Configuration Export and Import

Export and import your Enterprise Data Loss Prevention (E-DLP) configuration to test it before deploying it to your production environments.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Enterprise DLP Configuration Export and Import is Limited Availability.
Contact your Palo Alto Networks sales representative to enable this feature on your Enterprise DLP tenant.
Enterprise Data Loss Prevention (E-DLP) configuration export and import provides data security administrators the ability to manage Enterprise DLP configurations across different environments. You can use Enterprise DLP configuration export and import to:
  • Implement more rigorous change management processes for your data security policy.
  • Migrate your Enterprise DLP configuration from a test environment to a production environment to test and validate configuration changes thoroughly.
    For example, data security administrators can use a dedicated lab Enterprise DLP tenant to develop and test changes to your organization's data security policy. Once your data security administrators validate the efficacy of these changes, they can export the lab Enterprise DLP tenant configuration and import it to your production Enterprise DLP tenant. This process helps reduce the risk of unintended data leakage in the live environment.
  • Export a known good Enterprise DLP configuration as a backup in case you need to restore your data security policy.
    This enables your organization to avoid business disruptions and prevent prolonged periods of data exfiltration vulnerability by allowing your data security administrators to quickly restore your production Enterprise DLP tenant configuration to a known good configuration.
  • Maintain an audit trail to create a detailed record of configuration changes, exports, and imports, which enhances your security posture, supports compliance, and simplifies troubleshooting.
Enterprise DLP offers two methods to export your configuration in JSON format:
  • Individual Configuration Objects
    Select one or more data patterns, data profiles, or data dictionaries.
    (Data Profiles and DLP Rules) When you create a data profile, Enterprise DLP automatically creates an associated DLP rule. When you export a data profile, Enterprise DLP also exports the DLP rule because the DLP rule is derived from the data profile. Importing a new data profile to an Enterprise DLP tenant also creates the corresponding DLP rule.
  • Entire Enterprise DLP Configuration
    Export all your data patterns, data profiles, custom document types, data dictionaries, or EDM datasets.
    (Custom Document Types and EDM Datasets) For custom document types and EDM datasets, Enterprise DLP exports only the metadata, not the actual document type or EDM dataset data.
Enterprise DLP provides conflict detection and resolution capabilities when importing objects or your entire configuration:
  • Missing Custom Document Types or EDM Datasets
    If you import a custom document type or EDM dataset that does not currently exist on the Enterprise DLP tenant, your data security administrator must manually upload them to Enterprise DLP before the import can continue.
  • Missing Data Patterns or Data Dictionaries
    Enterprise DLP automatically creates the data patterns and data dictionaries included in an imported data profile if they don't already exist in the Enterprise DLP tenant.
  • Identical Object Name and Configuration
    Enterprise DLP skips importing a configuration object with an identical name and configuration.
    For example, a custom regex data pattern named PatternA currently exists on your production tenant. Your data security administrator imports the entire Enterprise DLP configuration from your lab to your production tenant. This import includes an identical PatternA. Enterprise DLP skips importing this data pattern.
  • Identical Object Name and Different Configuration
    Enterprise DLP lets your data security administrator choose whether to override an existing configuration object if the imported object has an identical name but different configuration.
    For example, a custom regex data pattern named PatternB currently exists on your production tenant. Your data security administrator imports the entire Enterprise DLP configuration from your lab to your production tenant. This import includes a data pattern named PatternB with a different regex. In this case, your data security administrator can choose whether to preserve the existing PatternB configuration or overwrite it.
  • Malformed or Unsupported Configuration Object Dependencies
    Enterprise DLP skips importing configuration objects whose dependencies are not supported and can't be imported by Enterprise DLP.
    This typically happens if a data security administrator modified the exported .json file in a way that prevents Enterprise DLP from importing a configuration dependency.
    For example, the .json file includes Data Profile A, consisting of Data Dictionary A and Data Pattern A, and Data Profile B, consisting of Data Dictionary B and Data Pattern A. A data security administrator edited the .json file and changed the name of Data Dictionary B to include an &, which Enterprise DLP doesn't support.
    In this case, Enterprise DLP imports Data Profile A but not Data Profile B. When you view the audit log for the import, you will see that Enterprise DLP only imported Data Profile A.
Enterprise DLP generates an audit log for all export and import activity to maintain a comprehensive history of configuration changes. Audit logs capture details such as the time of the action, the user who performed the export or import, and the specific configurations that were exported or imported.

Export an Enterprise DLP Configuration Object

Export one or more Enterprise Data Loss Prevention (E-DLP) data patterns, data profiles and data dictionaries.
  1. Log in to Strata Cloud Manager.
  2. Navigate to the type of Enterprise DLP configuration object you want to export.
    You can export one type of configuration object at a time. For example, your data security administrator wants to import a specific set of data patterns, profiles, and data dictionaries. They must first navigate to your data patterns and export them, then navigate to your data profiles, and then to your data dictionaries.
    • Configuration > Data Loss Prevention > Data Profiles
    • Configuration > Data Loss Prevention > Detection Methods > Data Dictionary
    • Configuration > Data Loss Prevention > Detection Methods > Data Patterns
  3. (Data Patterns and Data Dictionaries only) Apply filters to narrow down the list of configuration objects you want to export.
  4. Select one or more configuration objects you want to export.
  5. Export the selected configuration objects.
  6. Enterprise DLP begins preparing the JSON configuration file and then downloads it to your local device.
    Enterprise DLP notifies the data security administrator when the export completes successfully or if an error prevents a successful export.
  7. Enterprise DLP begins preparing the JSON configuration file for download and then downloads the configuration file to your local device.
    The configuration file has the following naming convention: export_YYYY-MM-DDTHHMMSS.json. You can rename the file as needed.
  8. Select Configuration > Data Loss Prevention > Settings > Export Configuration to review your Enterprise DLP Export History.
    You can use this page to audit all Enterprise DLP configuration object exports and to download previously exported Enterprise DLP configuration object exports.
    • Objects—Type of configuration object the data security administrator exported.
    • Date Exported—Date and time the user exported the configuration object.
    • Exported By—Email of the data security administrator who exported the configuration object.
    • Click Action for the configuration object export you want to download.

Export Your Entire Enterprise DLP Configuration

Export all your Enterprise Data Loss Prevention (E-DLP) data patterns, data profiles, and data dictionaries.
  1. Log in to Strata Cloud Manager.
  2. Select Configuration > Data Loss Prevention > Settings > Export Configuration.
  3. Export your Enterprise DLP configuration.
    Enterprise DLP notifies the data security administrator when the export completes successfully or if an error prevents a successful export.
    Enterprise DLP exports the following configuration objects:
    • Configuration > Data Loss Prevention > Data Profiles
    • Configuration > Data Loss Prevention > Detection Methods > Data Dictionary
    • Configuration > Data Loss Prevention > Detection Methods > Data Patterns
  4. Enterprise DLP begins preparing the JSON configuration file and then downloads it to your local device.
    The configuration file has the following naming convention: export_YYYY-MM-DDTHHMMSS.json. You can rename the file as needed.
  5. Review your Enterprise DLP Export History.
    You can use this page to audit all Enterprise DLP configuration object exports and to download previously exported Enterprise DLP configuration object exports.
    • Objects—Type of configuration object the data security administrator exported.
    • Date Exported—Date and time the user exported the configuration object.
    • Exported By—Email of the data security administrator who exported the configuration object.
    • Click Action for the configuration object export you want to download.

Import an Enterprise DLP Object or Configuration

Import your Enterprise Data Loss Prevention (E-DLP) data patterns, data profiles, and data dictionaries.
  1. Log in to Strata Cloud Manager.
  2. Select Configuration > Data Loss Prevention > Settings > Import Configuration.
  3. Drag and drop the Enterprise DLP JSON configuration file or Browse file to navigate to it.
  4. Enterprise DLP prompts you to confirm the configuration import.
    Click Import to continue.
    Enterprise DLP displays Import is in progress... during the import.
  5. Resolve any import conflicts.
    • (Custom Document Types and EDM Datasets only) Custom Document Type or EDM Dataset does not exist
      You must first upload the missing custom document type or EDM dataset to Enterprise DLP before you can successfully import the configuration file.
    • Existing Object with Identical Name and Configuration
      Enterprise DLP skips importing a configuration object with an identical name and configuration. Enterprise DLP does not provide any warning or notification that it skipped importing a configuration object.
    • Existing Object with Identical Name But Different Configuration
      Enterprise DLP lets your data security administrator choose whether to override an existing configuration object if the imported object has an identical name but different configuration.
      Click Replace to override the configuration of one or more existing configuration objects with those from the imported configuration. Replace and override the existing configuration objects to successfully import the configuration file.
      Clicking Cancel terminates the configuration import.
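
The conflict rules listed in the overview and the conflict step of the import procedure above can be rehearsed offline by comparing the file you plan to import against an export of the target tenant. The following is an added example, not Palo Alto Networks code: it predicts which objects would be created, skipped as identical, prompted for Replace, or skipped as unsupported. The JSON layout, the `depends_on` field, and the function names are hypothetical, because this page does not document the export schema.

```python
import json

# Hypothetical export layout; the page does not document the real schema:
#   {"<object type>": [{"name": str, "depends_on": [names], ...}, ...]}
# Object names are assumed unique across types.

def index(export):
    """Map object name -> canonical JSON text of the object."""
    return {obj["name"]: json.dumps(obj, sort_keys=True)
            for objects in export.values() for obj in objects}

def plan_import(source, target):
    """Classify each source object by the outcome the import rules imply."""
    src, dst = index(source), index(target)
    bad = {name for name in src if "&" in name}   # '&' in a name is unsupported
    plan = {"create": [], "skip_identical": [], "conflict": [], "unsupported": []}
    for name, body in sorted(src.items()):
        deps = set(json.loads(body).get("depends_on", []))
        if name in bad or deps & bad:
            plan["unsupported"].append(name)      # skipped; check the audit log
        elif name not in dst:
            plan["create"].append(name)
        elif dst[name] == body:
            plan["skip_identical"].append(name)   # skipped without notification
        else:
            plan["conflict"].append(name)         # Replace or Cancel prompt
    return plan

# Constructed sample exports mirroring the page's PatternA/PatternB and
# Data Profile A/B examples; regexes and terms are invented.
LAB = {
    "data_patterns": [
        {"name": "PatternA", "regex": r"\bACME-\d{6}\b"},
        {"name": "PatternB", "regex": r"\bEMP-\d{5}\b"},
        {"name": "Data Pattern A", "regex": r"\bPRJ-\d{4}\b"}],
    "data_dictionaries": [
        {"name": "Data Dictionary A", "terms": ["confidential"]},
        {"name": "Data Dictionary B&", "terms": ["internal only"]}],
    "data_profiles": [
        {"name": "Data Profile A",
         "depends_on": ["Data Dictionary A", "Data Pattern A"]},
        {"name": "Data Profile B",
         "depends_on": ["Data Dictionary B&", "Data Pattern A"]}],
}
PROD = {"data_patterns": [
    {"name": "PatternA", "regex": r"\bACME-\d{6}\b"},
    {"name": "PatternB", "regex": r"\bEMP-\d{4}\b"}]}

if __name__ == "__main__":
    for outcome, names in plan_import(LAB, PROD).items():
        print(f"{outcome:15} {names}")
```

Reviewing the `skip_identical` and `unsupported` lists before the import matters most, since those are the outcomes the import itself does not prompt for.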