Enterprise DLP
Strata Cloud Manager
Enable Enterprise Data Loss Prevention (E-DLP) for Prisma Access (Managed by Strata Cloud Manager) and SaaS Security on Strata Cloud Manager.
- Enable Enterprise DLP.
  - Single Prisma SASE Platform Tenant License Activation: Activate a License for Cloud-Managed Prisma Access Through the Prisma SASE Platform for a single tenant deployment. Follow this procedure to activate Enterprise DLP when your tenant has no subtenants or tenant hierarchy of any kind.
  - Multitenant Prisma SASE Platform License Activation: Activate a License for Prisma Access Multitenant Through the Prisma SASE Platform to activate Enterprise DLP for a parent tenant or a subtenant.
  - CASB-X Platform License Activation: By default, the Enterprise DLP license is included as part of the CASB-X license. To activate Enterprise DLP for your CASB-X tenants, you only need to activate CASB-X. There’s no individual Enterprise DLP license you need to activate when using CASB-X. To use Enterprise DLP for a CASB-X tenant, you must Activate a Next Generation CASB License on Cross Platforms (CASB-X) Through the Prisma SASE Platform.
- Log in to Strata Cloud Manager.
- Verify that the DLP license is active.
  - Select Manage > Configuration > NGFW and Prisma Access > Overview and navigate to the Licenses widget.
  - Click the license Quantity and confirm that the Data Loss Prevention license is active. Confirm the Data Loss Prevention license Type displays PAID and that an expiration date is displayed.
  - Select Manage > Configuration and verify that Data Loss Prevention is displayed.
- Create the decryption profile required for Enterprise DLP to inspect traffic.
  - Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption and Add Profile.
  - Enter a descriptive Name for the decryption profile.
  - Review the predefined decryption profile settings. The predefined decryption profile settings enable Enterprise DLP to inspect traffic. Modifying the predefined decryption profile settings isn’t required unless you need to enable Strip ALPN.
  - (Software Version 10.2.2 or earlier versions) Configure the decryption profile to remove Application-Layer Protocol Negotiation (ALPN) headers from uploaded files. Remove the ALPN headers from files if any Strata Cloud Manager deployment is running software version 10.2.2 or earlier version. If your entire Strata Cloud Manager deployment is running software version 10.2.3 or later version, stripping ALPN headers isn’t required. A web security admin can also strip ALPN headers in the Web Security decryption settings (Manage > Web Security > Security Settings > Decryption and edit the Action Options). Web Security admins don’t need to create a decryption policy rule and can push the setting to Remote Networks and Mobile Users.
    - In the SSL Forward Proxy, click Advanced.
    - Check (enable) Strip ALPN and Save.
  - Save the Decryption profile group.
- Create a decryption policy rule to decrypt traffic for Enterprise DLP inspection. Cloud Management includes the predefined Exclude Microsoft O365 Optimized Endpoints - IPs and Exclude Microsoft O365 Optimized Endpoints - URLs decryption rules that exclude Microsoft Office 365 from decryption. For Enterprise DLP to successfully inspect traffic for Microsoft Office 365, you must position this new decryption rule before the predefined decryption exclusion rules. Alternatively, you can Disable these rules or Delete them.
  - Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption and Add Rule.
  - Enter a descriptive Name and configure the decryption policy rule as needed.
  - In the Action and Advanced Inspection section, configure the policy rule to Decrypt traffic that matches this rule.
  - For the Type, select SSL Forward Proxy.
  - Select the Decryption Profile you created to strip ALPN headers.
  - Save the decryption policy rule.
- Push your data filtering profile.
  - Push Config and Push.
  - Select (enable) Remote Networks and Mobile Users.
  - Push.
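
The two conditions in the decryption steps above (rule position relative to the predefined Office 365 exclusion rules, and Strip ALPN when any version is 10.2.2 or earlier) can be checked before pushing. The following is an added example, not Palo Alto Networks code: the dictionary keys, the `dlp-decrypt` and `dlp-profile` names and the sample data are hypothetical, and it assumes rules are evaluated top-down with the first match winning and that the decrypt rule's match criteria cover the Office 365 traffic.

```python
import re

# Predefined exclusion rule names, quoted from the page.
O365_EXCLUSIONS = {
    "Exclude Microsoft O365 Optimized Endpoints - IPs",
    "Exclude Microsoft O365 Optimized Endpoints - URLs",
}

def needs_strip_alpn(versions):
    """True if any software version is 10.2.2 or earlier (hotfix suffix ignored)."""
    def key(version):
        m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
        if not m:
            raise ValueError(f"unrecognized version: {version!r}")
        return tuple(int(part) for part in m.groups())
    return any(key(v) <= (10, 2, 2) for v in versions)

def check_dlp_decryption(rules, profiles, versions):
    """Return findings for an ordered rule list (top rule first); [] means pass."""
    dlp_index = next((i for i, r in enumerate(rules)
                      if r["enabled"] and r["action"] == "decrypt"
                      and r["type"] == "ssl-forward-proxy"), None)
    if dlp_index is None:
        return ["no enabled SSL Forward Proxy decrypt rule"]
    # An enabled exclusion rule above the decrypt rule matches first.
    findings = [f"'{r['name']}' is positioned before the decrypt rule"
                for r in rules[:dlp_index]
                if r["enabled"] and r["name"] in O365_EXCLUSIONS]
    profile = profiles.get(rules[dlp_index]["profile"], {})
    if needs_strip_alpn(versions) and not profile.get("strip_alpn", False):
        findings.append("Strip ALPN is not enabled but a version is 10.2.2 or earlier")
    return findings

# Constructed sample data (hypothetical structure, not a real export).
def rule(name, action, enabled=True, profile=None):
    return {"name": name, "enabled": enabled, "action": action,
            "type": "ssl-forward-proxy", "profile": profile}

SAMPLE_RULES = [
    rule("Exclude Microsoft O365 Optimized Endpoints - IPs", "no-decrypt"),
    rule("Exclude Microsoft O365 Optimized Endpoints - URLs", "no-decrypt", enabled=False),
    rule("dlp-decrypt", "decrypt", profile="dlp-profile"),
]
SAMPLE_PROFILES = {"dlp-profile": {"strip_alpn": False}}

if __name__ == "__main__":
    for finding in check_dlp_decryption(SAMPLE_RULES, SAMPLE_PROFILES, ["10.2.2", "10.2.4"]):
        print(finding)
```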