Configuration Export and Import

Export and import your Enterprise Data Loss Prevention (E-DLP) configuration to test changes before deploying to your production environments.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Prisma Browser
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
  Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Enterprise Data Loss Prevention (E-DLP) configuration export and import enables you to manage Enterprise DLP configurations across different environments. You can use Enterprise DLP configuration export and import to:
  • Implement more rigorous change management processes for your data security policy.
  • Migrate your Enterprise DLP configuration from a test to production environment to test and validate configuration changes thoroughly.
    For example, you can use a dedicated lab Enterprise DLP tenant to develop and test changes to your organization's data security policy. Once you validate the efficacy of these changes, you can export your lab Enterprise DLP tenant configuration and import it to your production Enterprise DLP tenant. This process helps reduce the risk of unintended data leakage in the live environment.
  • Export a known good Enterprise DLP configuration as a backup in case you need to restore your data security policy.
    This enables you to avoid business disruptions and prevent prolonged periods of data exfiltration vulnerability by quickly restoring your production Enterprise DLP tenant configuration to a known good configuration.
  • Maintain an audit trail to create a detailed record of configuration changes, exports, and imports, which enhances your security posture, supports compliance, and simplifies troubleshooting.
Enterprise DLP offers two methods to export your configuration in JSON format:
  • Individual Configuration Objects
    Select one or more data patterns, data profiles, or data dictionaries.
    (Data Profiles and DLP Rules) When you create a data profile, Enterprise DLP automatically creates an associated DLP rule. When you export a data profile, Enterprise DLP also exports the DLP rule because the DLP rule is derived from the data profile. Importing a new data profile to an Enterprise DLP tenant also creates the corresponding DLP rule.
  • Entire Enterprise DLP Configuration
    Export all your data patterns, data profiles, custom document types, data dictionaries, or EDM datasets.
    (Custom Document Types and EDM Datasets) For custom document types and EDM datasets, Enterprise DLP exports only the metadata, not the binary data. The identical custom document type or EDM dataset must already exist in the destination Enterprise DLP tenant for a successful import.
Enterprise DLP provides conflict detection and resolution capabilities when importing objects or your entire configuration:
  • Missing or Different Custom Document Types or EDM Datasets
    If you import a configuration that references a custom document type or EDM dataset that does not exist in the destination Enterprise DLP tenant, or if the existing object differs from the one in the source tenant, you must upload the identical custom document type or EDM dataset to the destination Enterprise DLP tenant before the import can continue.
  • Missing Data Patterns or Data Dictionaries
    Enterprise DLP automatically creates the data patterns and data dictionaries included in an imported data profile if they don't already exist in the Enterprise DLP tenant.
  • Identical Object Name and Configuration
    Enterprise DLP skips importing a configuration object with an identical name and configuration.
    For example, a custom regex data pattern named PatternA currently exists on your production tenant. You import the entire Enterprise DLP configuration from your lab to your production tenant. This import includes an identical PatternA. Enterprise DLP skips importing this data pattern.
  • Identical Object Name and Different Configuration
    Enterprise DLP lets you choose whether to override an existing configuration object if the imported object has an identical name but different configuration.
    For example, a custom regex data pattern named PatternB currently exists on your production tenant. You import the entire Enterprise DLP configuration from your lab to your production tenant. This import includes a data pattern named PatternB with a different regex. In this case, you can choose whether to preserve the existing PatternB configuration or overwrite it.
  • Malformed or Unsupported Configuration Object Dependencies
    Enterprise DLP skips importing configuration objects with unsupported dependencies.
    This typically happens if you modify the exported .json file in such a way that prevents Enterprise DLP from importing a configuration dependency.
    For example, the .json file includes Data Profile A, consisting of Data Dictionary A and Data Pattern A, and Data Profile B, consisting of Data Dictionary B and Data Pattern A. You modify the .json file and change the name of Data Dictionary B to include an ampersand (&), which Enterprise DLP doesn't support.
    In this case, Enterprise DLP imports Data Profile A but not Data Profile B. When you view the audit log for the import, you will see that Enterprise DLP only imported Data Profile A.
Enterprise DLP generates an audit log for all export and import activity to maintain a comprehensive history of configuration changes. Audit logs capture details such as the time of the action, the user who performed the export or import, and the specific configurations that were exported or imported.

Export an Enterprise DLP Configuration Object

Export one or more Enterprise Data Loss Prevention (E-DLP) data patterns, data profiles, and data dictionaries.
  1. Log in to Strata Cloud Manager.
  2. Select the type of Enterprise DLP configuration object you want to export.
    You can export one type of configuration object at a time. For example, if you want to export a specific set of data patterns, profiles, and data dictionaries, you must first select your data patterns and export them, then select your data profiles, and then your data dictionaries.
    • Configuration > Data Loss Prevention > Data Profiles
    • Configuration > Data Loss Prevention > Detection Methods > Data Dictionary
    • Configuration > Data Loss Prevention > Detection Methods > Data Patterns
  3. (Data Patterns and Data Dictionaries only) Apply filters to narrow down the list of configuration objects you want to export.
  4. Select one or more configuration objects you want to export.
  5. Click Export to export the selected configuration objects.
  6. Enterprise DLP prepares the JSON configuration file and downloads it to your local device.
    Enterprise DLP notifies you when the export completes successfully or if an error prevented a successful export.
  7. Review the downloaded configuration file.
    The configuration file has the following naming convention: export_YYYY-MM-DDTHHMMSS.json. You can rename the file as needed.
  8. Select Configuration > Data Loss Prevention > Settings > Export Configuration to review your Enterprise DLP Export History.
    You can use this page to audit all Enterprise DLP configuration object exports and to download previously exported Enterprise DLP configuration object exports.
    • Objects—Type of configuration object you exported.
    • Date Exported—Date and time you exported the configuration object.
    • Exported By—Email of the user who exported the configuration object.
    • Click Action for the configuration object export you want to download.

Export Your Entire Enterprise DLP Configuration

Export all your Enterprise Data Loss Prevention (E-DLP) data patterns, data profiles, and data dictionaries.
  1. Log in to Strata Cloud Manager.
  2. Select Configuration > Data Loss Prevention > Settings > Export Configuration.
  3. Click Export to export your Enterprise DLP configuration.
    Enterprise DLP notifies you when the export completes successfully or if an error prevented a successful export.
    Enterprise DLP exports the following configuration objects:
    • Configuration > Data Loss Prevention > Data Profiles
    • Configuration > Data Loss Prevention > Detection Methods > Data Dictionary
    • Configuration > Data Loss Prevention > Detection Methods > Data Patterns
  4. Enterprise DLP prepares the JSON configuration file and downloads it to your local device.
    The configuration file has the following naming convention: export_YYYY-MM-DDTHHMMSS.json. You can rename the file as needed.
  5. Review your Enterprise DLP Export History.
    You can use this page to audit all Enterprise DLP configuration object exports and to download previously exported Enterprise DLP configuration object exports.
    • Objects—Type of configuration object you exported.
    • Date Exported—Date and time you exported the configuration object.
    • Exported By—Email of the user who exported the configuration object.
    • Click Action for the configuration object export you want to download.

Import an Enterprise DLP Object or Configuration

Import your Enterprise Data Loss Prevention (E-DLP) data patterns, data profiles, and data dictionaries.
  1. Log in to Strata Cloud Manager.
  2. Select Configuration > Data Loss Prevention > Settings > Import Configuration.
  3. Drag and drop the Enterprise DLP JSON configuration file or click Browse file to navigate to it.
  4. Click Import to confirm the configuration import.
    Enterprise DLP displays Import is in progress... during the import.
  5. Resolve any import conflicts.
    • (Custom Document Types and EDM Datasets only) Custom Document Type or EDM Dataset does not exist or differs from source
      Upload the identical custom document type or EDM dataset to the destination Enterprise DLP tenant before you can successfully import the configuration file. The object in the destination tenant must match the one in the source tenant exactly.
    • Existing Object with Identical Name and Configuration
      Enterprise DLP skips importing a configuration object with an identical name and configuration. Enterprise DLP does not provide any warning or notification that it skipped a configuration object.
    • Existing Object with Identical Name But Different Configuration
      Enterprise DLP lets you choose whether to override an existing configuration object if the imported object has an identical name but different configuration.
      Click Replace to override the configuration of one or more existing configuration objects with those from the imported configuration.
      Click Cancel to terminate the configuration import.
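
Because identical objects are skipped without any notification, it helps to preview an import against a backup export of the destination tenant before clicking Import. The following sketch is an added example, not Palo Alto Networks code; it applies the conflict rules described earlier on this page and in step 5 above. The real export schema is not shown on this page, so the layout used here (object type, then name, then configuration, with a hypothetical "uses" list for profile dependencies) and all sample values are constructed assumptions.

```python
# Constructed sample data; the JSON layout is an assumption, not the real schema.
PROD = {  # backup export of the destination (production) tenant
    "data_patterns": {"PatternA": {"regex": r"\d{3}-\d{2}-\d{4}"},
                      "PatternB": {"regex": r"[A-Z]{2}\d{6}"}},
    "data_dictionaries": {},
    "data_profiles": {},
}
LAB_EXPORT = {  # export from the lab tenant, edited by hand after download
    "data_patterns": {"PatternA": {"regex": r"\d{3}-\d{2}-\d{4}"},
                      "PatternB": {"regex": r"[A-Z]{3}\d{6}"}},
    "data_dictionaries": {"DictA": {"terms": ["confidential"]},
                          "Dict&B": {"terms": ["internal"]}},
    "data_profiles": {"ProfileA": {"uses": ["DictA", "PatternA"]},
                      "ProfileB": {"uses": ["Dict&B", "PatternA"]}},
}

UNSUPPORTED = "&"  # the only unsupported character this page names


def preview_import(export, dest):
    """Map (type, name) to the import outcome this page describes."""
    # Names that the destination would reject, collected across all types.
    bad_names = {name for objs in export.values() for name in objs
                 if UNSUPPORTED in name}
    outcome = {}
    for kind, objs in export.items():
        existing = dest.get(kind, {})
        for name, cfg in objs.items():
            if name in bad_names:
                verdict = "unsupported-name"      # flag for manual review
            elif bad_names.intersection(cfg.get("uses", [])):
                verdict = "skip-bad-dependency"   # dependent object is skipped
            elif name not in existing:
                verdict = "create"                # missing objects are created
            elif existing[name] == cfg:
                verdict = "skip-identical"        # skipped with no warning
            else:
                verdict = "replace-or-keep"       # Replace/Cancel prompt
            outcome[(kind, name)] = verdict
    return outcome


if __name__ == "__main__":
    for (kind, name), verdict in sorted(preview_import(LAB_EXPORT, PROD).items()):
        print(f"{kind:18} {name:10} {verdict}")
```

Compare the preview with the import audit log afterwards; any object the preview marked as "create" that the log does not list was skipped.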