Create a Data Filtering Profile on Panorama

Create a new Enterprise Data Loss Prevention (E-DLP) data filtering profile on your Panorama® management server.
A data filtering profile configured for non-file traffic detection lets you configure URL and application exclusion lists, which select Shared URL categories and app traffic to exclude from inspection. At least one application exclusion is required to create a data filtering profile that inspects non-file traffic. The predefined DLP App Exclusion Filter provides commonly used apps that you can safely exclude from inspection.

When you create a data filtering profile using predefined data patterns, consider the detection type each predefined data pattern uses, because the detection type determines how Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files.

If you downgrade from PAN-OS 10.2.1 or a later release and Enterprise DLP plugin 3.0.1 or a later release to PAN-OS 10.1 and Enterprise DLP plugin 1.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.
  1. Log in to the Panorama web interface.
  2. Configure your Enterprise DLP settings if not already configured.
    • Cloud Content Server—Edit the Cloud Content settings to specify the Enterprise DLP server that traffic is forwarded to for inspection and verdict rendering. You might need to configure the Cloud Content server if your organization must adhere to specific data residency requirements.
    • Data Filtering Settings—Edit the data filtering settings to specify the traffic forwarding parameters for your enforcement points and Enterprise DLP. This includes the minimum and maximum data size limits for scanned traffic, latency settings, and the actions the enforcement point or Enterprise DLP takes when it encounters issues with file and non-file traffic.
    • Snippet Settings—Edit the snippet settings to specify whether and how Enterprise DLP stores and masks snippets of sensitive data that match the data pattern match criteria in a data profile. Your snippet settings determine how Enterprise DLP displays snippets of matched traffic when you review your DLP incidents.
  3. (Optional for Non-File Traffic Inspection) Create a custom application filter, application group, or URL category to define the predefined or custom app and URL traffic you want to exclude from inspection.
    The application filter, application group, and URL category must be Shared to be used in the data filtering profile application exclusion and URL exclusion lists. Data filtering profiles for non-file traffic inspection support either custom application filters or application groups; you aren't required to add both.
  4. Create one or more data patterns to define your match criteria if not already created. You can also use any of the predefined data patterns.
  5. Select Objects > DLP > Data Filtering Profiles and Add a new data filtering profile.
  6. Enter a descriptive Name for the data filtering profile.
  7. Configure the data filtering profile inspection parameters.
    • Shared—All Enterprise DLP data filtering profiles must be Shared across all device groups. This setting is enabled by default and can't be disabled.
    • Profile Type—Select the Classic data filtering profile type.
      A Classic data filtering profile supports adding data patterns only.
    • File Based—Specifies whether the data filtering profile applies to file-based traffic. Default is Yes.
    • Non-File Based—Specifies whether the data filtering profile applies to non-file-based traffic. Default is No. A data filtering profile can apply to file-based traffic, non-file-based traffic, or both.
  8. Define the match criteria.
    • If you select Basic, configure the following:
      • Primary Pattern—Add one or more data patterns to specify as the match criteria.
        If you specify more than one data pattern, the managed firewall uses a boolean OR across them.
      • Match—Select whether the pattern you specify should match (include) or not match (exclude) the specified criteria.
      • Operator—Select a boolean operator to use with the Occurrence (threshold) parameter. Select Any to ignore the threshold.
        • Any—The Security policy rule action is triggered if Enterprise DLP detects at least one instance of matched traffic.
        • Less than or equal to—The Security policy rule action is triggered if Enterprise DLP detects instances of matched traffic, up to a maximum of the specified Occurrence.
        • More than or equal to—The Security policy rule action is triggered if Enterprise DLP detects at least the specified Occurrence of instances of matched traffic.
        • Between (inclusive)—The Security policy rule action is triggered if Enterprise DLP detects a number of instances of matched traffic within the specified Occurrence range, including both ends.
      • Occurrence—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 to 500.
        For example, to match a pattern that appears three or more times in a file, select more_than_or_equal_to as the Operator and specify 3 as the Occurrence.
      • Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
    • If you select Advanced, you can create expressions by dragging and dropping data patterns, Confidence levels, Operators, and Occurrence values into the field in the center of the page.
      Specify the values in the order that they’re shown in the following example (data pattern, Confidence, and Operator or Occurrence).
  9. Specify the file types Enterprise DLP takes action against.
    • DLP plugin 4.0.0 and earlier releases
      Select the File Type. By default, any is selected, which inspects all supported file types.
    • DLP plugin 4.0.1 and later releases
      1. Select File Types.
      2. Select the Scan Type to create a file type include or exclude list.
        • Include—Enterprise DLP inspects only the file types you add to the File Type Array.
        • Exclude—Enterprise DLP inspects all supported file types except those you add to the File Type Array.
      3. Click Modify to add the file types to the File Type Array and click OK.
  10. Select traffic Direction you want to inspect.
    You can select Upload, Download, or Both.
  11. Set the Log Severity recorded for files that match this rule.
    You can select critical, high, medium, low, or informational. The default severity is informational.
  12. Click OK to save your changes.
  13. (Best Practice for File-Based Inspection) Create a File Blocking profile and add a block rule for the file types you don't explicitly forward to Enterprise DLP.
    Palo Alto Networks recommends creating this File Blocking profile to ensure sensitive data can't be exfiltrated in file types Enterprise DLP does not support.
  14. Attach the data filtering profile to a Security policy rule.
    1. Select Policies > Security and specify the Device Group.
    2. Select the Security policy rule to which you want to add the data filtering profile.
    3. Select Actions and set the Profile Type to Profiles.
    4. (Best Practice for File-Based Inspection) For the File Blocking Profile, select the File Blocking profile you created in the previous step.
    5. For the Data Filtering profile, select the Enterprise DLP data filtering profile you created.
    6. Click OK.
  15. Commit and push the new configuration to your managed firewalls.
    The Commit and Push command isn't recommended for Enterprise DLP configuration changes, because it requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and Enterprise DLP in sync.
      For example, a Panorama administrator named admin is allowed to commit and push configuration changes. The admin user changed the Enterprise DLP configuration and wants to commit and push only these changes to managed firewalls. In this case, the admin user must also select the __dlp user in both the partial commit and the partial push.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
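The settings chosen in steps 7 through 11 decide when the Security policy rule action fires and what gets logged, and step 13 depends on knowing which file types the profile never forwards. The Python model below is an added illustration of those semantics; it is not Palo Alto Networks code and does not talk to Panorama. It encodes the four Operators, the 1 to 500 Occurrence range, the boolean OR across Basic primary patterns, the Include/Exclude File Type Array, the traffic Direction and the Log Severity, and derives the file types a File Blocking profile should block. The supported file type set, the profile and the scan results are constructed for the example. Two behaviours are assumptions rather than anything the page states: a required Confidence is treated as "at or above this level", and the not-match (exclude) option is modeled as the negation of the threshold check.

```python
# Added model of a Classic data filtering profile's verdict logic (steps 7-11).
# Illustration only, not Palo Alto Networks code; file types, profile and scans are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Operator values as named on the page; Occurrence is the threshold they compare against.
ANY, LE, GE, BETWEEN = "any", "less_than_or_equal_to", "more_than_or_equal_to", "between"
OCCURRENCE_MIN, OCCURRENCE_MAX = 1, 500
CONFIDENCE_RANK = {"Low": 0, "High": 1}
# Constructed stand-in for the file types Enterprise DLP can inspect (not the product's list).
SUPPORTED_FILE_TYPES = frozenset({"pdf", "docx", "xlsx", "pptx", "txt", "csv", "zip"})
Hits = Dict[str, Tuple[int, str]]  # data pattern -> (instances detected, detected confidence)


@dataclass
class PatternCriterion:
    """One Basic-mode primary pattern with its Match, Operator, Occurrence and Confidence."""
    pattern: str
    match: bool = True                      # True = match (include), False = not match (exclude)
    operator: str = ANY
    occurrence: int = 1                     # threshold; low end of the range for BETWEEN
    occurrence_high: Optional[int] = None   # high end of the range for BETWEEN
    confidence: str = "High"

    def __post_init__(self) -> None:
        for value in (self.occurrence, self.occurrence_high):
            if value is not None and not OCCURRENCE_MIN <= value <= OCCURRENCE_MAX:
                raise ValueError(f"Occurrence {value} is outside {OCCURRENCE_MIN}-{OCCURRENCE_MAX}")
        if self.operator == BETWEEN and self.occurrence_high is None:
            raise ValueError("between (inclusive) needs both ends of the Occurrence range")
        if self.confidence not in CONFIDENCE_RANK:
            raise ValueError(f"unknown Confidence {self.confidence!r}")

    def threshold_met(self, count: int) -> bool:
        if self.operator == ANY:
            return count >= 1                               # at least one instance
        if self.operator == LE:
            return 1 <= count <= self.occurrence            # some instances, at most Occurrence
        if self.operator == GE:
            return count >= self.occurrence                 # at least Occurrence instances
        if self.operator == BETWEEN:
            return self.occurrence <= count <= self.occurrence_high
        raise ValueError(f"unknown Operator {self.operator!r}")

    def satisfied(self, hits: Hits) -> bool:
        count, detected = hits.get(self.pattern, (0, "Low"))
        # Assumption: a detection counts only if its confidence is at or above the required level.
        if CONFIDENCE_RANK[detected] < CONFIDENCE_RANK[self.confidence]:
            count = 0
        met = self.threshold_met(count)
        return met if self.match else not met              # assumption: "not match" inverts the check


@dataclass
class DataFilteringProfile:
    name: str
    criteria: List[PatternCriterion]             # Basic mode: boolean OR across primary patterns
    file_based: bool = True
    non_file_based: bool = False
    scan_type: str = "Include"                   # plugin 4.0.1+: "Include" or "Exclude" list
    file_types: Optional[FrozenSet[str]] = None  # None = File Type "any" (plugin 4.0.0 default)
    direction: str = "Both"                      # "Upload", "Download" or "Both"
    log_severity: str = "informational"

    def inspects_file_type(self, file_type: str) -> bool:
        if file_type not in SUPPORTED_FILE_TYPES:
            return False                             # unsupported types never reach Enterprise DLP
        if self.file_types is None:
            return True
        listed = file_type in self.file_types
        return listed if self.scan_type == "Include" else not listed

    def evaluate(self, scan: dict) -> Tuple[bool, Optional[str]]:
        """Return (rule action triggered, Log Severity) for one scanned transfer."""
        if scan["is_file"] and (not self.file_based or not self.inspects_file_type(scan["file_type"])):
            return False, None
        if not scan["is_file"] and not self.non_file_based:
            return False, None
        if self.direction != "Both" and self.direction != scan["direction"]:
            return False, None
        if any(c.satisfied(scan["hits"]) for c in self.criteria):
            return True, self.log_severity
        return False, None


def file_types_to_block(profile: DataFilteringProfile, observed: FrozenSet[str]) -> FrozenSet[str]:
    """Step 13 best practice: file types seen in traffic that this profile never forwards to DLP."""
    return frozenset(ft for ft in observed if not profile.inspects_file_type(ft))


# Constructed profile: uploads of PDF/DOCX carrying 3+ card numbers or any SSN, at High confidence.
PROFILE = DataFilteringProfile(
    name="dlp-card-ssn-upload",
    criteria=[PatternCriterion("Credit Card Number", operator=GE, occurrence=3),
              PatternCriterion("US Social Security Number", operator=ANY)],
    scan_type="Include", file_types=frozenset({"pdf", "docx"}),
    direction="Upload", log_severity="high")


def demo() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Constructed scan results, one per gate the profile applies."""
    def scan(is_file, file_type, direction, hits):
        return {"is_file": is_file, "file_type": file_type, "direction": direction, "hits": hits}
    cases = {
        "three_cards_pdf_upload": scan(True, "pdf", "Upload", {"Credit Card Number": (3, "High")}),
        "two_cards_pdf_upload": scan(True, "pdf", "Upload", {"Credit Card Number": (2, "High")}),
        "three_cards_low_confidence": scan(True, "pdf", "Upload", {"Credit Card Number": (3, "Low")}),
        "ssn_in_xlsx_upload": scan(True, "xlsx", "Upload", {"US Social Security Number": (1, "High")}),
        "ssn_docx_download": scan(True, "docx", "Download", {"US Social Security Number": (1, "High")}),
        "ssn_in_chat_message": scan(False, None, "Upload", {"US Social Security Number": (1, "High")}),
    }
    return {name: PROFILE.evaluate(s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} -> {verdict}")
    print("block via File Blocking:", sorted(file_types_to_block(PROFILE, SUPPORTED_FILE_TYPES | {"exe"})))
```

Only the first case fires: two card numbers fall short of the Occurrence of 3, Low-confidence detections do not satisfy a High requirement, XLSX is not in the Include list, a download is not covered by Direction Upload, and a chat message is non-file traffic on a profile with Non-File Based set to No. The File Blocking complement is every observed type the profile will not inspect, which is exactly what step 13 asks you to block.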