Configure EDM CLI App Connectivity to Enterprise DLP

Configure EDM CLI App Connectivity to Enterprise DLP

1. Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.

   If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.

   • Enterprise DLP uses the Client ID and Client Secret to authenticate and connect the EDM CLI app.
     When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.

     

   • You must assign a role to the service account to upload EDM data sets to Enterprise DLP. EDM data set uploads fail if the service account does not have a role assigned with write access privileges to Enterprise DLP.
     You can assign any predefined role on Strata Cloud Manager or a predefined or custom role specific to the Enterprise DLP app on Strata Cloud Manager.
     If you're creating a service account only for EDM data set uploads, Palo Alto Networks recommends assigning the DLP Policy Administrator role for the Enterprise DLP app. The service account uploading EDM data sets to Enterprise DLP requires write privileges to successfully upload.

   
2. Set Up the EDM CLI App.

   Download EDM CLI app version 3.0 or later version to upload an EDM data set to a TSG-supported tenant.

   Download EDM CLI app version 3.5 or later to create an encrypted EDM data set in an air-gapped environment.
3. On the local device where you downloaded the EDM CLI app, navigate to and open the upload configuration file.

   The EDM CLI app bundles the upload configuration file with the package-edm-secure-cli-<version>-<platform>.zip file contents you extracted when you set up the EDM CLI app.

   The name of the upload configuration file for Linux and Windows versions of the EDM CLI display as:

   • Linux—upload_config.properties
   • Windows—upload_config

   
4. Configure the upload configuration file to enable connectivity to Enterprise DLP.

   Expand all
   Collapse all
   • EDM CLI App Version 3.0
     1. In the have_access_token_refresh_token field, enter no.
     2. Add the client_id and client_secret.
     3. (Proxy server only) Configure the proxy server settings.
        Skip this step if you don't require a proxy server for the local device to connect to the internet.
        • Specify whether the local device uploading the EDM data set to Enterprise DLP requires a proxy server to the connect to the internet.
          If you don't require a proxy server, enter no (default).
          If you require a proxy server, enter yes.
        • Enter the proxy_host_name and proxy_port_number.
        • Enter the proxy_user_name and proxy_password.
     4. Enter the dataset_name for the EDM data set you want to upload. Enterprise DLP uses the data set name entered here in Strata Cloud Manager for the uploaded EDM data set.
     5. Save the changes to the upload configuration file.

     

   • EDM CLI App Version 3.1 and Later
     1. In the have_access_token_refresh_token, enter no.
     2. Add the client_id and client_secret.
     3. (Proxy server only) Configure the proxy server settings.
        Skip this step if you don't require a proxy server for the local device to connect to the internet.
        • Specify whether the local device uploading the EDM data set to Enterprise DLP requires a proxy server to the connect to the internet.
          If you don't require a proxy server, enter no (default).
          If you require a proxy server, enter yes.
        • Enter the proxy_host_name and proxy_port_number.
        • Enter the proxy_user_name and proxy_password.
     4. Enter the dataset_name for the EDM data set you want to upload. Enterprise DLP uses the data set name entered here in Strata Cloud Manager for the uploaded EDM data set.
     5. (FedRAMP only) Configure the FedRAMP settings.
        Skip this step if not uploading to a FedRAMP Enterprise DLP environment.
        • In the fed_ramp field, enter yes if uploading an EDM data set to a FedRAMP Enterprise DLP environment.
        • In the fed_ramp_level field, enter the FedRAMP impact level (moderate or high)
     6. Save the changes to the upload configuration file.

     
5. (Air-gapped Environments only) Create the environment.properties file to instruct the EDM CLI app to skip checking for a connection to Enterprise DLP.

   Requires EDM CLI app version 3.5 or later version.

   By default, the EDM CLI app connects to Enterprise DLP each time you create an encrypted EDM data set to verify the CLI app version. Encrypted EDM data set creation fails when running an unsupported EDM CLI app version or if the EDM CLI app can't connect to Enterprise DLP.

   The EDM CLI app version 3.5 and later check for the existence of environment.properties file every time you create an encrypted EDM data set. The environment.properties file instructs the EDM CLI app to skip connecting to Enterprise DLP to allow you to create the encrypted EDM data set.

   1. In the same folder as your other EDM CLI app config files, create the following new configuration file with the exact file name provided below.

      environment.properties

      

   2. Enter the following:

      skip_dlp_api_call_for_create_cmd=true

      

   3. Save the changes to the environment.properties file.
6. Create and upload your EDM data sets to Enterprise DLP.

   • Upload an Encrypted EDM Data Set to Enterprise DLP Using a Configuration File
   • Create and Upload an Encrypted EDM Data to Enterprise DLP in Interactive Mode