Enterprise DLP
Set Up the EDM CLI Application
Table of Contents
Set Up the EDM CLI Application
Download the secure Exact Data Matching (EDM) CLI application on your local Windows or
Linux device.
Where Can I Use This? | What Do I Need? |
---|---|
|
Or any of the following licenses that include the Enterprise DLP license
|
The Exact Data Matching (EDM) CLI application is a secure CLI tool used to upload hash encrypted
EDM data sets to the DLP cloud service. The EDM CLI application accepts a source
file in CSV or TSV format. The EDM CLI application then generates an encrypted hash
EDM data set with AES-256 encryption of the source file which is saved as zip file
that can be uploaded to the DLP cloud service. The EDM CLI application applies a
one-way hash to each field in the CSV or TSV file that is then encoded in Base64.
After securing the file, the EDM CLI application generates a zip file containing the
secured data set.
The EDM CLI application
is supported on Microsoft Windows and Linux operating systems such
as Ubuntu, Debian, and CentOS.
The EDM CLI application is
downloaded from the DLP app on the hub and includes the following:
- README.TXT—Quick overview of the EDM CLI application functionality, including descriptions of data types and column values.
- edm-secure-cli-<version>.jar—The executable Java application.
- config.properties—Configuration file you can prepopulate to upload a file to the DLP cloud service.
- upload_config.properties—Configuration file for the connectivity settings to connect to the DLP cloud service.
- lib—Directory containing all the dependency libraries required by the EDM Secure CLI application.
- log4j2.xml—Configuration files for debugging and logging.
- sample_dataset.csv—Sample CSV file you can use a template for upload to the DLP cloud service.
- (Windows)edm-secure-cli.bat—Windows batch file used to create and upload an EDM data set to the DLP cloud service.(Linux)edm-secure-cli.sh—Bash script used to create and upload an EDM data set to the DLP cloud service.
- Review the Setup Prerequisites for Enterprise DLP before you set up the EDM CLI application.You must allow the required FQDNs and IP addresses listed here to successfully uploaded EDM data sets and forward traffic to the DLP cloud service for inspection.
- Deploy the device you will use to upload EDM data sets to the DLP cloud services.You can upload EDM data sets to the DLP cloud service using any physical or virtual device running a Windows or Linux operating system.If you plan to deploy a dedicated virtual machine to upload EDM data sets to the DLP cloud service, Palo Alto Networks recommends you allocate a minimum of four CPUs and 8 GB memory to the virtual machine.
- If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.If you’re leveragingEnterprise DLPfrom thePanorama™ management serverfor Next-Generation and VM-Series firewall or are usingPrisma Access (Managed by Panorama), the EDM CLI application is available only from the DLP app on the hub.If usingEnterprise DLPforPrisma Access (Managed by Strata Cloud Manager), the EDM CLI application is available fromStrata Cloud Manageror from the DLP app on the hub.
- It might take up to 24 hours for Palo Alto Networks to enable EDM functionality for your DLP app.Continue to the next step after Palo Alto Networks has successfully enabled EDM for your DLP app. You can verify that EDM is enabled when have the ability to download the EDM CLI application to your local device.
- Download the EDM CLI application.The entire contents of the EDM CLI application are downloaded as a .zip file.
- Navigate to the download location.
- DLP app on the hub—Selectand expand theDetection MethodsExact Data MatchingEDM Setup Guide.
- SelectPrisma Access (Managed by Strata Cloud Manager)—and selectManageConfigurationData Loss PreventionDetection MethodsExact Data Matching.
- ClickDownload CLI ToolandDownloadthe latest version of the EDM CLI application.
- SelectWindows 64-bitif you’re installing the EDM CLI application on a Microsoft Windows device.
- SelectLinux 64-bitif you are installing the EDM CLI application on a Linux device.
- Select the latest version available.(SASE Platform) If you’re usingEnterprise DLPfrom the SASE Platform, you must select version 3.0 or later release.If you use an older unsupported version of the CLI, the CLI will display an error message:Please use the latest version of cli tool. Latest version: <latest-version>.
- (Optional) Create a new folder for EDM on your local device.The EDM CLI application generates secured versions of all EDM data sets uploaded to the DLP cloud service and logs for EDM CLI application activity. As a best practice, create a folder just for the EDM CLI application to contain all EDM-specific files to a single folder.Refer to the documentation for Microsoft Windows or your specific Linux OS for more information on creating a new folder.
- Extract the EDM zip file contents.
- On your local device, navigate to the downloadedpackage-edm-secure-cli-<version>-<platform>.zipfile.
- Right-click thepackage-edm-secure-cli-<version>-<platform>.zipfile and clickExtract To.
- Select a folder andExtract.(Best Practices) Select the folder you created for your EDM CLI application files.
- Verify the extracted .zip file contains all the required EDM CLI application files.
- Install Java on your local device.A 64-bit Java version, such asJDK 64-Bit, is required to run the EDM CLI application.
- Open the terminal and view the Java version currently installed.admin:java -versionInstall version of Java.Skip this step if you already have a 64-bit Java version, such asJDK 64-Bit, already installed. Refer to the Microsoft Windows or your Linux OS documentation for the command to install the latest version of Java.
- (Linux only) Make the EDM CLI application script readable, writable, and executable.
- Navigate to the directory where the EDM CLI application .zip contents were extracted.In this example, thepackage-edm-secure-cli-<version>-<platform>.zipcontents were extracted to theEDMdirectory.
- Make the EDM CLI application script readable, writable, and executable.admin:chmod 777 ./edm-secure-cli.sh