Configuring a DLP Gateway or Security Cluster

You can enable the DLP Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. as one of the Software Blades on a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. This is known as an integrated DLP deployment. In a dedicated DLP Gateway, the Data Loss PreventionClosed Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. Software Blade is enabled on a separate Security Gateway (or Security ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.).

In ClusterXL Load Sharing cluster, the DLP Software Blade can work only when the policy contains DLP rules that use the Detect, Inform, or Prevent actions (see DLP Rule Actions). The Ask DLP action is not supported for ClusterXL Load Sharing.

In a Cluster with enabled DLP Software Blade, state synchronization happens every two minutes. Therefore, if there is a cluster failover, the new Active cluster memberClosed Security Gateway that is part of a cluster. may not be aware of DLP incidents that happened in the two minutes since the cluster failover.

In an integrated deployment you can:

  • Enable the DLP blade on an existing Security Gateway or Security Cluster.

  • Configure a new Security Gateway or cluster and enable the DLP blade on it.

To enable DLP on an existing Security Gateway or cluster:

  1. Open SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., open the Security Gateway or Security Cluster object.

    The gateway window opens and shows the General Properties page.

  2. For a Security Cluster: in the ClusterXL page, select High Availability or Load Sharing mode .

    For ClusterXL Load Sharing, the Ask action in the DLP rules is not supported.

  3. In the Software Blades section, click the Data Loss Prevention Software Blade.

    Note - On a Security Cluster, this enables the DLP blade on every cluster member.

    The Data Loss Prevention Wizard opens.

  4. Complete the Data Loss Prevention Wizard (see Data Loss Prevention Wizard).

  5. Install policy.

To configure a dedicated DLP Gateway behind an existing Security Gateway or Security Cluster:

  1. Install a separate gateway (or cluster) behind the existing Security Gateway.

  2. In SmartConsole, create a new object for the separate Security Gateway or cluster.

    Note - If you created a cluster, in the ClusterXL Load Sharing modes, the Ask action in the DLP rules is not supported.

  3. In the Security Gateway or cluster object, go to the General Properties page.

  4. In the Network Security tab, clear the Firewall Software Blade and select the Data Loss Prevention Software Blade.

    The Data Loss Prevention Wizard opens.

  5. Complete the Data Loss Prevention Wizard (see Data Loss Prevention Wizard).

  6. Install policy on the separate Security Gateway or cluster object.

>

Best Practice - When you set up a dedicated DLP Gateway, configure it in Bridge ModeClosed Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology.. The bridge is transparent to network routing.