>
    Strata Copilot
    Reasons for Inspection Failure
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Monitor Enterprise DLP
    4. Enterprise DLP Incident Management
    5. Reasons for Inspection Failure
    Download PDF
    Enterprise DLP

    Reasons for Inspection Failure

    Table of Contents

    Reasons for Inspection Failure

    Review and understand the reasons why Enterprise Data Loss Prevention (E-DLP) was unable to scan traffic
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    In some cases, Enterprise Data Loss Prevention (E-DLP) is unable to inspect and render a verdict on either file or non-file based traffic that match an Enterprise DLP data profile, and as a result Enterprise DLP doesn't generate an incident. However, a log is generated if Enterprise DLP is unable to inspect matched traffic.
    • Strata Cloud Manager—View the File log (Incident & AlertsLog Viewer)
      Apply a Sub Type = dlp or Sub Type = dlp-non-file filter to narrow down the list of file logs.
      If the Reason for Data Filtering Action column isn’t displayed, expand the menu for any displayed column to search for and check (enable) Reason for Data Filtering Action.
    • Panorama® management server—View the Data Filtering log (MonitorLogsData Filtering).
      Apply a (subtype eq dlp) filter to narrow down the list of data filtering logs.
      If the Reason for Action column isn’t displayed, expand the menu for any displayed column and click Columns and check (enable) Reason for Action.
    File logs display a Reason for Data Filtering Action and data filtering logs display a Reason for Action column describing what data filtering action was taken by your security endpoint. In this case, the reason why Enterprise DLP was unable to inspect the matched traffic is described. Review the list of reasons why Enterprise DLP was unable to inspect matched traffic.
    Reason for Action
    Description
    Scan Skipped: File Size > Limit
    Inspection skipped because the maximum file size limit was exceeded.
    To avoid this in the future, you can increase the Max File Size.
    Scan Skipped: Latency > Limit
    Inspection skipped because the maximum latency limit was exceeded.
    To avoid this in the future, you can increase the Max Latency
    Scan Skipped: Rate > Limit
    Inspection skipped because Enterprise DLP received the maximum number of inspection requests.
    Scan Skipped: Out of memory
    Inspection skipped because Enterprise DLP memory usage was exceeded.
    Scan Skipped: Profile not found
    Inspection skipped because NGFW or Prisma Access tenant couldn't find the matched data profile.
    Review your Security policy rules to ensure the associated data profile exists.
    Scan Skipped: Scan req timeout
    Inspection was skipped because the inspection request timed out.
    Scan ERR: Rule1 invalid action
    Inspected traffic matched the Primary rule in the data profile, but the Action is invalid. The Action must be either Block or Alert.
    Scan ERR: Rule2 invalid action
    Inspected traffic matched the Secondary rule in the data profile, but the Action is invalid. The Action must be either Block or Alert.
    FW Skipped: Data Length > Limit
    NGFW or Prisma Access tenant did not forward traffic to Enterprise DLP due to the non-file traffic exceeding the Max Data Size in the Non-File Based Settings.
    To avoid this, you can increase the Max Data Size for non-file traffic.
    FW Skipped: Resource Limit
    Enterprise DLP was unable to inspect traffic due to an error when forwarding traffic. This can occur when the NGFW or Prisma Access tenant memory usage reaches 100%.
    FW Skipped: Fail to Start
    NGFW or Prisma Access tenant was unable to forward traffic to Enterprise DLP for inspection because the session between the NGFW or Prisma Access tenant and Enterprise DLP couldn't be initialized. This can occur when the NGFW or Prisma Access tenant memory usage reaches 80% or higher.
    FW Skipped: Transmit Pkts
    The NGFW or Prisma Access tenant encountered an error when forwarding packets or finishing the forwarding operation to Enterprise DLP. This can occur when the firewall memory usage reaches 100%.
    Internal Errors
    Generic error due to an internal error. Requires troubleshooting by Palo Alto Networks Support to understand the cause of the error that prevented traffic inspection by Enterprise DLP.

    © 2025 Palo Alto Networks, Inc. All rights reserved.