Set Up the EDM CLI Application

Download the secure Exact Data Matching (EDM) CLI application on your local Windows or Linux device.
Where Can I Use This?
  • NGFW (Managed by Panorama)
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Managed by Panorama): Support and Panorama device management licenses
  • Prisma Access (Managed by Strata Cloud Manager): Prisma Access license
  • SaaS Security: SaaS Security license
  • NGFW (Managed by Strata Cloud Manager): Support and AIOps for NGFW Premium licenses
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
The Exact Data Matching (EDM) CLI application is a secure CLI tool used to upload hashed and encrypted EDM data sets to the DLP cloud service. The EDM CLI application accepts a source file in CSV or TSV format. It applies a one-way hash to each field in the CSV or TSV file and encodes the result in Base64. From the source file it generates an EDM data set secured with AES-256 encryption. After securing the file, the EDM CLI application generates a zip file containing the secured data set, which can be uploaded to the DLP cloud service.
The EDM CLI application is supported on Microsoft Windows and Linux operating systems such as Ubuntu, Debian, and CentOS.
The EDM CLI application is downloaded from the DLP app on the hub and includes the following:
  • README.TXT—Quick overview of the EDM CLI application functionality, including descriptions of data types and column values.
  • edm-secure-cli-<version>.jar—The executable Java application.
  • config.properties—Configuration file you can prepopulate to upload a file to the DLP cloud service.
  • upload_config.properties—Configuration file for the connectivity settings to connect to the DLP cloud service.
  • lib—Directory containing all the dependency libraries required by the EDM Secure CLI application.
  • log4j2.xml—Configuration file for debugging and logging.
  • sample_dataset.csv—Sample CSV file you can use as a template for upload to the DLP cloud service.
  • (Windows) edm-secure-cli.bat—Windows batch file used to create and upload an EDM data set to the DLP cloud service.
  • (Linux) edm-secure-cli.sh—Bash script used to create and upload an EDM data set to the DLP cloud service.
  1. Review the Setup Prerequisites for Enterprise DLP before you set up the EDM CLI application.
    You must allow the required FQDNs and IP addresses listed in the prerequisites to successfully upload EDM data sets and forward traffic to the DLP cloud service for inspection.
  2. Deploy the device you will use to upload EDM data sets to the DLP cloud services.
    You can upload EDM data sets to the DLP cloud service using any physical or virtual device running a Windows or Linux operating system.
    If you plan to deploy a dedicated virtual machine to upload EDM data sets to the DLP cloud service, Palo Alto Networks recommends you allocate a minimum of four CPUs and 8 GB memory to the virtual machine.
  3. Log in to Strata Cloud Manager or the DLP app on the hub.
    If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    If you’re leveraging Enterprise DLP from the Panorama™ management server for Next-Generation and VM-Series firewalls or are using Prisma Access (Managed by Panorama), the EDM CLI application is available only from the DLP app on the hub.
    If using Enterprise DLP for Prisma Access (Managed by Strata Cloud Manager), the EDM CLI application is available from Strata Cloud Manager or from the DLP app on the hub.
  4. It might take up to 24 hours for Palo Alto Networks to enable EDM functionality for your DLP app.
    Continue to the next step after Palo Alto Networks has successfully enabled EDM for your DLP app. You can verify that EDM is enabled when you have the ability to download the EDM CLI application to your local device.
  5. Download the EDM CLI application.
    The entire contents of the EDM CLI application are downloaded as a .zip file.
    1. Navigate to the download location.
      • DLP app on the hub: Select Detection Methods > Exact Data Matching and expand the EDM Setup Guide.
      • Prisma Access (Managed by Strata Cloud Manager): Select Manage > Configuration > Data Loss Prevention > Detection Methods and select Exact Data Matching.
    2. Click Download CLI Tool and Download the latest version of the EDM CLI application.
      • Select Windows 64-bit if you’re installing the EDM CLI application on a Microsoft Windows device.
      • Select Linux 64-bit if you are installing the EDM CLI application on a Linux device.
      • Select the latest version available.
        (SASE Platform) If you’re using Enterprise DLP from the SASE Platform, you must select version 3.0 or a later release.
        If you use an older unsupported version of the CLI, the CLI displays an error message:
        Please use the latest version of cli tool. Latest version: <latest-version>
  6. (Optional) Create a new folder for EDM on your local device.
    The EDM CLI application generates secured versions of all EDM data sets uploaded to the DLP cloud service and logs for EDM CLI application activity. As a best practice, create a folder just for the EDM CLI application so that all EDM-specific files are kept in a single folder.
    Refer to the documentation for Microsoft Windows or your specific Linux OS for more information on creating a new folder.
  7. Extract the EDM zip file contents.
    1. On your local device, navigate to the downloaded package-edm-secure-cli-<version>-<platform>.zip file.
    2. Right-click the package-edm-secure-cli-<version>-<platform>.zip file and click Extract To.
    3. Select a folder and Extract.
      (Best Practices) Select the folder you created for your EDM CLI application files.
  8. Verify the extracted .zip file contains all the required EDM CLI application files.
  9. Install Java on your local device.
    A 64-bit Java version, such as JDK 64-Bit, is required to run the EDM CLI application.
    1. Open the terminal and view the Java version currently installed.
      admin: java -version
    2. Install a 64-bit version of Java.
      Skip this step if you already have a 64-bit Java version, such as JDK 64-Bit, installed. Refer to the Microsoft Windows or your Linux OS documentation for the command to install the latest version of Java.
  10. (Linux only) Make the EDM CLI application script readable, writable, and executable.
    1. Navigate to the directory where the EDM CLI application .zip contents were extracted.
      In this example, the package-edm-secure-cli-<version>-<platform>.zip contents were extracted to the EDM directory.
    2. Make the EDM CLI application script readable, writable, and executable.
      admin: chmod 777 ./edm-secure-cli.sh
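
A check for steps 8 and 10 on Linux, added here as an example and not part of the EDM CLI package or the vendor documentation: it confirms that the package contents listed above are present, and lists files that any local account can modify, which is what mode 777 grants on the script. The function names are hypothetical, and `edm_restrict` assumes the account that owns the files is the one that runs the tool.

```shell
#!/bin/sh
# Added example: check an extracted EDM CLI directory on Linux.
# File names are the package contents listed on this page; the function
# names and the directory argument are hypothetical.

# Print every expected package item that is absent; return 1 if any is.
edm_missing_files() {
    dir=$1
    missing=0
    for f in README.TXT config.properties upload_config.properties \
             log4j2.xml sample_dataset.csv edm-secure-cli.sh; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; missing=1; }
    done
    [ -d "$dir/lib" ] || { echo "missing: lib/"; missing=1; }
    # The jar name carries a version number, so match it with a glob.
    set -- "$dir"/edm-secure-cli-*.jar
    [ -f "$1" ] || { echo "missing: edm-secure-cli-<version>.jar"; missing=1; }
    return "$missing"
}

# List regular files under the directory that any local account can modify.
edm_world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Assumption: the account that owns the files is the one that runs the tool.
# Remove group/other write access everywhere, then give the owner alone
# read, write and execute on the launcher script.
edm_restrict() {
    chmod -R go-w "$1" && chmod 700 "$1/edm-secure-cli.sh"
}

# Report only; call edm_restrict yourself after reviewing the output.
if [ -n "${1:-}" ]; then
    edm_missing_files "$1"
    edm_world_writable "$1"
fi
```

Run it with the extraction folder as the only argument, for example the EDM directory used in step 10.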
