Step 1: Handling Existing Email Solutions (if Applicable)
If you are operating a third-party email gateway solution or a standalone Check Point deployment outside of Guardz and intend to migrate to Check Point (Avanan) through Guardz, follow the instructions outlined in this guide.
Step 2: Verify Prerequisites Are Met
Verify that you have a super user Administrator for Google Workspace (to be used for installing and authorizing the SaaS App).
Verify that you have at least one additional Google Workspace license available to integrate with Check Point (or that you are on the Flexible Plan, where one will be automatically allocated).
Verify that you have the minimum supported SaaS license (integration is not supported for clients on the free G-Suite license tiers).
Minimum License Required | Other Supported Licenses | Licenses Not Supported |
|
|
|
In environments that use GCDS (Google Cloud Directory Sync) for hybrid directory synchronization, exclusion rules for the following user groups must be configured before activating Google Workspace:
Avanan_inline_policy
Avanan_inline_outgoing_policy
Avanan_monitor_policy
Avanan_monitor_outgoing_policy
For more information, see User Groups.
Ensure Authentication is allowed for the cloud-sec-av service user.
While onboarding Google Workspace (Gmail / Google Drive), Check Point Email Protection creates a service user (cloud-sec-av@[domain]) in the root organizational unit. Ensure that the settings below are selected in your Google Admin console.
Go to Authentication Settings of the root organizational unit (Security > Authentication > Ensure root OU is selected) as shown below.
Verify the Allow users to turn on 2-Step Verification check-box is selected.
If the Only security key option is selected, do not select the Don’t allow users to generate security codes option.
Please note:
During activation, it is normal to receive a “Super Admin password reset” alert for the service user cloud-sec-av. The alert will appear as shown below.
Check Point Email Protection automatically resets the password for this account as part of the activation process.
By default, Google Chrome authenticates the currently signed-in Chrome profile to Google Workspace, rather than prompting for a specific account selection.
To verify whether you are signed in to Google Chrome, check the profile name displayed in the top-right corner of the browser window. Possible workarounds:
Perform the Google Workspace activation using a non-Chrome browser.
Sign out (switch to Guest) any logged-in Chrome user before you continue.
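A triage sketch for the "Super Admin password reset" alert described above, added here as an example and not part of the original guide or of Check Point's or Guardz's tooling: it scans admin activity records in the Admin SDK Reports API shape for password changes on cloud-sec-av and marks any that fall outside the activation window for review. The activation window, the example.com domain, the admin@example.com actor and the sample records are constructed assumptions.

```python
from datetime import datetime, timezone

SERVICE_LOCAL_PART = "cloud-sec-av"  # service user named in this guide
PASSWORD_EVENT = "CHANGE_PASSWORD"   # admin audit event for a user password change

def parse_time(ts):
    """Parse an RFC 3339 UTC timestamp such as 2024-05-01T10:02:11.000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage_resets(activities, domain, window_start, window_end):
    """Return (time, actor, verdict) for each password change on the service user."""
    target = f"{SERVICE_LOCAL_PART}@{domain}".lower()
    findings = []
    for act in activities:
        when = parse_time(act["id"]["time"])
        actor = act.get("actor", {}).get("email", "unknown")
        for ev in act.get("events", []):
            if ev.get("name") != PASSWORD_EVENT:
                continue
            params = {p["name"]: p.get("value", "") for p in ev.get("parameters", [])}
            if params.get("USER_EMAIL", "").lower() != target:
                continue  # password change on some other account
            inside = window_start <= when <= window_end
            findings.append((act["id"]["time"], actor, "expected" if inside else "review"))
    return findings

def record(time, user):
    """Build one constructed activity record in the Reports API shape."""
    return {"id": {"time": time}, "actor": {"email": "admin@example.com"},
            "events": [{"name": PASSWORD_EVENT,
                        "parameters": [{"name": "USER_EMAIL", "value": user}]}]}

# Constructed sample data: not real audit logs.
SAMPLE = [
    record("2024-05-01T10:02:11.000Z", "cloud-sec-av@example.com"),  # during activation
    record("2024-05-01T10:05:00.000Z", "alice@example.com"),         # unrelated user
    record("2024-05-09T03:40:00.000Z", "cloud-sec-av@example.com"),  # days later
]
# Assumed activation window, supplied by whoever ran the onboarding.
START = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
END = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when, actor, verdict in triage_resets(SAMPLE, "example.com", START, END):
        print(when, actor, verdict)
```

A "review" verdict only means the reset did not coincide with the recorded activation; it still needs to be checked against any later re-onboarding before it is treated as suspicious.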
If the necessary Authentication Settings are not supported in the environment, onboarding cannot proceed. To remediate this, complete one of the following steps:
If you want to keep the unsupported Authentication Settings of your root organizational unit, verify that all other prerequisites have been met and start the activation process (per the next step below). After the service user (cloud-sec-av@[domain]) is created, move it to an organizational unit with the supported Authentication Settings. Then, start onboarding Gmail again.
Create a new dedicated organizational unit with the supported Authentication Settings and move the service user (cloud-sec-av@[domain]) to the organizational unit after activation has created the user. Then, start onboarding Gmail again.
Step 3: Activate Check Point Email Protection via Guardz
Please refer to this guide for complete step-by-step installation instructions.
