Kim_Moberg
Silver

Why does it take 8-10 minutes to get through after protect(inline) mode is enabled

Hi CheckMates

Since last week I have been running CloudGuard SaaS for Office 365 in policy mode “Monitoring”.

I have been preparing to set up Protect (inline) according to the CloudGuard SaaS manual.

This means that I have to create a group and add a limited number of users (3-5 users) who are affected by the Protect (inline) rule.

In the example below I have disabled the Protect (inline) policy rule because of the delivery time of 8-10 minutes. But when testing it is running.

Next, in the Exchange Online Control Panel under Mailflow, I have added a traffic rule, again according to the CloudGuard SaaS for Office 365 manual. Instead of using recipient is “inside organisation” for all users, I have used my newly created group.

When I enable the Exchange Online transport rule “Check Point - Protect” and in the CloudGuard SaaS policy enable Protect (inline) and set the flag to manually control IP exempt to hinder mail loops.

As a test I am e-mailing from Gmail to my business e-mail. It takes forever to arrive. After multiple tests it takes exactly 9 minutes to arrive. I have read in the manual that fail-close ends after 10 minutes.

Before the Check Point Protect mailflow traffic rule and Protect (inline) policy were enabled, it took less than 30-60 seconds to arrive in my business e-mail mailbox.

As soon as I disable the setup, everything works as before.

Note! I am in a transition of moving from Sandblast for O365 to CloudGuard SaaS. So I am actually having two systems running. As soon as CloudGuard SaaS delivery of e-mails gets normalized I will remove Sandblast for O365.

I have checked the e-mail headers and I can see that delivery from the Check Point Protect mailflow rule to the Check Point Amazon AWS instance takes 8 minutes.

This is a screenshot of e-mail header analyzer from mxtoolbox.com

Here you see it takes 8 minutes to deliver the e-mail from ip-10-155-236-16.ec2.internal 10.10.6.28

Why does it take 8-10 minutes to get through after protect(inline) mode is enabled? Is this normal behaviour?

Do I have a conflict between Sandblast for O365 and CloudGuard SaaS? Can anyone help? 

Thanks

Kim

Best Regards
Kim
0 Kudos
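The header check described in the post above, as an added example that is not part of the original thread: it reads the `Received` headers of a message in transit order and reports the time spent before each hop, which is how a multi-minute detour through an inline scanning service shows up. The sample message is constructed, its hostnames and addresses are placeholders, and the function names `hop_delays` and `slowest_hop` are hypothetical.

```python
import email
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the thread); hosts and IPs are placeholders.
SAMPLE = """\
Received: from mx.recipient.example (192.0.2.30) by mailbox.recipient.example;
 Mon, 4 Mar 2019 10:09:05 +0000
Received: from scanner.example.net (198.51.100.20) by mx.recipient.example;
 Mon, 4 Mar 2019 10:08:58 +0000
Received: from mx.recipient.example (192.0.2.30) by scanner.example.net;
 Mon, 4 Mar 2019 10:00:50 +0000
Received: from mail.sender.example (203.0.113.10) by mx.recipient.example;
 Mon, 4 Mar 2019 11:00:41 +0100
From: sender@sender.example
To: user@recipient.example
Subject: delivery test

body
"""

def hop_delays(raw_message):
    """Return [(seconds_since_previous_hop, hop_description)] in transit order."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its Received header, so reverse to get transit order.
    for value in reversed(msg.get_all("Received", [])):
        info, _, stamp = value.rpartition(";")
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # no parsable timestamp on this hop
        if when.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
            when = when.replace(tzinfo=timezone.utc)
        hops.append((when, " ".join(info.split())))
    results, previous = [], None
    for when, info in hops:
        # Negative values mean clock skew between relays, not time travel.
        delta = 0 if previous is None else int((when - previous).total_seconds())
        results.append((delta, info))
        previous = when
    return results

def slowest_hop(raw_message):
    """Return the (delay, description) pair with the largest delay, or None."""
    return max(hop_delays(raw_message), key=lambda hop: hop[0], default=None)

if __name__ == "__main__":
    for delay, info in hop_delays(SAMPLE):
        print(f"{delay:>5}s  {info}")
```
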
4 Replies
Employee+

Re: Why does it take 8-10 minutes to get through after protect(inline) mode is enabled

Dear Kim Moberg,

Thank you for the detailed description of the issue you are experiencing. Such a delay in email delivery when using CloudGuard SaaS Inline Prevention is definitely not the expected behavior.

Please open a ticket to our TAC to report the issue so that we can investigate and fix it. Make sure to include your tenant name (eurowindenergyas) and some email subjects as examples of emails with delayed delivery.

Please don't hesitate to reach out to me directly in case you have any additional questions about CloudGuard SaaS.

Best regards,

Abigael Saal Levy

abigaels@checkpoint.com

CloudGuard SaaS RnD Product Manager

0 Kudos
Kim_Moberg
Silver

Re: Why does it take 8-10 minutes to get through after protect(inline) mode is enabled

Dear Abigael,

Thank you for your reply

I will create a ticket for TAC for this.

Best regards

Kim

Best Regards
Kim
0 Kudos
Kim_Moberg
Silver

Re: Why does it take 8-10 minutes to get through after protect(inline) mode is enabled

Dear CheckMates

After a possible experience with the TAC team, they found a misconfiguration of the Exchange Online Transport.

I wonder why it was not described in the manual.

The problem was primarily that the tenant name was the wrong one. It is not the Office 365 tenant name but the CloudGuard SaaS one, and I also had to remove the "group" for limited users. It had to be all users in the organisation.

R&D also added two other Exchange Online Transport rules which weren't present in the manual:

Whitelist and Junk Filter.

This is the configuration which got Protect (inline) to work, and also solved the delay of 8-10 minutes.

This is the configuration for the inline protect rule

Exchange Online Transport Rule - Check Point Protect

This is the other transport rule for whitelist

Exchange Online Transport Rule - Check Point Whitelist

Last but not least, the Junk filter rule

Exchange Online Transport Rule - Check Point Junk Filter

It would be great to include the two extra Transport rules in the guide for manual configuration with Office 365.

Check Point CloudGuard SaaS Getting Started Guide 

Check Point CloudGuard SaaS Threat Protection Administration Guide 

Check Point CloudGuard SaaS Manual Configuration with Office 365 Administration Guide 

Hope this knowledge will help others in their search of configuring their CloudGuard SaaS setup for O365.

Thanks

Kim

Best Regards
Kim
0 Kudos
Employee+

Re: Why does it take 8-10 minutes to get through after protect(inline) mode is enabled

Hi Kim Moberg,

We are in the process of updating the admin guides you listed regarding the manual configuration of Office 365. Microsoft recently introduced some changes in transport rules behavior which forced us to add two new rules ("Check Point Junk" and "Check Point Whitelist"). An email was sent by our PM, Asaf Henig, to warn about those changes.


Additionally, we expect to release soon a new version of CloudGuard SaaS that will indicate the tenant name necessary to the manual configuration mode of Office 365 in the portal, when you select your onboarding mode.

Thank you very much for sharing knowledge and please let me know if you experience any other issue with the system or would like more information.

Best,

Abigael