Configuring a DLP Gateway for a Web Proxy

You can use a Web Proxy server or servers for HTTP and HTTPS traffic. If you want the DLP Gateway to scan this traffic, you must configure the DLP Gateway.

Note - You can enable HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. on the gateway to scan HTTPS connections.

To configure DLP for a Web Proxy, use these procedures if the proxy or proxies are between the DLP Gateway and the Internet, or in a DMZ.

Best Practice - If a proxy is in a DMZ, use the DLP Gateway to scan the HTTP traffic between the user network and the proxy in the DMZ.

If you have one Web proxy server between the DLP Gateway and the Internet, use either Procedure 1 or Procedure 2.

If you have more than one proxy between the DLP Gateway and the Internet, use Procedure 2.

If you configure both Procedure 1 and Procedure 2, the DLP Gateway drops HTTP and HTTPS traffic sent to any web proxy that is not specified in Procedure 1.

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Gateways & Servers and double-click the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Data Loss PreventionClosed Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. > Protocols.

  3. Make sure that HTTP is selected for this gateway or for the default protocols.

  4. From the navigation tree, click Network Management > Proxy.

  5. Configure the proxy server settings:

    • To use the proxy server that is configured in Global Properties, click Use default proxy settings.

    • To use a proxy server for this gateway:

      1. Click Use custom proxy settings for this network object.

      2. Click Use proxy server.

      3. Enter the IP address and Port of the Web proxy server.

  6. Click OK.

  7. Install Policy.

    DLP only scans traffic to the specified web proxy.

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Data Loss Prevention > Protocols.

  3. Make sure that HTTP is selected for this gateway or for the default protocols.

  4. From the navigation tree, click Network Management > Proxy.

  5. Click Use custom proxy settings for this network object.

  6. Click Use proxy server.

  7. Enter the IP address and Port of the Web proxy server.

  8. Click OK.

  9. Install Policy.

For a pre-R75 DLP Gateway, if you have one Web proxy between the DLP Gateway and the Internet, use Procedure 1:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Data Loss Prevention > Protocols.

  3. Make sure that HTTP is selected for this gateway or for the default protocols.

  4. From the navigation tree, click Network Management > Proxy.

  5. Configure the proxy server settings:

    • To use the proxy server that is configured in Global Properties, click Use default proxy settings.

    • To use a proxy server for this gateway:

      1. Click Use custom proxy settings for this network object.

      2. Click Use proxy server.

      3. Enter the IP address and Port of the Web proxy server.

  6. Click OK.

  7. In SmartConsole, install the policy.

    DLP only scans traffic to the specified web proxy.

If you have more than one Web proxy, put the DLP Gateway between the proxies and the Internet.

Configuring DLP for an Internal Web Proxy

If the DLP Gateway is between the Web (HTTP) proxy server or servers and the Internet, use these procedures.

  1. In SmartConsole, select Security PoliciesClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartConsole opens and shows the DLP tab.

  2. From the navigation tree, click Additional Settings > Protocols.

  3. Click HTTP. Either for the gateway, or on the default protocols.

  4. Click OK.

  5. From the navigation tree, click My Organization.

  6. In the Networks section, if Select specific networks and hosts is selected, do these steps:

    1. Click Edit.

    2. In the Networks and Hosts window, make sure that the internal Web Proxy is listed. Or click Add, and select the objects for the internal Web Proxy.

    3. Click OK.

  7. Click Save and then close SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings..

  8. In SmartConsole, install policy.

Configuring Proxy Settings after Management Upgrade

For a Security Management server that is upgraded from R70 and lower, traffic that passes through a DLP Gateway to a web proxy server contains the gateway's IP as the source address instead of the original client IP address. For new installations and for installations that were upgraded from R71, the original client IP address is used.

If the traffic that contains the gateway's IP as source address reaches another Security Gateway which either logs traffic or enforces access based on identity, the source IP address does not represent the user's IP address.

  1. On the SmartConsole computer, run:

    C:\Program Files\CheckPoint\SmartConsole\R80.30\PROGRAM\Database Tool (GuiDBEdit Tool).exe

  2. Log in with your SmartConsole credentials.

  3. In the left pane, select Table > Network Objects > network_objects.

  4. In the right pane, select the DLP Gateway.

  5. In the bottom pane, in the Field Name column, select firewall_settings.

  6. Change the http_unfold_proxy_conns attribute to true.