Manual Steps for Enabling Gmail Prevent (Inline) Policy

If you receive the Manual Changes Required message while creating a Prevent (Inline) DLP policy for Gmail, you must make these changes in the Google Admin Console.

Gmail-Manual-Changes-Required

Step 1: Adding a Host

  1. Sign in to the Google Admin Console.
  2. From the left navigation panel, click Apps > Google Workspace > Gmail.
  3. Click Hosts.
  4. Click Add Route.
  5. Under Name, enter CLOUD-SEC-AV DLP Service for the mail route.
    Gmail-add-mail-route
  6. Under Specify email server, select Single host.
  7. Enter the host name as [portal]-dlp.avanan.net
    To find the portal identifier, see Portal identifier of Avanan portal.
  8. Enter the port number as 25.
  9. Under Options, clear the Require CA signed certificate checkbox.
  10. Click Save.

Step 2: Updating Inbound Gateway

  1. From the left navigation panel, click Apps > Google Workspace > Gmail.
  2. Scroll-down and click Spam, Phishing and Malware.
  3. Click Inbound gateway.
  4. Select Enable and under Gateway IPs, click Add and enter the IP address or IP address range relevant to your Avanan Portal tenant (account) region.
    For the list of supported IP addresses, see IP Addresses Supported Per Region.
    gmail-inbound-gateway

  5. Click Save.

Step 3: Adding SMTP Relay Host

  1. From the left navigation panel, click Apps > Google Workspace > Gmail.
  2. Scroll down and click Routing.
  3. Click SMTP relay service.
  4. Click Add Another Rule.
  5. Enter a description of the rule.
    gmail-smtp-relay-host
  6. In the Allow Senders list, select Any Addresses checkbox.
  7. Under Authentication, do options: 
    1. Select the Only accept mail from the specified IP addresses checkbox.
    2. Add the IP addresses relevant to your Avanan Portal tenant (account) region.
      For the list of supported IP addresses, see IP Addresses Supported Per Region.
      To add an IP address:

      1. Click Add.
      2. Enter a Description for the IP address.
        gmail-add-smtp-relay-ip
      3. Enter the IP address.
      4. Select the Enable checkbox.
      5. Click Save.
    3. Clear the Require SMTP Authentication checkbox.

  8. Under Encryption, select the Require TLS encryption checkbox.

  9. Click Save.

Step 4: Add Groups

You must create two groups.

  • avanan_inline_outgoing_policy
  • avanan_monitor_outgoing_policy

Note - If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, the synchronization triggers the deletion of these Avanan groups. Though this will not impact the email delivery, Avanan cannot scan the emails, and no security events are generated.

Before activating Google Workspace, you must create exclusion rules for these user groups. Select the exclusion type as Group Email Address, match type as Exact Match, and the group email address should be in the groupname@[domain] format.

For example, the group email addresses should be avanan_inline_outgoing_policy@mycompany.com and  avanan_monitor_outgoing_policy@mycompany.com, where mycompany is the name of your company.

To create a group:

  1. From the left navigation panel, click Directory > Groups.
  2. Click Create Group.
  3. In the Group name field, enter the group name. For example, avanan_inline_outgoing_policy.

    Gmail-Group
  4. In Group email field, enter the group email. For example, avanan_inline_outgoing_policy.
  5. Click Next.
  6. In Access Settings, clear everything except the default settings.
    gmail-create-group-access-settings

  7. In Who can join the group, select Anyone in the organization can join.
  8. Click Create Group.
  9. Repeat the same procedure and create a group with the Group name and Group email as avanan_monitor_outgoing_policy.

After creating the groups, you must do these to the avanan_monitor_outgoing_policy group.

  1. From the left navigation panel, click Directory > Groups.
  2. Hover over the avanan_monitor_outgoing_policy group you created and click Add members.
    gmail-create-group-add-members
  3. Click Advanced and select the Add all current and future users of {domain} to this group with All Email setting checkbox.
    Gmail-Group-Add-Members

  4. Click Add to Group.

Step 5: Create a Compliance Rule

  1. From the left navigation panel, click Apps > Google Workspace > Gmail.
  2. Scroll-down and click Compliance.
    By default, the system shows these rules for Content compliance:

      • [portal identifier]_monitor_ei

      • [portal identifier]_monitor_ii

      • [portal identifier]_monitor_eo

      • [portal identifier]_inline_ei

        To find the portal identifier, see Portal identifier of Avanan portal.
        gmail-create-compliance

  3. Update the settings for [portal]_monitor_eo rule.

    1. For [portal]_monitor_eo rule, click Edit.

    2. Scroll down to the end of the Edit setting pop-up and click Show options.

    3. Under Envelope filter, select the Only affect specific envelope senders checkbox.

      gmail-add-compliance-rule

    4. From the list, select Group membership (only sent mail).

    5. Click Select groups and select avanan_monitor_outgoing_policy.

    6. Click Save.

  4. Create the [portal identifier]_inline_eo rule with these settings:

    1. From the Content compliance rules, click Add Another Rule.

      gmail-create-compliance-1

    2. Enter the Content compliance rule name as [portal identifier]_inline_eo.

    3. Under Email messages to affect, do these:

      1. Select the Outbound checkbox.

      2. In Add expressions that describe the content you want to search for in each message, select If ALL of the following match the message.

      3. Click Add.

      4. In the Add setting pop-up, select Metadata match.

      5. Under Attribute, select Source IP.

      6. Under Match type, select Source IP is not within the following range.

      7. Enter the IP address relevant to your data region.
        For the list of supported IP addresses, see IP Addresses Supported Per Region.

      8. Click Save.

    4. Under If the above expressions match, do the following, do these:

      gmail-add-compliance-p2

      1. Select Modify message.

      2. Under Headers, do these:

        1. Select Add X-Gm-Original-To header checkbox.

        2. Select Add X-Gm-Spam and X-Gm-Phishy headers checkbox.

        3. Select Add custom headers checkbox and add custom headers with these values.

          Header Key

          Header Value

          CLOUD-SEC-AV-Sent

          true

          CLOUD-SEC-AV-Info

          [portal],google_mail,sent,inline

          To add a custom header:

          1. Click Add.

          2. In Header key, enter the header key.

          3. In Header value, enter the header value.

          4. Click Save.

      3. Under Route, do these:

        gmail-add-compliance-p3

        1. Select the Change route checkbox.

        2. Select the Also reroute spam checkbox.

        3. In the list, select CLOUD-SEC-AV DLP Service.

    5. Scroll down to the end of the page and click Show options.

    6. Under Account types to affect, select Users and Groups checkbox.

    7. Under Envelope filter, do these:

      gmail-add-compliance-p4-1

      1. Select the Only affect specific envelope senders checkbox.

      2. From the list, select Group membership (only sent mail).

      3. Click Select groups and select avanan_inline_outgoing_policy.

      4. Click Save.

IP Addresses Supported Per Region

United States

  • 35.174.145.124

  • 3.214.204.181

  • 44.211.178.96/28

  • 44.211.178.112/28

  • 3.101.216.128/28

  • 3.101.216.144/28

Australia *

  • 13.211.69.231

  • 3.105.224.60

  • 3.27.51.160/28

  • 3.27.51.176/28

  • 18.143.136.64/28

  • 18.143.136.80/28

Canada

  • 15.222.110.90

  • 52.60.189.48

  • 3.99.253.64/28

  • 3.99.253.80/28

  • 3.101.216.128/28

  • 3.101.216.144/28

Europe

  • 52.212.19.177

  • 52.17.62.50

  • 3.252.108.160/28

  • 3.252.108.176/28

  • 13.39.103.0/28

  • 13.39.103.23/28

India *

  • 3.109.187.96

  • 43.204.62.184

  • 43.205.150.240/29

  • 43.205.150.248/29

  • 18.143.136.64/28

  • 18.143.136.80/28

* These regions are relevant only for tenants created using the Avanan MSP Portal.