Review your Email DLP and Enterprise Data Loss Prevention (E-DLP) configurations to understand why
an email containing sensitive data wasn't blocked.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP
addresses to improve performance and expand availability for these services
globally.
You must allow these new service IP addresses on your network
to avoid disruptions for these services. Review the Enterprise DLPRelease Notes for more
information.
Where Can I Use This?
What Do I Need?
Data Security
One of the following licenses that include the Enterprise DLP license
Review the Supported
Platforms for details on the required license
for each enforcement point.
Prisma Access CASB license
Next-Generation
CASB for Prisma Access and NGFW (CASB-X) license
Data Security license
Email DLP license
Review your Email DLP and Enterprise Data Loss Prevention (E-DLP) configurations to help you
investigate why an email containing sensitive data wasn't blocked by Enterprise DLP. To investigate, you will need to review the DLP logs, the
connectors and transport rules, as well as your data patterns, profiles, and
Security policy rules to understand why one or more emails containing sensitive data
are not being blocked.
Review your Email DLP logs to confirm that the email you believe contains
sensitive data really contained sensitive data.
If the email you want to investigate is listed here, it means that Email DLP
configuration for Microsoft Exchange or
Gmail are configured correctly. An Email DLP
incident and log indicate that the email was forwarded to Enterprise DLP.
If you can't find the email you want to investigate, it might mean that
something is wrong with the Email DLP configurations for Microsoft Exchange or Gmail.
Select Add FilterAction and for the Action filter,
select Monitored to quickly filter for emails
that were allowed to leave your network. If the email you are
interested in is listed, view the Incident Details to gather the
email Created On date,
Sender, and
Subject for the email. You can also
download the email for your review.
Additionally, make note of the Policy the
email matched against. As part of the investigation, you need to
review your Email DLP policy to ensure it is configured
correctly.
Locate the email you want to investigate using the Time
Captures and Sender User
columns.
Review the Subject column for the email to
understand whether sensitive data was detected in the email.
Review the Status Note to gather additional
information about the email.
If the Email did not match with an Email DLP
Policy or Email matched with a
DLP Profile in a policy and evaluation was
completed are displayed, it might mean you
need to review and modify your data profile match criteria
or Email DLP policy.
For example, if the Action on Max
Latency is set to
Allow, it means that Enterprise DLP allowed the outbound email to leave your
network even though the forwarded email evaluation timed
out.
Review the Email DLP policy the email matched
against to ensure it is configured correctly.
Important Email DLP configurations to verify are the email sender conditions,
the sender email domain, email recipient conditions, and recipient email
domains to confirm that they are defined correctly. If these are not
configured correctly, Email DLP is unable to inspect for and prevent
exfiltration of outbound emails containing sensitive data.
Additionally, you can review the Recommendations for Security Policy Rules for more information on recommendations
and best practices for writing Security policy rules and managing your
policy rulebase.
For example, review your custom and file property data patterns to ensure the
match criteria defined in them are configured correctly to inspect for and
block the correct sensitive data. Incorrectly defined match criteria results
in Enterprise DLP being unable to inspect for and prevent exfiltration
of outbound emails containing sensitive data.
If you are using predefined data patterns in your data profiles, you can
add custom match criteria
like proximity keywords to increase detection accuracy.
Review the Email DLP configuration for your email provider.
Microsoft Exchange Online or Gmail are unable to forward emails to Enterprise DLP if
they are incorrectly configured and are unable forward outbound emails for
inspection. Additionally, Email DLP is designed to inspect outbound emails
only. Inspection of emails from within your network is not supported.
When reviewing your Email DLP configurations, consider the following:
Have you updated your SFP record to add the required Enterprise DLP service IP addresses for Microsoft Exchange
Online or Gmail?
This is required to successfully forward outbound emails to Enterprise DLP.
(Microsoft Exchange Online only) Are your transport rules enabled?
In some cases, a newly created Microsoft Exchange transport rule
might be disabled and require you to manually enable it. All
transport rules, especially the transport and block rules, must be
enabled to successfully forward outbound emails to Enterprise DLP and for Microsoft Exchange to take action based on the verdict
rendered.
For example, if there is a typo when you define the x-panw-action: block header
that your email provider should take a block action on then the
email continues to its intended recipient.
(Microsoft Exchange Online only) Are managers assigned
correctly in Active Directory configured?
By default, Microsoft Exchange sends the outbound email to the target
recipient if a manager isn't correctly assigned for the sender when
you create a transport rule for manager
approval.
