Enterprise DLP
Create Gmail Transport Rules
Transport rules establish the actions Gmail takes based on the monitor, quarantine, or block verdicts rendered by Enterprise Data Loss Prevention (E-DLP).

Create Gmail transport rules to forward emails from Gmail to the Enterprise Data Loss Prevention (E-DLP) cloud service for inspection, to prevent exfiltration of sensitive data. Additionally, you must create transport rules that specify the actions Gmail takes based on the verdicts rendered by Enterprise DLP. The following transport rules are required:

- Email Transport: Required to forward all outbound emails from Gmail to the Enterprise Data Loss Prevention (E-DLP) cloud service for inline email inspection and verdict rendering. The email transport rule is required in all cases, regardless of the verdict Enterprise DLP renders. Enterprise DLP adds x-panw-inspected: true to the email header of every inspected email. If an outbound email already includes this header, it is not forwarded to Enterprise DLP again; instead, Gmail takes the action specified in the quarantine or block transport rule based on the verdict already rendered by Enterprise DLP. This header check is what stops the email that Enterprise DLP hands back to Gmail from being routed to the cloud service a second time.
- Quarantine: Instructs Gmail to quarantine the email in the admin quarantine hosted by Gmail when the Enterprise Data Loss Prevention (E-DLP) cloud service returns a Quarantine verdict for an email that contains sensitive data. An email administrator must review and take action on quarantined emails after Enterprise DLP inspection. Enterprise DLP adds x-panw-action: quarantine to the email header when it renders a Quarantine verdict. The email is transported back to Gmail and moved to the hosted quarantine so an email administrator can review the email contents and decide whether to approve or block the email. Any future email that already includes this header is not forwarded to Enterprise DLP again; instead, Gmail takes the action specified in the quarantine transport rule.
- Block: Instructs Gmail on the action to take when the Enterprise Data Loss Prevention (E-DLP) cloud service returns a Block verdict for an email that contains sensitive data. Enterprise DLP adds x-panw-action: block to the email header when it renders a Block verdict. Any future email that already includes this header is not forwarded to Enterprise DLP for inspection; instead, Gmail takes the action specified in the block transport rule.
A transport rule is not required for emails that match your Email DLP policy where the action is set to Monitor. In this case, the x-panw-action: monitor email header is added, a DLP incident is created, and the email continues to its intended recipient.

Email Transport
Create a Gmail email transport rule to forward traffic to the Enterprise Data Loss Prevention (E-DLP) cloud service for inline email inspection.

- In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.
- In the Content compliance section, Add Another Rule.
- Configure the email transport rule.
  - In the Content compliance field, enter a descriptive name for the transport rule.
  - For the Email messages to affect, select Outbound. This instructs Gmail to forward the email to Enterprise DLP before it leaves your network when the email recipient is outside your organization.
- Configure email forwarding to Enterprise DLP for emails that have not been inspected.
  - In the Add expressions that describe the content you want to search for in each message section, select If ANY of the following match the message.
  - Add.
  - In the Add setting page, select Advanced content match.
  - For the Location, select Full Headers.
  - For the Match type, select Not contains text.
  - For the Content, enter x-panw-inspected.
  - Save.
- Configure the action Gmail takes for emails that have not yet been inspected by Enterprise DLP, and the encryption settings.
  - In the If the above expressions match, do the following section, enable Change Route.
  - Select the Email DLP Host you created.
  - For the Encryption (onward delivery only), select Require secure transport (TLS). This prevents Gmail from sending email content to the inspection service over an unencrypted connection.
- Configure the types of Gmail accounts the transport rule affects.
  - Show Options. After you expand the options menu, the button displays Hide Options.
  - In the Account types to affect section, select Users, Groups, and Unrecognized / Catch-all.
- Save.
- Verify that the email transport rule was successfully added and that the Status is Enabled. To confirm that the rule is routing email for inspection, send a test email to an external mailbox and check that the delivered message headers include x-panw-inspected: true.
Quarantine

Create a Gmail quarantine transport rule to quarantine an email in the Gmail hosted quarantine for approval after inspection by Enterprise Data Loss Prevention (E-DLP).

- In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.
- In the Content compliance section, Add Another Rule.
- Configure the quarantine transport rule.
  - In the Content compliance field, enter a descriptive name for the transport rule.
  - For the Email messages to affect, select Outbound. This applies the rule to email addressed to recipients outside your organization, the same scope as the email transport rule, so the verdict is acted on before the email leaves your network.
- Configure the match for emails that Enterprise DLP has returned with a Quarantine verdict.
  - In the Add expressions that describe the content you want to search for in each message section, select If ANY of the following match the message.
  - Add.
  - In the Add setting page, select Advanced content match.
  - For the Location, select Full Headers.
  - For the Match type, select Starts with.
  - For the Content, enter x-panw-action: quarantine.
  - Save.
- Configure the action Gmail takes for emails that need to be quarantined.
  - In the If the above expressions match, do the following section, select Quarantine message.
  - In the Move the message to the following quarantine field, select the Gmail quarantine to which you want to send emails that an email administrator must review.
  - Enable Notify sender when email is quarantined (onward delivery only).
- Configure the types of Gmail accounts the transport rule affects.
  - Show Options. After you expand the options menu, the button displays Hide Options.
  - In the Account types to affect section, select Users, Groups, and Unrecognized / Catch-all.
- Save.
- Verify that the quarantine transport rule was successfully added and that the Status is Enabled.
- An email administrator must review and allow or reject quarantined emails forwarded to the quarantine mailbox. Due to a Gmail limitation, SaaS Security generates two Email DLP logs (Manage > Configuration > SaaS Security > Data Security > Logs > Email DLP Logs) when a quarantined email is allowed. The first Email DLP log describes the initial outbound email blocked by Email DLP. The second Email DLP log describes the allowed outbound email that is sent back to Enterprise DLP to add x-panw-inspected: true and x-panw-action: monitor to the email header before it continues on its path to the intended recipient.
Block

Create a Gmail block transport rule to specify the action Gmail takes when an email contains sensitive data and is blocked.

- In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.
- In the Content compliance section, Add Another Rule.
- Configure the block transport rule.
  - In the Content compliance field, enter a descriptive name for the transport rule.
  - For the Email messages to affect, select Outbound. This applies the rule to email addressed to recipients outside your organization, the same scope as the email transport rule, so the verdict is acted on before the email leaves your network.
- Configure the match for emails that Enterprise DLP has returned with a Block verdict.
  - In the Add expressions that describe the content you want to search for in each message section, select If ANY of the following match the message.
  - Add.
  - In the Add setting page, select Advanced content match.
  - For the Location, select Full Headers.
  - For the Match type, select Starts with.
  - For the Content, enter x-panw-action: block.
  - Save.
- Configure the action Gmail takes for emails that are blocked.
  - In the If the above expressions match, do the following section, select Reject message.
  - (Optional) Enter a customized rejection notice that the sender receives when an email is blocked.
- Configure the types of Gmail accounts the transport rule affects.
  - Show Options. After you expand the options menu, the button displays Hide Options.
  - In the Account types to affect section, select Users, Groups, and Unrecognized / Catch-all.
- Save.
- Verify that the block transport rule was successfully added and that the Status is Enabled.
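The following script traces one outbound message through the three rules above, as an added example; it is not code from Palo Alto Networks or Google. It emulates the Gmail Full Headers match with Python's standard email module and then replays the second pass, after Enterprise DLP has added its verdict headers, so you can see why the x-panw-inspected check keeps the returned email from being routed to the cloud service again. The DLP host name, the quarantine name, the sample message, the bare verdict value in x-panw-action, and the precedence between rules when more than one matches are assumptions; only the header names come from this page.

```python
"""Trace an outbound message through the three Gmail content-compliance rules
described on this page. Added example, not Palo Alto Networks or Google code."""
from email import message_from_string, policy

# Placeholders for objects you create in the Admin console (assumptions):
DLP_HOST = "emaildlp.example.invalid"   # the Email DLP Host used by Change route
QUARANTINE_NAME = "Email DLP review"    # the admin quarantine used by Quarantine message

# Constructed sample outbound message that has not been inspected yet.
SAMPLE = """From: alice@example.com
To: partner@example.net
Subject: Q3 figures
Content-Type: text/plain

Attached are the numbers we discussed.
"""


def _full_headers(raw: str) -> list[str]:
    """Emulate the Advanced content match 'Full Headers' location: one
    'name: value' line per header. Field names are case-insensitive per
    RFC 5322, so lines are lowercased for comparison (assumption that Gmail
    matches the same way)."""
    msg = message_from_string(raw, policy=policy.default)
    return [f"{name}: {value}".lower() for name, value in msg.items()]


def evaluate_rules(raw: str, outbound: bool = True) -> dict:
    """Apply the Email Transport, Quarantine and Block rules to one message and
    return which rules matched plus the resulting Gmail action."""
    if not outbound:                       # all three rules affect Outbound only
        return {"matched": [], "action": "deliver"}
    headers = _full_headers(raw)
    matched = []
    # Email Transport: Full Headers "Not contains text" x-panw-inspected
    if not any("x-panw-inspected" in h for h in headers):
        matched.append("email-transport")
    # Quarantine: a header line that "Starts with" x-panw-action: quarantine
    if any(h.startswith("x-panw-action: quarantine") for h in headers):
        matched.append("quarantine")
    # Block: a header line that "Starts with" x-panw-action: block
    if any(h.startswith("x-panw-action: block") for h in headers):
        matched.append("block")

    # With headers added by Enterprise DLP at most one rule matches. The order
    # below only matters for a message that carries an x-panw-action header
    # without x-panw-inspected, and that precedence is an assumption.
    if "email-transport" in matched:
        action = {"action": "route", "host": DLP_HOST, "tls_required": True}
    elif "quarantine" in matched:
        action = {"action": "quarantine", "to": QUARANTINE_NAME, "notify_sender": True}
    elif "block" in matched:
        action = {"action": "reject"}
    else:                                  # Monitor verdict, or no DLP headers at all
        action = {"action": "deliver"}
    return {"matched": matched, **action}


def stamp_verdict(raw: str, verdict: str) -> str:
    """Emulate what Enterprise DLP adds before handing the message back to
    Gmail. Header names are from this page; the bare verdict value is an
    assumption."""
    msg = message_from_string(raw, policy=policy.default)
    del msg["x-panw-inspected"]            # no-op if absent; avoids duplicates
    del msg["x-panw-action"]
    msg["x-panw-inspected"] = "true"
    msg["x-panw-action"] = verdict
    return msg.as_string()


def round_trip(raw: str, verdict: str) -> list[str]:
    """First pass: Gmail routes the uninspected message to the DLP host.
    Second pass: the returned message carries the verdict headers, so the
    transport rule no longer matches and the verdict rule applies instead."""
    first = evaluate_rules(raw)
    second = evaluate_rules(stamp_verdict(raw, verdict))
    return [first["action"], second["action"]]


def inspection_headers(raw: str) -> dict:
    """For the verification step: pull the x-panw-* headers out of a delivered
    test message (for example from 'Show original' in the recipient's mailbox)."""
    msg = message_from_string(raw, policy=policy.default)
    return {k.lower(): str(v) for k, v in msg.items() if k.lower().startswith("x-panw-")}


if __name__ == "__main__":
    for verdict in ("monitor", "quarantine", "block"):
        print(verdict, "->", round_trip(SAMPLE, verdict))
    # monitor -> ['route', 'deliver']
    # quarantine -> ['route', 'quarantine']
    # block -> ['route', 'reject']
```

Run it as is to see the two-pass flow for each verdict, or feed `inspection_headers` the raw source of a test message you received externally after enabling the email transport rule: a message that went through inspection carries x-panw-inspected: true, and one that was only monitored also carries x-panw-action: monitor.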