Update a Data Profile
Focus
Focus
Enterprise DLP

Update a Data Profile

Table of Contents

Update a Data Profile

Update and modify an existing
Enterprise Data Loss Prevention (E-DLP)
data profile.
Where Can I Use This?
What Do I Need?
  • NGFW (Panorama Managed)
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Cloud Managed)
  • Enterprise Data Loss Prevention (E-DLP)
    license
  • NGFW (Panorama Managed)
    —Support and
    Panorama
    device management licenses
  • Prisma Access (Managed by Strata Cloud Manager)
    Prisma Access
    license
  • SaaS Security
    SaaS Security
    license
  • NGFW (Cloud Managed)
    —Support and
    AIOps for NGFW Premium
    licenses
Or any of the following licenses that include the
Enterprise DLP
license
  • Prisma Access
    CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X)
    license
  • Data Security
    license
You can edit and modify an existing custom
Enterprise Data Loss Prevention (E-DLP)
data profile at any time. Any changes you make to an existing data profile from the DLP app on the hub is automatically synchronized to
Panorama
,
Prisma Access (Managed by Panorama)
, and
Strata Cloud Manager
where the data profile is supported.
If you update a data profile to include a predefined data pattern, be sure to consider the detection types used by the predefined data patterns because the detection type determines how
Enterprise Data Loss Prevention (E-DLP)
arrives at a verdict for scanned files. For example, when you create a data profile that includes three machine learning (ML)-based data patterns and seven regex-based data patterns,
Enterprise DLP
will return verdicts based on the seven regex-based patterns whenever the scanned file exceeds 1 MB.
Advanced data profiles can only be modified from
Strata Cloud Manager
or the DLP app on the hub.
Any changes to the data profile match criteria made on
Strata Cloud Manager
are synchronized to
Panorama
but don’t display in the
Panorama
web interface. Security policy rules using a data profile updated on
Strata Cloud Manager
inspect traffic using the new or modified match criteria.
(
Panorama
only
) Updating the data profile
Name
is supported but you must manually update the existing Security policy rules (
Policies
Security
to reassociate the renamed data filtering profile. Commits on
Panorama
fail if you do not reassociate the renamed data filtering profile with the Security policy rule after the updated data profile name is synchronized to
Panorama
.

Strata Cloud Manager

Modify an existing
Enterprise Data Loss Prevention (E-DLP)
data profile on
Strata Cloud Manager
.
  1. Log in to
    Strata Cloud Manager
    .
  2. Select
    Manage
    Configuration
    Security Services
    Data Loss Prevention
    Data Profiles
    and navigate to the data profile you want to modify.
  3. Edit ( ) the data profile.
  4. Modify the data profile as needed.
    • See Create a Classic Data Profile for details on configuring configure a data profile that uses only predefined or custom data patterns.
      Modifying a classic data profile to include advanced detection methods isn’t supported.
    • See Create an Advanced Data Profile for details on configuring a profile that uses any combination of prdefined or custom data patterns and advanced detection methods.
      Modifying an advanced data profile to only include data patterns isn’t supported if the advanced data profile included both data patterns and advanced detection methods when it was initially created.
      Enterprise DLP
      includes predefined document templates that were converted from ML-based data patterns. Palo Alto Networks recommends modifying the match criteria in the event your existing data profile references the list ML-based data patterns that were converted.
    • See Create a Nested Data Profile for details on configuring a single data profile that contains multiple data profiles.
      Adding an advanced data profile to an existing nested data profile if one wasn’t included when the nested data profile was originally created is supported.
  5. Save
    your changes.

DLP App

Modify an existing
Enterprise Data Loss Prevention (E-DLP)
data profile on the DLP app on the hub.
  1. Log in to the DLP app on the hub.
    If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
  2. Select
    Data Profiles
    and select a data profile to display the data profile preview window.
  3. Edit ( ) the data profile.
  4. Modify the data profile as needed.
    • See Create a Classic Data Profile for details on configuring configure a data profile that uses only predefined or custom data patterns.
      Modifying a classic data profile to include advanced detection methods isn’t supported.
    • See Create an Advanced Data Profile for details on configuring a profile that uses any combination of prdefined or custom data patterns and advanced detection methods.
      Modifying an advanced data profile to only include data patterns isn’t supported if the advanced data profile included both data patterns and advanced detection methods when it was initially created.
      Enterprise DLP
      includes predefined document templates that were converted from ML-based data patterns. Palo Alto Networks recommends modifying the match criteria in the event your existing data profile references the list ML-based data patterns that were converted.
    • See Create a Nested Data Profile for details on configuring a single data profile that contains multiple data profiles.
      Adding an advanced data profile to an existing nested data profile if one wasn’t included when the nested data profile was originally created is supported.
  5. Save
    your changes.

Panorama

Modify an existing
Enterprise Data Loss Prevention (E-DLP)
data filtering profile on the
Panorama™ management server
.
  1. Log in to the
    Panorama
    web interface.
  2. Select
    Objects
    DLP
    Data Filtering Profiles
    and specify the
    Device Group
    .
  3. Select a data filtering profile to edit.
  4. Edit the data filtering profile as needed.
    1. Modify the data filtering profile scan for
      File Based
      traffic,
      Non-File Based
      traffic, or both.
    2. Modify the
      Primary Pattern
      and
      Secondary Pattern
      match criteria.
      Modifying the data filtering profile match criteria on
      Panorama
      is supported only for
      Enterprise DLP
      data filtering profiles created on
      Panorama
      . See File Based for Panorama for details on configuring data pattern criteria using predefined or custom data patterns.
    3. (
      Data Filtering Profile for Non-File Traffic Inspection Only
      ) Modify the
      URL Category Excluded List from Non-File
      and
      Application List Excluded from Non-File
      to configure which URL and application traffic is excluded from
      Enterprise DLP
      inspection.
      See Non-File Based for Panorama for more information.
    4. Edit the data filtering profile settings.
      Enterprise DLP
      only supports editing the advanced data profile settings from
      Panorama
      .
      • Select the data filtering profile
        Action
        (
        Alert
        or
        Block
        )
        If the data profile has both Primary and Secondary Patterns, changing the data filtering profile Action on
        Panorama
        deletes all Secondary Pattern match criteria.
      • Specify a
        File Type
        .
        Leave the file type as
        any
        to match any of the supported file types.
      • Set the
        Log Severity
        recorded for files that match this data filtering profile.
  5. Click
    OK
    .
  6. Commit and push the new configuration to your managed firewalls to complete the
    Enterprise DLP
    plugin installation.
    This step is required for
    Enterprise DLP
    data filtering profile names to appear in Data Filtering logs.
    The
    Commit and Push
    command isn’t recommended for
    Enterprise DLP
    configuration changes. Using the
    Commit and Push
    command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select
        Commit
        Commit to
        Panorama
        and
        Commit
        .
      2. Select
        Commit
        Push to Devices
        and
        Edit Selections
        .
      3. Select
        Device Groups
        and
        Include Device and Network Templates
        .
      4. Click
        OK
        .
      5. Push
        your configuration changes to your managed firewalls that are using
        Enterprise DLP
        .
    • Partial configuration push from Panorama
      You must always include the temporary
      __dlp
      administrator when performing a partial configuration push. This is required to keep
      Panorama
      and the DLP cloud service in sync.
      For example, you have an
      admin
      Panorama
      admin user who is allowed to commit and push configuration changes. The
      admin
      user made changes to the
      Enterprise DLP
      configuration and only wants to commit and push these changes to managed firewalls. In this case, the
      admin
      user is required to also select the
      __dlp
      user in the partial commit and push operations.
      1. Select
        Commit
        Commit to
        Panorama
        .
      2. Select
        Commit Changes Made By
        and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the
        admin
        user is currently logged in and performing the commit operation. The
        admin
        user must click
        admin
        and then select the
        __dlp
        user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click
        OK
        to continue.
      3. Commit
        .
      4. Select
        Commit
        Push to Devices
        .
      5. Select
        Push Changes Made By
        and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the
        admin
        user is currently logged in and performing the push operation. The
        admin
        user must click
        admin
        and then select the
        __dlp
        user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click
        OK
        to continue.
      6. Select
        Device Groups
        and
        Include Device and Network Templates
        .
      7. Click
        OK
        .
      8. Push
        your configuration changes to your managed firewalls that are using
        Enterprise DLP
        .
  7. Verify the changes you made to the data filtering profile.
    1. Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    2. Select
      Data Profiles
      and search for the data filtering profile you updated.

Recommended For You