In This Section: |
Data is more accessible and transferable today than ever before, and the vast majority of data is sensitive at different levels. Some is confidential simply because it is part of an internal organization and is not meant to be available to the public. Some data is sensitive because of corporate requirements and legal regulations.
The Check Point Data Loss Prevention Software Blade (DLP) lets you use the Firewall to prevent users from sending sensitive data to external networks. DLP helps you implement an automated corporate policy that catches sensitive and protected data before it leaves your organization.
For more about using DLP, see the R80.20 Data Loss Prevention Administration Guide.
These are the features that the Data Loss Prevention Software Blade uses:
Note - See the R77 versions DLP CPcode Reference Guide. |
You can configure the Security Gateway to send email notifications to users and Data Owners. If you are using email notifications, it is necessary for the Security Gateway to access a mail server and a mail relay.
We recommend that you use different computers for a mail server and a mail relay. For more about other deployments, see the R80.20 Data Loss Prevention Administration Guide.
You can configure a DLP rule that sends users to the DLP portal when they send questionable data. This rule lets users decide if they will send data that can potentially violate the security policy.
The DLP portal is a web page that informs users that the specified data is possibly against company policy. If the users Send the data, then the action is logged.
Important - If you are using Data Owners, it is necessary to configure a mail server in the DLP Portal and Mail Server window. |
To enable DLP on an existing Security Gateway or cluster:
The General Properties window of the gateway opens.
The Data Loss Prevention Wizard opens.
The Email Domain and Active Directory page opens.
The Security Gateway accesses information in the definition of My Organization.
The My Organization Name page opens.
DLP uses these names to accurately detect incidents of data loss.
The DLP Portal and Mail Server page opens.
NOTE: It is not necessary to enable the DLP portal if UserCheck is enabled.
The Protocols page opens.
The Data Loss Prevention Blade Setup is Completed window opens.
When DLP incidents are logged, the DLP gateway can send automatic notifications to the Data Owners.
To add Data Owners to a Data Type:
SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab.
The data type properties window opens.
The Add Data Owners window opens.
If the data owner is not in the list, click New. In the Email Addresses window, enter the name and email address of the data owner (or name a list of email addresses).
DLP can send automatic messages to Data Owners for incidents that involve the applicable data types.
To configure Data Owner notification:
SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab.
The Email window opens.
Data Owners are added to the Email Notification list.
The default message is: The Check Point Data Loss Prevention system has found traffic which matches a rule
Internal emails between Microsoft Exchange clients use a proprietary protocol which is not supported by the Security Gateways. To scan internal emails between Microsoft Exchange clients, you must install an Exchange Security Agent on the Exchange Server. The agent sends emails to the Security Gateway for inspection using the SMTP protocol encrypted with TLS. To supply Data Loss Prevention for Microsoft exchange, it is necessary that the Exchange server can communicate with the Security Gateway.
An Exchange Security Agent must be installed on each Exchange Server that sends traffic to the Security Gateway with DLP. Each agent is centrally managed through SmartConsole and can only send emails to one Security Gateway. If your organization uses Exchange servers for all of its emails, you can also use this setup for scanning all emails.
To use the Exchange Security Agent it is necessary to configure settings in SmartConsole and on the Exchange server. For more about configuring an Exchange Security Agent, see sk103166.