Create a Security Policy Rule for ChatGPT

Use Enterprise Data Loss Prevention (E-DLP) in a Security policy rule to prevent exfiltration of sensitive data to ChatGPT.
Where Can I Use This?
  • NGFW (Managed by Panorama)
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Managed by Strata Cloud Manager)

What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Managed by Panorama): Support and Panorama device management licenses
  • Prisma Access (Managed by Strata Cloud Manager): Prisma Access license
  • SaaS Security: SaaS Security license
  • NGFW (Managed by Strata Cloud Manager): Support and AIOps for NGFW Premium licenses

Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Use Enterprise Data Loss Prevention (E-DLP) in a new or existing Security policy rule to prevent exfiltration of sensitive data to ChatGPT.
(SaaS Security only) If you would rather block access to ChatGPT on your network, you can do so from the SaaS Security Applications dashboard (Manage > Configuration > Security Services > SaaS Application Management > Discovered Apps > Applications). Using the SaaS Security Applications dashboard to Block Access lets you quickly generate a policy rule recommendation rather than creating one manually.
(Strata Cloud Manager and SaaS Security) Support for non-file based HTTP/2 traffic inspection is required to successfully prevent exfiltration to ChatGPT. Your Strata Cloud Manager tenant must be running Software Version 10.2.3 or a later release.

(Panorama) Support for non-file based HTTP/2 traffic inspection is required to successfully prevent exfiltration to ChatGPT. You must upgrade Panorama and all managed firewalls to PAN-OS 10.2.3 or a later release, and upgrade the Panorama plugin for Enterprise DLP to 3.0.2 or a later release.
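Why the non-file based requirement matters, as an added illustration that is not part of this page and not Palo Alto Networks' E-DLP engine: a ChatGPT prompt leaves the browser as a JSON POST body, not as a file upload, so a rule that only evaluates File Based Match Criteria never sees it. The toy inspector below makes that concrete for the DLP rule step that appears in each procedure on this page. The HTTP requests, URL path, card numbers and the custom regex data pattern are all constructed for the example; the Luhn check stands in for the validation a predefined credit card data pattern would apply and is not E-DLP's implementation.

```python
import json
import re

# Custom regex data pattern in the spirit of the "custom regex data pattern" step.
# Constructed for this example, not a Palo Alto Networks predefined pattern:
# 13-16 digits, optionally separated by single spaces or hyphens.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn mod-10 check; drops digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Apply the data pattern and keep only Luhn-valid matches (digits only)."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def json_strings(obj):
    """Walk a decoded JSON document and yield every string value in it."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from json_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from json_strings(v)


def parse_multipart(body, boundary):
    """Minimal multipart/form-data splitter: [(filename or None, payload_bytes)]."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disposition = ""
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-disposition":
                disposition = value
        fname = re.search(r'filename="([^"]*)"', disposition)
        parts.append((fname.group(1) if fname else None, payload.rstrip(b"\r\n")))
    return parts


def split_body(headers, body):
    """Split a request body into (non_file_text, [(filename, file_text)]).
    Multipart parts that carry a filename are file-based content; JSON, form
    fields and plain text bodies are non-file-based content."""
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("multipart/form-data"):
        boundary = re.search(r"boundary=([^;]+)", ctype).group(1).strip('"')
        non_file, files = [], []
        for fname, payload in parse_multipart(body, boundary):
            text = payload.decode("utf-8", "replace")
            if fname:
                files.append((fname, text))
            else:
                non_file.append(text)
        return "\n".join(non_file), files
    if ctype.startswith("application/json"):
        return "\n".join(json_strings(json.loads(body))), []
    return body.decode("utf-8", "replace"), []


def inspect(headers, body, non_file_match=True, file_match=True):
    """Toy DLP rule. The two flags stand in for the Non-File Based and File Based
    Match Criteria switches. Returns [(where, card_number)]."""
    non_file_text, files = split_body(headers, body)
    findings = []
    if non_file_match:
        findings += [("non-file", n) for n in find_card_numbers(non_file_text)]
    if file_match:
        for fname, text in files:
            findings += [("file:" + fname, n) for n in find_card_numbers(text)]
    return findings


# Constructed sample traffic; the path and numbers are made up for the example.
# 1) A chat prompt: JSON POST, no file involved. 4111... is a Luhn-valid test number.
PROMPT_HEADERS = {"Content-Type": "application/json"}
PROMPT_BODY = json.dumps({
    "action": "next",
    "messages": [{"role": "user",
                  "content": "Reformat this for an invoice: card 4111 1111 1111 1111, exp 09/27"}],
}).encode()

# 2) A file upload: multipart/form-data with one plain form field and one file part.
BOUNDARY = "----ExampleBoundary7MA4YWxk"
UPLOAD_HEADERS = {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY}
UPLOAD_BODY = (
    b"--" + BOUNDARY.encode() + b"\r\n"
    b'Content-Disposition: form-data; name="purpose"\r\n\r\n'
    b"assistants\r\n"
    b"--" + BOUNDARY.encode() + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"customer card 5500 0000 0000 0004\r\n"
    b"--" + BOUNDARY.encode() + b"--\r\n"
)

if __name__ == "__main__":
    print("file-only rule on prompt:", inspect(PROMPT_HEADERS, PROMPT_BODY, non_file_match=False))
    print("non-file rule on prompt: ", inspect(PROMPT_HEADERS, PROMPT_BODY))
    print("rule on file upload:     ", inspect(UPLOAD_HEADERS, UPLOAD_BODY))
```

Run as is, the first line prints an empty list: with only file-based matching, the card number in the prompt is never examined. The same rule with non-file matching enabled reports it, and the file upload is caught either way, which is why the page lets you leave File Based Match Criteria on or off without affecting ChatGPT coverage as long as Non-File Based Match Criteria is enabled.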

Strata Cloud Manager

Create a security policy rule to prevent exfiltration of sensitive data to ChatGPT for Prisma Access (Managed by Strata Cloud Manager) on Strata Cloud Manager.
  1. Log into Strata Cloud Manager.
  2. Select Manage > Configuration > Security Services > Decryption and create the decryption profile and policy rule required to enable Enterprise DLP on Strata Cloud Manager.
    Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
  3. Create a custom regex data pattern to define your own match criteria. You can skip this step if you plan to use predefined or existing data patterns to define match criteria in your data filtering profile.
  4. Create a data profile or use an existing data profile.
  5. Select Manage > Configuration > Security Services > Data Loss Prevention > DLP Rules and, in the Actions column, Edit the DLP rule.
    1. Enable Non-File Based Match Criteria.
      DLP rules configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can further modify the DLP rule to enforce your organization's data security standards. The DLP rule has the same name as the data profile from which it was automatically created.
      You can keep File Based Match Criteria enabled or disable it as needed. This setting has no impact on detection of egress traffic to ChatGPT as long as Non-File Based Match Criteria is enabled.
    2. Modify the Action and Log Severity.
    3. Modify the rest of the DLP rule as needed.
    4. Save.
  6. Create a Shared Profile Group for the Enterprise DLP data filtering profile.
    1. Select Manage > Configuration > Security Services > Profile Groups and Add Profile Group.
    2. Enter a descriptive Name for the Profile Group.
    3. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
    4. Add any other profiles as needed.
    5. Save the profile group.
  7. Create a Security policy rule and attach the Profile Group.
    Alternatively, select Manage > Configuration > Web Security to create a Web Security Policy for ChatGPT or add ChatGPT to an existing one. You can skip this step if you create a Web Security Policy for ChatGPT.
    1. Select Manage > Configuration > Security Services > Security Policy and Add Rule.
      You can also update an existing Security policy rule to attach a Profile Group for Enterprise DLP filtering.
    2. In the Applications, Services, and URLs section, Add Applications to search for and select openai-chatgpt.
    3. Navigate to the Action and Advanced Inspection section and select the Profile Group you created in the previous step.
    4. Configure the Security policy rule as needed.
      The Action you set in the DLP rule for the data profile determines whether matching egress traffic to ChatGPT is blocked; the Security policy rule Action does not override it. For example, if you configure the DLP rule to Block matching egress traffic but set the Security policy rule Action to Allow, the matching egress traffic to ChatGPT is still blocked. Security profiles are only applied to traffic the rule allows, so keep the rule Action set to Allow and let the DLP rule decide.
    5. Save the Security policy rule.
  8. Push your data filtering profile.
    1. Push Config and Push.
    2. Select (enable) Remote Networks and Mobile Users.
    3. Push.

SaaS Security

Create a security policy rule to prevent exfiltration of sensitive data to ChatGPT for SaaS Security on Strata Cloud Manager.
  1. Log into Strata Cloud Manager.
  2. Select Manage > Configuration > Security Services > Decryption and create the decryption profile and policy rule required to enable Enterprise DLP on Strata Cloud Manager.
    Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
  3. Create a custom regex data pattern to define your own match criteria. You can skip this step if you plan to use predefined or existing data patterns to define match criteria in your data filtering profile.
  4. Create a data profile or use an existing data profile.
  5. Select Manage > Configuration > Security Services > Data Loss Prevention > DLP Rules and, in the Actions column, Edit the DLP rule.
    1. Enable Non-File Based Match Criteria.
      DLP rules configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can further modify the DLP rule to enforce your organization's data security standards. The DLP rule has the same name as the data profile from which it was automatically created.
      You can keep File Based Match Criteria enabled or disable it as needed. This setting has no impact on detection of egress traffic to ChatGPT as long as Non-File Based Match Criteria is enabled.
    2. Modify the Action and Log Severity.
    3. Modify the rest of the DLP rule as needed.
    4. Save.
  6. Select Manage > Configuration > Security Services > SaaS Security > Discovered Apps > Policy Recommendations to create a Security policy rule recommendation.
    A SaaS policy rule recommendation is required to use the Enterprise Data Loss Prevention (E-DLP) data profile in SaaS Security.
    1. In the Select Applications section, search for and select ChatGPT.
    2. In the Data Profile section, search for and select the data profile whose DLP rule you edited in the previous step.
    3. Configure the policy rule recommendation as needed.
    4. Save.

Panorama

Create a security policy rule to prevent exfiltration of sensitive data to ChatGPT on the Panorama™ management server.
  1. Upgrade Panorama, managed firewalls, and the Enterprise DLP plugin to the minimum required versions.
    1. Upgrade Panorama to PAN-OS 10.2.3 or a later release.
    2. Upgrade the Enterprise DLP plugin to 3.0.2 or a later release.
    3. Upgrade managed firewalls to PAN-OS 10.2.3 or a later release.
  2. Log in to the Panorama web interface.
  3. Create the decryption policy rule required for Enterprise DLP.
    1. Select Objects > Decryption > Decryption Profile and specify the Device Group. Add a new decryption profile. The default decryption profile configuration is all that is required for Enterprise DLP to inspect traffic.
      Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
    2. Select Policies > Decryption and specify the Device Group. Add a new decryption policy rule, then select Options and assign the decryption profile.
      1. For the Action, select Decrypt.
      2. Select the Decryption Profile you created.
      3. Click OK.
  4. Data filtering profiles configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can create a new data filtering profile or use existing data filtering profiles as needed. You can add any combination of custom or predefined data patterns to define the match criteria.
  5. Create a data profile on Panorama or in the DLP app on the Hub, or use an existing data profile.
  6. Attach the data filtering profile to a Security policy rule.
    1. Select Policies > Security. You can select an existing Security policy rule or Add a new one.
    2. Configure the General and Source settings as needed.
    3. Configure the Destination as needed.
    4. For the Application, Add and search for openai-chatgpt.
      Skip this step if your Security policy rule applies to Any application; ChatGPT is automatically included in a rule that applies to Any application.
    5. Select Actions and configure the Profile Settings. Select Profiles and select the Data Filtering profile you created in the previous step.
      If the data filtering profile is part of a Security Profile Group (Objects > Security Profile Groups), select Group and select the Security Profile Group that the data filtering profile belongs to.
    6. Configure the rest of the Security policy rule as needed.
      The Action you specify in the data filtering profile determines whether matching egress traffic to ChatGPT is blocked; the Security policy rule Action does not override it. For example, if you configure the data filtering profile to Block matching egress traffic but set the Security policy rule Action to Allow, the matching egress traffic to ChatGPT is still blocked. Security profiles are only applied to traffic the rule allows, so keep the rule Action set to Allow and let the profile decide.
    7. Click OK.
  7. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    The Commit and Push command isn't recommended for Enterprise DLP configuration changes. Using Commit and Push requires the additional, unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to the managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push those changes to managed firewalls. In this case, the admin user must also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If other Panorama admins have made configuration changes, they can be selected here as well. Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If other Panorama admins have made configuration changes, they can be selected here as well. Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to the managed firewalls that are using Enterprise DLP.
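Leaving __dlp out of a partial commit or push is an easy mistake once the operation is scripted rather than clicked through. As an added example that is not Palo Alto Networks code and not part of this page, the Python below builds the XML API commands for the partial commit and the partial push described above, forces __dlp into the admin list, and audits a hand-written command for it before it would be sent. The element shapes follow the PAN-OS XML API partial commit (`<commit><partial><admin><member>`) and commit-all (`<commit-all><shared-policy>`) commands as I understand them and should be verified against your PAN-OS version; the device-group name, admin name and API key are placeholders, and nothing is sent to a Panorama.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Temporary administrator the Enterprise DLP plugin uses on Panorama. Partial
# commits and pushes that omit it leave Panorama and the DLP cloud service out of sync.
DLP_ADMIN = "__dlp"


def with_dlp_admin(admins):
    """Deduplicate the admin list, preserving order, and append __dlp if missing."""
    admins = list(dict.fromkeys(admins))
    if DLP_ADMIN not in admins:
        admins.append(DLP_ADMIN)
    return admins


def partial_commit_cmd(admins):
    """XML for 'Commit to Panorama' limited to changes made by the given admins.
    Assumed shape: <commit><partial><admin><member>NAME</member>...</admin></partial></commit>."""
    root = ET.Element("commit")
    admin = ET.SubElement(ET.SubElement(root, "partial"), "admin")
    for name in with_dlp_admin(admins):
        ET.SubElement(admin, "member").text = name
    return ET.tostring(root, encoding="unicode")


def partial_push_cmd(device_groups, admins, include_templates=True):
    """XML for 'Push to Devices' limited to the given admins' changes, scoped to the
    given device groups, with device and network templates included. Assumed shape."""
    root = ET.Element("commit-all")
    policy = ET.SubElement(root, "shared-policy")
    admin = ET.SubElement(policy, "admin")
    for name in with_dlp_admin(admins):
        ET.SubElement(admin, "member").text = name
    dgs = ET.SubElement(policy, "device-group")
    for dg in device_groups:
        ET.SubElement(dgs, "entry", name=dg)
    ET.SubElement(policy, "include-template").text = "yes" if include_templates else "no"
    return ET.tostring(root, encoding="unicode")


def api_query(cmd, api_key, push=False):
    """Query string for a POST to https://<panorama>/api/ (built here, not sent).
    Pushes use type=commit&action=all; plain commits omit action."""
    params = {"type": "commit", "cmd": cmd, "key": api_key}
    if push:
        params["action"] = "all"
    return urlencode(params)


def audit_commit_xml(xml_text):
    """Check an existing commit/commit-all command for the __dlp admin.
    Returns (ok, admins); ok is False only for a partial operation lacking __dlp,
    so a wrapper can refuse to send it. Full commits (no admin list) pass."""
    root = ET.fromstring(xml_text)
    admins = [m.text for m in root.iter("member") if m.text]
    is_partial = (root.find("partial") is not None
                  or root.find("shared-policy/admin") is not None)
    return (not is_partial or DLP_ADMIN in admins), admins


if __name__ == "__main__":
    # Placeholders: "admin" is the logged-in Panorama admin, "DG-Branch" a device group.
    commit = partial_commit_cmd(["admin"])
    push = partial_push_cmd(["DG-Branch"], ["admin"])
    print(commit)
    print(push)
    print(api_query(push, "REDACTED-API-KEY", push=True)[:80] + "...")
    # A hand-written command that forgot __dlp is flagged before it goes out.
    print(audit_commit_xml("<commit><partial><admin><member>admin</member>"
                           "</admin></partial></commit>"))
```

The builders mirror the two UI steps: the commit carries the admins selected under Commit Changes Made By, the push carries the admins under Push Changes Made By plus the device groups and the Include Device and Network Templates choice. Wrapping both in `with_dlp_admin` means a script cannot reproduce the mistake the page warns about, and `audit_commit_xml` gives the same guarantee for commands assembled elsewhere.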
