Configuring User Access to an Integrated DLP Gateway

To use the DLP Portal and UserCheck, users must be allowed to access the DLP Gateway. By default, users can access the DLP Gateway only through its internal interfaces, not through its external interfaces.

You can configure user access to the DLP Gateway in SmartConsole, in the Accessibility section of the Data Loss Prevention page of the DLP Gateway object. The options are:

  • Through all interfaces - Lets users access the DLP Gateway through all interfaces, including external interfaces.

    Note - We do not recommend that you use "Through all interfaces" when you configure the DLP Gateway at the perimeter.

  • Through internal interfaces - Lets users access the DLP Gateway through interfaces that are defined as Internal in the Topology page of the DLP Gateway object. If an interface is configured in the Topology page as Not Defined or as Interface leads to DMZ, it is not counted as an internal interface with respect to the DLP Accessibility options.

    This is the default option. It is recommended because it prevents unauthorized access to the DLP Gateway from the external gateway interfaces. For this option to be meaningful, make sure the topology of the internal and external interfaces of the DLP Gateway is correctly defined.

    • Including VPN encrypted interfaces - Also allows access through interfaces used for establishing route-based VPN tunnels (VTIs).

  • According to the Firewall policy - Allows access according to the Firewall Rule Base rules defined by the SmartConsole administrator. Use this option if you want to decide which ports to open for DLP. The applicable ports are:

    Feature           Service      TCP Port
    DLP Portal        TCP HTTP     80
                      TCP HTTPS    443
    UserCheck         TCP          18300
                      TCP HTTPS    443
    Reply-to-email    TCP HTTPS    25

    For example, to allow access from remote sites and/or remote users to the DLP Gateway, add rules that allow access to the UserCheck service (port 18300) and HTTPS (port 443) from those VPN Communities to the DLP Gateway. You can also define the source IP address from which SMTP communication is allowed. This would normally be the mail server that receives emails from users.
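The following Python script is an added example, not Check Point code and not a Check Point API: it models a first-match rule base as a list of dictionaries (object names, group names, the "DLP_GW" gateway object, the implicit cleanup drop and the rule format are all assumptions) and audits it against the access described above, checking that remote VPN sources reach UserCheck (18300) and HTTPS (443), that SMTP on port 25 is accepted only from the mail server, and that no DLP port from the table is reachable from the external side.

```python
from typing import Any, Dict, List, Set, Union

Rule = Dict[str, Any]

# Ports per feature, taken from the table on this page.
DLP_PORTS: Dict[str, Set[int]] = {
    "DLP Portal": {80, 443},
    "UserCheck": {18300, 443},
    "Reply-to-email": {25},
}

# Constructed object groups (assumption: a group name resolves to its members).
GROUPS: Dict[str, Set[str]] = {
    "DLP_VPN_Communities": {"VPN_Remote_Sites", "VPN_Remote_Users"},
}


def expand(objs: Union[str, Set[str]], groups: Dict[str, Set[str]]) -> Union[str, Set[str]]:
    """Resolve group names (recursively) to member names; 'Any' stays 'Any'."""
    if objs == "Any":
        return "Any"
    members: Set[str] = set()
    for name in objs:
        members |= set(expand(groups[name], groups)) if name in groups else {name}
    return members


def matches(field: Union[str, Set[str]], value: str, groups: Dict[str, Set[str]]) -> bool:
    """True if a rule column ('Any' or a set of objects/groups) covers the object."""
    resolved = expand(field, groups)
    return resolved == "Any" or value in resolved


def first_match(rules: List[Rule], src: str, dst: str, port: int,
                groups: Dict[str, Set[str]] = GROUPS) -> Union[Rule, None]:
    """First-match semantics: the first rule covering src/dst/port decides."""
    for rule in rules:
        if (matches(rule["src"], src, groups) and matches(rule["dst"], dst, groups)
                and (rule["ports"] == "Any" or port in rule["ports"])):
            return rule
    return None


def is_allowed(rules: List[Rule], src: str, dst: str, port: int,
               groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """A flow is allowed only by an explicit accept; no match means drop (assumed cleanup rule)."""
    rule = first_match(rules, src, dst, port, groups)
    return rule is not None and rule["action"] == "accept"


def audit_dlp_access(rules: List[Rule], gateway: str, vpn_sources: List[str], mail_server: str,
                     external: str = "External", groups: Dict[str, Set[str]] = GROUPS) -> List[str]:
    """Return a list of findings; an empty list means the rule base matches the page's guidance."""
    findings: List[str] = []
    # 1. Remote sites and users need UserCheck (18300) and HTTPS (443) to the DLP Gateway.
    for src in vpn_sources:
        for port in (18300, 443):
            if not is_allowed(rules, src, gateway, port, groups):
                findings.append(f"missing: {src} -> {gateway} tcp/{port}")
    # 2. Reply-to-email (tcp/25) must come from the mail server and from nothing else we know of.
    if not is_allowed(rules, mail_server, gateway, 25, groups):
        findings.append(f"missing: {mail_server} -> {gateway} tcp/25")
    for src in list(vpn_sources) + [external]:
        if is_allowed(rules, src, gateway, 25, groups):
            findings.append(f"exposed: {src} -> {gateway} tcp/25 (only {mail_server} should send SMTP)")
    # 3. Nothing from the DLP port table should be reachable from the perimeter side.
    for feature, ports in DLP_PORTS.items():
        for port in sorted(ports):
            if is_allowed(rules, external, gateway, port, groups):
                findings.append(f"exposed: {external} -> {gateway} tcp/{port} ({feature})")
    return findings


# Constructed sample rule bases: one following the page's example, one too permissive.
GOOD_RULES: List[Rule] = [
    {"name": "UserCheck/HTTPS from VPN communities", "src": {"DLP_VPN_Communities"},
     "dst": {"DLP_GW"}, "ports": {443, 18300}, "action": "accept"},
    {"name": "Reply-to-email from mail server", "src": {"Mail_Server"},
     "dst": {"DLP_GW"}, "ports": {25}, "action": "accept"},
    {"name": "Cleanup", "src": "Any", "dst": "Any", "ports": "Any", "action": "drop"},
]
BAD_RULES: List[Rule] = [
    {"name": "DLP reachable from anywhere", "src": "Any", "dst": {"DLP_GW"},
     "ports": {443, 25}, "action": "accept"},
    {"name": "Cleanup", "src": "Any", "dst": "Any", "ports": "Any", "action": "drop"},
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        result = audit_dlp_access(rules, "DLP_GW", ["VPN_Remote_Sites", "VPN_Remote_Users"], "Mail_Server")
        print(label, "->", result or "no findings")
```

The audit is deliberately conservative: an unmatched flow is treated as dropped, and a rule with source "Any" toward the gateway is reported both as exposing SMTP beyond the mail server and as exposing the portal from the external side, which is the situation the note against "Through all interfaces" at the perimeter warns about.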