Resolve Data Profile Synchronization Conflicts

Resolve Enterprise Data Loss Prevention (E-DLP) data filtering profile synchronization issues on your Panorama™ management server.
Where Can I Use This?
  • NGFW (Managed by Panorama)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
When managing your Enterprise Data Loss Prevention (E-DLP) data filtering profiles across your Panorama™ management server and Strata Cloud Manager, configuration drift might occur because the Enterprise DLP plugin's local configuration only syncs with Strata Cloud Manager when you commit Enterprise DLP configuration changes on Panorama. This can lead to configuration commit failures or to data filtering profiles being silently overwritten, which can cause security disruptions and protection gaps.
To resolve data filtering profile synchronization conflicts, you must install Enterprise DLP plugin 5.0.0 or a later release. Review the Compatibility Matrix to learn more about the plugin versions supported on each PAN-OS release.
If you decide to ignore any data filtering profile conflict errors, be aware that Enterprise DLP synchronizes data pattern and data profile changes on Panorama with Strata Cloud Manager every time you commit configuration changes on Panorama.
This might result in Enterprise DLP overwriting the correct configuration on Strata Cloud Manager with the incorrect configuration from Panorama.
  1. Log in to the Panorama web interface.
  2. Select Objects > DLP > Data Filtering Profiles.
  3. A banner displays at the top of the data filtering profile list when Enterprise DLP detects a synchronization conflict between the Enterprise DLP plugin installed on Panorama and the data profiles on Strata Cloud Manager. This banner displays the total number of synchronization conflicts detected.
    Click the Resolve Conflicts link to continue.
  4. Select a data filtering profile with conflicts to review. You can review one data filtering profile at a time.
  5. Review the Local Changes on Panorama and the Remote Changes on Strata Cloud Manager and decide which configuration you want to keep.
    Use the Legend to identify the conflicts between the data filtering profile on Panorama and the data profile on Strata Cloud Manager.
    • Apply Local: Enterprise DLP preserves the local configuration on Panorama. Enterprise DLP synchronizes the data filtering profile configuration you preserved on Panorama with Strata Cloud Manager after you commit and push your Enterprise DLP configuration changes.
    • Apply Cloud: Enterprise DLP applies the data profile configuration detected on Strata Cloud Manager to the data filtering profile on Panorama. Enterprise DLP synchronizes the data filtering profile configuration applied from Strata Cloud Manager to the data filtering profile on Panorama after you commit and push your Enterprise DLP configuration changes.
  6. When prompted, Confirm you want to apply the changes from the local data filtering profile on Panorama or from the data profile on Strata Cloud Manager.
  7. Commit and push your configuration changes.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your NGFW that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and Enterprise DLP in sync.
      For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to your NGFW. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
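
For teams that script the partial commit rather than clicking through the web interface, the following added example (not from the original page or from Palo Alto Networks) builds a partial-commit command body that always includes the __dlp administrator, and audits an existing command for a missing __dlp member. It assumes the PAN-OS XML API admin scope (`<commit><partial><admin><member>`) applies to this workflow; the function names and the accepted admin-name character set are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

DLP_ADMIN = "__dlp"  # temporary administrator named on this page
# Assumed safe character set for admin names (hypothetical, adjust to your naming policy).
_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,63}$")


def partial_commit_cmd(admins):
    """Build a <commit><partial> command body that always scopes in __dlp."""
    members = []
    for name in list(admins) + [DLP_ADMIN]:
        if not _NAME_RE.match(name):
            # Reject names that could break out of the XML or the query string.
            raise ValueError(f"unexpected admin name: {name!r}")
        if name not in members:  # de-duplicate, keep caller's order
            members.append(name)
    commit = ET.Element("commit")
    admin = ET.SubElement(ET.SubElement(commit, "partial"), "admin")
    for name in members:
        ET.SubElement(admin, "member").text = name
    return ET.tostring(commit, encoding="unicode")


def omits_dlp_admin(cmd_xml):
    """Return True when a command is scoped by admin but leaves out __dlp."""
    root = ET.fromstring(cmd_xml)
    admin = root.find("./partial/admin")
    if admin is None:
        return False  # full commit, or not scoped by admin: nothing to flag
    return DLP_ADMIN not in [m.text for m in admin.findall("member")]


if __name__ == "__main__":
    # Constructed sample: the logged-in user "admin" from the example above.
    cmd = partial_commit_cmd(["admin"])
    print(cmd)
    # Constructed sample of a scripted commit that would let Panorama and
    # Enterprise DLP drift out of sync.
    legacy = "<commit><partial><admin><member>admin</member></admin></partial></commit>"
    print("legacy command omits __dlp:", omits_dlp_admin(legacy))
```

Running `omits_dlp_admin` over the command strings in existing automation is a quick way to find partial commits that leave Panorama and Enterprise DLP out of sync.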