Troubleshoot the Enterprise DLP Plugin

Review the information below if you have trouble installing or upgrading the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.

Reset the Enterprise DLP Plugin

In some cases, data security administrators need to reset the Enterprise DLP plugin in the Panorama CLI to resolve Enterprise DLP configuration sync or upgrade issues causing Panorama commit failures or failed plugin validation errors. These errors are often related to the device certificate required on Panorama or the NGFW, or a general connectivity issue preventing Panorama or the NGFW from connecting to Enterprise DLP. This issue manifests in two primary ways:
  • Out-of-Sync State—Occurs when Enterprise DLP can't sync data patterns or data filtering profiles on Panorama with Strata Cloud Manager. This results in commit warnings and commit failures on Panorama.
  • Manual Post-Upgrade Sync—After upgrading from Enterprise DLP plugin 1.0.4 or 1.0.5 to a later version, your data security administrator must manually synchronize the Enterprise DLP plugin with Strata Cloud Manager.
Review the steps below to identify and resolve the issue.
  1. Log in to the Panorama CLI.
  2. Reset the Enterprise DLP plugin using either of the following commands. They are functionally the same and both reset the Enterprise DLP plugin.
    • request plugins reset-plugin only plugin plugin-name dlp
    • request plugins reset-plugin plugin-name dlp
  3. Review the plugin reset command responses.
    A successful plugin reset returns one of the following responses.
    • pass dlp reset local state, then synced candidate configuration
    • plugin dlp has been reset
    An unsuccessful plugin reset returns one of the following responses.
    • fail DLP reset failure, check DLP plugin log
      The plugin reset failed because of an issue with the device certificate on Panorama; data security administrators must investigate the plugin log.
    • Cannot perform operation : DLP not provisioned for this tenant
      Plugin reset failed due to Panorama not having a valid Enterprise DLP tenant ID.
  4. Investigate further depending on the error message Panorama returned when resetting the plugin.
    • fail DLP reset failure, check DLP plugin log
      Check the Enterprise DLP plugin log on Panorama.
      admin>tail follow yes mp-log plugin_dlp.log
      Look for the following device certificate errors.
      ERROR: [dlp_agent] Cannot load the device certificate for authentication
      ERROR: [dlp_agent] Tenant: , Result: fail, Message: Cannot load the device certificate for authentication
      If you find these device certificate errors, install the Panorama device certificate and reset the plugin.
      If you installed the Panorama device certificate and continue to experience errors after a plugin reset, continue to the next step.
    • Cannot perform operation : DLP not provisioned for this tenant
      1. Check that Panorama successfully provisioned your Enterprise DLP tenant ID.
        admin>show system state | match cfg.platform.dlp_tenant_id
      2. Panorama returns one of the following responses.
        • Provisioned Enterprise DLP Tenant ID:
          cfg.platform.dlp_tenant_id: <numerical tenant ID>
          If Panorama successfully provisioned your Enterprise DLP tenant ID and you continue to experience issues resetting the Enterprise DLP plugin, review your Panorama connectivity and logs. There might be unrelated network configurations causing this error. Additionally, ensure that you enabled Enterprise DLP on your network. Continue to the next step to troubleshoot NGFW connectivity issues.
        • No Provisioned Enterprise DLP Tenant ID:
          cfg.platform.dlp_tenant_id: 0
          Continue to the next step to provision the Enterprise DLP tenant ID on Panorama.
      3. Provision the Enterprise DLP tenant ID on Panorama.
        admin>request plugins dlp provision-tenant
        Panorama returns the following responses.
        • Successful Provisioning:
          Pass
          DLP Provision Successful
        • Failed Provisioning - Generic:
          fail
          DLP Provisioning Failed - Empty tenant ID
          If Panorama returns this response, review your Panorama connectivity and logs. There might be unrelated network configurations preventing Panorama from contacting the Enterprise DLP cloud service. Additionally, ensure that you enabled Enterprise DLP on your network.
        • Failed Provisioning - Panorama Device Certificate:
          fail
          DLP Provisioning Failed - Thermite Cert is not installed
          If Panorama returns this response, install the Panorama device certificate and provision the Enterprise DLP tenant ID.
  5. Troubleshoot NGFW connectivity issues.
    1. Log in to the NGFW CLI.
    2. Check the CTD-Agent status.
      admin>show ctd-agent status security-client
    3. Review the Cloud connection status.
      If the status displays connected, there might be issues not related to Enterprise DLP or the device certificate.
      If the status displays disconnected, install the device certificate on your NGFW.
    4. Restart the Enterprise DLP agent.
      admin>debug software restart process ctd-agent
    5. Check the Cloud connection status again.
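The decision tree above (reset response, plugin log, tenant ID state) can be applied to CLI output that was captured from Panorama, for example by an automation tool that collects the output over SSH. The following is an added example, not Palo Alto Networks code; it classifies constructed sample strings modelled on the responses quoted in this page and returns the documented next action.

```python
import re
from typing import Optional

# Strings quoted in the troubleshooting steps above.
DEVICE_CERT_ERROR = "Cannot load the device certificate for authentication"
TENANT_RE = re.compile(r"cfg\.platform\.dlp_tenant_id:\s*(\d+)")

def classify_reset(response: str) -> str:
    """Map the 'request plugins reset-plugin' response text to an outcome class."""
    text = " ".join(response.lower().split())
    if "has been reset" in text or "synced candidate configuration" in text:
        return "ok"
    if "check dlp plugin log" in text:
        return "check_log"
    if "not provisioned for this tenant" in text:
        return "not_provisioned"
    return "unknown"

def log_has_device_cert_error(log_tail: str) -> bool:
    """True when a [dlp_agent] line in the plugin_dlp.log excerpt reports the cert error."""
    return any("[dlp_agent]" in line and DEVICE_CERT_ERROR in line
               for line in log_tail.splitlines())

def tenant_id(state_output: str) -> Optional[int]:
    """Parse 'cfg.platform.dlp_tenant_id: N' from 'show system state'; None if absent."""
    match = TENANT_RE.search(state_output)
    return int(match.group(1)) if match else None

def next_step(reset_response: str, log_tail: str = "", state_output: str = "") -> str:
    """Walk the documented decision tree and return the next action to take."""
    outcome = classify_reset(reset_response)
    if outcome == "ok":
        return "reset succeeded"
    if outcome == "check_log":
        if log_has_device_cert_error(log_tail):
            return "install Panorama device certificate, then reset plugin"
        return "troubleshoot NGFW connectivity (show ctd-agent status security-client)"
    if outcome == "not_provisioned":
        tid = tenant_id(state_output)
        if tid is None:
            return "run: show system state | match cfg.platform.dlp_tenant_id"
        if tid == 0:
            return "run: request plugins dlp provision-tenant"
        return "tenant provisioned; review Panorama connectivity and logs, then NGFW"
    return "unrecognised response; inspect plugin_dlp.log manually"

# Constructed sample log excerpt (not captured from a real device).
SAMPLE_LOG = ("ERROR: [dlp_agent] Cannot load the device certificate for authentication\n"
              "ERROR: [dlp_agent] Tenant: , Result: fail, Message: " + DEVICE_CERT_ERROR)
```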