Configure EDM CLI App Connectivity to Enterprise DLP

Configure connectivity between the Exact Data Matching (EDM) CLI app and Enterprise DLP on your local device.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Prisma Browser
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
To configure connectivity to Enterprise Data Loss Prevention (E-DLP), you must create an Enterprise DLP service account on Strata Cloud Manager. After you create and encrypt the service account Client ID and Secret, you must configure the upload_config.properties file included with the EDM CLI app. Enterprise DLP uses the encrypted Client ID and Secret to authenticate the local device and to identify which user is uploading an EDM dataset to Enterprise DLP. If you use a proxy server to connect to the internet, you must also enter the proxy server details in the upload_config.properties file to successfully upload an EDM dataset.
  1. Set Up the EDM CLI App.
    Download EDM CLI app version 3.0 or later to upload an EDM dataset to a TSG-supported tenant.
    Download EDM CLI app version 3.5 or later to create an encrypted EDM dataset in an air-gapped environment.
  2. On the local device where you downloaded the EDM CLI app, navigate to and open the upload configuration file.
    The EDM CLI app bundles the upload configuration file with the package-edm-secure-cli-<version>-<platform>.zip file contents you extracted when you set up the EDM CLI app.
    The upload configuration file name for the Linux and Windows versions of the EDM CLI app displays as:
    • Linux: upload_config.properties
    • Windows: upload_config
  3. Configure the upload configuration file to enable connectivity to Enterprise DLP.
    • EDM CLI App Version 4.0 and 5.0
      1. Add the client_id and client_secret.
        EDM CLI app version 4.0 and later support connections to Enterprise DLP using the Client ID and Client Secret only. EDM CLI app version 4.0 and later don't support connections to Enterprise DLP using Access and Refresh API tokens.
      2. (Proxy server only) Configure the proxy server settings.
        Skip this step if you don't require a proxy server for the local device to connect to the internet.
        • Specify whether the local device uploading the EDM dataset to Enterprise DLP requires a proxy server to connect to the internet.
          If you don't require a proxy server, enter no (default).
          If you require a proxy server, enter yes.
        • Enter the proxy_host_name and proxy_port_number.
        • Enter the proxy_user_name and proxy_password.
      3. Enter the dataset_name for the EDM dataset you want to upload. Enterprise DLP uses the dataset name entered here in Strata Cloud Manager for the uploaded EDM dataset.
      4. (FedRAMP only) Configure the FedRAMP settings.
        Skip this step if you aren't uploading to a FedRAMP Enterprise DLP environment.
        • In the fed_ramp field, enter yes if uploading an EDM dataset to a FedRAMP Enterprise DLP environment.
        • In the fed_ramp_level field, enter the FedRAMP impact level (moderate or high).
      5. If your organization must adhere to data residency requirements, enter the region_name to specify the region where you want your hashed and encrypted EDM datasets uploaded.
        Review the list of FQDNs for EDM for a full list of supported regions. Enter the country name in the region_name field. The default region_name is United States.
      6. Save the changes to the upload configuration file.
  4. (Air-gapped Environments only) Create the environment.properties file to instruct the EDM CLI app to skip checking for a connection to Enterprise DLP.
    Requires EDM CLI app version 3.5 or later.
    By default, the EDM CLI app connects to Enterprise DLP each time you create an encrypted EDM dataset to verify the CLI app version. Encrypted EDM dataset creation fails when running an unsupported EDM CLI app version or if the EDM CLI app can't connect to Enterprise DLP.
    EDM CLI app version 3.5 and later checks for the existence of the environment.properties file every time you create an encrypted EDM dataset. The environment.properties file instructs the EDM CLI app to skip connecting to Enterprise DLP to allow you to create the encrypted EDM dataset.
    1. In the same folder as your other EDM CLI app config files, create the following new configuration file with the exact file name provided below.
      environment.properties
    2. Enter the following:
      skip_dlp_api_call_for_create_cmd=true
    3. Save the changes to the environment.properties file.
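
The following pre-upload check is an added example, not part of the EDM CLI app or of the original documentation. It assumes both configuration files use key=value lines; the function names and sample values are hypothetical, and the key names are the ones listed in the steps above.

```python
# Added example: lint upload_config.properties and environment.properties.
def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint_upload_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    p, findings = parse_properties(text), []
    for key in ("client_id", "client_secret", "dataset_name"):
        if not p.get(key):
            findings.append(f"{key} is missing or empty")
    host, port = p.get("proxy_host_name"), p.get("proxy_port_number")
    if bool(host) != bool(port):
        findings.append("proxy_host_name and proxy_port_number must be set together")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("proxy_port_number is not a valid port")
    if bool(p.get("proxy_user_name")) != bool(p.get("proxy_password")):
        findings.append("proxy_user_name and proxy_password must be set together")
    # Assumption: an absent fed_ramp key means a non-FedRAMP upload.
    level = p.get("fed_ramp_level", "").lower()
    if p.get("fed_ramp", "").lower() == "yes" and level not in ("moderate", "high"):
        findings.append("fed_ramp_level must be moderate or high")
    return findings

def airgap_skip_enabled(text):
    """True if environment.properties enables the skip setting."""
    return parse_properties(text).get("skip_dlp_api_call_for_create_cmd", "").lower() == "true"

# Constructed sample input; every value below is a placeholder.
SAMPLE = """\
client_id=EXAMPLE-ENCRYPTED-CLIENT-ID
client_secret=
proxy_host_name=proxy.example.internal
proxy_port_number=80800
dataset_name=customers
fed_ramp=yes
fed_ramp_level=low
"""

if __name__ == "__main__":
    for finding in lint_upload_config(SAMPLE):
        print("FINDING:", finding)
```

Run it against the saved files before an upload; the findings never echo configuration values, so the output can go to a shared log without exposing the Client Secret or proxy password.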