Administration
  • Administration
  • Enterprise DLP Documentation
  • All Documentation
>
Create a Nested Data Profile
Focus
Download PDF
Focus
  1. Home
  2. Enterprise DLP
  3. Configure Enterprise DLP
  4. Data Profiles
  5. Create a Nested Data Profile
Download PDF
Enterprise DLP

Create a Nested Data Profile

Table of Contents

Create a Nested Data Profile

Create a single Enterprise Data Loss Prevention (E-DLP) data profile containing multiple data profiles to simplify management of sensitive data leaving your network.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
Enterprise Data Loss Prevention (E-DLP) supports creating a single data profile that contains multiple nested data profiles. Creating a single data profile that contains multiple nested data profiles allows you to consolidate the match criteria to prevent exfiltration of sensitive data to a single data profile that you can associate with a single Security policy rule. This allows you to simplify the management of sensitive data leaving your network and reduces the need to manage multiple Security policy rules and data profiles. Enterprise DLP synchronizes nested data profiles between Panorama and Strata Cloud Manager
When you create a data profile that contains predefined data profiles and patterns, be sure to consider the detection types used by the predefined data patterns because the detection type determines how Enterprise DLP arrives at a verdict for scanned files.
  • Enterprise DLP supports updating a nested data profile only from Strata Cloud Manager.
  • Enterprise DLP does not support adding a nested data profile to another nested data profile.
  • Enterprise DLP supports adding a classic or advanced data profiles that have only a Primary Rule configured. Enterprise DLP does not support adding data profiles that include both Primary and Secondary Rules to a nested data profile.
  • Enterprise DLP supports adding a data profile that includes an advanced detection method to an existing nested data profile if you did not include one when you originally created the data profile.
  • (SaaS Security) Enterprise DLP supports adding a nested data profile to SaaS Security Inline policy recommendations and Internet Access policy rules only.
    Enterprise DLP does not support adding a nested data profile to data asset policy rules in Data Security.
  1. Log in to Strata Cloud Manager.
  2. (Optional) Create your classic or advanced data profiles on Strata Cloud Manager.
    You can create a data profile that contains multiple data profiles using both predefined data profiles and custom data profiles you create.
  3. Select ManageConfigurationData Loss PreventionData Profiles and Add Data ProfilesNested Data Profiles.
    You can also create a new data profile by copying an existing data profile that already contains multiple data profiles. This allows you to quickly modify an existing data profile with additional data profile match criteria while preserving the original data profile from which the new data profile was copied.
    Enterprise DLP appends the name of copied a data profile with Copy - <name_of_original_data_profile>.
  4. Enter the Data Profile Name.
  5. Configure the Primary Rule for the data profile.
    Add Data Profile to add predefined or custom data profiles. Repeat this step to include additional data profiles.
    Add the data profile match criteria for allowed traffic to the Primary Rule. Add data profiles for blocked traffic to either Primary Rule or Secondary Rule.
    A data profile containing multiple data profiles support any combination of data profiles with data patterns only, data patterns and EDM data sets, and EDM data sets only.
    Nested data profiles support only the OR operator.
  6. (Optional) Configure a Secondary Rule.
    Add Data Profile to add predefined or custom data profiles. Repeat this step to include additional data profiles.
    Data profile match criteria added to the Secondary Rule block all traffic that meets the match criteria for the data profile by default and can’t be modified. If you want to allow traffic that matches a data profile match criteria, add it to the Primary Rule.
    A data profile containing multiple data profiles support any combination of data profiles with data patterns only, data patterns and EDM data sets, and EDM data sets only.
    Nested data profiles support only the OR operator.
  7. Save the data profile.
  8. Test a Data Profile to verify it accurately detects the sensitive data you configured it to detect.
  9. Verify that the data profile you created.
    • Strata Cloud ManagerLog in to Strata Cloud Manager and select ManageConfigurationData Loss PreventionData Profiles and search for the data profile you created.
    • Panorama and Prisma Access (Managed by Panorama)
      See Update a Data Profile for more information on which data profile settings are editable on Panorama for a data profile created on Strata Cloud Manager.
      If the data profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
      1. Select the data profile created on Strata Cloud Manager.
      2. Set the data profile Action to Block traffic that matches the data profile match criteria.
      3. Select CommitCommit to Panorama and Commit.
      4. Click OK.
      5. Select CommitPush to Devices and Edit Selections.
      6. Select Device Groups and Include Device and Network Templates.
      7. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  10. Modify a DLP Rule on Strata Cloud Manager to attach the data profile to a Security policy rule.
    The DLP Rule defines the type of traffic to inspect, the impacted file types, action, log severity, and more for the data profile match criteria. Enterprise DLP automatically creates a DLP rule with an identical name as the data profile from which it was created.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.