Connect Gmail and Enterprise DLP
After you set up the Email DLP Host and create the transport rules, you must connect Gmail and Enterprise Data Loss Prevention (E-DLP) to complete onboarding.
Where Can I Use This?
  • SaaS Security
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • SaaS Security license
    Or
  • Any of the following licenses:
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
Connect Gmail to Enterprise Data Loss Prevention (E-DLP) through SaaS Security on Cloud Management to complete the onboarding.
  1. Contact your email domain provider to update your SPF record to add the required Enterprise DLP service IP addresses.
    Add the IP addresses for the region where your email domain is hosted, as ip4: mechanisms, so that mail relayed from these addresses passes SPF checks at recipients. You can update your SPF record with multiple regional IP addresses if you have email domains hosted in multiple regions.
    • APAC: 35.186.151.226 and 34.87.43.120
    • E.U: 34.141.90.172 and 34.107.47.119
    • U.S: 34.168.197.200 and 34.83.143.116
  2. Log in to the Google Admin Console.
  3. Add an SMTP relay service entry to forward outbound emails to Enterprise DLP.
    1. Select Apps > Google Workspace > Gmail > Routing.
    2. For the SMTP relay service, click Add Another Rule.
    3. In the Description field, enter a descriptive name for the Enterprise DLP SMTP relay service.
    4. For Allowed Senders, verify that Only addresses in my domains is selected.
    5. For Authentication, check (enable) Only accept mail from the specified IP addresses.
      Restricting the relay to the Enterprise DLP addresses ensures that only the DLP service, and not any host that can reach the relay, can send outbound mail through this rule.
    6. Click Add to add a new SMTP relay service IP address entry.
    7. In the Enter IP address/range field, enter the required IP addresses for the region where your email domain is hosted. You can add multiple sets of IP addresses if needed.
      • APAC: 35.186.151.226 and 34.87.43.120
      • E.U: 34.141.90.172 and 34.107.47.119
      • U.S: 34.168.197.200 and 34.83.143.116
    8. Verify that the SMTP relay service IP address entry is Enabled.
    9. Save.
    10. Repeat this step to add both the required Enterprise DLP SMTP relay service IP addresses for the region where your email domain is hosted.
    11. For Encryption, check (enable) Require TLS Encryption.
      This keeps inspected mail encrypted in transit between Enterprise DLP and the Gmail relay.
    12. Save.
  4. Configure Gmail to allow download of emails for investigative analysis when you review Email DLP incidents.
    • E.U—Create a Domain Wide Delegation
      1. In the Google Admin Console, select Security > Access and data control > API Controls > Manage Domain Wide Delegation and click Add New.
      2. Enter the Client ID for the region where your email domain is hosted.
        If you have multiple email domains hosted in different regions associated with one Google Workspace, you need to add a Domain Wide Delegation for each region in the same Google Workspace.
        If you have multiple email domains hosted in different regions but each is associated with a different Google Workspace, you need to add the appropriate Domain Wide Delegation in the appropriate Google Workspace.
        • E.U
          102967811737819901800
      3. Add the OAuth scopes. You must add all the comma-delimited OAuth scopes listed below.
        • https://mail.google.com
        • https://www.googleapis.com/auth/gmail.addons.current.message.action
        • https://www.googleapis.com/auth/gmail.addons.current.message.metadata
        • https://www.googleapis.com/auth/gmail.addons.current.message.readonly
        • https://www.googleapis.com/auth/gmail.modify
        • https://www.googleapis.com/auth/gmail.readonly
        • https://www.googleapis.com/auth/aim
        Domain Wide Delegation grants this Client ID the listed scopes for every user in the Workspace, and the https://mail.google.com and gmail.modify scopes allow reading and modifying any user's mailbox. Limit who can administer this delegation and review it periodically.
      4. Authorize.
    • APAC and U.S—Download the Email DLP by Palo Alto Networks app
      1. Enter Email DLP in the Google Workspace Marketplace search bar and select the Email DLP app for your region.
        You can only download the Email DLP app for the region from which you are currently accessing the Google Workspace Marketplace.
        • APAC: Email DLP by Palo Alto Networks (APAC)
        • U.S: Email DLP by Palo Alto Networks (US)
        For example, if you access the Google Workspace Marketplace from California, you can only download the Email DLP by Palo Alto Networks (US) version of the Email DLP app.
      2. Click the Email DLP by Palo Alto Networks app tile.
      3. Click Admin Install.
      4. You are prompted with a confirmation that you are about to install the Email DLP by Palo Alto Networks app. Click Continue.
      5. Select the users for whom you want to install the Email DLP app.
        • Everyone at your organization—Select this option if you want to be able to download emails for everybody in your organization who generates an Email DLP incident.
        • Certain groups or organizational units—Select this option if you want to be able to download emails only for specific user groups and organizational units when they generate an Email DLP incident.
          For example, you have user groups Group1, Group2, and Group3, where your CEO and other executives are part of Group3. You do not want to give your security administrators the ability to download emails sent by the CEO and other executives. In this case, you would select the Certain groups or organizational units option and add Group1 and Group2 but not Group3.
      6. Agree to the app Terms and Conditions.
      7. (Certain groups or organizational units) Select the user groups and organizational units you want to install the app for.
      8. Click Finish.
      9. A notification is displayed notifying you that the Email DLP by Palo Alto Networks app successfully installed.
      10. Click Done.
      11. Enter Email DLP in the search bar and select the Email DLP app for your region. Verify that the app tile displays Installed.
  5. Create the Gmail transport rules, and create the Email DLP Policy.
    Palo Alto Networks recommends setting up the Email DLP Host, transport rules, and Email DLP policies before you connect so that enforcement begins as soon as you successfully connect Gmail to Enterprise DLP.
    • Setting up routing to the Email DLP Host allows Gmail to forward emails to Enterprise DLP for inspection and verdict rendering to prevent exfiltration of sensitive data.
    • Transport rules instruct Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on the quarantine or block verdicts rendered by Enterprise DLP.
      A transport rule is not required for emails that match your Email DLP policy where the action is set to Monitor. In this case, the x-panw-action email header is added with the value monitor, a DLP incident is created, and the email continues to its intended recipient.
    • The Email DLP policy specifies the incident severity and the action Enterprise DLP takes when matching traffic is inspected and sensitive data is detected.
  6. Log in to Strata Cloud Manager.
  7. Select Manage > Configuration > SaaS Security > Settings > Apps Onboarding.
  8. Add the Gmail application to SaaS Security.
    1. Search for Gmail and click Gmail.
    2. Add the Gmail app to SaaS Security.
  9. In the Email DLP Instance, click Add Instance.
  10. In the Setup Connectors and Rules page, add the email domains and relay hosts.
    Adding one or more email domains and the Gmail Relay Host is required to ensure that emails inspected by Enterprise DLP are successfully forwarded to the Gmail Relay Host.
    1. Enter an Email Domain.
      The Gmail Relay Host is always smtp-relay.gmail.com and the Port is always 587. These fields are populated automatically by default.
    2. (Optional) Add any additional email domains as needed.
    3. Connect.
  11. Gmail is now successfully connected and onboarded.
  12. Configure the Email DLP settings.
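The regional IP addresses in step 1 (SPF record) and step 3 (SMTP relay allow list) are the same list, and a common onboarding failure is an SPF record that still lacks one of the two addresses for a region. The following Python script is an added example, not part of the original page and not Palo Alto Networks' own tooling: it takes the regional addresses from the procedure above, reports which ones an existing SPF record does not yet cover, inserts the missing ones as ip4: mechanisms ahead of the terminal all term, and counts the lookup-costing terms so you can confirm the record stays within SPF's limit of 10 DNS lookups (ip4: mechanisms do not count toward that limit). The sample SPF record is constructed for illustration; `query_txt` is a hypothetical helper name mentioned only in the usage note.

```python
"""Check and extend an SPF record with the Enterprise DLP relay IP addresses."""
import ipaddress

# Regional Enterprise DLP service IP addresses, copied from steps 1 and 3 above.
EDLP_RELAY_IPS = {
    "APAC": ("35.186.151.226", "34.87.43.120"),
    "EU": ("34.141.90.172", "34.107.47.119"),
    "US": ("34.168.197.200", "34.83.143.116"),
}

# Constructed sample: a typical Google Workspace record that has only one of
# the two U.S. addresses added so far.
SAMPLE_RECORD = "v=spf1 include:_spf.google.com ip4:34.168.197.200 ~all"

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 section 4.6.4).
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def required_ips(regions):
    """Return the DLP addresses for every selected region, in page order."""
    ips = []
    for region in regions:
        ips.extend(EDLP_RELAY_IPS[region])
    return ips


def _strip_qualifier(term):
    """Drop a leading SPF qualifier (+, -, ~ or ?) from a term."""
    return term.lstrip("+-~?")


def _ip4_networks(record):
    """Yield an ip_network for every ip4: mechanism (hosts become /32)."""
    for term in record.split():
        mech = _strip_qualifier(term)
        if mech.lower().startswith("ip4:"):
            yield ipaddress.ip_network(mech[4:], strict=False)


def missing_ips(record, regions):
    """Return the required addresses not covered by any ip4: mechanism.

    A CIDR mechanism such as ip4:34.168.197.0/24 covers a single address
    inside it, so containment is tested rather than string equality.
    """
    nets = list(_ip4_networks(record))
    return [
        ip for ip in required_ips(regions)
        if not any(ipaddress.ip_address(ip) in net for net in nets)
    ]


def add_dlp_ips(record, regions):
    """Return the record with missing addresses inserted before the 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    new_terms = [f"ip4:{ip}" for ip in missing_ips(record, regions)]
    if not new_terms:
        return record
    # 'all' must remain the last mechanism; anything after it is ignored by
    # evaluators, so the new ip4: terms go immediately before it.
    if _strip_qualifier(terms[-1]).lower() == "all":
        terms = terms[:-1] + new_terms + terms[-1:]
    else:
        terms = terms + new_terms
    return " ".join(terms)


def dns_lookup_terms(record):
    """Count the terms that consume one of the 10 permitted DNS lookups."""
    count = 0
    for term in record.split()[1:]:
        mech = _strip_qualifier(term).lower()
        name = mech.split(":", 1)[0].split("=", 1)[0]
        if name in _LOOKUP_TERMS:
            count += 1
    return count


if __name__ == "__main__":
    print("missing for US:", missing_ips(SAMPLE_RECORD, ["US"]))
    updated = add_dlp_ips(SAMPLE_RECORD, ["US"])
    print("updated record:", updated)
    print("DNS lookups used:", dns_lookup_terms(updated), "of 10")
```

To run this against a live domain, replace `SAMPLE_RECORD` with the text of the domain's TXT record (for example via a hypothetical `query_txt(domain)` built on a DNS library of your choice) and pass every region that hosts one of your email domains, for example `["EU", "US"]`. The script only edits the string; the updated record still has to be published by your email domain provider as in step 1, and SPF evaluators ignore mechanisms placed after `all`, which is why the insertion point matters.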