22 January 2020
DATA LOSS
PREVENTION
R80.40
[Classification: Protected]
Administration Guide
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written authorization
of Check Point. While every precaution has been taken in the preparation of this book, Check Point
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Data Loss Prevention R80.40 Administration Guide
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.
Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.
Check Point R80.40
For more about this release, see the R80.40 home page.
Latest Version of this Document
Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Revision History
Date
Description
22 January 2020
First release of this document
Data Loss Prevention R80.40 Administration Guide | 3
Table of Contents
Glossary (page 10)
Introduction to Data Loss Prevention (page 20)
The Need for Data Loss Prevention (page 20)
Data Loss Prevention and Privacy (page 20)
The Check Point Solution for DLP (page 21)
Content Awareness Software Blade (page 22)
How DLP Works (page 22)
Integrated DLP Security Gateway Deployment (page 23)
Dedicated DLP Gateway Deployment (page 24)
Alternative Gateway Deployments (page 26)
What Happens on Rule Match (page 28)
Role of DLP Administrator (page 28)
DLP Permissions for Administrator Accounts (page 29)
Configuring Full DLP Permissions (page 30)
Configuring a Subset of Permissions (page 30)
Installation and Configuration (page 32)
Installing the DLP Gateway (page 32)
DLP Software Blade Trial License (page 32)
Configuring a DLP Gateway or Security Cluster (page 32)
Data Loss Prevention Wizard (page 34)
Configuring a DLP Gateway in Bridge Mode (page 35)
Configuring Active Directory and LDAP for DLP (page 36)
Rerunning the Data Loss Prevention Wizard (page 37)
Configuring a DLP Gateway for a Web Proxy (page 37)
Configuring DLP for an Internal Web Proxy (page 39)
Configuring Proxy Settings after Management Upgrade (page 39)
Mail Server Required Configuration (page 40)
Action Settings for DLP Rules (page 40)
Configuring Mail Relay (page 41)
Configuring Settings for the Mail Relay (page 41)
Configuring a Dedicated DLP Gateway and Relay on DMZ (page 42)
Recommended Deployment - DLP Gateway with Mail Relay (page 43)
Workarounds for a Non-Recommended Mail Relay Deployment (page 44)
Untrusted Mail Relays and Microsoft Outlook (page 46)
TLS-Encrypted SMTP Connections (page 46)
Configuring Incident Log Handling (page 46)
Configuring the Exchange Security Agent (page 47)
Configuring SmartConsole for the Exchange Security Agent (page 48)
Exchange Server Configuration (page 49)
Configuring SMTP Mirror Port Mode (page 53)
Configuring HTTPS Inspection (page 54)
Inspecting HTTPS Packets (page 55)
Outbound Connections (page 55)
Inbound Connections (page 55)
Configuring Gateways to Inspect Outbound and Inbound HTTPS (page 56)
UserCheck Interaction Objects (page 66)
Configuring UserCheck (page 66)
Kerberos Single Sign On (page 67)
UserCheck Page (page 71)
Creating UserCheck Interaction Objects (page 72)
Plain Text Email Notifications (page 74)
More UserCheck Interaction Options (page 75)
Localizing and Customizing the UserCheck Portal (page 75)
UserCheck Client (page 77)
Enabling UserCheck Client (page 77)
Client and Gateway Communication (page 78)
Renaming the MSI (page 79)
Troubleshooting DNS Based Configuration (page 82)
Getting the MSI File (page 83)
Distributing and Connecting Clients (page 83)
UserCheck and Check Point Password Authentication (page 85)
Helping Users (page 85)
Out of the Box (page 87)
Default Deployment (page 87)
Data Loss Prevention in SmartDashboard (page 87)
Defining My Organization (page 89)
Adding Email Addresses and Domains to My Organization (page 89)
Managing Users (page 90)
Managing Networks (page 91)
Managing VPNs (page 92)
Data Loss Prevention Policies (page 94)
Overview of DLP Rules (page 94)
DLP and Identity Awareness (page 95)
DLP Rule Matching (page 98)
DLP Rule Actions (page 99)
Managing Rules in Detect (page 100)
Setting DLP Rule Tracking (page 100)
Store Incident (page 101)
Setting a Time Restriction (page 103)
DLP Selective Deployment (page 104)
Auditing and Analysis of Incidents (page 105)
DLP Actions (page 106)
Data Owner and User Notifications (page 110)
Defining Data Owners (page 110)
Preparing Corporate Guidelines (page 110)
Communicating with Data Owners (page 111)
Communicating with Users (page 112)
Notifying Data Owners (page 113)
Notifying Users (page 113)
Customizing Notifications (page 114)
Setting and Managing Rules to Ask User (page 116)
Setting Rules to Ask User (page 116)
Managing Rules in Ask User (page 116)
DLP Self Incident-Handling Portal (page 117)
What Users See and Do (page 117)
Unhandled UserCheck Incidents (page 117)
Managing Incidents by Replying to Emails (page 118)
UserCheck Notifications (page 118)
Learning Mode (page 118)
Data Loss Prevention by Scenario (page 120)
Analytical Deployment (page 120)
Creating New Rules (page 120)
Internal DLP Policy Rules (page 121)
More Options for Rules (page 123)
Rule Exceptions (page 124)
Fine Tuning (page 127)
Customized Deployment (page 127)
Setting Rules to Prevent (page 128)
Multi-Realm Authentication Support (page 128)
Troubleshooting DLP-Related Authentication Issues (page 129)
Defining Data Types (page 130)
Protecting Data by Keyword (page 130)
Protecting Data by Pattern (page 131)
Protecting Documents by Template (page 131)
Protecting Data by Fingerprint (page 133)
Repository Scanning (page 134)
Filtering the Repository for Efficiency (page 134)
Granularity (page 134)
Scan Times (page 135)
Logging (page 135)
Log Details (page 135)
NFS Repository Scanning in NATed Environments (page 139)
Protecting Files by Attributes (page 139)
Defining Compound Data Types (page 140)
Advanced Data Types (page 140)
Enhancing Accuracy through Statistical Analysis (page 145)
Adding Data Types to Rules (page 146)
Repositories (page 156)
Whitelist Policy (page 158)
Defining Email Addresses (page 159)
Configuring the DLP Watermark (page 160)
Watermarking Documents (page 160)
Creating a New Watermark Profile (page 161)
Adding a Shadow Behind Watermark Text in Word and PowerPoint (page 162)
Configuring Watermark Settings on the General Page (page 163)
Configuring Watermark Settings on the Hidden Text Page (page 163)
Completing the Watermark Profile (page 164)
Previewing Watermarks (page 164)
Viewing Watermarks in MS Office Documents (page 164)
Resolving Watermark Conflicts (page 165)
Turning Watermarking On and Off (page 168)
Using the DLP Watermark Viewing Tool (page 168)
Fine Tuning Source and Destination (page 169)
Creating Different Rules for Different Departments (page 169)
Isolating the DMZ (page 171)
Defining Strictest Security (page 171)
Defining Protocols of DLP Rules (page 172)
Fine Tuning for Protocol (page 173)
Configuring More HTTP Ports (page 173)
Advanced Configuration (page 175)
Configuring User Access to an Integrated DLP Gateway (page 175)
Internal Firewall Policy for a Dedicated DLP Gateway (page 176)
Advanced Expiration Handling (page 177)
Advanced SMTP Quotas (page 177)
Advanced FTP and HTTP Quotas (page 178)
Advanced User Notifications (page 179)
Gateway Cleanup of Data (page 179)
Gateway Cleanup of Expired Data (page 180)
Gateway Cleanup of All Captured Data (page 180)
Customizing DLP User-Related Notifications (page 182)
Supporting LDAP Servers with UTF-8 Records (page 184)
Configuring the Corporate Guidelines Link (page 185)
Editing Extreme Condition Values (page 185)
Editing Exchange Security Agent Values (page 187)
Configuring HTTP Inspection on All Ports (page 189)
Defining New File Types (page 189)
Supported File Types (page 190)
Server Certificates (page 207)
Obtaining, Installing, and Viewing a Trusted Server Certificate (page 207)
Troubleshooting (page 210)
Incidents Do Not Expire (page 210)
Mail Server Full (page 210)
Advanced Options for Data Types (page 212)
Regular Expressions and Character Sets (page 215)
Non-Printable Characters (page 216)
Character Types (page 216)
Supported Character Sets (page 216)
Character Set Aliases (page 218)
Command Line Reference (page 220)
Syntax Legend (page 220)
dlpcmd (page 223)
Working with Kernel Parameters on Security Gateway (page 226)
Kernel Debug on Security Gateway (page 227)
Glossary
A
Administrator
A user with permissions to manage Check Point security products and the network
environment.
API
In computer programming, an application programming interface (API) is a set of
subroutine definitions, protocols, and tools for building application software. In general
terms, it is a set of clearly defined methods of communication between various software
components.
Appliance
A physical computer manufactured and distributed by Check Point.
B
Bond
A virtual interface that contains (enslaves) two or more physical interfaces for
redundancy and load sharing. The physical interfaces share one IP address and one
MAC address. See "Link Aggregation".
Bonding
See "Link Aggregation".
Bridge Mode
A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.
C
CA
Certificate Authority. Issues certificates to gateways, users, or computers, to identify
itself to connecting entities with Distinguished Name, public key, and sometimes IP
address. After certificate validation, entities can send encrypted data using the public
keys in the certificates.
Certificate
An electronic document that uses a digital signature to bind a cryptographic public key
to a specific identity. The identity can be an individual, organization, or software entity.
The certificate is used to authenticate one identity to another.
Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.
Cluster Member
A Security Gateway that is part of a cluster.
CoreXL
A performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.
CoreXL Firewall Instance
Also CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewall
kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one
processing CPU core. These firewall instances handle traffic at the same time, and
each firewall instance is a complete and independent firewall inspection kernel.
CoreXL SND
Secure Network Distributer. The part of CoreXL that processes incoming traffic from the
network interfaces, securely accelerates authorized packets (if SecureXL is enabled), and
distributes non-accelerated packets between the CoreXL Firewall instances. The SND maintains
a global dispatching table that maps each connection to the CoreXL Firewall instance it was
assigned to. Traffic distribution between CoreXL Firewall instances is static, based on Source
IP address, Destination IP address, and IP protocol type. The CoreXL SND does not really
"touch" packets: the decision to stick a connection to a particular FWK daemon is made on the
first packet of the connection, at a very high level, before anything else. Depending on the
SecureXL settings, in most cases SecureXL offloads the decryption calculations; in some other
cases, such as Route-Based VPN, the FWK daemon does this work.
CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you
can automatically update Check Point products for the Gaia OS, and the Gaia OS itself.
For details, see sk92449.
D
DAIP Gateway
A Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where the
IP address of the external interface is assigned dynamically by the ISP.
Data Loss Prevention
Check Point Software Blade that detects and prevents the unauthorized transmission of
confidential information outside the organization. Acronym: DLP.
Data Type
A classification of data. The Firewall classifies incoming and outgoing traffic according
to Data Types, and enforces the Policy accordingly.
Database
The Check Point database includes all objects, including network objects, users,
services, servers, and protection profiles.
Distributed Deployment
The Check Point Security Gateway and Security Management Server products are
deployed on different computers.
Domain
A network or a collection of networks related to an entity, such as a company, business
unit or geographical location.
Domain Log Server
A Log Server for a specified Domain. It stores and processes logs from Security
Gateways that are managed by the corresponding Domain Management Server.
Acronym: DLS.
Domain Management Server
A virtual Security Management Server that manages Security Gateways for one
Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS.
E
Expert Mode
The name of the full command line shell that gives full system root permissions in the
Check Point Gaia operating system.
External Network
Computers and networks that are outside of the protected network.
External Users
Users defined on external servers. External users are not defined in the Security
Management Server database or on an LDAP server. External user profiles tell the
system how to identify and authenticate externally defined users.
F
Firewall
The software and hardware that protects a computer network by analyzing the incoming
and outgoing network traffic (packets).
G
Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.
Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This
is a restrictive shell (role-based administration controls the number of commands
available in the shell).
Gaia Portal
Web interface for Check Point Gaia operating system.
H
Hotfix
A piece of software installed on top of the current software in order to fix some wrong or
undesired behavior.
I
ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.
Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.
IPv4
Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, each
set can be from 0 - 255. For example, 192.168.2.1.
IPv6
Internet Protocol Version 6 (see RFC 2460 and RFC 3513). 128-bit number - 8 sets of
hexadecimal numbers, each set can be from 0 - ffff. For example,
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.
J
Jumbo Hotfix Accumulator
Collection of hotfixes combined into a single package. Acronyms: JHA, JHF.
L
Link Aggregation
Various methods of combining (aggregating) multiple network connections in parallel to
increase throughput beyond what a single connection could sustain, and to provide
redundancy in case one of the links should fail.
Log
A record of an action that is done by a Software Blade.
Log Server
A dedicated Check Point computer that runs Check Point software to store and process
logs in Security Management Server or Multi-Domain Security Management
environment.
M
Management High Availability
Deployment and configuration mode of two Check Point Management Servers, in which
they automatically synchronize the management databases with each other. In this
mode, one Management Server is Active, and the other is Standby. Acronyms:
Management HA, MGMT HA.
Management Interface
Interface on Gaia computer, through which users connect to Portal or CLI. Interface on a
Gaia Security Gateway or Cluster member, through which Management Server
connects to the Security Gateway or Cluster member.
Management Server
A Check Point Security Management Server or a Multi-Domain Server.
Multi-Domain Log Server
A computer that runs Check Point software to store and process logs in Multi-Domain
Security Management environment. The Multi-Domain Log Server consists of Domain
Log Servers that store and process logs from Security Gateways that are managed by
the corresponding Domain Management Servers. Acronym: MDLS.
Multi-Domain Security Management
A centralized management solution for large-scale, distributed environments with many
different Domain networks.
Multi-Domain Server
A computer that runs Check Point software to host virtual Security Management Servers
called Domain Management Servers. Acronym: MDS.
N
Network Object
Logical representation of every part of corporate topology (physical machine, software
component, IP Address range, service, and so on).
O
Open Server
A physical computer manufactured and distributed by a company, other than Check
Point.
P
Primary Multi-Domain Server
The Multi-Domain Server in Management High Availability that you install as Primary.
R
Rule
A set of traffic parameters and other conditions in a Rule Base that cause specified
actions to be taken for a communication session.
Rule Base
Also Rulebase. All rules configured in a given Security Policy.
S
Secondary Multi-Domain Server
The Multi-Domain Server in Management High Availability that you install as
Secondary.
SecureXL
Check Point product that accelerates IPv4 and IPv6 traffic. Installed on Security
Gateways for significant performance improvements.
Security Gateway
A computer that runs Check Point software to inspect traffic and enforces Security
Policies for connected network resources.
Security Management Server
A computer that runs Check Point software to manage the objects and policies in Check
Point environment.
Security Policy
A collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.
SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
Check Point computers that run Check Point software authenticate each other over
SSL, for secure communication. This authentication is based on the certificates issued
by the ICA on a Check Point Management Server.
Single Sign-On
A property of access control of multiple related, yet independent, software systems. With
this property, a user logs in with a single ID and password to gain access to a
connected system or systems without using different usernames or passwords, or in
some configurations seamlessly sign on at each system. This is typically accomplished
using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases
on (directory) servers. Acronym: SSO.
SmartConsole
A Check Point GUI application used to manage Security Policies, monitor products and
events, install updates, provision new devices and appliances, and manage a multi-domain
environment and each of its domains.
SmartDashboard
A legacy Check Point GUI client used to create and manage the security settings in
R77.30 and lower versions.
Software Blade
A software blade is a security solution based on specific business needs. Each blade is
independent, modular and centrally managed. To extend security, additional blades can
be quickly added.
SSO
See "Single Sign-On".
Standalone
A Check Point computer, on which both the Security Gateway and Security
Management Server products are installed and configured.
T
Traffic
Flow of data between network devices.
U
Users
Personnel authorized to use network resources and applications.
V
VLAN
Virtual Local Area Network. Open servers or appliances connected to a virtual network,
which are not physically connected to the same network.
VLAN Trunk
A connection between two switches that contains multiple VLANs.
VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a
computer or cluster with virtual abstractions of Check Point Security Gateways and
other network devices. These Virtual Devices provide the same functionality as their
physical counterparts.
VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that
provide the functionality of physical network devices. It holds at least one Virtual
System, which is called VS0.
Introduction to Data Loss Prevention
The Need for Data Loss Prevention
Data is more accessible and transferable today than ever before, and the vast majority of data is sensitive
at some level. Some is confidential simply because it is internal to an organization and was not meant to
be available to the public. Some data is sensitive because of corporate requirements, national laws, and
international regulations. Often the value of data depends on its remaining confidential - consider
intellectual property and competition.
Leakage of your data could be embarrassing, or worse: it could cost you your competitive edge or lose
you accounts. Allowing your organization to act in non-compliance with privacy acts and other laws could
be worse than embarrassing - the integrity of your organization may be at stake.
You want to protect the privacy of your organization, but with all the tools that make information sharing
easier, it is also easier to make an irrecoverable mistake. To complicate matters, alongside the severity of
data leakage we now have tools that inherently make it easier to happen: cloud servers, Google Docs, and
simple unintentional breaches of company procedure, such as an employee taking work home. In fact,
most cases of data leakage occur because of unintentional leaks.
The best solution to prevent unintentional data leaks is to implement an automated corporate policy that
will catch protected data before it leaves your organization. Such a solution is known as Data Loss
Prevention (DLP).
Data Loss Prevention identifies, monitors, and protects data transfer through deep content inspection and
analysis of transaction parameters (such as source, destination, data object, and protocol), with a
centralized management framework. In short, DLP detects and prevents the unauthorized transmission of
confidential information.
Note - Data Loss Prevention is also known as Data Leak Prevention, Information Leak
Detection and Prevention, Information Leak Prevention, Content Monitoring and
Filtering, and Extrusion Prevention.
Data Loss Prevention and Privacy
DLP captures original data that caused a rule match, including the body of the transmission and attached
files.
Best Practice - Disclose to your users how your DLP deployment works. Tell users
that transmissions that violate the data security guidelines of your organization will be
stored and may be read by security personnel.
Information disclosure recommendations:
1. Disclose the privacy policy BEFORE deploying DLP.
2. Translate the most important DLP rules into guidelines and tell your users what is not allowed and
will result in captured transmissions.
3. Explain that DLP scans only transmissions originating from computers inside the organization
(including any source that uses organization resources, such as Remote Access or VPN
connections).
4. Explain how to handle Ask User violations.
DLP incident notifications can be sent by email (for SMTP traffic) or shown in a system tray popup
from the UserCheck client (for SMTP, HTTP, FTP, etc.).
If the incident in the notification is in Ask User mode, the user can click the Send or Discard link in
the UserCheck client popup to handle the incident in real time.
Important - Make sure your users are aware of the purpose of the UserCheck client: to handle
the DLP options directly from the popup.
If the user exits the client, the alternative web page that provides the Ask User options may not function.
5. Explain that captured transmissions will be logged and saved, and that some may be reported to
managers (Data Owners).
6. Explain that captured emails, attachments, web posts, etc. will be available for review by security
personnel.
7. Explain that review of original transmissions is for organization data security alone - you are not
collecting personal information. Therefore, your users do not have, nor require, the option to not
have their transmissions scanned.
8. Make sure that you maintain your guidelines: do not keep or use original transmissions for any use
other than review of DLP incidents and rules.
The Check Point Solution for DLP
The Check Point Data Loss Prevention Software Blade lets you quickly deploy realistic out-of-the-box
detection capabilities based on expert heuristics.
However, an optimal DLP policy takes time to build. To define the data that should be prevented from
transmission, you must take into account many variables, each changing in the context of the particular
transmission: What type of data is it? Who owns it? Who is sending it? Who is the intended receiver?
When is it being sent? What is the cost if tasks are disrupted because the policy is stricter than needed?
Data Loss Prevention Features
Check Point solves the complexity of Data Loss Prevention with unique features.
- UserCheck™ - Provides rapid response for incident handling with automated user notification
and the unique Ask User mode. Each person in your organization learns best practices as
needed, preventing future unintentional leaks - the vast majority of DLP incidents - and quickly
handling immediate incidents. The user handles these incidents either through the DLP Self
Incident Handling Portal, or through the UserCheck client.
Without UserCheck, a security administrator, or even a security team, would have to check every
email and data transfer in real time and approve or reject each. For this reason, other products
offer only detection of suspicious incidents. With UserCheck, the decision-making is distributed to
the users. They are presented with the reason for the data capture and must provide a reason for
letting it pass (if the notification did not change their minds about sending it on). User decisions
(send or discard) and reasons for sending are logged. With the original message and user
decisions and reasons, you can develop an effective prevention policy based on actual use.
- MultiSpect™ - Provides unmatched accuracy in identifying and preventing incidents through
multi-parameter correlation with Compound Data Types and customizable Data Types with
CPcode.
- Out of the Box Security - A rich set of pre-defined Data Types recognizes sensitive forms,
templates, and data to be protected. The Data Types are enforced in an effective out-of-the-box
policy.
- Data Owner Auditing - The Data Owner is the person responsible for controlling the information
and files of his or her own area in the corporation. Data Owners get timely and relevant
information through automated notifications and reports that show exactly how their data is being
moved. Check Point DLP gives Data Owners the information they need to handle usage issues
directly related to their areas of responsibility. Without Data Owner control, the security
administrator would often be placed in an awkward position between managers and employees.
- CPcode - DLP supports fully customized data identification through the use of CPcode. You
define how data is to be matched by DLP, with the greatest flexibility possible. See the R77
versions DLP CPcode Reference Guide.
Data Loss Prevention Benefits
Check Point DLP saves time and significantly improves ROI. Its innovative technologies provide
automation that negates the need for long and costly analysis and a team for incident handling. You can
now move from a detection-only policy to an accurate and effective prevention policy without bringing in
outside consultants or hiring a security team.
All of this functionality is easy to manage through SmartConsole, in an interface similar to that of other
Software Blades. You are not expected to be a DLP expert from the day of deployment. Check Point
Data Loss Prevention guides you on how to customize and improve your DLP policy - with the Improve
Accuracy flag, for example. The DLP Software Blade comes with a large number of built-in Data Types
that can be quickly applied as a default policy. You can fine-tune the out-of-the-box policy to convert the
confidentiality and integrity guidelines of your organization into automated rules. Later, you can create
your own Data Types. This cycle of updating the policy, moving from a detection policy to a prevention
policy, is closed with the Check Point Logs & Monitor tool.
Content Awareness Software Blade
Content Awareness and Data Loss Prevention both use Data Types. However, they have different features
and capabilities. They work independently, and the Security Gateway enforces them separately.
For more information on the Content Awareness Software Blade see the R80.40 Next Generation Security
Gateway Guide.
How DLP Works
General Description
Item  Description
1     Internal network
2     Data Loss Prevention Software Blade enabled on a Security Gateway
3     Security Management Server
4     HTTP proxy
5     Mail server
6     Active Directory or LDAP server
7     Logs & Monitor view
DLP Workflow:
1. The Data Loss Prevention Software Blade is enabled on a Security Gateway (2) (or ClusterXL
Security Cluster). This makes it a DLP gateway (or a DLP security cluster). Alternatively, a
dedicated DLP gateway can be installed behind a protecting Security Gateway.
2. You use the SmartConsole and the Security Management Server to install the DLP Policy on the
DLP gateway.
3. The DLP gateway (2) uses the built-in Data Types and rules to provide out-of-the-box Data Loss
Prevention. It may use the Active Directory or LDAP server (6) to identify the internal
organization.
It catches all traffic containing data and being sent through supported protocols. Thus, when
users send data that goes to an HTTP proxy (4) or a mail server (5), for example, the DLP
gateway catches the data before it leaves the organization.
It scans the traffic, including email attachments, for data that should be protected from being sent
outside the organization. This data is recognized by protocol, source, destination, and complex
Data Type representations.
It can also scan internal traffic between Microsoft Exchange clients within the organization. This
requires installation of the Exchange Security Agent on the Microsoft Exchange server. The
agent forwards internal emails to the DLP gateway which then scans them. If the organization
only uses Exchange servers for managing emails (internal and external), you can use this setup
to also scan emails that are sent outside of the organization.
If the data does not match any of the rules of the DLP policy, the traffic is allowed to pass.
4. The Logs & Monitor view (7) provides effective logging, tracking, event analysis, and reporting of
incidents captured by the DLP gateway.
Integrated DLP Security Gateway Deployment
In an Integrated DLP Security Gateway deployment, the Data Loss Prevention Software Blade is enabled
on a Security Gateway (or a cluster). This makes it the DLP gateway (or DLP Security Cluster). The
Firewall Software Blade, and optionally, other Network Security Software Blades, are also enabled on the
gateway.
If the DLP gateway is on the perimeter, the SMTP server forwards only transmissions with destinations
outside of the organization to DLP. Internal and external transmissions can both be inspected by DLP if
the Exchange Security Agent on the Exchange Server forwards them to DLP. For external transmissions
forwarded through the Exchange Security Agent, the Exchange Server must have an IP address that the
DLP gateway can reach.
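The four-step workflow under "How DLP Works" and the note above that a perimeter deployment forwards only transmissions with outside destinations to DLP describe, in words, how one transmission is classified. The following Python is an added example written for this page; it is not Check Point code and does not claim to be how the DLP Software Blade is implemented. It makes the same decision the text describes: the source is checked against My Organization, the body and attachments are scanned against Data Types, each rule's protocol and destination scope is applied, traffic that matches no rule passes, and every match is logged. Everything in it is an assumption made for illustration: the domain example.com, the two Data Types (a Luhn-validated card-number pattern and a keyword), the constructed sample transmissions, and the tie-break that the strictest action among the matching rules wins, which this page does not state.

```python
"""Toy DLP matcher, added as an illustration; not Check Point code.
Every domain, Data Type, rule, sample message and the tie-break rule below
is an assumption made for this example."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

MY_ORG_DOMAINS = {"example.com"}  # assumption: the organization's own domains

@dataclass
class Transmission:
    protocol: str      # "smtp", "http" or "ftp"
    source: str        # sender address or client host name
    destination: str   # recipient address or destination host name
    body: str
    attachments: dict = field(default_factory=dict)  # file name -> extracted text

    def content(self) -> str:
        """Body and attachments are inspected together."""
        return "\n".join([self.body, *self.attachments.values()])

def is_internal(name: str) -> bool:
    """True if a mail address or host name belongs to My Organization."""
    domain = name.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in MY_ORG_DOMAINS)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

@dataclass
class DataType:
    name: str
    pattern: str        # regular expression; a keyword Data Type is just a word pattern
    threshold: int = 1  # minimum number of validated hits for a match
    validator: Optional[Callable[[str], bool]] = None  # applied to the digits of each hit

    def matches(self, text: str) -> bool:
        hits = [m.group(0) for m in re.finditer(self.pattern, text, re.IGNORECASE)]
        if self.validator is not None:
            hits = [h for h in hits if self.validator(re.sub(r"\D", "", h))]
        return len(hits) >= self.threshold

# Assumption for this example: when several rules match, the strictest action wins.
ACTION_RANK = {"detect": 0, "inform_user": 1, "ask_user": 2, "prevent": 3}

@dataclass
class Rule:
    name: str
    data_type: DataType
    action: str
    protocols: frozenset = frozenset({"smtp", "http", "ftp"})
    destination: str = "outside_my_org"  # "any" would also cover internal mail (Exchange agent)

    def in_scope(self, t: Transmission) -> bool:
        if t.protocol not in self.protocols:
            return False
        return not (self.destination == "outside_my_org" and is_internal(t.destination))

def inspect(t: Transmission, rules: list) -> dict:
    """Decide one transmission: final action, matched rule names, one log line per match."""
    if not is_internal(t.source):   # DLP scans only traffic originating inside the organization
        return {"action": "allow", "matched": [], "log": ["not scanned: external source"]}
    text = t.content()
    matched = [r for r in rules if r.in_scope(t) and r.data_type.matches(text)]
    if not matched:                 # no rule matched: the traffic passes
        return {"action": "allow", "matched": [], "log": []}
    final = max(matched, key=lambda r: ACTION_RANK[r.action]).action
    log = [f"rule={r.name!r} data_type={r.data_type.name!r} action={r.action} "
           f"proto={t.protocol} src={t.source} dst={t.destination}" for r in matched]
    return {"action": final, "matched": [r.name for r in matched], "log": log}

CREDIT_CARD = DataType("Credit Card Numbers", r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b",
                       validator=luhn_ok)
CONFIDENTIAL = DataType("Confidential Keyword", r"\bconfidential\b")
POLICY = [
    Rule("Block card data leaving the organization", CREDIT_CARD, "prevent"),
    Rule("Ask before sending confidential documents", CONFIDENTIAL, "ask_user"),
]

# Constructed sample traffic; 4111 1111 1111 1111 is a Luhn-valid test number.
SAMPLES = {
    "smtp_card_to_partner": Transmission("smtp", "alice@example.com", "bob@partner.invalid",
        "Confidential, see attachment", {"cards.txt": "card 4111-1111-1111-1111 exp 12/25"}),
    "smtp_card_internal": Transmission("smtp", "alice@example.com", "carol@example.com",
        "Confidential: card 4111 1111 1111 1111"),
    "http_confidential_post": Transmission("http", "ws-042.corp.example.com", "paste.invalid",
        "confidential roadmap draft"),
    "smtp_inbound_from_outside": Transmission("smtp", "mallory@attacker.invalid",
        "alice@example.com", "card 4111-1111-1111-1111"),
    "smtp_not_a_card": Transmission("smtp", "alice@example.com", "bob@partner.invalid",
        "order ref 4111-1111-1111-1112"),
}

def run_samples() -> dict:
    """Map each sample name to the action the policy gives it."""
    return {name: inspect(t, POLICY)["action"] for name, t in SAMPLES.items()}

if __name__ == "__main__":
    for name, t in SAMPLES.items():
        result = inspect(t, POLICY)
        print(name, result["action"], *result["log"], sep="\n  ")
```

Run it directly to print each sample's action and log lines. The internal-to-internal sample passes only because both rules are scoped to destinations outside My Organization; the Exchange Security Agent case in the workflow, where internal mail is also inspected, corresponds to a rule whose destination is "any".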
Dedicated DLP Gateway Deployment
General Description
In a Dedicated DLP gateway deployment, a separate gateway (2) (or cluster) is installed in addition to
the protecting gateway (3) (or cluster). The Data Loss Prevention Software Blade is enabled on that
separate gateway.
Install the dedicated DLP gateway behind the protecting Security Gateway to ensure its protection. We
recommend that you enable only the Data Loss Prevention Software Blade to maximize the use of
available hardware resources.
Best Practice - When you set up a dedicated DLP gateway, configure it in Bridge
Mode. The bridge is transparent to network routing.
Item  Description
1     Internal network
2     Data Loss Prevention Software Blade enabled on a Security Gateway
3     Security Gateway
4     Security Management Server
5     HTTP proxy
6     Mail server
7     Active Directory or LDAP server
8     Logs & Monitor view