Connect Gmail and Enterprise DLP
Focus
Focus
Enterprise DLP

Connect Gmail and Enterprise DLP

Table of Contents

Connect Gmail and Enterprise DLP

After you create you set up the Email DLP Host and create the transport rules, you must connect Gmail and Enterprise Data Loss Prevention (E-DLP) to complete onboarding.
Where Can I Use This?What Do I Need?
  • Data Security
  • One of the following licenses that include the Enterprise DLP license
    Review the Supported Platforms for details on the required license for each enforcement point.
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
  • Email DLP license
Connect Gmail to Enterprise Data Loss Prevention (E-DLP) through SaaS Security on Strata Cloud Manager to complete the onboarding.
  1. Contact your email domain provider to update your SPF record to add the required Enterprise DLP service IP addresses.
    Add the IP addresses for the region where your email domain is hosted. You can update your SPF record with multiple regional IP addresses if you have email domains hosted in multiple regions.
    • APAC
      35.186.151.226 and 34.87.43.120
    • Europe
      34.141.90.172 and 34.107.47.119
    • India
      34.93.185.212 and 35.200.159.173
    • United States
      34.168.197.200 and 34.83.143.116
  2. Log in to the Google Admin Console.
  3. Add an SMTP relay service entry to forward outbound emails to Enterprise DLP.
    1. Select AppsGoogle WorkspaceGmailRouting.
    2. For the SMTP relay service, Add Another Rule.
    3. In the Description, enter a descriptive name for the Enterprise DLP SMTP relay service.
    4. For Allowed Senders, verify Only addresses in my domains is selected.
    5. For Authentication, check (enable) Only accept mail from the specified IP addresses.
    6. Add a new SMTP relay service
    7. In the Enter IP address/range field, enter the required IP addresses for the region where you host your email domain. You can add multiple sets of IP addresses if needed.
      • APAC
        35.186.151.226 and 34.87.43.120
      • Europe
        34.141.90.172 and 34.107.47.119
      • India
        34.93.185.212 and 35.200.159.173
      • United States
        34.168.197.200 and 34.83.143.116
    8. Verify that the SMTP relay service is Enabled.
    9. Save.
    10. Repeat this step to add both the required Enterprise DLP SMTP relay service IP addresses for the region where you host your email domain.
    11. For Encryption, check (enable) Require TLS Encryption.
    12. Save.
  4. Configure Gmail to allow the download of emails for investigative analysis when you review Email DLP incidents.
    1. Download the Email DLP app for your region.
      You can only download the Email DLP app for the region from which you're currently accessing the Google Workspace Marketplace.
      For example, if you access the Google Workspace Marketplace from California, click the United States link below to download the Email DLP app.
    2. Click Admin Install.
    3. You're prompted with a confirmation that you're about to install the Email DLP by Palo Alto Networks app. Click Continue.
    4. Select for which users you want to install the Email DLP app.
      • Everyone at your organization—Select this option if you want to be able to download emails for everybody in your organization who generates an Email DLP incident.
      • Certain groups or organizational units—Select this option if you want to be able to download emails for specific user groups and organizational units when they generate an Email DLP incident.
        For example, you have user groups Group1, Group2, and Group3 where your CEO and other executives are part of Group3. You don't want to give your security administrators the ability to download emails sent by the CEO and other executives. In this case, you would select the Certain groups or organizational units option and add Group1 and Group2 but not Group3.
    5. Agree to the app Terms and Conditions.
    6. (Certain groups or organizational units) Select the user groups and organizational you want to install the app for.
    7. Click Finish.
    8. A notification is displayed notifying you the Email DLP by Palo Alto Networks app successfully installed.
    9. Click Done.
    10. Enter Email DLP in the search bar and select the Email DLP app for your region. Verify that the app tile displays Installed
  5. Set Up a Proofpoint Server for Email Encryption.
    This is required to encrypt emails inspected by Enterprise DLP that match your encryption Email DLP policy rule.
  6. Create the Gmail transport rules, and create the Email DLP Policy.
    Palo Alto Networks recommends setting Email DLP Host, transport rules, and Email DLP policy rules to ensure enforcements begins as soon as you successfully connect Gmail to Enterprise DLP.
    • Setting up a routing to the Email DLP Host allows Gmail to forward emails to Enterprise DLP and for inspection and verdict rendering to prevent exfiltration of sensitive data.
    • Transport rules instruct Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on verdicts rendered by Enterprise DLP.
      A transport rule isn't required for emails that match your Email DLP policy where you set the action to Monitor. In this case, the x-panw-action - monitor email header is added, a DLP incident is created, and the email continues to its intended recipient.
    • The DLP email policy specifies the incident severity and the action Enterprise DLP takes when matching traffic is inspected and sensitive data is detected.
  7. Log in to Strata Cloud Manager.
  8. Select ManageConfigurationSaaS SecuritySettingsApps Onboarding.
  9. Add the Gmail app to SaaS Security.
    1. Search for Gmail and click the Gmail app.
    2. Add the Gmail app to SaaS Security.
  10. In the Email DLP Instance, click Add Instance.
  11. In the Setup Connectors and Rules page, add the email domains and relay hosts.
    Enterprise DLP requires you add one or more email domains and the Gmail Relay Host to ensure Gmail successfully forwards emails inspected by Enterprise DLP to the Gmail Relay Host.
    1. Enter an Email Domain.
      The Gmail Relay Host is always smtp-relay.gmail.com. The Port is always 587. This fields are automatically populated by default.
    2. (Optional) Add any additional email domains as needed.
    3. Connect.
  12. Gmail is now successfully connected and onboarded.
  13. Configure the Email DLP settings.
    • Edit the snippet settings to configure if and how Enterprise DLP stores and masks snippets of sensitive data that match your data pattern match criteria.
    • Edit the policy evaluation timeout settings to configure what Enterprise DLP does when Email DLP policy evaluation exceeds the configured timeout.
    • Configure evidence storage to save evidence for investigative analysis.