What’s Supported with Enterprise DLP?

Learn about the supported applications and operational parameters for Enterprise Data Loss Prevention (E-DLP).
Where Can I Use This?
  • NGFW (Panorama Managed)
  • Prisma Access (Cloud Management)
  • SaaS Security
  • NGFW (Cloud Managed)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Panorama Managed): Support and Panorama device management licenses
  • Prisma Access (Cloud Management): Prisma Access license
  • SaaS Security: SaaS Security license
  • NGFW (Cloud Managed): Support and AIOps for NGFW Premium licenses
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Learn about the products that support Enterprise Data Loss Prevention (E-DLP) and its features:

Platform Support

Platforms supported by Enterprise Data Loss Prevention (E-DLP).
Enterprise Data Loss Prevention (E-DLP) is supported on the following platforms. Enterprise DLP data patterns and data filtering profiles are designed to work across all supported platforms to provide consistent data security across all locations.
All PA-Series firewalls and VM-Series firewalls (but not CN-Series firewalls).
  • Requires PAN-OS 10.0.2 or a later version.
  • Requires a Panorama M-Series or virtual appliance running PAN-OS 10.0.2 or a later version.
    Enterprise DLP supports adding a data profile to a Security policy rule or Security Profile Group configured on Panorama only. To successfully use Enterprise DLP, you must configure your Security policy rule and Security Profile Group on Panorama and push these configurations to your managed firewalls.
    Enterprise DLP doesn’t support pushing an Enterprise DLP data filtering profile to your managed firewall and referencing the data filtering profile in a Security policy rule or Security Profile Group created locally on the firewall.
  • Requires Application and Threats content release version 8334 or a later version.
    Upgrade to PAN-OS 10.0.3 and install Application and Threats content release version 8413 or a later version for additional application support.
Prisma Access (Panorama Managed)
  • Requires Prisma Access 2.0 Innovation or a later version.
  • Requires a Panorama M-Series or virtual appliance running PAN-OS 10.0.2 or a later version.
  • Requires Application and Threats content release version 8334 or a later version.
    Install Application and Threats content release version 8413 or a later version for additional application support.
  • Enterprise DLP is an add-on license on Prisma Access (Panorama Managed). You can either start with a 60-day trial or purchase a license to use Enterprise DLP on Prisma Access (Panorama Managed).
  • Enterprise DLP supports multitenancy with the following restrictions:
    • Only a Superuser on Panorama can create Enterprise DLP patterns and profiles, and can associate profiles to Security policy rules for tenants.
    • A Superuser must commit all changes to Panorama whenever they make changes to patterns and profiles.
    • All tenants share a single copy of pattern and profile configurations; therefore, any changes made to them are reflected across all tenants.
    • Because Security policy rules can be different across tenants, each tenant can have different data profiles associated with Security policy rules.
Prisma Access (Cloud Management) and SaaS Security
  • Enterprise DLP is supported on Strata Cloud Manager when using Prisma Access (Cloud Management), SaaS Security, or both.
  • Enterprise DLP is supported on PA-Series firewalls managed by Strata Cloud Manager.
  • DLP is an add-on license on Strata Cloud Manager when using Strata Cloud Manager from a Single Prisma SASE Platform or Multitenant Prisma SASE Platform.
    Enterprise DLP is included by default and doesn’t require a separate license when using Strata Cloud Manager from the CASB-X Platform.
  • Important: Install Panorama plugin for Enterprise DLP 1.0.6 or later release if you’re using Enterprise DLP on Strata Cloud Manager and managing the Enterprise DLP configuration from Panorama for Palo Alto Networks Next-Generation Firewalls (NGFW) and Prisma Access (Panorama Managed). This is required to ensure Enterprise DLP configurations are successfully synchronized across all your security platforms.
    DLP policy enforcement on Strata Cloud Manager is supported when using Panorama to manage your Enterprise DLP configuration.

Supported Applications

Applications supported by Enterprise Data Loss Prevention (E-DLP).
The following table displays the supported web applications and operational parameters that you can use with Enterprise Data Loss Prevention (E-DLP). See the Supported File Types for more information on which file types Enterprise DLP can inspect and render a verdict on across all applications. Refer to the Palo Alto Networks Applipedia for more information on each application App-ID.
Some application support might have a Minimum Version Requirement. Supporting inspection of an application might require a minimum PAN-OS version or a minimum Apps & Threats content release version to be installed.
Some Enterprise DLP functionality is dependent on a PAN-OS release.
  • Any application that supports Non-File Inspection as its Inspection Type requires PAN-OS 10.2.3 or a later PAN-OS release.
  • Any application that supports a Max File Size larger than 20 MB requires PAN-OS 10.2.4 or a later PAN-OS 10.2 release, or PAN-OS 11.0.2 or a later release.
  • Any application that supports Download as its Direction requires PAN-OS 10.2.4 or a later PAN-OS 10.2 release, or PAN-OS 11.0.2 or a later release.
  • To upgrade Panorama or Strata Cloud Manager:
    • For Panorama, upgrade Panorama and managed firewalls to the Minimum Version Requirement or a later release.
    • For Prisma Access (Panorama Managed), you must upgrade Panorama to the Minimum Version Requirement and ensure your Prisma Access tenants are running the Minimum Version Requirement or a later release.
    • For Cloud Management, a PAN-OS software upgrade in the Strata Cloud Manager infrastructure to the Minimum Version Requirement or a later release is required. You can view the Software Version in the Strata Cloud Manager Overview.
    • Review the Compatibility Matrix for the minimum plugin versions required for your target upgrade version.
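The release thresholds in the list above, written as a check you can run over a firewall inventory. This is an added example, not Palo Alto Networks code: the function names and the inventory are constructed for illustration, and hotfix suffixes such as -h4 are ignored when comparing releases.

```python
import re


def parse_panos(version):
    """Return (major, minor, maintenance) for strings such as '10.2.4-h2'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-\w+)?", version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part) for part in m.groups())


def supports_non_file(version):
    # "PAN-OS 10.2.3 or later PAN-OS release"
    return parse_panos(version) >= (10, 2, 3)


def supports_large_file_and_download(version):
    # "PAN-OS 10.2.4 or later PAN-OS 10.2 release, or PAN-OS 11.0.2 or later release"
    major, minor, maint = parse_panos(version)
    if (major, minor) == (10, 2):
        return maint >= 4
    return (major, minor, maint) >= (11, 0, 2)


def missing_capabilities(version):
    """List the table features this release cannot enforce."""
    missing = []
    if not supports_non_file(version):
        missing.append("non-file inspection")
    if not supports_large_file_and_download(version):
        missing.append("max file size > 20 MB")
        missing.append("download direction")
    return missing


def audit(fleet):
    """Map firewall name -> missing capabilities, omitting fully capable devices."""
    gaps = {name: missing_capabilities(ver) for name, ver in fleet.items()}
    return {name: gap for name, gap in gaps.items() if gap}


# Constructed inventory: hostnames and versions are made up for the example.
FLEET = {
    "fw-branch-01": "10.2.3-h4",
    "fw-dc-01": "10.2.4",
    "fw-lab-01": "11.0.1",
    "fw-legacy-01": "10.1.9",
    "fw-core-01": "11.1.0",
}

if __name__ == "__main__":
    for name, gap in audit(FLEET).items():
        print(f"{name}: cannot enforce {', '.join(gap)}")
```

A device that appears in the result still passes traffic for the affected applications, so treat each entry as a DLP coverage gap until the device is upgraded.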
To use Gmail, you must disable the Quick UDP Internet Connection (QUIC) protocol. Palo Alto Networks recommends that you disable QUIC in Chrome. To do so, open chrome://flags/ in Chrome, find Experimental QUIC Protocol, and select Disabled.
| Application | App-ID | Inspection Type (File and Non-File) | Direction | Max File Size | Minimum Version Requirement |
|---|---|---|---|---|---|
| Amazon Cloud Drive Web | amazon-cloud-drive | File Inspection | Upload | 20 MB | None |
| Amazon S3 REST API | web-browsing | File Inspection | Upload | 20 MB | None |
| Apple iCloud Web | icloud | File Inspection | Upload | 20 MB | None |
| Asana Web | asana | File Inspection | Upload | 20 MB | None |
| Basecamp Web | basecamp | File Inspection | Upload | 20 MB | None |
| Bitrix24 Web | bitrix24 | File Inspection | Upload | 20 MB | None |
| Blackboard Web | blackboard | File Inspection | Upload | 20 MB | None |
| Blogs (e.g., WordPress, Medium) | blog-posting | File Inspection, Non-File Inspection | Upload | 20 MB | None |
| Box Desktop - Business | boxnet | File Inspection | Upload, Download | 100 MB | Version 8413 |
| Box Web | boxnet | File Inspection | Upload, Download | 100 MB | Version 8413 |
| Canvas Web | canvas | File Inspection | Upload | 20 MB | None |
| Confluence Web | confluence-base, web-browsing | Non-File Inspection | Upload | N/A | 10.2.3 |
| DocSend Web | docsend | File Inspection | Upload | 20 MB | None |
| Dropbox Web | dropbox | File Inspection | Upload | 100 MB | 11.1.0 |
| Egnyte Web | egnyte | File Inspection | Upload | 20 MB | None |
| Evernote Web | evernote | Non-File Inspection | Upload | N/A | 10.2.3 |
| (Images only) Facebook Web | facebook-uploading | File Inspection | Upload | 10 MB | 10.2.3 |
| Facebook Messenger Web | facebook-chat | File Inspection | Upload, Download | 25 MB | None |
| FilesAnywhere Web | filesanywhere | File Inspection | Upload | 20 MB | None |
| Freshdesk Web | freshdesk | File Inspection | Upload | 20 MB | None |
| GitHub Web | github | File Inspection | Upload | 20 MB | Version 8413 |
| Gitlab - Web-based File Attachment and Standard Traffic | gitlab | File Inspection, Non-File Inspection | Upload | 100 MB | Version 8413 |
| Glassdoor Web | web-browsing | Non-File Inspection | Upload | N/A | 10.2.3 |
| Gmail Web - Mail Attachments | gmail | File Inspection | Upload | 100 MB | Version 8413 |
| Google Chat Web | google-chat | Non-File Inspection | Upload | N/A | 10.2.3 |
| Google Cloud Platform | google-cloud-storage-base | File Inspection | Upload, Download | 100 MB | None |
| Google Drive Web | google-base, google-docs | File Inspection | Upload | 100 MB | 10.2.4 |
| Google Docs Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3 |
| Google Forms Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3 |
| Google Meet Web | google-meet | Non-File Inspection | Upload | N/A | 10.2.3; Version 8726-8134 |
| Google Photos Web | google-photos | File Inspection | Upload | 10 MB | 10.2.3; Version 8745-8229 |
| Google Sheets Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3 |
| Google Slides Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3 |
| GSuite (Export via link) | google-base | File Inspection | Download | 25 MB | 10.2.4; Version 8684-7912 |
| Hubspot Web | hubspot | File Inspection | Upload | 20 MB | None |
| LinkedIn Web | linkedin | File Inspection, Non-File Inspection | Download | 25 MB | (Non-File) 10.2.3; (Download) 10.2.4; Version 8739-17204 |
| Jira Web | jira | File Inspection, Non-File Inspection | Download | 100 MB | (Download and Large File) 10.2.4 |
| Mendeley Web | mendeley | File Inspection | Upload | 20 MB | None |
| Microsoft Azure Storage | windows-azure | File Inspection | Download | 100 MB | 10.2.4 or 11.0.2; Version 8742-8215 |
| Microsoft Excel Desktop | web-browsing | File Inspection, Non-File Inspection | Download | 26 MB | 10.2.4 |
| Microsoft Excel Web | web-browsing | File Inspection, Non-File Inspection | Download | 26 MB | 10.2.4 |
| Microsoft OneDrive Web - Business | office365-enterprise-access, sharepoint-online | File Inspection | Upload | 100 MB | 10.2.4; (Large file) 11.1.0 |
| Microsoft OneDrive Desktop - Business | office365-enterprise-access, sharepoint-online | File Inspection | Download | 100 MB | 10.2.4; Version 8684-7912 |
| Microsoft OneDrive Desktop - Personal | ms-onedrive | File Inspection | Upload | 100 MB | 10.2.4; Version 8684-7912 |
| Microsoft OneNote Web | ms-onenote | File Inspection, Non-File Inspection | Upload, Download | 20 MB | Version 8413 |
| Microsoft Outlook Web - Mail Attachments | ms-office365 | File Inspection | Upload | 100 MB | Version 8673-7845; (Large file) 11.1.0 |
| Microsoft Power BI Web | web-browsing | File Inspection | Upload | 20 MB | None |
| Microsoft PowerPoint Desktop | ms-powerpoint-online | File Inspection, Non-File Inspection | Download | 100 MB | 10.2.4 |
| Microsoft PowerPoint Web | ms-powerpoint-online | File Inspection, Non-File Inspection | Download | 100 MB | 10.2.4 |
| Microsoft SharePoint Desktop | office365-enterprise-access, sharepoint-online | File Inspection, Non-File Inspection | Upload, Download | 100 MB | None |
| Microsoft SharePoint Web | office365-enterprise-access, sharepoint-online | File Inspection, Non-File Inspection | Upload, Download | 100 MB | None |
| Microsoft Teams Web | ms-office365, ms-teams | File Inspection, Non-File Inspection | Download | 100 MB | Version 8742-8215 |
| Microsoft Teams Desktop | ms-office365, ms-teams | Non-File Inspection | N/A | N/A | 10.2.3 |
| Miro Web | realtimeboard | File Inspection | Upload | 30 MB | 10.2.3; Version 8756-8298 |
| Monday.com Web | monday | File Inspection | Upload | 20 MB | None |
| Naver Mail Web | naver-mail | File Inspection | Upload, Download | 100 MB | None |
| Naverworks | web-browsing | File Inspection | Upload | 20 MB | Version 8711-8058 |
| Prezi Web | prezi | File Inspection | Upload | 20 MB | None |
| Pastebin Web | pastebin | Non-File Inspection | Upload | 20 MB | 10.2.3 |
| Quip | quip | File Inspection | Upload, Download | 100 MB | Version 8735-8187 |
| Salesforce Web | salesforce | File Inspection | Upload, Download | 100 MB | Version 8413 |
| ServiceNow Web | service-now | File Inspection, Non-File Inspection | Upload, Download | 100 MB | Version 8413 |
| Slack Web | slack | File Inspection, Non-File Inspection | Upload | 20 MB | None |
| Smartsheet Web | smartsheet-web | Non-File Inspection | Upload | N/A | 10.2.3 or 11.0.0 |
| Splunk Web | web-browsing, splunk | File Inspection | Upload | 20 MB | None |
| Syncplicity Web | syncplicity | File Inspection | Upload | 20 MB | None |
| Trello Web | trello | File Inspection | Upload | 20 MB | None |
| Twitter Web | twitter | File Inspection, Non-File Inspection | Upload | 20 MB | None |
| Udemy Web | udemy-base, udemy-business | Non-File Inspection | Upload | N/A | 10.2.3 or 11.0.0 |
| Web Browsing | web-browsing | File Inspection | Upload | 100 MB | None |
| Webex Desktop | webex | Non-File Inspection | Upload | N/A | Version 8735-8187 |
| Workday Web | workday | File Inspection | Upload, Download | 30 MB | Version 8702-8012 |
| Workplace by Facebook Web App | workplace | File Inspection | Upload | 20 MB | None |
| Yahoo Web App Mail Attachments | yahoo-mail-uploading | File Inspection, Non-File Inspection | Upload | 25 MB | Version 8413 |
| Yammer Web | yammer | File Inspection | Upload | 20 MB | None |
| Zendesk Web | zendesk | File Inspection, Non-File Inspection | Upload, Download | 50 MB | 10.2.3 or 11.0.0; (Upload) 10.2.5; Version 8757-8277 |

Supported AI Applications

Artificial Intelligence (AI) Applications supported by Enterprise Data Loss Prevention (E-DLP).
The following table displays the supported AI web applications and operational parameters that you can use with Enterprise Data Loss Prevention (E-DLP). Refer to the Palo Alto Networks Applipedia for more information on each application App-ID.
  • All AI app support requires PAN-OS 10.2.3 or a later release.
  • All AI apps support only non-file inspection unless otherwise specified.
| Application | App-ID | Notes |
|---|---|---|
| ChatGPT Web and API | openai-chatgpt | Minimum Content Version—8699 |
| Google Bard | google-bard | None |
| Hugging Face API | web-browsing | None |
| Microsoft Azure OpenAI Studio | azure-openai-studio | None |
| Microsoft Bing | bing-ai | None |

Supported File Types

File types supported by Enterprise Data Loss Prevention (E-DLP).
Enterprise Data Loss Prevention (E-DLP) supports the following file operations, upload parameters, file types, and actions.
  • File operations—You can upload files using HTTP and HTTPS (no FTP or SMTP) using:
    • (DLP 3.0.1 and earlier releases) HTTP/1.1
      Some applications, such as SharePoint and OneDrive, use HTTP/2 by default. To use HTTP/2 files with HTTP/1.1, you need to create a decryption profile and a Security policy rule to strip out the application-layer protocol negotiation (ALPN) extension in headers. See Enable Enterprise DLP for more information.
    • (DLP 3.0.2 and later releases) HTTP/1.1 and HTTP/2
  • Data flow—File uploads and downloads are supported. Review the supported applications to learn the data flow direction supported for each application.
    Enterprise DLP doesn’t support maintaining a session connection to continue inspection if a file download is paused. The DLP cloud service inspection is terminated for the file if the download operation is paused.
  • Concurrent file uploads—25 concurrent file uploads are supported.
  • File size—The maximum supported file size is dependent on the application. Review the supported applications for more information.
  • File types
    Enterprise DLP supports inspection of the following file types.
    • Microsoft Office (.doc, .docx, .ppt, .pptx, .xls, .xlsx)
    • Microsoft Visio (.vsd, .vsdm, .vsdx)
      Requires Application and Threats content release 8656-7766 or later versions installed on Panorama and managed firewalls, or Strata Cloud Manager deployment.
    • .csv
    • .pdf
    • .rtf
    • .txt
    • Image files (.jpg, .jpeg, .png, .tif, .tiff)
      Detection of image files requires you to enable Optical Character Recognition (OCR).
    • Source Code File Types
      Enterprise DLP supports inspection of the following source code file types.
      • Cfamily—C, C++, C+, C#, Objective C
      • Go
      • HTML
      • java
      • javascript
      • JSON
      • perl
      • powershell
      • python
      • r
      • ruby
      • vbs
      • verilog
      • vhdl
      • x86_assembly
  • International Characters
    Enterprise DLP supports inspection of any supported file type with the following international characters.
    • CJK—Chinese, Japanese, and Korean
  • ZIP Files
    Enterprise DLP supports inspection of ZIP and 7Z (7-ZIP file archiver) files containing the supported file types listed above.
    The Enterprise DLP cloud service supports single level compression of files only.
    The Enterprise DLP cloud service doesn’t support scanning multilevel compressed files. For example, the DLP cloud service can’t scan and render a verdict on the file contents of a zip file if it's been compressed more than once.
  • Response—Block and Alert actions are supported for HTTP and HTTPS files. However, the Block page doesn’t display the name of the file that the managed firewall blocked.
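A triage script for the ZIP rules above (listed member types, single-level compression only), useful for finding archives that need a second control because the DLP cloud service would not render a verdict on all of their contents. This is an added example, not Palo Alto Networks code: the bucket names and sample archive are constructed, and treating OOXML documents (themselves ZIP containers) as documents, not as a second compression level, is an assumption.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions from the "File types" list above. Source code types are listed on
# the page by language, not extension, so this sketch reports them as "not-listed".
DOCS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".vsd", ".vsdm",
        ".vsdx", ".csv", ".pdf", ".rtf", ".txt"}
IMAGES = {".jpg", ".jpeg", ".png", ".tif", ".tiff"}  # inspected only with OCR enabled
# OOXML documents start with ZIP magic bytes; assumption: they count as
# documents, not as a nested archive.
OOXML = {".docx", ".pptx", ".xlsx", ".vsdx", ".vsdm"}
ARCHIVE_MAGIC = (b"PK\x03\x04", b"7z\xbc\xaf\x27\x1c")


def classify(name, head):
    """Classify one archive member from its name and first bytes."""
    ext = PurePosixPath(name).suffix.lower()
    is_archive = ext in {".zip", ".7z"} or head.startswith(ARCHIVE_MAGIC)
    if is_archive and ext not in OOXML:
        return "nested-archive"
    if ext in IMAGES:
        return "needs-ocr"
    if ext in DOCS:
        return "inspectable"
    return "not-listed"


def triage_zip(data):
    """Group the members of a ZIP (given as bytes) by expected DLP coverage."""
    report = {"inspectable": [], "needs-ocr": [], "nested-archive": [], "not-listed": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Encrypted members cannot be read without a password; use the name only.
            head = b"" if info.flag_bits & 0x1 else zf.open(info).read(6)
            report[classify(info.filename, head)].append(info.filename)
    return report


def build_sample():
    """Constructed test archive: every member name and content is made up."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payroll.csv", "name,id\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers")
        zf.writestr("scan.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("sheet.xlsx", inner.getvalue())   # OOXML: ZIP magic, still a document
        zf.writestr("archive/inner.zip", inner.getvalue())
        zf.writestr("backup.dat", inner.getvalue())   # ZIP content under a non-archive extension
        zf.writestr("notes.md", "# todo")
    return outer.getvalue()


if __name__ == "__main__":
    for bucket, names in triage_zip(build_sample()).items():
        print(f"{bucket:15} {names}")
```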

Support for Non-File Based Traffic

Enterprise Data Loss Prevention (E-DLP) supports inspection of non-file based traffic.
Enterprise Data Loss Prevention (E-DLP) supports inspection of non-file based traffic for sensitive data. A data filtering profile configured for non-file based traffic detection allows you to configure URL and application exclusion lists to exclude specific URL and application traffic from Enterprise DLP inspection.
On the Panorama™ management server, each data profile you create can be configured to inspect for either file based traffic or for non-file based traffic, or for both. On Strata Cloud Manager, you need to enable non-file based DLP inspection. After you enable this setting on Strata Cloud Manager, you can modify a DLP rule to inspect for either file based traffic or for non-file based traffic, or for both.
Inspection of non-file based traffic is supported on Panorama running PAN-OS 10.2.1 and later releases and Enterprise DLP plugin 3.0.1 and later releases.
To upgrade to PAN-OS 10.2.1, you must install Application and Threats content release version 8552-7333 or later version on Panorama and managed firewalls using Enterprise DLP. This is required to support non-file based traffic inspection.

Supported Features

Supported Enterprise Data Loss Prevention (E-DLP) features.
Review the list of supported Enterprise Data Loss Prevention (E-DLP) features.
Some Enterprise DLP features supported on Panorama and Prisma Access (Panorama Managed) require access to the DLP app on the hub to enable and configure.
See the supported data profile actions for Enterprise DLP for more information on which data profile actions are supported.
Feature | Description | Panorama | Strata Cloud Manager
  • Custom data profile that can include any combination of predefined, regex, or file property data patterns, and advanced detection methods such as Exact Data Matching (EDM) or custom document types.
    Configured in the DLP app on the Hub
  • Custom data profile that can include any combination of predefined, regular expression (regex), or file property data patterns.
  • Upload custom documents containing intellectual property for which you want to prevent exfiltration. Custom document types function as traffic match criteria in advanced data profiles.
    Configured in the DLP app on the Hub
  • Provides quantifiable metrics to measure the overall data risk for your organization and gives administrators the ability to analyze and take preventative action to strengthen your data risk security posture using the Data Risk Dashboard.
  • Enterprise DLP performs inline inspection of outbound emails to prevent exfiltration of emails containing sensitive information using AI/ML powered data detections.
  • Integrate Enterprise DLP with Cortex XSOAR to use Enterprise DLP End User Alerting, granting your team members the ability to self-service temporary exemptions for file uploads that match your data profiles.
    Configured in the DLP app on the Hub
  • Connect an AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP to automatically store files scanned by the DLP cloud service that match your data profiles. After a file is successfully stored, you can download the file for further investigation.
    Configured in the DLP app on the Hub
  • Upload data sets to detect sensitive and personally identifiable information (PII) in structured data sources. EDM data sets function as traffic match criteria in advanced data profiles.
    Configured in the DLP app on the Hub
  • Monitor sharing of sensitive passwords over chat-based applications. Enterprise DLP uses contextual messages to understand instances where a password might have been shared. When Enterprise DLP detects that a password was shared, a DLP Incident is generated that displays a snippet of the response containing the password.
  • Custom data profile that contains multiple nested data profiles that allows you to consolidate the match criteria to prevent exfiltration of sensitive data to a single data profile that can be used in a single Security policy rule.
    Configured in the DLP app on the Hub
  • Configure Enterprise DLP data profiles to inspect non-file based traffic to prevent exfiltration of sensitive data through collaboration applications, web forms, Cloud applications, and social media.
  • Allows Enterprise DLP to inspect images containing sensitive data in file-based traffic inspection.
    Configured in the DLP app on the Hub
