Single Tenant
Activate Endpoint DLP to prevent exfiltration of sensitive data over peripheral devices for a single tenant Customer Support Portal account.
  1. Contact your Palo Alto Networks representative to purchase the Endpoint DLP subscription.
  2. Click the magic link provided to you by Palo Alto Networks when you purchased the Endpoint DLP subscription.
  3. Activate Subscription to begin activating Endpoint DLP.
  4. Enter your Email Address and click Next to continue.
    This email address must match the email that received the magic link to activate Endpoint DLP and must have a valid Palo Alto Networks Customer Support Portal account.
    Click Create a New Account if you're a security administrator who does not yet have a valid Palo Alto Networks Customer Support Portal account for your organization. This is required before you can continue activating Endpoint DLP.
  5. Verify the tenant details for which you're activating Endpoint DLP.
    This information is populated by default when the magic link is generated. Palo Alto Networks recommends verifying the following tenant details before activation so that any issues can be resolved first.
    • Customer Support Account—Endpoint DLP must be activated on the same Customer Support Portal account as Enterprise DLP.
    • Region—Region is populated by default and is based on the region configured for the Customer Support Portal tenant. This cannot be changed.
    • Endpoint DLP Licenses—The Endpoint DLP license must be Fully Assigned and display the total number of supported users.
  6. Agree to the Terms and Conditions.
  7. Activate Now.
  8. Log in to Strata Cloud Manager.
  9. Set up Endpoint DLP.
    1. Edit the Endpoint DLP data filtering settings and snippet settings to define the operational parameters.
    2. Enable Optical Character Recognition on Strata Cloud Manager to scan files with images containing sensitive information.
    3. (Optional) Save evidence for investigative analysis with Enterprise DLP by connecting an AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP so that evidence of inspected traffic is stored automatically.
    4. (Optional) Add peripheral devices to Endpoint DLP.
    5. (Optional) Create a peripheral group to group similar types of peripheral devices together for easier application of Endpoint DLP policy rules.
    6. Create an Endpoint DLP policy rule to control access to peripheral devices and prevent exfiltration of sensitive data.
      The Prisma Access Agent displays the Endpoint DLP service as disabled until you push an Endpoint DLP policy rule from Strata Cloud Manager to the Prisma Access Agent installed on the endpoint.
    7. (Optional) Create a User Coaching Notification Template for Endpoint DLP.
      The End User Coaching Notification Template allows you to configure the notification displayed to your users in the Access Experience User Interface (UI) when they generate a DLP incident.
      For the Product Name, select Endpoint Data Loss Prevention. Configure the Applied Rules and Notification Message as needed.
  10. Set up Prisma Access Agent and install it on your endpoints.
    1. (SSL Decryption) If you configured SSL decryption for Prisma Access, you must add the following decryption exclusion entry for Enterprise DLP.
      *.dss.paloaltonetworks.com
    2. Enable the Endpoint DLP service in the Prisma Access Agent configuration file.
      The Prisma Access Agent has the Endpoint DLP service disabled by default. The security administrator must enable the Endpoint DLP service in the Prisma Access Agent configuration file before installing the Prisma Access Agent on endpoints.
      To enable Endpoint DLP, configure "enable_dlp" as true.
      The Prisma Access Agent considers the Endpoint DLP disabled if you remove the "enable_dlp" field from the configuration file.
    3. Install the Prisma Access Agent on all endpoints you want to protect.
      You must use one of the supported Mobile Device Management (MDM) installation methods if the endpoint currently has GlobalProtect or Cortex XDR installed. Prisma Access Agent doesn't support manual installation if GlobalProtect or Cortex XDR are already installed on the endpoint.
    4. Allow the Prisma Access Agent processes for your Endpoint Detection and Response (EDR) tools.
      At a minimum, you must allow all DLP (Microsoft Windows) or pangdlp (macOS) Endpoint DLP processes.
      However, Palo Alto Networks recommends allowing all Prisma Access Agent processes to prevent your EDR tools from flagging Endpoint DLP and other Prisma Access Agent processes as malicious. Not allowing these processes might result in unexpected behavior and might prevent Endpoint DLP functionality.
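Before pushing the agent, a small readiness check that encodes the three pitfalls in steps 10.1, 10.2 and 10.4 (a missing "enable_dlp" field counts as disabled, the decryption exclusion must be present, and the EDR allowlist must include the Endpoint DLP process). This is an added example, not Palo Alto Networks code; it assumes the agent configuration loads as a JSON object and that the exclusion list and EDR allowlist are plain lists of strings.

```python
"""Readiness check for the Endpoint DLP rollout steps described above.

Assumptions (not from the documentation page): the Prisma Access Agent
configuration is loaded as a JSON object, the decryption exclusion list is
a list of hostname patterns, and the EDR allowlist is a list of process names.
"""
import fnmatch
import json

# Values the page states: the config field, the decryption exclusion entry
# and the Endpoint DLP process name per platform.
DLP_FIELD = "enable_dlp"
REQUIRED_EXCLUSION = "*.dss.paloaltonetworks.com"
DLP_PROCESSES = {"windows": "DLP", "macos": "pangdlp"}


def dlp_enabled(agent_config: dict) -> bool:
    """True only when enable_dlp is present and exactly boolean true.

    A missing field means disabled (as the page states); a non-boolean value
    such as the string "true" is also treated as disabled so that a mistyped
    configuration does not pass the check."""
    return agent_config.get(DLP_FIELD) is True


def exclusion_covers(exclusions: list[str], host: str) -> bool:
    """Does any configured decryption-exclusion pattern match this host?"""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in exclusions)


def readiness_findings(agent_config: dict, exclusions: list[str],
                       edr_allowlist: list[str], platform: str) -> list[str]:
    """Return human-readable findings; an empty list means ready to deploy."""
    findings = []
    if not dlp_enabled(agent_config):
        findings.append(f'"{DLP_FIELD}" is missing or not boolean true: '
                        "the agent will report Endpoint DLP as disabled")
    # Probe with a constructed hostname under the required exclusion domain.
    if not exclusion_covers(exclusions, "example.dss.paloaltonetworks.com"):
        findings.append(f"decryption exclusion {REQUIRED_EXCLUSION} is absent")
    proc = DLP_PROCESSES[platform]
    if proc.lower() not in {p.lower() for p in edr_allowlist}:
        findings.append(f"EDR allowlist lacks the {proc} process ({platform})")
    return findings


if __name__ == "__main__":
    # Constructed sample: enable_dlp removed and exclusion entered without wildcard.
    cfg = json.loads('{"agent_name": "example"}')
    print(readiness_findings(cfg, ["dss.paloaltonetworks.com"], ["DLP"], "windows"))
```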