Perform Initial AI Access Security Configuration
Perform the initial AI Access Security configuration to enable safe adoption of GenAI applications across your organization.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
One of the following:
  • AI Access Security license
  • CASB-PA license
  • CASB-X license
An initial configuration is required before you can begin using AI Access Security to safely adopt generative AI (GenAI) apps across your organization. This includes enabling role-based access, setting up and configuring Enterprise Data Loss Prevention (E-DLP) to prevent exfiltration of sensitive data, and creating a Vulnerability Protection profile to stop attempts to exploit system flaws or gain unauthorized access to systems.

This procedure assumes you already activated the AI Access Security license.
  1. Set up and configure Enterprise Data Loss Prevention (E-DLP).
    Enterprise DLP is the detection engine that prevents exfiltration of sensitive data to GenAI apps. Associate an Enterprise DLP data profile with a Security policy rule to define what is considered sensitive data and the action Enterprise DLP takes when sensitive data is detected.
    1. Set Up Enterprise DLP.
      • Panorama: Install the Enterprise DLP plugin.
      • Strata Cloud Manager: Enable Enterprise DLP.
    2. Edit the Enterprise DLP settings to define the Cloud Content, data filtering, and snippet settings.
    3. Review the supported advanced Detection Methods to use in your Enterprise DLP configuration.
      These are advanced traffic match detection techniques used to prevent exfiltration of sensitive data. They can be used alongside any combination of predefined, custom regex, or file property data patterns in an advanced data profile.
    4. Create data patterns and data profiles to define your sensitive data match criteria.
      Palo Alto Networks recommends creating advanced data profiles because they allow you to use advanced detection method techniques to strengthen your security posture.
    5. (Strata Cloud Manager only) Modify the DLP Rule to specify the impacted file types and file direction (upload or download) and the action Enterprise DLP takes when sensitive data is detected.
  2. Enable Role Based Access to define the access privileges for your security administrators.
    Configure access privileges for AI Access Security and Enterprise DLP, as well as for the management interface (Panorama™ management server or Strata Cloud Manager).
  3. Create a Vulnerability Protection profile.
    Vulnerability Protection profiles are associated with your Security policy rule and stop attempts to exploit system flaws or gain unauthorized access to systems.
  4. (NGFW only) Create an internal trust zone and an outbound untrusted zone.
    Zones are a logical way to group physical and virtual interfaces on the NGFW to control and log the traffic that traverses specific interfaces on your network. Policy rules on the NGFW use zones to identify where the traffic comes from and where it's going.
    The internal trust zone designates traffic originating from within your organization while the outbound untrusted zone designates traffic destined for the internet.
  5. Create application filters to dynamically group GenAI apps for which you want to apply the same Security policy requirements.
    AI Access Security includes dynamic predefined GenAI application filters based on the GenAI app use case.
  6. Create Custom Security policy rules to begin safely adopting GenAI apps in your organization.
  7. Modify the Default Web Access Policies to allow Enterprise DLP to successfully inspect traffic for non-GenAI apps.
    Skip this step if you don't have an active Enterprise DLP license. An active Enterprise DLP, CASB-PA, or CASB-X license is required to forward traffic to Enterprise DLP for inspection and verdict rendering.
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > Policies > Web Security.
    2. Select your Configuration Scope.
    3. Navigate to the Default Web Access Policies.
    4. Select the Global Catch All Policy policy rule and Disable it.
    5. Select the Global Web Access policy rule to edit it.
    6. Remove all entries from the Global Web Access policy rule configuration:
      • Allowed Web Applications
      • Blocked URL Categories
      • Allowed URL Categories
    7. Save.
    8. Push Config and Push.
