Panorama

1. Log in to the Panorama web interface.
2. Select ObjectsDLPData Filtering Profiles and specify the Device Group.
3. Select a data filtering profile to edit.
4. Edit the data filtering profile as needed.

   1. Modify the data filtering profile scan for File Based traffic, Non-File Based traffic, or both.
   2. Modify the Primary Pattern and Secondary Pattern match criteria.

      Modifying the data filtering profile match criteria on Panorama is supported only for Enterprise DLP data filtering profiles created on Panorama. See File Based for Panorama for details on configuring data pattern criteria using predefined or custom data patterns.
   3. (Data Filtering Profile for Non-File Traffic Inspection Only) Modify the URL Category Excluded List from Non-File and Application List Excluded from Non-File to configure which URL and application traffic is excluded from Enterprise DLP inspection.

      See Create a Classic Data Profile (Non-File Based for Panorama) for more information.
   4. Edit the data filtering profile settings.

      Enterprise DLP only supports editing the advanced data profile settings from Panorama.

      • Select the data filtering profile Action (Alert or Block)
        If the data profile has both Primary and Secondary Patterns, changing the data filtering profile Action on Panorama deletes all Secondary Pattern match criteria.
      • Specify a File Type.
        Leave the file type as any to match any of the supported file types.
      • Set the Log Severity recorded for files that match this data filtering profile.
5. Click OK.
6. Commit and push the new configuration to your managed firewalls.

   The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.

   • Full configuration push from Panorama
     1. Select CommitCommit to Panorama and Commit.
     2. Select CommitPush to Devices and Edit Selections.
     3. Select Device Groups and Include Device and Network Templates.
     4. Click OK.
     5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
   • Partial configuration push from Panorama
     You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.

     For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
     1. Select CommitCommit to Panorama.
     2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.

     3. Commit.
     4. Select CommitPush to Devices.
     5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.

     6. Select Device Groups and Include Device and Network Templates.
     7. Click OK.
     8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.