Enable Enterprise DLP on Strata Cloud Manager

1. Enable Enterprise DLP.

   • Single Prisma SASE Platform Tenant License Activation
     Activate a License for Cloud-Managed Prisma Access Through the Prisma SASE Platform for a single tenant deployment. Follow this procedure to activate Enterprise DLP when your tenant has no subtenants or tenant hierarchy of any kind.
   • Multitenant Prisma SASE Platform License Activation
     Activate a License for Prisma Access Multitenant Through the Prisma SASE Platform to activate Enterprise DLP for a parent tenant or a subtenant.
   • CASB-X Platform License Activation
     By default, the Enterprise DLP license is included as part of the CASB-X license. To activate Enterprise DLP for your CASB-X tenants, you only need to activate CASB-X. There’s no individual Enterprise DLP license you need to activate when using CASB-X.
     To use Enterprise DLP for a CASB-X tenant, you must Activate a Next Generation CASB License on Cross Platforms (CASB-X) Through the Prisma SASE Platform.
2. Log in to Strata Cloud Manager.
3. Verify that the DLP license is active.

   1. Select ManageConfigurationNGFW and Prisma AccessOverview and navigate to the Licenses widget.
   2. Click the license Quantity and confirm that the Data Loss Prevention license is active.

      Confirm the Data Loss Prevention license Type displays PAID and that an expiration date is displayed.

   3. Select ManageConfiguration and verify that Data Loss Prevention is displayed.
4. Create the decryption profile required for Enterprise DLP to inspect traffic.

   1. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesDecryption and Add Profile.
   2. Enter a descriptive Name for the decryption profile.
   3. Review the predefined decryption profile settings.

      The predefined decryption profile settings enable Enterprise DLP to inspect traffic. Modifying the predefined decryption profile settings isn’t required unless you need to enable Strip ALPN.

   4. (Software Version 10.2.2 or earlier versions) Configure the decryption profile to remove Application-Layer Protocol Negotiation (ALPN) headers from uploaded files.

      Remove the ALPN headers from files if any Strata Cloud Manager deployment is running software version 10.2.2 or earlier version. If your entire Strata Cloud Manager deployment is running software version 10.2.3 or later version, stripping ALPN headers isn’t required.

      A web security admin can also strip ALPN headers in the Web Security decryption settings(ManageWeb SecuritySecurity SettingsDecryption and edit the Action Options). Web Security admins don’t need to create a decryption policy rule and can push the setting to Remote Networks and Mobile Users.

      1. In the SSL Forward Proxy, click Advanced.
      2. Check (enable) Strip ALPN and Save.

   5. Save the Decryption profile group.
5. Create a decryption policy rule to decrypt traffic for Enterprise DLP inspection.

   Cloud Management includes the predefined Exclude Microsoft O365 Optimized Endpoints - IPs and Exclude Microsoft O365 Optimized Endpoints - URLs decryption rules that exclude Microsoft Office 365 from decryption.

   For Enterprise DLP to successfully inspect traffic for Microsoft Office 365, you must position this new decryption rule before the predefined decryption exclusion rules. Alternatively, you can Disable these rules or Delete them.

   1. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesDecryption and Add Rule.
   2. Enter a descriptive Name and configure the decryption policy rule as needed.
   3. In the Action and Advanced Inspection section, configure the policy rule to Decrypt traffic that matches this rule.
   4. For the Type, select SSL Forward Proxy.
   5. Select the Decryption Profile you created to strip ALPN headers.

   6. Save the decryption policy rule.
6. Push your data filtering profile.

   1. Push Config and Push.
   2. Select (enable) Remote Networks and Mobile Users.
   3. Push.
7. Enable Role Based Access for Enterprise DLP.