Enterprise DLP
Enterprise DLP Migrator
Table of Contents
Enterprise DLP Migrator
Enterprise DLP
MigratorMigrate your existing data loss prevention policy rules from your old data loss
prevention service provider to
Enterprise Data Loss Prevention (E-DLP)
.Where Can I Use This? | What Do I Need? |
---|---|
|
Or the following license that includes the Enterprise DLP
license
|
Use the
Enterprise Data Loss Prevention (E-DLP)
Migrator to migrate your Symantec DLP policy rules
and convert them into SaaS Security
Data Asset policy rules. This allows
you to quickly transition to Palo Alto Networks Enterprise DLP
without the need
to manually recreate all your Data Asset policy rules designed to prevent
exfiltration of sensitive data. To migrate your existing Symantec DLP policy rules, you simply need to export them
from Symantec DLP and import them into the
Enterprise DLP
migration tool. The
imported Security policy rules are then evaluated to verify that they are compatible
with Enterprise DLP
and SaaS Security
. When a Symantec DLP policy
rule is successfully migrated to Enterprise DLP
, a data pattern and a classic data profile with names identical to the migrated policy rule
are automatically created as part of the migration to capture the traffic match
criteria. If
Enterprise DLP
detects an incompatible Security policy rule traffic match
criteria, you can choose to delete the incompatible match criteria from the Symantec
DLP policy rule before the migration begins or choose to exclude that specific
Symantec DLP policy from migration. A successfully migrated Symantec DLP policy rule
is added as a Disabled
SaaS Security
Data Asset policy rule. You can then review the Data Asset
policy rule, make changes if needed, and enable the policy rule.Enterprise DLP
supports migration of Symantec DLP policy rules in
.xml
format and must be configured with one or more
of the following match criteria:- Regular expressions—A customized expression that defines a specific text pattern to inspect for and block.
- Keywords—Specific words specified to improve detection accuracy and reduce false positives. Referred to as Proximity Keywords in Palo Alto NetworksEnterprise DLP.
- Data Identifiers—The data match criteria added to a Symantec DLP policy rule Referred to as a data pattern in Palo Alto NetworksEnterprise DLP.
- Response Action—Only one Response Action is supported per Symantec DLP policy rule. IfEnterprise DLPdetects a Symantec DLP policy rule with more than one Response Action then the Response Action with the highest priority is applied.The priority list of Symantec DLP Response Actions is:
- Quarantine
- Remove Collaboration Action and Remove Collaboration LinkInSaaS Security, the Change SharingActionin a Data Asset policy rule allows you to remove collaborators and links using one Data Asset policy rule.
- Notify Owner
- Export your existing Symantec DLP policy rules in.xmlformat.
- Log in toStrata Cloud Manager.
- Select.ManageConfigurationSaaS SecuritySettingsAll SettingsDLP Migration Assistant
- Upload the Symantec DLP policy rules to theEnterprise DLPMigrator.
- Enter a descriptiveMigration Namefor the Symantec DLP policy rule migration.
- In theUpload XML Filessection, drag and drop the Symantec DLP policy rules files in.xmlformat.
- Importthe XML files you uploaded to theEnterprise DLPMigrator.Enterprise DLPbegins to import and analyze your uploaded policy rules to verify compatibility. Continue to the next step once the import status reaches100%.
- Review your uploaded policy rules.Enterprise DLPlists the number of compatible, partially compatible, and incompatible policy rules from the total number of policy rules uploaded in the previous step.
- Compatible—Policy rule is compatible withEnterprise DLPand is ready for migration. No further review is needed to prepare the policy rule for migration toEnterprise DLP.
- Partially Compatible—Policy rule contains one or more traffic match criteria that are incompatible withEnterprise DLP. Review and delete the incompatible traffic match conditions before you can migrate the policy rule toEnterprise DLP.
- Incompatible—All traffic match criteria in the policy rule are incompatible withEnterprise DLP. The Symantec DLP policy rule can't be migrated toEnterprise DLP.
TheNotescolumn displays the specific issue causing the traffic match incompatibility withEnterprise DLP. - Review and address yourPartially Compatiblepolicy rules.Skip this step if you want to only migrateCompatiblerules and don't want to migrate anyPartially Compatiblepolicy rules.You can also select multiplePartially Compatiblepolicy rules to review. If you select multiple policy rules, you must switch between them to address each policy rule individually.Enterprise DLPMigrator does not support turning anIncompatiblepolicy rule into aCompatiblepolicy rule.Below is an example ofPartially CompatibleSymantec DLP policy rules that need to be reviewed before they can be migrated toEnterprise DLP.
- Select one or morePartially Compatiblepolicy rules you want to review.
- Review Selected.
- Select theIncompatibletraffic match criteria andDelete.When prompted, confirm you want toDeletethe selected incompatible traffic match criteria.If you selected multiple policy rules, use the navigation arrows in the top-right corner of theReview Policypage and repeat this step until all incompatible traffic match criteria is deleted.After you delete all incompatible traffic match criteria from the selectedPartially Compatiblepolicy rules, click theXin the top-right corner to continue migration toEnterprise DLP.
- The policy rules now show that they areCompatibleandReady to Migrate.
- Migrate one or more policy rules toEnterprise DLP.
- In theReview Policiespage, select one or more policy rules andMigrate to PANW.
- A verification window is displayed detailing the number ofCompatiblepolicy rules are selected for migration.Additionally, you can specify whether these policy rules are automaticallyEnabledafter successful migration. By default, all migrated policy rules areDisabled.
- Migratethe selected policy rules.
- A progress bar is displayed detailing the current policy rule migration status.
- Your policy rules are now successfully migrated toEnterprise DLP.A summary of the migration operation is displayed. Additionally, you can:
- Export PDF—Export a PDF file of the policy rules you migrated toEnterprise DLP. This PDF is downloaded to your local device.
- Migration History—Redirected to the view the history of all previous successful policy rule migrations.
- View Policies—Redirected to view your migrated policy rules in theSaaS SecurityData Asset Policiesto review and enable.
ClickView Policiesto continue to the next step. - Review and enable your migrated policy rules.
- After a successful policy rule migration, clickView Policiesor select.ManageConfigurationSaaS SecurityData SecurityPoliciesData Asset PoliciesIf you manually navigated to theSaaS SecurityData Asset Policies, you also need to apply theStatus: Disabledfilter.
- Click thePolicy Nameto review the traffic match criteria and verify it was successfully migrated.The Data Asset policy rule name is the same as the Symantec DLP policy rule XML file name you uploaded in the previous step. The following Data Asset policy rule settings are also automatically populated:
- Description—Original Symantec DLP policy rule honored during migration and applied to the new Data Asset policy rule to preserve any important information and descriptions about the policy rule.
- Data Profile—Data Pattern/Profilematch criteria is selected and theData Profilecreated during the migration that contains all the traffic match criteria is attached to the Data Asset policy rule.If you want to improveEnterprise DLPdetection capabilities and accuracy with advanced detection methods, you must recreate the data profile as an advanced data profile or create a nested data profile. In either case, you must reattach the new data profile to the Data Asset policy rule.
- Action—TheSaaS Securityequivalent of the Response Action from the Symantec DLP policy rule.
You can edit the migrated Data Asset policy rulePolicy Nameor make any other changes as needed from this page. ClickSaveif you made any changes orCancelif you reviewed the migrated policy rule match criteria and confirmed no changes are needed. - Expand theActioncolumn andEnablethe policy rule.
- Apply theStatus: Enabledfilter and order your policy rule as needed.Refer to the Recommendations for Security Policy Rules for more information on how to order your policy rules in your policy rulebase.
- Repeat this step for all migrated policy rules.