Enterprise DLP
Create a Granular Data Profile on Panorama
Create a granular Enterprise Data Loss Prevention (E-DLP) data profile to apply differentiated
inline traffic inspection and response actions within a single Security policy rule on your
Panorama™ management server.
- Log in to the Panorama web interface.
- Select Objects > DLP > Data Filtering Profiles.
- (Optional) Create your classic data profiles on Panorama or advanced data profiles on Strata Cloud Manager. You can create a granular data profile that combines predefined data profiles and any custom data profiles you created.
- Add a new data profile.
- Enter a descriptive Name for the granular data profile.
- For the Profile Type, select Granular.
- Select the File Mode to explicitly include or exclude specific file types from Enterprise DLP inspection.
  - Include—Enterprise DLP only inspects the selected file types configured in the data profiles added to the granular data profile. Enterprise DLP ignores all other forwarded file types.
  - Exclude—The NGFW or Prisma Access tenant ignores the selected File Types and does not send them to Enterprise DLP for inspection and verdict rendering. The NGFW or Prisma Access tenant forwards all other file types to Enterprise DLP.
- In the Profile Selection, Add a data profile. Repeat this step to add additional data profiles.
  - Select the Data Filtering Profile.
  - Select the File/Non-File based traffic to forward to Enterprise DLP. You can select File (default), Non-File, or Both.
  - Select the File Type you want to forward to Enterprise DLP. Click Modify to add one or more supported file types. Enterprise DLP prioritizes the File Type settings configured in the granular data profile and ignores the existing File Type settings configured in the data profile added to the granular data profile.
  - Select the File Direction you want to inspect. You can select Upload, Download, or Both (default).
  - Select the Action Enterprise DLP takes if inspected traffic contains sensitive data. You can select Alert (default) or Block.
  - Set the Log Severity for the DLP incident when Enterprise DLP detects sensitive data that matches this data profile. You can select critical, high, medium, low, or informational (default).
  - Click OK to add the data profile.
- (Requires Non-File Data Profile) Configure the URL category list to exclude URL traffic from inspection for non-file based traffic. You can configure the URL category list only if you add a non-file based data profile to the granular data profile.
  - Select URL Category List Excluded From Non-File.
  - Add a new URL category list.
  - Select a predefined URL category, custom URL category, or EDL.
- (Requires Non-File Data Profile) Configure the application exclusion list to exclude application traffic from inspection for non-file based traffic. You can configure the application list only if you add a non-file based data profile to the granular data profile. At least one application list or application group is required to create a data filtering profile for inspecting non-file traffic.
  - Select Application List Excluded From Non-File.
  - Add an application filter or application group. If you did not create a custom application filter or application group, you must add the DLP App Exclusion Filter.
- (Exclude File Mode Required) Configure the File Types you want to exclude from Enterprise DLP inspection. The NGFW or Prisma Access tenant ignores the selected File Types and does not send them to Enterprise DLP for inspection and verdict rendering. The NGFW or Prisma Access tenant forwards all other file types to Enterprise DLP.
  - Click Modify to search for and select the supported file types you want to exclude. This setting applies to all data profiles added to the granular data profile.
  - Click OK after making your selections to continue.
- Click OK to save your changes.
- Attach the data filtering profile to a Security policy rule.
  - Select Policies > Security and specify the Device Group.
  - Select the Security policy rule to which you want to add the data filtering profile.
  - Select Actions and set the Profile Type to Profiles.
  - Select the Data Filtering profile you created previously.
  - Click OK.
- Commit and push the new configuration to your managed firewalls. The Commit and Push command isn't recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
  - Full configuration push from Panorama
    - Select Commit > Commit to Panorama and Commit.
    - Select Commit > Push to Devices and Edit Selections.
    - Select Device Groups and Include Device and Network Templates.
    - Click OK.
    - Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  - Partial configuration push from Panorama. Always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync. For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
    - Select Commit > Commit to Panorama.
    - Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit. In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
    - Commit.
    - Select Commit > Push to Devices.
    - Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push. In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
    - Select Device Groups and Include Device and Network Templates.
    - Click OK.
    - Push your configuration changes to your managed firewalls that are using Enterprise DLP.
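As an added illustration (not Palo Alto Networks code and not a Panorama API or schema), the following Python models the granular profile options from the procedure above and checks the constraints it states: the non-file exclusion lists, the Exclude file mode, the File Type precedence, and the __dlp admin that every partial commit and push must include. All field and function names are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed model of the granular data profile described on this page.
# Field names are illustrative only; they are not Panorama's schema.
@dataclass
class ProfileEntry:
    name: str
    traffic: str = "File"        # File (default), Non-File, or Both
    file_types: list = field(default_factory=list)  # set in the granular profile
    direction: str = "Both"      # Upload, Download, or Both (default)
    action: str = "Alert"        # Alert (default) or Block
    severity: str = "informational"

@dataclass
class GranularProfile:
    name: str
    file_mode: str               # Include or Exclude
    entries: list
    excluded_file_types: list = field(default_factory=list)  # Exclude mode only
    url_exclusions: list = field(default_factory=list)       # non-file traffic only
    app_exclusions: list = field(default_factory=list)       # non-file traffic only

SEVERITIES = {"critical", "high", "medium", "low", "informational"}

def effective_file_types(entry, data_profile_types):
    """File Types set on the granular entry win over the data profile's own."""
    return list(entry.file_types) if entry.file_types else list(data_profile_types)

def validate(profile):
    """Return the constraints from this page that the profile violates."""
    problems = []
    non_file = any(e.traffic in ("Non-File", "Both") for e in profile.entries)
    if not profile.entries:
        problems.append("add at least one data profile")
    if profile.file_mode == "Exclude" and not profile.excluded_file_types:
        problems.append("Exclude file mode needs excluded file types")
    if non_file and not profile.app_exclusions:
        problems.append("non-file inspection needs an application list or group "
                        "(the DLP App Exclusion Filter if no custom one exists)")
    if not non_file and (profile.url_exclusions or profile.app_exclusions):
        problems.append("URL/application exclusions require a non-file data profile")
    for e in profile.entries:
        if e.action not in ("Alert", "Block") or e.severity not in SEVERITIES:
            problems.append(f"{e.name}: invalid action or log severity")
    return problems

def partial_commit_admins(admins):
    """Admins to select for a partial commit/push: the acting admin(s) plus __dlp."""
    return sorted(set(admins) | {"__dlp"})
```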