This page describes the automatic configuration of Gmail by CloudGuard SaaS after activation in the CloudGuard SaaS portal. There is no manual option for Gmail configuration.
Important Note about Quarantine Mailbox:
The quarantine mailbox is a dedicated mailbox for suspicious/malicious emails. It is necessary when you operate in Detect and Remediate or Prevent (Inline) modes.
You need to manually create it in Gmail. The quarantine mailbox requires a Gmail license.
Best Practice: We highly recommend that you restrict access to the Quarantine mailbox.
(1) Creation of a Super Administrator account in Gmail
After clicking on Start for Gmail, you are redirected to Gmail to grant CloudGuard SaaS access permissions to G Suite APIs. After you accept, a new super administrator account is created in your Google Admin Console. The super administrator has an email address in the following format: cloud-sec-av@[domain] and is sometimes referred to as the Check Point Service User.
This user requires a Gmail license.
For more information on the Super Administrator role, see here.
The Check Point Service User is used to automatically configure Gmail to work with CloudGuard SaaS.
Super Admin Security:
The password of the super administrator contains 43 random characters: a mix of lower case letters, upper case letters, and digits.
At this time, the password is not rotated after the initial setup. You cannot protect the Check Point Service User account with MFA (multi-factor authentication).
Note: If MFA is activated by default on all global administrators, change the setting before onboarding in CloudGuard SaaS. If you already onboarded, submit a Service Request so that we can assist you.
(2) Operation Modes in CloudGuard SaaS
In Detect mode, CloudGuard SaaS gets a copy of every email and scans it for threats. If there is malicious content, a security event is created in the CloudGuard SaaS portal. No action is automatically taken by the system to remediate threats.
In Detect and Remediate mode, emails arrive in users' mailboxes and are scanned for threats afterwards. If malicious content is detected, the threat is automatically removed from the mailbox.
In Prevent (Inline) mode, emails are scanned by CloudGuard SaaS before delivery to users' mailboxes. Emails with malicious content are automatically quarantined. Only clean content is delivered to users' mailboxes.
Depending on the mode (Detect/Detect and Remediate/Prevent (Inline)), a different configuration of Gmail might be required. Changes in policy and modes are automatically transferred to Gmail, using the Check Point Service User.
(3) Configuration in Detect Mode
(3.1) User Groups
After activating protection for Gmail, CloudGuard SaaS automatically creates 4 User Groups. You can review them in your Google Admin Console, under Groups:
Note: If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-prem and in the cloud, the synchronization will trigger the deletion of the 4 Check Point groups. This will not impact email delivery but CloudGuard SaaS will not scan any emails and therefore you won't see any events in the dashboard.
Before activating Gmail protection, create 4 Exclusion Rules for the 4 user groups. The Type of the Exclusion Rules should be Group Email Address and the Match Type Exact Match. For each group, the email address to add will be groupname@[domain] so, for example, firstname.lastname@example.org.
If you already started Gmail, please open a Service Request to get assistance.
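The two silent failure modes in this section are that a GCDS sync deletes the Check Point groups (mail still flows, nothing is scanned) and that an Exclusion Rule is created with the wrong Type or Match Type. The following is an added health check, not Check Point code: it compares the groups present in the domain (input in the shape of the Admin SDK Directory API groups.list response) with the groups CloudGuard SaaS expects, and verifies that each has an Exclusion Rule of Type Group Email Address with Match Type Exact Match. Only check_point_inline_rule is named in this article; the other three group names and the domain are placeholders.

```python
"""Added health check for the CloudGuard SaaS groups and Exclusion Rules.

Not Check Point code. The groups input mirrors the Admin SDK Directory API
groups.list response ({"groups": [{"email": ..., "name": ...}, ...]}).
"""
from dataclasses import dataclass

DOMAIN = "example.org"  # placeholder, use your own Google Workspace domain
EXPECTED_GROUPS = [     # replace the placeholders with the names in your Admin Console
    "check_point_inline_rule",
    "PLACEHOLDER_check_point_group_2",
    "PLACEHOLDER_check_point_group_3",
    "PLACEHOLDER_check_point_group_4",
]


@dataclass(frozen=True)
class ExclusionRule:
    rule_type: str   # CloudGuard SaaS Exclusion Rule "Type"
    match_type: str  # CloudGuard SaaS Exclusion Rule "Match Type"
    value: str       # the group email address the rule matches


def expected_addresses(domain: str = DOMAIN) -> list[str]:
    return [f"{name}@{domain}" for name in EXPECTED_GROUPS]


def missing_groups(groups_list_response: dict, domain: str = DOMAIN) -> list[str]:
    """Expected Check Point groups that no longer exist in the domain (e.g. after GCDS)."""
    present = {g["email"].lower() for g in groups_list_response.get("groups", [])}
    return [a for a in expected_addresses(domain) if a.lower() not in present]


def groups_without_exact_exclusion(rules: list[ExclusionRule], domain: str = DOMAIN) -> list[str]:
    """Expected groups lacking an Exclusion Rule of the required Type and Match Type."""
    covered = {r.value.lower() for r in rules
               if r.rule_type == "Group Email Address" and r.match_type == "Exact Match"}
    return [a for a in expected_addresses(domain) if a.lower() not in covered]


def health_ok(groups_list_response: dict, rules: list[ExclusionRule], domain: str = DOMAIN) -> bool:
    return not missing_groups(groups_list_response, domain) \
        and not groups_without_exact_exclusion(rules, domain)


# Constructed sample: a GCDS sync removed group 3, and group 4's rule uses "Contains".
SAMPLE_GROUPS = {"groups": [{"email": f"{n}@{DOMAIN}", "name": n}
                            for n in EXPECTED_GROUPS if "3" not in n]}
SAMPLE_RULES = [ExclusionRule("Group Email Address", "Exact Match", f"{n}@{DOMAIN}")
                for n in EXPECTED_GROUPS[:3]]
SAMPLE_RULES.append(ExclusionRule("Group Email Address", "Contains", f"{EXPECTED_GROUPS[3]}@{DOMAIN}"))

if __name__ == "__main__":
    print("missing groups:", missing_groups(SAMPLE_GROUPS))
    print("groups lacking an exact-match exclusion:", groups_without_exact_exclusion(SAMPLE_RULES))
```

Run it on a schedule against a live groups.list response, and alert on a non-empty result; an empty list from missing_groups is the signal that scanning is still wired up.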
(3.2) Host
CloudGuard SaaS will automatically create a host (also called a mail route) in your Google Admin Console. You can see it in your Google Admin Console, under Apps\G Suite\Settings for Gmail\Hosts.
(3.3) Inbound Gateway
CloudGuard SaaS will automatically create an Inbound Gateway. You can see it in your Google Admin Console, under Apps\G Suite\Settings for Gmail\Advanced Settings.
(3.4) SMTP Relay Service
CloudGuard SaaS will automatically create an SMTP Relay Service. You can see it in your Google Admin Console, under Apps\G Suite\Settings for Gmail\Advanced Settings.
(3.5) Content Compliance Rules
CloudGuard SaaS will automatically create 3 Content Compliance Rules. You can review them in your Google Admin Console, under Apps\G Suite\Settings for Gmail\Advanced Settings. The rules are called:
where ei stands for incoming traffic, ii for internal traffic, and eo for outgoing traffic.
(4) Configuration in Detect and Remediate Mode
If you decide to use CloudGuard SaaS in Detect and Remediate mode, no additional configuration will be done in your Google Admin Console. The system will use the configuration already in place.
(5) Configuration in Prevent (Inline) Mode
When you create a policy in Prevent (Inline) mode, CloudGuard SaaS will automatically adjust your Google Admin Console configuration accordingly. A new Content Compliance Rule is created: [tenantname]_inline_ei.
If you remove the inline protection of users in CloudGuard SaaS, the Content Compliance Rule for inline will remain in the Google Admin Console but the content of the user group check_point_inline_rule will be updated to reflect that no users are protected in this mode.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.