Enterprise DLP Limitations

Review the Enterprise Data Loss Prevention (E-DLP) cloud service and plugin limitations.

The following are limitations associated with Enterprise Data Loss Prevention (E-DLP) cloud service, plugin, and Endpoint DLP.

Enterprise DLP Cloud Service and Plugin

Issue ID | Description |
---|---|
— | When using Enterprise DLP on Hub 1.0, the DLP app on the hub supports only Superuser administrative privileges. Role-based access control for Enterprise DLP is supported on Hub 2.0 only. |
— | A custom block response page for matched traffic blocked by Enterprise DLP is not supported for NGFW and Prisma Access managed by Strata Cloud Manager or Panorama. |
WIF-1127 | For PA-3250 firewalls running PAN-OS 10.2.4 or PAN-OS 10.2.5, .zip file uploads to the Zendesk application cannot be successfully blocked by Enterprise DLP and do not generate a DLP Incident on Panorama or the NGFW (Monitor Logs Data Filtering |
WIF-484 | Detection of floating images is not supported when Optical Character Recognition on Panorama or Prisma Access (Managed by Strata Cloud Manager) is enabled. |
WIF-215 | On Panorama, the original connection to the Service URL FQDN is terminated before the connection to the new Service URL FQDN can be established after reconfiguring the Service URL Setting (Device Setup Content-ID |
PLUG-12944 | After you upgrade Panorama and managed NGFW to PAN-OS 11.0.2, the Panorama plugin for Enterprise DLP 4.0.1 you downloaded on Panorama prior to upgrade does not automatically install. Workaround: After you successfully upgrade Panorama to PAN-OS 11.0.2, manually install the downloaded Enterprise DLP plugin (Panorama Plugins |
PLUG-12756 This limitation is addressed in Enterprise DLP version 3.0.4. | Predefined data filtering profile (Objects DLP Data Filtering Profiles File Direction displays Default instead of Upload. |
PLUG-11837 | On Panorama, downgrading from the following PAN-OS releases does not restore the default Upload File Direction for data filtering profiles (Objects DLP Data Filtering Profiles |
PLUG-10323 | After you downgrade Panorama and NGFW to PAN-OS 10.2.0 and Enterprise DLP plugin 3.0.0, the Non-File Based (Objects DLP Data Filtering Profiles Workaround: Disable the Non-File Based setting on the data filtering profile before downgrading to PAN-OS 10.2.0 and Enterprise DLP plugin 3.0.0. |
PLUG-10252 | Renaming an existing data profile on the DLP app on the hub creates an entirely new data filtering profile (Objects DLP Data Filtering Profiles Panorama. |
PLUG-10172 | On Panorama, the commit fails if the same profile (Objects DLP Data Filtering Profiles Panorama and the DLP app at the same time. Workaround: If you experience a commit failure when editing the data filtering profile on Panorama, you must discard the edits, reset the Enterprise DLP plugin, and reconfigure the data filtering profile. |
PLUG-6159 | On Panorama, all Enterprise DLP data profiles (Objects DLP Data Filtering Profiles Remove Config (Panorama Plugins Enterprise DLP plugin and install the Cloud Services plugin. Workaround: After you successfully Enterprise DLP plugin configuration, log in to the Panorama CLI and reset the Enterprise DLP plugin to display the DLP data profiles. |
PLUG-6121 | On Panorama, Enterprise DLP data patterns and profiles do not function as expected after you load or revert a firewall configuration. Workaround: After you successfully load or revert an NGFW configuration, log in to the Panorama CLI and reset the Enterprise DLP plugin. |
PAN-215405 | File uploads to the Box application exceeding 20 MB create multiple sessions if the data filtering profile (Objects DLP Data Filtering Profile Block. This results in the Box application requiring multiple retries before the file upload is successfully attempted and blocked by the DLP cloud service. |
PAN-211913 | Enterprise DLP does not support maintaining a session connection to continue inspection if a file download is paused. The DLP cloud service inspection is terminated for the file if the download operation is paused. |
PAN-206877 | The Gmail file attachment operation may sometimes get stuck or fail after multiple attempts if the DLP cloud service already scanned and blocked the file. |
PAN-142785 | Enterprise DLP does not support custom response pages on Panorama and uses the default File Blocking Block Page response page (Device Response Pages |
PAN-140057 | Enterprise DLP and IoT logs share log severity levels and cannot be configured individually. |
DIT-27539 | (Enterprise DLP 3.0.3 only Panorama CLI. |

Endpoint DLP

Issue ID | Description |
---|---|
— | For endpoint devices running macOS, the Prisma Access Agent inspects file movement within a USB peripheral device connected to the endpoint device due to a macOS limitation that prevents macOS from being able to determine the file operation source path. For example, you move a file from the endpoint device to Folder A in the connected USB device and the Prisma Access Agent inspects the file for sensitive data. A few minutes later you move the same file from Folder A to Folder B. In this case, the Prisma Access Agent once again inspects the file for sensitive data. |
PANG-5687 | Multiple DLP Incidents (Manage Configuration Data Loss Prevention DLP Incidents To prevent exfiltration of sensitive data, Enterprise DLP inspects every file associated with the file move operation from the endpoint to the peripheral device. This ensures that all impacted files are captured in your logs and analyzed. However, this may result in creation of unnecessary DLP Incidents. |
PANG-5530 | Installing the Prisma Access Agent on an endpoint device with Cortex 8.3.0 or earlier installed generates an error titled cytray.exe - Bad Image and alerts the user that DLP is either not designed to run on Windows or it contains an error. This error can be ignored. It has no impact on the Prisma Access Agent installation or Endpoint DLP policy rule enforcement. Click OK when prompted to Finish the Prisma Access Agent installation. |
PANG-5122 | The Prisma Access Agent is unable to enforce policy rules when the endpoint on which it is installed is in Safe Mode. As a result, the Prisma Access Agent is unable to inspect and block files moved between the endpoint and the peripheral device if the endpoint is in Safe Mode. |
DSS-17434 | For printer peripheral devices, a data profile (Manage Configuration Data Loss Prevention Data Profile Manage Configuration Data Loss Prevention Document Types matching value results in Enterprise DLP being unable to render a match verdict for inspected traffic. Workaround: In your data profile, configure a low matching value for IDM document types to increase the likelihood of successful match verdicts for printer peripheral devices. |