In This Section: |
Check Point Data Loss Prevention is a Software Blade. It needs connectivity to a Security Management Server and a R80 SmartConsole. A Check Point gateway or a DLP-1 appliance is necessary for DLP.
In a dedicated DLP gateway deployment, Check Point recommends that you have a protecting Security Gateway in front of the DLP gateway.
The environment must include a DNS.
Important - Before installing DLP, we recommend that you review the requirements and supported platforms for DLP in the R80 Release Notes. |
To configure full permissions:
The Administrator Properties window opens, and shows the General page.
The Permissions Profile Properties window opens.
To configure a subset of permissions for the DLP administrator:
The Administrator Properties window opens, and shows the General page.
The Permissions Profile Properties window opens.
Note - If you select all of these options with Write permissions, the administrator has full DLP permissions.
The DLP Software Blade has a 30 day trial license.
To activate the trial license:
The gateway window opens and shows the General Properties page.
In an integrated deployment you can:
To enable DLP on an existing Security Gateway or cluster:
The gateway window opens and shows the General Properties page.
You can use Load Sharing if the DLP rules use the Detect, Prevent, or Inform actions.
Note - On a Security Cluster, this enables the DLP blade on every cluster member.
The Data Loss Prevention Wizard opens.
These are the configuration options in a dedicated deployment environment:
To configure a dedicated DLP gateway on an existing Security Gateway or Security Cluster:
When you clear the Firewall Software Blade, a warning message shows.
You are about to turn off the Firewall blade, with only the DLP blade left on.
Therefore, this Security Gateway will not enforce the security policy.
It is recommended to place this Security Gateway behind a firewall.
Are you sure you want to continue?
To configure a dedicated DLP gateway or cluster on a locally managed DLP-1 appliance:
For a locally managed gateway, the Data Loss Prevention Wizard opens.
For a locally managed cluster, the DLP-1 Cluster Wizard opens.
To configure a dedicated DLP gateway or cluster on a centrally managed DLP-1 appliance:
If you run the DLP Wizard from a computer that is not part of the Active Directory domain, you can run it again from a computer in the Active Directory domain to create the LDAP account unit.
To run the Data Loss Prevention Wizard again:
The gateway window opens and shows the General Properties page.
The Data Loss Prevention Wizard starts.
Use these procedures if the proxy or proxies are between the DLP gateway and the Internet, or in a DMZ. If a proxy is in a DMZ, we recommend that you use the DLP gateway to scan the HTTP traffic between the user network and the proxy in the DMZ.
Configuring an R75 or higher DLP Gateway for Web Proxies
If you have one Web proxy server between the DLP gateway and the Internet, use either Procedure 1 or Procedure 2.
If you have more than one proxy between the DLP gateway and the Internet, use Procedure 2.
If you configure both Procedure 1 and Procedure 2, the DLP gateway drops HTTP and HTTPS traffic sent to any web proxy that is not specified in Procedure 1.
To configure DLP for Procedure 1:
The gateway window opens and shows the General Properties page.
DLP only scans traffic to the specified web proxy.
Procedure 2
The gateway window opens and shows the General Properties page.
Configuring a Pre-R75 DLP Gateway for a Web Proxy
For a pre-R75 DLP gateway, if you have one Web proxy between the DLP gateway and the Internet, use Procedure 1.
If you have more than one Web proxy, put the DLP gateway between the proxies and the Internet.
If the DLP gateway is between the Web (HTTP) proxy server or servers and the Internet, use these procedures.
Configuring the DLP Gateway for an Internal Web Proxy
R80 SmartConsole opens and shows the DLP tab.
You can use the Data Loss Prevention Wizard to configure the settings for the mail relay. Use these procedures to configure these settings without the Wizard.
To open the DLP tab in SmartDashboard:
R80 SmartConsole opens and shows the DLP tab.
To configure the mail relay for anonymous SMTP connections:
If the mail server object does not exist, create it.
To configure the mail server object for authenticated SMTP connections:
The Mail Server window opens.
To complete configuring the Mail Relay:
Configure the mail relay to accept anonymous connections from the DLP gateway. For details, consult the vendor documentation. For example, on Microsoft Exchange Servers, configure the permissions of the default receive connector (or other relevant connector that handles SMTP traffic) for anonymous users.
To configure the DLP and mail relay in the DMZ:
R80 SmartConsole opens and shows the DLP tab.
The Networks and Hosts window opens.
Otherwise, click New > Host.
Item |
Description |
---|---|
1 |
Internal mail server |
2 |
Mail relay in the DMZ |
Make sure that the DLP gateway does NOT scan emails as they pass from the mail relay to the target mail server in the Internet.
To deploy the internal mail relay behind a DMZ interface of the DLP gateway:
The gateway window opens and shows the General Properties page.
In the Topology page of the DLP gateway object, define the gateway interface that leads to the Mail relay as Internal and also as Interface leads to DMZ.
To configure the internal mail relay that is not behind a DMZ interface of the DLP gateway:
Note - If the DLP gateway interface leading to the internal mail relay is internal, and you cannot deploy the internal mail relay behind a DMZ interface of the DLP gateway.
SmartDashboard opens and shows the DLP tab.
To configure disk management for DLP incidents:
The server window opens and shows the General Properties page.
This setting applies to DLP incidents and logs, and to all other logs. The default setting is 5000 MBytes. When the free disk space becomes less than this limit, old DLP incidents and logs, and other logs are deleted to free up disk space.
C:\Program Files\CheckPoint\R80 SmartConsole\R80\PROGRAM\GuiDBedit.exe
Field Name |
Description |
Default value |
---|---|---|
|
The maximum % of disk space that incidents are allowed to occupy. |
20% |
|
Whether or not to delete incidents if the incidents take up more disk space than
|
|
|
Whether or not to run a script before deleting incidents. For example, to copy the logs to a different computer before they are deleted.
|
|
To define the Exchange Security Agent:
SmartDashboard opens and shows the DLP tab.
The Check Point Exchange Agent wizard opens.
You can enable HTTPS traffic inspection on Security Gateways to inspect traffic that is encrypted by the Secure Sockets Layer (SSL) protocol. SSL secures communication between internet browser clients and web servers. It supplies data privacy and integrity by encrypting the traffic, based on standard encryption ciphers.
However, SSL has a potential security gap. It can hide illegal user activity and malicious traffic from the content inspection of Security Gateways. One example of a threat is when an employee uses HTTPS (SSL based) to connect from the corporate network to internet web servers. Security Gateways without HTTPS Inspection are unaware of the content passed through the SSL encrypted tunnel. This makes the company vulnerable to security attacks and sensitive data leakage.
The SSL protocol is widely implemented in public resources that include: banking, web mail, user forums, and corporate web resources.
There are two types of HTTPS inspection:
The Security Gateway acts as an intermediary between the client computer and the secure web site. The Security Gateway behaves as the client with the server and as the server with the client using certificates.
To optimize performance, inbound HTTPS traffic is inspected only if the policy has rules for HTTPS. For example, if the IPS profile does not have HTTP/HTTPS-related protections activated, HTTPS Inspection is not started.
All data is kept private in HTTPS Inspection logs. This is controlled by administrator permissions. Only administrators with HTTPS Inspection permissions can see all the fields in a log. Without these permissions, some data is hidden.
To enable outbound HTTPS traffic inspection, you must do these steps:
When required, you can update the trusted CA list in the Security Gateway.
The outbound CA certificate is saved with a P12 file extension and uses a password to encrypt the private key of the file. The Security Gateways use this password to sign certificates for the sites accessed. You must keep the password as it also used by other Security Management Servers that import the CA certificate to decrypt the file.
After you create an outbound CA certificate, you must export it so it can be distributed to clients. If you do not deploy the generated outbound CA certificate on clients, users will receive SSL error messages in their browsers when connecting to HTTPS sites. You can configure a troubleshooting option that logs such connections.
After you create the outbound CA certificate, a certificate object named Outbound Certificate is created. Use this object in rules that inspect outbound HTTPS traffic in the HTTPS inspection Rule Base.
To create an outbound CA certificate:
The Gateway Properties window opens.
To prevent users from getting warnings about the generated CA certificates that HTTPS inspection uses, install the generated CA certificate used by HTTPS inspection as a trusted CA. You can distribute the CA with different distribution mechanisms such as Windows GPO. This adds the generated CA to the trusted root certificates repository on client computers.
When users run standard updates, the generated CA will be in the CA list and they will not receive browser certificate warnings.
To distribute a certificate with a GPO:
Note - Make sure that the CA certificate is pushed to the client computer organizational unit.
The HTTPS inspection policy determines which traffic is inspected. The primary component of the policy is the Rule Base. The rules use the categories defined in the Application Database, network objects and custom objects (if defined).
The HTTPS inspection Rule Base lets you inspect the traffic on other network blades. The blades that HTTPS inspection can operate on are based on the blade contracts and licenses in your organization and can include:
If you enable Identity Awareness on your Security Gateways, you can also use Access Role objects as the source in a rule. This lets you easily make rules for individuals or different groups of users.
To access the HTTPS Inspection Rule Base:
Check Point dynamically updates a list of approved domain names of services from which content is always allowed. This option makes sure that Check Point updates or other 3rd party software updates are not blocked. For example, updates from Microsoft, Java, and Adobe.
To bypass HTTPS inspection for software updates:
When a Security Gateway receives an untrusted certificate from a web site server, the settings in this section define when to drop the connection.
Untrusted server certificate
When selected, traffic from a site with an untrusted server certificate is immediately dropped. The user gets an error page that states that the browser cannot display the webpage.
When cleared, a self-signed certificate shows on the client machine when there is traffic from an untrusted server. The user is notified that there is a problem with the website's security certificate, but lets the user continue to the website (default).
Revoked server certificate (validate CRL)
When selected, the Security Gateway validates that each server site certificate is not in the Certificate Revocation List (CRL) (default).
If the CRL cannot be reached, the certificate is considered trusted (this is the default configuration). An HTTPS Inspection log is issued that indicates that the CRL could not be reached. This setting can be changed with GuiDBedit. Select Other > SSL Inspection > general_confs_obj and change the attribute
from false to true.drop_if_crl_cannot_be_reached
To validate the CRL, the Security Gateway must have access to the internet. For example, if a proxy server is used in the organizational environment, you must configure the proxy for the Security Gateway.
To configure the proxy:
When cleared, the Security Gateway does not check for revocations of server site certificates.
Important - Make sure that there is a rule in the Rule Base that allows outgoing HTTP from the Security Gateway. |
Expired server certificate
Track validation errors
Choose if the server validation traffic is logged in in the Logs tab of the R80 SmartConsole Logs & Monitor view or if it triggers other notifications. For the options, see Track.
Automatically retrieve intermediate CA certificates
In R80 SmartConsole, in the Gateways & Servers view, or in SmartDashboard, in the HTTPS Inspection tab > Gateways pane, you can edit a Gateway object. In the HTTP/HTTPS Proxy page, you can configure a gateway to be an HTTP/HTTPS proxy. When it is a proxy, the gateway becomes an intermediary between two hosts that communicate with each other. It does not allow a direct connection between the two hosts.
Each successful connection creates two different connections:
Proxy Modes
Two proxy modes are supported:
Access Control
You can configure one of these options for forwarding HTTP requests:
Ports
By default, traffic is forwarded only on port 8080. You can add or edit ports as required.
Advanced
By default, the HTTP header contains the Via proxy related header. You can remove this header with the Advanced option.
You can also use the Advanced option to configure the X-Forward-For header that contains the IP address of the client machine. It is not added by default because it reveals the internal client IP.
Logging
The Security Gateway opens two connections, but only the Firewall blade can log both connections. Other blades show only the connection between the client and the gateway. The Destination field of the log only shows the gateway and not the actual destination server. The Resource field shows the actual destination.
To configure a Security Gateway to be an HTTP/HTTPS proxy:
Note - If you select Non Transparent mode, make sure to configure the clients to work with the proxy.
The X-Forward-For header must be configured if traffic will be forwarded to Identity Awareness Security Gateways that require this information for user identification.
Logs from HTTPS Inspection are shown in the Logs & Monitor > Logs tab. Under Favorites, there is a predefined query for HTTPS Inspection logs. It shows all HTTPS traffic that matched the HTTPS Inspection policy and was configured to be logged.
The log includes an HTTP Inspection Action field. The field value can be inspect or bypass. If the traffic did not go through HTTPS inspection, the field does not show in the log.
An administrator must have HTTPS inspection permissions to see classified data in HTTPS inspected traffic.
To set permissions for an administrator in a new profile:
To edit an existing permissions profile: