Create a security policy rule to prevent exfiltration of sensitive data to ChatGPT on the Panorama™ management server

- Upgrade Panorama, managed firewalls, and the Enterprise DLP plugin to the minimum required versions.
- Upgrade Panorama to PAN-OS 10.2.3 or a later release.
- Upgrade the Enterprise DLP plugin to 3.0.2 or a later release.
- Upgrade the managed firewalls to PAN-OS 10.2.3 or a later release.
- Log in to the Panorama web interface.
- Create the decryption policy rule required for Enterprise DLP.
- Select Objects > Decryption > Decryption Profile and specify the Device Group. Add a new decryption profile. The default decryption profile configuration is all that is required for Enterprise DLP to inspect traffic. Do not enable Strip ALPN in the decryption profile: Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
- Select Policies > Decryption and specify the Device Group. Add a new decryption policy rule. Select Options and assign the decryption profile.
- For the Action, select Decrypt.
- Select the Decryption Profile you created.
- Click OK.
- Data filtering profiles configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can create a new data filtering profile or use existing data filtering profiles as needed. You can add any combination of custom or predefined data patterns to define the match criteria.
- Create a data profile on Panorama or in the DLP app on the Hub, or use an existing data profile.
- Attach the data filtering profile to a Security policy rule.
- Select Policies > Security. You can select an existing Security policy rule or Add a new Security policy rule.
- Configure the General and Source settings as needed.
- Configure the Destination settings as needed.
- For the Application, Add and search for openai-chatgpt. Skip this step if your Security policy rule applies to Any application; ChatGPT is automatically included in a Security policy rule that applies to Any application.
- Select Actions and configure the Profile Settings. Select Profiles and choose the Data Filtering profile you created in the previous step. If the data filtering profile is part of a Security Profile Group (Objects > Security Profile Groups), select Group and choose the Security Profile Group that the data filtering profile belongs to.
- Configure the rest of the Security policy rule as needed. Keep the rule Action set to Allow: security profiles are applied only to traffic that a Security policy rule allows, and it is the Action you specify in the data filtering profile that determines whether matching egress traffic to ChatGPT is blocked. For example, if the data filtering profile is configured to Block matching egress traffic and the Security policy rule Action is Allow, the matching egress traffic to ChatGPT is blocked.
- Click OK.
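The two invariants the decryption and Security policy steps above establish (no Strip ALPN on the decryption profile used to decrypt egress traffic, and a data filtering profile attached to an Allow rule that matches openai-chatgpt or Any) can be audited offline against an exported Panorama configuration. The script below is an added example, not Palo Alto Networks code or part of this page's procedure. It parses a constructed XML snippet shaped like a device-group export; the element names it relies on (ssl-forward-proxy/strip-alpn in the decryption profile, profile-setting/profiles/data-filtering and profile-setting/group in the Security rule) are assumptions about the export format and must be checked against a real export before the script is trusted.

```python
"""Offline audit of a Panorama device-group export for the Enterprise DLP
ChatGPT rule. Added example; element paths are ASSUMED, not verified
against a real PAN-OS export."""
import xml.etree.ElementTree as ET

# A Security rule that applies to "any" application implicitly covers ChatGPT.
CHATGPT_APPS = {"openai-chatgpt", "any"}

# Constructed sample export (not real data). One good rule, one rule that
# allows ChatGPT with no DLP profile, one Deny rule whose profile never runs,
# and one decryption rule that uses a profile with Strip ALPN enabled.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><device-group><entry name="dg-branch">
    <profiles><decryption>
      <entry name="dlp-decrypt"><ssl-forward-proxy><strip-alpn>no</strip-alpn></ssl-forward-proxy></entry>
      <entry name="guest-decrypt"><ssl-forward-proxy><strip-alpn>yes</strip-alpn></ssl-forward-proxy></entry>
    </decryption></profiles>
    <pre-rulebase>
      <decryption><rules>
        <entry name="decrypt-corp"><action>decrypt</action><profile>dlp-decrypt</profile></entry>
        <entry name="decrypt-guest"><action>decrypt</action><profile>guest-decrypt</profile></entry>
      </rules></decryption>
      <security><rules>
        <entry name="dlp-chatgpt">
          <application><member>openai-chatgpt</member></application><action>allow</action>
          <profile-setting><profiles><data-filtering><member>dlp-nonfile</member></data-filtering></profiles></profile-setting>
        </entry>
        <entry name="web-any">
          <application><member>any</member></application><action>allow</action>
        </entry>
        <entry name="chatgpt-deny">
          <application><member>openai-chatgpt</member></application><action>deny</action>
          <profile-setting><profiles><data-filtering><member>dlp-nonfile</member></data-filtering></profiles></profile-setting>
        </entry>
      </rules></security>
    </pre-rulebase>
  </entry></device-group></entry></devices>
</config>"""


def _rules(dg, rulebase):
    """Entries of one rulebase type from both the pre- and post-rulebase."""
    return (dg.findall(f"./pre-rulebase/{rulebase}/rules/entry")
            + dg.findall(f"./post-rulebase/{rulebase}/rules/entry"))


def _members(elem, path):
    """Set of <member> text values under a path, ignoring empty elements."""
    return {m.text for m in elem.findall(path) if m.text}


def audit_device_group(xml_text):
    """Return (device_group, rule_name, problem) tuples for misconfigurations."""
    root = ET.fromstring(xml_text)
    findings = []
    for dg in root.findall("./devices/entry/device-group/entry"):
        dg_name = dg.get("name")

        # Decryption profiles with Strip ALPN enabled defeat DLP inspection
        # of ChatGPT, so flag every Decrypt rule that references one.
        strip_alpn = {
            p.get("name") for p in dg.findall("./profiles/decryption/entry")
            if p.findtext("./ssl-forward-proxy/strip-alpn") == "yes"
        }
        for rule in _rules(dg, "decryption"):
            if rule.findtext("action") == "decrypt" and rule.findtext("profile") in strip_alpn:
                findings.append((dg_name, rule.get("name"),
                                 "decryption profile has Strip ALPN enabled; "
                                 "Enterprise DLP cannot inspect ChatGPT traffic"))

        # Security rules that can match ChatGPT must allow the traffic and
        # carry a data filtering profile (directly or via a profile group;
        # group contents are not resolved here, which is a simplification).
        for rule in _rules(dg, "security"):
            if not (_members(rule, "./application/member") & CHATGPT_APPS):
                continue
            action = rule.findtext("action") or "allow"
            has_dlp = bool(_members(rule, "./profile-setting/profiles/data-filtering/member")
                           or _members(rule, "./profile-setting/group/member"))
            if action == "allow" and not has_dlp:
                findings.append((dg_name, rule.get("name"),
                                 "allows ChatGPT without a data filtering profile or profile group"))
            elif action != "allow" and has_dlp:
                findings.append((dg_name, rule.get("name"),
                                 f"action is '{action}'; security profiles apply only to "
                                 "allowed traffic, so the data filtering profile never runs"))
    return findings


if __name__ == "__main__":
    for dg_name, rule_name, problem in audit_device_group(SAMPLE_CONFIG):
        print(f"[{dg_name}] {rule_name}: {problem}")
```

Run it against a real export by replacing SAMPLE_CONFIG with the XML returned by the Panorama configuration export, and compare the rule names it flags against the rules you created above; a clean device group produces no findings.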
- Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation. This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs. The Commit and Push command isn't recommended for Enterprise DLP configuration changes, because it requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
- Full configuration push from Panorama
- Select Commit > Commit to Panorama and Commit.
- Select Commit > Push to Devices and Edit Selections.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to the managed firewalls that are using Enterprise DLP.
- Partial configuration push from Panorama. You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync. For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is also required to select the __dlp user in the partial commit and push operations.
- Select Commit > Commit to Panorama.
- Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit. In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
- Commit.
- Select Commit > Push to Devices.
- Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push. In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to the managed firewalls that are using Enterprise DLP.