Enterprise DLP
Connect Gmail and Enterprise DLP
After you set up the Email DLP Host and create the transport rules, you must connect Gmail and Enterprise Data Loss Prevention (E-DLP) to complete onboarding.
Connect Gmail to Enterprise Data Loss Prevention (E-DLP) through SaaS Security on Cloud Management to complete the onboarding.
- Contact your email domain provider to update your SPF record to add the required Enterprise DLP service IP addresses. Add the IP addresses for the region where your email domain is hosted. You can update your SPF record with multiple regional IP addresses if you have email domains hosted in multiple regions. Add each address as an explicit ip4 mechanism; ip4 terms do not count toward the SPF limit of 10 DNS lookups, but verify that the edited record still stays within that limit and that it does not end in a permissive +all.
  - APAC: 35.186.151.226 and 34.87.43.120
  - EU: 34.141.90.172 and 34.107.47.119
  - US: 34.168.197.200 and 34.83.143.116
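The check below is an added example, not part of this page or of the Palo Alto Networks product: it evaluates an SPF record offline against the regional Enterprise DLP addresses listed above, so you can confirm the record your domain provider published actually authorizes them before you rely on it. It joins multi-string TXT records the way SPF requires, counts the DNS-lookup terms against the limit of 10, flags a permissive +all, and reports an address as "unknown" rather than "pass" when only a DNS-dependent term (include, a, mx) could authorize it. The sample records and the example.com domain are constructed for illustration.

```python
import ipaddress

# Enterprise DLP service IP addresses per region, as listed on this page.
EDLP_SPF_IPS = {
    "APAC": ("35.186.151.226", "34.87.43.120"),
    "EU": ("34.141.90.172", "34.107.47.119"),
    "US": ("34.168.197.200", "34.83.143.116"),
}

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4);
# a record may use at most 10 of them in total.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def join_txt_strings(strings):
    """A TXT record longer than 255 bytes is published as several strings;
    SPF concatenates them with no separator, so the publisher must split on
    a space boundary or a term gets cut in half."""
    return "".join(strings)


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) terms and count
    the DNS-lookup terms. Raises ValueError if the record is not SPF."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms, lookups = [], 0
    for token in tokens[1:]:
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        if ":" in token:
            name, arg = token.split(":", 1)
        elif "=" in token:
            name, arg = token.split("=", 1)
        else:
            name, arg = token, ""
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            lookups += 1
        terms.append((qualifier, name, arg))
    return terms, lookups


def evaluate_ip(ip, terms):
    """Offline SPF evaluation for one sender IP: 'pass' or 'fail' when ip4,
    ip6 or all decides it, 'unknown' when an earlier DNS-dependent term
    (include, a, mx, ...) could change the outcome. SPF is first-match."""
    addr = ipaddress.ip_address(ip)
    positive_lookup_seen = negative_lookup_seen = False
    for qualifier, name, arg in terms:
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed term; a real resolver would permerror
            if addr.version == net.version and addr in net:
                if qualifier == "+":
                    return "unknown" if negative_lookup_seen else "pass"
                return "unknown" if positive_lookup_seen else "fail"
        elif name in LOOKUP_TERMS:
            if qualifier == "+":
                positive_lookup_seen = True
            else:
                negative_lookup_seen = True
        elif name == "all":
            if qualifier == "+":
                return "unknown" if negative_lookup_seen else "pass"
            return "unknown" if positive_lookup_seen else "fail"
    # No "all": implicit neutral, which receivers treat as not authorized.
    return "unknown" if positive_lookup_seen else "fail"


def check_edlp_spf(txt_strings, region):
    """Report which Enterprise DLP IPs for `region` the record explicitly
    authorizes, plus the two mistakes that commonly break a record edit."""
    terms, lookups = parse_spf(join_txt_strings(txt_strings))
    results = {ip: evaluate_ip(ip, terms) for ip in EDLP_SPF_IPS[region]}
    return {
        "results": results,
        "not_explicit": [ip for ip, r in results.items() if r != "pass"],
        "lookups": lookups,
        "over_lookup_limit": lookups > MAX_LOOKUPS,
        "permissive_all": any(q == "+" and n == "all" for q, n, _ in terms),
    }


# Constructed sample records for example.com (not from the page). The second
# is published as two TXT strings, split after a space so no term is cut.
SPF_BEFORE = ["v=spf1 include:_spf.google.com ~all"]
SPF_AFTER = ["v=spf1 include:_spf.google.com ip4:34.141.90.172 ",
             "ip4:34.107.47.119 ~all"]

if __name__ == "__main__":
    for label, record in (("before", SPF_BEFORE), ("after", SPF_AFTER)):
        print(label, check_edlp_spf(record, "EU"))
```

Run it against the TXT strings returned by your resolver for the domain; any address in `not_explicit` is one the record does not authorize on its own, and `over_lookup_limit` or `permissive_all` means the record needs fixing regardless of the DLP addresses.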
- Log in to the Google Admin Console.
- Add an SMTP relay service entry to forward outbound emails to Enterprise DLP.
  - Select Apps > Google Workspace > Gmail > Routing.
  - For the SMTP relay service, click Add Another Rule.
  - In the Description, enter a descriptive name for the Enterprise DLP SMTP relay service.
  - For Allowed Senders, verify that Only addresses in my domains is selected.
  - For Authentication, check (enable) Only accept mail from the specified IP addresses. Restricting the relay to the Enterprise DLP addresses is what stops other hosts from using your Gmail relay to send as your domain.
  - Add a new IP address entry.
  - In the Enter IP address/range field, enter the required IP addresses for the region where your email domain is hosted. You can add multiple sets of IP addresses if needed.
    - APAC: 35.186.151.226 and 34.87.43.120
    - EU: 34.141.90.172 and 34.107.47.119
    - US: 34.168.197.200 and 34.83.143.116
  - Verify that the entry is Enabled.
  - Save.
  - Repeat this step to add both of the required Enterprise DLP SMTP relay service IP addresses for the region where your email domain is hosted.
  - For Encryption, check (enable) Require TLS Encryption, so that inspected mail returning from Enterprise DLP is protected in transit.
  - Save.
- Configure Gmail to allow download of emails for investigative analysis when you review Email DLP incidents.
  - EU: Create a Domain Wide Delegation.
    - In the Google Admin Console, select Security > Access and data control > API Controls > Manage Domain Wide Delegation, and click Add New.
    - Enter the Client ID for the region where your email domain is hosted. If you have multiple email domains hosted in different regions associated with one Google Workspace, you need to add a Domain Wide Delegation for each region in the same Google Workspace. If you have multiple email domains hosted in different regions but each is associated with a different Google Workspace, you need to add the appropriate Domain Wide Delegation in the appropriate Google Workspace.
      - EU: 102967811737819901800
    - Add the OAuth scopes. You must add all of the OAuth scopes listed below, as one comma-delimited list. Note that https://mail.google.com is the full mailbox-access scope and a domain-wide delegation applies to every mailbox in the Workspace, so review the list before you authorize it.
      - https://mail.google.com
      - https://www.googleapis.com/auth/gmail.addons.current.message.action
      - https://www.googleapis.com/auth/gmail.addons.current.message.metadata
      - https://www.googleapis.com/auth/gmail.addons.current.message.readonly
      - https://www.googleapis.com/auth/gmail.modify
      - https://www.googleapis.com/auth/gmail.readonly
      - https://www.googleapis.com/auth/aim
    - Authorize.
  - APAC and US: Download the Email DLP by Palo Alto Networks app from the Google Workspace Marketplace.
    - Enter Email DLP in the search bar and select the Email DLP app for your region. You can only download the Email DLP app for the region from which you are currently accessing the Google Workspace Marketplace.
      - APAC: Email DLP by Palo Alto Networks (APAC)
      - US: Email DLP by Palo Alto Networks (US)
      For example, if you access the Google Workspace Marketplace from California, you can only download the Email DLP by Palo Alto Networks (US) version of the Email DLP app.
    - Click the Email DLP by Palo Alto Networks app tile.
    - Click Admin Install.
    - You are prompted with a confirmation that you are about to install the Email DLP by Palo Alto Networks app. Click Continue.
    - Select the users for whom you want to install the Email DLP app.
      - Everyone at your organization: Select this option if you want to be able to download emails for everybody in your organization who generates an Email DLP incident.
      - Certain groups or organizational units: Select this option if you want to be able to download emails only for specific user groups and organizational units when they generate an Email DLP incident. For example, you have user groups Group1, Group2, and Group3, where your CEO and other executives are part of Group3. You do not want to give your security administrators the ability to download emails sent by the CEO and other executives. In this case, you would select the Certain groups or organizational units option and add Group1 and Group2 but not Group3.
    - Agree to the app Terms and Conditions.
    - (Certain groups or organizational units) Select the user groups and organizational units you want to install the app for.
    - Click Finish.
    - A notification is displayed confirming that the Email DLP by Palo Alto Networks app was successfully installed.
    - Click Done.
    - Enter Email DLP in the search bar and select the Email DLP app for your region. Verify that the app tile displays Installed.
- Create the Gmail transport rules and the Email DLP policy. Palo Alto Networks recommends setting up the Email DLP Host, transport rules, and Email DLP policies before connecting, so that enforcement begins as soon as you successfully connect Gmail to Enterprise DLP.
  - Setting up routing to the Email DLP Host allows Gmail to forward emails to Enterprise DLP for inspection and verdict rendering, to prevent exfiltration of sensitive data.
  - Transport rules instruct Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on the quarantine or block verdicts rendered by Enterprise DLP. A transport rule is not required for emails that match an Email DLP policy whose action is set to Monitor. In this case, the x-panw-action email header is added with the value monitor, a DLP incident is created, and the email continues to its intended recipient.
  - The Email DLP policy specifies the incident severity and the action Enterprise DLP takes when matching traffic is inspected and sensitive data is detected.
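When you download an email for an incident review, two things are worth confirming: which verdict header it carries, and whether its Received chain actually shows a hop from an Enterprise DLP service address, because any sender can add an x-panw-action header to a message that never traversed the service. The audit below is an added example, not part of this page or of the Palo Alto Networks product. It uses the x-panw-action header name and monitor value the page shows; the quarantine and block header values are assumptions for illustration, as the page names those verdicts but not how they appear in the header. The sample messages, hostnames and message ids are constructed.

```python
import email
import ipaddress
import re
from email import policy

# Enterprise DLP service IP addresses per region, as listed on this page.
EDLP_RELAY_IPS = {
    "APAC": ("35.186.151.226", "34.87.43.120"),
    "EU": ("34.141.90.172", "34.107.47.119"),
    "US": ("34.168.197.200", "34.83.143.116"),
}

# Header name shown on the page for the Monitor verdict. "quarantine" and
# "block" are ASSUMED values for the other two verdicts the page names.
VERDICT_HEADER = "x-panw-action"
KNOWN_VERDICTS = {"monitor", "quarantine", "block"}

# Bracketed IPv4 literal in a Received header, e.g. "(host [34.141.90.172])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def region_for_ip(ip):
    """Return the region whose Enterprise DLP address list contains ip, or None."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    for region, ips in EDLP_RELAY_IPS.items():
        if ip in ips:
            return region
    return None


def audit_message(raw):
    """Extract the verdict header and the Received-chain IPs from a raw
    message. The verdict is only trusted when some hop came from an
    Enterprise DLP address; a bare header proves nothing on its own."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for received in msg.get_all("Received", []):
        hops.extend(RECEIVED_IP.findall(str(received)))
    edlp_hops = [(ip, region_for_ip(ip)) for ip in hops if region_for_ip(ip)]
    header = msg.get(VERDICT_HEADER)
    verdict = header.strip().lower() if header else None
    return {
        "verdict": verdict,
        "known_verdict": verdict in KNOWN_VERDICTS,
        "hops": hops,
        "via_edlp": bool(edlp_hops),
        "region": edlp_hops[0][1] if edlp_hops else None,
        "verdict_trusted": verdict is not None and bool(edlp_hops),
    }


# Constructed sample: a monitored message as it might be downloaded for an
# incident. The outer hop uses the page's EU service address.
SAMPLE_MONITORED = b"""Received: from mail-out.example.com (mail-out.example.com [34.141.90.172])
\tby smtp-relay.gmail.com with ESMTPS id abc123
\tfor <partner@example.net>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from user-pc.example.com (user-pc.example.com [192.0.2.10])
\tby mail-out.example.com with ESMTP id def456; Mon, 1 Jan 2024 09:59:58 +0000
X-Panw-Action: monitor
From: alice@example.com
To: partner@example.net
Subject: Q4 numbers
Message-ID: <m1@example.com>

Attached are the figures.
"""

# Constructed sample: the same header added by a sender whose message never
# passed through the service, so the verdict must not be trusted.
SAMPLE_SPOOFED = b"""Received: from user-pc.example.com (user-pc.example.com [192.0.2.10])
\tby mx.example.net with ESMTP id ghi789; Mon, 1 Jan 2024 11:00:00 +0000
X-Panw-Action: monitor
From: mallory@example.com
To: partner@example.net
Subject: looks inspected
Message-ID: <m2@example.com>

Nothing to see here.
"""

if __name__ == "__main__":
    print(audit_message(SAMPLE_MONITORED))
    print(audit_message(SAMPLE_SPOOFED))
```

Feed it the raw bytes of a downloaded .eml; `verdict_trusted` is the field to look at first, and `region` tells you which service region handled the message, which is useful when domains are hosted in more than one region.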
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > SaaS Security > Settings > Apps Onboarding.
- Add the Gmail application to SaaS Security.
  - Search for Gmail and click Gmail.
  - Add the Gmail app to SaaS Security.
  - In the Email DLP Instance, click Add Instance.
  - On the Setup Connectors and Rules page, add the email domains and relay host. Adding one or more email domains and the Gmail Relay Host is required to ensure that emails inspected by Enterprise DLP are successfully forwarded to the Gmail Relay Host.
  - Enter an Email Domain. The Gmail Relay Host is always smtp-relay.gmail.com and the Port is always 587. These fields are populated automatically by default.
  - (Optional) Add any additional email domains as needed.
  - Connect.
- Gmail is now successfully connected and onboarded.
- Configure the Email DLP settings.
  - Snippet Settings for SaaS Security (Email DLP Only)
  - Policy Evaluation Timeout Settings for SaaS Security (Email DLP Only)