Configure Enterprise DLP for Cloud NGFW on Azure

Configure Enterprise Data Loss Prevention (E-DLP) for Cloud NGFW for Azure to protect sensitive data from unauthorized access or exfiltration.
Where Can I Use This?
  • Cloud NGFW for Azure
What Do I Need?
  • Cloud NGFW subscription
  • Panorama with PAN-OS 11.2.7-h4 or a later 11.2 release
  • DLP plugin 5.0.8 or later on Panorama
  • Cloud Services plugin 6.0.0 or later on Panorama
  • Azure plugin 5.2.3 or later on Panorama
  • Strata Tenant Group (TSG) with E-DLP or CASB, or Strata Cloud Manager
  • Palo Alto Networks Customer Support Portal (CSP) account
Enterprise Data Loss Prevention (E-DLP) is a cloud-delivered security service that protects sensitive information from unauthorized access or exfiltration. You can integrate E-DLP with Cloud NGFW for Azure and use the Panorama console to apply consistent data filtering profiles to your security policy rules across your cloud infrastructure.
Cloud NGFW for Azure exclusively supports E-DLP. Consequently, all data-filtering profiles configured in Panorama are treated as E-DLP usage and billed at the E-DLP add-on price. To prevent E-DLP-related charges, verify that no data-filtering profiles remain active within your security rules.
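One way to perform that check offline, as an added example that is not part of the Palo Alto Networks documentation: parse an exported Panorama configuration and list every security rule that references a data filtering profile, either directly or through a profile group. The XML paths follow the PAN-OS configuration schema; the device-group, profile and rule names in the embedded sample are constructed placeholders.

```python
# Added example (not Palo Alto Networks documentation code): audit a Panorama config
# export for security rules that still reference a data filtering profile, directly
# or via a profile group; each hit counts as E-DLP usage on Cloud NGFW for Azure.
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a Panorama config export
# (device-group, profile and rule names are placeholders).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><device-group>
  <entry name="cloud-ngfw-dg">
    <profile-group><entry name="pg-with-dlp">
      <data-filtering><member>dlp-default</member></data-filtering>
    </entry></profile-group>
    <pre-rulebase><security><rules>
      <entry name="allow-web-dlp"><profile-setting><profiles>
        <data-filtering><member>dlp-default</member></data-filtering>
      </profiles></profile-setting></entry>
      <entry name="allow-web-group"><profile-setting><group>
        <member>pg-with-dlp</member></group></profile-setting></entry>
      <entry name="allow-dns"><profile-setting><profiles>
        <virus><member>default</member></virus></profiles></profile-setting></entry>
    </rules></security></pre-rulebase>
  </entry>
</device-group></entry></devices></config>"""


def find_dlp_rules(config_xml: str) -> dict:
    """Return {device group: {rule name: data filtering profile}} for rules using DLP."""
    root = ET.fromstring(config_xml)
    results = {}
    for dg in root.iterfind("./devices/entry/device-group/entry"):
        # Profile groups that carry a data filtering profile
        groups = {
            g.get("name"): g.findtext("data-filtering/member")
            for g in dg.iterfind("profile-group/entry")
            if g.find("data-filtering/member") is not None
        }
        hits = {}
        for rulebase in ("pre-rulebase", "post-rulebase"):
            for rule in dg.iterfind(f"{rulebase}/security/rules/entry"):
                direct = rule.findtext("profile-setting/profiles/data-filtering/member")
                group = rule.findtext("profile-setting/group/member")
                if direct:
                    hits[rule.get("name")] = direct
                elif group in groups:
                    hits[rule.get("name")] = groups[group]
        if hits:
            results[dg.get("name")] = hits
    return results
```

An empty result over a real configuration export means no security rule in any device group still references a data filtering profile.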
Use the following workflow to integrate your Cloud NGFW for Azure with E-DLP and Panorama:
Step: Panorama preparation
Ensure Panorama is deployed with the following software versions:
  • PAN-OS 11.2.7-h4 or a later 11.2 release (Panorama versions 12.0.x and 12.1.x and above are not supported)
  • DLP plugin 5.0.8 or later
  • Cloud Services plugin 6.0.0 or later
  • Azure plugin 5.2.3 or later
Ensure you are a member of the Palo Alto Networks Customer Support Portal (CSP) account where your organization has registered the Panorama appliance.
Step: Associate Panorama to a Strata Tenant Group (TSG) for E-DLP integration
A Strata Tenant Group (TSG) is required for this integration. While an E-DLP subscription is typically required, if one does not exist, Palo Alto Networks creates a new DLP service and tenant during the integration process.
  • If your Panorama is already onboarded to a Strata Tenant Group (TSG) with E-DLP or CASB, proceed to the next step.
  • If you have a TSG with E-DLP or CASB but Panorama is not yet onboarded, onboard your Panorama to the TSG and proceed to the next step.
  • If you do not have a TSG, activate a new Strata Cloud Manager and onboard your Panorama to the associated TSG.
Step: Create or update Cloud NGFW resources
If you already have Cloud NGFW for Azure resources registered with this Panorama:
  • Automated association: If your Panorama is already TSG-aware with Strata Cloud Manager (with or without E-DLP), the instance is associated with E-DLP automatically as part of a rolling upgrade.
  • Manual association: If you are making your Panorama TSG-aware for the first time, update your firewall with the same registration string in the Azure portal to trigger association with the appropriate DLP services. You do not need a new registration string.
Step: Author DLP profiles and policies
Once registered, add a DLP data filtering profile to your security policy rules for your Cloud NGFW resources in Panorama.
Step: View logs and incidents
  • View detailed security events and data matches in Strata Cloud Manager under the E-DLP Incidents page.
  • If your logging destination is Strata Logging Service or Panorama, view logs in either location.
  • Configure logs to be sent to Azure Event Hub, Azure Storage Account, or Azure Log Analytics Workspace, and view them natively in Azure.
When moving Panorama from one Strata Tenant Group (TSG) to another:
  • If the new TSG does not have E-DLP, Palo Alto Networks creates a new DLP service. Update your policies to reference the new DLP tenant.
  • If the new TSG already has E-DLP, Cloud NGFW can use the existing E-DLP tenant. You must still update your policies accordingly.
Generate a new registration string and update it in the Azure portal after Panorama moves to the new TSG. If you intend to move E-DLP tenants from one TSG to another, complete that migration before moving Panorama, then generate and update the registration string.
  1. Provision E-DLP on Panorama.
    1. Log in to Panorama.
    2. Select Panorama > Azure > Cloud NGFW.
    3. Locate the Registration String, click Generate, and copy the string for use in the Azure portal.
    4. Select Panorama > Setup > Management and verify that a device certificate is installed.
    5. Verify that the DLP plugin is active under Panorama > Plugins.
  2. Configure the Cloud NGFW in the Azure portal.
    1. In the Azure portal, select Cloud NGFWs by Palo Alto Networks.
    2. Click Create or select an existing firewall to update.
    3. On the Basics tab, enter the firewall name and select the subscription and resource group.
    4. On the Security Policies tab, choose Managed by Palo Alto Networks Panorama.
    5. Enter the Panorama registration string you generated in the previous step.
    6. Complete the Review + Create process to deploy the firewall.
  3. Apply DLP profiles and verify the configuration.
    1. In Panorama, select Objects > Security Profiles > Data Filtering and create a data filtering profile using predefined or custom data patterns.
    2. Apply the data filtering profile to a security policy rule under the Actions tab.
    3. Commit the changes to Panorama and push them to the Cloud NGFW device group.
    4. Monitor DLP security events in Strata Cloud Manager under Data Loss Prevention > DLP Incidents.

Update the Registration String for an Existing Cloud NGFW on Azure

Associate an existing Cloud NGFW for Azure resource with a new E-DLP tenant by updating the Panorama registration string in the Azure portal.
If you have an existing Cloud NGFW on Azure that you want to associate with a new E-DLP tenant, update the registration string rather than creating a new firewall.
  1. In Panorama, select Azure > Cloud NGFW.
  2. Select the appropriate device group.
  3. Under Registration String, click Generate and copy the string.
  4. In the Azure portal, select your existing Cloud NGFW by Palo Alto Networks resource.
  5. Under Security Policies, enter the registration string.
  6. Click Save to associate the firewall with the E-DLP tenant.