Activate the Enterprise DLP License for VM-Series, funded with Software NGFW Credits

Activate the Enterprise Data Loss Prevention (E-DLP) license for VM-Series, funded with Software NGFW Credits.
  1. Create a new deployment profile or edit an existing one.
    This is required to activate the Enterprise DLP licenses for VM-Series firewalls.
    • New Deployment Profiles: Create a new deployment profile and check (enable) DLP in the Customize Subscription section.
    • Existing Deployment Profiles: Edit an existing deployment profile and check (enable) DLP in the Customize Subscription section.
  2. Activate the deployment profile.
  3. Select the Customer Support Account for which you're activating Enterprise DLP.
    Palo Alto Networks automatically populates the list of available Customer Support Portal accounts when you activate a new deployment profile or are editing an existing one. Palo Alto Networks recommends verifying you're activating Enterprise DLP for your Customer Support Portal account before you continue.
  4. Select the deployment profile Recipient and click Done.
    The deployment profile must have DLP selected to activate Enterprise DLP.
  5. Select the Region the deployment profile belongs to.
    Regardless of which deployment profile region you select, the Enterprise DLP tenant belongs to one of the following regions:
    • Global—Default for all non-FedRAMP Customer Support Accounts and can't be modified.
      All Enterprise DLP tenants are globally available by default. However, your Enterprise DLP data and incidents reside in geographic locations based on where the enforcement point that forwarded the traffic to Enterprise DLP was located.
      Alternatively, on Panorama, you can configure a specific Public Cloud Server so that your Panorama-managed enforcement point forwards traffic to a region-specific Enterprise DLP tenant.
    • (FedRAMP only) United States - Government—Default for all FedRAMP Moderate and High Customer Support Accounts and can't be modified.
  6. For the Data Loss Prevention tenant, select None.
    Selecting None creates a new Enterprise DLP tenant. If you have already activated a trial or EVAL license, you must create a new production Enterprise DLP tenant.
  7. Check Agree to the Terms and Conditions.
  8. Activate.
  9. Log in to Strata Cloud Manager and verify that you can select Configuration > Data Loss Prevention.
  10. (Non-TSG Aware CSP Accounts) Gather the list of the enforcement points that already have an active Enterprise DLP license.
    This step is required to avoid activation failure if you have a non-TSG aware Customer Support Account that hasn't been migrated and you already activated and associated the Enterprise DLP license with existing enforcement points.
    Skip this step if you're activating Enterprise DLP for the first time or have a TSG aware Customer Support Portal account.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select Product > Assets and Add New Filter.
    3. Click Select Filter and select DLP.
    4. The Customer Support Portal now displays the list of all enforcement points with an active Enterprise DLP license and the enforcement point Serial Number.
      Use this list of enforcement point serial numbers when selecting VM-Series firewalls with which to associate the Enterprise DLP license.
  11. Associate Enterprise DLP with your VM-Series firewalls.
    1. Select System Settings > Device Association.
    2. Navigate to the tenant for which you activated Enterprise DLP.
    3. Select one or more VM-Series firewalls and Associate Products.
      • TSG Aware Customer Support Account: Strata Cloud Manager displays only the VM-Series firewalls without an active Enterprise DLP license.
      • Non-TSG Aware Customer Support Account: Ensure you don't select any VM-Series firewalls with an already active Enterprise DLP license by comparing the list of available enforcement points and the list of enforcement points with an active Enterprise DLP license you generated in the previous step.
        Selecting a VM-Series firewall with an active Enterprise DLP license blocks activation. You must deselect any VM-Series firewalls with an active Enterprise DLP license.
    4. In the Products list, select Enterprise DLP.
    5. Select the VM-Series firewalls and Save.
  12. (Panorama only) Install the Enterprise DLP Plugin on Panorama.
    If you're managing your VM-Series firewalls from Panorama, you must install the Enterprise DLP plugin on Panorama to manage your Enterprise DLP configuration, synchronize Enterprise DLP configuration objects with Strata Cloud Manager, and to push Enterprise DLP configuration changes to your VM-Series firewalls. A Panorama with the Enterprise DLP plugin installed is required; Enterprise DLP does not support managing your Enterprise DLP configuration directly on your VM-Series firewalls.
  13. Enable Enterprise DLP.
    Some apps, such as SharePoint and OneDrive, use HTTP/2 by default. For NGFW, Prisma Access tenants, and VM-Series firewalls managed by Panorama or by Strata Cloud Manager running PAN-OS 10.2.2 and earlier releases, you must create a decryption profile and a Security policy rule to strip out the application-layer protocol negotiation (ALPN) extension in headers. Complete these steps to successfully forward traffic to Enterprise DLP.
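
For non-TSG aware accounts, the serial number comparison in steps 10 and 11 can be scripted so that a case or whitespace mismatch does not let an already licensed firewall slip into the selection. This is an added example, not Palo Alto Networks code; it assumes both lists were saved as CSV text with a "Serial Number" column, and the function names and sample serial numbers are constructed for illustration.

```python
import csv
import io


def serials(csv_text, column="Serial Number"):
    """Return normalized serial numbers from one CSV list (assumed format)."""
    wanted = column.strip().lower()
    found = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        # Header names and values are matched ignoring case and padding.
        row = {(k or "").strip().lower(): v for k, v in row.items()}
        if wanted not in row:
            raise ValueError(f"column {column!r} missing from list")
        value = (row[wanted] or "").strip().upper()
        if value:
            found.append(value)
    return found


def partition(candidates_csv, licensed_csv):
    """Split candidate firewalls into (safe to associate, must deselect)."""
    licensed = set(serials(licensed_csv))
    safe, blocked = [], []
    # dict.fromkeys drops duplicate rows while keeping the original order.
    for serial in dict.fromkeys(serials(candidates_csv)):
        (blocked if serial in licensed else safe).append(serial)
    return safe, blocked


# Constructed sample data: firewalls offered for association (step 11).
CANDIDATES = """Device Name,Serial Number
vm-fw-01,007EXAMPLE0001
vm-fw-02, 007example0002
vm-fw-03,007EXAMPLE0003
"""

# Constructed sample data: enforcement points from the DLP filter (step 10).
LICENSED = """Serial Number,License
007EXAMPLE0002,DLP
007EXAMPLE0009,DLP
"""

if __name__ == "__main__":
    safe, blocked = partition(CANDIDATES, LICENSED)
    print("Safe to associate:", ", ".join(safe))
    print("Deselect (already licensed):", ", ".join(blocked))
```
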