
FortiDLP Administration Guide

File shadowing

File shadowing allows you to capture evidence when users violate data loss prevention policies.

When file shadowing is enabled, the FortiDLP Agent copies the files associated with policy violations and sends them to an external storage location. From there or from the FortiDLP Console, operators can download the shadow copies and reference them during threat investigations.

With file shadowing, you own and manage your data. Shadow copies are never uploaded to the FortiDLP Infrastructure; they are uploaded only to the storage location you choose, which the FortiDLP Agent accesses directly. Your data is protected in transit and at rest: before transferring a shadow copy, the FortiDLP Agent encrypts it and then establishes a Transport Layer Security (TLS) connection to the storage service. Only holders of the corresponding private key can view shadow copies, and they must first decrypt them using the FortiDLP Decryption Tool. Fortinet provides two versions of this tool: a GUI version (recommended), available as a browser extension for Google Chrome, Microsoft Edge, and Firefox, and a command-line interface (CLI) version. Both versions are compatible with all supported OSs.

File shadowing actions can be executed on all OSs, and shadow copies can be stored on-premises with MinIO, or on the cloud with Amazon Web Services (AWS), Google Cloud Storage (GCS), or Microsoft Azure Blob Storage.

File shadowing setup

The following table provides an overview of the tasks required to enable file shadowing.

File shadowing setup tasks

Task: Downloading the FortiDLP Decryption Tool
Description: To get started, download the FortiDLP Decryption Tool Extension or the FortiDLP Decryption CLI Tool.

Task: Performing vendor-side setup (depending on your storage vendor)
Description: Create a storage bucket/container and grant the FortiDLP Agent and operators access to it. For MinIO, you must also configure a TLS certificate so that the Agent can establish a secure connection to the storage server.

Task: Configuring file shadowing with FortiDLP
Description: Configure FortiDLP with your storage vendor and bucket details, along with local storage and file size limits.

Task: Testing file shadowing configurations
Description: Test the configuration to ensure it works as expected: verify that a test shadow copy can be uploaded to the storage bucket and then downloaded from it.

Task: Setting encryption keys
Description: Using the FortiDLP Decryption Tool Extension or the FortiDLP Decryption CLI Tool, generate an encryption key pair and add the public key to the FortiDLP Console. The FortiDLP Agent uses the public key to encrypt shadow copies; operators use the matching private key to decrypt them.

Task: Enabling policies with file shadowing
Description: Configure and enable policy templates that execute the make shadow copy action.
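The vendor-side setup and testing tasks above leave one decision to you: how much access each party gets to the shadow bucket. Because the Agent's storage credentials live on every managed endpoint, a practical least-privilege split is for the Agent to be able to write shadow copies but not read, list, or delete them, for operators to be able to read and list only, and for any request that is not made over TLS to be refused. The AWS S3 bucket policy below is an added example of that split; it is not part of the FortiDLP documentation or product, and the bucket name (example-fortidlp-shadow), the account ID (123456789012, the placeholder used in AWS documentation), and the two IAM role names are assumptions to replace with your own. MinIO accepts S3-style policy documents of the same shape, so the structure carries over to an on-premises deployment.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AgentWriteOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/fortidlp-agent" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-fortidlp-shadow/*"
    },
    {
      "Sid": "OperatorReadAndList",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/fortidlp-operators" },
      "Action": [ "s3:GetObject", "s3:ListBucket" ],
      "Resource": [
        "arn:aws:s3:::example-fortidlp-shadow",
        "arn:aws:s3:::example-fortidlp-shadow/*"
      ]
    },
    {
      "Sid": "DenyPlaintextTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-fortidlp-shadow",
        "arn:aws:s3:::example-fortidlp-shadow/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```

When you reach the testing task, exercise this policy as well as the FortiDLP configuration: with the Agent's credentials, confirm that an object upload succeeds and that a download or deletion of the same object is denied; with an operator's credentials, confirm the download succeeds. A successful read or delete with Agent credentials means an endpoint compromise could tamper with evidence, even though the shadow copies themselves remain encrypted to the operator's public key.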
