
Out of the Box

In This Section:

Data Loss Prevention in SmartDashboard

Defining Settings for My Organization

Defining Internal VPNs

Excluding VPNs from My Organization

Setting a Time Restriction

Selective Deployment - Gateways

Selective Deployment - Protocols

Event Analysis Views Available in R80 SmartConsole

Data Loss Prevention in SmartDashboard

To show these pages in SmartDashboard:

In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

SmartDashboard opens and shows the DLP tab.

Page

Function

Policy

Manage the rule base for Data Loss Prevention policy.

Whitelist Policy

Manage files that will never be matched by the DLP Rule Base.

Data Types

Define representations of data assets to protect.

Repositories

Manage the fingerprint and whitelist repositories. The fingerprint repository contains documents that are not allowed to leave the organization. The whitelist repository contains documents that can leave the organization.

My Organization

Define the internal environment: networks, users, email addresses, and VPN communities.

Gateways

Enable the Data Loss Prevention Software Blade on Check Point Security Gateways. You can define DLP gateways and Exchange Agents. An Exchange Agent lets you scan internal emails between Microsoft Exchange clients once you install the Exchange Security Agent on the Exchange Server. The table shows status, uptime, inspected items, version, CPU usage and comments for the gateways and Exchange Agents. You can see a graphical representation of this information in SmartView Monitor.

UserCheck

Manage UserCheck objects that are used in a Rule Base to:

  • Help users with decisions that can be dangerous to the security of the organization.
  • Share the organization's changing internet policy for web applications and sites with users, in real-time.

Additional Settings:

Protocols

Enable the protocols to be checked on individual DLP Gateways.

Mail Relay

Configure the mail server for DLP to send notification emails.

Email Addresses or Domains

Manage email address lists and domains for use in DLP rules and Data Types.

Watermarks

Configure the tracking option that adds visible watermarks or invisible encrypted text to Microsoft Office documents (Word, Excel, or PowerPoint files from Office 2007 and higher) that are sent as email attachments (outgoing and internal emails).

Advanced

  • Incident Tracking - Define whether to log all emails (to calculate the ratio of incidents to all emails) or only DLP incidents.
  • Email Notifications - Define if users are notified after a DLP violation on the selected protocols.
  • Learn User Actions - Define whether DLP learns Ask User answers for all messages of a thread, or asks each time a message violates a DLP rule.
  • Extreme Conditions - Lets you define whether to bypass DLP inspection of SMTP, FTP and HTTP and prefer connectivity under these extreme conditions:
    • CPU load is above the high CPU load watermark
    • Other extreme conditions, including:
      • Internal errors
      • Protocol message sizes exceed the default value
      • File attachments exceed the default value
      • Archive depth exceeds the default value

    If necessary, you can change the default values.

  • Watermarks - Define whether watermarks are applied on DLP rules and how to handle a document that already has a watermark.

HTTPS Inspection (located in a separate tab)

Configure inspection of HTTPS/SSL traffic from enterprise networks to external destinations.

Defining Settings for My Organization

Configure these settings in the My Organization page in the Data Loss Prevention tab in SmartDashboard.

To open the Data Loss Prevention tab in SmartDashboard:

In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

SmartDashboard opens and shows the DLP tab.

To complete the configuration:

  1. Click Save and close SmartDashboard.
  2. From R80 SmartConsole, publish the changes.
  3. Install the policy on the Security Gateways.

To add domains and email addresses to My Organization:

  1. From the navigation tree, click My Organization.
  2. In the Email Addresses or Domains section, enter a domain or specific email address.
  3. Click Add.

To define user accounts as internal users or user groups:

  1. On the My Organization page, in the Users section, click Select specific users and user groups.
  2. Click Edit.
  3. In the User Groups and Users window, click Add > New > User or User Group.

    The User Properties or Group Properties window opens.

  4. For a new user, configure the settings and then click OK.

    Make sure to configure the email address. This lets DLP recognize the user for email scans.

  5. For a new user group:
    1. Enter the Name for the group.
    2. Select the members that you are adding to the group, and click Add.
    3. Click OK.

    The users and groups are added to the Security Management Server database.

To define only the specified networks and hosts for DLP:

  1. On the My Organization page, in the Networks section, click Select specific networks and hosts.
  2. Click Edit.

    The Networks and Hosts window shows the objects that are defined as internal.

  3. Click Add.
  4. Select the item from the list of defined networks and hosts that you are defining as internal.
  5. Repeat the previous two steps for all the necessary items.
  6. Click OK.

To exclude users from My Organization:

  1. On the My Organization page, in the Users section, click All users.
  2. Click Exclusions.

    The User Groups and Users window opens.

  3. Click Add.
  4. Select the items that you want to exclude from My Organization.
  5. Click OK.

Defining Internal VPNs

Remote Access communities in the VPN section of My Organization are supported only in Office Mode.

To configure Office Mode for support of Remote Access communities:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click VPN Clients > Office Mode.
  3. Select Perform Anti-Spoofing on Office Mode addresses.
  4. In Additional IP Addresses for Anti-Spoofing, select the applicable network object.
  5. Click OK and publish the changes.

To include VPN traffic in My Organization:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the VPN section, make sure All VPN traffic is selected.
  4. Click Save and then close SmartDashboard.
  5. From R80 SmartConsole, install the policy.

Excluding VPNs from My Organization

To discover VPNs known to DLP:

  1. In R80 SmartConsole, click Gateways & Servers, and find the VPN gateway that protects the DLP gateway.

    For an integrated DLP deployment, this is the DLP gateway itself. The protecting VPN gateway includes the IP address of the DLP gateway in its encryption domain.

  2. Double-click the VPN gateway.

    The gateway window opens and shows the General Properties page.

  3. From the navigation tree, click IPSec VPN.

    The DLP gateway is aware of the VPN communities that are shown in this page.

To exclude VPNs from My Organization:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the VPN section, click Exclusions.

    The VPN Communities window opens.

  4. Select the VPNs that you want to exclude from My Organization and click Add.

    Ignore the VPNs that are not relevant to the protecting VPN gateway; they are excluded by default.

  5. Click Save and then close SmartDashboard.
  6. From R80 SmartConsole, install the policy.

Setting a Time Restriction

The Time column in the DLP Rule table holds a time object or a group of time objects. These are the same time objects that are used in the Firewall Rule Base.

To create a time object:

  1. Open the Data Loss Prevention tab > Policy page.
  2. Right-click in the Time column of a rule.
  3. From the pop-up menu, select Time.

    A window opens showing a list of existing time objects. You can select an existing time object or create a new one.

    Note - Existing time objects can be reused.

  4. Click New > Time.

    The Time Properties window opens.

  5. On the General page, enter a name for the object.
  6. On the Time page:
    1. In the Time Period section, configure when the time object activates and expires.
    2. In the Restrict to specific hour ranges section, specify up to 3 hour ranges during which the time object enforces the DLP rule. The times specified here refer to the local time on the Security Gateway.
    3. Specify the days on which the time object enforces the DLP rule: every day, specified days of the week, a specified month, or all months.

  7. Click OK.

If you have more than one time object, you can merge them into a group. When a condition in one of the time objects in the group is met, the DLP rule is enforced.

To create a time group object:

  1. Open the Data Loss Prevention tab > Policy page.
  2. Right-click in the Time column of a rule.
  3. From the pop-up menu, select Group.

    The Time Group window opens.

  4. Enter a name for the group.
  5. Add or Remove time objects from the group.
  6. Click OK.
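As an added illustration (not Check Point's code), the following Python model evaluates time objects and a time group with the semantics described above: an activation/expiry period, up to 3 hour ranges, selected days, gateway-local time, and a group that enforces the rule when any one member matches. The TimeObject and rule_enforced names are assumptions, as is treating an hour range whose start is later than its end as crossing midnight.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class TimeObject:
    """Model of a DLP time object: activation/expiry period, up to 3 hour
    ranges and the days on which the object enforces the rule."""
    name: str
    activates: datetime
    expires: datetime
    hour_ranges: list = field(default_factory=list)  # [(start, end)] as time values
    weekdays: set = field(default_factory=set)       # 0=Mon .. 6=Sun; empty = every day
    months: set = field(default_factory=set)         # 1..12; empty = all months

    def __post_init__(self):
        if len(self.hour_ranges) > 3:
            raise ValueError("at most 3 hour ranges per time object")

    def matches(self, now: datetime) -> bool:
        # 'now' is the Security Gateway's local time, as the document states.
        if not (self.activates <= now <= self.expires):
            return False
        if self.weekdays and now.weekday() not in self.weekdays:
            return False
        if self.months and now.month not in self.months:
            return False
        if not self.hour_ranges:
            return True
        t = now.time()
        # Assumption: a range with start > end (e.g. 22:00-06:00) crosses midnight.
        return any(s <= t <= e if s <= e else (t >= s or t <= e)
                   for s, e in self.hour_ranges)

def rule_enforced(time_objects, now: datetime) -> bool:
    """A time group enforces the rule when any one member matches (OR)."""
    return any(obj.matches(now) for obj in time_objects)

# Constructed sample schedule: business hours on weekdays, plus a nightly
# window that crosses midnight; the two objects form one time group.
YEAR_2024 = (datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59))
BUSINESS_HOURS = TimeObject("business-hours", *YEAR_2024,
                            [(time(9, 0), time(17, 0))], {0, 1, 2, 3, 4})
NIGHT_WINDOW = TimeObject("night-window", *YEAR_2024, [(time(22, 0), time(6, 0))])
TIME_GROUP = [BUSINESS_HOURS, NIGHT_WINDOW]

def enforced_at(local_iso: str) -> bool:
    """True if the DLP rule is enforced at the given gateway-local time."""
    return rule_enforced(TIME_GROUP, datetime.fromisoformat(local_iso))
```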

Selective Deployment - Gateways

For any rule in the policy, you can choose to deploy it only on specific enforcing DLP gateways.

To deploy a rule on specific Enforcing DLP Gateways:

  1. In R80 SmartConsole, open Data Loss Prevention > Policy.
  2. In the rule you want, click the plus sign in the Install On column.

    Defined DLP Gateways appear in a menu.

  3. Select the Gateways on which you want this rule to be deployed.
  4. Run Install Policy on the DLP gateway.

Selective Deployment - Protocols

Check Point Data Loss Prevention supports various data transmission protocols.

It is recommended that you enable protocols as needed in your deployment. Start with only SMTP. Observe the logs for detected emails and how users respond to them. Later, add FTP to the policy. For emails and large uploads, users do not expect instant responses, so they can handle incidents in the Portal or UserCheck client without disrupting their work, especially if they know what to expect and how to handle the incidents.

HTTP, which includes posts to web sites, comments on media sites, blogging, and web mail, is another matter. Users expect that when they press Enter, their words are sent and received instantly. If an employee uses HTTP for mission-critical work, having to decide every time whether a sentence is OK to send is extremely disruptive. Therefore, it is recommended that you enable HTTP only after you have analyzed usage and incidents.

You can also enable inspection for Exchange Agent emails and the HTTPS protocol.

To select protocol deployment for all gateways:

  1. In R80 SmartConsole, open Data Loss Prevention.
  2. Expand Additional Settings and click Protocols.
  3. Clear the checkbox of any of the protocols that you do not want to inspect.

Important - If you clear all of the protocol checkboxes, Data Loss Prevention will have no effect.

To select protocol deployment per gateway:

  1. In R80 SmartConsole, open the Firewall tab.
  2. In the Network Objects list, double-click the gateway.

    The properties window of the gateway opens.

  3. In General Properties > Software Blades > Network Security, make sure Data Loss Prevention is selected.
  4. Open the Data Loss Prevention page.
  5. In the Protocols area, select one of the following:
    • Apply the DLP policy on the default protocols - as selected in the Data Loss Prevention tab, according to the previous procedure.
    • Apply the DLP policy to these protocols only - select the protocols that you want this gateway to check for the Data Loss Prevention policy.

Event Analysis Views Available in R80 SmartConsole

As of R80, the Event Analysis views of the SmartEvent GUI have been incorporated into the R80 SmartConsole Logs & Monitor view. They provide advanced analysis tools with filtering, charts, and statistics of all events that pass through enabled Security Gateways.