FortiDLP Administration Guide

Configuring file shadowing with MinIO

When configuring file shadowing with MinIO, first see MinIO's own documentation for detailed server installation instructions, such as the MinIO Quickstart Guide and the MinIO Object Storage for Baremetal Infrastructure Guide.

After you set up your server, you must create a storage bucket. You will also need to create a user and a policy to grant access permissions to the bucket and the shadow copies within it.

You must also configure a TLS certificate, which allows the FortiDLP Agent to connect securely to your server. If your MinIO server is going to be accessible on the public internet, we recommend obtaining a TLS certificate from a public Certificate Authority (CA), such as Let's Encrypt or DigiCert. For usage within a private network, we recommend checking whether your IT department has an internal CA that can issue a TLS certificate. In all other cases, we recommend generating a self-signed certificate using the instructions in How to generate a self-signed TLS certificate with MinIO below.

TLS versions and supported ciphers

MinIO servers support TLS encryption of incoming and outgoing traffic. We require MinIO servers to run with TLS enabled to ensure end-to-end security of client-server or server-server transmissions.

The FortiDLP Agent uses TLS v1.2 and a specific set of ciphers that are compatible with MinIO as follows:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

To learn more about network encryption over TLS, click here.
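As an added check that is not part of this guide or of MinIO's tooling, the following Python builds a client TLS context restricted to exactly the protocol version and cipher suites listed above, reports any suite the local OpenSSL cannot offer, and can optionally handshake with a MinIO server the way the Agent would. The host, port and cafile values passed to probe_minio are assumptions you supply.

```python
import socket
import ssl
import time

# IANA suite names from the guide, mapped to the OpenSSL names Python's ssl expects.
AGENT_CIPHERS = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}


def agent_like_context(cafile=None):
    """Client context pinned to TLS 1.2 and the Agent's four suites.
    cafile: path to the server's public.crt when it is self-signed (assumed path)."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain and hostname verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(AGENT_CIPHERS.values()))  # raises SSLError if none is usable
    return ctx


def offered_cipher_names(ctx):
    """OpenSSL names of the TLS 1.2 suites this context will offer."""
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"}


def missing_agent_ciphers(ctx):
    """Agent suites the local OpenSSL build cannot offer; an empty set is good."""
    have = offered_cipher_names(ctx)
    return {iana for iana, ossl in AGENT_CIPHERS.items() if ossl not in have}


def probe_minio(host, port=9000, cafile=None, timeout=5.0):
    """Handshake with a MinIO server as the Agent would and report the negotiated
    suite, protocol version and days until the certificate expires (needs network;
    host and port are values you supply)."""
    ctx = agent_like_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            return {
                "cipher": tls.cipher()[0],
                "version": tls.version(),
                "days_until_expiry": int((not_after - time.time()) // 86400),
            }
```

A handshake failure from probe_minio means the server cannot serve the Agent either: check the certificate's host name, the certs directory and the server's cipher configuration.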

How to configure file shadowing with MinIO

Note

These instructions only focus on the settings relevant to configuring file shadowing, and the MinIO Console's user interface may vary depending on your deployment mode. Refer to MinIO's documentation for comprehensive information.

  1. Log in to the MinIO Console.
  2. Create your storage bucket:
    1. In the left-hand panel, click Buckets.
    2. Click Create Bucket.
    3. In the Create Bucket dialog box, do the following:
      1. In the Bucket Name field, type the bucket name. Uppercase letters and spaces cannot be used.
      2. Click Create Bucket.
    4. On the upper-right side of the page, click .
    5. Leave the Access Policy field set to Private.
      Caution

      This is required to restrict bucket access to only authenticated users.

    6. Optionally, if you are enabling bucket encryption, set the Encryption field to SSE-S3 or SSE-KMS. We recommend using this feature, and you can read more about this here.
  3. Create a policy:
    1. In the left-hand panel, click Access.
    2. Click Create Policy.
    3. In the Create Policy dialog box, do the following:
      1. In the Policy Name field, type the policy name.
      2. In the Write Policy entry box, paste the following text, replacing shadow-copies with your storage bucket name (from step 2.3.1):

         {
             "Version": "2012-10-17",
             "Statement": [
                 {
                     "Effect": "Allow",
                     "Action": [
                         "s3:GetObject",
                         "s3:PutObject"
                     ],
                     "Resource": [
                         "arn:aws:s3:::shadow-copies/*"
                     ]
                 }
             ]
         }

      3. Click Save.
  4. Create a user:
    1. In the left-hand panel, click Identity > Users.
    2. Click Create User.
    3. In the Create User dialog box, do the following:
      1. In the Access Key field, type an access key. We recommend using a unique, random, and long string of at least 32 characters.
      2. In the Secret Key field, type a secret key. We recommend using a unique, random, and long string of at least 32 characters.

         Note

         Remember these values, as you will need them when Configuring file shadowing with FortiDLP.

      3. Select the checkbox of the policy you created at step 3.
      4. Click Save.
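The following Python is an added example, not part of this guide or of MinIO. It generates the policy from step 3 for a given bucket name, enforces the bucket naming rule from step 2, and lints a pasted policy so that the user created in step 4 receives only GetObject and PutObject on that bucket's objects. The bucket name and the over-broad sample policy are constructed values; the length and character limits in the name check are an assumption.

```python
import json
import re

# Bucket naming rule from the guide (no uppercase, no spaces); the length and
# character limits are an assumption based on S3-style bucket names.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9]$")
ALLOWED_ACTIONS = {"s3:GetObject", "s3:PutObject"}

# Constructed sample of an over-broad policy an admin might paste by mistake.
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]})

def make_shadow_policy(bucket):
    """Return the guide's policy as a dict with the bucket name substituted."""
    if not BUCKET_NAME_RE.match(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def make_shadow_policy_text(bucket):
    """Same policy as text, ready to paste into the MinIO Console."""
    return json.dumps(make_shadow_policy(bucket), indent=4)

def policy_findings(policy_text, bucket):
    """Lint a policy document; an empty list means it grants only the intended access."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    expected = f"arn:aws:s3:::{bucket}/*"
    findings, statements = [], policy.get("Statement", [])
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        for a in [actions] if isinstance(actions, str) else actions:
            if a not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {a!r} exceeds GetObject/PutObject")
        for r in [resources] if isinstance(resources, str) else resources:
            if r != expected:
                findings.append(f"statement {i}: resource {r!r} is not {expected!r}")
    if not any(s.get("Effect") == "Allow" for s in statements):
        findings.append("no Allow statement: the user cannot read or write shadow copies")
    return findings
```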

How to generate a self-signed TLS certificate with MinIO

  1. On the MinIO server host, download the certgen tool.
  2. Open a command-line interface and go to the directory containing the certgen binary.
  3. Run one of the following commands, where <company> is your company name and <host> is the domain name or IP address of the machine running the MinIO instance. The <host> value must match the name or address that the FortiDLP Agent will use to reach the server, or certificate verification will fail:
    • On Windows, run:
      .\<certgen-download-name>.exe -org-name "<company>" -rsa-bits 2048 -host "<host>"
    • On macOS or Linux, run:
      ./<certgen-download-name> -org-name "<company>" -rsa-bits 2048 -host "<host>"

A public.crt file and a private.key file are generated.

Caution

The private.key file must remain on the MinIO server and must not be shared. Set file permissions so that only the account running the MinIO instance can read it.

You will need the public.crt file later when Configuring file shadowing with FortiDLP.

This certificate will be valid for one year and must be renewed before it expires.

How to install a TLS certificate on MinIO

The TLS certificate (CA-issued or self-signed) must be installed in the {HOME}/.minio/certs directory (macOS or Linux) or the {HOME}\.minio\certs directory (Windows) of the server. To do this, follow the instructions here.

After you install the TLS certificate, restart the server.

You should then proceed to Configuring file shadowing with FortiDLP.
