
Configuring a DLP Gateway for a Web Proxy

You can use a Web Proxy server or servers for HTTP and HTTPS traffic. If you want the DLP gateway to scan this traffic, you must configure the DLP gateway.

Note - You can enable HTTPS Inspection on the gateway to scan HTTPS connections.

Configuring DLP for a Web Proxy

Use these procedures if the proxy or proxies are between the DLP gateway and the Internet, or in a DMZ.

Best Practice - If a proxy is in a DMZ, use the DLP gateway to scan the HTTP traffic between the user network and the proxy in the DMZ.

Configuring an R75 or higher DLP Gateway for Web Proxies

If you have one Web proxy server between the DLP gateway and the Internet, use either Procedure 1 or Procedure 2.

If you have more than one proxy between the DLP gateway and the Internet, use Procedure 2.

If you configure both Procedure 1 and Procedure 2, the DLP gateway drops HTTP and HTTPS traffic sent to any web proxy that is not specified in Procedure 1.

Procedure 1

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Data Loss Prevention > Protocols.
  3. Make sure that HTTP is selected for this gateway or for the default protocols.
  4. From the navigation tree, click Network Management > Proxy.
  5. Configure the proxy server settings:
    • To use the proxy server that is configured in Global Properties, click Use default proxy settings.
    • To use a proxy server for this gateway:
      1. Click Use custom proxy settings for this network object.
      2. Click Use proxy server.
      3. Enter the IP address and Port of the Web proxy server.
  6. Click OK.
  7. Install Policy.

    DLP only scans traffic to the specified web proxy.

Procedure 2

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Data Loss Prevention > Protocols.
  3. Make sure that HTTP is selected for this gateway or for the default protocols.
  4. From the navigation tree, click Network Management > Proxy.
  5. Click Use custom proxy settings for this network object.
  6. Click Use proxy server.
  7. Enter the IP address and Port of the Web proxy server.
  8. Click OK.
  9. Install Policy.

Configuring a Pre-R75 DLP Gateway for a Web Proxy

For a pre-R75 DLP gateway, if you have one Web proxy between the DLP gateway and the Internet, use Procedure 1.

If you have more than one Web proxy, put the DLP gateway between the proxies and the Internet.

Configuring DLP for an Internal Web Proxy

If the DLP gateway is between the Web (HTTP) proxy server or servers and the Internet, use these procedures.

Configuring the DLP Gateway for an Internal Web Proxy

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartConsole opens and shows the DLP tab.

  2. From the navigation tree, click Additional Settings > Protocols.
  3. Select HTTP, either for the gateway or in the default protocols.
  4. Click OK.
  5. From the navigation tree, click My Organization.
  6. In the Networks section, if Select specific networks and hosts is selected, do these steps:
    1. Click Edit.
    2. In the Networks and Hosts window, make sure that the internal Web proxy is listed. If it is not, click Add and select the objects for the internal Web proxy.
    3. Click OK.
  7. Click Save and then close SmartConsole.
  8. From SmartConsole, Install Policy.

Configuring Proxy Settings after Management Upgrade

For a Security Management server that is upgraded from R70 and lower, traffic that passes through a DLP gateway to a web proxy server contains the gateway's IP as the source address instead of the original client IP address. For new installations and for installations that were upgraded from R71, the original client IP address is used.

If the traffic that contains the gateway's IP as source address reaches another Security Gateway which either logs traffic or enforces access based on identity, the source IP address does not represent the user's IP address.

To use the client's IP address as source address for the traffic leaving the DLP gateway:

  1. On the SmartConsole computer, run:

    C:\Program Files\CheckPoint\SmartConsole\R80.30\PROGRAM\GuiDBedit.exe

  2. Log in with your SmartConsole credentials.
  3. In the left pane, select Table > Network Objects > network_objects.
  4. In the right pane, select the DLP Gateway.
  5. In the bottom pane, in the Field Name column, select firewall_settings.
  6. Change the http_unfold_proxy_conns attribute to true.