Create a file policy to filter network file content (preview)

Global Secure Access supports network content filtering through file policies. This feature helps you safeguard against unintended data exposure and prevents inline data leaks to generative AI applications and internet destinations. By extending data protection capabilities to the network layer through Global Secure Access, network content filtering enables your organization to enforce data policies on network traffic in real time. You can discover and protect files shared with unsanctioned destinations, such as generative AI and unmanaged cloud apps, from managed endpoints through browsers, applications, add-ins, APIs, and more.

The network content filtering solution combines Microsoft Purview's data classification service with the identity-centric network security policies in Global Secure Access. The result is a network-layer data loss prevention (DLP) solution that's identity-centric and policy-driven. By combining content inspection with real-time user risk evaluation, you can enforce granular controls over sensitive data movement across the network without compromising user productivity or security posture.

High-level architecture

Diagram showing the architecture of network content filtering with Global Secure Access and Microsoft Purview.

This article explains how to create a file policy to filter internet traffic flowing through Global Secure Access.

Important

The network content filtering with file policies feature is currently in PREVIEW.
This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Scenarios included in this preview

This preview supports the following key scenarios and outcomes for HTTP/1.1 traffic:

  • Using Basic file policy, you can block files based on supported file MIME types.
  • Using the Scan with Purview action in file policy, you can audit and block files based on:
    • Microsoft Purview sensitivity labels
    • Sensitive content in the file
    • The user's risk level
  • You can generate Data loss prevention (DLP) admin alerts for rule matches.

Important

This preview supports network content filtering only for files over HTTP/1.1. It doesn't support network content filtering for text.

Prerequisites

To use the File Policy feature, you need the following prerequisites:

  • A valid Microsoft Entra tenant.
  • The product requires licensing. For details, see the licensing section of What is Global Secure Access. If needed, you can purchase licenses or get trial licenses.
    • A valid Microsoft Entra Internet Access license.
    • A valid Microsoft Purview license, required for Scan with Purview inspection. (You can use basic file policy without a Purview license.)
  • A user with the Global Secure Access Administrator role in Microsoft Entra ID to configure Global Secure Access settings.
  • A Conditional Access Administrator role to configure Conditional Access policies.
  • The Global Secure Access client requires a device (or virtual machine) that is either Microsoft Entra joined or Microsoft Entra hybrid joined.

Initial configuration

To configure file policies, complete the following initial setup steps:

  1. Enable the Internet Access traffic forwarding profile and ensure correct user assignments.
  2. Configure the Transport Layer Security (TLS) inspection policy.
  3. Install and configure the Global Secure Access client:
    1. Install the Global Secure Access client on Windows or macOS.

      Important

      Before you continue, test and ensure that the client's internet traffic is routed through Global Secure Access. To verify the client configuration, complete the following steps.

    2. Select the Global Secure Access icon and select the Troubleshooting tab.
    3. Under Advanced Diagnostics, select Run tool.
    4. In the Global Secure Access Advanced Diagnostics window, select the Forwarding Profile tab.
    5. Verify that Internet Access rules are present in the Rules section. This configuration might take up to 15 minutes to apply to clients after you enable the Internet Access traffic profile in the Microsoft Entra admin center.

      Screenshot of the Global Secure Access Advanced Diagnostics window on the Forwarding Profile tab, showing Internet Access rules in the Rules section.

  4. Confirm that you can access the web applications you plan to target with file policies.

Configure a file policy

To configure a file policy in Global Secure Access, complete the following steps:

  1. Create a file policy.
  2. Link the file policy to a security profile.
  3. Configure a Conditional Access policy.

Create a file policy

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Browse to Global Secure Access > Secure > File policies.
  3. Select + Create Policy. Pick the appropriate options.
  4. On the Basics tab:
    1. Enter the policy Name.
    2. Enter the policy Description.
    3. Select Next.
  5. On the Rules tab:
    1. Add a new rule.
    2. Enter the Name, Description, Priority, and Status as appropriate.
    3. Select the appropriate option for the Action menu:
      • To configure a basic data policy, select Allow or Block.
      • To use data policies configured in Microsoft Purview, select Scan with Purview.

      Screenshot of the File scan rule screen with the Action menu expanded and the Scan with Purview option selected.
    4. For Matching conditions, select the appropriate Activities and File types.
    5. Select + Add destination and choose an option for the destination.
  6. Select Next.
  7. On the Review tab, review your settings.
  8. Select Create to create the policy.

Note

If you choose the Scan with Purview action, make sure you have configured the corresponding data policy in Microsoft Purview.

Link the file policy to a security profile

  1. Browse to Global Secure Access > Secure > Security profiles.
  2. Select the security profile you want to modify.
  3. Switch to the Link policies view.
  4. Configure the link file policy:
    1. Select + Link a policy > Existing File policy.
    2. From the Policy name menu, select the file policy you created.
    3. Leave Position and State set to the defaults.
    4. Select Add.
  5. Close the security profile.

Configure a Conditional Access policy

To enforce the Global Secure Access security profile, create a Conditional Access policy with the following configuration:

  1. Sign in to the Microsoft Entra admin center.
  2. Browse to Identity > Protection > Conditional Access.
  3. Select + Create new policy.
  4. Name the policy.
  5. Select the users and groups to apply the policy to.
  6. Set the Target resources to All internet resources with Global Secure Access.
  7. Configure the Network, Conditions, and Grant sections according to your needs.
  8. Under Session, select Use Global Secure Access Security Profile and select the security profile you created.
  9. To create the policy, select Create.

For more information, see Create and link a Conditional Access policy.

The file policy is successfully configured.

Test the file policy

Test the configuration by attempting to upload or download files that match the file policy conditions. Verify that the policy settings block or allow the actions.

  1. Open a test file that contains personal data, such as dlptest.com/sample-data.pdf.
  2. Try to share the test file with the destination you configured in the file policy. If the policy is configured properly, the action is blocked.

Known limitations

  • Network content filtering doesn't support text. It only supports files.
  • Multipart encoding isn't supported, so file policies don't work for applications that upload files with it (for example, Google Drive uses multipart encoding for file uploads).
  • Compressed content is detected as a zip file; its contents aren't decompressed or inspected.
  • True file type detection might not be 100% accurate.
  • Destination applications that use WebSocket (such as Copilot) aren't supported.
  • Wildcards aren't supported in top-level or second-level domains (for example, *, *.com, or *contoso.com) when you configure FQDNs.

Note

Apps might use multiple URLs and FQDNs under the hood when you interact with them. Make sure to configure the correct destination for the file policy to take effect.
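The following is an added example, not Microsoft's code or the product's implementation. It models how a basic Allow/Block rule from the Rules tab (activities, file types, destinations, priority, status) is matched against an HTTP transaction, and it applies the coverage limits listed under Known limitations (HTTP/1.1 only, no multipart encoding, no WebSocket, no wildcards in the top-level or second-level domain) before any rule is consulted. The dataclass field names, the RequestSummary shape, the sample rule and hosts, and the assumption that traffic no rule matches is allowed are all constructed for this example.

```python
"""Illustrative model of basic file-policy evaluation, built only from the
behaviour this article documents. Example code, not the Global Secure Access
implementation; field names and the no-match default are assumptions."""
from dataclasses import dataclass


@dataclass
class FileRule:
    """One rule from the Rules tab of a file policy (basic Allow/Block only)."""
    name: str
    action: str                    # "Allow" or "Block"
    activities: set                # matching activities, e.g. {"upload", "download"}
    file_types: set                # MIME types, e.g. {"application/pdf"}
    destinations: set              # FQDNs, optionally "*.example" (assumed syntax)
    priority: int = 100            # lower value is evaluated first (assumption)
    enabled: bool = True           # the rule's Status


@dataclass
class RequestSummary:
    """Assumed summary of one HTTP transaction seen by the client."""
    host: str
    http_version: str              # "HTTP/1.1", "HTTP/2", ...
    content_type: str              # Content-Type of the file body
    activity: str                  # "upload" or "download"
    upgrade: str = ""              # "websocket" when the connection was upgraded


def validate_destination(fqdn: str) -> bool:
    """Reject wildcards in the top-level or second-level domain label.

    Documented unsupported values: "*", "*.com", "*contoso.com".
    "*.contoso.com" passes because its wildcard sits in the third label."""
    labels = fqdn.strip().lower().split(".")
    return not any("*" in label for label in labels[-2:])


def host_matches(pattern: str, host: str) -> bool:
    """Exact FQDN match, or suffix match for a "*.example" pattern."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def is_inspectable(req: RequestSummary) -> tuple:
    """Apply the preview's documented coverage limits before rule matching."""
    if req.upgrade.lower() == "websocket":
        return False, "WebSocket destinations aren't supported"
    if req.http_version != "HTTP/1.1":
        return False, "only HTTP/1.1 traffic is supported"
    if req.content_type.lower().startswith("multipart/"):
        return False, "multipart encoding isn't supported"
    return True, "eligible for file policy"


def evaluate(rules: list, req: RequestSummary) -> tuple:
    """Return (outcome, reason): outcome is Allow, Block or NotEvaluated."""
    ok, reason = is_inspectable(req)
    if not ok:
        return "NotEvaluated", reason
    mime = req.content_type.split(";")[0].strip().lower()
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled or req.activity not in rule.activities:
            continue
        if not any(host_matches(d, req.host) for d in rule.destinations):
            continue
        if mime not in {t.lower() for t in rule.file_types}:
            continue
        return rule.action, rule.name
    # Assumption for this model: traffic that no rule matches passes unchanged.
    return "Allow", "no matching rule"


# Constructed sample rule: block PDF uploads to a hypothetical storage app.
BLOCK_PDF_UPLOADS = FileRule(
    name="block-pdf-upload",
    action="Block",
    activities={"upload"},
    file_types={"application/pdf"},
    destinations={"*.contoso-files.example"},
)

if __name__ == "__main__":
    for d in ["*.contoso-files.example", "*contoso.com", "*.com", "*"]:
        print(f"{d:26} valid destination: {validate_destination(d)}")
    samples = [
        RequestSummary("upload.contoso-files.example", "HTTP/1.1", "application/pdf", "upload"),
        RequestSummary("upload.contoso-files.example", "HTTP/1.1", "multipart/form-data; boundary=x", "upload"),
        RequestSummary("upload.contoso-files.example", "HTTP/1.1", "application/pdf", "download"),
        RequestSummary("chat.example", "HTTP/1.1", "application/pdf", "upload", upgrade="websocket"),
    ]
    for s in samples:
        print(s.host, s.activity, s.content_type, "->", evaluate([BLOCK_PDF_UPLOADS], s))
```

The multipart and WebSocket cases come back as NotEvaluated rather than Allow, which is the distinction worth preserving when you test a destination: an upload that the policy never saw looks the same to the user as one it allowed, so check which of the two you are getting before concluding the rule is wrong.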

Monitoring and logging

To view traffic logs:

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
  2. Select Global Secure Access > Monitor > Traffic logs.

To show all traffic subject to Netskope inspection:

  1. Go to the Transactions tab.
  2. Select Add filter.
  3. Search for or scroll to find the appropriate filter (for example, Action, policyName).
  4. Select Apply.
  5. Check the filteringProfileName and policyName to identify the policies responsible for the applied action.
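When the traffic log is exported rather than filtered in the portal, the same triage (group transactions by filteringProfileName, policyName and action) can be done with a short script. The following is an added example, not a Microsoft tool: the records are constructed JSON Lines, the action, policyName and filteringProfileName fields are the ones this article names, and the transactionId and destinationFqdn field names are assumptions.

```python
"""Triage exported Global Secure Access traffic log records by the policy that
acted on them. Example code added for this article, not a Microsoft tool; the
sample records are constructed and the field names other than action,
policyName and filteringProfileName are assumptions."""
import json
from collections import Counter
from typing import Optional

# Constructed sample export, one JSON record per line; the last line is
# deliberately malformed to show that parsing skips it instead of failing.
SAMPLE_LOG = """
{"transactionId": "t-001", "action": "Block", "destinationFqdn": "upload.contoso-files.example", "filteringProfileName": "Finance profile", "policyName": "block-pdf-upload"}
{"transactionId": "t-002", "action": "Allow", "destinationFqdn": "intranet.contoso.example", "filteringProfileName": "Finance profile", "policyName": "allow-intranet"}
{"transactionId": "t-003", "action": "Block", "destinationFqdn": "upload.contoso-files.example", "filteringProfileName": "Finance profile", "policyName": "block-pdf-upload"}
{"transactionId": "t-004", "action": "Allow", "destinationFqdn": "news.example"}
not-json-garbage
"""


def parse_records(text: str) -> list:
    """Parse JSON Lines, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize_by_policy(records: list, action: Optional[str] = None) -> Counter:
    """Count transactions per (filteringProfileName, policyName, action).

    Records with no policyName were not acted on by a file policy; they are
    grouped under "(none)" so they stay visible rather than disappearing."""
    counts = Counter()
    for rec in records:
        if action is not None and rec.get("action") != action:
            continue
        key = (rec.get("filteringProfileName", "(none)"),
               rec.get("policyName", "(none)"),
               rec.get("action", "(unknown)"))
        counts[key] += 1
    return counts


def blocked_destinations(records: list) -> list:
    """Distinct destinations where a file policy blocked traffic."""
    return sorted({r["destinationFqdn"] for r in records
                   if r.get("action") == "Block" and "policyName" in r})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (profile, policy, act), n in summarize_by_policy(recs).most_common():
        print(f"{n:4}  {act:6} {profile:18} {policy}")
    print("blocked destinations:", blocked_destinations(recs))
```

Passing action="Block" to summarize_by_policy mirrors the Action filter in the portal; leaving it unset keeps the allowed and unattributed transactions in view, which is useful when a destination you expected the policy to cover shows up with no policyName at all.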