Enterprise Application - Check Point Harmony Email and Collaboration - Manual Mode
Mail Contact for Journal NDR
Journal NDR Contact
Journal Rules
Allow IP Update
SPF Update
Connectors
Transport Rules
Outbound Protection
IP Address Requirements for Harmony
These are the IP addresses you will require for the transport rules in this guide. I will focus on the United Kingdom, the rainy and windy capital of the world!
United States > 35.174.145.124
Europe > 52.212.19.177
Australia > 13.211.69.231
Canada > 15.222.110.90
India > 3.109.187.96
United Arab Emirates > 3.29.194.128
United Kingdom > 13.42.61.32
Email NDR Journal Address for Harmony
This is required for the Journal Rule that configures Harmony; find your region below:
United States > {portal}@mt-prod-cp-1-journal-error.checkpointcloudsec.com
Australia > {portal}@mt-prod-cp-au-4-journal-error.checkpointcloudsec.com
Canada > {portal}@mt-prod-cp-ca-1-journal-error.checkpointcloudsec.com
Europe > {portal}@mt-prod-cp-eu-1-journal-error.checkpointcloudsec.com
India > {portal}@mt-prod-cp-aps1-1-journal-error.checkpointcloudsec.com
United Arab Emirates > {portal}@mt-prod-cp-mec1-1-journal-error.checkpointcloudsec.com
United Kingdom > {portal}@mt-prod-cp-euw2-1-journal-error.checkpointcloudsec.com
Infinity Portal Prerequisites
If you do not have an account you will need to create one, then log in, complete 2FA and SMS verification, and you should get here:
Then we need Harmony, and then Email & Collaboration, as below:
We will then go with a free trial in this case:
You will then see the "this may take a moment" message; after an unspecified amount of time this fails with the error below, but you now have your portal name as shown:
If you wish to get back in, you cannot sign out; you need to close that tab and then log in again, which is weird, but you know it has worked when you are presented with a blank white screen like this:
Once you have got here, you need to click on the cog then Identity and Access as below:
You then need to click on the "Add" icon as below:
We now need to verify that we own the domain. The record below needs to be added to the external DNS for the domain you are protecting, and it must be in place before you add the domain to the setup wizard.
Now that it is added we are verified, so we can move right along.
Now we have the settings for the Enterprise application as below:
This should then not show "required" for anything in SAML like this:
You now need to find the SAML Certificate section and click "Federation Metadata XML" as below; this downloads an XML file from Entra. Then give the Infinity Portal that XML file and click Test as below; once you have verified your identity you will get a success message as below:
Settings (Overview - for reference)
Identifier : <company_GUID>.uk.portal.checkpoint.com
Reply URL : https://cloudinfra-gw.uk.portal.checkpoint.com/api/saml/sso
Owners : Mail Bear Manager
Assignment Required : Yes
Linked to Group : HarmonyAdminUsers (Entra group)
Visible to User : No
Once complete, we will see this is a valid identity provider as below:
Enterprise Application - Check Point Harmony Email and Collaboration - Manual Mode
This is created automatically when you activate Office 365 from the Infinity Portal, so it is not created manually.
Some permissions that should not be there need to be revoked. The only one we need to revoke is “Enable and Disable user accounts”; to do this, navigate to this Enterprise application, choose Permissions, then find that permission in the list.
On the far right click the “three dots” and choose Revoke as below. If a permission is greyed out, you do not have your roles activated or you do not have the access:
Other updates include:
Owners : Mail Bear Manager
Assignment Required : Yes
Linked to Group : HarmonyAdminUsers (Entra group)
Visible to User : No
Mail Contact for Journal NDR
A mail contact needs to be created on the local Exchange for use in the Journal NDR response. The contact is required for visibility in message tracing if you have issues; this is part of the Journal setup but is required by Check Point. It needs to have the value: <portal>@mt-prod-cp-euw2-1-journal-error.checkpointcloudsec.com
Journal NDR Contact
You are required to have a contact outside the current company; by outside, it must not be an accepted domain for your tenant, else you cannot set it.
Journal rules are located in Purview (https://compliance.microsoft.com): go to Data Lifecycle Management, then Exchange (Legacy), then click the Settings cog:
Then you need to enter the e-mail address from the mail contact and then click Save:
Journal Rules
This is in the same location as the last step and requires creating a new rule, so first you need the "New Rule" option:
Then create the rule, remembering to replace <portal>@<portal> with your portal name here; the rest is as below, then click Next and Save.
When you apply this rule, you will notice in the message trace that all messages now flow via the rule immediately:
Message was journaled. Journal report was sent to <portal@<portal>-mail.checkpointcloudsec.com. Message ID of Journal Report: <c220bded-e907-4992-aef6-e003f8251209@journal.report.generator>.
Allow IP Update
We now need a trusted IP (try to avoid the term whitelist; there is nothing that is “safe” anymore). This is done in Defender for Office 365 at https://security.microsoft.com: Email and Collaboration > Policies and Rules > Threat Policies > Anti-Spam > Connection filter policy (Default)
Then add the IP below to the “IP Allow List”:
IP Address: 13.42.61.32 (this is for the UK datacentre IP)
SPF Update
You will need to update the TXT record at the root of the domain; the record will look like this (at the time of this document):
v=spf1 include:_spf.mx.cloudflare.net ~all
You will need to add the two entries below. There are NO commas or semicolons between the mechanisms, just a space; also ensure you use ip4 and not ipv4:
include:spfa.cpmails.com
ip4:13.42.61.32
That should make the record look like this, with the two new mechanisms inserted before ~all:
v=spf1 include:_spf.mx.cloudflare.net ip4:13.42.61.32 include:spfa.cpmails.com ~all
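The two common mistakes called out above (separators other than a space, and ipv4 instead of ip4) can be caught before the record is published. The following is an added example, not part of the original guide; the function name and its checks are my own, and the record and mechanisms are the ones from this section.

```powershell
# Added example (not from the original guide): validate an SPF record and insert
# new mechanisms before the terminating "all" qualifier. Function name is my own.
function Add-SpfMechanism {
    param(
        [Parameter(Mandatory)][string]$Record,
        [Parameter(Mandatory)][string[]]$Mechanism
    )
    # Mechanisms are separated by spaces only; commas or semicolons break the record.
    if ($Record -match '[,;]') { throw 'SPF record must not contain commas or semicolons' }
    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { throw 'SPF record must start with v=spf1' }
    if ($terms[-1] -notmatch '^[-~+?]?all$') { throw "SPF record must end with an 'all' term" }

    foreach ($m in $Mechanism) {
        # RFC 7208 spells the mechanism "ip4"; "ipv4:" is a typo that evaluators reject.
        if ($m -match '^ipv4:') { throw "Use ip4: not ipv4: in '$m'" }
        if ($m -notmatch '^(include:|ip4:|ip6:|exists:|a\b|mx\b|ptr\b)') { throw "Unknown mechanism '$m'" }
        if ($terms -contains $m) { continue }          # idempotent: never duplicate a term
        # Insert before the final "all" term so the qualifier stays last.
        $terms = @($terms[0..($terms.Count - 2)]) + $m + $terms[-1]
    }

    # include:, a, mx, ptr and exists: each count toward the 10-DNS-lookup limit (RFC 7208 4.6.4).
    $lookups = @($terms | Where-Object { $_ -match '^(include:|exists:|a\b|mx\b|ptr\b)' }).Count
    if ($lookups -gt 10) { Write-Warning "Record needs $lookups DNS lookups; the limit is 10" }
    return ($terms -join ' ')
}

# The record from this guide, plus the two Harmony mechanisms for the UK residency.
$current = 'v=spf1 include:_spf.mx.cloudflare.net ~all'
Add-SpfMechanism -Record $current -Mechanism 'ip4:13.42.61.32', 'include:spfa.cpmails.com'
```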
Connectors
This product requires 3 connectors to work; they are listed below, with more information on each following:
Check Point Journaling Outbound
This connector is required for journal e-mails to be routed to the correct location on the Harmony side. The rule looks something like the one below and works in conjunction with the Journal rule created earlier to get journal e-mails routed to the correct place in Harmony via the smart host the product requires. You will need to replace the red "blobs" with the name of your Harmony portal:
This tells us that e-mail addressed to <portal>-mail.checkpointcloud.com is routed to the host <portal>-monitor.checkpointcloudsec.com. The domain comes from the Journal rule we created earlier (recall the e-mail address from that step). It requires TLS as well.
Check Point Inbound Connector
This connector identifies mail we receive from Check Point from the IP 13.42.61.32 (the IP we trusted earlier); messages must be sent over TLS, else they are rejected.
Flow: this connector is from Check Point to our Office 365 EXO
Check Point Outbound (inline Mode)
This connector is only required for inline protection mode. It alters mail flow by sending messages to Check Point and having them return after being scanned and checked; the connector itself is part of inline mode but does not actually "redirect messages" yet.
It is invoked by a transport rule and is not used until the required mail flow rule is enabled and pointed at this connector:
In this example, when a transport rule calls this connector, the connector processes the e-mail and sends it to the smart host <portal>-host.checkpointcloudsec.com. The connector does not run UNLESS the transport rule calls it.
Transport Rules
We also have a couple of these, in the Rules section of Mail flow:
Check Point - Junk Filter
This rule is only for messages that have come via Harmony in inline mode from the IP 13.42.61.32, and it ensures the message is marked as spam. However, with an SCL of 9 the message may end up in Quarantine, as that is a very high spam score; this may require changing to an SCL of 6.
Check Point - Allow-List
This ensures the message is delivered, again only in inline mode from the IP 13.42.61.32, and disables the SCL, essentially making the mail “not spam”. The only exception is if Harmony sets the header X-CLOUD-SEC-AV-SCL to true; this header is controlled by Check Point.
Check Point – Protect
This rule is required for inline mode and changes the e-mail flow as follows, so be careful with it, as it can cause weird behaviour:
WWW > EOP > EXO > Exchange
To this
WWW > EOP > Harmony > EXO > Exchange
This is where the e-mails are sent to the Check Point smart host to be analysed and “bounced off their server”, like “one ping Vasili, one ping only” in The Hunt for Red October.
Note: I have started this rule with a single mailbox, then a group, then eventually everyone, as I was happier doing some testing to confirm all was working as it should. The first "is sent to" in red is my mailbox, then the other red blob is where your portal address needs to go!
This shows that in this example, for only me (for testing at this time), when I get a message from outside the company it will be routed to the connector “Check Point Outbound” and the X-CLOUD-SEC-AV-Info header will be added with the value <portal>, office365_emails, inline
This header tells Harmony what to do with the message. However, if the SCL is greater than 5 or the sender IP is 13.42.61.32, the rule does not fire; this should stop mail loops between EXO <> Harmony.
Note: This rule requires the connector to work, and the connector needs to be online and active; if you validate this rule with the connector and the rules disabled, it will fail!
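The inline-mode objects described in the Allow IP, Connectors and Transport Rules sections (the IP Allow List entry, the two connectors, and the Protect rule with its loop-prevention exceptions) can also be created with Exchange Online PowerShell. This is an added example, not the guide's own steps or Check Point's documented commands; it assumes Connect-ExchangeOnline has been run, and the portal name, test mailbox and object names are placeholders.

```powershell
# Added example (not from the original guide): inline mode via Exchange Online PowerShell.
# Assumes Connect-ExchangeOnline has already been run. Replace the placeholders.
$portal    = 'PORTAL-NAME'              # placeholder: your Harmony portal name
$harmonyIp = '13.42.61.32'              # UK data-residency IP from this guide
$testUser  = 'first.user@example.com'   # placeholder: start with one mailbox, as the guide does

# Allow IP Update: trust the Harmony IP in the default connection filter policy.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $harmonyIp}

# Outbound connector: transport-rule scoped, so it only runs when the Protect rule calls it.
New-OutboundConnector -Name 'Check Point Outbound (inline Mode)' `
    -ConnectorType Partner `
    -SmartHosts "$portal-host.checkpointcloudsec.com" `
    -TlsSettings EncryptionOnly `
    -UseMXRecord $false `
    -IsTransportRuleScoped $true

# Inbound connector: accept mail back from Harmony only from its IP and only over TLS.
New-InboundConnector -Name 'Check Point Inbound Connector' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $harmonyIp `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# Protect rule: external mail to the test mailbox is routed to Harmony and tagged with the
# X-CLOUD-SEC-AV-Info header. The two exceptions are the loop guard described above:
# mail that already comes from Harmony's IP, or already has SCL > 5, is not re-routed.
New-TransportRule -Name 'Check Point - Protect' `
    -FromScope NotInOrganization `
    -SentTo $testUser `
    -RouteMessageOutboundConnector 'Check Point Outbound (inline Mode)' `
    -SetHeaderName 'X-CLOUD-SEC-AV-Info' `
    -SetHeaderValue "$portal, office365_emails, inline" `
    -ExceptIfSCLOver 5 `
    -ExceptIfSenderIpRanges $harmonyIp `
    -Mode Enforce
```

Create the connectors first and confirm both are enabled before the rule, since, as the note above says, validating the rule against a disabled connector fails.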
Outbound Protection
Note: I do not agree with the official naming of the connectors, as they are all prefixed with DLP. If you are not using DLP, you might be hesitant to create these connectors because it’s not a service you’re using, but these connectors are absolutely required for outbound protection. The official names have been used, but personally I would rather call them:
Checkpoint Outbound Protection (Pre Process)
Checkpoint Inbound Protection (Post Process)
We have used manual mode, but the process is the same for both once you understand it. How it works is quite simple; take the normal mail flow route:
Mailbox > EXO > EOP > Outbound
When you implement this it will flow like this:
Mailbox > EXO > Checkpoint Outbound > Checkpoint > EOP > EXO > Outbound
Therefore you will see that it hits the rule, then the connector to get to Check Point; once scanned, Check Point sends it back to us on the other connector, and with the exclusion it flows out using the MX record. So let's create those now.
First we need the Outbound DLP connector. This is for mail outbound from Office 365; it fires on a transport rule and routes the e-mails to the smart host <portal>.dlp.checkpointcloudsec.com, and it requires TLS or a certificate:
Second, we need the connector for the returning message from Check Point (partner) to Office 365. This identifies messages coming from the UK data residency (you may need to change this for your residency), and you need to set the TLS/certificate option to Reject, as below:
Thirdly, we need to create the rule that fires the connector for outbound messages. This routes to the Outbound DLP connector and adds the X-CLOUD-SEC-AV-Info header with the values <portal>,office365_emails,sent,inline
This is for messages "outside" the company, and here I have used one person for testing. The official stance is received from "inside" the company, but for testing I do not like that, so I would rather test with one person, then a group of people, then when happy move to "everyone".
This routes the messages to the Outbound DLP connector we created earlier. You need to ensure you exclude the IP ranges for your chosen residency location; for us this is '13.42.61.32' or '13.42.61.32/28' or '13.39.103.0/28'. This prevents mail loops and is a required exception.
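The three outbound-protection objects above (pre-process connector, post-process connector, and the rule with the residency-range exclusion) in Exchange Online PowerShell form. This is an added example rather than the guide's screenshots or Check Point's documented commands; it uses the author's preferred names rather than the official DLP-prefixed ones, assumes Connect-ExchangeOnline has been run, and the portal name and test sender are placeholders.

```powershell
# Added example (not from the original guide): outbound protection via Exchange Online PowerShell.
# Assumes Connect-ExchangeOnline has already been run. Names and $portal are placeholders.
$portal   = 'PORTAL-NAME'                 # placeholder: your Harmony portal name
$testUser = 'first.user@example.com'      # placeholder: one sender for testing, as the guide does
# UK data-residency ranges from this guide; excluding them is what prevents the mail loop.
$harmonyRanges = @('13.42.61.32/28', '13.39.103.0/28')

# 1. Pre-process: EXO -> Harmony. Transport-rule scoped, so it only runs when the rule calls it.
New-OutboundConnector -Name 'Checkpoint Outbound Protection (Pre Process)' `
    -ConnectorType Partner `
    -SmartHosts "$portal.dlp.checkpointcloudsec.com" `
    -TlsSettings EncryptionOnly `
    -UseMXRecord $false `
    -IsTransportRuleScoped $true

# 2. Post-process: Harmony -> EXO. Accept only from the residency ranges, and only over TLS.
New-InboundConnector -Name 'Checkpoint Inbound Protection (Post Process)' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $harmonyRanges `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# 3. Rule: mail from the test sender to recipients outside the organisation is tagged and
#    routed to Harmony. The sender-IP exception is the loop guard: when Harmony returns the
#    message through the inbound connector, its source IP is in the excluded ranges, so the
#    rule does not fire again and the message leaves via the normal MX route.
New-TransportRule -Name 'Check Point - Outbound Protect' `
    -From $testUser `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector 'Checkpoint Outbound Protection (Pre Process)' `
    -SetHeaderName 'X-CLOUD-SEC-AV-Info' `
    -SetHeaderValue "$portal,office365_emails,sent,inline" `
    -ExceptIfSenderIpRanges $harmonyRanges `
    -Mode Enforce
```

Widen -From to a group and then remove it (leaving -SentToScope) as testing progresses, which mirrors the one-person, then group, then everyone approach described above.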
Let's see this in action with the message headers. This is a message flowing outside normally; notice it is between EXO and Google Mail:
Now let's see a message through outbound protection. Here you can clearly see it leave EXO, then go off to Harmony, then back to EXO before being sent on to Google Mail, exactly what we want!
When you enable this rule with the connector, certain mail flow rules will run twice; for example, if you add a header to messages to warn about external content, this can occur:
This is because the messages are sent to Harmony and then back to your company, which means the "rule" fires twice. Here you can see the EXO to Harmony event and the Harmony to EXO event; green is Harmony and red is EXO:
Harmony - Manual Mode and Permissions
Once you have selected this you will need to accept the licensing terms, then authorise your administrative account (we covered this earlier in the guide).