Update a Data Profile
Focus
Focus
Enterprise DLP

Update a Data Profile

Table of Contents

Update a Data Profile

Update and modify an existing Enterprise Data Loss Prevention (E-DLP) data profile.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
You can edit and modify an existing custom Enterprise Data Loss Prevention (E-DLP) data profile at any time. Enterprise DLP synchronizes any changes you make to an existing data profile between Panorama and Strata Cloud Manager.
If you update a data profile to include a predefined data pattern, be sure to consider the detection types used by the predefined data patterns because the detection type determines how Enterprise DLP arrives at a verdict for scanned files. For example, when you create a data profile that includes three machine learning (ML)-based data patterns and seven regex-based data patterns, Enterprise DLP will return verdicts based on the seven regex-based patterns whenever the scanned file exceeds 1 MB.
Advanced data profiles and nested data profiles can only be modified from Strata Cloud Manager.
Any changes to the data profile match criteria made on Strata Cloud Manager are synchronized to Panorama but don’t display in the Panorama web interface. Security policy rules using a data profile updated on Strata Cloud Manager inspect traffic using the new or modified match criteria.
(Panorama only) Updating the data profile Name is supported but you must manually update the existing Security policy rules (PoliciesSecurity to reassociate the renamed data filtering profile. Commits on Panorama fail if you do not reassociate the renamed data filtering profile with the Security policy rule after the updated data profile name is synchronized to Panorama.

Update a Data Profile Strata Cloud Manager

Modify an existing Enterprise Data Loss Prevention (E-DLP) data profile on Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Select ConfigurationData Loss PreventionData Profiles and navigate to the data profile you want to modify.
  3. Edit (
    ) the data profile.
  4. Modify the data profile as needed.
    • See Create a Classic Data Profile for details on configuring configure a data profile that uses only predefined or custom data patterns.
      Modifying a classic data profile to include advanced detection methods isn’t supported.
    • See Create an Advanced Data Profile for details on configuring a profile that uses any combination of predefined or custom data patterns and advanced detection methods.
      Modifying an advanced data profile to only include data patterns isn’t supported if the advanced data profile included both data patterns and advanced detection methods when it was initially created.
      Enterprise DLP includes predefined document templates that were converted from ML-based data patterns. Palo Alto Networks recommends modifying the match criteria in the event your existing data profile references the list ML-based data patterns that were converted.
    • See Create a Nested Data Profile for details on configuring a single data profile that contains multiple data profiles.
      Adding an advanced data profile to an existing nested data profile if one wasn’t included when the nested data profile was originally created is supported.
    • See Create a Granular Data Profile for details configuring a single data profile that contains multiple data profiles to enable your data security administrators to apply differentiated inline content inspection requirements and response actions within the same Security policy rule.
  5. Test a Data Profile to verify it accurately detects the sensitive data you configured it to detect.
  6. Save your changes.
  7. (Granular Data Profiles only) Select ConfigurationNGFW and Prisma Access and Push Config.
    Enterprise DLP requires you push the Strata Cloud Manager configuration to the enforcement points using the Enterprise DLP when you update a granular data profile.

Update a Data Filtering Profile on Panorama

Modify an existing Enterprise Data Loss Prevention (E-DLP) data filtering profile on the Panorama® management server.
  1. Log in to the Panorama web interface.
  2. Select ObjectsDLPData Filtering Profiles and specify the Device Group.
  3. Select a data filtering profile to edit.
  4. Modify the data filtering profile as needed.
    • See Create a Classic Data Profile for details on configuring configure a File or Non-File data filtering profile that uses only predefined or custom data patterns.
      Enterprise DLP doesn't support modifying a classic data profile to include advanced detection methods.
    • For an advanced data profile created on Strata Cloud Manager, Enterprise DLP only supports editing the advanced data filtering profile settings on Panorama.
      • Select the data filtering profile Action (Alert or Block)
        If the data profile has both Primary and Secondary Patterns, changing the data filtering profile Action on Panorama deletes all Secondary Pattern match criteria.
      • Specify a File Type.
        Leave the file type as any to match any of the supported file types.
      • Set the Log Severity recorded for files that match this data filtering profile.
    • See Create a Granular Data Profile on Panorama for details configuring a single data profile that contains multiple data profiles to enable your data security administrators to apply differentiated inline content inspection requirements and response actions within the same Security policy rule.
  5. Commit and push the new configuration to your managed firewalls.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select CommitCommit to Panorama and Commit.
      2. Select CommitPush to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select CommitCommit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select CommitPush to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.