>
    Enterprise DLP Migrator
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Enterprise DLP Administration
    4. Configure Enterprise DLP
    5. Enterprise DLP Migrator
    Download PDF
    Enterprise DLP

    Enterprise DLP Migrator

    Table of Contents

    Enterprise DLP
     Migrator

    Migrate your existing data loss prevention policy rules from your old data loss prevention service provider to
    Enterprise Data Loss Prevention (E-DLP)
    .
    Where Can I Use This?
    What Do I Need?
    • SaaS Security
    • One or more Symantec DLP 16.0 policy rules
    • Enterprise Data Loss Prevention (E-DLP)
       license
    • SaaS Security
       license
    Or the following license that includes the
    Enterprise DLP
     license
    • Data Security
       license
    Use the
    Enterprise Data Loss Prevention (E-DLP)
     Migrator to migrate your Symantec DLP policy rules and convert them into
    SaaS Security
     Data Asset policy rules. This allows you to quickly transition to Palo Alto Networks
    Enterprise DLP
     without the need to manually recreate all your Data Asset policy rules designed to prevent exfiltration of sensitive data.
    To migrate your existing Symantec DLP policy rules, you simply need to export them from Symantec DLP and import them into the
    Enterprise DLP
     migration tool. The imported Security policy rules are then evaluated to verify that they are compatible with
    Enterprise DLP
     and
    SaaS Security
    . When a Symantec DLP policy rule is successfully migrated to
    Enterprise DLP
    , a data pattern and a classic data profile with names identical to the migrated policy rule are automatically created as part of the migration to capture the traffic match criteria.
    If
    Enterprise DLP
     detects an incompatible Security policy rule traffic match criteria, you can choose to delete the incompatible match criteria from the Symantec DLP policy rule before the migration begins or choose to exclude that specific Symantec DLP policy from migration. A successfully migrated Symantec DLP policy rule is added as a
    Disabled
    SaaS Security
     Data Asset policy rule. You can then review the Data Asset policy rule, make changes if needed, and enable the policy rule.
    Enterprise DLP
     supports migration of Symantec DLP policy rules in
    .xml
     format and must be configured with one or more of the following match criteria:
    • Regular expressions
      —A customized expression that defines a specific text pattern to inspect for and block.
    • Keywords
      —Specific words specified to improve detection accuracy and reduce false positives. Referred to as Proximity Keywords in Palo Alto Networks
      Enterprise DLP
      .
    • Data Identifiers
      —The data match criteria added to a Symantec DLP policy rule Referred to as a data pattern in Palo Alto Networks
      Enterprise DLP
      .
    • Response Action
      —Only one Response Action is supported per Symantec DLP policy rule. If
      Enterprise DLP
       detects a Symantec DLP policy rule with more than one Response Action then the Response Action with the highest priority is applied.
      The priority list of Symantec DLP Response Actions is:
      1. Quarantine
      2. Remove Collaboration Action and Remove Collaboration Link
        In
        SaaS Security
        , the Change Sharing
        Action
         in a Data Asset policy rule allows you to remove collaborators and links using one Data Asset policy rule.
      3. Notify Owner
    1. Export your existing Symantec DLP policy rules in
      .xml
       format.
    2. Log in to
      Strata Cloud Manager
      .
    3. Select
      Manage
      Configuration
      SaaS Security
      Settings
      All Settings
      DLP Migration Assistant
      .
    4. Upload the Symantec DLP policy rules to the
      Enterprise DLP
       Migrator.
      1. Enter a descriptive
        Migration Name
         for the Symantec DLP policy rule migration.
      2. In the
        Upload XML Files
         section, drag and drop the Symantec DLP policy rules files in
        .xml
         format.
    5. Import
       the XML files you uploaded to the
      Enterprise DLP
       Migrator.
      Enterprise DLP
       begins to import and analyze your uploaded policy rules to verify compatibility. Continue to the next step once the import status reaches
      100%
      .
    6. Review your uploaded policy rules.
      Enterprise DLP
       lists the number of compatible, partially compatible, and incompatible policy rules from the total number of policy rules uploaded in the previous step.
      • Compatible
        —Policy rule is compatible with
        Enterprise DLP
         and is ready for migration. No further review is needed to prepare the policy rule for migration to
        Enterprise DLP
        .
      • Partially Compatible
        —Policy rule contains one or more traffic match criteria that are incompatible with
        Enterprise DLP
        . Review and delete the incompatible traffic match conditions before you can migrate the policy rule to
        Enterprise DLP
        .
      • Incompatible
        —All traffic match criteria in the policy rule are incompatible with
        Enterprise DLP
        . The Symantec DLP policy rule can't be migrated to
        Enterprise DLP
        .
      The
      Notes
       column displays the specific issue causing the traffic match incompatibility with
      Enterprise DLP
      .
    7. Review and address your
      Partially Compatible
       policy rules.
      Skip this step if you want to only migrate
      Compatible
       rules and don't want to migrate any
      Partially Compatible
       policy rules.
      You can also select multiple
      Partially Compatible
       policy rules to review. If you select multiple policy rules, you must switch between them to address each policy rule individually.
      Enterprise DLP
       Migrator does not support turning an
      Incompatible
       policy rule into a
      Compatible
       policy rule.
      Below is an example of
      Partially Compatible
       Symantec DLP policy rules that need to be reviewed before they can be migrated to
      Enterprise DLP
      .
      1. Select one or more
        Partially Compatible
         policy rules you want to review.
      2. Review Selected
        .
      3. Select the
        Incompatible
         traffic match criteria and
        Delete
        .
        When prompted, confirm you want to
        Delete
         the selected incompatible traffic match criteria.
        If you selected multiple policy rules, use the navigation arrows in the top-right corner of the
        Review Policy
         page and repeat this step until all incompatible traffic match criteria is deleted.
        After you delete all incompatible traffic match criteria from the selected
        Partially Compatible
         policy rules, click the
        X
         in the top-right corner to continue migration to
        Enterprise DLP
        .
      4. The policy rules now show that they are
        Compatible
         and
        Ready to Migrate
        .
    8. Migrate one or more policy rules to
      Enterprise DLP
      .
      1. In the
        Review Policies
         page, select one or more policy rules and
        Migrate to PANW
        .
      2. A verification window is displayed detailing the number of
        Compatible
         policy rules are selected for migration.
        Additionally, you can specify whether these policy rules are automatically
        Enabled
         after successful migration. By default, all migrated policy rules are
        Disabled
        .
      3. Migrate
         the selected policy rules.
      4. A progress bar is displayed detailing the current policy rule migration status.
    9. Your policy rules are now successfully migrated to
      Enterprise DLP
      .
      A summary of the migration operation is displayed. Additionally, you can:
      • Export PDF
        —Export a PDF file of the policy rules you migrated to
        Enterprise DLP
        . This PDF is downloaded to your local device.
      • Migration History
        —Redirected to the view the history of all previous successful policy rule migrations.
      • View Policies
        —Redirected to view your migrated policy rules in the
        SaaS Security
        Data Asset Policies
         to review and enable.
      Click
      View Policies
       to continue to the next step.
    10. Review and enable your migrated policy rules.
      1. After a successful policy rule migration, click
        View Policies
         or select
        Manage
        Configuration
        SaaS Security
        Data Security
        Policies
        Data Asset Policies
        .
        If you manually navigated to the
        SaaS Security
        Data Asset Policies
        , you also need to apply the
        Status: Disabled
         filter.
      2. Click the
        Policy Name
         to review the traffic match criteria and verify it was successfully migrated.
        The Data Asset policy rule name is the same as the Symantec DLP policy rule XML file name you uploaded in the previous step. The following Data Asset policy rule settings are also automatically populated:
        • Description
          —Original Symantec DLP policy rule honored during migration and applied to the new Data Asset policy rule to preserve any important information and descriptions about the policy rule.
        • Data Profile
          Data Pattern/Profile
           match criteria is selected and the
          Data Profile
           created during the migration that contains all the traffic match criteria is attached to the Data Asset policy rule.
          Classic data profiles support predefined, custom, and file property data patterns only.
          If you want to improve
          Enterprise DLP
           detection capabilities and accuracy with advanced detection methods, you must recreate the data profile as an advanced data profile or create a nested data profile. In either case, you must reattach the new data profile to the Data Asset policy rule.
        • Action
          —The
          SaaS Security
           equivalent of the Response Action from the Symantec DLP policy rule.
        You can edit the migrated Data Asset policy rule
        Policy Name
         or make any other changes as needed from this page. Click
        Save
         if you made any changes or
        Cancel
         if you reviewed the migrated policy rule match criteria and confirmed no changes are needed.
      3. Expand the
        Action
         column and
        Enable
         the policy rule.
      4. Apply the
        Status: Enabled
         filter and order your policy rule as needed.
        Refer to the Recommendations for Security Policy Rules for more information on how to order your policy rules in your policy rulebase.
      5. Repeat this step for all migrated policy rules.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.