This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
Arun_Kumar_S
Participant
‎2019-02-23 08:06 AM

DLP Gateway for G Suite relay

Hello all,

Looking for a suggestion on the following.

Requirement:
DLP policy enforcement for outbound SMTP Traffic to G Suite mail relay located on internet.

Setup:
R80.10 Distributed setup
HTTPS inspection not enabled.

Description:

The Mail Relay is located at mail-relay.google.com as customer has a G Suite setup.
We have enabled SMTP protocol under DLP configuration but could not set the mail server as the relay server IP is dynamic in nature.
Not able to add the FQDN address to Mail Server object.

DLP policy is currently not enforced with this configuration.

Is it possible to achieve this requirement without an internal mail server?
Or should the customer setup an on premise mail relay to enforce DLP policy?

Please find the attachment for the required topology.

Thanks!

Arun Kumar S
Security Engineer
QOS Technology.

Prabulingam N

Preview file
14 KB
0 Kudos
4 Replies
Highlighted
PhoneBoy
Admin
Admin
‎2019-02-23 06:33 PM

DLP for SMTP definitely requires a relay of some sort.

In fact, the recommended configuration is to have an internal mail server and a separate relay in the DMZ

The relay can be internal, but this is not recommended.

Both configurations are discussed here: Data Loss Prevention R80.10 (Part of Check Point Infinity) 

0 Kudos
Highlighted
Arun_Kumar_S
Participant
‎2019-02-23 10:55 PM

Thanks for your response.

Right now, customer doesn't have a mail server nor a mail relay located on-premise. 

The mail relay is on google cloud and it relays the received mails to the mail server.

According to the document, it is required to have an internal mail relay and/or an internal mail server. (Not sure if mail server is mandatory to be internal.)

So, the requirement that I mentioned is not possible?

Thanks!!

0 Kudos
Highlighted
PhoneBoy
Admin
Admin
‎2019-02-24 05:22 AM

Theoretically the mail relay/server could be one in the same server, but it should be on-premise to use the DLP blade on an on-premise security gateway.

If you're wanting to do DLP with G-Suite, you should be looking into CloudGuard SaaS as that integrates more directly.

0 Kudos
Highlighted
Arun_Kumar_S
Participant
‎2019-02-24 05:25 AM

Thanks Dameon.

0 Kudos