Enterprise DLP
Data Profiles
Create and configure an Enterprise Data Loss Prevention (E-DLP) profile.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally. You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Or any of the following licenses that include the Enterprise DLP license |
Enterprise Data Loss Prevention (E-DLP) data profiles are a collection of predefined and custom data patterns, advanced detection methods, or predefined and custom data profiles that define the sensitive content you want to inspect for.
Data profiles remain inactive until attached to a Security policy rule. Once attached, the enforcement point forwards matching traffic to Enterprise DLP for inspection. Depending on the data filtering profile (Panorama) or DLP rule setting, Enterprise DLP instructs the enforcement point to either generate an alert or block the traffic.
Enterprise DLP supports two types of detection coverage for data profiles:
- (Default) Cloud Only. By default, enforcement points forward traffic to Enterprise DLP when traffic matches any predefined or custom data pattern, advanced detection method, or predefined or custom data profile. A data profile configured for Cloud Only detection coverage includes at least one match criterion that requires forwarding traffic to Enterprise DLP to render a verdict.
- Cloud & Local. You can configure a data profile for Cloud & Local detection coverage on Strata Cloud Manager if you have a Prisma Browser license. For detection methods that support local detection, Prisma Browser inspects sensitive data locally on the browser against the data profile; all other enforcement points continue to forward traffic to Enterprise DLP. A data profile configured for Cloud & Local detection is one configured exclusively with detection methods supported for local Prisma Browser detection:
  - Predefined and custom regex data patterns that support local detection.
  - Data dictionaries.
  - Nested and granular data profiles (predefined or custom) that contain only detection methods supported for local Prisma Browser detection.
You can toggle the Local Detection filter when creating or editing a data profile to display only the detection methods supported for local detection.
You can create a data profile for either Cloud Only or Cloud & Local detection. However, you can't disable local detection on a profile whose methods all support it. If you want a data profile to be Cloud Only, you must include at least one detection method that is not supported for local detection.
Enterprise DLP supports the following number of detection methods per data profile:
- Panorama running PAN-OS 10.2.3 or an earlier release and DLP plugin 3.0.3 or an earlier release: a data profile supports up to 10 data patterns for a Block rule and 50 data patterns for an Alert rule.
- Panorama running PAN-OS 10.2.4 or a later release and DLP plugin 3.0.4 or a later release: no limit on the number of data patterns or advanced detection methods you can add to a data profile, and no limit on the number of data profiles you can add to a granular data profile.
- Strata Cloud Manager: no limit on the number of data patterns or advanced detection methods you can add to a data profile, and no limit on the number of data profiles you can add to a nested or granular data profile.
Even though Panorama running PAN-OS 10.2.4 or a later release and DLP plugin 3.0.4 or a later release has no limit on the number of data patterns you can add to a data profile, the DLP plugin displays only the first 50 predefined or custom data patterns, advanced detection methods, or data profiles added. Enterprise DLP still has full knowledge of the entire data profile regardless of what the DLP plugin displays. This applies to data filtering profiles created on Panorama and to data profiles created on Strata Cloud Manager and synchronized to Panorama.
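The two rules above (a profile is Cloud & Local only if every method, through any depth of nested or granular profiles, supports local detection; and the per-profile method limits depend on the Panorama and DLP plugin release) are easy to get wrong by hand on a large profile. The following is an added, constructed model of those rules, not Palo Alto Networks code and not the Enterprise DLP or Strata Cloud Manager API; every class, function and field name in it is an assumption chosen for the example. It classifies a profile's detection coverage recursively, resolves which rule action applies to each child of a nested versus granular profile, and flags a profile that exceeds the Block/Alert limits on an older Panorama or that will be truncated in the plugin display on a newer one.

```python
"""Constructed model of the data-profile rules described above.

Added illustration only: not Palo Alto Networks code, and it does not call
the Enterprise DLP or Strata Cloud Manager API. All names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Method kinds eligible for local (Prisma Browser) detection per the page:
# predefined/custom regex data patterns and data dictionaries.
LOCAL_CAPABLE = {"regex", "dictionary"}
CLOUD_AND_LOCAL = "Cloud & Local"
CLOUD_ONLY = "Cloud Only"


@dataclass(frozen=True)
class DataPattern:
    name: str
    kind: str  # e.g. "regex", "dictionary", "file_property", "ml_classifier"


@dataclass
class DataProfile:
    name: str
    # Direct members: data patterns / advanced methods or child data profiles.
    members: List[Union[DataPattern, "DataProfile"]] = field(default_factory=list)
    # "flat" (methods only), "nested" (one rule setting covers all children)
    # or "granular" (a rule setting per child). Assumed vocabulary.
    kind: str = "flat"
    action: Optional[str] = None           # nested: applies to every child
    child_actions: Dict[str, str] = field(default_factory=dict)  # granular


def coverage_of(profile: DataProfile) -> str:
    """Cloud & Local only when every method, recursively, is locally
    detectable; one cloud-only method anywhere makes it Cloud Only."""
    if not profile.members:  # assumption: a profile needs a match criterion
        raise ValueError(f"{profile.name}: no detection methods")
    for m in profile.members:
        if isinstance(m, DataProfile):
            if coverage_of(m) == CLOUD_ONLY:
                return CLOUD_ONLY
        elif m.kind not in LOCAL_CAPABLE:
            return CLOUD_ONLY
    return CLOUD_AND_LOCAL


def effective_actions(profile: DataProfile) -> Dict[str, str]:
    """Rule action applied to each child profile: the parent's single
    action for a nested profile, the per-child action for a granular one."""
    children = [m for m in profile.members if isinstance(m, DataProfile)]
    if profile.kind == "nested":
        return {c.name: profile.action for c in children}
    if profile.kind == "granular":
        return {c.name: profile.child_actions[c.name] for c in children}
    return {}


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


LEGACY_LIMITS = {"block": 10, "alert": 50}  # PAN-OS <= 10.2.3, plugin <= 3.0.3
PLUGIN_DISPLAY_LIMIT = 50                   # newer plugin lists first 50 only


def check_limits(profile: DataProfile, action: str, target: str = "panorama",
                 panos: str = "10.2.4", plugin: str = "3.0.4") -> List[str]:
    """Findings for the per-profile method limits. Assumption: the legacy
    limit applies unless BOTH PAN-OS and the DLP plugin are at the newer
    releases (the page describes only the two matched pairs)."""
    findings: List[str] = []
    n = len(profile.members)
    if target == "scm":
        return findings  # Strata Cloud Manager: no limit, no display caveat
    newer = (parse_version(panos) >= (10, 2, 4)
             and parse_version(plugin) >= (3, 0, 4))
    if not newer:
        limit = LEGACY_LIMITS[action]
        if n > limit:
            findings.append(f"{profile.name}: {n} methods exceed the {limit} "
                            f"allowed for a {action} rule on this Panorama/plugin")
    elif n > PLUGIN_DISPLAY_LIMIT:
        findings.append(f"{profile.name}: plugin UI lists only the first "
                        f"{PLUGIN_DISPLAY_LIMIT} of {n} methods; all are enforced")
    return findings


# Constructed sample profiles for the example (not real predefined profiles).
PII_REGEX = DataProfile("pii-regex", [DataPattern("ssn", "regex"),
                                      DataPattern("cc", "regex")])
SECRETS = DataProfile("secrets", [DataPattern("api-keys", "dictionary"),
                                  DataPattern("signed-pdf", "file_property")])
LOCAL_OK = DataProfile("local-ok", [DataPattern("iban", "regex"), PII_REGEX],
                       kind="nested", action="alert")
MIXED = DataProfile("mixed", [PII_REGEX, SECRETS], kind="granular",
                    child_actions={"pii-regex": "alert", "secrets": "block"})
BIG = DataProfile("big", [DataPattern(f"p{i}", "regex") for i in range(12)])
HUGE = DataProfile("huge", [DataPattern(f"p{i}", "regex") for i in range(60)])

if __name__ == "__main__":
    for p in (LOCAL_OK, MIXED):
        print(p.name, coverage_of(p), effective_actions(p))
    print(check_limits(BIG, "block", panos="10.2.3", plugin="3.0.3"))
    print(check_limits(HUGE, "alert"))
```

Run it with a profile you are about to attach to a Security policy rule: a single `file_property` or advanced detection method buried two profiles deep is enough to turn the whole profile Cloud Only, which is the page's point about why a Cloud Only profile must contain at least one non-local method.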
You can't delete data profiles after creation. See the Supported Data Profile Actions for more
information on the data profile actions Enterprise DLP supports.
| Data Profile Type | Description |
|---|---|
| Predefined data profile | Enterprise DLP includes many predefined data profiles that you can immediately use to detect sensitive data. |
| Custom data profile | A data profile that can use any predefined data pattern, regular expression (regex) data pattern, custom file property data pattern, or advanced detection method. |
| Nested data profile | A nested data profile contains multiple data profiles and lets your data security administrator consolidate the match criteria that prevent exfiltration of sensitive data into a single data profile, which you can associate with a single Security policy rule. For a nested data profile, the DLP rule settings apply to all data profiles added to the nested data profile. |
| Granular data profile | A granular data profile contains multiple data profiles and enhances your detection capabilities by letting your data security administrators apply differentiated inline content inspection requirements and response actions within the same Security policy rule. For a granular data profile, your data security administrator configures the DLP rule settings separately for each data profile added to the granular data profile. |
| Update a data profile | Update your data profiles to modify the match criteria and settings. |
| Test a data profile | Test the efficacy of your data profiles on Strata Cloud Manager before pushing them to your enforcement points. |
| Resolve synchronization conflicts | Resolve data profile synchronization conflicts between Strata Cloud Manager and Panorama. Unresolved conflicts can cause configuration commit failures or silently overwrite data filtering profiles, resulting in security disruptions and protection gaps. |