Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiDLP Administration Guide

    Home FortiDLP FortiDLP Administration Guide

    Configuring file shadowing with GCS

    Configuring file shadowing with GCS

    When configuring file shadowing with GCS, you will need to create a storage bucket and a bucket policy. You must also create a service account and a corresponding private key to grant access permissions to the bucket and the shadow copies within it.

    FortiDLP requires HTTPS (TLS) to prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. GCS has HTTPS (TLS) by enabled default, so no action is required to configure a secure connection.

    The following instructions describe the tasks required to configure file shadowing with GCS.

    How to configure file shadowing with GCS
    1. Log in to the Google Cloud Platform Console.
    2. Create your storage bucket:
      1. Go to Cloud Storage > Buckets.
      2. Click Create.
      3. In the Name your bucket field, type the bucket name. Then click Continue.
      4. In the Choose where to store your data section, select the appropriate Location type radio button and location for the bucket. We recommend choosing a single region that is the same region your company is located in. Then click Continue.
      5. In the Choose a storage class for your data section, select the radio button for the appropriate storage class option. Then click Continue.
      6. In the Choose how to control access to objects section, leave the Enforce public access prevention on this bucket checkbox selected and select the Uniform radio button. Then click Continue.
      7. In the Choose how to protect object data section:
        1. Select the radio button for the appropriate protection tools option.
        2. Optionally, to enable data encryption using a customer-managed encryption key, click Data encryption and then select the Cloud KMS key checkbox. To use this feature, you must also create a new key in your Cloud Key Management Console, as described here. Google Cloud provides default encryption at rest using AES-256 encryption standards, which applies if a Cloud KMS key is not configured.
        3. Click Create.
      8. In the Public access will be prevented dialog box, click Confirm.
    3. Create a service account key:
      1. Go to IAM and admin > Service accounts.
      2. Click Create service account.
      3. In the Service account details section:
        1. In the Service account name field, type a service account display name.
          2. Note

          Your Service account ID is created as you type your Service account name and is displayed in the field below in the format serviceaccountname@projectid.iam.gserviceaccount.com. Take note of this value, as you will need it during step 4.

        2. In the Service account description field, type a service account description.
        1. Click Done.
      4. On the row of your service account, click> Manage keys.
      5. Click Add key > Create new key.
      6. In the Create private key dialog box, leave the JSON radio button selected and click Create.
        The service account JSON file will then download to your computer. You will need this to complete the next task, Configuring file shadowing with FortiDLP.
    4. Create a bucket policy:
      1. Go to Cloud Storage > Buckets.
      2. On the row of your storage bucket, click> Edit access.
      3. In the right-hand panel, click Add principal.
      4. In the New principals field, enter the Service account ID (generated at step 3c).
      5. In the Select a role menu, click Cloud Storage > Storage Object Creator.
      6. Click Add another role.
      7. In the Select a role menu, click Cloud Storage > Storage Object Viewer.
      8. Click Save.

    You can then proceed to the next task, Configuring file shadowing with FortiDLP.

    Previous
    Next

    Configuring file shadowing with GCS

    Configuring file shadowing with GCS

    When configuring file shadowing with GCS, you will need to create a storage bucket and a bucket policy. You must also create a service account and a corresponding private key to grant access permissions to the bucket and the shadow copies within it.

    FortiDLP requires HTTPS (TLS) to prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. GCS has HTTPS (TLS) by enabled default, so no action is required to configure a secure connection.

    The following instructions describe the tasks required to configure file shadowing with GCS.

    How to configure file shadowing with GCS
    1. Log in to the Google Cloud Platform Console.
    2. Create your storage bucket:
      1. Go to Cloud Storage > Buckets.
      2. Click Create.
      3. In the Name your bucket field, type the bucket name. Then click Continue.
      4. In the Choose where to store your data section, select the appropriate Location type radio button and location for the bucket. We recommend choosing a single region that is the same region your company is located in. Then click Continue.
      5. In the Choose a storage class for your data section, select the radio button for the appropriate storage class option. Then click Continue.
      6. In the Choose how to control access to objects section, leave the Enforce public access prevention on this bucket checkbox selected and select the Uniform radio button. Then click Continue.
      7. In the Choose how to protect object data section:
        1. Select the radio button for the appropriate protection tools option.
        2. Optionally, to enable data encryption using a customer-managed encryption key, click Data encryption and then select the Cloud KMS key checkbox. To use this feature, you must also create a new key in your Cloud Key Management Console, as described here. Google Cloud provides default encryption at rest using AES-256 encryption standards, which applies if a Cloud KMS key is not configured.
        3. Click Create.
      8. In the Public access will be prevented dialog box, click Confirm.
    3. Create a service account key:
      1. Go to IAM and admin > Service accounts.
      2. Click Create service account.
      3. In the Service account details section:
        1. In the Service account name field, type a service account display name.
          2. Note

          Your Service account ID is created as you type your Service account name and is displayed in the field below in the format serviceaccountname@projectid.iam.gserviceaccount.com. Take note of this value, as you will need it during step 4.

        2. In the Service account description field, type a service account description.
        1. Click Done.
      4. On the row of your service account, click> Manage keys.
      5. Click Add key > Create new key.
      6. In the Create private key dialog box, leave the JSON radio button selected and click Create.
        The service account JSON file will then download to your computer. You will need this to complete the next task, Configuring file shadowing with FortiDLP.
    4. Create a bucket policy:
      1. Go to Cloud Storage > Buckets.
      2. On the row of your storage bucket, click> Edit access.
      3. In the right-hand panel, click Add principal.
      4. In the New principals field, enter the Service account ID (generated at step 3c).
      5. In the Select a role menu, click Cloud Storage > Storage Object Creator.
      6. Click Add another role.
      7. In the Select a role menu, click Cloud Storage > Storage Object Viewer.
      8. Click Save.

    You can then proceed to the next task, Configuring file shadowing with FortiDLP.

    Previous
    Next