What’s Supported with Enterprise DLP?
Learn about the supported applications and operational parameters for Enterprise Data Loss Prevention (E-DLP).
Where Can I Use This? | What Do I Need? |
---|---|
| Or any of the following licenses that include the Enterprise DLP license |
Learn about the products that support Enterprise Data Loss Prevention (E-DLP) and its features:
Platform Support
Platforms supported by Enterprise Data Loss Prevention (E-DLP).
Enterprise Data Loss Prevention (E-DLP) is supported on the following platforms. Enterprise DLP data patterns and data filtering profiles are designed to work across all supported platforms to provide consistent data security across all locations.
All PA-Series firewalls and VM-Series firewalls (but not CN-Series firewalls).
- Requires PAN-OS 10.0.2 or a later version.
- Requires a Panorama M-Series or virtual appliance running PAN-OS 10.0.2 or later version. Enterprise DLP supports adding a data profile to a Security policy rule or security profile group configured on Panorama only. To successfully use Enterprise DLP, you must configure your Security policy rule and Security Profile Group on Panorama and push these configurations to your managed firewalls. Enterprise DLP doesn’t support pushing an Enterprise DLP data filtering profile to your managed firewall and referencing the data filtering profile in a Security policy rule or Security Profile Group created locally on the firewall.
- Requires minimum Application and Threats content release version 8334 or a later version. Upgrade to PAN-OS 10.0.3 and install Application and Threats content release version 8413 or later version for additional application support.
Prisma Access (Managed by Panorama)
- Requires Prisma Access 2.0 Innovation or a later version.
- Requires a Panorama M-Series or virtual appliance running PAN-OS 10.0.2 or later version.
- Requires minimum Application and Threats content release version 8334 or a later version. Install Application and Threats content release version 8413 or later version for additional application support.
- Enterprise DLP is an add-on license on Prisma Access (Managed by Panorama). You can either start with a 60-day trial or you can purchase a license to use Enterprise DLP on Prisma Access (Managed by Panorama).
- Enterprise DLP supports multitenancy with the following restrictions:
  - A Superuser must commit all changes to Panorama whenever they make changes to patterns and profiles.
  - All tenants share a single copy of pattern and profile configurations; therefore, any changes done to them are reflected across all tenants.
  - Since Security policy rules can be different across tenants, each tenant can have different data profiles associated with Security policy rules.
Prisma Access (Managed by Strata Cloud Manager) and SaaS Security
- Enterprise DLP is supported on Strata Cloud Manager when using Prisma Access (Managed by Strata Cloud Manager), SaaS Security, or both.
- DLP is an add-on license on Strata Cloud Manager when using Strata Cloud Manager from a Single Prisma SASE Platform or Multitenant Prisma SASE Platform. Enterprise DLP is included by default and doesn’t require a separate license when using Strata Cloud Manager from the CASB-X Platform.
- Important: Install Panorama plugin for Enterprise DLP 1.0.6 or later release if you’re using Enterprise DLP on Strata Cloud Manager and managing the Enterprise DLP configuration from Panorama for Palo Alto Networks Next-Generation Firewalls (NGFW) and Prisma Access (Managed by Panorama). This is required to ensure Enterprise DLP configurations are successfully synchronized across all your security platforms. DLP policy enforcement on Strata Cloud Manager is supported when using Panorama to manage your Enterprise DLP configuration.
Supported Applications
Applications supported by Enterprise Data Loss Prevention (E-DLP).
The following table displays the supported web applications and operational parameters that you can use with Enterprise Data Loss Prevention (E-DLP). See the Supported File Types for more information on which file types Enterprise DLP can inspect and render a verdict on across all applications. Refer to the Palo Alto Networks Applipedia for more information on each application App-ID. Some application support might have a Minimum Version Requirement.
The minimum version requirement to support inspection of an application might require a minimum PAN-OS version or an Apps & Threats content release version installed. Some Enterprise DLP functionality is dependent on a PAN-OS release.
- Any application that supports the Non-File Inspection Inspection Type requires PAN-OS 10.2.3 or later PAN-OS release.
- Any application that supports a Max File Size larger than 20 MB requires PAN-OS 10.2.4 or later PAN-OS 10.2 release, or PAN-OS 11.0.2 or later release.
- Any application that supports the Download Direction requires PAN-OS 10.2.4 or later PAN-OS 10.2 release, or PAN-OS 11.0.2 or later release.
- To upgrade Panorama or Strata Cloud Manager.
- For Panorama, upgrade Panorama and managed firewalls to the Minimum Version Requirement or later release.
- For Prisma Access (Managed by Panorama), you must upgrade Panorama to the Minimum Version Requirement and ensure your Prisma Access tenants are running the Minimum Version Requirement or later release.
- For Cloud Management, a PAN-OS software upgrade in the Strata Cloud Manager infrastructure to the Minimum Version Requirement or later release is required. You can view the Software Version in the Strata Cloud Manager Overview.
- Review the Compatibility Matrix for the minimum plugin versions required for your target upgrade version.
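The three PAN-OS rules above can be checked across a firewall inventory before a data profile is attached to a rule; the following is an added example, not code from Palo Alto Networks, and it covers only those three rules (not the per-application Minimum Version Requirement column or content release versions). The hostnames and versions are constructed, and treating a hotfix suffix such as `-h2` as equal to its base release is an assumption.

```python
import re

# Floor for Non-File Inspection, from the first rule above.
NON_FILE_FLOOR = (10, 2, 3)


def parse_panos(version):
    """'10.2.4-h2' -> (10, 2, 4); a hotfix suffix is ignored (assumption)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part) for part in m.groups())


def meets_large_file_or_download_floor(v):
    """10.2.4+ inside the 10.2 train, or 11.0.2 and any later release.

    A plain comparison against (10, 2, 4) would wrongly accept 11.0.0 and
    11.0.1, which the rule excludes.
    """
    if v[:2] == (10, 2):
        return v >= (10, 2, 4)
    return v >= (11, 0, 2)


def unmet_requirements(version, inspection_types, directions, max_file_mb):
    """Return the rules a PAN-OS release fails for one application row."""
    v = parse_panos(version)
    unmet = []
    if "Non-File Inspection" in inspection_types and v < NON_FILE_FLOOR:
        unmet.append("non-file inspection")
    if (max_file_mb is not None and max_file_mb > 20
            and not meets_large_file_or_download_floor(v)):
        unmet.append("max file size over 20 MB")
    if "Download" in directions and not meets_large_file_or_download_floor(v):
        unmet.append("download direction")
    return unmet


def audit_fleet(fleet, app_row):
    """Map hostname -> unmet rules, listing only devices with a gap."""
    gaps = {}
    for host, version in fleet.items():
        unmet = unmet_requirements(version, **app_row)
        if unmet:
            gaps[host] = unmet
    return gaps


# Two rows taken from the supported-applications table on this page.
JIRA_WEB = {"inspection_types": ["File Inspection", "Non-File Inspection"],
            "directions": ["Download"], "max_file_mb": 100}
SLACK_WEB = {"inspection_types": ["File Inspection", "Non-File Inspection"],
             "directions": ["Upload"], "max_file_mb": 20}

# Constructed inventory: hostnames and versions are made up for the example.
FLEET = {"fw-branch-01": "10.2.2", "fw-branch-02": "10.2.4-h2",
         "fw-dc-01": "11.0.1", "fw-dc-02": "11.1.0"}

if __name__ == "__main__":
    for host, unmet in audit_fleet(FLEET, JIRA_WEB).items():
        print(f"{host}: cannot enforce {', '.join(unmet)}")
```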
To use Gmail, you must disable the Quick UDP Internet Connection (QUIC) protocol. Palo Alto Networks recommends that you disable QUIC in Chrome. To do so, specify chrome://flags/ in the Chrome Experimental QUIC Protocol, and select Disabled.
Application | App-ID | Inspection Type (File and Non-File) | Direction | Max File Size | Minimum Version Requirement |
---|---|---|---|---|---|
Amazon Cloud Drive Web | amazon-cloud-drive | File Inspection | Upload | 20 MB | None |
Amazon S3 REST API | web-browsing | File Inspection | Upload | 20 MB | None |
Apple iCloud Web | icloud | File Inspection | Upload | 20 MB | None |
Asana Web | asana | File Inspection | Upload | 20 MB | None |
Basecamp Web | basecamp | File Inspection | Upload | 20 MB | None |
Bitrix24 Web | bitrix24 | File Inspection | Upload | 20 MB | None |
Blackboard Web | blackboard | File Inspection | Upload | 20 MB | None |
Blogs (e.g. Wordpress, Medium) | blog-posting | File Inspection, Non-File Inspection | Upload | 20 MB | None |
Box Desktop - Business | boxnet | File Inspection | Upload, Download | 100 MB | Version 8413 |
Box Web | boxnet | File Inspection | Upload, Download | 100 MB | Version 8413 |
Canvas Web | canvas | File Inspection | Upload | 20 MB | None |
Confluence Web | confluence-base, web-browsing | Non-File Inspection | Upload | N/A | 10.2.3 |
DocSend Web | docsend | File Inspection | Upload | 20 MB | None |
Dropbox Web | dropbox | File Inspection | Upload | 100 MB | 11.1.0 |
Egnyte Web | egnyte | File Inspection | Upload | 20 MB | None |
Evernote Web | evernote | Non-File Inspection | Upload | N/A | 10.2.3 |
(Images only) Facebook Web | facebook-uploading | File Inspection | Upload | 10 MB | 10.2.3 |
Facebook Messenger Web | facebook-chat | File Inspection | Upload, Download | 25 MB | None |
FilesAnywhere Web | filesanywhere | File Inspection | Upload | 20 MB | None |
Freshdesk Web | freshdesk | File Inspection | Upload | 20 MB | None |
GitHub Web | github | File Inspection | Upload | 20 MB | Version 8413 |
Gitlab - Web-based File Attachment and Standard Traffic | gitlab | File Inspection, Non-File Inspection | Upload | 100 MB | Version 8413 |
Glassdoor Web | web-browsing | Non-File Inspection | Upload | N/A | 10.2.3 |
Gmail Web - Mail Attachments | gmail | File Inspection | Upload | 100 MB | Version 8413 |
Google Chat Web | google-chat | Non-File Inspection | Upload | N/A | 10.2.3 |
Google Cloud Platform | google-cloud-storage-base | File Inspection | Upload, Download | 100 MB | None |
Google Drive Web | google-base, google-docs | File Inspection | Upload | 100 MB | 10.2.4 |
Google Docs Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3 |
Google Forms Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3 |
Google Meet Web | google-meet | Non-File Inspection | Upload | N/A | 10.2.3, Version 8726-8134 |
Google Photos Web | google-photos | File Inspection | Upload | 10 MB | 10.2.3, Version 8745-8229 |
Google Sheets Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3 |
Google Slides Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3 |
GSuite (Export via link) | google-base | File Inspection | Download | 25 MB | 10.2.4, Version 8684-7912 |
Hubspot Web | hubspot | File Inspection | Upload | 20 MB | None |
LinkedIn Web | linkedin | File Inspection, Non-File Inspection | Download | 25 MB | (Non-File) 10.2.3, (Download) 10.2.4, Version 8739-17204 |
Jira Web | jira | File Inspection, Non-File Inspection | Download | 100 MB | (Download and Large File) 10.2.4 |
Mendeley Web | mendeley | File Inspection | Upload | 20 MB | None |
Microsoft Azure Storage | windows-azure | File Inspection | Download | 100 MB | 10.2.4 or 11.0.2, Version 8742-8215 |
Microsoft Excel Desktop | web-browsing | File Inspection, Non-File Inspection | Download | 26 MB | 10.2.4 |
Microsoft Excel Web | web-browsing | File Inspection, Non-File Inspection | Download | 26 MB | 10.2.4 |
Microsoft OneDrive Web - Business | office365-enterprise-access, sharepoint-online | File Inspection | Upload | 100 MB | 10.2.4, (Large file) 11.1.0 |
Microsoft OneDrive Desktop - Business | office365-enterprise-access, sharepoint-online | File Inspection | Download | 100 MB | 10.2.4, Version 8684-7912 |
Microsoft OneDrive Desktop - Personal | ms-onedrive | File Inspection | Upload | 100 MB | 10.2.4, Version 8684-7912 |
Microsoft OneNote Web | ms-onenote | File Inspection, Non-File Inspection | Upload, Download | 20 MB | Version 8413 |
Microsoft Outlook Web - Mail Attachments | ms-office365 | File Inspection | Upload | 100 MB | Version 8673-7845, (Large file) 11.1.0 |
Microsoft Power BI Web | web-browsing | File Inspection | Upload | 20 MB | None |
Microsoft PowerPoint Desktop | ms-powerpoint-online | File Inspection, Non-File Inspection | Download | 100 MB | 10.2.4 |
Microsoft PowerPoint Web | ms-powerpoint-online | File Inspection, Non-File Inspection | Download | 100 MB | 10.2.4 |
Microsoft SharePoint Desktop | office365-enterprise-access, sharepoint-online | File Inspection, Non-File Inspection | Upload, Download | 100 MB | None |
Microsoft SharePoint Web | office365-enterprise-access, sharepoint-online | File Inspection, Non-File Inspection | Upload, Download | 100 MB | None |
Microsoft Teams Web | ms-office365, ms-teams | File Inspection, Non-File Inspection | Download | 100 MB | Version 8742-8215 |
Microsoft Teams Desktop | ms-office365, ms-teams | Non-File Inspection | N/A | N/A | 10.2.3 |
Miro Web | realtimeboard | File Inspection | Upload | 30 MB | 10.2.3, Version 8756-8298 |
Monday.com Web | monday | File Inspection | Upload | 20 MB | None |
Naver Mail Web | naver-mail | File Inspection | Upload, Download | 100 MB | None |
Naverworks | web-browsing | File Inspection | Upload | 20 MB | Version 8711-8058 |
Prezi Web | prezi | File Inspection | Upload | 20 MB | None |
Pastebin Web | pastebin | Non-File Inspection | Upload | 20 MB | 10.2.3 |
Quip | quip | File Inspection | Upload, Download | 100 MB | Version 8735-8187 |
Salesforce Web | salesforce | File Inspection | Upload, Download | 100 MB | Version 8413 |
ServiceNow Web | service-now | File Inspection, Non-File Inspection | Upload, Download | 100 MB | Version 8413 |
Slack Web | slack | File Inspection, Non-File Inspection | Upload | 20 MB | None |
Smartsheet Web | smartsheet-web | Non-File Inspection | Upload | N/A | 10.2.3 or 11.0.0 |
Splunk Web | web-browsing, splunk | File Inspection | Upload | 20 MB | None |
Syncplicity Web | syncplicity | File Inspection | Upload | 20 MB | None |
Trello Web | trello | File Inspection | Upload | 20 MB | None |
Twitter Web | twitter | File Inspection, Non-File Inspection | Upload | 20 MB | None |
Udemy Web | udemy-base, udemy-business | Non-File Inspection | Upload | N/A | 10.2.3 or 11.0.0 |
Web Browsing | web-browsing | File Inspection | Upload | 100 MB | None |
Webex Desktop | webex | Non-File Inspection | Upload | N/A | Version 8735-8187 |
Workday Web | workday | File Inspection | Upload, Download | 30 MB | Version 8702-8012 |
Workplace by Facebook Web App | workplace | File Inspection | Upload | 20 MB | None |
Yahoo Web App Mail Attachments | yahoo-mail-uploading | File Inspection, Non-File Inspection | Upload | 25 MB | Version 8413 |
Yammer Web | yammer | File Inspection | Upload | 20 MB | None |
Zendesk Web | zendesk | File Inspection, Non-File Inspection | Upload, Download | 50 MB | 10.2.3 or 11.0.0, (Upload) 10.2.5, Version 8757-8277 |
Supported AI Applications
Artificial Intelligence (AI) Applications supported by Enterprise Data Loss Prevention (E-DLP).
The following table displays the supported AI web applications and operational parameters that you can use with Enterprise Data Loss Prevention (E-DLP). Refer to the Palo Alto Networks Applipedia for more information on each application App-ID.
- All AI app support requires PAN-OS 10.2.3 or later release.
- All AI apps support only non-file inspection unless otherwise specified.
Application | App-ID | Notes |
---|---|---|
ChatGPT Web and API | openai-chatgpt | Minimum Content Version—8699 |
Google Bard | google-bard | None |
Hugging Face API | web-browsing | None |
Microsoft Azure OpenAI Studio | azure-openai-studio | None |
Supported File Types
File types supported by Enterprise Data Loss Prevention (E-DLP).
Enterprise Data Loss Prevention (E-DLP) supports the following file operations, upload parameters, file types, and actions.
- File operations—You can upload files using HTTP and HTTPS (no FTP or SMTP) using:
  - (DLP 3.0.1 and earlier releases) HTTP/1.1. Some applications, such as SharePoint and OneDrive, use HTTP/2 by default. To use HTTP/2 files with HTTP/1.1, you need to create a decryption profile and a Security policy rule to strip out the application-layer protocol negotiation (ALPN) extension in headers. See Enable Enterprise DLP for more information.
  - (DLP 3.0.2 and later releases) HTTP/1.1 and HTTP/2
- Data flow—File uploads and downloads are supported. Review the supported applications to learn the data flow direction supported for each application. Enterprise DLP doesn’t support maintaining a session connection to continue inspection if a file download is paused. The DLP cloud service inspection is terminated for the file if the download operation is paused.
- Concurrent file uploads—25 concurrent file uploads are supported.
- File size—The maximum supported file size is dependent on the application. Review the supported applications for more information.
- File types—Enterprise DLP supports inspection of the following file types.
  - Microsoft Office (.doc, .docx, .ppt, .pptx, .xls, .xlsx)
  - Microsoft Visio (.vsd, .vsdm, .vsdx). Requires Application and Threats content release 8656-7766 or later versions installed on Panorama and managed firewalls, or Strata Cloud Manager deployment.
  - .csv
  - .pdf
  - .rtf
  - .txt
  - Image files (.jpg, .jpeg, .png, .tif, .tiff). Detection of image files requires you to enable Optical Character Recognition (OCR).
- Source Code File Types—Enterprise DLP supports inspection of the following source code file types.
  - C family—C, C++, C+, C#, Objective C
  - Go
  - HTML
  - java
  - javascript
  - JSON
  - perl
  - powershell
  - python
  - r
  - ruby
  - vbs
  - verilog
  - vhdl
  - x86_assembly
- International Characters—Enterprise DLP supports inspection of any supported file type with the following international characters.
  - CJK—Chinese, Japanese, and Korean
- ZIP Files—Enterprise DLP supports inspection of ZIP and 7Z (7-ZIP file archiver) files containing the supported file types listed above. The Enterprise DLP cloud service supports single level compression of files only. The Enterprise DLP cloud service doesn’t support scanning multilevel compressed files. For example, the DLP cloud service can’t scan and render a verdict on the file contents of a zip file if it's been compressed more than once.
- Response—Block and Alert actions are supported for HTTP and HTTPS files. However, the Block page doesn’t display the name of the file that the managed firewall blocked.
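Because the DLP cloud service renders no verdict on multilevel compressed files, it helps to flag such archives separately (for example on a proxy or file gateway) so they can be reviewed rather than assumed clean. The following is an added example, not Palo Alto Networks code: it reports ZIP members that are themselves ZIP or 7Z archives by their leading bytes. It opens only ZIP outer containers (a 7Z outer container needs a third-party library), and the sample archives are constructed in memory.

```python
import io
import zipfile

# Leading bytes of the two archive formats the page names (ZIP and 7Z).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"PK\x05\x06": "zip",          # empty ZIP: only an end-of-directory record
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def sniff_archive(head):
    """Return 'zip' or '7z' if the bytes start like an archive, else None."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def nested_archives(zip_bytes):
    """List (member name, kind) for ZIP members that are themselves archives.

    Detection uses content, not the file extension, and decompresses only
    the first 6 bytes of each member so triage stays cheap on large files.
    Raises RuntimeError for encrypted members, which cannot be read
    without a password.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                kind = sniff_archive(member.read(6))
            if kind:
                found.append((info.filename, kind))
    return found


def is_single_level(zip_bytes):
    """True when no member is an archive, i.e. one level of compression."""
    return not nested_archives(zip_bytes)


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one flat archive and one that wraps it a second time.
FLAT = make_zip({"report.txt": b"constructed sample text"})
WRAPPED = make_zip({"notes.txt": b"plain", "bundle.dat": FLAT})

if __name__ == "__main__":
    for label, blob in (("flat", FLAT), ("wrapped", WRAPPED)):
        print(label, is_single_level(blob), nested_archives(blob))
```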
Support for Non-File Based Traffic
Enterprise Data Loss Prevention (E-DLP) supports inspection of non-file based traffic.
Enterprise Data Loss Prevention (E-DLP) supports inspection of non-file based traffic for sensitive data. A data filtering profile configured for non-file based traffic detection allows you to configure URL and application exclusion lists to exclude specific URL and application traffic from Enterprise DLP inspection. On the Panorama™ management server, each data profile you create can be configured to inspect for either file based traffic or for non-file based traffic, or for both. On Strata Cloud Manager, you need to enable non-file based DLP inspection. After you enable this setting on Strata Cloud Manager you can modify a DLP rule to inspect for either file based traffic or for non-file based traffic, or for both.
Inspection of non-file based traffic is supported on Panorama running PAN-OS 10.2.1 and later releases and Enterprise DLP plugin 3.0.1 and later releases.
To upgrade to PAN-OS 10.2.1, you must install Application and Threats content release version 8552-7333 or later version on Panorama and managed firewalls using Enterprise DLP. This is required to support non-file based traffic inspection.
Supported Features
Supported Enterprise Data Loss Prevention (E-DLP) features.
Review the list of supported Enterprise Data Loss Prevention (E-DLP) features.
Some Enterprise DLP features supported on Panorama and Prisma Access (Managed by Panorama) require access to the DLP app on the hub to enable and configure.
See the supported data profile actions for Enterprise DLP for more information on which data profile actions are supported.
Feature | Description | Panorama | Strata Cloud Manager |
---|---|---|---|
| Custom data profile that can include any combination of predefined, regex, or file property data patterns, and advanced detection methods such as Exact Data Matching (EDM) or custom document types. | √ Configured in the DLP app on the Hub | √ |
| Custom data profile that can include any combination of predefined, regular expression (regex), or file property data patterns. | √ | √ |
| Upload custom documents containing intellectual property for which you want to prevent exfiltration. Custom document types function as traffic match criteria in advanced data profiles. | √ Configured in the DLP app on the Hub | √ |
| Data dictionaries are a collection of one or more proximity keywords or phrases that you want to detect and prevent exfiltration. A data dictionary is added as a match criteria alongside the other supported match criteria in advanced and nested data profiles to increase the Enterprise Data Loss Prevention (E-DLP) detection accuracy. | √ Configured in the DLP app on the Hub | √ |
| Provides quantifiable metrics to measure the overall data risk for your organization and gives administrators the ability to analyze and take preventative action to strengthen your data risk security posture using the Data Risk Dashboard. | — | √ |
| Enterprise DLP performs inline inspection of outbound emails to prevent exfiltration of emails containing sensitive information using AI/ML powered data detections. | — | √ |
| Integrate Enterprise DLP with Cortex XSOAR to use Enterprise DLP End User Alerting, granting your team members the ability to self-service temporary exemptions for file uploads that match your data profiles. | √ Configured in the DLP app on the Hub | √ |
| Connect an AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP to automatically store files scanned by the DLP cloud service that match your data profiles. After a file is successfully stored, you can download the file for further investigation. | √ Configured in the DLP app on the Hub | √ |
| Upload data sets to detect sensitive and personally identifiable information (PII) in structured data sources. EDM data sets function as traffic match criteria in advanced data profiles. | √ Configured in the DLP app on the Hub | √ |
| Monitor sharing of sensitive passwords over chat-based applications. Enterprise DLP uses contextual messages to understand instances where a password might have been shared. When Enterprise DLP detects that a password was shared, a DLP Incident is generated that displays a snippet of the response containing the password. | — | √ |
| Custom data profile that contains multiple nested data profiles that allows you to consolidate the match criteria to prevent exfiltration of sensitive data to a single data profile that can be used in a single Security policy rule. | √ Configured in the DLP app on the Hub | √ |
| Configure Enterprise DLP data profiles to inspect non-file based traffic to prevent exfiltration of sensitive data through collaboration applications, web forms, Cloud applications, and social media. | √ | √ |
| Allows Enterprise DLP to inspect images containing sensitive data in file-based traffic inspection. | √ Configured in the DLP app on the Hub | √ |