When activating Office 365 Outlook in CloudGuard SaaS Threat Protection, you can select one of two options: Manual Mode or Automatic Mode. This page describes the configuration of Office 365 by CloudGuard SaaS after Office 365 activation using Automatic Mode.
For more information about manual configuration using Manual Mode, refer to the Check Point CloudGuard SaaS Manual Configuration with Office 365 Administration Guide.
Important Note about Quarantine Mailbox:
The quarantine mailbox is a dedicated mailbox for suspicious/malicious emails. It is necessary when you operate in Detect, Detect and Remediate, and Prevent (Inline) modes.
You need to manually create it in Office 365, even when onboarding with Automatic Mode. The quarantine mailbox requires an Office 365 license with mailbox.
Best Practice: We highly recommend that you restrict access to the Quarantine mailbox.
- Creation of a Global Administrator account in Office 365
After selecting Automatic Mode, you are redirected to Office 365 to grant CloudGuard SaaS access permissions to Microsoft APIs. After you accept, a new global administrator account is created in your Exchange Admin Center. The global administrator has an email address in the following format: checkpoint-service-user@[TENANT-NAME].onmicrosoft.com. It is sometimes referred to as the Check Point Service User. This user does not require any license.
For more information on the Global Administrator role, click here.
The Check Point Service User is used to run PowerShell commands that configure Office 365 to work with CloudGuard SaaS.
Global Admin Security:
The password of the global administrator contains 16 random characters; a mix of lower case letters, upper case letters, and digits. At this time, the password is not updated after the initial setup.
You cannot protect the checkpoint-service-user account with MFA (multi-factor authorization).
Note: If MFA is activated by default on all global administrators, change the setting before onboarding in CloudGuard SaaS. If you already onboarded, submit a Service Request so that we can assist you.
- Operation Modes in CloudGuard SaaS
In Detect mode, CloudGuard SaaS receives a copy of every email and scans it for threats. If there is malicious content, a security event is created in the CloudGuard SaaS portal. No action is automatically taken by the system to remediate threats.
In Detect and Remediate, emails arrive to users' mailboxes and are scanned for threats afterwards. If malicious content is detected, the threat is automatically removed from the mailbox.
In Prevent (Inline), emails are scanned by CloudGuard SaaS before delivery to users' mailboxes. Quarantine is automatically taken if there is malicious content. Only clean content is delivered to users' mailboxes.
Depending on the mode (Detect / Detect and Remediate / Prevent (Inline)), a different configuration of Office 365 might be required. In Automatic Mode, changes in policy and modes are automatically transferred to Office 365 via the Check Point Service User.
- Configuration in Detect Mode
3.1. Journal Rule
Generally speaking, journaling is used to record data. On Microsoft Exchange, journaling is used to record emails for legal, regulatory, and compliance purposes, as required by the organization. For more information about journaling, click here.
CloudGuard SaaS creates a Journal Rule in Office 365 which is used to send a copy of all scoped emails to the journaling mailbox used by the system for inspection. You can find this Journal Rule in the Exchange Admin Center, under the section Compliance Management.
Note: At the time of onboarding or later, you can choose to apply your CloudGuard SaaS licenses to all of your organization (licenses will be applied alphabetically) or to a specific Office 365 group (see sk145672 for details). When you choose to apply licenses to a specific group, the Journal Rule will be modified accordingly so that only emails of this user group will be inspected by CloudGuard SaaS.
Connectors help control the flow of email messages to and from your Office 365 account. Connectors allow using Transport Layer Security (TLS) to encrypt sensitive information, and restricting an IP address range for incoming emails. Inbound connectors are used for control of emails coming from outside the organization. Outbound connectors are used for control of emails sent externally.
For more information about connectors, click here.
CloudGuard SaaS automatically creates two connectors that enable mail flow between Office 365 and CloudGuard SaaS:
Check Point Inbound: used in conjunction with the connection filter policy (see section 3.3, below) to ensure that emails sent from CloudGuard SaaS to your organization are not tampered with. A safe IP address range is defined for the email sender, and messages that are not encrypted using TLS are rejected.
Check Point Journaling Outbound: used for emails sent to CloudGuard SaaS for inspection through the journal rule. The copied emails are routed via a smart host using TLS encryption, and are received only if the recipient's email server has a digital certificate.
You can review the connectors in the Exchange Admin Center under the Mail Flow section, Connectors tab.
Note: The connectors appear as not validated. Validation is Microsoft's way of verifying that the configuration is correct. Validation is not necessary for these connectors because they are configured programmatically.
3.3 Connection Filter
A connection filter policy allows you to create an Allow List, also known as a safe sender list, of trusted IP addresses. An email from a sender IP in this list will always be accepted. CloudGuard SaaS uses the connection filter policy to prevent MS from blocking, filtering, or tagging emails sent from our service IP to a customer's organization.
For more information about the connection filter policy in Microsoft Exchange click here.
The connection filter policy, found under Protection
, tab Connection Filter
, is updated to whitelist emails from our service IP:
- If your data residency is in the United States, the service IP is: 18.104.22.168
- If your data residency is in Europe, the service IP is: 22.214.171.124
This IP is used for sending emails to your organization such as admin or user alerts (phishing/malware), quarantine notifications, or restore requests.
- Configuration in Detect and Remediate Mode
If you decide to use CloudGuard SaaS in Detect and Remediate mode, no additional configuration will be done in your Exchange Admin Center. The system will use the Journal Rule and the Connectors already in place.
- Configuration in Prevent (Inline) Mode
When you create a policy in Prevent (Inline) mode, CloudGuard SaaS will automatically adjust your Exchange admin center configuration accordingly.
CloudGuard SaaS creates an additional connector, the Check Point Outbound connector, that can be reviewed in the Exchange Admin Center under the section Mail Flow, tab Connectors. This connector is used to guarantee safe routing of emails between your organization and CloudGuard SaaS, where they are inspected before being routed back to Office 365 for delivery to end users.
5.2 Transport Rules
Transport rules are used to configure the routing of emails once they get to Office 365 based on several conditions: recipient, sender, subject and more.
CloudGuard SaaS uses transport rules to enable inline policy mode. Three transport rules are created to route emails to the system for inspection and to apply the relevant policy based on the verdict. By default, the 3 rules will have priority over any existing rules.
They can be reviewed in the Mail Flow\Rules section of the Exchange Admin Center:
- Check Point - Protect: used for emails sent to the organization. This rule routes the messages using the Check Point Outbound connector with a specific header and value for inspection and stops more rules from being processed. The incoming messages are inspected as if the policy is Detect or Detect & Remediate when the spam confidence level (SCL) is greater than or equal to 5, or if the sender is CloudGuard SaaS.
- Check Point - Whitelist: used to define emails sent by CloudGuard SaaS as NOT being spam (SCL -1), to avoid delivery to the junk folder (except when the header matches the pattern X-CLOUD-SEC-AV-SCL).
- Check Point - Junk Filter: used to set the spam confidence level (SCL) to 9 when the sender IP is CloudGuard SaaS and when the header is X-CLOUD-SEC-AV-SCL. With this rule, emails marked as spam by Microsoft always find their way to the spam folder.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.