Activation & Onboarding
  • Activation & Onboarding
  • Enterprise DLP Documentation
  • All Documentation
>
Activate Endpoint DLP
Focus
Download PDF
Focus
  1. Home
  2. Enterprise DLP
  3. Activate Endpoint DLP
Download PDF
Enterprise DLP

Activate Endpoint DLP

Table of Contents

Activate Endpoint DLP

Activate Endpoint DLP to stop accidental or malicious data lose over peripheral devices.
Where Can I Use This?What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)
  • Endpoint DLP license
  • Enterprise Data Loss Prevention (E-DLP) license
  • Autonomous DEM 5.3.4 or later
  • Prisma Access Agent
  • One of the following Prisma Access versions
    • 10.2Prisma Access 5.2
    • 11.2Prisma Access 5.1 or 5.2
Activate Endpoint DLP for single tenant or multitenant Customer Support Portal (CSP) account.

Single Tenant

Activate Endpoint DLP to prevent exfiltration of sensitive data over peripheral devices for a single tenant Customer Support Portal account.
  1. Log in to Strata Cloud Manager.
  2. Enable Enterprise Data Loss Prevention (E-DLP) for Strata Cloud Manager if not already enabled.
    Enterprise DLP must be active on your tenant to enable and use Endpoint DLP.
  3. Install the following Microsoft Redistributable libraries on all endpoints where you installed the Prisma Access Agent.
    Install the latest versions for the Microsoft Windows version running on the endpoint. This is required enable the Prisma Access Agent to inspect file movement between the endpoint and a peripheral device to prevent exfiltration of sensitive data.
  4. Install the Prisma Access Agent on all endpoints you want to protect.
  5. Contact your Palo Alto Networks representative to purchase the Endpoint DLP subscription.
  6. Click the magic link provided to you by Palo Alto Networks when you purchased the Endpoint DLP subscription.
  7. Activate Subscription to begin activating Endpoint DLP.
  8. Enter your Email Address and click Next to continue.
    This email address must match the email that received the magic link to activate Endpoint DLP and must have a valid Palo Alto Networks Customer Support Portal account.
    Click Create a New Account if you're a security administrator who does not yet have a valid Palo Alto Networks Customer Support Portal account for your organization. This is required before you can continue activating Endpoint DLP.
  9. Verify the tenant details for which you're activating Endpoint DLP.
    This information is populated by default when the magic link is generated. Palo Alto Networks recommends verifying the following tenant details before activation to resolve any issues before activation.
    • Customer Support Account—Endpoint DLP must be activate on the same Customer Support Portal account as Enterprise DLP.
    • Region—Region is populated by default and is based on the region configured for the Customer Support Portal tenant. This cannot be changed.
    • Endpoint DLP Licenses—Endpoint DLP license must be Fully Assigned and display the total number of supported users.
  10. Agree to the Terms and Conditions.
  11. Activate Now.
  12. Log in to Strata Cloud Manager and set up Endpoint DLP.
    1. Edit the Endpoint DLP data filtering settings and snippet settings to define the operational parameters.
    2. Enable Optical Character Recognition on Strata Cloud Manager to scan files with images containing sensitive information.
    3. (Optional) Save evidence for investigative analysis with Enterprise DLP to connect an AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP to automatically store evidence of traffic scanned by the DLP cloud service
    4. (Optional) Create a User Coaching Notification Template for Endpoint DLP.
      The End User Coaching Notification Template allows you to configure the notification displayed to your users in the Access Experience User Interface (UI) when they generate a DLP incident.
      For the Product Name, select Endpoint Data Loss Prevention. Configure the Applied Rules and Notification Message as needed.
    5. Add peripheral devices to Endpoint DLP.
    6. Create a peripheral group to group similar types of peripheral devices together for easier application of Endpoint DLP policy rules.
    7. Create an Endpoint DLP policy rule to control access to peripheral devices and prevent exfiltration of sensitive data.

Multitenant

Activate Endpoint DLP to prevent exfiltration of sensitive data over peripheral devices for a multitenant Customer Support Portal (CSP) account.
  1. Log in to Strata Cloud Manager.
  2. Enable Enterprise Data Loss Prevention (E-DLP) for Strata Cloud Manager if not already enabled.
    Enterprise DLP must be active on your tenant to enable and use Endpoint DLP.
  3. Install the following Microsoft Redistributable libraries on all endpoints where you installed the Prisma Access Agent.
    Install the latest versions for the Microsoft Windows version running on the endpoint. This is required enable the Prisma Access Agent to inspect file movement between the endpoint and a peripheral device to prevent exfiltration of sensitive data.
  4. Install the Prisma Access Agent on all endpoints you want to protect.
  5. Contact your Palo Alto Networks representative to purchase the Endpoint DLP subscription.
  6. Click the magic link provided to you by Palo Alto Networks when you purchased the Endpoint DLP subscription.
  7. Activate Subscription to begin activating Endpoint DLP.
  8. Enter your Email Address and click Next to continue.
    This email address must match the email that received the magic link to activate Endpoint DLP and must have a valid Palo Alto Networks Customer Support Portal account.
    Click Create a New Account if you're a security administrator who does not yet have a valid Palo Alto Networks Customer Support Portal account for your organization. This is required before you can continue activating Endpoint DLP.
  9. Verify you are activating Endpoint DLP for the correct Customer Support Portal account.
  10. In Specify the Tenant, select the child tenant for which you want to activate Endpoint DLP.
    Enterprise DLP must be active on the tenant for which you activating Endpoint DLP.
    Click Done to continue.
  11. Verify the tenant details for which you're activating Endpoint DLP.
    • Region—Region is populated by default and is based on the child tenant you selected in the previous step. This cannot be changed.
    • Endpoint DLP Licenses—Endpoint DLP license must be Fully Assigned and display the total number of supported users.
  12. For the Cloud Identity Engine, select the CIE instance associated with your Customer Support Portal account and click Done.
  13. Agree to the Terms and Conditions.
  14. Activate Now.
  15. Log in to Strata Cloud Manager and set up Endpoint DLP.
    1. Edit the Endpoint DLP data filtering settings and snippet settings to define the operational parameters.
    2. Enable Optical Character Recognition on Strata Cloud Manager to scan files with images containing sensitive information.
    3. (Optional) Save evidence for investigative analysis with Enterprise DLP to connect an AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP to automatically store evidence of traffic scanned by the DLP cloud service
    4. (Optional) Create a User Coaching Notification Template for Endpoint DLP.
      The End User Coaching Notification Template allows you to configure the notification displayed to your users in the Access Experience User Interface (UI) when they generate a DLP incident.
      For the Product Name, select Endpoint Data Loss Prevention. Configure the Applied Rules and Notification Message as needed.
    5. Add peripheral devices to Endpoint DLP.
    6. Create a peripheral group to group similar types of peripheral devices together for easier application of Endpoint DLP policy rules.
    7. Create an Endpoint DLP policy rule to control access to peripheral devices and prevent exfiltration of sensitive data.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.