Connect Gmail and Enterprise DLP
After you set up the Email DLP Host and create the transport rules, you must connect Gmail and Enterprise Data Loss Prevention (E-DLP) to complete onboarding.
Where Can I Use This?
  • SaaS Security

What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • SaaS Security license
    Or
  • Any of the following licenses:
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
Connect Gmail to Enterprise Data Loss Prevention (E-DLP) through SaaS Security on Cloud Management to complete the onboarding.
  1. Contact your email domain provider to update your SPF record to add the required Enterprise DLP service IP addresses.
    Add the IP addresses for the region where your email domain is hosted. You can update your SPF record with multiple regional IP addresses if you have email domains hosted in multiple regions.
    • APAC: 35.186.151.226 and 34.87.43.120
    • EU: 34.141.90.172 and 34.107.47.119
    • US: 34.168.197.200 and 34.83.143.116
  2. Log in to the Google Admin Console.
  3. Add an SMTP relay service entry to forward outbound emails to Enterprise DLP.
    1. Select Apps > Google Workspace > Gmail > Routing.
    2. For the SMTP relay service, Add Another Rule.
    3. In the Description, enter a descriptive name for the Enterprise DLP SMTP relay service.
    4. For Allowed Senders, verify Only addresses in my domains is selected.
    5. For Authentication, check (enable) Only accept mail from the specified IP addresses.
    6. Add a new SMTP relay service.
    7. In the Enter IP address/range field, enter the required IP addresses for the region where your email domain is hosted. You can add multiple sets of IP addresses if needed.
      • APAC: 35.186.151.226 and 34.87.43.120
      • EU: 34.141.90.172 and 34.107.47.119
      • US: 34.168.197.200 and 34.83.143.116
    8. Verify that the SMTP relay service is Enabled.
    9. Save.
    10. Repeat this step to add both of the required Enterprise DLP SMTP relay service IP addresses for the region where your email domain is hosted.
    11. For Encryption, check (enable) Require TLS Encryption.
    12. Save.
  4. Create a Domain Wide Delegation.
    A domain wide delegation is required to download emails for investigative analysis when you review Email DLP incidents.
    1. Select Security > Access and data control > API Controls > Manage Domain Wide Delegation and Add New.
    2. Enter the Client ID for the region where your email domain is hosted.
      If you have multiple email domains hosted in different regions associated with one Google Workspace, you need to add a Domain Wide Delegation for each region in the same Google Workspace.
      If you have multiple email domains hosted in different regions but each is associated with a different Google Workspace, you need to add the appropriate Domain Wide Delegation in the appropriate Google Workspace.
      • APAC: 112988510035368951494
      • EU: 102967811737819901800
      • US: 108172098174169507493
    3. Add the OAuth scopes.
      You must add all of the comma-delimited OAuth scopes listed below.
      • https://mail.google.com
      • https://www.googleapis.com/auth/gmail.addons.current.message.action
      • https://www.googleapis.com/auth/gmail.addons.current.message.metadata
      • https://www.googleapis.com/auth/gmail.addons.current.message.readonly
      • https://www.googleapis.com/auth/gmail.modify
      • https://www.googleapis.com/auth/gmail.readonly
      • https://www.googleapis.com/auth/aim
    4. Authorize.
  5. Create the Gmail transport rules, and create the Email DLP Policy.
    Palo Alto Networks recommends setting up the Email DLP Host, transport rules, and Email DLP policies so that enforcement begins as soon as you successfully connect Gmail to Enterprise DLP.
    • Setting up routing to the Email DLP Host allows Gmail to forward emails to Enterprise DLP for inspection and verdict rendering, to prevent exfiltration of sensitive data.
    • Transport rules instruct Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on the quarantine or block verdicts rendered by Enterprise DLP.
      A transport rule is not required for emails that match an Email DLP policy whose action is set to Monitor. In this case, the x-panw-action: monitor email header is added, a DLP incident is created, and the email continues to its intended recipient.
    • The Email DLP policy specifies the incident severity and the action Enterprise DLP takes when matching traffic is inspected and sensitive data is detected.
  6. Log in to Strata Cloud Manager.
  7. Select Manage > Configuration > SaaS Security > Settings > Apps Onboarding.
  8. Add the Gmail application to SaaS Security.
    1. Search for Exchange and click Gmail.
    2. Add the Gmail app to SaaS Security.
  9. In the Email DLP Instance, click Add Instance.
  10. In the Setup Connectors and Rules page, add the email domains and relay hosts.
    Adding one or more email domains and the Gmail Relay Host is required to ensure that emails inspected by Enterprise DLP are successfully forwarded to the Gmail Relay Host.
    1. Enter an Email Domain.
      The Gmail Relay Host is always smtp-relay.gmail.com. The Port is always 587. These fields are automatically populated by default.
    2. (Optional) Add any additional email domains as needed.
    3. Connect.
  11. Gmail is now successfully connected and onboarded.
