Install the Enterprise DLP Plugin on Panorama
Install or uninstall the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
  • NGFW (Managed by Panorama)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
To use Enterprise Data Loss Prevention (E-DLP), you must first install the device certificate on your Panorama™ management server and all managed NGFW using Enterprise DLP. This is required to successfully connect your Panorama and NGFW to Enterprise DLP to synchronize data patterns and data profiles, and to forward traffic to Enterprise DLP for inspection and verdict rendering.
After you successfully install the device certificate, you must install the Enterprise DLP plugin on Panorama. The Enterprise DLP plugin on Panorama is required to manage your Enterprise DLP configuration and to push Enterprise DLP configuration changes to your managed NGFW. A Panorama with the Enterprise DLP plugin installed is required; managing the Enterprise DLP configuration on your NGFW isn't supported.
When upgrading within the same major plugin version, you only need to manually upgrade the Enterprise DLP plugin on Panorama. For example, if you currently have Enterprise DLP plugin version 5.0.0 installed and want to upgrade to Enterprise DLP plugin version 5.0.1, you download and install the new plugin version on Panorama only.
You only need to install the Enterprise DLP plugin on Panorama. By default, all NGFW have the minimum supported Enterprise DLP plugin version installed based on the currently installed PAN-OS version; the minimum supported plugin version is installed automatically when you install a new PAN-OS version on your NGFW.
To perform configuration changes on Panorama, the Enterprise DLP plugin creates a temporary __dlp Panorama admin regardless of the admin making the configuration changes. The temporary __dlp admin is only used by the Enterprise DLP plugin for configuration changes and has no login credentials. The __dlp admin can't be used to log in to Panorama and isn't listed as a Panorama administrator account. The __dlp admin has no access privileges beyond the Enterprise DLP plugin.
You can associate up to one Panorama per Customer Support Account tenant with an active Enterprise DLP license when Panorama is not in a high availability (HA) configuration, or up to two Panorama when Panorama is in an active/passive HA configuration.
Enterprise DLP fails to synchronize your Enterprise DLP configuration to Panorama if you have more than one Panorama associated with your Customer Support tenant with an active Enterprise DLP license.
Your existing data patterns (Objects > Custom Objects > Data Patterns) and data filtering profiles (Objects > Security Profiles > Data Filtering) are automatically hidden after you successfully install the Enterprise DLP plugin on Panorama. To display your existing data patterns and filtering profiles when you need to reference them, you can temporarily enable existing data patterns and profiles.
To uninstall the Enterprise Data Loss Prevention (E-DLP) plugin, you must remove all Enterprise DLP data filtering profile references from all your Security policy rules before you can uninstall the plugin from Panorama.

Install the Enterprise DLP Plugin

Install the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.
  1. Review the Compatibility Matrix to verify the Enterprise DLP plugin version is supported on the PAN-OS version running on Panorama.
  2. (Best Practices) Before you install the plugin and activate your Enterprise DLP license, log in to the Palo Alto Networks Customer Support Portal and select Assets > Devices to locate Panorama and your managed firewalls and verify that they all belong to the same CSP account.
    Panorama and any managed firewalls on which you want to use Enterprise DLP must belong to the same CSP account, which enables you to share data profiles and maintain consistent Security policy rule enforcement.
  3. Add your NGFW or Prisma Access tenants to a device group and template stack.
    Device groups and template stacks are required to manage your NGFW or Prisma Access tenant configurations and are required to push Enterprise DLP configuration changes.
    Skip this step if you already added your NGFW or Prisma Access tenants to a device group and template stack.
  4. Install the Panorama Device Certificate.
    (High Availability) If Panorama is in an active/passive high availability (HA) configuration, install the Panorama device certificate on both HA peers.
  5. Install the Device Certificate for Managed Firewalls.
    The device certificate is required for all managed firewalls using Enterprise DLP.
  6. Install the plugin on Panorama.
    1. Log in to the Panorama web interface.
    2. Select Panorama > Plugins and search for the latest version of the Enterprise DLP plugin.
    3. Download the Enterprise DLP plugin.
    4. (HA only) Check (enable) Sync to HA peer to install the Enterprise DLP plugin on the Panorama HA peer.
      You must install the Enterprise DLP plugin on both HA peers to successfully use Enterprise DLP. Installing the Enterprise DLP plugin on only one of the HA peers might result in configuration push errors and cause the active HA peer to become suspended.
    5. Install the Enterprise DLP plugin on Panorama.
      Repeat this step on both Panorama HA peers.
  7. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and Enterprise DLP in sync.
      For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user must also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  8. Activate your Enterprise DLP license for your managed firewalls.
    Repeat this step for all managed firewalls using Enterprise DLP.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select Assets > Licenses & Subscriptions and locate the managed firewall for which you want to activate Enterprise DLP.
    3. In the Actions column, click Licenses & Subscriptions.
    4. Click Activate License at the bottom of the page.
    5. Select Activate License from the list of Activation Types.
    6. In the Activate Auth-Code field, enter the auth code provided by Palo Alto Networks.
    7. Agree and Submit.
  9. (Optional) Create a Palo Alto Networks Support ticket to enable your Enterprise DLP license to transfer between firewalls.
    Requesting that the Enterprise DLP license is transferable enables you to transfer your DLP license to other managed firewalls.
    In the support ticket, include the following information:
    • The request for a firewall transfer for the Enterprise DLP license.
    • Your CSP account ID and the email associated with your CSP account.
    • The managed firewall serial number. If you activated the Enterprise DLP license on multiple managed firewalls, include the serial numbers for all the managed firewalls in a single support ticket.
    • The auth codes used to activate the Enterprise DLP license on your managed firewalls.
    • Also provide the CSP account ID with which additional managed firewalls are associated if you have managed firewalls that belong to a different CSP account.
  10. Verify that you successfully activated Enterprise DLP.
    1. On Panorama, select Objects > DLP to confirm that the Data Filtering Patterns and Data Filtering Profiles automatically populate with the predefined data patterns and profiles.
    2. On the firewall web interface, select Device > Licenses and verify that the Enterprise DLP license successfully activated.
  11. After you successfully install the Enterprise DLP plugin on Panorama, you must create Security policy rules to enable your managed firewalls to leverage Enterprise DLP.

Uninstall the Enterprise DLP Plugin

Uninstall the Enterprise Data Loss Prevention (E-DLP) plugin from your Panorama™ management server.
  1. Log in to the Panorama web interface.
  2. Select Policies > Security and remove all Enterprise DLP data filtering profiles from your Security policy rules.
    This step is required to successfully uninstall the Enterprise DLP plugin.
  3. Commit and push your configuration changes to your managed firewalls using Enterprise DLP.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    1. Select Commit > Commit to Panorama and Commit.
    2. Select Commit > Push to Devices and Edit Selections.
    3. Select Device Groups and Include Device and Network Templates.
    4. Click OK.
    5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  4. In the Panorama web interface, select Panorama > Plugins and Uninstall the Enterprise DLP plugin.
    (HA) Repeat this step on both Panorama HA peers if Panorama is in an HA configuration.
  5. Commit and push the new configuration to your managed firewalls to uninstall the Enterprise DLP plugin.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user must also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
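Because the plugin can't be uninstalled while any Security policy rule still references an Enterprise DLP data filtering profile (the requirement stated in the introduction and in step 2 of this procedure), it is worth checking a configuration export before you start. The following Python script is an added example, not Palo Alto Networks code: it parses a Panorama configuration XML and lists every pre-rulebase or post-rulebase Security rule that references one of the given Enterprise DLP profile names, either directly or through a profile group. The element layout in the constructed sample follows the PAN-OS configuration schema as the author understands it and should be compared against your own export; the profile names, device group and rules are constructed for the example.

```python
"""Pre-flight check before uninstalling the Enterprise DLP plugin: list Security
rules in a Panorama config export that still reference an Enterprise DLP profile."""
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama configuration export, trimmed to the elements
# this check reads. Element names follow the PAN-OS schema as the author
# understands it (assumption); verify against a real "show config running" export.
SAMPLE_CONFIG = """<config>
  <shared>
    <profile-group>
      <entry name="shared-strict">
        <virus><member>default</member></virus>
        <data-filtering><member>edlp-pci</member></data-filtering>
      </entry>
    </profile-group>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="branch-fw">
      <profile-group>
        <entry name="dg-group"><data-filtering><member>edlp-hipaa</member></data-filtering></entry>
      </profile-group>
      <pre-rulebase><security><rules>
        <entry name="allow-web">
          <profile-setting><profiles><data-filtering><member>edlp-pci</member></data-filtering></profiles></profile-setting>
        </entry>
        <entry name="allow-saas">
          <profile-setting><group><member>shared-strict</member></group></profile-setting>
        </entry>
        <entry name="allow-dns">
          <profile-setting><profiles><virus><member>default</member></virus></profiles></profile-setting>
        </entry>
      </rules></security></pre-rulebase>
      <post-rulebase><security><rules>
        <entry name="catch-all-files">
          <profile-setting><group><member>dg-group</member></group></profile-setting>
        </entry>
        <entry name="legacy-filter">
          <profile-setting><profiles><data-filtering><member>old-ccn-filter</member></data-filtering></profiles></profile-setting>
        </entry>
      </rules></security></post-rulebase>
    </entry>
  </device-group></entry></devices>
</config>
"""

# Constructed names of the Enterprise DLP profiles (Objects > DLP > Data Filtering
# Profiles). "old-ccn-filter" stands for a legacy profile and must not be reported.
EDLP_PROFILES = {"edlp-pci", "edlp-hipaa"}


def data_filtering_groups(root):
    """Map profile-group name -> set of data filtering profiles it carries.
    Shared and device-group groups are merged by name (assumes names are unique)."""
    groups = {}
    for entry in root.iterfind(".//profile-group/entry"):
        members = {m.text for m in entry.iterfind("data-filtering/member")}
        groups[entry.get("name")] = members
    return groups


def find_dlp_references(config_xml, dlp_profiles):
    """Return (device-group, rulebase, rule, profile, how) for every Security rule
    that references an Enterprise DLP profile directly or via a profile group."""
    root = ET.fromstring(config_xml)
    groups = data_filtering_groups(root)
    hits = []
    for dg in root.iterfind("./devices/entry/device-group/entry"):
        for rulebase in ("pre-rulebase", "post-rulebase"):
            for rule in dg.iterfind(f"{rulebase}/security/rules/entry"):
                setting = rule.find("profile-setting")
                if setting is None:
                    continue
                for member in setting.iterfind("profiles/data-filtering/member"):
                    if member.text in dlp_profiles:
                        hits.append((dg.get("name"), rulebase, rule.get("name"), member.text, "direct"))
                for group in setting.iterfind("group/member"):
                    for prof in sorted(groups.get(group.text, set()) & dlp_profiles):
                        hits.append((dg.get("name"), rulebase, rule.get("name"), prof, f"group:{group.text}"))
    return hits


if __name__ == "__main__":
    refs = find_dlp_references(SAMPLE_CONFIG, EDLP_PROFILES)
    if not refs:
        print("No Enterprise DLP profile references found; the plugin can be uninstalled.")
    for dg, rulebase, rule, prof, how in refs:
        print(f"{dg}/{rulebase}/{rule}: references {prof} ({how})")
```

Rules that reach a DLP profile only through a profile group are the ones most often missed when cleaning up by hand, which is why the group lookup is included. Run the check again after the commit and push in step 3 to confirm the list is empty before uninstalling.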

Troubleshoot the Enterprise DLP Plugin

Troubleshoot issues when installing the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.
Review the information below if you have trouble installing or upgrading the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.

Reset the Enterprise DLP Plugin

In some cases, data security administrators need to reset the Enterprise DLP plugin in the Panorama CLI to resolve Enterprise DLP configuration sync or upgrade issues causing Panorama commit failures or failed plugin validation errors. These errors are often related to the device certificate required on Panorama or the NGFW, or a general connectivity issue preventing Panorama or the NGFW from connecting to Enterprise DLP. This issue manifests in two primary ways:
  • Out-of-Sync State—Occurs when Enterprise DLP can't sync data patterns or data filtering profiles on Panorama with Strata Cloud Manager. This results in commit warnings and commit failures on Panorama.
  • Manual Post-Upgrade Sync—After upgrading from Enterprise DLP plugin 1.0.4 or 1.0.5 to a later version, your data security administrator must manually synchronize the Enterprise DLP plugin with Strata Cloud Manager.
Review the steps below to identify and resolve the issue.
  1. Log in to the Panorama CLI.
  2. Reset the Enterprise DLP plugin using either of the following commands. They are functionally the same and both reset the Enterprise DLP plugin.
    • request plugins reset-plugin only plugin plugin-name dlp
    • request plugins reset-plugin plugin-name dlp
  3. Review the plugin reset command responses.
    A successful plugin reset returns one of the following responses.
    • pass dlp reset local state, then synced candidate configuration
    • plugin dlp has been reset
    An unsuccessful plugin reset returns one of the following responses.
    • fail DLP reset failure, check DLP plugin log
      Plugin reset failed due to an issue with the device certificate on Panorama and requires the data security administrators to investigate the plugin log.
    • Cannot perform operation : DLP not provisioned for this tenant
      Plugin reset failed due to Panorama not having a valid Enterprise DLP tenant ID.
  4. Investigate further depending on the error message Panorama returned when resetting the plugin.
    • fail DLP reset failure, check DLP plugin log
      Check the Enterprise DLP plugin log on Panorama.
      admin>tail follow yes mp-log plugin_dlp.log
      Look for the following device certificate errors.
      ERROR: [dlp_agent] Cannot load the device certificate for authentication
      ERROR: [dlp_agent] Tenant: , Result: fail, Message: Cannot load the device certificate for authentication
      If you find these device certificate errors, install the Panorama device certificate and reset the plugin.
      If you installed the Panorama device certificate and continue to experience errors after a plugin reset, continue to the next step.
    • Cannot perform operation : DLP not provisioned for this tenant
      1. Check that Panorama successfully provisioned your Enterprise DLP tenant ID.
        admin>show system state | match cfg.platform.dlp_tenant_id
      2. Panorama returns one of the following responses.
        • Provisioned Enterprise DLP Tenant ID:
          cfg.platform.dlp_tenant_id: <numerical tenant ID>
          If Panorama successfully provisioned your Enterprise DLP tenant ID and you continue to experience issues resetting the Enterprise DLP plugin, review your Panorama connectivity and logs. There might be unrelated network configurations causing this error. Additionally, ensure that you enabled Enterprise DLP on your network. Continue to the next step to troubleshoot NGFW connectivity issues.
        • No Provisioned Enterprise DLP Tenant ID:
          cfg.platform.dlp_tenant_id: 0
          Continue to the next step to provision the Enterprise DLP tenant ID on Panorama.
      3. Provision the Enterprise DLP tenant ID on Panorama.
        admin>request plugins dlp provision-tenant
        Panorama returns the following responses.
        • Successful Provisioning:
          Pass
          DLP Provision Successful
        • Failed Provisioning - Generic
          fail
          DLP Provisioning Failed - Empty tenant ID
          If Panorama returns this response, review your Panorama connectivity and logs. There might be unrelated network configurations preventing Panorama from contacting the Enterprise DLP cloud service. Additionally, ensure that you enabled Enterprise DLP on your network.
        • Failed Provisioning - Panorama Device Certificate
          fail
          DLP Provisioning Failed - Thermite Cert is not installed
          If Panorama returns this response, install the Panorama device certificate and provision the Enterprise DLP tenant ID.
  5. Troubleshoot NGFW connectivity issues.
    1. Log in to the NGFW CLI.
    2. Check the CTD-Agent status.
      admin>show ctd-agent status security-client
    3. Review the Cloud connection status.
      If the status displays connected, there might be issues not related to Enterprise DLP or the device certificate.
      If the status displays disconnected, install the device certificate on your NGFW.
    4. Restart the Enterprise DLP agent.
      admin>debug software restart process ctd-agent
    5. Check the Cloud connection status again.
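The decision tree above (reset response, plugin log, tenant ID, provision response, then NGFW connectivity) is easy to misread when working through several Panorama instances. The following Python helper is an added example, not part of this page or of Palo Alto Networks software: it classifies the command responses using the exact strings documented above and returns the next action. The log lines and command outputs in the sample are constructed, not captured from a real system, and the next-action strings are the author's own summaries of the steps above.

```python
"""Triage helper for the Enterprise DLP plugin reset flow documented above."""
import re

# Responses of "request plugins reset-plugin plugin-name dlp" as documented.
RESET_OK = (
    "pass dlp reset local state, then synced candidate configuration",
    "plugin dlp has been reset",
)
RESET_CHECK_LOG = "fail DLP reset failure, check DLP plugin log"
RESET_NOT_PROVISIONED = "Cannot perform operation : DLP not provisioned for this tenant"

# Device certificate errors to look for in "tail follow yes mp-log plugin_dlp.log".
CERT_ERROR_RE = re.compile(r"ERROR: \[dlp_agent\] .*Cannot load the device certificate for authentication")
# Line returned by "show system state | match cfg.platform.dlp_tenant_id".
TENANT_RE = re.compile(r"cfg\.platform\.dlp_tenant_id:\s*(\d+)")


def classify_reset(output):
    """Map the reset command response to a branch of the troubleshooting flow."""
    text = " ".join(output.split())
    if text in RESET_OK:
        return "ok"
    if text.startswith(RESET_CHECK_LOG):
        return "check-plugin-log"
    if text.startswith(RESET_NOT_PROVISIONED):
        return "check-tenant-id"
    return "unknown"


def device_cert_errors(log_lines):
    """Return the plugin log lines that report a device certificate failure."""
    return [line for line in log_lines if CERT_ERROR_RE.search(line)]


def tenant_id(system_state_output):
    """Extract the numeric tenant ID (0 means not provisioned); None if the line is absent."""
    match = TENANT_RE.search(system_state_output)
    return int(match.group(1)) if match else None


def classify_provision(output):
    """Map the "request plugins dlp provision-tenant" response to a result."""
    text = " ".join(output.split()).lower()
    if "dlp provision successful" in text:
        return "provisioned"
    if "thermite cert is not installed" in text:
        return "install-device-certificate"
    if "empty tenant id" in text:
        return "check-connectivity"
    return "unknown"


def next_action(reset_output, log_lines=(), system_state_output="", provision_output=None):
    """Walk the documented decision tree and return the next step to take."""
    branch = classify_reset(reset_output)
    if branch == "ok":
        return "reset succeeded; retry the Panorama commit"
    if branch == "check-plugin-log":
        if device_cert_errors(log_lines):
            return "install the Panorama device certificate, then reset the plugin again"
        return "no device certificate error in plugin_dlp.log; troubleshoot NGFW connectivity (show ctd-agent status security-client)"
    if branch == "check-tenant-id":
        tid = tenant_id(system_state_output)
        if tid is None:
            return "tenant ID line not found in show system state output; rerun the check"
        if tid != 0:
            return f"tenant {tid} is provisioned; review Panorama connectivity and logs"
        if provision_output is None:
            return "tenant ID is 0; run: request plugins dlp provision-tenant"
        return {
            "provisioned": "tenant provisioned; reset the plugin again",
            "install-device-certificate": "install the Panorama device certificate, then provision the tenant again",
            "check-connectivity": "provisioning returned an empty tenant ID; review Panorama connectivity to the Enterprise DLP cloud service",
        }.get(classify_provision(provision_output), "unrecognised provision-tenant response; review plugin_dlp.log")
    return "unrecognised reset response; review plugin_dlp.log"


# Constructed sample log lines for a stand-alone run (not captured from a real system).
SAMPLE_LOG = [
    "2025-05-07 10:01:02 INFO: [dlp_agent] starting configuration sync",
    "2025-05-07 10:01:03 ERROR: [dlp_agent] Cannot load the device certificate for authentication",
    "2025-05-07 10:01:03 ERROR: [dlp_agent] Tenant: , Result: fail, Message: Cannot load the device certificate for authentication",
]

if __name__ == "__main__":
    print(next_action(RESET_CHECK_LOG, SAMPLE_LOG))
    print(next_action(RESET_NOT_PROVISIONED, system_state_output="cfg.platform.dlp_tenant_id: 0"))
    print(next_action(RESET_NOT_PROVISIONED, system_state_output="cfg.platform.dlp_tenant_id: 0",
                      provision_output="fail\nDLP Provisioning Failed - Thermite Cert is not installed"))
```

The matching is deliberately anchored on the documented strings rather than on loose keywords, so an unfamiliar response falls through to "unrecognised" instead of being mapped to the wrong remediation.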