
DLP Gateway for G Suite relay

Hello all,

Looking for a suggestion on the following.

DLP policy enforcement for outbound SMTP traffic to a G Suite mail relay located on the internet.

R80.10 Distributed setup
HTTPS inspection not enabled.


The Mail Relay is located at as customer has a G Suite setup.
We have enabled the SMTP protocol under the DLP configuration but could not set the mail server, as the relay server IP is dynamic in nature.
We are not able to add the FQDN address to the Mail Server object.

DLP policy is currently not enforced with this configuration.

Is it possible to achieve this requirement without an internal mail server?
Or should the customer set up an on-premise mail relay to enforce DLP policy?

Please find the attachment for the required topology.


Arun Kumar S
Security Engineer
QOS Technology.

Prabulingam N

0 Kudos
4 Replies

DLP for SMTP definitely requires a relay of some sort.

In fact, the recommended configuration is to have an internal mail server and a separate relay in the DMZ.

The relay can be internal, but this is not recommended.

Both configurations are discussed here: Data Loss Prevention R80.10 (Part of Check Point Infinity) 

0 Kudos

Thanks for your response.

Right now, the customer has neither a mail server nor a mail relay located on-premise.

The mail relay is on Google Cloud and it relays the received mails to the mail server.

According to the document, it is required to have an internal mail relay and/or an internal mail server. (Not sure if mail server is mandatory to be internal.)

So, the requirement that I mentioned is not possible?


0 Kudos

Theoretically the mail relay/server could be one and the same server, but it should be on-premise to use the DLP blade on an on-premise security gateway.

If you're wanting to do DLP with G-Suite, you should be looking into CloudGuard SaaS as that integrates more directly.

0 Kudos

Thanks Dameon.

0 Kudos