Enterprise DLP
Connect Gmail and Enterprise DLP
Table of Contents
Expand All
|
Collapse All
Enterprise DLP Docs
Connect Gmail and Enterprise DLP
After you create you set up the Email DLP Host and create the transport rules, you
must connect Gmail and Enterprise Data Loss Prevention (E-DLP) to complete onboarding.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Connect Gmail to Enterprise Data Loss Prevention (E-DLP) through SaaS Security on Cloud Management to complete the onboarding.
- Contact your email domain provider to update your SPF record to add the required Enterprise DLP service IP addresses.Add the IP addresses for the region where your email domain is hosted. You can update your SPF record with multiple regional IP addresses if you have email domains hosted in multiple regions.
- APAC—35.186.151.226 and 34.87.43.120
- E.U—34.141.90.172 and 34.107.47.119
- U.S—34.168.197.200 and 34.83.143.116
Log in to the Google Admin Console.Add an SMTP relay service entry to forward outbound emails to Enterprise DLP.- Select AppsGoogle WorkspaceGmailRouting.For the SMTP relay service, Add Another Rule.In the Description, enter a descriptive name for the Enterprise DLP SMTP relay service.For Allowed Senders, verify Only addresses in my domains is selected.For Authentication, check (enable) Only accept mail from the specified IP addresses.Add a new SMTP relay serviceIn the Enter IP address/range field, enter the required IP addresses for the region where you host your email domain. You can add multiple sets of IP addresses if needed.
- APAC—35.186.151.226 and 34.87.43.120
- E.U—34.141.90.172 and 34.107.47.119
- U.S—34.168.197.200 and 34.83.143.116
Verify that the SMTP relay service is Enabled.Save.Repeat this step to add both the required Enterprise DLP SMTP relay service IP addresses for the region where you host your email domain.For Encryption, check (enable) Require TLS Encryption.Save.Configure Gmail to allow the download of emails for investigative analysis when you review Email DLP incidents.- E.U—Create a Domain Wide Delegation
- In the Google Admin Console, select SecurityAccess and data controlAPI ControlsManage Domain Wide Delegation and Add New.
- Enter the Client ID for the region where your host your email domain.If you have multiple email domains hosted in different regions associated with one Google Workspace, you need to add a Domain Wide Delegation for each region in the same Google Workspace.If you have multiple email domains hosted in different regions but each is associated with a different Google Workspace, you need to add the appropriate Domain Wide Deletion in the appropriate Google Workspace.
- E.U—102967811737819901800
- Add the OAuth scopesAdd all the comma-delimited OAuth scopes listed below.
- https://mail.google.com
- https://www.googleapis.com/auth/gmail.addons.current.message.action
- https://www.googleapis.com/auth/gmail.addons.current.message.metadata
- https://www.googleapis.com/auth/gmail.addons.current.message.readonly
- https://www.googleapis.com/auth/gmail.modify
- https://www.googleapis.com/auth/gmail.readonly
- https://www.googleapis.com/auth/aim
- Authorize.
- APAC and U.S—Download the Email DLP Palo Alto Networks appSee the Microsoft 365 Defender prerequisites for more information.
- Enter Email DLP in the search bar and select the Email DLP app for your region.You can only download the Email DLP app for the region from which you're currently accessing the Google Workspace Marketplace.
- APAC—Email DLP by Palo Alto Networks (APAC)
- U.S—Email DLP by Palo Alto Networks (US)
For example, if you access the Google Workspace Marketplace from California, you can only download the Email DLP by Palo Alto Networks (US) version of the Email DLP app. - Click the Email DLP by Palo Alto Networks app tile.
- Click Admin Install.
- You're prompted with a confirmation that you're about to install the Email DLP by Palo Alto Networks app. Click Continue.
- Select for which users you want to install the Email DLP app.
- Everyone at your organization—Select this option if you want to be able to download emails for everybody in your organization who generates an Email DLP incident.
- Certain groups or organizational units—Select this option if you want to be able to download emails for specific user groups and organizational units when they generate an Email DLP incident.For example, you have user groups Group1, Group2, and Group3 where your CEO and other executives are part of Group3. You don't want to give your security administrators the ability to download emails sent by the CEO and other executives. In this case, you would select the Certain groups or organizational units option and add Group1 and Group2 but not Group3.
- Agree to the app Terms and Conditions.
- (Certain groups or organizational units) Select the user groups and organizational you want to install the app for.
- Click Finish.
- A notification is displayed notifying you the Email DLP by Palo Alto Networks app successfully installed.
- Click Done.
- Enter Email DLP in the search bar and select the Email DLP app for your region. Verify that the app tile displays Installed.
Set Up a Proofpoint Server for Email Encryption.This is required to encrypt emails inspected by Enterprise DLP that match your encryption Email DLP policy rule.Create the Gmail transport rules, and create the Email DLP Policy.Palo Alto Networks recommends setting Email DLP Host, transport rules, and Email DLP policy rules to ensure enforcements begins as soon as you successfully connect Gmail to Enterprise DLP.- Setting up a routing to the Email DLP Host allows Gmail to forward emails to Enterprise DLP and for inspection and verdict rendering to prevent exfiltration of sensitive data.
- Transport rules instruct Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on verdicts rendered by Enterprise DLP.A transport rule isn't required for emails that match your Email DLP policy where you set the action to Monitor. In this case, the x-panw-action - monitor email header is added, a DLP incident is created, and the email continues to its intended recipient.
- The DLP email policy specifies the incident severity and the action Enterprise DLP takes when matching traffic is inspected and sensitive data is detected.
Log in to Strata Cloud Manager.Select ManageConfigurationSaaS SecuritySettingsApps Onboarding.Add the Gmail app to SaaS Security.- Search for Gmail and click the Gmail app.Add the Gmail app to SaaS Security.In the Email DLP Instance, click Add Instance.In the Setup Connectors and Rules page, add the email domains and relay hosts.Enterprise DLP requires you add one or more email domains and the Gmail Relay Host to ensure Gmail successfully forwards emails inspected by Enterprise DLP to the Gmail Relay Host.
- Enter an Email Domain.The Gmail Relay Host is always smtp-relay.gmail.com. The Port is always 587. This fields are automatically populated by default.(Optional) Add any additional email domains as needed.Connect.Gmail is now successfully connected and onboarded.Configure the Email DLP settings.
- Edit the snippet settings to configure if and how Enterprise DLP stores and masks snippets of sensitive data that match your data pattern match criteria.
- Edit the policy evaluation timeout settings to configure what Enterprise DLP does when Email DLP policy evaluation exceeds the configured timeout.
- Configure evidence storage to save evidence for investigative analysis.