However, SaaS app specifiers can be reused across policies.

    For example, you might create a SaaS app specifier, reused across policies, that comprises a list of apps to which you want to prevent sensitive data from being uploaded, copied, and so on.

    For instructions on creating SaaS app specifiers, refer to Creating custom assets in the FortiDLP Administration Guide.

These three configuration methods can be used together within a single template, in which case OR logic applies. That is, a SaaS app will match if it meets the criteria for any of the condition configuration, the inventory configuration, or the policy asset configuration.
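The matching rules above (OR within a condition parameter, AND across configured parameters, OR across the three methods) can be modelled as follows. This is an added illustration, not FortiDLP code: all class and field names are hypothetical, specifier assets are simplified to reusable conditions, risk bounds are assumed inclusive, and an empty condition is assumed to match nothing.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class App:                      # one inventory entry (hypothetical shape)
    name: str
    categories: frozenset
    verdict: str
    risk: int

@dataclass
class Condition:
    categories: set = field(default_factory=set)   # empty set = not configured
    verdicts: set = field(default_factory=set)
    min_risk: Optional[int] = None
    max_risk: Optional[int] = None

    def matches(self, app: App) -> bool:
        checks = []
        if self.categories:     # OR within a parameter: any listed value suffices
            checks.append(bool(self.categories & app.categories))
        if self.verdicts:
            checks.append(app.verdict in self.verdicts)
        if self.min_risk is not None:
            checks.append(app.risk >= self.min_risk)   # bounds assumed inclusive
        if self.max_risk is not None:
            checks.append(app.risk <= self.max_risk)
        # AND across configured parameters; empty condition matches nothing (assumption)
        return bool(checks) and all(checks)

@dataclass
class SaasAppsParameter:
    prohibit: bool                                   # True = denylist, False = allowlist
    condition: Condition = field(default_factory=Condition)
    inventory: set = field(default_factory=set)      # app names picked from inventory
    specifiers: list = field(default_factory=list)   # reusable assets, modelled as Conditions

    def listed(self, app: App) -> bool:
        # OR across the three configuration methods
        return (self.condition.matches(app) or app.name in self.inventory
                or any(s.matches(app) for s in self.specifiers))

    def unauthorized(self, app: App) -> bool:
        return self.listed(app) if self.prohibit else not self.listed(app)

# Constructed sample inventory; verdicts other than "Sanctioned" and all scores are made up.
FS, GA = "File sharing and storage", "Google Apps"
DRIVE = App("Google Drive", frozenset({FS, GA}), "Sanctioned", 20)
DROPBOX = App("Dropbox", frozenset({FS}), "Unsanctioned", 55)
CHAT = App("Example Chat", frozenset({"Messaging"}), "Sanctioned", 30)
ALLOW = SaasAppsParameter(prohibit=False, condition=Condition({FS, GA}, {"Sanctioned"}))
```

Evaluating a draft policy against a copy of the inventory in this way shows which apps an allowlist leaves unauthorized before the policy is deployed.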

Example

Using the Sensitive file downloaded template, you could create a policy to block sensitive files from being downloaded from Dropbox unless users are logged in using their corporate email address as follows:

In the Website parameters section:

  • For the SaaS apps parameter:
    1. Select the Prohibit listed SaaS apps radio button.
    2. In the Match SaaS apps by inventory section, click Add apps.
    3. In the Add SaaS applications dialog box, select the Dropbox checkbox and then click Add apps.
    4. In the SaaS apps dialog box, click Done.
      The parameter in the template editor will look as follows.
  • For the User account domains parameter:
    1. Select the Allow listed domains radio button.
    2. Either enter a custom value or select an asset that matches your corporate email domain, such as company.com.

Some templates, such as the Sensitive file uploaded template, let you configure the SaaS apps parameter to prohibit uploads, considering both a file's web app origin and destination. For more on this, also see SaaS apps: origin (Preview).
