Use the secure Exact Data Matching (EDM) CLI app to configure an EDM profile for Enterprise Data Loss Prevention (E-DLP).
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally. You must allow these new service IP addresses on your network to avoid disruptions to these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
    NGFW (Managed by Panorama or Strata Cloud Manager)
    Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
    Enterprise Data Loss Prevention (E-DLP) license. Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license:
        Prisma Access CASB license
        Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
        Data Security license
Exact Data Matching (EDM) for Enterprise Data Loss Prevention (E-DLP) is an advanced detection tool for monitoring and protecting sensitive data against exfiltration. Use EDM to detect, with high accuracy, sensitive and personally identifiable information (PII) such as Social Security numbers, medical record numbers, bank account numbers, and credit card numbers that originates from a structured data source such as a database, directory server, or structured data file.
By default, values from an EDM data set must appear within 100 characters of each other in inspected traffic for Enterprise DLP to detect the sensitive data. Contact Palo Alto Networks Customer Support to increase this maximum proximity.
For example, you upload an EDM data set that contains the following data:

FName  LName  SSN          BankAccNum  CCN
Bill   Smith  123-45-6789  22334455    1111-2222-3333-4444

In this case, Enterprise DLP detects sensitive data in inspected traffic if Smith and 22334455 appear within 100 characters of each other.
Encryption of Uploaded EDM Data Sets
To use EDM, Enterprise DLP relies on the encrypted hash of the sensitive data you upload, not on the data itself. Enterprise DLP indexes the encrypted hash of each uploaded EDM data set and uses that indexed hash data set in the Security policy rule to match outbound traffic and prevent exfiltration of the sensitive data.
When you initiate an EDM data set upload, the EDM CLI App first hashes the data set using the SHA-256 hash function. It then encrypts the hashed data set using AES symmetric encryption before uploading it to the Enterprise DLP EDM data set storage bucket. The raw data in your EDM data sets never leaves your organization's network, and Enterprise DLP neither stores nor has access to it. Enterprise DLP stores only the hashed and encrypted EDM data set in the EDM data set storage bucket.
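To make the two mechanisms described above concrete (the 100-character proximity rule and the hash-only index), here is an added example in Python. It is not part of the original page and is not code from the Palo Alto Networks EDM CLI App. It hashes every cell of a constructed data set (the page's Bill Smith row) with SHA-256, keeps only the digests, and then scans a constructed outbound message by hashing its tokens and checking whether two fields of the same row appear within 100 characters of each other. The tokenization rule, the lack of value normalization and salting, and the two-field minimum are assumptions of this model; the page does not document how the real CLI App prepares values, and the AES encryption it applies before upload is not modelled here.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample EDM data set, mirroring the page's example row.
# Not real data.
COLUMNS = ["FName", "LName", "SSN", "BankAccNum", "CCN"]
ROWS = [
    ["Bill", "Smith", "123-45-6789", "22334455", "1111-2222-3333-4444"],
]


def fingerprint(value: str) -> str:
    """SHA-256 hex digest of a single cell value.

    Assumption: the exact string is hashed. The page says the CLI App uses
    SHA-256 but does not document normalization or salting, so none is done.
    """
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_index(rows, columns=COLUMNS):
    """Map each cell's digest to the (row_id, column) positions it occurs at.

    Only digests are kept; the raw values never enter the index.
    """
    index = defaultdict(set)
    for row_id, row in enumerate(rows):
        for col, value in zip(columns, row):
            index[fingerprint(value)].add((row_id, col))
    return index


# Candidate tokens: runs of letters/digits, optionally joined by '-', so an
# SSN or card number survives as one token. (Assumed tokenizer.)
TOKEN_RE = re.compile(r"[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*")


def scan(text, index, proximity=100, min_fields=2):
    """Return [(row_id, [columns])] for rows whose fields co-occur in `text`.

    Each token is hashed and looked up, so the scanner compares digests only.
    Two hits count as "within proximity" when the gap from the end of the
    earlier token to the start of the later one is at most `proximity`
    characters (100 by default, matching the page's default limit).
    """
    hits = defaultdict(list)  # row_id -> [(start, end, column)]
    for m in TOKEN_RE.finditer(text):
        for row_id, col in index.get(fingerprint(m.group()), ()):
            hits[row_id].append((m.start(), m.end(), col))

    matches = []
    for row_id, positions in sorted(hits.items()):
        positions.sort()
        for i, (_start_i, end_i, col_i) in enumerate(positions):
            cols = {col_i}
            for start_j, _end_j, col_j in positions[i + 1:]:
                if start_j - end_i > proximity:
                    break  # later hits start even further away
                cols.add(col_j)
            if len(cols) >= min_fields:
                matches.append((row_id, sorted(cols)))
                break
    return matches


# Constructed outbound messages for the demonstration.
LEAKED = "Re: customer Smith. Please wire from account 22334455 by Friday."
SPREAD = "customer Smith." + " lorem ipsum" * 20 + " account 22334455"

if __name__ == "__main__":
    idx = build_index(ROWS)
    print(scan(LEAKED, idx))  # two fields of row 0 within 100 chars
    print(scan(SPREAD, idx))  # same two fields, but ~250 chars apart
```

The scanner never holds the data set values, only their digests, which is the property the page describes for the Enterprise DLP index. Because this model does not salt the digests, a leaked index would still be exposed to brute-force guessing of low-entropy fields such as first names; the page does not say how the real service handles that, so treat it as a limitation of the model rather than a description of the product.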