
FortiDLP Administration Guide

Configuring policy templates

Policy templates encapsulate the policy logic and expose a set of configurable parameters to allow you to tailor policies to your needs.

You must add policy templates to policy groups and configure them to meet your organization's requirements. Fortinet provides various policy templates—giving you control over how users interact with files, use USB storage devices, browse the web, and more.

Each policy template has a policy, detection and incident, and action configuration:

  • Policy configuration parameters define the conditions of the policy.

  • Detection and incident configuration parameters define how the detection displays in the FortiDLP Console if the policy is violated and if/how an associated incident is formed.

  • Action configuration parameters define the action(s) executed on a managed node if the policy is violated.

Note

For most templates, policy configuration parameter groups use AND logic, where detections are only generated if the criteria for all configured parameters are met.

There are exceptions to this, such as with the Sensitive file opened, Sensitive file uploaded, and Sensitive file downloaded templates. For details about the logic for these templates, contact Fortinet Support.

To ease setup, most policy templates provide default values and tooltips. Some also support assets, which are predefined parameter values. For example, you can select from an array of content inspection patterns for detecting credit and debit card numbers and social security numbers.

How to configure a policy template
Note

By default, FortiDLP rate limits certain actions to protect against misconfigured policy templates. This rate limit, which applies to all actions except kill process, empty clipboard, and make shadow copy, ensures actions are not executed on a node more than once per minute per policy.

Where a custom rate limit is also configured for display message actions, the rate limit with the longer duration applies. For example, if display message actions are rate limited to once per hour, this overrides FortiDLP's default rate limit of once per minute.

  1. In the FortiDLP Console, on the left-hand sidebar, click .
  2. Click the policy group you want to add policies to.
  3. Click Edit.

  4. In the Policy group scope dialog box, do one of the following:
  • To apply the policy group to all entities:
    1. In the Include section, leave the All entities radio button selected.
    2. In the Exclude section, leave the No entities radio button selected.
    3. Click Save.
  • To apply the policy group to a subset of entities by only selecting labels to include:
    1. In the Include section, select the Specific entities radio button.
    2. In the label list, select one or more labels for the entities you want to apply the group to.
    3. Do one of the following:
      • To include entities that have all of the previously selected labels, select the Require all radio button.
      • To include entities that have any of the previously selected labels, select the Require any radio button.
    4. Click Save.
    Example

    For example, to apply a policy group to all entities with a "Sales" label or a "Finance" label:

    In the Include section:

    1. Select the Specific entities radio button.
    2. In the labels list, select the Sales and Finance labels.
    3. Select the Require any radio button.
  • To apply the policy group to a subset of entities by selecting labels to include and exclude:
    1. In the Include section, follow the steps detailed above.
    2. In the Exclude section:
      1. Select the Specific entities radio button.
      2. In the label list, select one or more labels for the entities you want to exclude from the group.
      3. Do one of the following:
        • To exclude entities that have all of the previously selected labels, select the Require all radio button.
        • To exclude entities that have any of the previously selected labels, select the Require any radio button.
    3. Click Save.
    Example

    For example, to apply a policy group to all entities except those with a "Sales" label or a "Finance" label:

    • In the Include section, select the All entities radio button.
    • In the Exclude section:
      1. Select the Specific entities radio button.
      2. In the labels list, select the Sales and Finance labels.
      3. Select the Require any radio button.

    Or, to apply a policy group to entities with a "Manager" label and a "Product" label, but not a "Windows" label:

    • In the Include section:
      1. Select the Specific entities radio button.
      2. In the labels list, select the Manager and Product labels.
      3. Select the Require all radio button.
    • In the Exclude section:
      1. Select the Specific entities radio button.
      2. In the labels list, select the Windows label.
      3. Select either the Require all or Require any radio button.
  5. On the right side of the policy group page, click Add policies.
  6. In the Policy templates dialog box, do the following:
    1. Click a template category.
    2. In the template category list, click a template to add to the policy group.
    Tooltip

      You can quickly find a template by typing the first few letters of its name or description into the Search field. You can also filter templates by their default tags and FortiDLP Agent and OS requirements.

  7. In the table, select the template you added.
  8. In the policy template editor, configure the policy as needed:
    • Optionally, click and edit the policy template name, and then click Done.
    • Optionally, click and edit the policy template description, and then click Done.
    • Do one of the following:
      • To enable the policy after configuring the template, keep the Enable policy toggle on.
      • To disable the policy after configuring the template, turn the Enable policy toggle off.
      Note

        A policy is effective when the Enable policy toggle is on and the policy is published, as described later in these instructions.

    • In the Policy configuration panel, set any relevant parameters, referring to the FortiDLP Policies Reference Guide.
      Tooltip

      You can also click the icon corresponding to a parameter to view a description in a tooltip.

    • Optionally, in the Detection and incident configuration panel, do the following:
      1. In the Score field, type a number from 1 to 100 to define the detection's risk score:
        • A risk score of 0 is classified as no severity.
        • A risk score between 1 and 39 is classified as low severity.
        • A risk score between 40 and 69 is classified as medium severity.
        • A risk score between 70 and 89 is classified as high severity.
        • A risk score between 90 and 100 is classified as critical severity.
      2. In the Description field, type the detection's description.
      Note

        This field supports string formatting, where replacement fields are used to extract event data for display in the FortiDLP Console. This formatting is used in some of the default values provided, where one or more parts of the description are surrounded by curly brackets ({}).

        For example, in the description Connected to open Wi-Fi network {event.network.ssid}, {event.network.ssid} would be replaced with the SSID the user connected to when displayed in the FortiDLP Console.

      3. In the Tags field, type one or more keywords or terms describing the detection, separated by a space.
      4. To apply the MITRE ATT&CK framework to detections, under MITRE ATT&CK indicators, do the following:
        1. In the Tactic menu, select the MITRE ATT&CK tactic to assign to detections. Your selection will determine the available values in the Technique and Sub-technique menus.
        2. In the Technique menu, select the MITRE ATT&CK technique to assign to detections.
        3. In the Sub-technique menu, select the MITRE ATT&CK sub-technique to assign to detections.
        Note

          Multiple indicators can be added by clicking the Add indicator button and selecting the relevant values from the above menus. For more on MITRE ATT&CK indicators, see MITRE ATT&CK indicators.

      5. To raise an incident when the policy is breached:
        1. Turn the Raise incident if policy is violated toggle on.
        2. In the Incident clustering rule menu, select the method for grouping detections to form the incident. You can either cluster detections by a common property or by policy. For details, see Incident clustering rules.
    • Optionally, in the Action configuration panel, to execute one or more actions when the policy is breached, do the following:
      • To block browser downloads, turn the Block browser download toggle on.
      • To block browser uploads, turn the Block browser upload toggle on.
      • To block outbound emails, turn the Block outbound email toggle on (Windows and macOS only).
      • To block USB storage devices, turn the Block USB storage device toggle on.
      • To display an on-screen message to the user (Windows and macOS only):
        1. Turn the Display message toggle on.
        2. In the Title field, type a message title.
        3. In the Body field, type a message body:
          • Optionally, to apply italic or bold formatting, highlight the relevant text and click I or B.
          • Optionally, to create a dynamic message containing detection-specific event data, click {.data} and then select the desired variable. For example, inserting the event.url variable into the body would enable the URL related to a detection to display in the message.

        4. Optionally, to limit the number of messages displayed:
          1. Turn the Rate limit messages on screen toggle on.
          2. In the Display no more than one message per field, set the maximum number of messages you want displayed on a managed node using day, hour, minute, and second units.
          Example

            For example, setting the Hour(s) field to 1 would ensure the message would not display on the same managed node more than once per hour.

        5. Optionally, to include a URL in the message:
          1. Turn the Include link to URL toggle on.
          2. In the URL field, type the URL to direct the user to.
          3. In the Link text field, type the text to display as the link.
          4. To require the user to visit the URL, turn the Make clicking the link mandatory toggle on.
        6. Optionally, to include a feedback form:
          1. Turn the Include feedback form to provide a reason for the violation toggle on.
          2. In the Feedback form text field, type the text to display with the feedback form.
          3. To require the user to submit feedback, turn the Make submitting feedback mandatory toggle on.
        7. Optionally, to include an acknowledgement checkbox:
          1. Turn the Include mandatory acknowledgement checkbox toggle on.
          2. In the Acknowledgement checkbox text field, type the text to display with the checkbox.
      • To clear the system clipboard, turn the Empty clipboard toggle on (Windows and macOS only).
      • To make a shadow copy, turn the Make shadow copy toggle on.
      • To block current and new connections to the node, turn the Isolate toggle on.
      • To kill the process on the node, turn the Kill process toggle on.
      • To block the node's keyboard and mouse input, turn the Lock toggle on (Windows and macOS only).
      • To restart the node, turn the Reboot toggle on.
      • To capture a screenshot of the user's computer screen(s), turn the Take screenshot toggle on (Windows and macOS only).
  9. Click Save and exit.
  10. Do one of the following:
    • To configure additional templates, repeat steps 6–9.
    • To publish the policy group now, click Publish policy group and then click Publish now in the dialog box that displays. Policies will be applied to FortiDLP Agents within 15 minutes.
    • To publish the policy group later, exit the policy group page, and see Publishing policy groups for instructions when you are ready.
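The Include/Exclude scope logic from step 4 (Require all versus Require any), as an added Python model that is not FortiDLP code or part of this guide. It lets you check which entities a policy group will cover before publishing it; the entity names and labels are constructed, and the exclude side of the third example uses Require any for the single "Windows" label, since the guide says either button works there.

```python
"""Policy group scope evaluation (added example, not FortiDLP code).

Models the Include and Exclude sections of the Policy group scope
dialog so the effect of "Require all" versus "Require any" can be
checked against an inventory of entities before publishing.
"""
from dataclasses import dataclass

ALL = "all"   # Require all: entity must carry every selected label
ANY = "any"   # Require any: entity must carry at least one selected label


@dataclass(frozen=True)
class Selection:
    """One side (Include or Exclude) of the scope dialog.

    An empty label set models the 'All entities' (Include) or
    'No entities' (Exclude) radio button; a non-empty set models
    'Specific entities' with those labels selected.
    """
    labels: frozenset = frozenset()
    mode: str = ANY

    def matches(self, entity_labels: frozenset) -> bool:
        if self.mode == ALL:
            return self.labels <= entity_labels
        return bool(self.labels & entity_labels)


def in_scope(entity_labels, include, exclude) -> bool:
    """True if an entity with these labels falls within the policy group.

    Include: 'All entities' admits everything, otherwise the entity must
    match the selected labels. Exclude: 'No entities' removes nothing,
    otherwise a matching entity is removed even if it was included.
    """
    labels = frozenset(entity_labels)
    included = not include.labels or include.matches(labels)
    excluded = bool(exclude.labels) and exclude.matches(labels)
    return included and not excluded


def scoped_entities(entities, include, exclude):
    """Return sorted names of entities (name -> labels) that are in scope."""
    return sorted(n for n, l in entities.items() if in_scope(l, include, exclude))


# Constructed inventory of managed-node entities and their labels.
ENTITIES = {
    "sales-laptop-01": {"Sales", "Windows"},
    "finance-mac-02": {"Finance", "macOS"},
    "pm-win-03": {"Manager", "Product", "Windows"},
    "pm-mac-04": {"Manager", "Product", "macOS"},
    "eng-linux-05": {"Engineering", "Linux"},
}

# The three examples from the guide as (Include, Exclude) selections.
SALES_OR_FINANCE = (Selection(frozenset({"Sales", "Finance"}), ANY), Selection())
ALL_EXCEPT_SALES_FINANCE = (Selection(), Selection(frozenset({"Sales", "Finance"}), ANY))
MANAGER_AND_PRODUCT_NOT_WINDOWS = (
    Selection(frozenset({"Manager", "Product"}), ALL),
    Selection(frozenset({"Windows"}), ANY),
)

if __name__ == "__main__":
    cases = {
        "Sales or Finance": SALES_OR_FINANCE,
        "All except Sales/Finance": ALL_EXCEPT_SALES_FINANCE,
        "Manager and Product, not Windows": MANAGER_AND_PRODUCT_NOT_WINDOWS,
    }
    for name, (inc, exc) in cases.items():
        print(f"{name}: {scoped_entities(ENTITIES, inc, exc)}")
```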
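The replacement-field formatting used in the Description field and in dynamic message bodies ({event.network.ssid}, {event.url}), as an added Python example that is not FortiDLP code. The event payloads, the field regex and the missing_fields check are assumptions made for the example; the authoritative field list is the {.data} picker in the Console.

```python
"""Rendering detection descriptions with replacement fields.

Added example, not FortiDLP code. Shows how a description such as
"Connected to open Wi-Fi network {event.network.ssid}" is filled from
event data, and how to check a custom description against the fields
an event actually carries before the policy is published.
"""
import re

# A replacement field is a dotted path in curly brackets, e.g. {event.url}.
FIELD = re.compile(r"\{([A-Za-z_][A-Za-z0-9_.]*)\}")


def lookup(data: dict, path: str):
    """Resolve a dotted path like 'event.network.ssid' in nested dicts."""
    cur = data
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render(template: str, event: dict) -> str:
    """Substitute every {dotted.path} field; unknown fields stay visible."""
    def sub(m):
        value = lookup({"event": event}, m.group(1))
        return m.group(0) if value is None else str(value)
    return FIELD.sub(sub, template)


def missing_fields(template: str, event: dict) -> list:
    """Replacement fields in the template that the event does not provide."""
    return [p for p in FIELD.findall(template) if lookup({"event": event}, p) is None]


# Constructed sample events, shaped like the dotted paths used in the guide.
WIFI_EVENT = {"network": {"ssid": "CoffeeShop-Guest", "open": True}}
UPLOAD_EVENT = {"url": "https://example.invalid/upload", "file": {"name": "q3-forecast.xlsx"}}

WIFI_TEMPLATE = "Connected to open Wi-Fi network {event.network.ssid}"
UPLOAD_TEMPLATE = "{event.file.name} uploaded to {event.url}"

if __name__ == "__main__":
    print(render(WIFI_TEMPLATE, WIFI_EVENT))
    print(render(UPLOAD_TEMPLATE, UPLOAD_EVENT))
    # A template paired with the wrong event type leaves fields unfilled.
    print("unfilled:", missing_fields(UPLOAD_TEMPLATE, WIFI_EVENT))
```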