Enterprise DLP
Activate the Enterprise DLP License for NGFW
Activate the Enterprise Data Loss Prevention (E-DLP) license for your NGFW (Managed by Panorama or Strata Cloud Manager).
- Contact your Palo Alto Networks representative to purchase the Enterprise DLP subscription.
- Click the magic link provided to you by Palo Alto Networks when you purchased the Enterprise DLP subscription.
- Activate Subscription to begin activating Enterprise DLP.
- Enter your Email Address and click Next to continue.
  This email address must match the email that received the magic link to activate Enterprise DLP and must have a valid Palo Alto Networks Customer Support Portal account.
  Click Create a New Account if you're a security administrator who does not yet have a valid Palo Alto Networks Customer Support Portal account for your organization. This is required before you can continue activating Enterprise DLP.
- Select the Customer Support Account for which you're activating Enterprise DLP.
  Palo Alto Networks automatically populates the list of available Customer Support Portal accounts when the Palo Alto Networks representative generates the magic link. Palo Alto Networks recommends verifying you're activating Enterprise DLP for your Customer Support Portal account before you continue.
- For the Specify the Recipient field, select the Tenant for which you want to activate Enterprise DLP.
  You can select only one tenant for which to activate Enterprise DLP. You can't activate Enterprise DLP for multiple tenants using the same magic link. If you have a multitenant tenant service group (TSG), expand the parent tenant to select the child tenant.
- Verify that the correct Region is selected.
  - Global—Default for all non-FedRAMP Customer Support Accounts and can't be modified.
    All Enterprise DLP tenants are globally available by default. However, your Enterprise DLP data and incidents reside in geographic locations based on where the enforcement point that forwarded the traffic to Enterprise DLP was located.
    Alternatively on Panorama, you can configure a specific Public Cloud Server so your Panorama-managed enforcement point forwards traffic to a region-specific Enterprise DLP tenant.
  - (FedRAMP only) United States - Government—Default for all FedRAMP Moderate and High Customer Support Accounts and can't be modified.
- For the Data Loss Prevention tenant, select None.
  Selecting None creates a new Enterprise DLP tenant. If you have already activated a trial or EVAL license, you must create a new production Enterprise DLP.
- Check Agree to the Terms and Conditions.
- Activate.
- Log in to Strata Cloud Manager and verify that you can select Manage > Configuration > Data Loss Prevention.
- (Non-TSG Aware CSP Accounts) Gather the list of the enforcement points that already have an active Enterprise DLP license.
  To avoid activation failure, this is required if you have a non-TSG aware Customer Support Account that hasn't been migrated and you already activated and associated the Enterprise DLP license with existing enforcement points.
  Skip this step if you're activating Enterprise DLP for the first time or have a TSG aware Customer Support Portal account.
  - Log in to the Palo Alto Networks Customer Support Portal.
  - Select Product > Assets and Add New Filter.
  - Click Select Filter and select DLP.
    The Customer Support Portal now displays the list of all enforcement points with an active Enterprise DLP license and the enforcement point Serial Number.
  - Use this list of enforcement point serial numbers when selecting NGFW with which to associate the Enterprise DLP license.
- Associate Enterprise DLP with your NGFW.
  - Select System Settings > Device Association.
  - Navigate to the tenant for which you activated Enterprise DLP.
  - Select one or more NGFW and Associate Products.
    - TSG Aware Customer Support Account—Strata Cloud Manager displays only the NGFW without an active Enterprise DLP license.
    - Non-TSG Aware Customer Support Account—Ensure you don't select any NGFW with an already active Enterprise DLP license by comparing the list of available enforcement points and the list of enforcement points with an active Enterprise DLP license you generated in the previous step.
      Selecting an NGFW with an active Enterprise DLP license blocks activation. You must deselect any NGFW with an active Enterprise DLP license.
  - In the Products list, select Enterprise DLP.
  - Select the NGFW and Save.
- (NGFW (Managed by Panorama) only) Install the Enterprise DLP Plugin on Panorama.
  If you're managing NGFW from Panorama, you must install the Enterprise DLP plugin on Panorama to manage your Enterprise DLP configuration, synchronize Enterprise DLP configuration objects with Strata Cloud Manager, and push Enterprise DLP configuration changes to your NGFW. A Panorama with the Enterprise DLP plugin installed is required; Enterprise DLP does not support managing your Enterprise DLP configuration directly on your NGFW.
- Enable Enterprise DLP.
  Some apps, such as SharePoint and OneDrive, use HTTP/2 by default. For NGFW, Prisma Access tenants, and VM-Series firewalls managed by Panorama or by Strata Cloud Manager running PAN-OS 10.2.2 and earlier releases, you must create a decryption profile and a Security policy rule to strip out the application-layer protocol negotiation (ALPN) extension in headers. Complete these steps to successfully forward traffic to Enterprise DLP.
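For the non-TSG aware comparison in the device association step above, this added example (not Palo Alto Networks code) splits a candidate NGFW list into serial numbers that are safe to select and ones that must be deselected because they already hold an active Enterprise DLP license. The CSV layout, the use of `Serial Number` as a column header, the device names, and all serial numbers are constructed assumptions.

```python
import csv
import io

# Constructed sample data. The CSV layout and column names are assumptions,
# not a documented Customer Support Portal or Strata Cloud Manager export.
LICENSED_CSV = """Serial Number,Device Name
007051000012345,fw-edge-01
 007051000067890 ,fw-dc-02
"""
CANDIDATES_CSV = """Serial Number,Device Name
007051000012345,fw-edge-01
007051000099999,fw-branch-07
007051000067890,fw-dc-02
007051000055555,fw-lab-03
007051000099999,fw-branch-07
"""


def read_serials(text, column="Serial Number"):
    """Return normalized serials from CSV text, in order, without duplicates."""
    seen, serials = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        # Keep serials as strings so leading zeros survive; trim stray spaces.
        serial = (row.get(column) or "").strip().upper()
        if serial and serial not in seen:
            seen.add(serial)
            serials.append(serial)
    return serials


def split_candidates(candidates, licensed):
    """Split candidates into (safe_to_associate, must_deselect)."""
    licensed_set = set(licensed)
    safe = [s for s in candidates if s not in licensed_set]
    blocked = [s for s in candidates if s in licensed_set]
    return safe, blocked


if __name__ == "__main__":
    safe, blocked = split_candidates(read_serials(CANDIDATES_CSV),
                                     read_serials(LICENSED_CSV))
    print("Safe to associate:", ", ".join(safe))
    print("Deselect (already licensed):", ", ".join(blocked))
```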