Recommended Deployment - DLP Gateway with Mail Relay
Item | Description
---|---
1 | Internal mail server
2 | DLP Gateway
3 | Mail relay in the DMZ
Make sure that the DLP Gateway does NOT scan emails as they pass from the mail relay to the target mail server in the Internet.
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  The gateway window opens and shows the General Properties page.
- Make sure that mails from the internal mail server (e.g. Microsoft Exchange) (1) arrive at the gateway using an internal Gateway interface:
  - From the navigation tree, click Network Management.
  - Double-click the gateway interface that leads to the internal mail server.
  - From the General page, click Modify.
  - In the Leads To section, click Override > This Network (Internal) > Network defined by the interface IP and Net Mask.
  - Click OK and close the interface window.
- Deploy the internal mail relay (2) behind a DMZ interface of the DLP Gateway:
  - In the Topology page of the DLP Gateway object, define the gateway interface that leads to the Mail relay as Internal and also as Interface leads to DMZ.
  - In the Networks section of the My Organization page:
    - Select Anything behind the internal interfaces of my DLP Gateways
    - Do NOT select Anything behind interfaces which are marked as leading to the DMZ
Note - If the DLP Gateway interface leading to the internal mail relay is internal and you cannot deploy the internal mail relay behind a DMZ interface of the DLP Gateway, configure My Organization with specific networks instead:
- In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
  SmartDashboard opens and shows the DLP tab.
- From the navigation tree, click the My Organization page.
- In the Networks section, click Select specific networks and hosts.
- Click Edit.
- Select the networks that include the internal mail server, but do NOT include the relay server.
- Click OK.
- Click Save and then close SmartDashboard.
- In SmartConsole, install policy.
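An added illustration, not Check Point's code and not part of this page: a simplified Python model of the My Organization rules above, using constructed interface addresses, that shows why the relay must either sit behind a DMZ-marked interface or be left out of the specific-networks list. It assumes DLP inspects mail whose source is inside My Organization and whose destination is outside it.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology of the DLP Gateway (hypothetical addresses, not from the page).
# Each interface: the network it leads to ("Network defined by the interface IP and Net Mask")
# plus its Topology flags (Internal / Interface leads to DMZ).
IFACES = {
    "eth1": {"net": ip_network("10.1.0.0/24"),   "internal": True,  "dmz": False},  # -> Exchange
    "eth2": {"net": ip_network("172.16.5.0/24"), "internal": True,  "dmz": True},   # -> mail relay
    "eth0": {"net": ip_network("0.0.0.0/0"),     "internal": False, "dmz": False},  # -> Internet
}

EXCHANGE, RELAY, INTERNET_MX = "10.1.0.10", "172.16.5.10", "203.0.113.25"


def my_organization(ifaces, behind_dmz=False, specific=None):
    """Networks DLP treats as 'My Organization' (simplified model of the My Organization page).

    specific   -> 'Select specific networks and hosts' (the alternative procedure)
    behind_dmz -> the 'Anything behind interfaces which are marked as leading to the DMZ' box
    'Anything behind the internal interfaces of my DLP Gateways' is assumed selected.
    """
    if specific is not None:
        return [ip_network(n) for n in specific]
    return [i["net"] for i in ifaces.values()
            if i["internal"] and (behind_dmz or not i["dmz"])]


def dlp_scans(src, dst, org):
    """Assumed model: DLP inspects SMTP leaving My Organization for a destination outside it."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in org) and not any(d in n for n in org)


def evaluate(org):
    """Return (scanned on Exchange->relay hop, scanned on relay->Internet hop)."""
    return dlp_scans(EXCHANGE, RELAY, org), dlp_scans(RELAY, INTERNET_MX, org)


# Recommended: relay behind a DMZ-marked interface, DMZ box NOT selected.
dmz_deployment = evaluate(my_organization(IFACES))
# Alternative: relay interface is plain internal, so select specific networks without the relay.
flat = {k: dict(v, dmz=False) for k, v in IFACES.items()}
specific_networks = evaluate(my_organization(flat, specific=["10.1.0.0/24"]))
# Misconfiguration: relay interface plain internal and 'anything behind internal' left as-is,
# so the first hop is skipped and the relay->Internet hop is scanned, the reverse of what is wanted.
misconfigured = evaluate(my_organization(flat))

if __name__ == "__main__":
    for name, (hop1, hop2) in [("DMZ deployment", dmz_deployment),
                               ("specific networks", specific_networks),
                               ("misconfigured", misconfigured)]:
        print(f"{name:18} Exchange->relay scanned={hop1}  relay->Internet scanned={hop2}")
```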