FortiDLP Console User Guide

Block file transfer to USB storage device

Requirements: Windows or macOS 12+.

The block file transfer to USB storage device action stops users from transferring sensitive files to USB storage devices.

This policy-initiated action enables the FortiDLP Agent to block unwanted USB transfers based on file content (matched using content inspection patterns, keywords and keyphrases, and MIP labels), name, size, type, and location.

When this functionality is enabled and a user attempts to transfer a file to a USB storage device, the Agent first stores the file in a temporary location on the computer and scans it against policies. If the scanned file is permitted for transfer, it is then moved to the USB storage device. If the scanned file is denied for transfer, it is blocked from the USB storage device and moved instead to a Quarantine folder on the computer. If scanning is interrupted, for example because the user removes the USB storage device, the transfer is also blocked and the file is moved to a Recovery folder on the computer. In both of the latter cases, a message informs the user of the outcome of the scan and of the file's location.

(Screenshot: Blocked transfer of employee payslips using content inspection)

This functionality is supported for USB mass storage devices, such as:

  • Flash drives
  • Memory cards
  • External hard drives (HDDs) and solid-state drives (SSDs)
  • CD and DVD drives
  • Cameras.

For more information about our USB file transfer blocking templates, see the FortiDLP Policies Reference Guide.

In addition to policies, this functionality requires the Agent configuration group USB file transfer blocking action setting to be enabled. For details, see Creating Agent configuration groups in the FortiDLP Administration Guide.

Caution

As described under Known limitations, on Windows the following take effect as soon as an Agent configuration update with the USB file transfer blocking action setting enabled is applied: (1) users receive a pop-up message upon inserting their first USB storage device stating that these devices are monitored; (2) only predefined applications are allowed to write to USB storage devices; (3) files on USB storage devices are accessible in read-only mode only. For these reasons, we advise creating and enabling your USB policies before turning this setting On.

Known limitations

USB file transfer blocking has the following limitations.

Windows:

  • When the Agent configuration group USB file transfer blocking action setting is enabled, users receive a pop-up message upon inserting their first USB storage device stating that these devices are monitored. Endpoints also require a restart for a configuration change to take effect.
  • Files on USB storage devices are accessible in read-only mode only.
  • Files cannot be saved or resaved directly to USB storage devices from applications. File Explorer, Command Prompt, and PowerShell can be used to copy new files to USB storage devices and to overwrite existing files on them. Where another application is used, the user is prompted to first save a local copy and then transfer it to the device.
  • Only predefined applications are allowed to write to USB storage devices. For more information, contact Fortinet Support.
  • Alternate Data Streams (ADS) attached to a file are not scanned, and are not blocked from being transferred to USB storage devices, unless the file they are attached to is itself deemed sensitive.

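As an added example that is not from the FortiDLP documentation or the Agent itself, the following PowerShell script exercises the Alternate Data Stream limitation above on a Windows endpoint where the Agent is installed and a USB file transfer blocking policy is active (PowerShell is one of the applications permitted to write to USB storage devices). The drive letter, the working folder name, the stream name and the sensitive-content sample are assumptions; substitute a string that matches a content inspection pattern or keyword in your own USB policy.

```powershell
# Added example, not part of the FortiDLP documentation or Agent.
# Exercises the ADS limitation on a Windows endpoint with the Agent installed
# and a USB file transfer blocking policy active.
param(
    # Assumed drive letter of the removable device under test.
    [string]$UsbDrive = 'E',
    # Assumed sample: replace with text that matches a content inspection
    # pattern or keyword in your own USB policy so that case 2 is blocked.
    [string]$Sensitive = 'PAYSLIP employee 000000 net pay 0000.00'
)

# ADS exist only on NTFS; Windows silently drops streams when copying to
# FAT32/exFAT media, so the test is meaningful only on an NTFS-formatted device.
$fsType = (Get-Volume -DriveLetter $UsbDrive).FileSystemType
if ($fsType -ne 'NTFS') {
    throw "Volume ${UsbDrive}: is $fsType; format the test device as NTFS to carry an ADS"
}

$work = Join-Path $env:TEMP 'fortidlp-ads-test'   # assumed working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Case 1: benign primary stream, sensitive text hidden in an ADS named 'payload'.
# Per the limitation, the Agent does not scan the ADS, so this copy is expected
# to reach the device with the stream intact.
$hidden = Join-Path $work 'notes.txt'
Set-Content -Path $hidden -Value 'meeting notes'
Set-Content -Path $hidden -Stream 'payload' -Value $Sensitive

# Case 2: the same sensitive text in the primary stream. This copy is expected
# to be blocked and moved to the Quarantine folder instead.
$plain = Join-Path $work 'payslip.txt'
Set-Content -Path $plain -Value $Sensitive

foreach ($src in @($hidden, $plain)) {
    $dest = Join-Path "${UsbDrive}:\" (Split-Path $src -Leaf)
    try {
        Copy-Item -Path $src -Destination $dest -ErrorAction Stop
    } catch {
        Write-Warning "Copy of $src failed: $($_.Exception.Message)"
    }
    $landed = Test-Path -LiteralPath $dest
    # Every stream other than the primary ':$DATA' stream is an ADS.
    $ads = if ($landed) {
        (Get-Item -LiteralPath $dest -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' }).Stream -join ','
    } else { '' }
    [pscustomobject]@{
        File          = Split-Path $src -Leaf
        ReachedDevice = $landed
        ADS           = $ads
    }
}
```

If notes.txt reaches the device with payload listed under ADS while payslip.txt does not (and appears in the Quarantine folder), the endpoint behaves exactly as the limitation describes: a stream attached to a benign host file is not inspected. Remove the test files from the device and the working folder afterwards.
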
macOS:

  • When the Agent configuration group USB file transfer blocking action setting is turned off, a restart is required for the update to take effect.
  • File shadowing is not supported in conjunction with USB file transfer blocking.
  • The Binary names policy template parameter is not supported in conjunction with USB file transfer blocking. When USB file transfer blocking functionality is enabled, this parameter is ignored, resulting in all processes being monitored.
  • SD card readers connected over a Serial Peripheral Interface (SPI), such as those in the Apple silicon MacBook Pro, are not supported.
  • Encrypted APFS (password-protected) USB storage devices are not supported.
  • Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) devices are not supported. For more information, see our FAQ.

Tip

To ensure data is encrypted at rest when USB file transfer blocking is enabled, you can use hardware-encrypted removable media and mandate their use with the Unauthorized USB storage device inserted policy template. For details, see the FortiDLP Policies Reference Guide.