>
    Strata Copilot
    Create a Data Profile
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Administration
    4. Configure Enterprise DLP
    5. Data Profiles
    6. Create a Data Profile
    Download PDF
    Enterprise DLP

    Create a Data Profile

    Table of Contents

    Create a Data Profile

    Create a data profile that can use regular expression (regex) data patterns and custom file property data patterns, and advanced detection methods.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Prisma Browser
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    After you create a data pattern, you need to create a data profile to add those data patterns and specify matches and confidence levels. A classic data profile is a data profile that includes only regular expression (regex) data patterns, or a data profile created on a Panorama® management server. Enterprise Data Loss Prevention (E-DLP) synchronizes all data profiles you create across Panorama, Strata Cloud Manager, and Prisma Browser deployments associated with the tenant. You can edit all classic data profiles created on Panorama or Strata Cloud Manager as needed.
    (Panorama) A data profile for non-file traffic uses URL and application exclusion lists. These lists let data security administrators exclude specific traffic from inspection, with a predefined DLP App Exclusion Filter available for common apps. When you create a data filtering profile using predefined data patterns, be sure to consider the detection type used by the predefined data patterns because the detection type determines how Enterprise DLP arrives at a verdict for scanned traffic. Downgrading from PAN-OS 10.2.1 to 10.1 automatically converts non-file data filtering profiles to file-based data filtering profiles.
    When you create a data profile using predefined data patterns, be sure to consider the detection type used by the predefined data patterns because the detection type determines how Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files.

    Create a Data Profile on Strata Cloud Manager

    Create a new Enterprise Data Loss Prevention (E-DLP) data profile on Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Configure your Enterprise DLP settings if not already configured.
      • Data Filtering SettingsEdit the data filtering settings to specify the traffic forwarding parameters for your enforcement points and Enterprise DLP. This includes settings such as the minimum and maximum data size limits for scanned traffic, latency settings, and the actions the enforcement point or Enterprise DLP takes when encountering issues for both file and non-file traffic.
      • Snippet SettingsEdit the snippet settings to specify if and how Enterprise DLP stores and masks snippets of sensitive data that match your data pattern match criteria in a data profile. Your snippet setting configuration determines how Enterprise DLP displays snippets of matched traffic when you review your DLP incidents.
    3. Create one or more data patterns to define your match criteria if not already created. You can also use any of the predefined data patterns.
    4. Select ConfigurationData Loss PreventionData ProfilesNew Data Profile and click Custom Data Profile.
      You can copy an existing data profile to modify its match criteria while preserving the original. Enterprise DLP names the copied data profile Copy - <name_of_original_data_profile>. You can edit the name as needed.
      (Prisma Browser) If you copied a Cloud Only data profile, click Convert to Local Supported Profile in the Preview panel to remove all match criteria not supported by local Prisma Browser detection. This converts the data profile into a data profile with Cloud & Local detection coverage.
    5. Enter a descriptive Data Profile Name.
    6. (Optional) Enter a Description for the data profile.
    7. (Prisma Browser) Toggle Local Detection to filter and display only the detection methods supported for local Prisma Browser detection.
      Required for Prisma Browser users without an active Enterprise DLP license.
    8. Select the match criteria operator (AND or OR).
    9. Configure the Primary Rule.
      Add data pattern match criteria for traffic that you want to allow to the Primary Rule. You can add data pattern match criteria for traffic that you want to block to either Primary Rule or Secondary Rule.
      1. Add your detection methods to define the data profile match criteria.
        • Data Pattern
          Select AddData Pattern and define the data pattern match criteria.
          • Data Pattern—Select a custom or predefined data pattern.
            Predefined ML-based data patterns support only the Any occurrence condition with either High or Lowconfidence. You can't configure any other traffic match criteria other than the confidence level for Predefined ML-based data patterns.
            If you enabled Local Detection, Enterprise DLP displays the supported regex data patterns only.
          • Occurrence Condition—Select when the Security policy rule action triggers based on the number of matched traffic instances Enterprise DLP detects.
            • Any—Triggers the Security policy rule action if Enterprise DLP detects at least one instance of matched traffic.
            • Less than or equal to—Triggers the Security policy rule action if the number of matched traffic instances Enterprise DLP detects is at or below the specified Count.
            • More than or equal to—Triggers the Security policy rule action if the number of matched traffic instances Enterprise DLP detects meets or exceeds the specified Count.
            • Between (inclusive)—Triggers the Security policy rule action if the number of matched traffic instances Enterprise DLP detects falls within the specified Count range.
          • Count—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
            The minimum supported value is 1 because a value of 0 would generate DLP incidents on forwarded traffic that doesn't match any sensitive data patterns.
            For example, to match sensitive data that appears three or more times in a file, select More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
          • Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
          • Unique Occurrences—Check (enable) to detect only unique instances of traffic matches. Only unique occurrences of traffic matches are counted toward the specified Count.
            This setting is disabled by default. Keep Unique Occurrences disabled if you want all instances of traffic matches to count toward the specified Count.
        • Data Dictionary
          Select AddData Dictionary and define the data dictionary match criteria.
          • Dictionary—Select a custom or predefined data pattern.
          • Occurrence Condition—Select when the Security policy rule action triggers based on the number of matched traffic instances Enterprise DLP detects.
            • Any—Triggers the Security policy rule action if Enterprise DLP detects at least one instance of matched traffic.
            • Less than or equal to—Triggers the Security policy rule action if the number of matched traffic instances Enterprise DLP detects is at or below the specified Count.
            • More than or equal to—Triggers the Security policy rule action if the number of matched traffic instances Enterprise DLP detects meets or exceeds the specified Count.
            • Between (inclusive)—Triggers the Security policy rule action if the number of matched traffic instances Enterprise DLP detects falls within the specified Count range.
          • Count—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
            The minimum supported value is 1 because a value of 0 would generate DLP incidents on forwarded traffic that doesn't match any sensitive data patterns.
            For example, to match sensitive data that appears three or more times in a file, select More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
          • Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
          • Unique Occurrences—Check (enable) to detect only unique instances of traffic matches. Only unique occurrences of traffic matches are counted toward the specified Count.
            This setting is disabled by default. Keep Unique Occurrences disabled if you want all instances of traffic matches to count toward the specified Count.
        • Custom Document Types
          Select AddDocument Types and define the custom document type match criteria.
          Prisma Browser supports custom document types for cloud detections only. You can't add a custom document type to a data profile with Local Detection enabled.
          • Document Type—Select a predefined or custom document type you uploaded to Enterprise DLP.
          • Overlapping Score Condition—Specify the custom document overlapping score required to trigger a Security policy rule action.
            • Greater Than or Equal To—Security policy rule triggered if Enterprise DLP detects an instance of matched traffic with the specified minimum overlapping score.
            • Between (Inclusive)—Security policy rule action triggered if Enterprise DLP detects an instance of matched traffic with an overlapping score between the specified min and max overlapping scores.
        • EDM
          Select AddEDM Dataset and define the EDM match criteria.
          Prisma Browser supports custom document types for cloud detections only. You can't add a custom document type to a data profile with Local Detection enabled.
          • EDM Dataset—Select an EDM data set uploaded to the DLP cloud service.
          • Occurrence Condition—Specify the occurrences condition required to trigger a Security policy rule action.
          • Count—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
          • Configure EDM data set Primary Fields values to specify whether a Security policy rule action is taken if Any (OR) or All (AND) primary fields are matched and if Any (OR) or All (AND) secondary fields are matched.
          • (Any(OR) only) Enter the Count to specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
            When you select Any (OR), the maximum Count setting is one less than the total number of fields included in the Primary Field or Secondary Field.
          • Select the Primary Fields values.
            The list of available values is populated from the selected EDM data set. Select at least one primary field value.
            You’re required to add at least one column where the column values occurs up to 12 times in the selected EDM data set for the Primary Field. For example, if the EDM data set contains columns for first name, last name, social security number, and credit card number, add social security number and credit card in the primary field.
        • Data Profiles
          See Create a Nested Data Profile for detailed information.
          Select AddData Profile to add a granular or nested data profile to enhance your Enterprise DLP detection capabilities by enabling you to apply differentiated inline content inspection requirements and response actions within the same Security policy rule.
          For example, you can use a granular profile to block high-risk data patterns while alerting on lower-risk ones, set varying log severities for different data profiles, and selecting specific file types for each data profile included the granular data profile. Granular profiles simplify policy rulebase management by consolidating multiple rules into a single, more flexible policy. This allows your security administrators to streamline Security policy rulebase administration. It reduces false positive detections and achieves a more nuanced approach to data protection that aligns closely with your organization's risk management strategy while maintaining a lean and efficient policy rulebase.
          (Enterprise DLP Plugin 5.0 and earlier releases) Granular profiles are backwards compatible. This means that if you can configure a granular profile on Strata Cloud Manager, Enterprise DLP can successfully synchronize the granular data profile and make it available for use on Panorama and NGFW running PAN-OS 11.1 or earlier releases and Enterprise DLP plugin 5.0 and earlier releases.
          Search for and select one or more compatible predefined or custom data profiles and click Apply to add them. Enterprise DLP does not support adding a granular or nested profile to another granular or nested profile.
          If you enabled Local Detection, you can only add other data profiles with Local Detection enabled.
        • Group
          Select AddGroup to nest and group additional match criteria so you can more accurately define your compliance rules.
          When you click add a new Group, the new match criteria group is nested under the most recently added match criteria. You can’t nest a new match criteria group between existing match criteria. If you add multiple match criteria, you must remove the match criteria that follow the match criteria that you want to add.
          For example, you added EDM_Dataset1, Data_Pattern2, and EDM_Dataset3 to the Primary Rule. If you wanted to added nested match criteria to Data_Pattern2, you must first remove EDM_Dataset3 from the Primary Rule.
          You can select the same match criteria or different match criteria to more accurately define your compliance rules. Enterprise DLP supports up to three level of additional groups for each match criteria.
          Nested match criteria support the AND, OR, and NOT operators. Refer to the descriptions above to configure the nested match criteria.
    10. (Optional) Configure a Secondary Rule.
      Enterprise DLP automatically blocks traffic containing sensitive data that matches a Secondary Rule. Add match criteria to the Primary Rule to generate an Alert for allowed traffic.
      Prisma Browser doesn't support Secondary Rules for data profiles and ignores them.
    11. Select the Match Scope to configure which part of the traffic payload Enterprise DLP inspects.
      You can select one or both match scopes. Enterprise DLP requires at least one selection.
      • Content—Inspect the contents of file-based or non-file-based traffic. Enterprise DLP selects this match scope by default.
        For file-based traffic, Enterprise DLP inspects actual file content and any watermarks applied to the file. Review the list of supported file types to learn which file types support watermark inspection.
      • (Beta) File Name—Inspect the file name for forwarded file-based traffic.
        File Name is a Beta feature and might generate false positive detections.
        Palo Alto Networks recommends validating data profile detection accuracy with the File Name match scope in a test environment before deploying to production.
        Enterprise DLP supports file name inspection for predefined and custom regex data patterns, data dictionaries, and EDM data sets.
        You can't use File Name inspection with a data profile that includes a custom document type.
        Enterprise DLP inspects only the top-level archive file name and doesn't inspect sub file names within the archive.
      • Metadata—Inspect free-form text-based metadata fields (such as comments, title, and other editable properties) in file-based traffic.
        Enterprise DLP supports metadata inspection for predefined and custom regex data patterns, data dictionaries, and EDM data sets.
      • (Beta) URL—Inspect the URL string for file-based and non-file-based traffic across all predefined and custom data patterns and advanced detection methods.
        URL scan is a Beta feature and might generate false positive detections.
        Palo Alto Networks recommends validating data profile detection accuracy with the URL match scope in a test environment before deploying to production.
    12. Review your data profile configuration.
      Use the Preview to view of your Primary and Secondary Rule configuration, the Detection Coverage (Cloud & Local or Cloud Only), and the Match Scope.
      • Example of No Local Detection Support
        A data profile with Cloud Only detection coverage includes cloud-assisted detection method which makes the data profile not compatible local Prisma Browser detection.
        Click Convert to Local Detection Compatible Profile to remove any cloud-assisted detection methods not compatible with local Prisma Browser detection. This converts the data profile into a data profile with Cloud & Local detection coverage.
      • Example of Local Detection Support
        A data profile with Cloud & Local detection coverage includes only the detection methods that are compatible with local Prisma Browser detection.
    13. Click Test Run to test and verify the data profile accurately detects the sensitive data you configured it to detect.
    14. Save the data profile.
    15. In Data Profiles, search for the data profile you created to verify it was successfully created.
    16. Modify the DLP rule or add the data profile to a Data Control Rule.
      • NGFW and Prisma Access TenantsModify a DLP rule to define the type of traffic to inspect, the impacted file types and apps, the action Enterprise DLP takes when sensitive data is detected, log severity, and more for the data profile match criteria. Enterprise DLP automatically creates a DLP rule with an identical name as the data profile from which it was created.
      • Prisma BrowserCreate or edit a Data Control rule to prevent exfiltration of sensitive data for specific apps, website classifications, or URLs.

    Create a Data Filtering Profile on Panorama

    Create a new Enterprise Data Loss Prevention (E-DLP) data filtering profile on your Panorama® management server.
    A data filtering profile configured for non-file traffic detection allows you to configure URL and application exclusion lists. The URL and application exclusion lists allow you to select Shared URL and app traffic to exclude from inspection. For the application exclusion list, at least one application exclusion is required to create a data filtering profile for inspecting non-file traffic. The predefined DLP App Exclusion Filter provides commonly used apps that you can safely excluded from inspection. When you create a data filtering profile using predefined data patterns, be sure to consider the detection type used by the predefined data patterns because the detection type determines how Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files. If you downgrade from PAN-OS 10.2.1 or later release and Enterprise DLP plugin 3.0.1 or late release to PAN-OS 10.1 and Enterprise DLP plugin 1.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.
    1. Log in to the Panorama web interface.
    2. Configure your Enterprise DLP settings if not already configured.
      • Cloud Content ServerEdit the Cloud Content settings to specify the Enterprise DLP server to forward traffic to for inspection and verdict rendering. You might need to configure the Cloud Content server if your organization must adhere to specific data residency requirements.
      • Data Filtering SettingsEdit the data filtering settings to specify the traffic forwarding parameters for your enforcement points and Enterprise DLP. This includes settings such as the minimum and maximum data size limits for scanned traffic, latency settings, and the actions the enforcement point or Enterprise DLP takes when encountering issues for both file and non-file traffic.
      • Snippet SettingsEdit the snippet settings to specify if and how Enterprise DLP stores and masks snippets of sensitive data that match your data pattern match criteria in a data profile. Your snippet setting configuration determines how Enterprise DLP displays snippets of matched traffic when you review your DLP incidents.
    3. (Optional for Non-File Traffic Inspection) Create a custom application filter, application group, or URL category to define predefined or custom app and URL traffic you want to exclude from inspection.
      The application filter, application group, and URL category must be Shared to be used in the data filtering profile application exclusion and URL exclusion lists. Data filtering profiles for non-file traffic inspection support either custom application filters and application groups. You'ren’t required to add both.
    4. Create one or more data patterns to define your match criteria if not already created. You can also use any of the predefined data patterns.
    5. Select ObjectsDLPData Filtering Profiles and Add a new data filtering profile.
    6. Enter a descriptive Name for the data filtering profile.
    7. Configure the data filtering profile inspection parameters.
      • Shared—All Enterprise DLP data profiles must be Shared across all device groups. This setting is enabled by default and can’t be disabled.
      • Profile Type—Select the Classic data filtering profile type.
        A Classic data filtering profile supports adding data patterns only.
      • File Based—Specifies whether the data filtering profile applies to file based traffic. Default is Yes. A data filtering profile can apply file based traffic, non-file based traffic, or both.
      • Non-File Based—Specifies whether the data filtering profile applies to non-file based traffic. Default is No. A data filtering profile can apply file based traffic, non-file based traffic, or both.
    8. Define the match criteria.
      • If you select Basic, configure the following:
        • Primary PatternAdd one or more data patterns to specify as the match criteria.
          If you specify more than one data pattern, the managed firewall uses a boolean OR match in the match criteria.
        • Match—Select whether the pattern you specify should match (include) or not match (exclude) the specified criteria.
        • Operator—Select a boolean operator to use with the Threshold parameter. Specify Any to ignore the threshold.
          • Any—Triggers the Security policy rule action if Enterprise DLP detects at least one instance of matched traffic.
          • Less than or equal to—Triggers the Security policy rule action if the number of matched traffic instances Enterprise DLP detects is at or below the specified Threshold.
          • More than or equal to—Triggers the Security policy rule action if the number of matched traffic instances Enterprise DLP detects meets or exceeds the specified Threshold.
          • Between (inclusive)—Triggers the Security policy rule action if the number of matched traffic instances Enterprise DLP detects falls within the specified Threshold range.
        • Occurrence—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
          The minimum supported value is 1 because a value of 0 would generate DLP incidents on forwarded traffic that doesn't match any sensitive data patterns.
          For example, to match sensitive data that appears three or more times in a file, select More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
        • Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
      • If you select Advanced, you can create expressions by dragging and dropping data patterns, Confidence levels, Operators, and Occurrence values into the field in the center of the page.
        Specify the values in the order that they’re shown in the following example (data pattern, Confidence, and Operator or Occurrence).
    9. Specify the file types Enterprise DLP takes action against.
      • DLP plugin 4.0.0 and earlier releases
        Select the File Type. By default, any is selected and inspects all supported file types.
      • DLP plugin 4.0.1 and later releases
      1. Select File Types.
      2. Select the Scan Type to create a file type include or exclude list.
        • IncludeEnterprise DLP inspects only the file types you add to the File Type Array.
        • (PAN-OS 11.0 and later) ExcludeEnterprise DLP inspects all supported file types except for those added to the File Type Array.
          Exclude mode is supported only on PAN-OS 11.0 and later releases. On PAN-OS 10.2, the enforcement point converts the File Scan Mode to all supported file types in Include mode.
      3. Click Modify to add the file types to the File Type Array and click OK.
    10. Select traffic Direction you want to inspect.
      You can select Upload, Download, or Both.
    11. Set the Log Severity recorded for files that match this rule.
      You can select critical, high, medium, low, or informational. The default severity is informational.
    12. Click OK to save your changes.
    13. (Best Practices for File Based Inspection) Create a File Blocking profile and create a Block Rule to block the file types you don't explicitly forward to Enterprise DLP.
      Palo Alto Networks recommends creating this File Blocking profile to ensure sensitive data can't be exfiltrated in file types Enterprise DLP does not support.
    14. Attach the data filtering profile to a Security policy rule.
      1. Select PoliciesSecurity and specify the Device Group.
      2. Select the Security policy rule to which you want to add the data filtering profile.
      3. Select Actions and set the Profile Type to Profiles.
      4. (Best Practices for File Based Inspection) For the File Blocking Profile, select the File Blocking profile you created in the previous step.
      5. For the Data Filtering profile, select the Enterprise DLP data filtering profile you created.
      6. Click OK.
    15. Commit and push the new configuration to your managed firewalls.
      The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
      • Full configuration push from Panorama
        1. Select CommitCommit to Panorama and Commit.
        2. Select CommitPush to Devices and Edit Selections.
        3. Select Device Groups and Include Device and Network Templates.
        4. Click OK.
        5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
      • Partial configuration push from Panorama
        You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and Enterprise DLP in sync.
        For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
        1. Select CommitCommit to Panorama.
        2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
          In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
          Click OK to continue.
        3. Commit.
        4. Select CommitPush to Devices.
        5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
          In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
          Click OK to continue.
        6. Select Device Groups and Include Device and Network Templates.
        7. Click OK.
        8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.

    © 2026 Palo Alto Networks, Inc. All rights reserved.