>
    Strata Copilot
    Create an Endpoint DLP Policy Rule
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Administration
    4. Configure Enterprise DLP
    5. Endpoint DLP
    6. Create an Endpoint DLP Policy Rule
    Download PDF
    Enterprise DLP

    Create an Endpoint DLP Policy Rule

    Table of Contents

    Create an Endpoint DLP Policy Rule

    Create an Endpoint DLP policy rule to prevent exfiltration of sensitive data over peripheral devices or to scan for sensitive data stored on endpoints.
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    Prisma Access (Managed by Strata Cloud Manager)
    • Endpoint DLP license
    • Autonomous DEM 5.3.4 or later
    • Prisma Access Agent
    • Prisma Access 5.1 (Preferred or Innovation) or later
    Enterprise Data Loss Prevention (E-DLP) supports creation of the following types of Endpoint DLP policy rules.
    • Peripheral Control—Policy rule to granularly control who in your organization can use peripheral devices. You can block access to multiple user groups while excluding others.
    • Data in Motion—Policy rule to inspect and block exfiltration of sensitive data moving between an endpoint and a peripheral device. Traffic that matches your Endpoint DLP policy rule is forwarded to Enterprise DLP inspection and verdict rendering.
    • Data at Rest—A single policy rule to which you add data profiles in order to scan managed endpoints for sensitive data stored locally stores files. The local detection engine on the Prisma Access Agent performs the scan directly on the endpoint using predefined regular expression (regex) data patterns.
    Endpoint DLP policy rules are evaluated in a top-down priority. This means that in the event that two policy rules in the rule hierarchy apply to the same users and peripherals, Enterprise DLP takes the Response action based on the first policy rule that was matched.
    After pushing your Endpoint DLP policy rule, you can view your audit and push logs to review your configuration change history and to verify the configuration change was successfully pushed to the Prisma Access Agent.
    Palo Alto Networks recommends reviewing the Endpoint DLP policy rule example before you create your Peripheral Control and Data in Motion policy rules. In this example, example, we create two Endpoint DLP policy rules. The first is a Policy Control policy rule to block access to USB peripheral devices for all users while excluding a specific user group for which you allow access to USB peripherals. The second is a Data in Motion policy rule to prevent exfiltration of sensitive data from the endpoint to the peripheral for those users associated with the excluded user group using Enterprise DLP.
    Data in Motion Policy Rules for Printer peripherals
    Enterprise DLP inspects only the first five pages of a document and the first five images included in an inspected file when traffic matches a data in motion policy rules for Printer peripherals.
    The total number of data patterns across all your Endpoint DLP policy rules, the size of the inspected file, and the total number of images within the file all impact the time it takes for Enterprise DLP to inspect the file. This is referred to as the Max Latency. Enterprise DLP is unable to render a verdict if the inspection time exceeds the max latency.
    To control the default action Enterprise DLP takes when the max latency is reached, edit the Action When Max Latency is Reached in the Endpoint DLP Data Transfer settings.

    Endpoint DLP Policy Rule Example

    Example of creating Endpoint DLP policy rules to control access to peripheral devices for some users while allowing access to other users.
    1. Log in to Strata Cloud Manager.
    2. Add a Peripheral to Endpoint DLP and Create a Peripheral Group.
      Adding peripheral devices and creating peripheral groups is required only if you want to allow or block access to specific peripheral devices. You can skip this step if you want to allow or block access to all peripheral devices of any type.
      Repeat this step to add all peripheral devices you want to control access to using Endpoint DLP. In this example, we are allowing access to a specific peripheral group.
    3. Configure the Enterprise DLP match criteria to define custom sensitive data that you want to inspect for and block in your Data in Motion policy rule.
      1. Create custom data patterns to define your match criteria.
        Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
      2. Create a data profile and add your data patterns.
        Alternatively, you can use the predefined data profiles instead of creating custom data profiles.
    4. Select ConfigurationData Loss PreventionEndpoint DLP Policy and Add Policy.
    5. Create a Peripheral Control policy rule.
      In this example, we want to configure a policy rule that restricts endpoint access to all USB peripheral devices for all users, while excluding two users approved to have USB connectivity for their endpoints.
      1. Configure the Basic Information for the Peripheral Control policy rule.
        Make sure that you Enable Policy. Click Next to continue.
      2. For the Scope, select Any Users & Groups.
        This option blocks access to all users regardless of the user group they are associated with. You can exclude one or more users, thereby allowing their endpoint connectivity to USB peripheral devices you specify.
        In the example below, the Peripheral Control policy rule Scope is configured to block access to all users while allowing endpoint connectivity to USB peripheral devices for Alex Smith and Ashok Kachana.
      3. For the Peripherals, select Any to block connectivity to all USB peripheral devices. Alternatively, you can Select specific USB peripheral devices to Include or Exclude.
        • If you Include specific USB peripheral devices then endpoint connectivity to only the specified USB peripheral devices is blocked. All other USB peripheral device connectivity is allowed.
        • If you Exclude specific USB peripheral devices then endpoint connectivity is blocked for all but excluded USB peripheral devices.
        In this example, Any is selected because we want to block endpoint connectivity for all USB peripheral devices. This particular policy rule is specific to USB devices so None is selected for Printers and Network Shares.
        Click Next to continue.
      4. For the Response Action, select Block.
        Click Next to continue.
      5. For the Evaluation Priority, configure the Priority Selection as 1st.
        Palo Alto Networks recommends adding Peripheral Control policy rules designed to block access to peripheral devices at the top of your policy rulebase hierarchy. This ensures that the correct users are blocked and not unintentionally given access.
        Click Next to continue.
      6. Review the Endpoint DLP policy rule Summary and Save.
    6. Create a Data in Motion policy rule.
      In this example, we want to configure a policy rule that restricts uses Enterprise DLP to prevent exfiltration of sensitive data for the users we excluded in the Peripheral Control policy rule.
      1. Configure the Basic Information for the Data in Motion policy rule.
        Make sure that you Enable Policy. Click Next to continue.
      2. For the Classifiers, select the Data Profile you created in the previous step or select a predefined data profile.
        Click Next to continue.
      3. For the Scope, select Select Users.
        This option allows you to select the specific users for to which the policy rule applies while excluding all other users.
        In the example below, the Data in Motion policy rule Scope is configured to inspect file movement from the endpoint devices of Alex Smith and Ashok Kachana to the USB peripheral devices you specify in the next step.
        Click Next to continue.
      4. For the Peripherals, Select a USB peripheral groups to Include or Exclude.
        • If you Include specific USB peripheral group then Enterprise DLP inspects and renders verdicts on file movement between the endpoint device and all the specified USB peripheral devices associated with the selected peripheral groups. Enterprise DLP inspection and verdict rendering doesn't occur for file movement for any other USB device.
        • If you Exclude one or more USB peripheral groups then Enterprise DLP inspects and renders verdicts on file movement between the endpoint device and all but the excluded USB peripheral groups.
        In this example, we included the SANDISK group to allow write access to a specific set of USB devices and we want Enterprise DLP inspection and verdict rendering for these USB peripheral devices when connected to Alex and Ashok's endpoints. This particular policy rule is specific to USB devices so None is selected for Printers and Network Shares.
        Click Next to continue.
      5. For the Response Action, select Block.
        This instructs Enterprise DLP to block file movement from the endpoint to the USB peripheral device if sensitive data is detected.
        Click Next to continue.
      6. For the Evaluation Priority, configure the Priority Selection as 2nd.
        Palo Alto Networks recommends adding the Data in Motion policy rules after your Peripheral Control policy rules to ensure the correct users are blocked and not unintentionally given access while forwarding traffic for allowed users to Enterprise DLP.
        Click Next to continue.
      7. Review the Endpoint DLP policy rule Summary and Save.
    7. Review your Endpoint DLP policy rulebase to verify your policy rules are enabled and ordered correctly.
      Review the Priority to ensure your policy rules are ordered correctly, the Users to confirm your policy rules target the correct set of users, and the Peripherals to ensure the policy rules apply to the intended peripheral device types.
    8. Review your Endpoint DLP Audit and Push Logs.
    9. Review your Enterprise DLP Incidents.
      A DLP incident is generated when a user moves a file from the endpoint to the peripheral device but sensitive data is detected and the file move is blocked because sensitive data was detected.

    Create an Endpoint DLP Peripheral Control Policy Rule

    Create a peripheral control Endpoint DLP policy rule to granularly control who in your organization can use peripheral devices.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationData Loss PreventionEndpoint DLP Policy and Add Policy.
    3. Configure the Basic Information.
      1. For the Policy Type, select Peripheral Control.
      2. Enter a descriptive Name for the Endpoint DLP policy rule.
      3. (Optional) Enter a Description to describe the Endpoint DLP policy rule.
      4. Select the Severity of the Enterprise DLP incident when sensitive data is moved between an endpoint and a peripheral device.
      5. Enable Policy is enabled by default and enables the Endpoint DLP policy rule after you save.
        Disable this setting if you don't want to immediately enable the Endpoint DLP policy rule after creation.
      6. Click Next to continue.
    4. Configure the Scope to define which users can use peripheral devices.
      For Enterprise DLP to take the configured Response action, both Users and Peripherals must be matched.
      1. Select the Users the policy rule applies to.
        • Any Users & Groups
          Create a peripheral control policy rule that applies to all users. Additionally, you can Exclude one or more users from the peripheral control policy rule.
        • Select Users & Groups
          Create a peripheral control policy rule that applies to specific users and groups. You can configure the policy rule to apply to either specific users or user groups, or to both.
          Include
          • Select Users—Select one or more specific users to which the rule applies.
          • Select Groups—Select one or more user groups to which the rule applies.
          Exclude—Select one or more users to exclude from the peripheral control policy group. You must select at least one user group in order to exclude one or more users.
      2. Select the Peripherals you want to allow or block access to.
        You can define user access to USB devices, printers, and network shares in a single peripheral control policy rule. The access configuration for each type of peripheral device are independent of each other and can be configured as needed. For example, you can create a policy rule to block access to all USB devices, allow access to all printers, and allow access to only specific network shares you selected.
        • Any (default)—Policy rule applies all USB, printer, or network share peripherals peripherals added to Enterprise DLP.
        • Select— Policy Rule applies only to the selected peripheral devices or peripheral groups.
        • None—Policy rule doesn't apply to any USB, printer, or network share peripherals added to Enterprise DLP.
      3. Click Next to continue.
    5. Configure the Response to define the action Enterprise DLP takes when a user access a blocked peripheral.
      • Action—Action Enterprise DLP takes if a User accesses a Peripheral device defined in the policy rule Scope.
        • AlertEnterprise DLP generates a DLP incident but allows the endpoint to access the peripheral.
        • BlockEnterprise DLP generates a DLP incident and blocks the endpoint from accessing the peripheral.
      • Incident Assignee—The administrator the Enterprise DLP incident is assigned to if one is generated against the policy rule.
      • Email Notifications—Add administrators to send email notifications when an incident is generated against the policy rule.
      Click Next to continue.
    6. Define the Evaluation Priority for the peripheral control policy rule in your Endpoint DLP policy rulebase.
      You can use the Priority Selection to quickly insert the peripheral control policy rule in the appropriate location in your policy rulebase hierarchy.
      click Next to continue.
    7. Review the policy rule Summary to verify its configured correctly and Save.
    8. Push your Endpoint Policy rule.
      1. Select Push Policies and Push Policies.
      2. (Optional) Enter a Description for the Endpoint DLP policy push.
      3. Review the Push Policies scope to understand which Endpoint DLP policy rules and peripheral group configuration changes are included in the push.
      4. Push.
    9. Review your Endpoint DLP Audit and Push Logs.
    10. Review your Enterprise DLP Incidents.
      A DLP incident is generated when a user moves a file from the endpoint device to the peripheral but you have blocked all access to a peripheral device type.

    Create an Endpoint DLP Data in Motion Policy Rule

    Create a data in motion Endpoint DLP policy rule to inspect and block sensitive data between moving between an endpoint and a peripheral device.
    1. Log in to Strata Cloud Manager.
    2. Configure the Enterprise DLP match criteria to define custom sensitive data that you want to inspect for and block.
      1. Create custom data patterns to define your match criteria.
        Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
      2. Create a data profile and add your data patterns.
        Alternatively, you can use the predefined data profiles instead of creating custom data profiles.
    3. Select ConfigurationData Loss PreventionEndpoint DLP Policy and Add Policy.
    4. Configure the Basic Information.
      1. For the Policy Type, select Data in Motion.
      2. Enter a descriptive Name for the Endpoint DLP policy rule.
      3. (Optional) Enter a Description to describe the Endpoint DLP policy rule.
      4. Select the Severity of the Enterprise DLP incident when sensitive data is moved between an endpoint and a peripheral device.
      5. Enable Policy is enabled by default and enables the Endpoint DLP policy rule after you save.
        Disable this setting if you don't want to immediately enable the Endpoint DLP policy rule after creation.
      6. Click Next to continue.
    5. Configure the policy rule Classifiers to define the match criteria.
      1. Select the Data Profile that contains the match criteria you want to inspect for and block. You can select a predefined or custom data profile.
      2. Select the File Types you want the Endpoint DLP policy rule to apply to.
        You can select Any File Types (default) to inspect all supported file types moved between an endpoint and the peripheral device.
    6. Configure the Scope to define which users and peripheral devices the policy rule applies to.
      For Enterprise DLP to take the configured Response action, both Users and Peripherals must be matched.
      1. Select the Users the policy rule applies to.
        • Any Users & Groups
          Create a peripheral control policy rule that applies to all users. Additionally, you can Exclude one or more users from the peripheral control policy rule.
        • Select Users & Groups
          Create a peripheral control policy rule that applies to specific users and groups. You can configure the policy rule to apply to either specific users or user groups, or to both.
          Include
          • Select Users—Select one or more specific users to which the rule applies.
          • Select Groups—Select one or more user groups to which the rule applies.
          Exclude—Select one or more users to exclude from the peripheral control policy group. You must select at least one user group in order to exclude one or more users.
      2. Select the Peripherals you want to inspect and block file movement to if sensitive data is detected.
        You can add USB devices, printers, and network shares in a single data in motion policy rule. The list of included devices for each type of peripheral device are independent of each other and can be configured as needed. For example, you can create a policy rule that includes no USB devices, all printers, and only specific network shares you selected.
        • Any (default)—Policy rule applies all USB, printer, or network share peripherals added to Enterprise DLP.
        • Select— Policy Rule applies only to the selected peripheral devices or peripheral groups.
        • None—Policy rule doesn't apply to any USB, printer, or network share peripherals added to Enterprise DLP.
      3. Click Next to continue.
    7. Configure the Response to define the action Enterprise DLP takes when sensitive data is detected.
      • Action—Action Enterprise DLP takes if a User accesses a Peripheral device defined in the policy rule Scope.
        • AlertEnterprise DLP generates a DLP incident but allows file movement from the endpoint to the peripheral.
        • BlockEnterprise DLP generates a DLP incident and blocks file movement from the endpoint to the peripheral.
      • Incident Assignee—The administrator the Enterprise DLP incident is assigned to if one is generated against the policy rule.
      • Email Notifications—Add additional administrators to send email notifications when an incident is generated against the policy rule.
      Click Next to continue.
    8. Define the Evaluation Priority for the peripheral control policy rule in your Endpoint DLP policy rulebase.
      You can use the Priority Selection to quickly insert the peripheral control policy rule in the appropriate location in your policy rulebase hierarchy.
      click Next to continue.
    9. Review the policy rule Summary to verify its configured correctly and Save.
    10. Push your Endpoint Policy rule.
      1. Select Push Policies and Push Policies.
      2. (Optional) Enter a Description for the Endpoint DLP policy push.
      3. Review the Push Policies scope to understand which Endpoint DLP policy rules and peripheral group configuration changes are included in the push.
      4. Push.
    11. Review your Endpoint DLP Audit and Push Logs.
    12. Review your Enterprise DLP Incidents.
      A DLP incident is generated when a user moves a file from the endpoint to the peripheral device but sensitive data is detected and the file move is blocked because sensitive data was detected.
    13. (Block policy rule for USB and Network Share Peripherals on macOS only) The Prisma Access Agent automatically moves a blocked file to the following local folder on the endpoint for quarantine for 90 days when Endpoint DLP detects and blocks a file containing sensitive data. The Prisma Access Agent automatically deletes the file from the endpoint after 90 days.
      /Library/Application Support/PaloAltoNetworks/DLP/quarantine/
      This applies to all file movement operations available on macOS. Navigate to the local folder on the endpoint and move the file to a different folder on the endpoint to recover the file.

    Create an Endpoint DLP Data at Rest Policy Rule

    Create a data at rest Endpoint DLP policy rule to scan managed endpoints for sensitive data stored on disk.
    Contact your Palo Alto Networks sales representative to enable this feature on your Enterprise DLP tenant.
    1. Log in to Strata Cloud Manager.
    2. Configure the Enterprise DLP match criteria to define the sensitive data you want to scan for.
      1. Create an Endpoint Compatible custom data patterns to define your match criteria.
        Data at rest scanning uses the local Prisma Access Agent detection engine, which supports predefined regex data patterns.
      2. Create a data profile and add your data patterns.
        You can only add data profiles that contain Endpoint Compatible data patterns. If any pattern in a profile requires the cloud detection engine, the entire profile is classified as cloud-supported and can't be used for data at rest scanning. Alternatively, you can select Endpoint Compatible predefined data profiles.
    3. Select ConfigurationData Loss PreventionEndpoint DLP and edit the Data at Rest Scan policy rule.
    4. Add an Endpoint Compatible data profile to the Data at Rest policy rule.
      1. Add Local Data Profile to search for and select an Endpoint Compatible data profile.
      2. Select whether inspected files on the endpoint containing sensitive data Trigger an Incident.
        This setting applies per data profile. Enterprise DLP generates a DLP incident if Prisma Access Agent detects sensitive data in a file that matches the data profile.
      3. If you enabled Trigger an Incident, select the Severity of the generated incident.
        The severity applies to all incidents generated by this data profile. You can select Critical, High, Medium, Low, or Information.
      4. Repeat this step to add as many Endpoint Compatible data profiles as needed.
    5. Select the File Types to include or exclude in the scan.
      • Any File Types (default)—Scan all supported file types.
        (Optional) Exclude specific file types from the scan.
      • Select File Types—Scan only the file types you select.
    6. Configure the User scope to define which users the data at rest policy rule applies to.
      1. Enable Apply Users match criteria to all enabled data profiles.
      2. Select the Users whose endpoints you want to scan.
        • Any User (default)—Scan endpoints for all users.
          (Optional) Exclude specific users or groups from the scan.
        • Select Users—Scan endpoints only for the users and groups you select.
          (Optional) Exclude individual users from the selected groups.
    7. Configure the Folder Paths to define which directories on the endpoint the scan targets.
      Enter the folder paths for each operating system separately. You can specify paths for macOS, Windows, or both.
      Add Folder Path to include directories in the scan.
      Prisma Access Agent inspects only actual files and directories within the specified paths, not symbolic links (shortcuts that point to files or directories in other locations).
    8. Click Next to continue.
    9. Review the policy rule Summary to verify the configuration is correct and click Save.
    10. Push your Endpoint DLP policy rule.
      1. Select Push Policies and click Push Policies.
      2. (Optional) Enter a Description for the Endpoint DLP policy push.
      3. Review the Push Policies scope to understand which Endpoint DLP policy rules and configuration changes are included in the push.
      4. Click Push.
    11. Review your Endpoint DLP Audit and Push Logs.
    12. Review your DLP incidents.
      A DLP incident is generated when the data at rest scan detects sensitive data on an endpoint that matches the configured data profiles, and you enabled Trigger Incident in the policy rule.

    © 2026 Palo Alto Networks, Inc. All rights reserved.