Enable Enterprise DLP

Create policy rules to enable firewalls to forward traffic to
Enterprise Data Loss Prevention (E-DLP)
to prevent exfiltration of sensitive data.
Where Can I Use This?
  • NGFW (Panorama Managed)
  • Prisma Access (Cloud Management)
  • SaaS Security
  • NGFW (Cloud Managed)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Panorama Managed)—Support and Panorama device management licenses
  • Prisma Access (Cloud Management)—Prisma Access license
  • SaaS Security—SaaS Security license
  • NGFW (Cloud Managed)—Support and AIOps for NGFW Premium licenses
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Enterprise DLP inspects HTTP/1.1, but some applications, such as SharePoint and OneDrive, use HTTP/2 by default. For firewalls managed by a Panorama™ management server or by Strata Cloud Manager running PAN-OS 10.2.2 and earlier releases, you must create a decryption profile and a decryption policy rule that strip the application-layer protocol negotiation (ALPN) extension from the TLS handshake, so that these applications fall back to HTTP/1.1 and their uploads can be inspected. Complete these steps to configure your managed firewalls to successfully use Enterprise Data Loss Prevention (E-DLP).

Strata Cloud Manager

Enable
Enterprise Data Loss Prevention (E-DLP)
for
Prisma Access (Cloud Management)
and
SaaS Security
on
Strata Cloud Manager
.
  1. Enable
    Enterprise DLP
    .
  2. Log in to
    Strata Cloud Manager
    .
  3. Verify that the DLP license is active.
    1. Select
      Manage
      Overview
      and navigate to the Licenses widget.
    2. Click the license Quantity and confirm that the Data Loss Prevention license is active.
      Confirm the Data Loss Prevention license Type displays
      PAID
      and that an expiration date is displayed.
    3. Select
      Manage
      Configuration
      Security Services
      and verify
      Data Loss Prevention
      is displayed.
    4. Select
      Activity
      Logs
      and verify
      DLP Incidents
      is displayed.
  4. Create the decryption profile required for
    Enterprise DLP
    to inspect traffic.
    1. Select
      Manage
      Configuration
      Security Services
      Decryption
      and
      Add Profile
      .
    2. Enter a descriptive
      Name
      for the decryption profile.
    3. Review the predefined decryption profile settings.
      The predefined decryption profile settings enable
      Enterprise DLP
      to inspect traffic. Modifying the predefined decryption profile settings isn’t required unless you need to enable
      Strip ALPN
      .
    4. (
      Software Version 10.2.2 or earlier versions
      ) Configure the decryption profile to strip the Application-Layer Protocol Negotiation (ALPN) extension from the TLS handshake.
      Enterprise DLP inspects HTTP/1.1. Stripping ALPN prevents the client from negotiating HTTP/2 with applications such as SharePoint and OneDrive, so their uploads fall back to HTTP/1.1 and can be inspected. Strip ALPN if any firewall in your
      Strata Cloud Manager
      deployment is running software version 10.2.2 or an earlier version. If your entire
      Strata Cloud Manager
      deployment is running software version 10.2.3 or a later version, stripping ALPN isn’t required.
      A Web Security admin can also strip ALPN in the Web Security decryption settings (
      Manage
      Web Security
      Security Settings
      Decryption
      , then edit the Action Options). Web Security admins don’t need to create a decryption policy rule and can push the setting to Remote Networks and Mobile Users.
      1. In the SSL Forward Proxy, click
        Advanced.
      2. Check (enable)
        Strip ALPN
        and
        Save
        .
    5. Save
      the decryption profile.
  5. Create a decryption policy rule to decrypt traffic for
    Enterprise DLP
    inspection.
    Cloud Management
    includes the predefined
    Exclude Microsoft O365 Optimized Endpoints - IPs
    and
    Exclude Microsoft O365 Optimized Endpoints - URLs
    decryption rules that exclude Microsoft Office 365 from decryption.
    For
    Enterprise DLP
    to successfully inspect traffic for Microsoft Office 365, you must position this new decryption rule before the predefined decryption exclusion rules. Alternatively, you can
    Disable
    these rules or
    Delete
    them.
    1. Select
      Manage
      Configuration
      Decryption
      and
      Add Rule
      .
    2. Enter a descriptive
      Name
      and configure the decryption policy rule as needed.
    3. In the Action and Advanced Inspection section, configure the policy rule to
      Decrypt
      traffic that matches this rule.
    4. For the Type, select
      SSL Forward Proxy
      .
    5. Select the Decryption Profile you created to strip ALPN headers.
    6. Save
      the decryption policy rule.
  6. Push your data filtering profile.
    1. Push Config
      and
      Push
      .
    2. Select (enable)
      Remote Networks
      and
      Mobile Users
      .
    3. Push
      .

Panorama

Create policy rules to enable firewalls to successfully use
Enterprise Data Loss Prevention (E-DLP)
.
  1. Review the Setup Prerequisites for Enterprise DLP and allow the required ports, fully qualified domain names (FQDNs), and IP addresses on your network.
  2. Log in to the
    Panorama
    web interface.
  3. Configure the proxy server settings to enable the
    Panorama™ management server
    to successfully communicate with the
    Enterprise DLP
    cloud service.
    This step is required only if
    Panorama
    reaches the internet through a proxy server. Continue to the next step if you aren’t using a proxy server or have already configured your
    Panorama
    proxy server settings.
    1. Select
      Panorama
      Setup
      Services
      and edit the
      Services
      settings.
    2. Configure the proxy server settings.
      • Server
        —IP address or hostname of the proxy server.
      • Port
        —Port for the proxy server.
      • User
        —Administrator username to access the proxy server.
      • Password
        —Password for the user to access the proxy server. Reenter the password when you
        Confirm Password
        .
      • (
        Optional
        )
        Use proxy to fetch logs from Cortex Data Lake
        —If you’re using Cortex Data Lake for log storage, enable this setting.
    3. Click
      OK
      .
  4. (
    Best Practices
    ) Create a service route to enable firewalls to connect to the internet.
    Palo Alto Networks recommends configuring a service route to ensure a high level of performance for Next-Gen firewalls using
    Enterprise DLP
    .
    By default, matched traffic is sent to the DLP cloud service for inspection through the management interface. Configuring a service route allows you to dedicate a specific Ethernet interface from which to send matched traffic to the DLP cloud service.
    For a multi-vsys firewall, the service route is a global configuration and is applied to all vsys of a multi-vsys firewall regardless of which vsys the service route belongs to.
    Create a service route for all supported firewall models running PAN-OS 10.1 or a later release.
    1. Select
      Device
      Setup
      Services
      and select the template that contains the
      Enterprise DLP
      configuration.
    2. Select
      Service Route Configuration
      in the
      Service Features
      and select
      Customize
      .
    3. Select
      Data Services
      and configure the
      Source Interface
      and
      Source Address
      .
      The source interface must have internet connectivity. See Configure Interfaces and Create an Address Object for more information on creating the source interface and address.
    4. Enable
      Data Services
      and click
      OK
      .
    5. Select
      Device
      Setup
      Content-ID
      and copy the
      Content Cloud Settings
      FQDN in the
      Service URL
      section.
    6. Select
      Policies
      Security
      and
      Add
        a Security policy rule that allows traffic from the service route Source Address to the Content Cloud Settings FQDN you copied.
  5. Add a Security policy rule that allows traffic from the
    127.168.0.0/16
    source address. Traffic that the firewall dataplane originates over the service route uses this source range, so a rulebase that denies it prevents the DLP cloud service from scanning files.
    This Security policy rule is required only in the two scenarios below involving the
    intrazone-default
    Security policy rule. Skip this step if neither applies to your configuration.
    • You created a cleanup
      Deny
      Security policy rule that precedes the
      intrazone-default
      Security policy rule, while the
      intrazone-default
      action is still
      Allow
      . The cleanup rule matches the dataplane traffic before the default rule can allow it.
    • You changed the
      intrazone-default
      Security policy rule action from
      Allow
      to
      Deny
      .
  6. (
    Required for DLP 3.0.1 and earlier releases only
    ) Create a decryption profile that strips the application-layer protocol negotiation (ALPN) extension from the TLS handshake.
    Enterprise DLP
    supports HTTP/1.1. Some applications, such as SharePoint and OneDrive, use HTTP/2 for uploads by default. Strip ALPN forces applications that would negotiate HTTP/2 to fall back to HTTP/1.1, which makes their uploads compatible with
    Enterprise DLP
    .
    1. Select
      Objects
      Decryption
      Decryption Profile
      and specify the
      Device Group
      .
    2. Add
      a new decryption profile.
    3. Specify a descriptive
      Name
      .
    4. (
      Optional
      ) Enable the
      Shared
      option to make this decryption profile available across all device groups.
    5. Select
      SSL Decryption
      SSL Forward Proxy
      and enable
      Strip ALPN
      in the
      Client Extension
      .
    6. Click
      OK
      .
  7. (
    Required for DLP 3.0.1 and earlier releases only
    ) Create a policy rule to remove ALPN headers from uploaded files.
    1. Select
      Policies
      Decryption
      and specify the
      Device Group
      .
    2. Add
      a new decryption policy rule and configure as appropriate.
    3. Select
      Options
      .
    4. For the
      Action
      , select
      Decrypt
      .
    5. Select the
      Decryption Profile
      you created.
    6. Click
      OK
      .
  8. Block the Quick UDP Internet Connections (QUIC) protocol on UDP ports 80 and 443.
    Many supported web applications, such as Gmail, use QUIC by default. The decryption policy can’t inspect QUIC, so you must block it; clients then fall back to TCP-based HTTPS, which the firewall can decrypt for
    Enterprise DLP
    inspection.
    1. Select
      Policies
      Security
      and specify the
      Device Group
      .
    2. Add
      a Security policy rule that denies traffic that uses the
      quic
      application.
    3. Select
      Objects
      Services
      and specify the
      Device Group
      .
    4. Add
      two services: one for UDP on port 80 and one for UDP on port 443.
      Newer versions of QUIC might be misidentified as
      unknown-udp
      . To account for this, Palo Alto Networks recommends that you add an additional Security policy rule to deny UDP traffic on those ports.
    5. Select
      Policies
      Security
      and specify the
      Device Group
      .
    6. Add
      a Security policy rule that includes the services you created to deny traffic to UDP ports 80 and 443.
      When complete, you will have two Security policy rules; one that blocks the QUIC protocol and one that blocks UDP traffic on ports 80 and 443.
  9. Attach the data filtering profile to a Security policy rule. If needed, create a Security policy rule.
    To downgrade
    Panorama
    to an earlier PAN-OS version that doesn’t support
    Enterprise DLP
    , you must remove all
    Enterprise DLP
    data patterns and data filtering profiles referenced in your Security policy rules. Consider this when creating and organizing your policy rules that reference
    Enterprise DLP
    data patterns and filtering profiles.
    For example, create a device group to contain all your Security policy rules that contain references to
    Enterprise DLP
    data patterns and filtering profiles. This enables you to quickly modify relevant policy rules should you need to downgrade
    Panorama
    to PAN-OS 10.0.1 or an earlier PAN-OS version.
    1. Select
      Policies
      Security
      Pre Rules
      and specify the
      Device Group
      .
    2. Select the Security policy rule to which you want to add the data filtering profile.
    3. Select
      Actions
      and set the
      Profile Type
      to
      Profiles
      .
    4. Select the
      Data Filtering
      profile you created.
    5. Click
      OK
      .
  10. Commit and push the new configuration to your managed firewalls to complete the
    Enterprise DLP
    plugin installation.
    This step is required for
    Enterprise DLP
    data filtering profile names to appear in Data Filtering logs.
    The
    Commit and Push
    command isn’t recommended for
    Enterprise DLP
    configuration changes, because it requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select
        Commit
        Commit to
        Panorama
        and
        Commit
        .
      2. Select
        Commit
        Push to Devices
        and
        Edit Selections
        .
      3. Select
        Device Groups
        and
        Include Device and Network Templates
        .
      4. Click
        OK
        .
      5. Push
        your configuration changes to your managed firewalls that are using
        Enterprise DLP
        .
    • Partial configuration push from Panorama
      You must always include the temporary
      __dlp
      administrator when performing a partial configuration push. This is required to keep
      Panorama
      and the DLP cloud service in sync.
      For example, you have an
      admin
      Panorama
      admin user who is allowed to commit and push configuration changes. The
      admin
      user made changes to the
      Enterprise DLP
      configuration and only wants to commit and push these changes to managed firewalls. In this case, the
      admin
      user is required to also select the
      __dlp
      user in the partial commit and push operations.
      1. Select
        Commit
        Commit to
        Panorama
        .
      2. Select
        Commit Changes Made By
        and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the
        admin
        user is currently logged in and performing the commit operation. The
        admin
        user must click
        admin
        and then select the
        __dlp
        user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click
        OK
        to continue.
      3. Commit
        .
      4. Select
        Commit
        Push to Devices
        .
      5. Select
        Push Changes Made By
        and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the
        admin
        user is currently logged in and performing the push operation. The
        admin
        user must click
        admin
        and then select the
        __dlp
        user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click
        OK
        to continue.
      6. Select
        Device Groups
        and
        Include Device and Network Templates
        .
      7. Click
        OK
        .
      8. Push
        your configuration changes to your managed firewalls that are using
        Enterprise DLP
        .
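Steps 5 through 8 of the Panorama procedure are prerequisites that are easy to get wrong in a large rulebase: the 127.168.0.0/16 allow rule is needed only under certain intrazone-default conditions, the QUIC block needs both the application rule and the UDP/80 and UDP/443 rule, and the decrypt rule only works if no earlier no-decrypt rule shadows it (the same first-match problem the Office 365 exclusion note in the Strata Cloud Manager procedure describes). The following audit script, an example added to this page and not Palo Alto Networks code, checks a device-group configuration for all three. The XML layout (service objects under service, rules under pre-rulebase/security/rules and pre-rulebase/decryption/rules, the intrazone-default override under pre-rulebase/default-security-rules), the profile name dlp-strip-alpn and the sample configuration are all constructed assumptions modelled loosely on PAN-OS exports; adjust the paths against a real export before trusting the output.

```python
"""Audit a Panorama device-group export for the Enterprise DLP prerequisites on this
page. Added example, not Palo Alto Networks code; the XML layout is an assumption."""
import ipaddress
import xml.etree.ElementTree as ET

DATAPLANE_NET = ipaddress.ip_network("127.168.0.0/16")  # dataplane service-route source
# Constructed sample: QUIC is blocked and intrazone-default overridden to deny, but the
# 127.168.0.0/16 allow rule is missing and the DLP decrypt rule sits behind a no-decrypt.
SAMPLE_CONFIG = """<device-group>
  <service>
    <entry name="udp-80"><protocol><udp><port>80</port></udp></protocol></entry>
    <entry name="udp-443"><protocol><udp><port>443</port></udp></protocol></entry>
  </service>
  <pre-rulebase>
    <security><rules>
      <entry name="block-quic"><source><member>any</member></source>
        <destination><member>any</member></destination><application><member>quic</member></application>
        <service><member>application-default</member></service><action>deny</action></entry>
      <entry name="block-udp-80-443"><source><member>any</member></source>
        <destination><member>any</member></destination><application><member>any</member></application>
        <service><member>udp-80</member><member>udp-443</member></service><action>deny</action></entry>
    </rules></security>
    <decryption><rules>
      <entry name="no-decrypt-finance"><action>no-decrypt</action></entry>
      <entry name="dlp-decrypt"><action>decrypt</action><type><ssl-forward-proxy/></type>
        <profile>dlp-strip-alpn</profile></entry>
    </rules></decryption>
    <default-security-rules><rules>
      <entry name="intrazone-default"><action>deny</action></entry>
    </rules></default-security-rules>
  </pre-rulebase>
</device-group>"""

def _members(entry, tag):
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]

def _security_rules(root):
    return root.findall("pre-rulebase/security/rules/entry")

def _udp_ports(root, service):
    """UDP ports a service object covers; 'any'/'application-default' resolve to none."""
    port = root.findtext(f"service/entry[@name='{service}']/protocol/udp/port")
    return {p.strip() for p in port.split(",")} if port else set()

def quic_blocked(root):
    """Step 8: a deny rule on the quic app plus deny rules covering UDP/80 and UDP/443."""
    denies = [r for r in _security_rules(root) if r.findtext("action") == "deny"]
    app_rule = any("quic" in _members(r, "application") for r in denies)
    ports = set()
    for rule in denies:
        for svc in _members(rule, "service"):
            ports |= _udp_ports(root, svc)
    return app_rule and {"80", "443"} <= ports

def _is_cleanup_deny(rule):
    """A deny rule that matches everything (source, destination, application, service any)."""
    return rule.findtext("action") == "deny" and all(
        _members(rule, tag) == ["any"] for tag in ("source", "destination", "application", "service"))

def dataplane_rule_required(root):
    """Step 5: needed when intrazone-default denies, or a cleanup deny precedes it."""
    default = root.find("pre-rulebase/default-security-rules/rules/entry[@name='intrazone-default']")
    if default is not None and default.findtext("action") == "deny":
        return True
    return any(_is_cleanup_deny(r) for r in _security_rules(root))

def dataplane_rule_present(root):
    """An allow rule whose source covers 127.168.0.0/16, placed before any cleanup deny."""
    for rule in _security_rules(root):
        if _is_cleanup_deny(rule):
            return False  # first match wins: an allow after the cleanup rule never fires
        if rule.findtext("action") != "allow":
            continue
        for src in _members(rule, "source"):
            if src == "any":
                return True
            try:
                if DATAPLANE_NET.subnet_of(ipaddress.ip_network(src, strict=False)):
                    return True
            except (ValueError, TypeError):  # address-object name or IPv6; not resolved here
                continue
    return False

def dlp_decrypt_rule_first(root, profile):
    """Steps 6-7 (and the O365 exclusion note for Cloud Management): the SSL Forward Proxy
    decrypt rule carrying the DLP profile must precede any no-decrypt rule (conservative)."""
    for rule in root.findall("pre-rulebase/decryption/rules/entry"):
        if (rule.findtext("action") == "decrypt" and rule.findtext("profile") == profile
                and rule.find("type/ssl-forward-proxy") is not None):
            return True
        if rule.findtext("action") == "no-decrypt":
            return False
    return False

def audit(xml_text, dlp_profile="dlp-strip-alpn"):
    """Return {check name: passed} for one device-group configuration text."""
    root = ET.fromstring(xml_text)
    return {
        "quic_blocked": quic_blocked(root),
        "dataplane_rule_ok": not dataplane_rule_required(root) or dataplane_rule_present(root),
        "dlp_decrypt_rule_first": dlp_decrypt_rule_first(root, dlp_profile),
    }
```

Run `audit(SAMPLE_CONFIG)` to see the sample fail the dataplane and decrypt-order checks while passing the QUIC check; on a real export, load the device group's XML into `audit` and pass the name of the decryption profile you created in step 6. The decrypt-order check deliberately flags any earlier no-decrypt rule rather than computing whether its match criteria overlap, because a shadowed decrypt rule fails silently: uploads simply bypass Enterprise DLP.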
