Important Notes
Comprehensive Storage
Google offers a service called comprehensive storage. If you have this service enabled, actions such as quarantining an email do not work alongside it. The service guarantees that a copy of the email is delivered to the inbox if the original is not. Ergo, we would quarantine the original to prevent access to the email, but Google would then turn around and deliver a copy of the email to the end user.
Cloud Directory Sync
If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, the synchronization triggers the deletion of the two Check Point groups. Although this does not affect email delivery, Harmony Email & Collaboration cannot scan the emails, and no security events are generated.
Before activating Google Workspace, create two exclusion rules for the two user groups. Set the exclusion type to Group Email Address and the match type to Exact Match, and enter the group email address in the groupname@(domain) format.
For example, the group email addresses should be check_point_inline_policy@mycompany<.>com and check_point_monitor_policy@mycompany<.>com, where mycompany is your company's name.
Avanan SEG and DLP - Installation & Implementation
Google Mail Threat Protection (Default) - "Monitor only" mode.
- Create a Mail Threat Protection policy in "monitor" mode.
Manually Confirm that Google Tenant settings are applied correctly.
Verify the following four configuration settings to confirm that Avanan has completed onboarding/setup.
- 4 compliance rules with the naming scheme outlined below are created.
- A host named CLOUD-SEC-AV Service is created.
- An inbound gateway with an Avanan IP is enabled.
- 2 groups named avanan_inline and avanan_monitor are now created.
To verify that the host and inbound gateway are configured, see below:
- In Google Admin Portal, go to Apps > Google Workspace > Gmail
- Hosts: should have a host/route that looks like this.

- Spam, phishing, and malware > Email allowlist
- Just a note confirming that you should NOT put Avanan's IP address here. Use the Inbound Gateway setting below instead.
- Spam, phishing, and malware > Inbound gateway
- Set the following:

- The value for the Regexp field is X-CLOUD-SEC-AV-SCL: true (note the space between ":" and "true")
- FYI: The reason to leave Gmail's spam evaluation on is that when Avanan's Gmail Threat Protection is in "monitor only" mode, messages received from Avanan's servers will NOT have the X-CLOUD-SEC-AV-SCL header added to them at all, which means that Avanan isn't marking any emails as spam. For this reason, it's essential to have Gmail's spam filters still filtering the email from this inbound gateway; otherwise, if the Gmail spam filter were disabled, all incoming spam/malicious emails would be effectively allow-listed because they came from Avanan's IP address. This would result in user inboxes getting flooded with spam.
- Allow-listed IPs would be added under the "Email allowlist" setting, which is another method of bypassing, so the training messages should still bypass Google's filtering.
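The gateway decision described above, as an added example (not Avanan's or Google's code). It runs the page's regexp over constructed messages and assumes the regexp is searched against each unfolded header line; the function names and verdict strings are hypothetical.

```python
import re

# Regexp value from the Inbound gateway setting (note the space after ":").
SPAM_HEADER_RE = re.compile(r"X-CLOUD-SEC-AV-SCL: true")

def header_lines(raw):
    """Return the unfolded header lines of a raw message (body is ignored)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # folded continuation line
        elif line:
            lines.append(line)
    return lines

def gateway_verdict(raw, gmail_spam_eval_on):
    """Hypothetical model: a header match wins, otherwise Gmail's filter decides."""
    if any(SPAM_HEADER_RE.search(h) for h in header_lines(raw)):
        return "spam: header regexp matched"
    if gmail_spam_eval_on:
        return "evaluated by Gmail spam filter"
    return "no spam evaluation at all"

# Constructed sample messages (not real traffic).
MONITOR_MODE = "From: a@example.org\r\nSubject: hi\r\n\r\nbody\r\n"
INLINE_FLAGGED = "From: a@example.org\r\nX-CLOUD-SEC-AV-SCL: true\r\n\r\nbody\r\n"
NO_SPACE = "From: a@example.org\r\nX-CLOUD-SEC-AV-SCL:true\r\n\r\nbody\r\n"

if __name__ == "__main__":
    samples = [("monitor", MONITOR_MODE), ("flagged", INLINE_FLAGGED),
               ("no-space", NO_SPACE)]
    for name, msg in samples:
        for gmail_on in (True, False):
            verdict = gateway_verdict(msg, gmail_on)
            print(f"{name:9} gmail_eval={gmail_on!s:5} -> {verdict}")
```

The monitor-mode message with Gmail's evaluation switched off is the case the note warns about: nothing evaluates it for spam.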
To verify that compliance rules are configured, see below:
- Go to Compliance > Content Compliance
- Four rules (3 monitor rules and 1 inline rule) that should be automatically created are called:
- [tenantname]_monitor_ei -- incoming email ("external inbound")
- [tenantname]_monitor_ii -- internal email ("internal inbound")
- [tenantname]_monitor_eo -- outgoing email ("external outbound")
- [tenantname]_inline_ei -- incoming email ("external inbound")
- Heads up: the inline_ei rule doesn't get created until the Protect (inline) mode is enabled, so see the section Switch Mail Threat protection from "Monitor only" to "Protect (inline)" below for details on that.
- Looks like this:

- Verify the details of all of the rules.
- Heads up: Some settings, such as the "envelope filter", have been found to be incorrect in previous implementations, so this is worth checking.
- Monitor_ei:



- Heads up: The bottom setting (C. Envelope filter), in which you indicate the membership that's affected by this setting, is subtle but critical. If missed, it will cause duplicate emails to appear in user inboxes.
- Monitor_ii



- Monitor_eo:




Switch Mail Threat protection from "Monitor only" to "Protect (inline)"

Manually Confirm that Google Tenant has applied the inline rule correctly.
- In Google Admin Portal, go to Apps > Google Workspace > Settings for Gmail > Compliance >
- You should see the fourth and final rule appear here now:

- Click "edit" to confirm these settings for it:




- Confirm that Google Group membership updated correctly
- Go to Google Groups > All Groups
- Make sure that the "avanan_inline_policy" has 1 subgroup and that the "avanan_monitor_policy" has NO membership. Like this:
- FYI: Here's how this works, if you're curious...
- The "monitor_ei" and "inline_ei" compliance rules apply only to the users in the groups that are listed in part "C. Envelope filter".
- In the background, Avanan creates two Google Groups to correspond with the "monitor" and "inline" rules.

- Whichever policy mode (monitor vs inline) is set as active in Avanan at the time will be assigned a membership of a single subgroup, and the other group will have no membership at all. The example below indicates that the "inline" policy is active.

- The subgroup, by the way, is a mysterious-looking external subgroup just called "unknown", which presumably contains the set of users that are selected in Avanan's settings on the corresponding policy.

- If you were ever to remove the Protect (inline) mode for users in Avanan, the Compliance Rule remains in the Google Admin console, but the content of the user group avanan_inline_rule gets updated to reflect that no users are protected in this mode.
- Ensure that Gmail filter is disabled on Inbound Gateways
- Google Admin Portal, go to Apps > Google Workspace > Settings for Gmail > Spam, phishing, and malware > Inbound gateway, set the following.

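A check over the rule names and group membership described in this section, as an added example (not Avanan's or Check Point's tooling). The inputs are values you copy by hand from the Google Admin console; the function name, the tenant name "acme" and the sample data are constructed, and the default group names are the ones used in the membership step above.

```python
def audit_tenant(tenant, active_mode, rules, subgroup_counts,
                 inline_group="avanan_inline_policy",
                 monitor_group="avanan_monitor_policy"):
    """Return a list of findings; an empty list means every check passed.

    rules:           rule names seen under Compliance > Content Compliance
    subgroup_counts: {group name: number of subgroups} seen in Google Groups
    active_mode:     "monitor" or "inline", the policy mode active in Avanan
    """
    if active_mode not in ("monitor", "inline"):
        raise ValueError("active_mode must be 'monitor' or 'inline'")
    findings = []

    expected = [f"{tenant}_monitor_{d}" for d in ("ei", "ii", "eo")]
    if active_mode == "inline":
        # inline_ei only appears once Protect (inline) has been enabled;
        # it stays in place afterwards, so its presence is never an error.
        expected.append(f"{tenant}_inline_ei")
    for name in expected:
        if name not in rules:
            findings.append(f"missing compliance rule: {name}")

    if active_mode == "inline":
        active, idle = inline_group, monitor_group
    else:
        active, idle = monitor_group, inline_group
    for group, want in ((active, 1), (idle, 0)):
        if group not in subgroup_counts:
            findings.append(f"missing group: {group}")
        elif subgroup_counts[group] != want:
            findings.append(f"{group}: expected {want} subgroup(s), "
                            f"found {subgroup_counts[group]}")
    return findings

# Constructed sample: Protect (inline) active, but the monitor group still
# has a subgroup and the inline rule has not appeared yet.
SAMPLE_RULES = ["acme_monitor_ei", "acme_monitor_ii", "acme_monitor_eo"]
SAMPLE_GROUPS = {"avanan_inline_policy": 1, "avanan_monitor_policy": 1}

if __name__ == "__main__":
    for finding in audit_tenant("acme", "inline", SAMPLE_RULES, SAMPLE_GROUPS):
        print("FINDING:", finding)
```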