Hello all,
Looking for a suggestion on the following.
Requirement:
DLP policy enforcement for outbound SMTP Traffic to G Suite mail relay located on internet.
Setup:
R80.10 Distributed setup
HTTPS inspection not enabled.
Description:
The Mail Relay is located at mail-relay.google.com as customer has a G Suite setup.
We have enabled SMTP protocol under DLP configuration but could not set the mail server as the relay server IP is dynamic in nature.
Not able to add the FQDN address to the Mail Server object.
DLP policy is currently not enforced with this configuration.
Is it possible to achieve this requirement without an internal mail server?
Or should the customer set up an on-premise mail relay to enforce the DLP policy?
Please find the attachment for the required topology.
Thanks!
Arun Kumar S
Security Engineer
QOS Technology.
DLP for SMTP definitely requires a relay of some sort.
In fact, the recommended configuration is to have an internal mail server and a separate relay in the DMZ.
The relay can be internal, but this is not recommended.
Both configurations are discussed here: Data Loss Prevention R80.10 (Part of Check Point Infinity)
Thanks for your response.
Right now, the customer doesn't have a mail server or a mail relay located on-premise.
The mail relay is on Google Cloud and it relays the received mails to the mail server.
According to the document, it is required to have an internal mail relay and/or an internal mail server. (Not sure if the mail server is required to be internal.)
So, the requirement that I mentioned is not possible?
Thanks!!
Theoretically, the mail relay/server could be one and the same server, but it should be on-premise to use the DLP blade on an on-premise security gateway.
If you're wanting to do DLP with G-Suite, you should be looking into CloudGuard SaaS as that integrates more directly.
Thanks Dameon.