Create Gmail Transport Rules
Transport rules establish the actions Gmail takes based on the monitor, quarantine, or block verdicts rendered by Enterprise Data Loss Prevention (E-DLP).
Where Can I Use This?
  • SaaS Security
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • SaaS Security license
    Or
  • Any of the following licenses
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
Transport rules instruct Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on the quarantine or block verdicts rendered by Enterprise Data Loss Prevention (E-DLP).
Create Gmail transport rules to forward emails from Gmail to the Enterprise Data Loss Prevention (E-DLP) cloud service for inspection to prevent exfiltration of sensitive data. Additionally, you must create transport rules to specify the actions Gmail takes based on the verdicts rendered by Enterprise DLP. The following transport rules are required:
  • Email Transport
    Required to forward all outbound emails from Gmail to the Enterprise Data Loss Prevention (E-DLP) cloud service for inline email inspection and verdict rendering. The email transport rule is required in all cases regardless of the verdict Enterprise DLP renders. Enterprise DLP adds x-panw-inspected: true to the email header for all inspected emails. If an outbound email already includes this header, it will not be forwarded to Enterprise DLP again. Instead, Gmail takes the action specified in the quarantine or block transport rules based on the verdict already rendered by Enterprise DLP.
  • Quarantine
    Instructs Gmail to quarantine and forward the email to the spam quarantine mailbox hosted by Gmail when the Enterprise Data Loss Prevention (E-DLP) cloud service returns a Quarantine verdict for an email that contains sensitive data. An email administrator must review and take action on quarantined emails after Enterprise DLP inspection. Enterprise DLP adds x-panw-action: quarantine to the email header for inspected emails if Enterprise DLP renders a Quarantine verdict. The email is transported back to Gmail and forwarded to the hosted quarantine spam inbox so an email administrator can review the email contents and decide whether to approve or block the email. Any future emails with this header already included will not be forwarded to Enterprise DLP again. Instead, Gmail will take the action specified in the quarantine transport rule.
  • Block
    Instructs Gmail on the action to take when the Enterprise Data Loss Prevention (E-DLP) cloud service returns a Block verdict for an email that contains sensitive data. Enterprise DLP adds x-panw-action: block to the email header for all inspected emails. Any future emails with this header already included will not be forwarded to Enterprise DLP for inspection. Instead, Gmail takes the action specified in the Block transport rule.
A transport rule is not required for emails that match your Email DLP policy where the action is set to Monitor. In this case, the x-panw-action: monitor email header is added, a DLP incident is created, and the email continues to its intended recipient.
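As an added illustration (not code from this page or from the Enterprise DLP product), the following Python simulates how the three rules above dispatch on the x-panw-inspected and x-panw-action headers of constructed sample messages, including the loop prevention for already-inspected mail and the monitor path. It assumes first-match evaluation in the order Email Transport, Quarantine, Block, and treats the Starts with match as applying to each header line.

```python
from email import message_from_string

# Header names and values this page documents for the Enterprise DLP Gmail integration.
INSPECTED_HEADER = "x-panw-inspected"
ACTION_HEADER = "x-panw-action"


def full_headers(msg):
    """Render the headers as 'Name: value' lines, i.e. the 'Full Headers' location."""
    return [f"{name}: {value}" for name, value in msg.items()]


def not_contains(lines, text):
    """'Not contains text': the text appears nowhere in the full headers (case-insensitive)."""
    return all(text.lower() not in line.lower() for line in lines)


def starts_with(lines, text):
    """'Starts with': assumed here to test each header line individually (assumption)."""
    return any(line.lower().startswith(text.lower()) for line in lines)


def apply_transport_rules(raw_email):
    """Return the action the three rules on this page yield for one outbound message.

    Assumption: rules are evaluated first-match in the order Email Transport,
    Quarantine, Block; an inspected message matching no action rule is delivered.
    """
    lines = full_headers(message_from_string(raw_email))
    if not_contains(lines, INSPECTED_HEADER):
        return "route-to-dlp"   # Email Transport rule: Change Route to the Email DLP host
    if starts_with(lines, f"{ACTION_HEADER}: quarantine"):
        return "quarantine"     # Quarantine rule: Quarantine message, never re-forwarded
    if starts_with(lines, f"{ACTION_HEADER}: block"):
        return "reject"         # Block rule: Reject message
    return "deliver"            # Monitor verdict: no rule matches, mail continues


# Constructed sample messages (not captured traffic); a blank line separates headers from body.
UNINSPECTED = "From: alice@example.com\nTo: bob@partner.example\nSubject: report\n\nhello\n"
QUARANTINED = ("From: alice@example.com\nTo: bob@partner.example\n"
               "X-PANW-Inspected: true\nX-PANW-Action: quarantine\n\nhello\n")
BLOCKED = UNINSPECTED.replace("\n\n", "\nX-PANW-Inspected: true\nX-PANW-Action: block\n\n", 1)
# An approved quarantined message comes back re-stamped with a monitor verdict and is delivered.
MONITORED = BLOCKED.replace("X-PANW-Action: block", "X-PANW-Action: monitor")

if __name__ == "__main__":
    for name, raw in [("uninspected", UNINSPECTED), ("quarantined", QUARANTINED),
                      ("blocked", BLOCKED), ("monitored", MONITORED)]:
        print(f"{name:12s} -> {apply_transport_rules(raw)}")
```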

Email Transport

Create a Gmail email transport rule to forward traffic to the Enterprise Data Loss Prevention (E-DLP) cloud service for inline email inspection.
  1. In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.
  2. In the Content compliance section, Add Another Rule.
  3. Configure the email transport rule.
    1. In the Content compliance field, enter a descriptive name for the transport rule.
    2. For the Email messages to affect, select Outbound.
      This instructs Gmail to forward the email to Enterprise DLP before it leaves your network when the email recipient is outside your organization.
    3. Configure email forwarding to Enterprise DLP for emails that have not been inspected.
      1. In the Add expressions that describe the content you want to search for in each message section, select If ANY of the following match the message.
      2. Add.
      3. In the Add setting page, select Advanced content match.
      4. For the Location, select Full Headers.
      5. For the Match type, select Not contains text.
      6. For the Content, enter x-panw-inspected.
      7. Save.
    4. Configure the action Gmail takes for emails that have already been inspected by Enterprise DLP, and the encryption settings.
      1. In the If the above expressions match, do the following section, enable Change Route.
      2. Select the Email DLP Host you created.
      3. For the Encryption (onward delivery only), select Require secure transport (TLS).
    5. Configure the types of Gmail accounts the transport rule affects.
      1. Show Options.
        After you expand the options menu, the button displays Hide Options.
      2. In the Account types to affect section, select Users, Groups, and Unrecognized / Catch-all.
    6. Save.
  4. Verify that the email transport rule was successfully added and that the Status is Enabled.

Quarantine

Create a Gmail quarantine transport rule to quarantine and forward a quarantined email to Gmail hosted quarantine for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
  1. In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.
  2. In the Content compliance section, Add Another Rule.
  3. Configure the quarantine transport rule.
    1. In the Content compliance field, enter a descriptive name for the transport rule.
    2. For the Email messages to affect, select Outbound.
      This instructs Gmail to forward the email to Enterprise DLP before it leaves your network when the email recipient is outside your organization.
    3. Configure email forwarding to Enterprise DLP for emails that have not been inspected.
      1. In the Add expressions that describe the content you want to search for in each message section, select If ANY of the following match the message.
      2. Add.
      3. In the Add setting page, select Advanced content match.
      4. For the Location, select Full Headers.
      5. For the Match type, select Starts with.
      6. For the Content, enter x-panw-action: quarantine.
      7. Save.
    4. Configure the action Gmail takes for emails that need to be quarantined.
      1. In the If the above expressions match, do the following section, select Quarantine message.
      2. In the Move the message to the following quarantine field, select the Gmail quarantine inbox to which you want to forward emails that need to be reviewed by an email administrator.
      3. Enable Notify sender when email is quarantined (onward delivery only).
    5. Configure the types of Gmail accounts the transport rule affects.
      1. Show Options.
        After you expand the options menu, the button displays Hide Options.
      2. In the Account types to affect section, select Users, Groups, and Unrecognized / Catch-all.
    6. Save.
  4. Verify that the quarantine transport rule was successfully added and that the Status is Enabled.
  5. An email administrator must review and allow or reject quarantined emails forwarded to the quarantine mailbox.
    Due to a Gmail limitation, SaaS Security generates two Email DLP logs (Manage > Configuration > SaaS Security > Data Security > Logs > Email DLP Logs) when a quarantined email is allowed. The first Email DLP log describes the initial outbound email blocked by Email DLP. The second Email DLP log describes the allowed outbound email that is sent back to Enterprise DLP to add x-panw-inspected: true and x-panw-action: monitor to the email header before it continues on its path to the intended recipient.

Block

Create a Gmail block transport rule to specify the action Gmail takes when an email contains sensitive data and is blocked.
  1. In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.
  2. In the Content compliance section, Add Another Rule.
  3. Configure the block transport rule.
    1. In the Content compliance field, enter a descriptive name for the transport rule.
    2. For the Email messages to affect, select Outbound.
      This instructs Gmail to forward the email to Enterprise DLP before it leaves your network when the email recipient is outside your organization.
    3. Configure email forwarding to Enterprise DLP for emails that have not been inspected.
      1. In the Add expressions that describe the content you want to search for in each message section, select If ANY of the following match the message.
      2. Add.
      3. In the Add setting page, select Advanced content match.
      4. For the Location, select Full Headers.
      5. For the Match type, select Starts with.
      6. For the Content, enter x-panw-action: block.
      7. Save.
    4. Configure the action Gmail takes for emails that are blocked.
      1. In the If the above expressions match, do the following section, select Reject message.
      2. (Optional) Enter a customized rejection notice that is returned when an email is blocked.
    5. Configure the types of Gmail accounts the transport rule affects.
      1. Show Options.
        After you expand the options menu, the button displays Hide Options.
      2. In the Account types to affect section, select Users, Groups, and Unrecognized / Catch-all.
    6. Save.
  4. Verify that the block transport rule was successfully added and that the Status is Enabled.