: Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS

Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS

Table of Contents

Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS

Enterprise Data Loss Prevention (E-DLP) is a set of tools and processes that allow you to protect sensitive information against unauthorized access, misuse, extraction, or sharing. For more information, see About Enterprise DLP.
You can integrate E-DLP with Cloud NGFW for AWS and use the Panorama console to add data filtering profiles to your Security Policy rules.

Minimum Requirements for E-DLP Integration

The following are the combination of Panorama and Panorama plugin version requirements to integrate E-DLP with your Cloud NGFW service:
Panorama Version (PAN-OS)
DLP Plugin
AWS Plugin
10.0.2 and above
10.2.4 and above
11.0.2 and above
11.1.0 and above

Provisioning New E-DLP Tenant on Cloud NGFW for AWS

If you have an existing DLP tenant on your Customer Support Portal (CSP) account that is provisioned in Panorama, the Cloud NGFW service will use that DLP tenant to integrate DLP with Cloud NGFW.
If you do not have a DLP tenant on your customer support portal account, then the Cloud NGFW service will create a new DLP tenant.
The following are the steps to enable a new DLP tenant on Cloud NGFW console:
  1. Log in to the Cloud NGFW console.
  2. Select
    page displays information about the currently linked Panorama.
  3. In the Security Service column, click
    Check Details
    You can also click
    Link ID
    of a linked Panorama, and then click
    Check Details
  4. On the
    Security Services
    panel, click
    Data Loss Prevention (DLP)
  5. Select the check box to accept the
    End User License Agreement
    , and then click
    Review the
    Action Required
    on the linked Panorama.
  6. Ensure that the linked Panorama meets minimum system requirements to integrate DLP with your Cloud NGFW service
    After you install the required AWS and DLP plugin on your Panorama, the DLP tenant on a Cloud NGFW console gets enabled.
    On the Cloud NGFW console, go to the
    page, select linked Panorama, and then click
    Check Details
    under the
    Security Services
    You can now see the enabled
    Data Loss Prevention (DLP)
    After you enable the DLP tenant on the Cloud NGFW console successfully, firewalls associated with the linked Panorama can start using the DLP services.
    You can add a DLP filtering profile to your
    Security Policy Rule
    for your firewall in Panorama.
    In the
    Security Policy Rule
    screen, go to the
    tab, and then select the action to take (for example, allow or deny).
    Determine the
    Profile Setting
    Select a
    DLP data filtering profile
    Configure the
    Log Setting
    and other settings.
    After pushing the Security policy rule to your firewall, you can view existing Data Filtering Profiles and Data Filtering Patterns that you can use for your DLP tenant.

Monitoring DLP Log Details

To view your DLP logs in Panorama, click the
tab, and then go to
Data Filtering
. For more information, see View Enterprise DLP Log Details on Panorama.
To view your CDL logs for DLP, go to the
tab, and select the
Firewall or File
option. For more information, see View Log Details on CDL.
To view your DLP tenant incidents logs on SCM, see View Enterprise DLP Log Details on Strata Cloud Manager.
For more information on AWS destinations on DLP logs, see Amazon CloudWatch Logs.

Recommended For You