Setting file download controls

All managed cloud applications, as well as custom applications, support the download DLP action for files. Forcepoint ONE SSE processes files as they are downloaded, looks for the DLP patterns you have configured in your policy, and then applies the appropriate action.

Block All File Downloads

In addition, Forcepoint ONE SSE supports blocking all file downloads, which prevents any file from being downloaded regardless of its type, content, or other attributes. You can select this option underneath the Actions section and above the DLP table. If you select it, the Download DLP table disappears, since there is no need to configure individual DLP policies when all files are blocked.

Download DLP Actions

If you choose to enforce DLP on download actions, you will see the table and be able to add policy lines and configure which action is taken for each DLP pattern you wish to protect.

  • Allow: Makes no changes to the file - it is downloaded unaltered.
  • Encrypt: Results in the downloaded file being encrypted with a user-specific password. This password is defined on a per-user basis and can be changed in the user's account profile. To learn how to configure the password, see Configuring a download encrypt action.
    Note: The Encrypt action only works for Office and PDF files, as it uses the built-in password encryption option within each of those applications. All other file types that match a policy line with an Encrypt action will instead be blocked.
  • DRM-Readonly: Converts the file to a read-only PDF file that is wrapped in an encrypted, self-extracting HTML container. Once containerized, the document cannot be accessed without authentication to Forcepoint ONE SSE. Upon opening the file, the user will be prompted for authentication. If that user's credentials are no longer valid (for example, they have left the company), they will no longer be able to access the content.
    • Authentication requires a network connection.
    • This functionality is typically used to provide access to sensitive data from higher risk scenarios (for example, a user on an unmanaged device or a user accessing the data from an untrusted location).
    • This is a one-way operation that is performed on downloaded files and cannot be reversed to return the file to a fully editable source document. The user will have to return to the source of the file in order to work on it as necessary.
      Note: The DRM action is applied via our AJAX-VM technology. Since mobile mail apps do not execute AJAX code, it is not possible to run it through the ActiveSync proxy and thus a DRM action on mobile mail apps will result in a block action instead.
  • Block: Replaces all contents of a file with a block message.

    Block messages are configurable under Protect > Notifications > Other Messages.

    Note: Due to how some applications handle downloads, if Forcepoint ONE SSE is unable to apply a specific action to the file, it will take the next more restrictive action that is available (for example, if it cannot encrypt it will apply DRM, and if it cannot apply DRM it will block).
  • Deny: Will deny the download action outright instead of attempting to download a block message. This is useful for situations where you are trying to control things such as malware.
Note: If you select Forcepoint DLP as the data pattern, the Action field is populated with the FSM Enforced option, because the action is provided by FSM. FSM Enforced is the only option available for selection. Refer to Configuring FSM controlled policies for CASB and SWG channels to enable the Forcepoint DLP data pattern.

Scan Timeout (Deny Download)

Some downloaded files may be too large for Forcepoint ONE SSE to scan within the time available during the download action. In cases where the scan times out, customers can configure a policy to automatically deny the download altogether, preventing data leakage attempts that would otherwise bypass DLP scanning.

Under the Download DLP actions table, you can check the box Deny download on scan timeout. This means any file will automatically be denied from being downloaded if the DLP scan times out.
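The rules above (Encrypt only for Office and PDF files, DRM unavailable through mobile mail apps, escalation to the next more restrictive action, Block All overriding the table, and Deny on scan timeout) combine into a single decision about which action a download actually receives. The following is an added illustrative model written for this page, not Forcepoint ONE SSE code; the Action names, the file-extension set and the app_supports parameter are assumptions.

```python
from enum import IntEnum

class Action(IntEnum):
    # Ordered least to most restrictive, so "next more restrictive action"
    # is simply the next higher member.
    ALLOW = 0
    ENCRYPT = 1
    DRM_READONLY = 2
    BLOCK = 3
    DENY = 4

# Encrypt relies on the native password protection of Office and PDF files.
# This extension set is a constructed stand-in for the product's own detection.
ENCRYPTABLE_TYPES = {"docx", "xlsx", "pptx", "pdf"}

ALL_ACTIONS = frozenset(Action)

def effective_action(configured, file_type, via_mobile_mail=False,
                     app_supports=ALL_ACTIONS, block_all_downloads=False,
                     scan_timed_out=False, deny_on_scan_timeout=False):
    """Return the action actually applied to a download.

    `configured` is the action on the matching DLP policy line;
    `app_supports` is the set of actions the downloading application lets
    the proxy carry out (assumption: modelled as an explicit set).
    """
    # "Block all file downloads" sits above the DLP table and overrides it.
    if block_all_downloads:
        return Action.BLOCK
    # Scan timeout: the checkbox turns an unscanned download into a Deny.
    # Without the checkbox the page states no verdict; ALLOW is an assumption.
    if scan_timed_out:
        return Action.DENY if deny_on_scan_timeout else Action.ALLOW
    action = Action(configured)
    # Encrypt only works for Office and PDF; every other type is blocked.
    if action == Action.ENCRYPT and file_type.lower() not in ENCRYPTABLE_TYPES:
        return Action.BLOCK
    # DRM needs AJAX-VM, which mobile mail apps cannot run, so it becomes a block.
    if action == Action.DRM_READONLY and via_mobile_mail:
        return Action.BLOCK
    # Otherwise escalate to the next more restrictive action the app allows.
    # Deny ends the loop (assumption: Deny is always available).
    while action not in app_supports and action < Action.DENY:
        action = Action(action + 1)
    return action
```

Walking a few policy lines through this function shows, for example, that an Encrypt line applied to a ZIP archive ends in a Block, and that an application which cannot carry out Encrypt falls through to DRM rather than Allow.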