Create Gmail Transport Rules
Focus
Focus
Enterprise DLP

Create Gmail Transport Rules

Table of Contents

Create Gmail Transport Rules

Transport rules establish the actions Gmail takes based on the monitor, quarantine, or block verdicts rendered by
Enterprise Data Loss Prevention (E-DLP)
.
Where Can I Use This?
What Do I Need?
  • SaaS Security
  • Enterprise Data Loss Prevention (E-DLP)
    license
  • SaaS Security
    license
    Or
  • Any of the following licenses
    • Prisma Access
      CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X)
      license
    • Data Security
      license
Transport rules instruct Gmail to forward emails to
Enterprise DLP
and establish the actions Gmail takes based on the quarantine,or block verdicts rendered by
Enterprise Data Loss Prevention (E-DLP)
.
Create Gmail transport rules to forward emails from Gmail to the
Enterprise Data Loss Prevention (E-DLP)
cloud service for inspection to prevent exfiltration of sensitive data. Additionally, you must create transport rules to specify the actions Gmail takes based on the verdicts rendered by
Enterprise DLP
. The following transport rules are required:
  • Email Transport
    Required to forward all outbound emails from Gmail to the
    Enterprise Data Loss Prevention (E-DLP)
    cloud service for inline email inspection and verdict rendering. The email transport rule is required in all cases regardless of the verdict
    Enterprise DLP
    renders.
    Enterprise DLP
    adds
    x-panw-inspected: true
    to the email header for all inspected emails. If an outbound email already includes this header, it will not be forwarded to
    Enterprise DLP
    again. Instead, Gmail takes the action specified in the quarantine, or block transport rules based on the verdict already rendered by
    Enterprise DLP
    .
  • Quarantine
    Instructs Gmail to quarantine and forward the email to the spam quarantine mailbox hosted by Gmail when
    Enterprise Data Loss Prevention (E-DLP)
    cloud service returns a
    Quarantine
    verdict for an email that contains sensitive data. An email administrator must review and take action on quarantined emails after
    Enterprise DLP
    inspection.
    Enterprise DLP
    adds
    x-panw-action: quarantine
    to the email header for inspected emails if
    Enterprise DLP
    renders a
    Quarantine
    verdict. The email is transported back to Gmail and forwarded to the hosted quarantine spam inbox so an email administrator can review the email contents and decide whether to approve or block the email. Any future emails with this header already included will not be forwarded to
    Enterprise DLP
    again. Instead, Gmail will take the action specified in the quarantine transport rule.
  • Block
    Instructs Gmail on the action to take when
    Enterprise Data Loss Prevention (E-DLP)
    cloud service returns a
    Block
    verdict for an email that contains sensitive data.
    Enterprise DLP
    adds
    x-panw-action: block
    to the email header for all inspected emails. Any future emails with this header already included will not be forwarded to
    Enterprise DLP
    for inspection. Instead, Gmail takes the action specified in the Block transport rule.
A transport rule is not required for emails that match your Email DLP policy where the action is set to
Monitor
. In this case, the
x-panw-action - monitor
email header is added, a DLP incident is created, and the email continues to its intended recipient.

Email Transport

Create a Gmail email transport rule to forward traffic to the
Enterprise Data Loss Prevention (E-DLP)
cloud service for inline email inspection.
  1. In the Dashboard, select
    Apps
    Google Workspace
    Gmail
    Compliance
    .
  2. In the Content compliance section,
    Add Another Rule
    .
  3. Configure the email transport rule.
    1. In the
      Content compliance
      field, enter a descriptive name for the transport rule.
    2. For the
      Email messages to affect
      , select
      Outbound
      .
      This instructs Gmail to forward the email to
      Enterprise DLP
      before it leaves your network when the email recipient is outside your organization.
    3. Configure email forwarding to
      Enterprise DLP
      for emails that have not been inspected.
      1. In the
        Add experiences that describe the content you want to search for in each message
        section, select
        If ANY of the following match the message
        .
      2. Add
        .
      3. In the
        Add setting
        page, select
        Advanced content match
        .
      4. For the
        Location
        , select
        Full Headers
        .
      5. For the
        Match type
        , select
        Not contains text
        .
      6. For the
        Content
        , enter
        x-panw-inspected
        .
      7. Save
        .
    4. Configure the action Gmail takes for emails that have already been inspected by
      Enterprise DLP
      , and the encryption settings.
      1. In the
        If the above expressions match, do the following
        section, enable
        Change Route
        .
      2. Select the Email DLP Host you created.
      3. For the
        Encryption (onward delivery only
        ), select
        Require secure transport (TLS)
        .
    5. Configure the types of Gmail accounts the transport rule affects.
      1. Show Options
        .
        After you expand the options menu, the button displays
        Hide Options
        .
      2. In the
        Account types to affect
        section, select
        Users
        ,
        Groups
        , and
        Unrecognized / Catch-all
        .
    6. Save
      .
  4. Verify that the email transport rule was successfully added and that the
    Status
    is
    Enabled
    .

Quarantine

Create a Gmail quarantine transport rule to quarantine and forward a quarantined email to Gmail hosted quarantine for approval after inspection by
Enterprise Data Loss Prevention (E-DLP)
.
  1. In the Dashboard, select
    Apps
    Google Workspace
    Gmail
    Compliance
    .
  2. In the Content compliance section,
    Add Another Rule
    .
  3. Configure the quarantine transport rule.
    1. In the
      Content compliance
      field, enter a descriptive name for the transport rule.
    2. For the
      Email messages to affect
      , select
      Outbound
      .
      This instructs Gmail to forward the email to
      Enterprise DLP
      before it leaves your network when the email recipient is outside your organization.
    3. Configure email forwarding to
      Enterprise DLP
      for emails that have not been inspected.
      1. In the
        Add experiences that describe the content you want to search for in each message
        section, select
        If ANY of the following match the message
        .
      2. Add
        .
      3. In the
        Add setting
        page, select
        Advanced content match
        .
      4. For the
        Location
        , select
        Full Headers
        .
      5. For the
        Match type
        , select
        Starts with
        .
      6. For the
        Content
        , enter
        x-panw-action: quarantine
        .
      7. Save
        .
    4. Configure the action Gmail takes for emails that need to be quarantined.
      1. In the
        If the above expressions match, do the following
        section, select
        Quarantine message
        .
      2. In the
        Move the message to the following quarantine
        , select the Gmail quarantine inbox you want to forward emails that need to be reviewed by an email administrator.
      3. Enable
        Notify sender when email is quarantined (onward delivery only)
        .
    5. Configure the types of Gmail accounts the transport rule affects.
      1. Show Options
        .
        After you expand the options menu, the button displays
        Hide Options
        .
      2. In the
        Account types to affect
        section, select
        Users
        ,
        Groups
        , and
        Unrecognized / Catch-all
        .
    6. Save
      .
  4. Verify that the email transport rule was successfully added and that the
    Status
    is
    Enabled
    .
  5. An email administrator must review and allow or reject quarantined emails forwarded to the quarantine mailbox.
    Due to a Gmail limitation,
    SaaS Security
    generates two Email DLP logs (
    Manage
    Configuration
    SaaS Security
    Data Security
    Logs
    Email DLP Logs
    ) when a quarantined email is allowed. The first Email DLP log describes the initial outbound email blocked by Email DLP. The second Email DLP log describes the allowed outbound email that is sent back to
    Enterprise DLP
    to add
    x-panw-inspected: true
    and
    x-panw-action: monitor
    to the email header before it continues on its path to the intended recipient.

Block

Create a Gmail block transport rule to specify the action Gmail takes when an email contains sensitive data and is blocked.
  1. In the Dashboard, select
    Apps
    Google Workspace
    Gmail
    Compliance
    .
  2. In the Content compliance section,
    Add Another Rule
    .
  3. Configure the email transport rule.
    1. In the
      Content compliance
      field, enter a descriptive name for the transport rule.
    2. For the
      Email messages to affect
      , select
      Outbound
      .
      This instructs Gmail to forward the email to
      Enterprise DLP
      before it leaves your network when the email recipient is outside your organization.
    3. Configure email forwarding to
      Enterprise DLP
      for emails that have not been inspected.
      1. In the
        Add experiences that describe the content you want to search for in each message
        section, select
        If ANY of the following match the message
        .
      2. Add
        .
      3. In the
        Add setting
        page, select
        Advanced content match
        .
      4. For the
        Location
        , select
        Full Headers
        .
      5. For the
        Match type
        , select
        Starts with
        .
      6. For the
        Content
        , enter
        x-panw-action: block
        .
      7. Save
        .
    4. Configure the action Gmail takes for emails that are blocked.
      1. In the
        If the above expressions match, do the following
        section, select
        Reject message
        .
      2. (
        Optional
        ) Enter a customized rejection notice when an email is blocked.
    5. Configure the types of Gmail accounts the transport rule affects.
      1. Show Options
        .
        After you expand the options menu, the button displays
        Hide Options
        .
      2. In the
        Account types to affect
        section, select
        Users
        ,
        Groups
        , and
        Unrecognized / Catch-all
        .
    6. Save
      .
  4. Verify that the email transport rule was successfully added and that the
    Status
    is
    Enabled
    .

Recommended For You