Edit the Enterprise DLP Data Filtering Settings
Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings to specify the actions the firewall using Enterprise DLP takes if the data filtering settings are exceeded.

Where Can I Use This? | What Do I Need?
---|---
 | Or any of the following licenses that include the Enterprise DLP license
Edit and apply the Enterprise Data Loss Prevention (E-DLP) data filtering settings. These settings determine the latency and file size parameters for files scanned by the DLP cloud service and specify the actions Enterprise DLP takes when those parameters are exceeded. Keep in mind that an Allow action on any of these limits is a fail-open path: a file that exceeds Max File Size, or whose verdict does not arrive within Max Latency, is permitted without ever being inspected, so choose Block wherever the matching DLP rules are meant to block.

Strata Cloud Manager
Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Prisma Access (Managed by Strata Cloud Manager) and SaaS Security on Strata Cloud Manager.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > Data Loss Prevention > Settings > Data Transfer and edit the Data Transfer settings.
- Edit the File Based Settings.
  - Specify the Max Latency (sec) for a file upload before an action is taken by Strata Cloud Manager. For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
  - Specify the Action on Max Latency (Allow or Block) that Strata Cloud Manager takes if no verdict was received for a file upload because the upload time exceeded the configured Max Latency. Selecting Block applies only to DLP rules configured to block files. This setting doesn't affect Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
  - Specify the Max File Size (MB) to enforce the maximum file size for files uploaded to the DLP cloud service for inspection.
  - Specify the Action on Max File Size (Block or Allow) that Strata Cloud Manager takes if no verdict was received for a file upload because the file is larger than the configured Max File Size. Selecting Block applies only to DLP rules configured to block files. This setting doesn't affect Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
  - Check (enable) Log Files Not Scanned to generate an alert in the DLP incident when a file can't be uploaded to the DLP cloud service for scanning.
  - Save.
- Edit the Non-File Based Settings.
  - Enable non-file based DLP. Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for collaboration applications, web forms, cloud and SaaS applications, and social media on your network.
  - Specify the Max Latency (sec) to configure the allowable time for a non-file data upload before an action is taken by Strata Cloud Manager.
  - Specify the Action on Max Latency (Allow or Block) that Strata Cloud Manager takes if no verdict was received for a non-file data upload because the upload time exceeded the configured Max Latency. Selecting Block applies only to DLP rules configured to block non-file data. This setting doesn't affect Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
  - Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned by the DLP cloud service.
  - Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be scanned by the DLP cloud service.
  - Specify the Action on Data File Size (Allow or Block) that Strata Cloud Manager takes if no verdict was received for a non-file data upload because the data is larger than the configured Max Data Size. Selecting Block applies only to DLP rules configured to block non-file data. This setting doesn't affect Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
  - Check (enable) Log Data Not Scanned to generate an alert in the DLP incident when non-file data can't be scanned by the DLP cloud service.
  - Save.
- In the DLP Settings, specify the action Strata Cloud Manager takes when an error is encountered while a file is being scanned by the DLP cloud service. Select Allow to let the upload continue when an error is encountered, or Block to block the upload. Save to apply the setting.
- Push your data filtering settings.
  - Select Push Config > Push.
  - Select (enable) Remote Networks and Mobile Users.
  - Push.
Panorama
Edit the data filtering settings to specify the actions the managed firewall takes on traffic sent to the DLP cloud service for scanning.
- Log in to the Panorama web interface.
- Select Device > Setup > DLP and select the Template associated with the managed firewalls using Enterprise DLP.
- Edit the Data Filtering Settings.
  - Specify the Max Latency (sec) for a file upload before an action is taken by the firewall. For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
  - Specify the Action on Max Latency (Block or Allow) that the firewall takes if no verdict was received for a file upload because the upload time exceeded the Max Latency. Selecting Block applies only to data profiles configured to block files. This setting doesn't affect Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
  - Specify the Max File Size (MB) to enforce a maximum file size for files uploaded to the DLP cloud service for inspection.
  - Specify the Action on Max File Size (Block or Allow) that the firewall takes if no verdict was received for a file upload because the file is larger than the configured Max File Size. Selecting Block applies only to data profiles configured to block files. This setting doesn't affect Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
    (DLP 3.0.3 only) Increasing the max file size in the Enterprise DLP data filtering settings to 21 MB or greater when Panorama has the Enterprise DLP 3.0.3 plugin installed is supported only from the Panorama CLI:
        admin> configure
        admin# set template <template_name> config shared dlp-settings max-file-size <1 - 100>
  - Check (enable) Log Files Not Scanned to generate an alert in the data filtering log when a file can't be uploaded to the DLP cloud service for scanning.
  - Click OK to save your configuration changes.
- Edit the Non-File Data Filtering Settings.
  - Verify that Enable Non File DLP is checked (enabled). Non-File DLP is enabled by default when you install the Panorama plugin for Enterprise DLP 3.0.1.
  - Specify the Max Latency (sec) to configure the allowable time for a non-file data upload before an action is taken by the firewall.
  - Specify the Action on Max Latency (Allow or Block) that the firewall takes if no verdict was received for a non-file data upload because the upload time exceeded the configured Max Latency. Selecting Block applies only to data profiles configured to block non-file data. This setting doesn't affect Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
  - Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned by the DLP cloud service.
  - Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be scanned by the DLP cloud service.
  - Specify the Action on Data File Size (Allow or Block) that the firewall takes if no verdict was received for a non-file data upload because the data is larger than the configured Max Data Size. Selecting Block applies only to data profiles configured to block non-file data. This setting doesn't affect Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
  - Check (enable) Log Data Not Scanned to generate an alert in the data filtering log when non-file data can't be scanned by the DLP cloud service.
  - Click OK to save your configuration changes.
- Specify the Action on any Error that the firewall takes if an error is encountered during upload to the DLP cloud service.
  - Select Allow (default) to continue uploading if the firewall experiences any type of error.
  - Select Block to stop uploading if the firewall experiences any type of error.
  Click OK to continue.
- Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation. This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs. The Commit and Push command isn't recommended for Enterprise DLP configuration changes, because it requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
  - Full configuration push from Panorama
    - Select Commit > Commit to Panorama and Commit.
    - Select Commit > Push to Devices and Edit Selections.
    - Select Device Groups and Include Device and Network Templates.
    - Click OK.
    - Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  - Partial configuration push from Panorama. You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync. For example, you have an admin Panorama user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
    - Select Commit > Commit to Panorama.
    - Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit. In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
    - Commit.
    - Select Commit > Push to Devices.
    - Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push. In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
    - Select Device Groups and Include Device and Network Templates.
    - Click OK.
    - Push your configuration changes to your managed firewalls that are using Enterprise DLP.
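The file-based settings in both the Strata Cloud Manager and Panorama procedures above combine into one enforcement decision per upload, and it is easy to configure them so that the rules you intend to block can be bypassed by a file that is simply too large or too slow to get a verdict. The following is an added example, not Palo Alto Networks code, that models the documented decision logic (Max Latency, Max File Size, Action on any Error, the rule that Block on those limits only applies to rules configured to block, and Log Files Not Scanned) and audits a settings object for fail-open paths. The field names mirror the UI labels; the branch order and the treatment of Action on any Error for alert-only rules are assumptions of this model, and all settings and uploads are constructed.

```python
"""Decision model for the Enterprise DLP file-based data filtering settings.

Added illustration, not Palo Alto Networks code. Dataclass fields mirror the UI
labels; the branch order and how "Action on any Error" applies to alert-only rules
are assumptions of this model.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FileSettings:
    """File-based data filtering settings, as labelled in the UI (constructed values)."""
    max_latency_sec: int
    action_on_max_latency: str      # "allow" or "block"
    max_file_size_mb: int
    action_on_max_file_size: str    # "allow" or "block"
    action_on_any_error: str        # "allow" or "block"
    log_files_not_scanned: bool = True


@dataclass(frozen=True)
class FileUpload:
    """Constructed upload event. verdict is None when the DLP cloud service returned
    nothing before Max Latency elapsed; error is True when the upload to it failed."""
    name: str
    size_mb: float
    verdict: Optional[str] = None   # "sensitive", "clean", or None
    error: bool = False


def decide(s: FileSettings, up: FileUpload, rule_action: str) -> Tuple[str, str, bool]:
    """Return (decision, reason, logged) for one upload.

    rule_action is what the matching DLP rule / data profile does on sensitive data:
    "block" or "alert". As documented, Block on Max Latency and Max File Size is
    enforced only for rules that block; alert-only profiles are never blocked by them.
    """
    def limit_action(configured: str) -> str:
        return configured if rule_action == "block" else "allow"

    if up.size_mb > s.max_file_size_mb:
        # Oversized files are never sent to the cloud service, so no verdict is possible.
        return limit_action(s.action_on_max_file_size), "max-file-size", s.log_files_not_scanned
    if up.error:
        # Model assumption: Action on any Error is applied as configured for every rule
        # type; the documentation states no alert-only exemption for it.
        return s.action_on_any_error, "error", s.log_files_not_scanned
    if up.verdict is None:
        # The firewall stopped waiting after Max Latency without a verdict.
        return limit_action(s.action_on_max_latency), "max-latency", s.log_files_not_scanned
    if up.verdict == "sensitive":
        return ("block" if rule_action == "block" else "allow"), "sensitive", True
    return "allow", "clean", False


def fail_open_findings(s: FileSettings) -> List[str]:
    """Audit check: every path by which a file reaches its destination uninspected
    even though the matching rule is meant to block."""
    findings = []
    if s.action_on_max_file_size == "allow":
        findings.append(f"files larger than {s.max_file_size_mb} MB pass uninspected")
    if s.action_on_max_latency == "allow":
        findings.append(f"uploads without a verdict after {s.max_latency_sec}s pass uninspected")
    if s.action_on_any_error == "allow":
        findings.append("uploads pass when the DLP cloud service returns an error")
    if not s.log_files_not_scanned:
        findings.append("unscanned files are not logged, so the paths above leave no DLP record")
    return findings


if __name__ == "__main__":
    # Constructed settings: a lenient profile (Action on any Error defaults to Allow in
    # the Panorama procedure) next to a hardened one.
    lenient = FileSettings(60, "allow", 20, "allow", "allow", log_files_not_scanned=False)
    strict = FileSettings(90, "block", 100, "block", "block")
    uploads = [
        FileUpload("payroll.xlsx", 2.0, verdict="sensitive"),
        FileUpload("backup-with-pii.zip", 45.0),       # above the lenient 20 MB limit
        FileUpload("scan.pdf", 15.0, verdict=None),    # verdict did not arrive in time
        FileUpload("export.csv", 1.0, error=True),
    ]
    for label, settings in (("lenient", lenient), ("strict", strict)):
        print(f"[{label}] fail-open paths: {fail_open_findings(settings) or 'none'}")
        for up in uploads:
            print(f"  {up.name:22} rule=block -> {decide(settings, up, 'block')}")
```

Run it and compare the two profiles: under the lenient settings the 45 MB archive and the slow upload both pass with a block rule in place and leave no record, which is exactly the gap the fail-open audit reports. The model covers only the file-based settings; the non-file Min/Max Data Size limits follow the same Allow/Block pattern but are not modelled here.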
SaaS Security (Email DLP Only)
Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Email DLP in SaaS Security on Strata Cloud Manager.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > SaaS Security > Settings > Email DLP Settings.
- Edit the Policy Evaluation Timeout to configure what Enterprise DLP does when Email DLP policy evaluation exceeds the configured timeout.
  - Maximum Timeout: the maximum time allowed for Enterprise DLP to inspect an outbound email. The minimum timeout is 1 minute; the maximum timeout is 5 minutes.
  - Action on Max Timeout: the action Enterprise DLP takes if the maximum timeout is exceeded. The possible actions are the same as those you configure in the Email DLP policy rule Response. The default is Monitor.
- Save Settings.