>
    Strata Copilot
    How Does Endpoint DLP Work?
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Administration
    4. Configure Enterprise DLP
    5. Endpoint DLP
    6. How Does Endpoint DLP Work?
    Download PDF
    Enterprise DLP

    How Does Endpoint DLP Work?

    Table of Contents

    How Does Endpoint DLP Work?

    Learn how Endpoint DLP prevents exfiltration of sensitive data over peripheral devices and discovers sensitive data stored on managed endpoints.
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    Prisma Access (Managed by Strata Cloud Manager)
    • Endpoint DLP license
    • Autonomous DEM 5.3.4 or later
    • Prisma Access Agent
    • Prisma Access 5.1 (Preferred or Innovation) or later
    Endpoint DLP enables you to allow or block peripheral devices to prevent exfiltration of sensitive data. Endpoint DLP uses Enterprise Data Loss Prevention (E-DLP) advanced detection methods, as well as custom data profiles to define custom traffic match criteria or predefined ML-based and regex data profiles.
    Endpoint DLP enforces data in motion policy rules at the point of file transfer between an endpoint and a peripheral device. When Prisma Access Agent detects file movement, it evaluates the Endpoint DLP policy rulebase and forwards the file to Enterprise DLP for inspection when necessary. Enterprise DLP renders a verdict and communicates it to Prisma Access Agent, which executes the action you configured in the policy rule. Prisma Access Agent also displays a notification to the end user when they generate a DLP incident.
    The following example illustrates how Enterprise DLP inspects endpoints. This process requires Prisma Access Agent and your Endpoint DLP policy rules.
    1. A user connects a peripheral device to their endpoint.
    2. The user moves a file from the endpoint to the connected peripheral device.
    3. Prisma Access Agent registers that the user attempted to move a file from the endpoint to the peripheral device and evaluates your Endpoint DLP policy rules.
      • No Policy Rule Match—If no Endpoint DLP policy rule matches, the agent allows the peripheral device to connect and the endpoint retains full read and write access to the peripheral device.
      • Peripheral Control Policy Rule—If you created a peripheral control policy rule, the agent executes the allow or block action you configured.
        For example, if the policy rule blocks the connection, the agent revokes write privileges and the endpoint can't upload files to the peripheral device.
        If the policy rule allows the connection, the agent grants write access and the endpoint can upload files to the peripheral device.
      • Data in Motion Policy Rule—The agent allows the connection. When Prisma Access Agent detects file movement from the endpoint to a peripheral device, it forwards the file to Enterprise DLP for inspection and verdict rendering. The agent also forwards file metadata, such as the fileSHA, which Enterprise DLP uses to identify each forwarded file.
        Enterprise DLP sends the verdict to Prisma Access Agent. If Enterprise DLP detects sensitive data, the agent takes the Endpoint DLP policy rule action. If Enterprise DLP detects a forwarded file that was already inspected based on the fileSHA, Enterprise DLP returns the existing verdict without reinspecting the file.
    4. Prisma Access Agent executes the Endpoint DLP policy rule action that you configured in the Peripheral Control or Data in Motion policy rule.
    5. Enterprise DLP generates a DLP incident when appropriate. If you configured End User Coaching, Prisma Access Agent displays a notification on the endpoint to alert the user.

    How Does Data at Rest Scanning Work?

    Contact your Palo Alto Networks sales representative to enable this feature on your Enterprise DLP tenant.
    Endpoint DLP data at rest scanning discovers sensitive data stored on managed endpoints. You can identify improperly stored or unsecured sensitive information, such as personal data, financial records, and intellectual property, that increases your risk of data breaches and regulatory noncompliance with GDPR, HIPAA, and PCI-DSS.
    Data at rest scans run locally on the endpoint using the local detection engine on Prisma Access Agent, which minimizes latency and maintains protection even when the endpoint is offline. You create data at rest policy rules in Strata Cloud Manager to define which data profiles, file types, folder paths, and users the scan targets. The local detection engine uses predefined regular expression (regex) data patterns to identify sensitive data.
    Prisma Access Agent uses delta scanning after the initial full scan, inspecting only files created or modified since the last scan. Prisma Access Agent crawls the folder paths you configured, discovers files, and ignores symbolic links. Prisma Access Agent also monitors file system events to track file creations, modifications, and deletions. Each scan verdict expires after 90 days, at which point Prisma Access Agent automatically rescans the file regardless of whether the content changed.
    When a scan identifies sensitive data that matches your data profiles, Enterprise DLP generates a DLP incident that you can investigate and remediate through the centralized incident management workflow in Strata Cloud Manager. You can view scan results for all discovered assets in the Data Asset Explorer, including matched data profiles, scan policies, and last scan times for each asset. If the endpoint is offline during a scan, Prisma Access Agent queues incidents locally and sends them to Enterprise DLP when connectivity is restored.
    Data at rest scanning uses the local detection engine, which supports regex-based data patterns only. Classifiers that require cloud infrastructure, such as ML, EDM, IDM, and trainable classifiers, aren't supported for data at rest scans.

    What Operating Systems Does Endpoint DLP Support?

    Endpoints running the following operating systems support Endpoint DLP.
    Operating System
    Version
    Microsoft Windows
    Windows 10 version 2004 or later release
    macOS
    		12 (Monterey) or later release

    What File Types Does Endpoint DLP Support?

    Endpoint DLP supports inspection and verdict rendering for the following file types.
    File Characteristic
    Support
    File Type
    Endpoint DLP can inspect all file types supported by Enterprise DLP.
    File Size
    The maximum file size depends on the Endpoint DLP policy rule Action.
    • Alert— Up to 100 MB
    • Block—Up to 50 MB

    Which Protocols Does Endpoint DLP Support for Network Shares?

    Endpoint DLP supports the following network protocols for network share peripheral devices.
    Operating System
    Version
    Microsoft Windows
    Common Internet File System (CIFS)
    Server Message Block (SMB)
    macOS
    These protocols are supported only if you mount the protocol as a network share
    Common Internet File System (CIFS)
    File Transfer Protocol (FTP)
    FTP Secure (FTPS)
    Network File System (NFS)
    Server Message Block (SMB)
    Secure File Transfer Protocol (SFTP)

    Which Languages Does Endpoint DLP Support for Printing?

    Endpoint DLP supports the following printing languages for printer peripheral devices depending on the printer and driver combination in use.
    Enterprise DLP performs a best-effort inspection on printing outputs if the printer and driver combination produces output in a language not explicitly supported by Enterprise DLP. Enterprise DLP might not detect sensitive data in these outputs.
    Operating System
    Language
    Printer Brands
    Microsoft Windows
    PostScript (PS)
    Printer Command Language (PCL)
    XML Paper Specifications (XPS)
    Cannon
    Epson
    Kyocera
    Ricoh
    Sharp
    Xerox
    Contact Palo Alto Networks Support if a printer brand you use isn't listed here.
    macOS
    		Enterprise DLP inspection is language agnostic and supports all printing languages supported by macOS.

    © 2026 Palo Alto Networks, Inc. All rights reserved.