Hello all,
Looking for a suggestion on the following.
Requirement:
DLP policy enforcement for outbound SMTP traffic to the G Suite mail relay located on the internet.
Setup:
R80.10 Distributed setup
HTTPS inspection not enabled.
Description:
The mail relay is located at mail-relay.google.com, as the customer has a G Suite setup.
We have enabled the SMTP protocol under the DLP configuration but could not set the mail server, as the relay server IP is dynamic in nature.
We are not able to add the FQDN address to the Mail Server object.
DLP policy is currently not enforced with this configuration.
Is it possible to achieve this requirement without an internal mail server?
Or should the customer set up an on-premise mail relay to enforce DLP policy?
Please find the attachment for the required topology.
Thanks!
Arun Kumar S
Security Engineer
QOS Technology.
DLP for SMTP definitely requires a relay of some sort.
In fact, the recommended configuration is to have an internal mail server and a separate relay in the DMZ.
The relay can be internal, but this is not recommended.
Both configurations are discussed here: Data Loss Prevention R80.10 (Part of Check Point Infinity)
Thanks for your response.
Right now, the customer doesn't have a mail server or a mail relay located on-premise.
The mail relay is on Google Cloud and it relays the received mails to the mail server.
According to the document, it is required to have an internal mail relay and/or an internal mail server. (Not sure if mail server is mandatory to be internal.)
So, the requirement that I mentioned is not possible?
Thanks!!
Theoretically, the mail relay/server could be one and the same server, but it should be on-premise to use the DLP blade on an on-premise security gateway.
If you're wanting to do DLP with G-Suite, you should be looking into CloudGuard SaaS as that integrates more directly.
Thanks Dameon.