Step 3 - Configuring Google Workspace [Inline]

You can integrate FortiMail Workspace Security with Google Workspace. This enables FortiMail Workspace Security to protect all incoming mail.

This is the 3rd step of the procedure to integrate Google Workspace with FortiMail Workspace Security:

Configuring the Google Workspace integration

To enable your Google Workspace integration with FortiMail Workspace Security, some configurations must be made in your Google Workspace account. Perform these configurations as described in the steps below.

See the available video.

Note: The procedures below may differ slightly depending on the versions of the products that you are using.

Step 1: Add and configure a Google Workspace host

Configure a FortiMail Workspace Security scanner host to which emails will be routed.

  1. Sign-in to the Google Admin console at admin.google.com.

  2. Go to Apps > Google Workspace > Gmail and then click Hosts.
    [Click here: https://admin.google.com/u/1/ac/apps/gmail/hosts]

  3. Click Add route.

  4. In the Add mail route dialog box, specify the following.

    1. Name: Perception Point Scanner

    2. Single host [name]:

       

      Multi-region enabled Multi-region not enabled

      For US environments

      us.mx-pp.com

      inbound-smtp.us-east-1.amazonaws.com

      For EU environments

      eu.mx-pp.com

      inbound-smtp.eu-west-1.amazonaws.com

      For AUS environments

      australia.mx-pp.com

      inbound-smtp.ap-southeast-2.amazonaws.com

    3. Port: 25

  5. Under 2. Options:

    1. Clear the "Perform MX lookup on host" check box.

    2. Select "Require mail to be transmitted via a secure (TLS) connection".

      Note that FortiMail Workspace Security supports TLS 1.2

    3. Select "Require CA signed certificate".

    4. Validate certificate hostname:

      1. If "multi-region" IS NOT enabled, select "Validate certificate hostname".

      2. If "multi-region" IS enabled, clear the "Validate certificate hostname" check box.

        For details about multi-region, see Multi-region.

  6. Click Save.

Step 2: Add IPs to inbound gateway

This procedure adds some FortiMail Workspace Security IP addresses to a safelist.

  1. Sign-in to the Google Admin console at admin.google.com.

  2. Click Apps > Google Workspace > Gmail.

    [Click here: https://admin.google.com/u/1/ac/apps/gmail/spam]

  3. Scroll down to Spam, Phishing and Malware - and select it.

  4. Locate Inbound gateway, hover over it, and click the Edit icon.

  5. Select the "Enable" check box under Inbound Gateway - if it has not already been enabled.

  6. Depending on the environment of your organization, add the following IP addresses to your inbound gateway:

     

    For US environments

    For EU environments

    For AUS environments

     
    • 54.227.64.76

    • 3.81.182.154

    • 3.93.155.149

    • 3.95.118.12

    • 3.95.142.181

    • 209.85.128.0/17

    • 189.25.64.0/24

    • 52.12.169.124 [required only if Muti-region is enabled]

    • 99.81.216.78

    • 34.249.190.60

    • 108.128.137.108

    • 99.80.189.20

    • 209.85.128.0/17

    • 176.23.157.0/24

    • 52.12.169.124 [required only if Muti-region is enabled]

    • 13.236.255.231

    • 54.66.125.250

    • 209.85.128.0/17

    • 176.23.158.0/24

    • 52.12.169.124 [required only if Muti-region is enabled]

  7. Select Automatically detect external IP.

    Important: Do NOT select "Reject all mail not from gateway IPs" - as this will interrupt mail flow.

  8. Select "Require TLS for connections from the email gateways listed above".

    Note that FortiMail Workspace Security supports TLS 1.2

  9. [Optional] To use the spam engine of FortiMail Workspace Security, scroll down and configure 2. Message Tagging.

    1. Select "Message is considered spam if the following header regexp matches".

    2. In the Regexp text box, enter X-PERCEPTION-POINT-SPAM: FAIL

    3. Select "Message is spam if regexp matches".

    4. Clear the following check box: "Disable Gmail spam evaluation on mail from his gateway; only use header value".

  10. [At the bottom of the page, click "Add".]

  11. Click Save.

Step 3: Route incoming emails to FortiMail Workspace Security

This procedure creates a content compliance rule that sends the email to FortiMail Workspace Security.

To add a content compliance rule:

  1. Sign-in to the Google Admin console at admin.google.com.

  2. Select Apps > Google Workspace > Gmail.

    [Click here: https://admin.google.com/u/1/ac/apps/gmail/compliance]

  3. Scroll down to Compliance, and click it.

  4. Scroll down to Content Compliance.

    If you already have a content compliance rule, click Add Another Rule.

    In the Add setting dialog box, specify the following:

    1. Short description: Perception Point Redirect Rule

    2. Under 1. Email messages to affect, select Inbound.

    3. Under "2. Add expressions that describe the content you want to search for in each message", in the first drop-down menu, select "If ALL of the following match the message"

      Important: Make sure to select "If ALL of the following match the message" and NOT the default "If ANY of the following match the message".

  5. Add and configure the following two expressions:

    5.1 Expression 1: Unique header

    In this step, you'll add the first expression to the Perception Point Redirect Rule. This expression helps to prevent looping.

    1. Under Expressions, click Add.

      Fill in the following fields:

    2. Advanced content match

    3. Location: Full headers

    4. Match type: Not contains text

    5. Content: <A unique value, at least 8 characters long>

      Create a value that is unique to your organization - preferably by using a password generator such as 1Password.

      For example, GHTD465J

      Note:

      • We highly recommend using only capital letters and numbers.

      • Avoid using the full organization name.

    6. Click Save.

    5.2 Expression 2: Email size limitation

    In this step, you'll add a second expression to the Perception Point Redirect Rule.

    Note: Amazon SES has a 40 MB maximum size limit. We recommend using a different file sharing service for larger files - as a best practice. Messages larger than 40 MB will not trigger the rule, and therefore they will not be scanned. These un-scanned messages will be delivered to the specified recipients.

    1. Under the Expressions box, click Add to add a new expression.

    2. Specify the following details for the new expression:

      1. Metadata match

      2. Attribute: Message size

      3. Match type: Message size is less than the following (MB)

        Important: Make sure that you select "less" and NOT "greater".

      4. 40

        Important: Check again to make sure that you selected "less than" and NOT "greater than".

    3. Click Save.

  6. Complete the setting:

    1. Under 3. If the above expressions match, do the following:

    2. Select Modify message.

    3. Under Headers:

      1. Select Add X-Gm-Original-To header.

      2. Select Add X-Gm-Spam and X-Gm-Phishy headers.

      3. Select Add custom headers and click Add to add a header.

        1. Header: X-PERCEPTION-POINT-ROUTING

          Note: The "X-" is added to the expression automatically.

        2. Value: The unique value that you created and entered for Content above. [see Expression 1: Unique header]

          As per the example above, GHTD465J.

        3. Click Save.

    4. Scroll down to Route.

      1. Select Change route.

      2. [Optional] Select Also reroute spam.

        Selecting this option: Emails that are marked as spam by Google Workspace will be scanned by FortiMail Workspace Security.

      3. From the drop-down menu, select Perception Point Scanner.

    5. Scroll down to the bottom of the dialog box, and click Show options.

    6. Under Account types to affect, select [all of the following]:

      1. Users

      2. Groups

      3. (Unrecognized / Catch-all)

    7. Specifying which users to protect [Google Workspace]

      For POC installations only

      Note: It is possible to configure partial protection - protection of only a limited set of users in a Google Workspace account. Partial protection should be used for POC installations only. If partial protection is configured for an organization with a Commercial contract type, then billing will be based on the number of licenses that are included in the Microsoft 365 account - not on the number of "partial protection" users. See License source.

      For details on how to configure partial protection, see Modifying the list of users to protect [Google Workspace] - PoC only.

      Under Envelope filter, select Only affect specific envelope recipients.

      1. From the drop-down menu that appears below, select "Pattern match" - and then enter your domain or domains to protect.

        Multiple domains: Add the domains with a pipe symbol ["|"] between them, and without spaces between them.

      2. Click Add setting.

    8. Click Save.

Email in Google Workspace is now protected by FortiMail Workspace Security.

If you want to configure this Google Workspace integration to operate in monitoring mode, continue with Configuring monitoring mode below.

Configuring monitoring mode

Important: Perform this procedure only if you want your integration to operate in monitoring mode.

Monitoring mode is typically used for PoC implementations.

In monitoring mode [also known as passive, silent, or detection mode], FortiMail Workspace Security will not:

  • quarantine malicious emails

  • route spam to the Junk folder

To configure the integration to operate in monitoring mode:

  1. Open the Settings > Bundles and Channels page.

  2. On the right, click Channel Settings.

  3. Click Edit [].

  4. Under Detection, clear the Malicious, Restricted, and Spam check boxes.

  5. Click Save.

  6. Sign-in to the Google Admin console at admin.google.com.

  7. Click Apps > Google Workspace > Gmail.

    [Click here: https://admin.google.com/u/1/ac/apps/gmail/spam]

  8. Scroll down to Spam, Phishing and Malware - and select it.

  9. Locate Inbound gateway, hover over it, and click the Edit icon.

  10. Under Message Tagging, clear the first check box.

Your Google Workspace Integration is now configured to operate in monitoring mode.

FortiMail Workspace Security will not quarantine any malicious emails or route spam to Junk folders.