Enterprise DLP
Reasons for Inspection Failure
Review and understand the reasons why Enterprise Data Loss Prevention (E-DLP) was unable to scan traffic.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally. You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Or any of the following licenses that include the Enterprise DLP license
|
In some cases, Enterprise Data Loss Prevention (E-DLP) is unable to inspect and render a verdict on
file or non-file based traffic that matches an Enterprise DLP
data profile, and as a result Enterprise DLP doesn't
generate an incident. However, a log is generated if Enterprise DLP is unable to
inspect matched traffic.
- Strata Cloud Manager—View the File log (Incident & Alerts > Log Viewer). Apply a Sub Type = dlp or Sub Type = dlp-non-file filter to narrow down the list of file logs. If the Reason for Data Filtering Action column isn’t displayed, expand the menu for any displayed column to search for and check (enable) Reason for Data Filtering Action.
- Panorama® management server—View the Data Filtering log (Monitor > Logs > Data Filtering). Apply a (subtype eq dlp) filter to narrow down the list of data filtering logs. If the Reason for Action column isn’t displayed, expand the menu for any displayed column, click Columns, and check (enable) Reason for Action.
File logs display a Reason for Data Filtering Action column and
data filtering logs display a Reason for Action column
describing what data filtering action was taken by your security endpoint. When inspection
fails, this column describes the reason why Enterprise DLP was unable to inspect the
matched traffic. Review the list of reasons why Enterprise DLP was unable to inspect
matched traffic.
| Reason for Data Filtering Action Text | Error Description | Recommended Action |
|---|---|---|
| DLP Error: 400 | Enterprise DLP couldn't inspect forwarded traffic due to issues fetching your Enterprise DLP configuration or related failures. | These errors can be ignored as transient issues if they occur infrequently and intermittently. Contact Palo Alto Networks Support for investigation if you observe a large volume of these errors consistently during normal operations. |
| DLP Error:dss max retry reached | File forwarding to Enterprise DLP failed after multiple retry attempts. This is typically caused by a transient connectivity issue. | Contact Palo Alto Networks Support for investigation if this error persists or occurs frequently. |
| FW Skipped: data length > Limit<br>Scan Skipped: Internal Err 614 | Enterprise DLP didn't inspect the forwarded non-file data because it exceeded your max configured data size. Enterprise DLP also skips non-file data over 500 KB. | Raise the max data size limit for non-file data in the Data Filtering Settings to 500 KB to reduce these events. Use the Action on Max Data Size setting to define how Enterprise Data Loss Prevention (E-DLP) handles oversized non-file data. |
| FW Skipped: Fail to Start | The NGFW or Prisma Access tenant couldn't forward traffic to Enterprise DLP because it was unable to initialize the forwarding session. This can occur when resources allocated for Enterprise DLP on the enforcement point reach roughly 80% or higher. | Contact Palo Alto Networks Support for further troubleshooting if this error persists or occurs frequently. |
| FW Skipped: Resource Limit | The NGFW or Prisma Access tenant couldn't forward traffic to Enterprise DLP due to the resource allocation for Enterprise DLP on the enforcement point reaching full utilization. | Intermittent occurrences point to temporary Enterprise DLP resource contention. Persistent or frequent occurrences indicate sustained capacity exhaustion and may require enforcement point capacity scaling. Contact Palo Alto Networks Support if traffic levels are within capacity limits and you continue to see this error. |
| FW Skipped: Transmit Pkts | The NGFW or Prisma Access tenant encountered an error while transmitting packets to Enterprise DLP or when completing the forwarding operation. This typically occurs when resource usage on the enforcement point reaches full utilization. | Contact Palo Alto Networks Support for further troubleshooting if this error persists or occurs frequently. |
| FW Skipped: wif not ready | The NGFW or Prisma Access tenant couldn't forward traffic to Enterprise DLP because the connection to Enterprise DLP is not established. | This might be transient (for example, NGFW startup) or might indicate a configuration or licensing issue. Contact Palo Alto Networks Support for investigation if this error persists or occurs frequently. |
| Scan ERR: file corrupted | Enterprise DLP couldn't extract the text from the forwarded file because it was incomplete or corrupted when received by Enterprise DLP. | No action needed. If you believe the file was valid and this error is unexpected, contact Palo Alto Networks Support for further investigation. |
| Scan ERR: file is password prot | Enterprise DLP couldn't open the forwarded file because it was password protected or encrypted. Enterprise DLP can't inspect password protected or encrypted files. | Contact Palo Alto Networks Support for investigation if you believe the file was not protected or encrypted and this error is unexpected. |
| Scan ERR: Internal Err 0<br>Scan ERR: Internal Err 500<br>Other Internal Errors | Internal failure during Enterprise DLP inspection that cannot be attributed to a specific or actionable cause. | These errors can be ignored as transient issues if they occur infrequently and intermittently. Contact Palo Alto Networks Support for investigation if you observe a large volume of these errors consistently during normal operations. |
| Scan ERR: Internal Err 1005<br>Scan ERR: scan timeout<br>Scan Skipped: Scan req timeout<br>Scan Skipped: Latency > Limit | Enterprise DLP didn't finish inspection within the configured max latency. The different timeout errors reflect the stage at which the delay is detected by Enterprise DLP. | Raise the Max Latency setting (up to 240 seconds for files and up to 30 seconds for non-file data) to reduce these events. Palo Alto Networks recommends increasing the max latency if you recently increased the max file and non-file size limits. |
| Scan ERR: Rule1 invalid action | Inspected traffic matched the Primary rule in the data profile, but the Action is invalid. | Review and modify your DLP rule (Strata Cloud Manager) or data filtering profile (Panorama). The Action must be either Block or Alert. |
| Scan ERR: Rule2 invalid action | Inspected traffic matched the Secondary rule in the data profile, but the Action is invalid. | Review and modify your DLP rule (Strata Cloud Manager) or data filtering profile (Panorama). The Action must be either Block or Alert. |
| Scan Skipped: File Size > Limit | Enterprise DLP didn't inspect the forwarded file because it exceeded the configured max file size. Enterprise DLP also skips any file larger than 100 MB. | Raise the Max File Size in the Data Filtering Settings to 100 MB to reduce these events. Use the Action on Max File Size setting to define how Enterprise DLP handles oversized files. |
| Scan Skipped: Internal Err 601<br>Scan Skipped: Internal Err 602<br>Scan Skipped: Internal Err 604<br>Scan Skipped: Internal Err 606<br>Scan Skipped: Internal Err 607<br>Scan Skipped: Internal Err 609<br>Scan Skipped: Internal Err 610<br>Scan Skipped: Internal Err 611<br>Scan Skipped: Internal Err 613<br>Scan Skipped: Internal Err 629<br>Scan Skipped: Internal Err 630<br>Scan Skipped: Internal Err 631 | Enterprise DLP encountered an error while parsing forwarded data for an unsupported protocol or app. This typically indicates that Enterprise DLP doesn't support the protocol or app. | Review the list of supported protocols and apps. Contact Palo Alto Networks Support for investigation if you observe this error for a supported protocol or app. |
| Scan Skipped: Internal Err 605<br>Scan Skipped: Internal Err 616<br>Scan Skipped: Internal Err 617<br>Scan Skipped: Internal Err 618<br>Scan Skipped: Internal Err 619<br>Scan Skipped: Internal Err 628 | Enterprise DLP encountered a parsing error due to potentially malformed data. | These errors can be ignored as transient issues if they occur infrequently and intermittently. Contact Palo Alto Networks Support for investigation if you observe a large volume of these errors consistently during normal operations. |
| Scan Skipped: Internal Err 620<br>Scan Skipped: Internal Err 621<br>Scan Skipped: Internal Err 622<br>Scan Skipped: Internal Err 623<br>Scan Skipped: Internal Err 624<br>Scan Skipped: Internal Err 625<br>Scan Skipped: Internal Err 626<br>Scan Skipped: Internal Err 627 | Enterprise DLP encountered an error parsing data from Google Drive. | These errors can be ignored as transient issues if they occur infrequently and intermittently. Contact Palo Alto Networks Support for investigation if you observe a large volume of these errors consistently during normal operations. |
| Scan Skipped: Out of memory | Inspection skipped because Enterprise DLP memory usage was exceeded. | This indicates memory resource exhaustion. Contact Palo Alto Networks Support if this error occurs frequently. |
| Scan Skipped: Profile not found | Inspection skipped because the enforcement point couldn't find the configured data profile. | Review your Security policy rules to ensure the associated data profile exists. If you use Panorama, ensure you synchronized your data profiles. |
| Scan Skipped: Rate > Limit | Inspection skipped because Enterprise DLP received the maximum number of inspection requests. | This indicates rate limiting is in effect. Monitor traffic patterns and consider adjusting rate limits if appropriate. |
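A triage sketch for reason strings pulled from the File or Data Filtering log, added here as an example and not Palo Alto Networks code: it groups the reasons in the table above into categories and flags the ones worth acting on. The category names, the sample rows and the `threshold` of 3 are assumptions of this example; the page only says "frequently".

```python
import re
from collections import Counter

# Internal Err codes, grouped the way the table above groups them.
CODE_GROUPS = {
    "size_limit": {614},
    "timeout": {1005},
    "unsupported_app": {601, 602, 604, 606, 607, 609, 610, 611, 613, 629, 630, 631},
    "malformed_data": {605, 616, 617, 618, 619, 628},
    "google_drive": set(range(620, 628)),  # 620 through 627
}
ERR_CODE = re.compile(r"Internal Err (\d+)")

# Reasons without a numeric code, matched case-insensitively on a substring.
TEXT_RULES = [
    ("data length > limit", "size_limit"), ("file size > limit", "size_limit"),
    ("timeout", "timeout"), ("latency > limit", "timeout"),
    ("invalid action", "config"), ("profile not found", "config"),
    ("fail to start", "capacity"), ("resource limit", "capacity"),
    ("transmit pkts", "capacity"), ("out of memory", "capacity"),
    ("rate > limit", "capacity"), ("wif not ready", "connectivity"),
    ("dss max retry", "connectivity"), ("password prot", "unreadable_file"),
    ("file corrupted", "unreadable_file"), ("dlp error: 400", "transient"),
]

def classify(reason):
    """Map one reason string to a triage category (names are this example's own)."""
    match = ERR_CODE.search(reason)
    if match:
        code = int(match.group(1))
        hits = [cat for cat, codes in CODE_GROUPS.items() if code in codes]
        return hits[0] if hits else "transient"  # Err 0, Err 500, other internal errors
    lowered = reason.lower()
    return next((cat for needle, cat in TEXT_RULES if needle in lowered), "unknown")

def summarize(reasons, threshold=3):
    """Count categories; flag config/unknown at once, the rest at `threshold` (assumed)."""
    counts = Counter(classify(r) for r in reasons)
    flagged = sorted(c for c, n in counts.items()
                     if c in ("config", "unknown") or n >= threshold)
    return counts, flagged

# Constructed sample values for the Reason for Action column.
SAMPLE = ["Scan Skipped: Internal Err 614", "FW Skipped: data length > Limit",
          "Scan Skipped: File Size > Limit", "Scan ERR: Rule1 invalid action",
          "Scan Skipped: Internal Err 622", "Scan ERR: Internal Err 500"]
```

Every flagged category is traffic that matched a data profile but left without a DLP verdict, so the counts show how much matched traffic went uninspected and why.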