Enterprise DLP
Create Microsoft Exchange Transport Rules
Create Microsoft Exchange transport rules to forward emails to Enterprise Data Loss Prevention (E-DLP) for inspection, and to specify what actions Microsoft Exchange takes based on the Enterprise DLP verdicts.
Create Microsoft Exchange email transport rules to forward emails from Microsoft Exchange to the Enterprise Data Loss Prevention (E-DLP) cloud service for inspection to prevent exfiltration of sensitive data. Additionally, you must create transport rules to specify the actions Microsoft Exchange takes based on the verdicts rendered by Enterprise DLP. The following transport rules are required:
- Email Transport: Required to forward all outbound emails from Microsoft Exchange to the Enterprise Data Loss Prevention (E-DLP) cloud service for inline email inspection and verdict rendering. The email transport rule is required in all cases regardless of the verdict Enterprise DLP renders. Enterprise DLP adds x-panw-inspected: true to the email header of every inspected email. If an outbound email already includes this header, it is not forwarded to Enterprise DLP again. Instead, Microsoft Exchange takes the action specified in the hosted quarantine, admin approval, manager approval, encrypt, or block transport rule based on the verdict already rendered by Enterprise DLP.
- Hosted Quarantine: Instructs Microsoft Exchange to quarantine the email and forward it to the spam quarantine mailbox hosted by Microsoft Exchange when the Enterprise Data Loss Prevention (E-DLP) cloud service returns a Quarantine verdict for an email that contains sensitive data. Enterprise DLP adds x-panw-action: quarantine to the email header of inspected emails. The email is transported back to Microsoft Exchange and forwarded to the hosted quarantine spam inbox so an email administrator can review the email contents and decide whether to approve or block the email. Any future emails that already include this header are not forwarded to Enterprise DLP again. Instead, Microsoft Exchange takes the action specified in the quarantine transport rule.
- Admin Approval: Instructs Microsoft Exchange to forward the email to the specified email administrator when the Enterprise Data Loss Prevention (E-DLP) cloud service returns a Forward email for approval admin verdict for an email that contains sensitive data. Enterprise DLP adds x-panw-action: fwd_to_admin to the email header of inspected emails. The email is transported back to Microsoft Exchange so an email administrator can review the email contents and decide whether to approve or block the email. Any future emails that already include this header are not forwarded to Enterprise DLP again. Instead, Microsoft Exchange takes the action specified in the transport rule.
- Manager Approval: Instructs Microsoft Exchange to forward the email to the sender's manager when the Enterprise Data Loss Prevention (E-DLP) cloud service returns a Forward email for approval by end user's manager verdict for an email that contains sensitive data. Enterprise DLP adds x-panw-action: fwd_to_manager to the email header of inspected emails. The email is transported back to Microsoft Exchange so a manager can review the email contents and decide whether to approve or block the email. Any future emails that already include this header are not forwarded to Enterprise DLP again. Instead, Microsoft Exchange takes the action specified in the transport rule.
- Encrypt: Instructs Microsoft Exchange on the action to take when Enterprise DLP returns an Encrypt verdict for an email that contains sensitive data. Enterprise DLP adds x-panw-action: encrypt to the email header of inspected emails. The email is transported back to Microsoft Exchange and encrypted based on the encryption settings you configure in the transport rule. Any future emails that already include this header are not forwarded to Enterprise DLP again. Instead, Microsoft Exchange takes the action specified in the encrypt transport rule.
- Block: Instructs Microsoft Exchange on the action to take when Enterprise DLP returns a Block verdict for an email that contains sensitive data. Enterprise DLP adds x-panw-action: block to the email header of inspected emails. Any future emails that already include this header are not forwarded to Enterprise DLP for inspection. Instead, Microsoft Exchange takes the action specified in the Block transport rule.
Email Transport
Create a Microsoft Exchange email transport rule to forward traffic to the Enterprise Data Loss Prevention (E-DLP) cloud service for inline email inspection.
- Create the outbound and inbound connectors. Skip this step if you have already created both the outbound and inbound connectors.
- Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
- Configure the email transport rule conditions.
  - Enter a Name for the email transport rule.
  - Specify the email recipient. This instructs Microsoft Exchange to forward the email to Enterprise DLP before it leaves your network when the email recipient is outside your organization.
    - For Apply this rule if, select The recipient.
    - For the recipient, select is external/internal. When prompted to select the recipient location, select Outside the organization. Click Save to continue.
  - Specify the Microsoft Exchange connector you created as the transport target for email inspection.
    - For Do the following, select redirect the message to.
    - For the transport target, select the following connector. When prompted, select the outbound connector. Click Save to continue.
  - Add an exception for emails that exceed the maximum message size supported by Enterprise DLP. Enterprise DLP supports inspection of email messages up to 20 MB in size. Larger email messages are not supported and should not be forwarded to Enterprise DLP.
    - In the Except if field, select The message.
    - Select size is greater than or equal to. When prompted, enter the maximum supported message size in KB: 20480.
  - Add an exception for emails that were already inspected by Enterprise DLP.
    - In the Except if condition, click the add symbol to add a new Or condition.
    - Select the The message headers condition.
    - For the Or condition action, select matches any of these words.
    - Click Enter text and set the message header to x-panw-inspected.
    - Click Enter words and enter true. Click Add and select the word you added. Click Save to continue.
  - Click Next to continue.
- Configure the email transport rule settings.
  - For the Rule mode, ensure Enforce is selected. This setting is enabled by default when a new transport rule is created.
  - (Optional) Configure the rest of the email transport rule settings as needed.
  - Click Next to continue.
- Save the email transport rule.
  - Review the email transport rule configuration and click Finish. Click Done when prompted that the email transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
- Modify the email transport rule priority as needed. To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed. A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
  - The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
  - Any email encryption rules not created as part of the email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
  - Priority has no impact between the quarantine transport rule, block transport rule, encrypt transport rule, or any other transport rules that exist. After Enterprise DLP inspects and returns the email to Microsoft Exchange, the appropriate transport rule action occurs based on the email header.
Hosted Quarantine
Create a Microsoft Exchange Quarantine transport rule to quarantine and forward a quarantined email to the Microsoft Exchange hosted quarantine for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
- Create the outbound and inbound connectors. Skip this step if you have already created both the outbound and inbound connectors.
- Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
- Configure the quarantine transport rule conditions.
  - Enter a Name for the quarantine transport rule.
  - Add the quarantine email message header. The x-panw-action: quarantine header is added by the DLP cloud service when an email contains sensitive information that needs to be approved by your email administrator.
    - For Apply this rule if, select The message headers....
    - Select match these text patterns.
    - Click Enter text. When prompted, enter x-panw-action and click Save to continue. Click Enter words. When prompted, enter quarantine and click Add. Select the word you added and click Save to continue.
  - Specify the action Microsoft Exchange takes when an email header includes the quarantine header added by Enterprise DLP.
    - For Do the following, select Redirect the message to.
    - Select hosted quarantine.
  - Click Next to continue.
- Configure the quarantine transport rule settings.
  - For the Rule mode, ensure Enforce is selected. This setting is enabled by default when a new transport rule is created.
  - (Optional) Configure the rest of the quarantine transport rule settings as needed.
  - Click Next to continue.
- Review the quarantine transport rule configuration and click Finish. Click Done when prompted that the quarantine transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
- Modify the transport rule priority as needed. To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed. A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
  - The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
  - Any email encryption rules not created as part of the email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
  - Priority has no impact between the quarantine transport rule, block transport rule, encrypt transport rule, or any other transport rules that exist. After Enterprise DLP inspects and returns the email to Microsoft Exchange, the appropriate transport rule action occurs based on the email header.
- An email administrator must review and approve or reject quarantined emails forwarded to the hosted quarantine mailbox.
Admin Approval
Create a Microsoft Exchange transport rule to forward an email to the specified email administrator for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
- Create the outbound and inbound connectors. Skip this step if you have already created both the outbound and inbound connectors.
- Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
- Configure the transport rule conditions.
  - Enter a Name for the transport rule.
  - Add the email message header. The x-panw-action: fwd_to_admin header is added by the DLP cloud service when an email contains sensitive information requiring email administrator approval.
    - For Apply this rule if, select The message headers....
    - Select match these text patterns.
    - Click Enter text. When prompted, enter x-panw-action and click Save to continue. Click Enter words. When prompted, enter fwd_to_admin and click Add. Select the word you added and click Save to continue.
  - Specify the action Microsoft Exchange takes when an email header includes the header added by Enterprise DLP.
    - For Do the following, select Forward the message for approval.
    - Select to these people and specify the approving email administrator.
  - Click Next to continue.
- Configure the transport rule settings.
  - For the Rule mode, ensure Enforce is selected. This setting is enabled by default when a new transport rule is created.
  - (Optional) Configure the rest of the transport rule settings as needed.
  - Click Next to continue.
- Review the transport rule configuration and click Finish. Click Done when prompted that the transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
- Modify the transport rule priority as needed. To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed. A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
  - The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
  - Any email encryption rules not created as part of the email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
  - Priority has no impact between the quarantine transport rule, block transport rule, encrypt transport rule, or any other transport rules that exist. After Enterprise DLP inspects and returns the email to Microsoft Exchange, the appropriate transport rule action occurs based on the email header.
Manager Approval
Create a Microsoft Exchange email transport rule to forward an email to the sender's manager for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully send an email for manager approval if sensitive data is detected by Enterprise DLP, the sender must have a manager assigned. If no manager is assigned to the sender, then the email is sent to the recipient because no manager is assigned to approve or reject the email.
Additionally, Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
- Create the outbound and inbound connectors. Skip this step if you have already created both the outbound and inbound connectors.
- Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
- Configure the transport rule conditions.
  - Enter a Name for the transport rule.
  - Add the email message header. The x-panw-action: fwd_to_manager header is added by the DLP cloud service when an email contains sensitive information requiring manager approval.
    - For Apply this rule if, select The message headers....
    - Select match these text patterns.
    - Click Enter text. When prompted, enter x-panw-action and click Save to continue. Click Enter words. When prompted, enter fwd_to_manager and click Add. Select the word you added and click Save to continue.
  - Specify the action Microsoft Exchange takes when an email header includes the header added by Enterprise DLP. Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully forward a sender's email if sensitive data is detected by Enterprise DLP, the user must have a manager assigned. If no manager is assigned to the user, then the email is sent to the recipient because no manager is assigned to approve or reject the email.
    - For Do the following, select Forward the message for approval.
    - Select to the sender's manager.
  - Click Next to continue.
- Configure the transport rule settings.
  - For the Rule mode, ensure Enforce is selected. This setting is enabled by default when a new transport rule is created.
  - (Optional) Configure the rest of the transport rule settings as needed.
  - Click Next to continue.
- Review the transport rule configuration and click Finish. Click Done when prompted that the transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
- Modify the transport rule priority as needed. To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed. A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
  - The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
  - Any email encryption rules not created as part of the email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
  - Priority has no impact between the quarantine transport rule, block transport rule, encrypt transport rule, or any other transport rules that exist. After Enterprise DLP inspects and returns the email to Microsoft Exchange, the appropriate transport rule action occurs based on the email header.
Encrypt
Create a Microsoft Exchange Encrypt transport rule to encrypt an outbound email returned to Microsoft Exchange after inspection by Enterprise Data Loss Prevention (E-DLP).
- Create the outbound and inbound connectors. Skip this step if you have already created both the outbound and inbound connectors.
- Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
- Configure the encrypt transport rule conditions.
  - Enter a Name for the encrypt transport rule.
  - Add the encrypt email message header. The x-panw-action: encrypt header is added by the DLP cloud service when an email contains sensitive information that should be encrypted.
    - For Apply this rule if, select The message headers....
    - Select match these text patterns.
    - Click Enter text. When prompted, enter x-panw-action and click Save to continue. Click Enter words. When prompted, enter encrypt and click Add. Select the word you added and click Save to continue.
  - Specify the action Microsoft Exchange takes when an email header includes the encrypt header added by Enterprise DLP.
    - For Do the following, select Modify the message security.
    - Select Apply Office 365 Message Encryption and rights protection.
    - Select the RMS template you want to use for outbound email encryption and click Save.
  - Click Next to continue.
- Configure the encrypt transport rule settings.
  - For the Rule mode, ensure Enforce is selected. This setting is enabled by default when a new transport rule is created.
  - (Optional) Configure the rest of the encrypt transport rule settings as needed.
  - Click Next to continue.
- Review the encrypt transport rule configuration and click Finish. Click Done when prompted that the encrypt transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
- Modify the transport rule priority as needed. To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed. A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
  - The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
  - Any email encryption rules not created as part of the email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
  - Priority has no impact between the quarantine transport rule, block transport rule, encrypt transport rule, or any other transport rules that exist. After Enterprise DLP inspects and returns the email to Microsoft Exchange, the appropriate transport rule action occurs based on the email header.
Block
Create a Microsoft Exchange Block transport rule to specify the action Microsoft Exchange takes when an email contains sensitive data and is blocked.
- Create the outbound and inbound connectors. Skip this step if you have already created both the outbound and inbound connectors.
- Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
- Configure the Block transport rule conditions.
  - Enter a Name for the Block transport rule.
  - Add the Block email message header. The x-panw-action: block header is added by the DLP cloud service when an inspected email contains sensitive information that is blocked.
    - For Apply this rule if, select The message headers....
    - Select includes any of these words.
    - Click Enter text. When prompted, enter x-panw-action and click Save to continue. Click Enter words. When prompted, enter block and click Add. Select the word you added and click Save to continue.
  - Specify the action Microsoft Exchange takes when an email header includes the Block header added by Enterprise DLP.
    - For Do the following, select Block the message.
    - Select reject the message and include an explanation. When prompted, enter the explanation for why the email was blocked. This is the response members of your organization receive when an outbound email is blocked. Click Save to continue.
  - Click Next to continue.
- Configure the Block transport rule settings.
  - For the Rule mode, ensure Enforce is selected. This setting is enabled by default when a new transport rule is created.
  - (Optional) Configure the rest of the Block transport rule settings as needed.
  - Click Next to continue.
- Save the Block transport rule.
  - Review the Block transport rule configuration and click Finish. Click Done when prompted that the Block transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
- Modify the transport rule priority as needed. To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed. A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP for inspection.
  - The email transport rule should always be the highest priority rule relative to the other transport rules required for Enterprise DLP inspection.
  - Any email encryption rules not created as part of the email DLP configuration must be ordered below the transport rules created for Enterprise DLP inspection. Enterprise DLP cannot inspect encrypted emails.
  - Priority has no impact between the quarantine transport rule, block transport rule, encrypt transport rule, or any other transport rules that exist. After Enterprise DLP inspects and returns the email to Microsoft Exchange, the appropriate transport rule action occurs based on the email header.
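The six rules from the procedures above (Email Transport, Hosted Quarantine, Admin Approval, Manager Approval, Encrypt, Block), as an added Exchange Online PowerShell example that is not from the original page or from the vendor. The connector name, administrator address and RMS template name are placeholders, and the size exception uses the cmdlet's "over" test as the closest match to the admin center's "greater than or equal to" condition.

```powershell
# Added example (not the vendor's code): the six E-DLP transport rules created
# with Exchange Online PowerShell instead of the admin center. Placeholders you
# must replace: outbound connector name, approving administrator, RMS template.
Connect-ExchangeOnline

$OutboundConnector = 'E-DLP Outbound'          # placeholder: connector created earlier
$DlpAdmin          = 'dlp-admin@example.com'   # placeholder: approving administrator
$RmsTemplate       = 'Encrypt'                 # placeholder: RMS template in your tenant

# 1. Email transport (highest priority): route mail for external recipients to
#    E-DLP, except messages over 20 MB (20480 KB) or messages already carrying
#    the x-panw-inspected: true header. Multiple ExceptIf* parameters are OR'd.
New-TransportRule -Name 'E-DLP Email Transport' -Priority 0 -Mode Enforce `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector $OutboundConnector `
    -ExceptIfMessageSizeOver 20MB `
    -ExceptIfHeaderContainsMessageHeader 'x-panw-inspected' `
    -ExceptIfHeaderContainsWords 'true'

# 2. Hosted quarantine: x-panw-action: quarantine -> hosted quarantine mailbox.
New-TransportRule -Name 'E-DLP Hosted Quarantine' -Priority 1 -Mode Enforce `
    -HeaderMatchesMessageHeader 'x-panw-action' -HeaderMatchesPatterns 'quarantine' `
    -Quarantine $true

# 3. Admin approval: x-panw-action: fwd_to_admin -> moderation by the DLP admin.
New-TransportRule -Name 'E-DLP Admin Approval' -Priority 2 -Mode Enforce `
    -HeaderMatchesMessageHeader 'x-panw-action' -HeaderMatchesPatterns 'fwd_to_admin' `
    -ModerateMessageByUser $DlpAdmin

# 4. Manager approval: x-panw-action: fwd_to_manager -> moderation by the
#    sender's manager (the Manager attribute must be set in Active Directory,
#    otherwise the message is delivered to the recipient unmoderated).
New-TransportRule -Name 'E-DLP Manager Approval' -Priority 3 -Mode Enforce `
    -HeaderMatchesMessageHeader 'x-panw-action' -HeaderMatchesPatterns 'fwd_to_manager' `
    -ModerateMessageByManager $true

# 5. Encrypt: x-panw-action: encrypt -> apply the chosen RMS template.
New-TransportRule -Name 'E-DLP Encrypt' -Priority 4 -Mode Enforce `
    -HeaderMatchesMessageHeader 'x-panw-action' -HeaderMatchesPatterns 'encrypt' `
    -ApplyRightsProtectionTemplate $RmsTemplate

# 6. Block: x-panw-action: block -> reject with the explanation the sender sees.
New-TransportRule -Name 'E-DLP Block' -Priority 5 -Mode Enforce `
    -HeaderContainsMessageHeader 'x-panw-action' -HeaderContainsWords 'block' `
    -RejectMessageReasonText 'This email was blocked because it contains sensitive data.'

# Verify the hierarchy: the email transport rule must sit above the verdict
# rules, and any pre-existing encryption rules must sit below all six, because
# E-DLP cannot inspect an email that Exchange has already encrypted.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, Mode, State
```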