Set Up the Email DLP Host

Create a route from Gmail to the Enterprise Data Loss Prevention (E-DLP) Email DLP host.
Where Can I Use This?
  • Data Security
What Do I Need?
  • One of the following licenses that include the Enterprise DLP license
    Review the Supported Platforms for details on the required license for each enforcement point.
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
  • Email DLP license
Setting up routing from Gmail to the Enterprise Data Loss Prevention (E-DLP) Email DLP host is required to allow Gmail to forward emails to Enterprise DLP for inspection and verdict rendering to prevent exfiltration of sensitive data.
  1. In the Dashboard, select Apps > Google Workspace > Gmail > Hosts and Add Route.
  2. Configure the Email DLP host.
    1. Enter a descriptive Name.
    2. In Specify email server, verify Single host is selected.
    3. Enter the host name and port.
      Adding the Email DLP host name is required for positive identification of the Palo Alto Networks DLP cloud service. The CA issuer FQDN you add must match the email routing FQDN you added in the previous step.
      • United States
        mail.us-west1.email.dlp.paloaltonetworks.com
      • Europe
        mail.europe-west3.email.dlp.paloaltonetworks.com
      • APAC
        mail.asia-southeast1.email.dlp.paloaltonetworks.com
      • Port
        25
    4. For the Options, verify the following settings are enabled.
      • Require mail to be transmitted via a secure (TLS) connection
      • Require CA signed certificate
      • Validate certificate hostname
    5. Test TLS connection to verify Gmail can successfully connect to Enterprise DLP.
    6. Save.
  3. Back in the Hosts page, verify that the Email DLP host is displayed.
  4. Set Up a Proofpoint Server for Email Encryption.
    This is required to encrypt emails inspected by Enterprise DLP that match your encryption Email DLP policy rule.
    Skip this step if you already configured routing to your Proofpoint server.
  5. Create Gmail Transport Rules.
    After you successfully set up the Email DLP host on Gmail, you must create the Gmail transport rules to instruct Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on verdicts rendered by Enterprise DLP.
    A transport rule isn't required for emails that match your Email DLP policy where the action is set to Monitor. In this case, Enterprise DLP adds x-panw-action - monitor to the email header, a DLP incident is created, and the email continues to its intended recipient.
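
The three options enabled in step 2 can also be checked from outside the Gmail console. The following Python script is an added example, not Palo Alto Networks or Google code: it opens SMTP on port 25 to the regional hosts listed above, requires STARTTLS, and validates the certificate chain and hostname. The region keys, the function names and the use of the local system CA store are assumptions of this example.

```python
import smtplib
import ssl
import sys

# Regional Email DLP hosts and port, copied from step 2 of this page.
EMAIL_DLP_HOSTS = {
    "us": "mail.us-west1.email.dlp.paloaltonetworks.com",
    "europe": "mail.europe-west3.email.dlp.paloaltonetworks.com",
    "apac": "mail.asia-southeast1.email.dlp.paloaltonetworks.com",
}
SMTP_PORT = 25

def strict_tls_context():
    """Mirror 'Require CA signed certificate' and 'Validate certificate hostname'."""
    ctx = ssl.create_default_context()   # assumption: trust the local system CA store
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject unsigned or self-signed certificates
    ctx.check_hostname = True            # certificate must name the host we dialled
    return ctx

def describe_cert(cert):
    """Reduce ssl getpeercert() output to the fields worth recording."""
    return {
        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "not_after": cert.get("notAfter"),
    }

def check_route(region, timeout=15):
    """Connect as a sending MTA would: SMTP on port 25, then mandatory STARTTLS."""
    host = EMAIL_DLP_HOSTS[region]
    result = {"host": host, "ok": False}
    try:
        with smtplib.SMTP(host, SMTP_PORT, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):  # 'Require ... secure (TLS) connection'
                result["error"] = "server does not offer STARTTLS"
                return result
            smtp.starttls(context=strict_tls_context())
            result.update(ok=True, tls=smtp.sock.version(),
                          **describe_cert(smtp.sock.getpeercert()))
    except ssl.SSLCertVerificationError as exc:  # untrusted CA or hostname mismatch
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

if __name__ == "__main__":
    for region in sys.argv[1:] or EMAIL_DLP_HOSTS:
        print(region, check_route(region))
```

Run it from a host that is allowed outbound connections on port 25; where that port is filtered, the result carries the connection error instead of certificate details.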