Step 10: Configure DLP policies for cloud applications in Forcepoint ONE SSE

Describes how to configure DLP policies in Forcepoint ONE SSE.

A new predefined data pattern named Forcepoint DLP is available on the Protect > Objects > DLP Objects page once a valid DPS license is uploaded to Forcepoint ONE SSE.

After uploading and validating the DPS license in Forcepoint ONE SSE, you can use the Forcepoint DLP data pattern in Secure App Access policy action modals as a data pattern in all your CASB policies.



Forcepoint DLP Data Pattern in CASB Policies

After uploading and validating the JSON license file, you can use the Forcepoint DLP data pattern while configuring CASB policies. Refer to Configuring contextual access control and Configuring proxy policy actions to create a policy or edit an existing one.

While creating CASB policies, if you select Forcepoint DLP as the data pattern in any of the Actions dialogs for Secure App Access, then:

  • The FSM Enforced option is populated in the Action field because the action is configured on the FSM. FSM Enforced is the only option available for selection.

    If, when using the Forcepoint DLP data pattern, an action other than Allow is returned that the application does not support, Forcepoint ONE SSE translates it to Deny.

    To send notifications when Forcepoint DLP returns an action other than Allow, click Notify.



  • All other fields in the upload or download DLP table are set to their default values and greyed out; they are not supported with Forcepoint DLP.

Along with the Forcepoint DLP data pattern, you can also configure other data patterns created on the Protect > Objects > DLP Objects page. Refer to Configuring proxy policy actions.

Forcepoint DLP Data Pattern in API Setup

After uploading and validating the DPS license, you can select the Forcepoint DLP data pattern from the Data Patterns section while configuring API scanning of files for any of the following supported applications. To enable API scanning for cloud applications, refer to Protecting data at rest.

  • Microsoft 365
  • Google Workspace
  • Salesforce
  • ServiceNow
  • Box
  • Dropbox
  • AWS S3
  • Cisco Webex

Forcepoint DLP currently supports scanning of File objects for API Scanning.



While configuring the application, you can select either the Forcepoint DLP data pattern or other Forcepoint ONE SSE data patterns available on the Protect > Objects > DLP Objects page.

Forcepoint ONE SSE executes the action returned by Forcepoint DLP.

The following limitations apply if FSM-based DLP policy control is used for API scanning:

  • You cannot configure Forcepoint ONE SSE data patterns alongside the Forcepoint DLP data pattern. If you do so and save the application API setup, the error message "Forcepoint DLP data pattern cannot be configured with other data patterns in API setup" appears.
  • When the application API setup contains only the Forcepoint DLP data pattern and you configure a new API policy on the Protect > Policies page and save it, the error message "API policy actions cannot be configured on Forcepoint ONE and are controlled via the FSM. Please configure actions in the FSM" appears.

    To configure API policies for the cloud applications, refer to Configuring API policies.

  • Any existing API policies will not be enforced if the API setup is changed to contain only the Forcepoint DLP data pattern. These API policies become read-only and display a message saying they are not enforced.