Check Point Email 'Complete Protect'

Overview:

Check Point 'Advanced Protect' delivers strong protection for inbound email traffic. 'Complete Protect' builds on this foundation by extending protection to outbound email, giving organizations full email lifecycle security.

Outbound DLP scans outgoing emails to detect sensitive information that should not be shared externally and takes appropriate actions (e.g., encryption) as defined by the admin.

Check Point 'Complete Protect' is available for Guardz Elite plan customers.


How to Apply for the Feature?

This feature is enabled automatically for Guardz Elite plan customers.

Once enabled, the new section appears in the Email Protection section:

Please note:

To enable the feature in its full capacity, administrators must configure the following SPF record in the domain’s DNS settings: include:spfa.cpmails.com
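
The following check is an added example, not part of the original article and not Guardz or Check Point tooling. It verifies that a domain's TXT data holds a single SPF record that carries the include above, places it before the `all` term, and stays within the RFC 7208 DNS-lookup limit. The sample records and the function name check_spf are constructed for illustration.

```python
# Added example: validate SPF TXT data for the Check Point include.
# Real input can be collected with: dig +short TXT <your-domain>
REQUIRED = "include:spfa.cpmails.com"  # mechanism named in this article
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per check
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")

def check_spf(txt_records):
    """Return a list of problems; an empty list means the record looks correct."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no v=spf1 record published"]
    if len(spf) > 1:
        # Two SPF records on one name make receivers return permerror.
        return ["multiple v=spf1 records (receivers return permerror)"]
    terms = spf[0].lower().split()[1:]
    # Strip qualifiers (+ - ~ ?) so "~all" and "+include:..." are recognised.
    bare = [t.lstrip("+-~?") for t in terms]
    problems = []
    # Only a pass-qualified include authorises the sender ("-include" would not).
    if REQUIRED not in terms and "+" + REQUIRED not in terms:
        problems.append("missing " + REQUIRED)
    elif "all" in bare and bare.index(REQUIRED) > bare.index("all"):
        problems.append(REQUIRED + " appears after 'all' and is never evaluated")
    # Top-level count only: lookups inside nested includes also count toward
    # the limit, so this is a lower bound.
    lookups = sum(1 for t in bare
                  if t.split(":")[0].split("/")[0] in LOOKUP_TERMS
                  or t.startswith("redirect="))
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{lookups} lookup terms exceed the limit of {LOOKUP_LIMIT}")
    return problems

# Constructed sample records (not taken from any real domain).
GOOD = ["v=spf1 include:spf.protection.outlook.com include:spfa.cpmails.com -all",
        "site-verification=constructed-value"]
MISSING = ["v=spf1 include:spf.protection.outlook.com -all"]
AFTER_ALL = ["v=spf1 -all include:spfa.cpmails.com"]
DUPLICATE = ["v=spf1 include:spfa.cpmails.com -all", "v=spf1 mx -all"]

if __name__ == "__main__":
    for name, recs in [("GOOD", GOOD), ("MISSING", MISSING),
                       ("AFTER_ALL", AFTER_ALL), ("DUPLICATE", DUPLICATE)]:
        print(name, check_spf(recs) or "ok")
```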


Configuration and Policies Management

Admins configure the types of sensitive data to detect/protect, along with the actions the system should apply when such data is detected.

All 'Complete Protect' settings are managed in the same Email Protection section:

  • Go to 'Security Controls' tab

  • Scroll down to the 'Email Protection' section

  • Open the 'DLP and Email Encryption' section

1. Select the detection mode:

Monitor mode is used for visibility without enforcement: the system scans outgoing data, detects policy violations, and generates logs or alerts, but it does not block or alter any content. This makes it useful for testing and tuning policies safely.

In contrast, Protect mode actively enforces the policies: when a violation is detected, the system can block, quarantine, encrypt, or otherwise modify the outgoing data. In short, Monitor mode is for observing and learning, while Protect mode is for actually preventing data leaks.

2. Select the sensitive data:

  1. PHI

  2. Intellectual Property

  3. SOX

  4. PCI

  5. HIPAA

  6. Resumes

  7. Financial

  8. PII

  9. Access Control

  10. Encrypted Content

3. Select the outcome:

| Policy Action | What Happens to the Email? | Issue Creation |
|---|---|---|
| Auto encrypt via M365 | Email is encrypted and delivered automatically via Microsoft 365 encryption mechanism | Yes |
| Auto encrypt via Check Point | Email is encrypted using Check Point and delivered as secure links that can be opened within the Check Point environment | Yes |
| Do nothing | Email is sent normally | No |
| Block & restore | Email is blocked, but can be restored and sent normally after admins' review. | Yes |
| Block & resend encrypted | Email is blocked, but can be resent encrypted (Check Point mechanism) after review. | Yes |

4. Select the sensitivity level:

Sensitivity level in Check Point Outbound DLP controls how strict the system is when detecting sensitive data.

  • Low: Only clear, high-confidence data (fewer false positives)

  • Medium: Balanced detection (most common setting)

  • High: More aggressive, catches more data but may create more false alerts

5. Add file types:

Admins can define which attachment formats Check Point will scan for sensitive data (on top of the email body which is automatically scanned).

6. Enable self restore by end users:

A new toggle will be added under User Interactions, allowing MSPs to decide whether end users can take action on blocked emails.

If enabled:

  • A new tab will appear in the user portal: 'Outbound Email'

  • End users will be able to review and release their own blocked emails (based on chosen policy)

Please note:

Admins can use custom RegEx patterns for DLP configuration, but designing, validating, or troubleshooting custom RegEx is outside the scope of Guardz Support. Guardz provides the default Check Point DLP filters, and any advanced custom RegEx rules should be created and tested by the customer or their internal team.


End-user Experience:

The sender (end user) receives an automated email from Avan notifying them that their email was quarantined. The notification includes:

  • The subject line of the blocked email

  • The categories of sensitive data that were detected (e.g. PCI, Financial, HIPAA)

  • A preview of the email content

  • A link to the user portal where they can request to release the email


Issues & Remediations

  • All events generated by these features will appear under a new threat type: DLP

  • These issues are managed regularly via the 'Issues & Remediation' flow