FortiDLP Administration Guide

Policies

Policies automate threat detection and response. They enable you to define rules for specific user activities and the actions that are taken if these rules are breached.

Policies can be customized to align with your IT policies and security needs. You can use policies for educational purposes—for example, to display an on-screen message to a user upon connecting to an unsecured public Wi-Fi network, informing them that they are violating the corporate policy. Or, you can enforce stricter policies to prevent data loss, such as locking a computer if a user attempts to upload a sensitive file to a file sharing site. You can also use policies to highlight activities as detections in the FortiDLP Console. For example, you could be alerted to a user updating their profile and career interests on LinkedIn and visiting recruitment websites, so you could monitor their file activity and protect against data theft until they depart your organization.

Policies run on the FortiDLP Agent. When a user breaches a policy, the Agent generates a detection and optionally executes one or more actions on the associated managed node. Policy detections display throughout the FortiDLP Console, such as in the Investigate and Detection reports modules. Detections can optionally be configured to form incidents, as described later in Configuring policy templates. An incident groups together detections that share the same root cause, which prevents alert fatigue.

Fortinet provides a range of policy templates, as detailed in the FortiDLP Policies Reference Guide.

It is recommended that you review these documents prior to configuration.

Policy terms

Before you enable policies, it is important that you understand the following terms.

Policy

A rule specifying a user activity and a response if said activity occurs.
Policy group

A collection of policies to apply to one or more entities.

FortiDLP lets you create custom policy groups from scratch to configure policies individually or use predefined policy groups to create policies in bulk.

Policy template

A form exposing a set of configurable parameters for creating a policy.

FortiDLP provides standard policy templates that require partial configuration and out-of-box policy templates that require minimal configuration.

Policy asset

A predefined policy template parameter value that eases setup.

FortiDLP lets you create custom policy assets from scratch and use out-of-box policy assets that require little or no configuration.

Incident clustering rule

A method for grouping detections together by a common property (such as a domain name, filename, and so on) or a common policy to form an incident.

When this method is used, a single incident can encompass detections for one or multiple entities.

Incident sequence rule

A method for grouping detections together to form an incident when a chain of threat activities occurs during a given time window.

When this method is used, a single incident will encompass detections for one entity only.
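The two incident rules above differ in one property that matters when triaging: a clustering rule keys on a shared value (or a shared policy) and so may pull detections from several entities into one incident, whereas a sequence rule first partitions detections by entity and only then looks for the chain within the time window. The following Python is an added illustration of that distinction and is not FortiDLP code; the detection records, field names, policy names and the exfiltration chain are all constructed for the example, and the matching logic is a simplified stand-in for whatever the product implements.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detections (not FortiDLP output; field names are assumed).
# Each record names the policy that fired, the entity it concerns, when the
# breach happened, and a property bag a clustering rule can key on.
DETECTIONS = [
    {"id": 1, "policy": "Upload to file sharing site", "entity": "alice",
     "time": "2024-05-01T09:00:00", "props": {"domain": "share.example"}},
    {"id": 2, "policy": "Upload to file sharing site", "entity": "bob",
     "time": "2024-05-01T09:05:00", "props": {"domain": "share.example"}},
    {"id": 3, "policy": "Upload to file sharing site", "entity": "alice",
     "time": "2024-05-01T11:00:00", "props": {"domain": "other.example"}},
    {"id": 4, "policy": "Visited recruitment site", "entity": "carol",
     "time": "2024-05-01T10:00:00", "props": {"domain": "jobs.example"}},
    {"id": 5, "policy": "Sensitive file accessed", "entity": "carol",
     "time": "2024-05-01T10:20:00", "props": {"file": "salaries.xlsx"}},
    {"id": 6, "policy": "Upload to file sharing site", "entity": "carol",
     "time": "2024-05-01T10:40:00", "props": {"domain": "share.example"}},
    {"id": 7, "policy": "Visited recruitment site", "entity": "dave",
     "time": "2024-05-01T10:00:00", "props": {"domain": "jobs.example"}},
    {"id": 8, "policy": "Upload to file sharing site", "entity": "dave",
     "time": "2024-05-02T10:00:00", "props": {"domain": "share.example"}},
]

# A hypothetical chain of threat activities for the sequence rule (assumed).
EXFIL_CHAIN = ["Visited recruitment site",
               "Sensitive file accessed",
               "Upload to file sharing site"]


def parse_time(value):
    return datetime.fromisoformat(value)


def cluster_by_property(detections, prop):
    """Incident clustering rule keyed on a shared property such as a domain.

    Detections with the same property value land in one incident regardless
    of which entity produced them, so one incident can span many users.
    Detections that lack the property are not placed in any incident here."""
    incidents = defaultdict(list)
    for d in detections:
        value = d["props"].get(prop)
        if value is not None:
            incidents[value].append(d["id"])
    return dict(incidents)


def cluster_by_policy(detections):
    """Incident clustering rule keyed on the policy that fired."""
    incidents = defaultdict(list)
    for d in detections:
        incidents[d["policy"]].append(d["id"])
    return dict(incidents)


def sequence_incidents(detections, chain, window_minutes):
    """Incident sequence rule: one incident per entity whose detections match
    the policies in `chain`, in order, within `window_minutes` of the first.

    Detections are partitioned by entity before matching, so an incident never
    mixes entities even when two users trip the same chain at the same time."""
    by_entity = defaultdict(list)
    for d in sorted(detections, key=lambda d: d["time"]):
        by_entity[d["entity"]].append(d)

    window = timedelta(minutes=window_minutes)
    incidents = []
    for entity, dets in by_entity.items():
        for i, start in enumerate(dets):
            if start["policy"] != chain[0]:
                continue
            deadline = parse_time(start["time"]) + window
            matched, step = [start["id"]], 1
            for d in dets[i + 1:]:
                if parse_time(d["time"]) > deadline:
                    break  # the chain did not complete inside the window
                if d["policy"] == chain[step]:
                    matched.append(d["id"])
                    step += 1
                    if step == len(chain):
                        incidents.append({"entity": entity, "detections": matched})
                        break
    return incidents


if __name__ == "__main__":
    print(cluster_by_property(DETECTIONS, "domain"))
    print(cluster_by_policy(DETECTIONS))
    print(sequence_incidents(DETECTIONS, EXFIL_CHAIN, 60))
```

Run as written, the domain clustering puts alice, bob, carol and dave's uploads to share.example into one incident, while the sequence rule produces a single incident for carol only: dave visited a recruitment site too, but his upload came a day later and he never touched a sensitive file, so his chain never completes inside the window.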

Policy template availability

By default, the latest policy templates are automatically available within the FortiDLP Console.

Standard policy templates are added and enhanced during FortiDLP Policy Templates releases and made accessible within the Policy templates panel as soon as a new version becomes available. It is during these releases that templates associated with custom and predefined policy groups are updated.

OOB policy templates are added and enhanced during FortiDLP Cloud releases. They are accessible within pregenerated policy groups on the Policies module after a FortiDLP deployment or upgrade.

Upon upgrade, existing policies automatically update to use the latest template functionality, preserving your custom values and applying default values where possible. If a custom value cannot be preserved and a default value cannot be applied, the FortiDLP Console will prompt you to provide input and upgrade manually.
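The upgrade rule above has three outcomes per parameter: keep the custom value, fall back to the template default, or stop and ask the administrator. The following Python is an added example of that decision logic, written for this page rather than taken from FortiDLP; the template schema (parameter type, allowed values, default), the parameter names and the sample custom values are all assumed.

```python
# Hypothetical template parameter schema (assumed; not FortiDLP's format).
# Each parameter has an expected type, optionally a set of allowed values,
# and optionally a default. A parameter with no default is required.
NEW_TEMPLATE = {
    "threshold_mb": {"type": int, "default": 25},
    "action": {"type": str, "allowed": {"log", "lock", "block"}, "default": "log"},
    "notify_channel": {"type": str, "default": "console"},
    "allowed_destinations": {"type": list},  # newly required, no default
}

# Constructed custom values an administrator set on the previous template version.
# "legacy_flag" no longer exists in the new template and is dropped.
CUSTOM_VALUES = {"threshold_mb": 50, "action": "lock", "legacy_flag": True}


def value_fits(value, spec):
    """True when a custom value is still valid under the new parameter spec."""
    if not isinstance(value, spec["type"]):
        return False
    allowed = spec.get("allowed")
    return allowed is None or value in allowed


def upgrade_policy(custom_values, new_template):
    """Merge custom values into the new template version.

    Returns (merged_values, needs_input): a custom value is preserved when it
    still fits the new spec, otherwise the default is applied; a parameter with
    neither a usable custom value nor a default is reported for manual input,
    which is the case where the console would prompt the administrator."""
    merged, needs_input = {}, []
    for name, spec in new_template.items():
        if name in custom_values and value_fits(custom_values[name], spec):
            merged[name] = custom_values[name]
        elif "default" in spec:
            merged[name] = spec["default"]
        else:
            needs_input.append(name)
    return merged, needs_input


if __name__ == "__main__":
    print(upgrade_policy(CUSTOM_VALUES, NEW_TEMPLATE))
    # A custom value of the wrong type or outside the allowed set falls back to
    # the default rather than being carried over silently.
    print(upgrade_policy({"threshold_mb": "50", "action": "wipe"}, NEW_TEMPLATE))
```

The check worth taking away is that a custom value is only preserved after it is validated against the new specification; carrying over a value the new template no longer accepts would leave the policy silently misconfigured, which is exactly the situation the manual prompt exists to avoid.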

If preferred, you can disable the OOB and/or auto-released policy template functionality. To do this, contact your Fortinet Account Manager. If you disable the auto-released policy template functionality, you will need to manually import our policy templates after each release. To learn more, see Importing policy templates.

Policy setup

The following table provides an overview of the setup tasks when using standard policy templates with custom policy groups.

Custom policy group setup tasks

1. Importing policy templates

Optional. If you have not enabled auto-released policy templates but would like to use them, you must download the policy template bundle from the Next DLP Support Portal and import it into the FortiDLP Console.

2. Creating custom policy groups

Next, you must decide how you will apply policies to entities and create any custom policy groups you require. At this time, you may also want to create custom labels to ease configuration. For more information on this, see Labels.

3. Configuring policy templates

After you create custom policy groups, you must add policy templates to the groups and configure them to suit your needs. At this time, you also associate policy groups with the entities you want to apply the policies to by selecting labels.

4. Publishing policy groups

Lastly, you must publish policy groups to make the policies they contain effective. You can either publish a policy group immediately, or save a draft and publish the policy group later.

Alternatively, when using predefined policy groups, you only need to ensure you have access to the desired policy template pack before completing the steps in Using predefined policy groups.

When using OOB policy templates, the above tasks are not required. However, you may want to enable or disable policy templates to alter the default behavior. For guidance, see Configuring policy templates.
