Create a Transport Rule for Manager Approval

Create a Microsoft Exchange email transport rule to forward an email to the sender's manager for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Where Can I Use This?
What Do I Need?
  • Strata Cloud Manager
  • Enterprise Data Loss Prevention (E-DLP) license
  • Data Security license
  • Prisma Access license
  • AIOps for NGFW Premium license
  • AIOps for NGFW Free license
The Microsoft Exchange transport rule for manager approval instructs Microsoft Exchange to forward the email to the sender's manager when the Enterprise Data Loss Prevention (E-DLP) cloud service returns a Forward email for approval by end user's manager verdict for an email that contains sensitive data.

Enterprise DLP adds x-panw-action: fwd_to_manager to the email header for inspected emails if Enterprise DLP renders a Forward email for approval by end user's manager verdict. The email is transported back to Microsoft Exchange so a manager can review the email contents and decide whether to approve or block the email. Any future emails with this header already included will not be forwarded to Enterprise DLP again. Instead, Microsoft Exchange will take the action specified in the transport rule.

Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully send an email for manager approval if sensitive data is detected by Enterprise DLP, the sender must have a manager assigned.

If no manager is assigned to the sender, then the email is sent to the recipient because no manager is assigned to approve or reject the email.

Additionally, Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.

  1. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  2. Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
  3. Configure the transport rule conditions.
    1. Enter a Name for the transport rule.
    2. Add the email message header.
      The fwd_to_manager header is added by the DLP cloud service when an email contains sensitive information requiring manager approval.
      1. For Apply this rule if, select The message headers...
      2. Select match these text patterns.
      3. Click Enter Text. When prompted, enter the following.
        x-panw-action
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        fwd_to_manager
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email includes the header added by Enterprise DLP.
      Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully forward a sender's email if sensitive data is detected by Enterprise DLP, a user must have a manager assigned.
      If no manager is assigned to a user, then the email is sent to the recipient because no manager is assigned to approve or reject the email.
      1. For Do the following, select Forward the message for approval.
      2. Select to the sender's manager.
    4. Click Next to continue.
  4. Configure the transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the transport rule settings as needed.
    3. Click Next to continue.
  5. Review the transport rule configuration and click Finish.
    Click Done when prompted that the transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP.
      Enterprise DLP cannot inspect encrypted emails.
    • The relative priority of the quarantine transport rules, block transport rule, encrypt transport rule, and any other existing transport rules has no impact.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.
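
The same rule expressed in Exchange Online PowerShell, followed by a check for user mailboxes that have no manager assigned, since emails from those senders are delivered without approval as noted above. This is an added example, not part of the original documentation; it assumes an existing Connect-ExchangeOnline session, and the rule name is a placeholder.

```powershell
# Added example (not from the vendor documentation).
# Assumes: an Exchange Online PowerShell session is already open
# (Connect-ExchangeOnline) with rights to manage transport rules.
$ruleName = 'DLP - Manager Approval (example name)'   # placeholder name

# Create the rule only if one with this name does not exist yet.
# Condition and action mirror the steps above:
#   header x-panw-action matches fwd_to_manager
#   -> forward the message to the sender's manager for approval.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-TransportRule -Name $ruleName `
        -HeaderMatchesMessageHeader 'x-panw-action' `
        -HeaderMatchesPatterns 'fwd_to_manager' `
        -ModerateMessageByManager $true `
        -Mode Enforce | Out-Null
}

# List all rules in priority order so the hierarchy described in
# step 6 can be reviewed (DLP rules above any unrelated encryption rules).
Get-TransportRule |
    Sort-Object Priority |
    Format-Table Priority, Name, State, Mode -AutoSize

# Senders with no manager are not held for approval: the email goes
# straight to the recipient. Report those mailboxes so a manager can
# be assigned in the directory before relying on this rule.
$noManager = Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { [string]::IsNullOrEmpty($_.Manager) } |
    Select-Object DisplayName, UserPrincipalName

if ($noManager) {
    Write-Warning ("{0} user mailbox(es) have no manager assigned:" -f @($noManager).Count)
    $noManager | Format-Table -AutoSize
} else {
    Write-Output 'Every user mailbox has a manager assigned.'
}
```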
