Connection Filters

Email Security creates Connection Filters to prevent the blocking of emails sent to users.

Connection filter name: Connection filter policy (Default)

  • 3.101.216.128/28

  • 3.101.216.144/28

  • 3.214.204.181

  • 18.97.17.224/28

  • 35.174.145.124

  • 44.211.178.96/28

  • 44.211.178.112/28

  • 3.40.131.0/28

  • 3.252.108.160/28

  • 3.252.108.176/28

  • 13.39.103.0/28

  • 13.39.103.16/28

  • 52.17.62.50

  • 52.212.19.177

  • 3.27.51.160/28

  • 3.27.51.176/28

  • 3.27.51.178/28

  • 3.105.224.60

  • 13.211.69.231

  • 18.98.196.176/28

  • 18.143.136.64/28

  • 18.143.136.80/28

  • 18.99.4.64/28

  • 18.96.227.0/28

  • 3.41.0.160/28

  • 3.29.194.128/28

  • 3.29.194.144/28

  • 18.96.97.192/28

  • 3.44.1.224/28

Journal Rules

Email Security creates a Journal rule that configures Microsoft 365 to send a copy of all scoped emails to the journaling mailbox used by Email Security for inspection.

Email Security uses this Journal rule only for policies in Detect and Detect and Remediate protection modes.

Journal rule name: Check Point - Monitor

Journal Reports

Email Security configures the Journal rule to send the Journal reports to [portal]@[portal]-mail.checkpointcloudsec.com

It also configures a mailbox for undeliverable journal reports, if the mailbox was not configured yet for the Check Point Portal tenant.

Email Security sends the undeliverable journal reports to these mailboxes when they are not deliverable to the email address specified in the journal rule:

Check Point Portal Tenant Region

Undeliverable Journal Report Mailbox

United States

[portal name]@mt-prod-cp-us-2-journal-error.checkpointcloudsec.com

Europe

[portal name]@mt-prod-cp-eu-1-journal-error.checkpointcloudsec.com

Australia

[portal name]@mt-prod-cp-au-4-journal-error.checkpointcloudsec.com

Canada

[portal name]@mt-prod-cp-ca-1-journal-error.checkpointcloudsec.com

Groups

Email Security creates groups to protect the specific users and groups selected in the policies for Prevent (Inline) protection mode.

When administrators configure Scope for a policy in Prevent (Inline) protection mode, it gets updated to the relevant group so that only those specific users are protected inline.

Email Security creates these groups:

  • checkpoint_inline_incoming

  • checkpoint_inline_outgoing

Check Point Inline Incoming Group

This group allows Email Security to protect only the incoming emails sent to users protected by an incoming policy in Prevent (Inline) protection mode.

Group name: checkpoint_inline_incoming

Group email address: checkpoint_inline_incoming@[portal domain]

Check Point Inline Outgoing Group

This group allows Email Security to protect only the outgoing emails sent by users protected by an outgoing policy in Prevent (Inline) protection mode.

Group name: checkpoint_inline_outcoming

Group email address: checkpoint_inline_outcoming@[portal domain]

Distribution Lists

Email Security creates a distribution list to support the protection of group mailboxes for policies in Prevent (Inline) protection mode.

Distribution list name: checkpoint_inline_groups

Spoofed Senders Allow List

To route emails from protected users and send emails on behalf of the protected domain, Email Security adds spoofed sender exceptions to Tenant Allow/Block List in Microsoft 365.

For example, Email Security adds these infrastructure values for Check Point Portal tenants residing in the United States region.

User

Sending Infrastructure

Spoof Type

Action

*

us.cloud-sec-av.com

Internal

Allow

*

us.cloud-sec-av.com

External

Allow

Sending infrastructure for Check Point Portal tenants residing in different regions:

Region

Country

Sending Infrastructure

Americas

USA

Canada

EMEA (Europe, Middle East and Africa)

Ireland

United Arab Emirates

APAC (Asia Pacific)

 

Australia

India

Singapore

United Kingdom

-

Trusted ARC Sealers

To ensure email authentication remains valid even after routing emails, Email Security adds a Check Point domain to the list of Authentication Received Chain (ARC) trusted sealers.

Check Point adds this to the list of trusted ARC sealers: checkpointcloudsec.com

Reported Phishing Emails

To present all phishing reported emails from end users using the Microsoft Report Message Add-in, reports must be configured to be sent to Microsoft and to an internal phishing reporting mailbox.

If your Microsoft 365 account is configured to send reported emails to an internal mailbox, Email Security monitors that internal mailbox for phishing reports, and the configuration does not change.

If your Microsoft 365 account is not configured to send emails to an internal mailbox, the system creates a shared mailbox with report-phishing-checkpoint@<your domain> email address and configures it to receive these reports.

Note - The system creates only a shared mailbox and it does not consume a Microsoft license from your account.

Delegated Token

To complete the required actions during automatic onboarding, such as creating groups and assigning a Global Admin role to the Check Point application, Email Security uses a delegated token from the authorizing user who approved the permissions.

If you choose to disconnect Email Security from Microsoft 365, Email Security executes the reverse actions, including deleting groups and disassociating roles. To do that, the Check Point Azure application must periodically refresh and maintain a valid delegated token.

The system initiates the refresh action on behalf of the authorizing user, and you can observe these activities in your Microsoft 365 audit log:

  • Periodic logins by the Check Point application on behalf of the user to refresh the token.

  • Failed login attempts in case the user no longer exists or the password has changed.

    Note - These failed logins do not affect security or email delivery. However, when disconnecting Email Security from Microsoft 365, manual actions are necessary to eliminate its footprint.

    To resolve this issue, re-authorize the Microsoft 365 application with the same or another Microsoft administrator credentials.

    1. Click Security Settings > SaaS Applications.

    2. Click Configure for Office 365 Mail.

    3. Click Re-Authorize Check Point Office 365 Email App.

    4. Follow the onscreen instructions and authorize the Microsoft 365 application.

PowerShell Scripts

Email Security uses PowerShell scripts to perform various tasks in the Microsoft 365 environment, such as:

  • Create / edit / delete Mail Flow rules, Connectors, Journal rules, Connection Filter, and Distribution List.

  • Configuring a mailbox for undeliverable Journal Reports (if the mailbox was not configured yet for the tenant).

    This mailbox will be used to receive Journal Reports when they are not deliverable to the email address specified in the Journal rule.

  • Reading the Hosted Content Filter Policy to get the tenant’s policy actions.

  • Allowing Email Security domain, so emails will not be blocked when going through Email Security’s security engines.

  • In case a policy that triggers Microsoft Encryption is created, a script will read the IRM Encryption to configure an Encryption rule.

  • Creating a new shared mailbox and configuring the system to forward reported phishing emails to the mailbox using the Microsoft Report Message Add-in.

    Note - If the Microsoft account is already configured to forward reported phishing emails to an internal mailbox, this configuration will not be performed.