Overview:
When a Secure Email Gateway (SEG) is present in the environment, emails are not scanned inline by default — even when a Prevent Inline policy is configured in HEC. This happens because the SEG's IP addresses are automatically added to the exclusion list in the Check Point – Protect mail flow rule in Exchange Online, causing HEC to fall back to Detect & Remediate mode instead.
Why this happens
During installation, the system automatically adds gateway IPs to the mail flow rule to prevent mail loops. The HEC portal UI does not reflect this conflict — it shows the policy as "Prevent Inline" even when scanning is happening in Detect & Remediate mode in the backend. This issue affects any deployment that includes a third-party gateway.
Symptoms
If any of the following are occurring, HEC may be running in Detect & Remediate mode despite the policy showing Prevent Inline:
Emails are delivered to the inbox, then disappear or move to junk seconds later
Smart banners are not working (supported in Prevent Inline mode only)
Click-Time Protection (CTP) is not working (supported in Prevent Inline mode only)
Troubleshooting checklist
Confirm the recipient is an active user and is added to the Prevent Inline policy in HEC.
Check email message headers — for users in the Prevent Inline policy, the X-CLOUD-SEC-AV value should say inline. If it says monitor, the policy is not being applied inline.
In Exchange Online, go to Mail Flow → Rules and confirm the Check Point – Protect rule exists and the inline group is added to it.
Verify the group members in Exchange match the users in the Prevent Inline policy in HEC.
At the bottom of the mail flow rule, check the Except if section. Look for "Or Sender IP address belongs to one of these ranges" — confirm whether any listed IPs belong to the SEG that holds the MX record.
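The header check and the excluded-IP check from this checklist can be scripted. The following is an added example, not Check Point or Microsoft code: the sample messages, the IP ranges, the prefix match on the header name and the assumption that the value contains the word inline or monitor are all constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample messages; the header value layout is an assumption.
SAMPLE_INLINE = "From: a@example.com\nX-CLOUD-SEC-AV: inline\nSubject: test\n\nbody\n"
SAMPLE_MONITOR = "From: a@example.com\nX-CLOUD-SEC-AV: monitor\nSubject: test\n\nbody\n"
# Constructed values, as if copied by hand from the rule's "Except if" sender IP
# list and from the SEG vendor's published ranges (documentation address space).
RULE_EXCLUSIONS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.25"]
SEG_RANGES = ["198.51.100.0/24", "203.0.113.0/27"]

def scan_mode(raw_message):
    """Return 'inline', 'monitor' or 'unknown' from the X-CLOUD-SEC-AV header."""
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        if name.lower().startswith("x-cloud-sec-av"):
            words = re.findall(r"[a-z]+", value.lower())
            for mode in ("inline", "monitor"):
                if mode in words:
                    return mode
    return "unknown"

def seg_ranges_still_excluded(excluded, seg):
    """List the rule's excluded entries that overlap any SEG range."""
    seg_nets = [ipaddress.ip_network(s, strict=False) for s in seg]
    hits = []
    for entry in excluded:
        net = ipaddress.ip_network(entry, strict=False)
        if any(net.version == s.version and net.overlaps(s) for s in seg_nets):
            hits.append(entry)
    return hits

def triage(raw_message, excluded, seg):
    """Combine both checks into one finding for a single message."""
    mode = scan_mode(raw_message)
    if mode != "monitor":
        return mode
    hits = seg_ranges_still_excluded(excluded, seg)
    if hits:
        return "monitor: SEG ranges still excluded: " + ", ".join(hits)
    return "monitor: no SEG range excluded; check policy scope and group membership"

if __name__ == "__main__":
    print(triage(SAMPLE_MONITOR, RULE_EXCLUSIONS, SEG_RANGES))
```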
Resolution steps
Important:
Many SEGs enforce an IP inclusion rule that rejects emails not originating from the gateway. Before removing SEG IPs from the Check Point – Protect rule, you must first add Check Point's IP addresses (based on your region) to the SEG's inclusion rule to avoid mail delivery failures.
Find the correct IPs at the Check Point footprint connectors reference.
Log into the Check Point Infinity Portal and navigate to the Harmony Email & Collaboration application.
Go to Policy in the left navigation menu.
If no Prevent Inline policy exists yet, click Create New Policy Rule and select Prevent Inline as the mode. Configure scope and workflows as needed. If the policy already exists, proceed to the next step.
Scroll to the bottom of the policy configuration to Advanced Options and enable the checkbox: "Configure Excluded IPs Manually in Mail Flow Rule." This prevents HEC from automatically re-adding the SEG IPs after they are removed.
Wait approximately 10 minutes for the policy to update in the HEC backend.
Log into the SEG portal and check whether an IP inclusion rule exists that requires all inbound mail to originate from the gateway. If such a rule exists, add the Check Point IPs for your region to it before proceeding.
Log into the Microsoft Admin console and navigate to Admin center → Exchange.
From the navigation panel, go to Mail flow → Rules.
Click the Check Point – Protect rule to open it for editing.
Scroll to the Except if section at the bottom. Find the condition: "Or Sender IP address belongs to one of these ranges."
Remove the SEG IP addresses from the list. Do not remove the Check Point IPs. Click Save.
Note:
After saving changes in Exchange, Microsoft may take up to 24 hours to fully propagate the update in the backend.
Verify Inline Scanning is Active
Once the changes are applied, confirm HEC is scanning emails in Prevent Inline mode:
In HEC, open an email event and click into the email header from the left-side email profile panel.
Confirm the X-CLOUD-SEC-AV value shows inline (not monitor).
If the email header is not visible, update your admin permissions to include "View All Sensitive Data" under Account Settings → Users → Specific Service Roles → Email & Collaboration.
