Edit the Enterprise DLP Data Filtering Settings for Endpoint DLP

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Endpoint DLP on Strata Cloud Manager.
You can customize the data filtering settings for your USB, printer, and Network Share peripheral devices independently of one another.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > Data Loss Prevention > Settings > Data Transfer to edit the data filtering settings.
  3. Edit the File Based Settings for Endpoint DLP.
    You can configure the data filtering settings for each type of peripheral device (USB Devices, Printers, and Network Shares) independently of one another. You must Save any changes to your Endpoint DLP file-based settings for them to take effect and be enforced.
    • Data Scan Region—By default, the Nearest Data Scan Region is selected and automatically resolves to the region closest to your Enterprise DLP tenant. You can select a specific region to ensure you meet any data residency requirements if required.
      For example, your Endpoint DLP administrator sets the Data Scan Region to America instead of Nearest Data Scan Region. Your US based worker travels to Europe with their protected endpoint and generates a DLP Incident. In this case, the traffic is forwarded to an Enterprise DLP cloud service tenant in the US for inspection and verdict rendering even though the endpoint was in Europe when the incident was generated. Additionally, the DLP incident displays under the US Region when filtering your incidents.
      The data filtering settings are shared across all data scan regions. You can’t configure unique data filtering settings for each data scan region. Changing the data filtering settings for one data scan region changes it for all other supported data scan regions.
    • File Movement Max Latency (sec)—Maximum allowed time it takes for the peripheral device to forward a file to Enterprise DLP for inspection.
      For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
    • Action When Max Latency is Reached—Action the Prisma Access Agent takes if Enterprise DLP can't inspect and render a verdict on a file upload because the time it takes to forward a file to Enterprise DLP exceeds the File Movement Max Latency (sec) setting.
      Selecting Alert allows the file upload to the peripheral device but generates a DLP incident.
      Selecting Block blocks the file upload to the peripheral device and generates a DLP incident.
    • Scan Limit Max File Size for Block (MB)—Enforce a maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Block.
      The maximum supported file size is 20 MB.
    • Scan Limit Max File Size for Alert (MB)—Enforce a maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Alert.
      The maximum supported file size is 100 MB.
    • Action When File Size Exceeds Scan Limit—Action the Prisma Access Agent takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected file size exceeds the Scan Limit Max File Size for Alert (MB) or Scan Limit Max File Size for Block (MB) setting.
      Supported actions are Allow (default) or Block.
      If the file exceeds the Scan Limit Max File Size for Block (MB) or Scan Limit Max File Size for Alert (MB):
      • The DLP incident details do not display a Data Profile match.
      • If you have End User Coaching configured, the end user who generated the DLP incident does not receive a data security notification.
    • Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect a forwarded file for any reason.
    • Action When Scanning Error Occurred—Action the enforcement point takes when Enterprise DLP encounters any errors inspecting a forwarded file that prevents rendering a verdict.
      Supported actions are Allow (default) or Block.
    • Action When Endpoint is Offline—Action the Prisma Access Agent takes if the peripheral device is offline and can't forward traffic to Enterprise DLP for inspection and verdict rendering.
      Supported actions are Allow (default) or Block.
  4. Push your new Endpoint DLP data filtering settings to the Prisma Access Agent.
    1. Select Endpoint DLP Policy > Push Policies and Push Policies.
    2. (Optional) Enter a Description for the Endpoint DLP configuration push.
    3. Review the Push Policies scope to confirm that the changes include the Endpoint DLP configuration push.
    4. Push.
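The settings in step 3 decide what happens to a file that Enterprise DLP never gets to inspect, and several of them default to Allow. The following model, added here as an example and not Palo Alto Networks' own code, walks a file through those settings in the documented order so you can see which paths let an unscanned file through. It assumes a default max latency of 60 seconds (the page states no default) and that Log Files Not Scanned governs incident logging on the offline, over-limit and scan-error paths.

```python
from dataclasses import dataclass


@dataclass
class EndpointDlpSettings:
    """Fields of the Data Transfer settings page; defaults follow the documented defaults."""
    max_latency_sec: int = 60              # File Movement Max Latency (assumed value, no documented default)
    action_on_max_latency: str = "Alert"   # Alert | Block
    block_scan_limit_mb: int = 20          # Scan Limit Max File Size for Block, 20 MB maximum
    alert_scan_limit_mb: int = 100         # Scan Limit Max File Size for Alert, 100 MB maximum
    action_on_scan_limit: str = "Allow"    # Allow (default) | Block
    log_files_not_scanned: bool = False    # assumed to drive incident logging for unscanned files
    action_on_scan_error: str = "Allow"    # Allow (default) | Block
    action_on_offline: str = "Allow"       # Allow (default) | Block

    def __post_init__(self):
        if self.block_scan_limit_mb > 20 or self.alert_scan_limit_mb > 100:
            raise ValueError("scan limits exceed the supported maximums (20 MB / 100 MB)")


@dataclass
class Transfer:
    """One file moving to a USB device, printer or network share (constructed input)."""
    file_size_mb: float
    forward_latency_sec: float
    rule_action: str               # action of the matching Data in Motion rule: Block | Alert
    endpoint_online: bool = True
    scan_error: bool = False
    profile_matches: bool = False  # whether inspection would match a data profile


def decide(s: EndpointDlpSettings, t: Transfer) -> dict:
    """Modelled outcome: action, whether the file was scanned, whether an incident is logged,
    and whether the incident would show a Data Profile match."""
    unscanned = {"scanned": False, "incident": s.log_files_not_scanned, "profile_match": False}
    if not t.endpoint_online:
        return {"action": s.action_on_offline, **unscanned}
    if t.forward_latency_sec > s.max_latency_sec:
        # Alert allows the transfer, Block stops it; both generate an incident
        return {"action": "Allow" if s.action_on_max_latency == "Alert" else "Block",
                "scanned": False, "incident": True, "profile_match": False}
    limit = s.block_scan_limit_mb if t.rule_action == "Block" else s.alert_scan_limit_mb
    if t.file_size_mb > limit:
        return {"action": s.action_on_scan_limit, **unscanned}
    if t.scan_error:
        return {"action": s.action_on_scan_error, **unscanned}
    if t.profile_matches:
        return {"action": "Allow" if t.rule_action == "Alert" else "Block",
                "scanned": True, "incident": True, "profile_match": True}
    return {"action": "Allow", "scanned": True, "incident": False, "profile_match": False}


def fail_open_paths(s: EndpointDlpSettings) -> list:
    """Names of the conditions under which this configuration allows an uninspected file."""
    paths = {"offline": s.action_on_offline, "scan_limit": s.action_on_scan_limit,
             "scan_error": s.action_on_scan_error,
             "max_latency": "Allow" if s.action_on_max_latency == "Alert" else "Block"}
    return sorted(name for name, action in paths.items() if action == "Allow")
```

With the documented defaults, a 25 MB file matching a Block rule is allowed unscanned because it exceeds the 20 MB Block scan limit; `fail_open_paths` lists every such path so the review can decide which ones to switch to Block.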