
How to Configure DLP in Harmony Email & Collaboration

Learn to configure Data Loss Prevention (DLP) policies in Check Point Harmony Email to protect sensitive data in emails and attachments.

15 min read. Updated January 2025


Check Point Harmony Email & Collaboration includes a powerful Data Loss Prevention (DLP) engine that protects sensitive information from unauthorized sharing through email, attachments, and collaboration tools. This guide covers configuring DLP policies to prevent data breaches while minimizing false positives.

Prerequisites

Before configuring DLP, ensure you have:

  • Harmony Email & Collaboration connected to Microsoft 365 or Google Workspace
  • Administrator access to the Check Point Infinity Portal
  • Complete Protect license (DLP is included in the Complete Protect tier)
  • Understanding of your data classification requirements and regulatory obligations

Understanding DLP Capabilities

Harmony Email DLP provides:

Capability                    | Description
------------------------------|-------------------------------------------------------------------
Pre-built Data Types          | 100+ patterns for common sensitive data (SSN, credit cards, etc.)
Custom Data Types             | Define your own regex patterns for organization-specific data
OCR Scanning                  | Extract text from images for scanning
Microsoft Purview Integration | Honor sensitivity labels from Microsoft 365
Multi-directional Scanning    | Scan inbound, outbound, and internal emails

Step 1: Access DLP Configuration

  1. Sign in to https://portal.checkpoint.com
  2. Navigate to Harmony > Email & Collaboration
  3. Go to Security Settings in the left menu
  4. Click Security Engines
  5. Locate DLP and click Configure

Step 2: Configure Global DLP Settings

Detection Settings

Configure how the DLP engine processes detections:

Unique Detections Only

  1. In the DLP Configuration window, locate Detection Settings
  2. Enable Unique detections only checkbox
  3. When enabled, the system ignores duplicate occurrences of the same string
  4. Example: "SSN: 123-45-6789" appearing 5 times counts as 1 detection

Tip: Enable this setting to reduce false positives from email threads that repeat sensitive data in quoted replies.

Occurrence Threshold

Set the minimum number of matches required to trigger a detection:

  1. Locate Occurrence Threshold settings
  2. Set a threshold value (default is 1)
  3. If set to 3, the DLP engine only triggers when 3 or more matches are found
  4. This helps reduce false positives from isolated occurrences

Detected Text Storage Mode

Configure how detected sensitive strings are stored and displayed:

Mode   | Description                     | Use Case
-------|---------------------------------|-----------------------
Full   | Stores complete matched text    | Detailed investigation
Masked | Partially obscures matched text | Privacy compliance
None   | No text stored                  | Maximum privacy

  1. Select your preferred Detected Text Storage Mode
  2. Consider regulatory requirements (GDPR, HIPAA) when choosing
  3. Click Save to apply settings
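To make the interaction between the three settings above concrete, here is an added Python model (example code written for this guide, not code from the page or from Check Point) that runs a constructed outbound reply thread through a toy detector. The SSN and card patterns, the masking format (last four digits kept) and the "count at or above threshold" comparison are assumptions for illustration; the product's own patterns and storage format are not documented on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample: an outbound reply thread whose quoted replies repeat the
# same SSN three times and mention one card-style number once.
SAMPLE_EMAIL = """\
Hi Dana, as requested the SSN is 123-45-6789.

> Thanks, confirming SSN 123-45-6789 for the file.
>> Original request: please send the SSN 123-45-6789
>> and the card on file, 4111 1111 1111 1111.
"""

# Hypothetical patterns standing in for the product's built-in data types;
# the real engine's patterns and validation logic are not documented here.
DATA_TYPES = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Credit Card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


@dataclass
class DetectionSettings:
    """Mirrors the three global settings described in Step 2."""
    unique_detections_only: bool = False
    occurrence_threshold: int = 1
    storage_mode: str = "Full"  # "Full", "Masked" or "None"


def mask(text: str) -> str:
    """Keep the last four digits, replace every other digit with '*'
    (an assumed masking format, used only for illustration)."""
    digit_positions = [i for i, c in enumerate(text) if c.isdigit()]
    keep = set(digit_positions[-4:])
    return "".join(
        "*" if c.isdigit() and i not in keep else c for i, c in enumerate(text)
    )


def stored_text(match: str, mode: str):
    """Apply the Detected Text Storage Mode to one matched string."""
    if mode == "Full":
        return match
    if mode == "Masked":
        return mask(match)
    if mode == "None":
        return None
    raise ValueError(f"unknown storage mode: {mode}")


def scan(body: str, settings: DetectionSettings) -> dict:
    """Return, per data type, the occurrence count, whether the detection
    fires, and what would be written to the event under the storage mode."""
    report = {}
    for name, pattern in DATA_TYPES.items():
        matches = [m.group(0) for m in pattern.finditer(body)]
        if settings.unique_detections_only:
            # Duplicate strings (the same SSN quoted in replies) count once.
            matches = list(dict.fromkeys(matches))
        count = len(matches)
        # A detection fires only when the count reaches the threshold.
        triggered = count > 0 and count >= settings.occurrence_threshold
        stored = []
        if triggered and settings.storage_mode != "None":
            stored = [stored_text(m, settings.storage_mode) for m in matches]
        report[name] = {"count": count, "triggered": triggered, "stored": stored}
    return report


if __name__ == "__main__":
    for label, s in [
        ("defaults", DetectionSettings()),
        ("unique only", DetectionSettings(unique_detections_only=True)),
        ("threshold 3", DetectionSettings(occurrence_threshold=3)),
        ("unique + threshold 3, masked", DetectionSettings(True, 3, "Masked")),
    ]:
        print(label, scan(SAMPLE_EMAIL, s))
```

Running it shows the tuning trade-off from the steps above: with defaults the SSN counts three times; with Unique detections only it counts once; with a threshold of 3 the single card number no longer fires; and with both settings on, the repeated SSN no longer fires either, which is the false-positive reduction the tip describes but also the detection you give up.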

Step 3: Configure DLP Categories

DLP categories group related data types for easier policy management:

Pre-built Categories

Harmony Email includes these built-in categories:

Category  | Data Types Included
----------|-----------------------------------------------------
PII       | SSN, Driver's License, Passport numbers
Financial | Credit card numbers, bank accounts, routing numbers
HIPAA     | PHI, medical record numbers, health insurance IDs
PCI-DSS   | Credit card data, CVV codes
GDPR      | EU personal data identifiers
Custom    | Organization-specific patterns

Enable DLP Categories

  1. Go to Security Settings > Security Engines > DLP
  2. Under DLP Categories, review available categories
  3. Enable categories relevant to your compliance requirements:
    • Toggle PII for personal information protection
    • Toggle Financial for payment card data
    • Toggle HIPAA for healthcare environments
  4. Click Save

Adjust Category Sensitivity

Fine-tune detection sensitivity for each category:

  1. Click the gear icon next to a DLP category
  2. Adjust Sensitivity Level:
    • Low: Fewer detections, may miss some violations
    • Medium: Balanced detection (recommended)
    • High: Maximum detection, more false positives
  3. Configure Likelihood Adjustment for specific data types
  4. Click Save

Step 4: Create DLP Policy Rules

DLP Policy for Outgoing Emails

Protect against data exfiltration via outbound email:

  1. Navigate to Policy in the left menu
  2. Click Add a New Policy Rule
  3. Under Choose SaaS, select your email platform (Office 365 Mail or Gmail)
  4. Under Choose Security, select DLP
  5. Click Next

Configure the rule:

  1. Rule Name: Enter a descriptive name (e.g., "Block PII in Outbound Email")
  2. Email Direction: Select Outbound
  3. Protection Mode: Choose based on your requirements:
    • Monitor only: Log violations without blocking
    • Prevent (Inline): Block emails containing sensitive data
  4. Click Next

Select DLP categories to enforce:

  1. Enable checkboxes for categories to include:
    • PII: Personally identifiable information
    • Financial: Credit cards, bank accounts
    • HIPAA: Protected health information
  2. Select Sensitivity Level for this rule
  3. Click Next

Configure actions:

  1. When DLP violation is detected:
    • Quarantine: Hold email for admin review
    • Block: Reject the email
    • Alert Only: Allow delivery but log the event
  2. Notify sender: Enable to inform users of violations
  3. Notify admin: Configure admin email for alerts
  4. Click Save

DLP Policy for Incoming Emails

Monitor sensitive data entering your organization:

  1. Click Add a New Policy Rule
  2. Select your email platform under Choose SaaS
  3. Select DLP under Choose Security
  4. Click Next

Configure the rule:

  1. Rule Name: "Monitor PII in Inbound Email"
  2. Email Direction: Select Inbound
  3. Protection Mode: Select Monitor only (recommended for inbound)
  4. Select applicable DLP Categories
  5. Configure notification settings
  6. Click Save

Note: Blocking inbound emails for DLP is less common, as you typically want to receive all business communications. Monitor mode helps track what sensitive data is being sent to your organization.

DLP Policy for Internal Emails

Monitor internal sharing of sensitive information:

  1. Create a new policy rule
  2. Email Direction: Select Internal
  3. Protection Mode: Choose Monitor only initially
  4. Select relevant DLP Categories
  5. This helps identify internal data handling issues

Step 5: Configure Microsoft Purview Integration

If using Microsoft 365, integrate with Purview Sensitivity Labels:

Enable Sensitivity Label Support

  1. Go to Security Settings > Security Engines > DLP
  2. Locate Microsoft Purview Sensitivity Labels section
  3. Enable Use Microsoft Purview Sensitivity Labels
  4. Click Authorize to connect to Microsoft 365

Create Label-Based DLP Rules

  1. Go to Policy > Add a New Policy Rule
  2. Select Office 365 Mail and DLP
  3. Under DLP settings, select Sensitivity Labels
  4. Choose which labels trigger DLP actions:
    • Confidential: Block external sharing
    • Highly Confidential: Quarantine for review
    • Internal Only: Alert on external recipients
  5. Configure actions and save

Supported File Formats for Labels

Sensitivity labels are detected in:

  • Emails
  • Microsoft Word (.docx)
  • Microsoft Excel (.xlsx)
  • Microsoft PowerPoint (.pptx)
  • PDF documents

Step 6: Create Custom DLP Data Types

Define custom patterns for organization-specific data:

Access Custom Data Types

  1. Go to Security Settings > Security Engines > DLP
  2. Click Custom Data Types or Manage Data Types
  3. Click Add New Data Type

Define a Custom Pattern

Example: Detect internal project codes (format: PROJ-XXXX):

  1. Name: "Internal Project Codes"
  2. Description: "Detects project identifiers in format PROJ-####"
  3. Pattern Type: Select Regular Expression
  4. Regex Pattern: PROJ-\d{4}
  5. Validation: Test the pattern with sample data
  6. Click Save

Add to a Custom Category

  1. Create or select a custom DLP category
  2. Add your custom data type to the category
  3. Enable the category in your DLP policies

Step 7: Test DLP Configuration

Before enforcing DLP policies, test your configuration:

Send Test Emails

  1. Create test emails containing:
    • Fake credit card numbers (use test patterns)
    • Dummy SSN formats
    • Sample data matching your custom patterns
  2. Send to internal and external addresses
  3. Verify detections appear in the Events log

Review DLP Events

  1. Go to Events in the left menu
  2. Filter by Event Type: DLP
  3. Review detected violations:
    • Check Data Type matched
    • Verify Sensitivity Level is appropriate
    • Confirm Action Taken matches policy

Adjust Policies Based on Results

  1. If too many false positives:
    • Increase occurrence threshold
    • Enable unique detections only
    • Lower sensitivity level
  2. If missing detections:
    • Lower occurrence threshold
    • Increase sensitivity level
    • Review regex patterns for custom types

Step 8: Enable DLP for Collaboration Tools

Extend DLP protection to collaboration platforms:

Microsoft Teams DLP

  1. Go to Policy > Add a New Policy Rule
  2. Select Microsoft Teams under Choose SaaS
  3. Select DLP under Choose Security
  4. Configure categories and actions
  5. Save the policy

SharePoint and OneDrive DLP

  1. Create a policy rule for OneDrive or SharePoint
  2. Configure DLP to scan:
    • File uploads
    • File sharing events
    • Document content
  3. Set appropriate actions for violations

Google Drive DLP

  1. Create a DLP policy for Google Drive
  2. Enable scanning for:
    • Document content
    • File names
    • Sharing permissions
  3. Configure actions for detected violations

Troubleshooting DLP Issues

No DLP Events Appearing

Symptoms: Emails with sensitive data aren't triggering DLP events.

Solutions:

  1. Verify DLP categories are enabled in policy rules
  2. Check that the policy applies to the correct email direction
  3. Ensure the file size is under the 10 MB limit
  4. Confirm the data matches the expected pattern format

Too Many False Positives

Symptoms: Legitimate emails are being flagged for DLP violations.

Solutions:

  1. Increase the occurrence threshold
  2. Enable "Unique detections only"
  3. Create exceptions for specific senders or recipients
  4. Adjust sensitivity levels to medium or low

Custom Patterns Not Matching

Symptoms: Custom regex patterns don't detect expected data.

Solutions:

  1. Test the regex pattern with online tools (regex101.com)
  2. Verify pattern syntax is correct for the DLP engine
  3. Check for special character escaping requirements
  4. Test with exact sample data
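The pattern validation recommended in Step 6 ("Test the pattern with sample data") and the last two points above can be rehearsed locally before a pattern is entered in the console. The harness below is an added example for this guide, not code from the page or from Check Point. It uses Python's re syntax, and the DLP engine's regex flavor may differ, so a pass here is a pre-check to be confirmed with the console's own validation. The sample strings are constructed; the third candidate pattern goes beyond the page's PROJ-\d{4} by adding word boundaries, which is what stops partial and prefixed matches in these samples.

```python
import re

# Constructed samples for the page's project-code pattern (format PROJ-####).
# Positive strings should be detected; negative strings should not be.
POSITIVE_SAMPLES = [
    "PROJ-1234",
    "Ref PROJ-0001 attached.",
    "Budget for (PROJ-9876) approved",
]
NEGATIVE_SAMPLES = [
    "PROJ-123",      # too few digits
    "PROJ-12345",    # too many digits; an unanchored pattern still matches the first four
    "PROJ 1234",     # missing hyphen
    "proj-1234",     # wrong case
    "SUBPROJ-1234",  # different prefix that merely ends in PROJ
]


def validate_pattern(pattern: str, positives, negatives, flags: int = 0) -> dict:
    """Compile a candidate regex (Python 're' syntax; the DLP engine's flavor
    may differ) and report which samples it handles incorrectly."""
    try:
        rx = re.compile(pattern, flags)
    except re.error as exc:
        # Syntax errors (unbalanced groups, bad escapes) are the first thing
        # to rule out when a custom type never matches.
        return {"pattern": pattern, "compiles": False, "error": str(exc),
                "missed": [], "false_hits": [], "ok": False}
    missed = [s for s in positives if rx.search(s) is None]
    false_hits = [s for s in negatives if rx.search(s) is not None]
    return {
        "pattern": pattern,
        "compiles": True,
        "error": None,
        "missed": missed,          # positives the pattern failed to detect
        "false_hits": false_hits,  # negatives the pattern wrongly detected
        "ok": not missed and not false_hits,
    }


def best_candidate(candidates, positives, negatives):
    """Return the first candidate that passes every sample, or None."""
    for pattern in candidates:
        if validate_pattern(pattern, positives, negatives)["ok"]:
            return pattern
    return None


if __name__ == "__main__":
    candidates = [
        r"PROJ-(\d{4}",      # typo: unbalanced parenthesis, will not compile
        r"PROJ-\d{4}",       # the page's pattern, unanchored
        r"\bPROJ-\d{4}\b",   # word boundaries stop partial and prefixed matches
    ]
    for c in candidates:
        print(validate_pattern(c, POSITIVE_SAMPLES, NEGATIVE_SAMPLES))
    print("recommended:", best_candidate(candidates, POSITIVE_SAMPLES, NEGATIVE_SAMPLES))
```

Keep the positive and negative lists as the regression set for a custom type: whenever a pattern is revised after reviewing DLP events, rerun the harness so that fixing one false positive does not silently reintroduce a missed detection.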

Best Practices

  1. Start with Monitor mode: Observe detections before blocking
  2. Phase rollout: Enable one category at a time
  3. Document exceptions: Track any exclusions and reasons
  4. Regular review: Audit DLP events weekly
  5. User training: Educate users about data handling policies
  6. Test updates: Verify policies after any configuration changes

Next Steps

After configuring DLP:

  1. Set up alerts: Configure notifications for high-severity DLP events
  2. Create reports: Schedule regular DLP violation reports
  3. Integrate SIEM: Forward DLP events to your security operations center
  4. Review compliance: Map DLP policies to regulatory requirements
  5. User education: Train employees on data classification and handling


Frequently Asked Questions


Harmony Email DLP can detect credit card numbers, social security numbers, bank routing numbers, HIPAA-protected health information, PII (personally identifiable information), financial data, and custom patterns you define. It also supports Microsoft Purview Sensitivity Labels for classified documents.
