Check Point Manual Integration with Office 365

Policy Modes

These are the policy modes:

  • Detect - Monitors the emails and creates the relevant event.

  • Detect and Remediate - Creates an event, and also performs retroactive enforcement for Inbound emails already delivered to users.

  • Prevent (Inline) - All emails are reviewed before delivery to the user.

The Detect mode and the Detect and Remediate mode have the same configuration and are sometimes referred to together as Detect modes in this document.

Best Practice - We recommend that you start with the configuration for Detect modes and later change to Prevent (Inline). If you are already in one of the Detect modes and want to start with Prevent (Inline) mode, skip to Introduction - Prevent (Inline) Mode.

Note - For the system to work properly, you must follow the steps in the order they appear.

Step 1 - Check Point Contact

The first step in Manual Integration is to add your dedicated Check Point Contact. This contact is used for the Undeliverable Journal Reports under Journal Rules in Step 2 - Journal Rule.

If you already configured a recipient for undeliverable journal rules, skip this step.

Step 2 - Journal Rule

The Journal rule is used only for Detect modes (Detect or Detect and Remediate). The Journal rule configures Office 365 to send a copy of all scoped emails to the journaling mailbox used by CloudGuard SaaS for inspection.

Note - Before you create a Journal rule, you must specify a mailbox to receive the Undeliverable journal report. If you already configured a mailbox for this purpose, skip this step and define only the journal rule.

Step 3 - Connectors

In this step, you define two connectors:

  • Inbound connector - For all modes.

  • Journaling Outbound - For Detect modes.

These connectors send traffic to and receive traffic from the cloud.

Note - These connectors are used for Detect modes. For information on the configuration for Prevent (Inline) mode, see Introduction - Prevent (Inline) Mode.

Step 4 - Connection Filter (All Modes)

Update the Connection Filter to whitelist emails from Check Point. This goes hand-in-hand with the Check Point Inbound Connector created in Step 3 - Connectors.

Step 5 - On-boarding (Detect & Detect and Remediate)

In this step, you are ready to integrate CloudGuard SaaS with Office 365 for Detect and Detect and Remediate modes.

Step 6 - Quarantine Mailbox (for Office 365 Outlook Only)

The quarantine mailbox is a dedicated mailbox for suspicious/malicious emails. Most of the emails in the quarantine mailbox contain a possible threat and/or sensitive information. Quarantined emails can be tracked and restored in the Events and Quarantine pages on the portal.

Best Practice - We highly recommend that you restrict access to the Quarantine mailbox.

To configure the quarantine mailbox, you must first create an Office 365 user with a mailbox.

Introduction - Prevent (Inline) Mode

In Prevent (Inline) mode, the system inspects all emails in scope before delivery to the users. In manual mode, you must change the policy to Prevent (Inline) before moving to Office 365 configurations.

To configure Prevent (Inline) mode, follow Steps 7-9 in the following pages.

Note - To return to detect modes, disable the transport rules in Step 9 - Transport Rules (Prevent (Inline) Mode).

Step 7 - Prevent (Inline) Policy Configuration on CloudGuard SaaS

Step 8 - Connectors (Prevent (Inline) Mode)

In this step, you define the outbound connector for Prevent (Inline) mode.

Step 9 - Transport Rules (Prevent (Inline) Mode)

The purpose of the transport rule is to implement the inline mode for the users that need to be inline. Every time you change the scope of the inline policy (add or remove users/groups) you need to edit the scope of the transport rule accordingly.

Note - If any mail flow rules already exist, the Check Point rules must be prioritized.

These are the three Check Point rules:

  1. Check Point - Protect

  2. Check Point - Whitelist

  3. Check Point - Junk Filter
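The prioritization note above can be audited from Exchange Online PowerShell. The following is an added example, not Check Point's own tooling: it assumes the rules carry exactly the three names listed above and that rule objects expose Name, Priority and State as returned by Get-TransportRule. The function name and the sample rules are constructed for illustration.

```powershell
# Added example: report whether the three Check Point mail flow rules exist,
# are enabled, and are evaluated before every other rule.
# In Exchange Online a lower Priority value is evaluated first.
$CheckPointRules = 'Check Point - Protect', 'Check Point - Whitelist', 'Check Point - Junk Filter'

function Test-CheckPointRulePriority {
    param(
        # Objects with Name, Priority and State, e.g. the output of Get-TransportRule
        [Parameter(Mandatory)] [object[]] $Rules
    )
    $findings = @()
    $cp     = @($Rules | Where-Object { $CheckPointRules -contains $_.Name })
    $others = @($Rules | Where-Object { $CheckPointRules -notcontains $_.Name })

    foreach ($name in $CheckPointRules) {
        $rule = $cp | Where-Object { $_.Name -eq $name }
        if (-not $rule) { $findings += "Missing rule: $name"; continue }
        # Disabled rules are expected only after a return to Detect modes
        if ($rule.State -ne 'Enabled') { $findings += "Rule not enabled: $name" }
    }

    if ($cp.Count -gt 0 -and $others.Count -gt 0) {
        # Any non-Check Point rule with a lower Priority value than the last
        # Check Point rule is evaluated ahead of it
        $lastCp = ($cp | Measure-Object -Property Priority -Maximum).Maximum
        foreach ($o in ($others | Where-Object { $_.Priority -lt $lastCp })) {
            $findings += "Rule '$($o.Name)' (priority $($o.Priority)) runs before a Check Point rule"
        }
    }
    return $findings
}

# Constructed sample input: a pre-existing rule sits above the Check Point rules
$sample = @(
    [pscustomobject]@{ Name = 'Legal disclaimer (constructed)'; Priority = 0; State = 'Enabled' }
    [pscustomobject]@{ Name = 'Check Point - Protect';          Priority = 1; State = 'Enabled' }
    [pscustomobject]@{ Name = 'Check Point - Whitelist';        Priority = 2; State = 'Enabled' }
    [pscustomobject]@{ Name = 'Check Point - Junk Filter';      Priority = 3; State = 'Disabled' }
)
Test-CheckPointRulePriority -Rules $sample

# Against a live tenant, after Connect-ExchangeOnline:
# Test-CheckPointRulePriority -Rules (Get-TransportRule)
```

An empty result means all three rules are present, enabled and ahead of every other mail flow rule.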

Check Point - Protect

Check Point - Whitelist

Check Point - Junk Filter

Transport Rules

Office 365 Transport rules automate actions on emails in transit based on custom policies. In most enterprise environments, every transport rule is either a Delivery Rule or a Modification Rule.