>
    Strata Copilot
    Edit the Enterprise DLP Data Filtering Settings
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Edit the Enterprise DLP Data Filtering Settings
    Download PDF
    Enterprise DLP

    Edit the Enterprise DLP Data Filtering Settings

    Table of Contents

    Edit the Enterprise DLP Data Filtering Settings

    Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings to specify the actions the firewall using Enterprise DLP takes if the data filtering settings are exceeded.
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    • (Email DLP only) Data Security and Email DLP licenses
    • (Endpoint DLP only) Endpoint DLP license
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    Edit and apply Enterprise Data Loss Prevention (E-DLP) data filtering settings. These network settings are determine the networking and file size parameters for files scanned by Enterprise DLP and specify the actions Enterprise DLP takes when these parameters are exceeded.
    All data filtering settings are global settings that take precedence over the Action setting configured in your DLP rule (Strata Cloud Manager or data filtering profile (Panorama). For example, you create an Alert DLP rule and configure the Scan Limit Max File Size for Alert (MB) as 20 MB and Action on Max File Size as Block. A user attempts to upload a 40 MB. In this case, Enterprise DLP returns a block verdict because the uploaded file forwarded to Enterprise DLP exceeds the maximum file size you configured in the data filtering settings.
    (NGFW and Prisma Access managed by Panorama) If you want to enable non-file inspection for your NGFW and Prisma Access tenants you must enable the setting from Panorama. For NGFW and Prisma Access managed by Panorama, enabling non-file inspection from Strata Cloud Manager is not supported and causes Panorama commits to fail.

    Edit the Enterprise DLP Data Filtering Settings on Strata Cloud Manager

    Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Prisma Access (Managed by Strata Cloud Manager) and NGFW (Managed by Strata Cloud Manager).
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationData Loss PreventionSettingsData Transfer and edit the Data Transfer settings.
    3. Configure the File Based Settings.
      You can configure any of these settings as needed. You must Save any changes to your file based settings for them to take effect and be enforced.
      • File Movement Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward a file to Enterprise DLP for inspection.
        For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
      • Action When Max Latency is Reached —Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward a file to Enterprise DLP exceeds the File Movement Max Latency (sec) setting.
        Supported actions are Allow (default) or Block.
      • Scan Limit Max File Size for Alert (MB)—Enforce a maximum file size for files forwarded to Enterprise DLP when a traffic matches a DLP rule configured to Alert.
      • Action When File Size Exceeds Scan Limit—Action the enforcement point takes if Enterprise DLP the file size forwarded to Enterprise DLP exceeds the Scan Limit Max File Size for Alert (MB).
        Supported actions are Allow (default) or Block.
      • Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect a forwarded file for any reason.
      • Action When Scanning Error Occurred—Action the enforcement point takes when Enterprise DLP encounters any errors inspecting a forwarded file that prevents rendering a verdict.
        Supported actions are Allow (default) or Block.
    4. Edit the Non-File Based Settings.
      You can configure any of these settings as needed. You must Save any changes to your non-file based settings for them to take effect and be enforced.
      • Enable non-file based DLP—Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for collaboration apps, web forms, cloud and SaaS apps, and social media on your network.
        You must enable this setting for Enterprise DLP to scan non-file based traffic and enforce all non-file based settings.
      • Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward non-file traffic to Enterprise DLP for inspection.
      • Action on Max Latency—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward non-file traffic to Enterprise DLP exceeds the Max Latency (sec) setting.
        Supported actions are Allow (default) or Block.
      • Min Data Size (B)—Enforce a minimum data size for non-file traffic forwarded to Enterprise DLP.
        Enterprise DLP supports a minimum non-file traffic data size of 250 - 4000 bytes.
      • Max Data Size (KB)—Enforce a maximum data size for non-file traffic forwarded to Enterprise DLP.
        Enterprise DLP supports a maximum non-file traffic data size of 1-500 KB.
      • Action on Max Data Size—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected non-file traffic exceeds the Max Data Size (KB) setting.
        Supported actions are Allow (default) or Block.
      • Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect forwarded non-file traffic for any reason.
    5. In the DLP Settings, configure the Action on any Error to specify the action the NGFW or Prisma Access tenant takes when any kind of error occurs that prevents Enterprise DLP from inspecting forwarded file or non-file traffic and rendering a verdict.
      Select Allow to allow the file or non-file traffic to continue to the intended destination when Enterprise DLP encounters an error or select Block to block the file or non-file traffic. This includes when the NGFW or Prisma Access tenant encounter file or non-file traffic smaller than the configured Min Data Size (B) (non-file), and the Action on Max File Size (file) and Max Data Size (KB) (non-file).
      Save.
    6. Push your data filtering settings.
      1. Push Config and Push.
      2. Select (enable) Remote Networks and Mobile Users.
      3. Push.

    Edit the Enterprise DLP Data Filtering Settings on Panorama

    Edit the data filtering settings to specify the actions the NGFW or Prisma Access tenant takes on traffic scanned by Enterprise DLP.
    1. Log in to the Panorama web interface.
    2. Select DeviceSetupDLP and select the Template associated with the NGFW or Prisma Access tenant using Enterprise DLP.
    3. Edit the Data Filtering Settings.
      You can configure any of these settings as needed. Click OK to save any changes to your file based settings for them to take effect and be enforced.
      • Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward a file to Enterprise DLP for inspection.
        For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
      • Action on Max Latency—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward a file to Enterprise DLP exceeds the Max Latency (sec) setting.
        Supported actions are Allow (default) or Block.
      • Max File Size (MB)—Enforce a maximum file size for files forwarded to Enterprise DLP for inspection.
      • Action on Max File Size—Action the enforcement point takes if the file forwarded to Enterprise DLP exceeds the Max File Size setting.
        Supported actions are Allow (default) or Block.
        (DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering settings to 21 MB or greater when Panorama has the Enterprise DLP 3.0.3 plugin installed is supported only from the Panorama CLI.
        admin>configure
        admin#set template <template_name> config shared dlp-settings max-file-size <1 - 100>
      • Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect a forwarded file for any reason.
      • Action When Scanning Error Occurred—Action the enforcement point takes when Enterprise DLP encounters any errors inspecting a forwarded file that prevents rendering a verdict.
        Supported actions are Allow (default) or Block.
    4. Edit the Non-File Data Filtering Settings.
      You can configure any of these settings as needed. Click OK to save any changes to your file based settings for them to take effect and be enforced.
      • Enable Non File DLP—Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for collaboration apps, web forms, cloud and SaaS apps, and social media on your network.
        You must enable this setting for Enterprise DLP to scan non-file based traffic and enforce all non-file based settings.
      • Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward non-file traffic to Enterprise DLP for inspection.
      • Action on Max Latency—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward non-file traffic to Enterprise DLP exceeds the Max Latency (sec) setting.
        Supported actions are Allow (default) or Block.
      • Min Data Size (B)—Enforce a minimum data size for non-file traffic forwarded to Enterprise DLP.
        Enterprise DLP supports a minimum non-file traffic data size of 250 - 4000 bytes.
      • Max Data Size (KB)—Enforce a maximum data size for non-file traffic forwarded to Enterprise DLP.
        Enterprise DLP supports a maximum non-file traffic data size of 1-500 KB.
      • Action on Max Data Size—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected non-file traffic exceeds the Max Data Size (KB) setting.
        Supported actions are Allow (default) or Block.
      • Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect forwarded non-file traffic for any reason.
    5. Specify the Action on any Error the NGFW or Prisma Access tenant takes when any kind of error occurs that prevents Enterprise DLP from inspecting forwarded file or non-file traffic and rendering a verdict.
      This includes when the NGFW or Prisma Access tenant encounter file or non-file traffic smaller than the configured Min Data Size (B) (non-file), and the Action on Max File Size (file) and Max Data Size (KB) (non-file).
      • Select Allow (default) to continue if the NGFW or Prisma Access tenant experiences any type of error.
      • Select Block to stop uploading if the NGFW or Prisma Access tenant experiences any type of error.
      Click OK to continue.
    6. Commit and push the new configuration to your NGFW or Prisma Access tenant.
      The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and NGFW or Prisma Access tenant in the Push Scope Selection.
      • Full configuration push from Panorama
        1. Select CommitCommit to Panorama and Commit.
        2. Select CommitPush to Devices and Edit Selections.
        3. Select Device Groups and Include Device and Network Templates.
        4. Click OK.
        5. Push your configuration changes to your NGFW or Prisma Access tenant that are using Enterprise DLP.
      • Partial configuration push from Panorama
        You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and Enterprise DLP in sync.
        For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to NGFW or Prisma Access tenant. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
        1. Select CommitCommit to Panorama.
        2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
          In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
          Click OK to continue.
        3. Commit.
        4. Select CommitPush to Devices.
        5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
          In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
          Click OK to continue.
        6. Select Device Groups and Include Device and Network Templates.
        7. Click OK.
        8. Push your configuration changes to your NGFW or Prisma Access tenant that using Enterprise DLP.

    Edit the Enterprise DLP Data Filtering Settings for Email DLP

    Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Email DLP on Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationSaaS SecuritySettingsEmail DLP Settings.
    3. (Optional) Configure the Email DLP snippet settings.
      You can configure if and how Enterprise Data Loss Prevention (E-DLP) stores and masks snippets of sensitive data that match your data pattern match criteria in an Enterprise DLP data profiles. Your snippet setting configuration determines how snippets of matched traffic are displayed when you review your DLP incidents.
    4. Edit the Policy Evaluation Timeout to configure what Enterprise DLP does when Email DLP policy evaluation exceeds the configured timeout.
      • Maximum Timeout—Maximum time allowed for Enterprise DLP to inspect an outbound email. Minimum timeout is 1 minute. Maximum timeout is 5 minutes.
      • Action on Max Timeout—The action Enterprise DLP takes if the maximum timeout is exceeded. The possible actions are the same as those you configure in the Email DLP policy rule Response. Default is Monitor.
    5. Edit the Maximum Message Size Policy to configure the maximum email message size you want to forward to Enterprise DLP and the action taken when an email exceeds the configured maximum size.
      • Maximum Size to Scan—Enforce a maximum outbound email size that can be forwarded to Enterprise DLP when a traffic matches an Email DLP policy rule. The outbound email size includes all text in the email subject and body, as well as any attachments.
        Supports 1- 150 MB. Default is 150 MB.
      • Action on Oversized Message—Specifies the type of X-PANW-Processing-Status or x-panw-action email header Enterprise DLP adds when a forwarded outbound email exceeds the Maximum Size to Scan. Enterprise DLP generates an Email DLP incident when any action is taken.
        • (Default) Monitor—Outbound email is allowed to continue to recipient.
          X-PANW-Processing-Status: limited and x-panw-action: monitor added to the email header.
        • Block—Outbound email blocked by Enterprise DLP.
          x-panw-action: block added to the email header.
        • (Microsoft Exchange only) Forward Email for Approval to End User's Manager— Outbound email is transported back to Microsoft Exchange and sent to the sender's manager for approval. Independent review is required by the sender's manager before the email is allowed to leave your organization's network.
          The action Microsoft Exchange takes on a Forward email for approval by end user's manager action is based on the transport for manager approval rule.
          x-panw-action: fwd_to_manager added to the email header.
        • (Microsoft Exchange only) Forward Email for Approval to Admin—Outbound email is transported back to Microsoft Exchange and sent to the specified email admin for approval. Independent review is required by the specified email administrator before the email is allowed to leave your organization's network.
          The action Microsoft Exchange takes on a Forward email for approval admin action is based on the transport for admin approval rule.
          x-panw-action: fwd_to_admin added to the email header.
        • Quarantine—Outbound email is transported back to the email server and quarantined. The email is forwarded to the hosted quarantine spam inbox and requires review by an email administrator before the email is allowed to leave your organization's network.
          The action Microsoft Exchange or Gmail takes on a Quarantine action is based on the quarantine transport rule you created.
          x-panw-action: quarantine added to the email header.
        • Encrypt—Outbound email is encrypted before being allowed to leave your organization and continuing its path to the intended recipient.
          x-panw-action: encrypt added to the email header.
    6. Save Settings.

    Edit the Enterprise DLP Data Filtering Settings for Endpoint DLP

    Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Endpoint DLP on Strata Cloud Manager.
    You can customize the data filtering settings for your USB, printer, and Network Share peripheral devices independently of one another.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationData Loss PreventionSettingsData Transfer to edit the data filtering settings.
    3. Edit the File Based Settings for Endpoint DLP.
      You can configure the data filtering settings for each type of peripheral device (USB Devices, Printers, and Network Shares) independently of one another. You must Save any changes to your Endpoint DLP file based settings for them to take effect and be enforced
      • Data Scan Region—By default, the Nearest Data Scan Region is selected and automatically resolves to the region closest to your Enterprise DLP tenant. You can select a specific region to ensure you meet any data residency requirements if required.
        For example, your Endpoint DLP administrator sets the Data Scan Region to America instead of Nearest Data Scan Region. Your US based worker travels to Europe with their protected endpoint and generates a DLP Incident. In this case, the traffic is forwarded to an Enterprise DLP cloud service tenant in the US for inspection and verdict rendering even though the endpoint was in Europe when the incident was generated. Additionally, the DLP incident displays under the US Region when filtering your incidents.
        The data filtering settings are shared across all data scan regions. You can’t configure unique data filtering settings for each data scan region. Changing the data filtering settings for one data scan region changes it for all other supported data scan regions.
      • File Movement Max Latency (sec)—Maximum allowed time it takes for the peripheral device to forward a file to Enterprise DLP for inspection.
        For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
      • Action When Max Latency is Reached —Action the Prisma Access Agent takes if Enterprise DLP can't inspect and render a verdict on a file upload because the time it takes to forward a file to Enterprise DLP exceeds the File Movement Max Latency (sec) setting.
        Selecting Alert allows the file upload to the peripheral device but generates a DLP incident.
        Selecting Block blocks the file upload to the peripheral device and generates a DLP incident.
      • Scan Limit Max File Size for Block (MB)—Enforce a maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Block.
        The maximum supported file size is 20 MB.
      • Scan Limit Max File Size for Alert (MB)—Enforce a maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Alert.
        The maximum supported file size is 100 MB.
      • Action When File Size Exceeds Scan Limit—Action Prisma Access Agent takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected file size exceeds the Scan Limit Max File Size for Alert (MB) or Scan Limit Max File Size for Block (MB) settings.
        Supported actions are Allow (default) or Block.
        If the file exceeds the Scan Limit Max File Size for Block (MB) or Scan Limit Max File Size for Alert (MB):
        • The DLP incident details does not display a Data Profile match.
        • If you have End User Coaching configured, the end user who generated the DLP incident does not receive a data security notification.
      • Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect a forwarded file for any reason.
      • Action When Scanning Error Occurred—Action the enforcement point takes when Enterprise DLP encounters any errors inspecting a forwarded file that prevents rendering a verdict.
        Supported actions are Allow (default) or Block.
      • Action When Endpoint is Offline—Action Prisma Access Agent takes if the peripheral device is offline and can't forward traffic to Enterprise DLP for inspection and verdict rendering.
        Supported actions are Allow (default) or Block.
    4. Push your new Endpoint DLP data filtering settings to the Prisma Access Agent.
      1. Select Endpoint DLP PolicyPush Policies and Push Policies.
      2. (Optional) Enter a Description for the Endpoint DLP configuration push.
      3. Review the Push Policies scope to understand the changes include the Endpoint DLP configuration push.
      4. Push.

    © 2026 Palo Alto Networks, Inc. All rights reserved.