>
    Strata Copilot
    Modify a DLP Rule on Strata Cloud Manager
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Administration
    4. Configure Enterprise DLP
    5. Modify a DLP Rule on Strata Cloud Manager
    Download PDF
    Enterprise DLP

    Modify a DLP Rule on Strata Cloud Manager

    Table of Contents

    Modify a DLP Rule on Strata Cloud Manager

    Modify an Enterprise Data Loss Prevention (E-DLP) rule to enforce data security standards on Strata Cloud Manager.
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Browser
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    Configure a DLP rule to define the type of traffic to inspect, the impacted file types, action, and log severity for the data profile match criteria. Enterprise Data Loss Prevention (E-DLP) automatically creates a DLP rule when you create a new data profile. After you configure the data filtering profile, you must create a Profile Group containing the data filtering profile and attached it to a Security policy rule so the NGFW or Prisma Access tenant can enforce your data security standards.
    Enterprise DLP displays DLP rules only when you manage enforcement points from Strata Cloud Manager. Enterprise DLP doesn't display the DLP rules if you manage enforcement points from a Panorama® management server.

    Modify a DLP Rule on Strata Cloud Manager

    Configure the Enterprise Data Loss Prevention (E-DLP) DLP rule settings for a regular and nested data profile on Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Create a data profile.
    3. Select ConfigurationData Loss PreventionDLP Rules and in the Actions column, Edit the DLP rule.
      Enterprise DLP assigns the DLP rule an identical name as the data profile from which it was automatically created. You can't change this name.
    4. (Optional) Enter a Description for the DLP rule.
    5. Modify the DLP rule Match Criteria.
      • File Based
        1. Enable DLP rule match criteria for file-based traffic.
        2. (Prisma Access 5.1 and later) Select the File Scan Mode to explicitly include or exclude specific file types.
          A DLP rule supports only one type of file mode. You can't configure a DLP rule to both include and exclude specific file types.
          • IncludeEnterprise DLP only inspects the selected file types. The enforcement point ignores all other file types and does not forward them to Enterprise DLP for inspection and verdict rendering.
          • (PAN-OS 11.0 and later) Exclude—The enforcement point excludes the selected file types and does not send them Enterprise DLP for inspection and verdict rendering. The enforcement point forwards all other file types to Enterprise DLP but Enterprise DLP inspects and renders verdicts only on supported file types.
            Exclude mode is supported only on PAN-OS 11.0 and later releases. On PAN-OS 10.2, the enforcement point converts the File Scan Mode to all supported file types in Include mode.
        3. Specify one or more supported file types to include in the match criteria.
          Enterprise DLP includes all supported file types in the match criteria by default.
        4. Specify the File Direction (Upload, Download, or Both).
          The default file direction is Upload. File direction support is dependent on the app. Review the list of supported apps to learn which file directions Enterprise DLP supports.
      • Non-File Based
        1. Enable DLP rule match criteria for non-file based traffic.
        2. (Optional) Select the URL Category List Exclusions to exclude forwarding traffic from one or more specific URLs to Enterprise DLP.
          You can use a predefined URL category or create a custom URL category in the Global Configuration Scope. You can select multiple URL categories to exclude traffic from non-file inspection.
        3. (Required for Non-File Based Match Criteria) Select the Application List Exclusion to exclude forwarding traffic from one or more specific apps to Enterprise DLP.
          Enterprise DLP requires at least one Application Filter if you enable exclusions for non-file based traffic inspection. Palo Alto Networks recommends adding the predefined DLP App Exclusion application filter if you don't have a custom or predefined application filter you want to add. Alternatively, you can create a custom application filter in the Global Configuration Scope. You can select multiple application filters to exclude app traffic from non-file inspection.
    6. Configure the Action & Log settings.
      1. Select the Action (Alert, or Block) taken when Enterprise DLP detects sensitive data.
        The default action is Alert.
      2. Set the Log Severity when Enterprise DLP detects traffic that matches the DLP rule.
        The default severity is Low.
    7. (Best Practices for File Based Inspection) Create a File Blocking profile and create a Block Rule to block the file types you don't explicitly forward to Enterprise DLP.
      Palo Alto Networks recommends creating this File Blocking profile to ensure sensitive data can't be exfiltrated in file types Enterprise DLP does not support.
    8. Create a Shared Profile Group for the Enterprise DLP data filtering profile.
      1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesProfile Groups and Add Profile Group.
      2. Enter a descriptive Name for the Profile Group.
      3. (Best Practices for File Based Inspection) For the File Blocking Profile, select the File Blocking profile you created in the previous step.
      4. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
      5. Add any other additional profiles as needed.
      6. Save the profile group.
    9. Create a Security policy rule and attached the Profile Group.
      1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy and Add Rule.
        You can also update an existing Security policy to attach a Profile Group for Enterprise DLP filtering.
      2. Configure the Security policy as needed.
      3. Navigate to the Action and Advanced Inspection section, and select the Profile Group you created in the previous step.
      4. Save the Security policy.
    10. Push Config and push your configuration changes.

    Modify a DLP Rule on Strata Cloud Manager for a Granular Data Profile

    Modify a granular Enterprise Data Loss Prevention (E-DLP) data profile rule to enforce data security standards on Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Create a Granular Data Profile on Strata Cloud Manager.
    3. Select ConfigurationData Loss PreventionDLP Rules and in the Actions column, Edit the DLP rule.
      Enterprise DLP assigns the DLP rule an identical name as the data profile from which it was automatically created. You can't change this name.
    4. Define the Basic Information for the granular data profile.
      1. Select the File Mode to explicitly include or exclude specific file types from Enterprise DLP inspection.
        • IncludeEnterprise DLP only inspects the selected file types configured in the data profiles added to the granular data profile. The enforcement point ignores all other file types and does not send them Enterprise DLP for inspection and verdict rendering.
        • (PAN-OS 11.0 and later) Exclude—The enforcement point ignores the selected File Types and does not send them Enterprise DLP for inspection and verdict rendering. The enforcement point forwards all other file types to Enterprise DLP.
          Exclude mode is supported only on PAN-OS 11.0 and later releases. On PAN-OS 10.2, the enforcement point converts the File Scan Mode to all supported file types in Include mode.
      2. (Optional) Enter a Description for the DLP rule.
      3. Click Next to continue.
    5. Define the granular data profile Match Criteria.
      Define the match criteria for each data profile added to the granular data profile.
      1. Enable file inspection, non-file inspection, or both.
        Review the supported file types and apps that support file and non-file based traffic inspection.
        • File Based Match Criteria—Forwards file-based traffic to Enterprise DLP.
        • Non-File Based Match Criteria—Forwards non-file based traffic to Enterprise DLP.
      2. Select the File Direction you want to inspect.
        You can select Upload (default), Download, or Both.
      3. Select the Action Enterprise DLP takes if inspected traffic contains sensitive data.
        You can select Alert (default) or Block.
      4. Set the Log Severity for the DLP incident when Enterprise DLP detects sensitive data that matches this data profile.
        You can select Critical, High, Medium, Low, or Informational (default).
      5. (File Based Match Criteria only) Select the File Type you want to forward to Enterprise DLP. Click Modify to add one or more supported file types.
        Add at least one file type to forward to Enterprise DLP. Skip this step if you disabled File Based Match Criteria in the previous step.
      6. Click Next to continue.
    6. (Optional) Create an Exception Rule.
      Exception rules let you override the DLP rule action for specific users, groups, and destinations. The Policy Actions available in an exception rule depend on the action configured in the DLP rule:
      • Alert DLP rule—You can choose Allow to suppress alerts for the exempted users or groups, or leave it as Alert to continue generating alerts for them. Block is not available because the enforcement point already forwards traffic that matches an Alert DLP rule.
      • Block DLP rule—You can choose Allow to permit traffic for specific users or groups that the DLP rule would otherwise block, or choose Alert to generate an alert without blocking their traffic. For example, if you want to block 1,000 out of 10,000 users, configure the DLP rule to Block all traffic and add an exception rule with Allow for the 9,000 users you don't want to block.
      For example, you created a granular profile that includes the U.K POPCP, SOX, and Secrets and Credentials data profiles. However, you want to allow a specific user to upload files that match the Secrets and Credentials data profile to your corporate GitHub Copilot Business. Additionally, you want this traffic to generate an Informational DLP incident. In this case, you would add an exception rule with the following configuration:
      • Data ProfilesSecrets and Credentials
      • Source—Specific user traffic you want to allow
      • Destinationgithub-copilot-business
      • Policy ActionAlert
      • Log SeverityInformational
      1. Add Exception Rule.
      2. Remove any data profiles that you don't want traffic from the user or user group inspected against.
        Enterprise DLP supports only removing data profiles added to the granular profile, and does not support adding new data profiles.
      3. Select the traffic Source.
        User Groups and User data requires integration with Cloud Identity Engine (CIE) to display.
        • Any—Exception rule applies to all User Group or User traffic sources.
        • Select—Select one or more User Groups or Users to which the exception rule applies.
      4. Select the traffic Destination.
        Enterprise DLP supports writing exception rules for supported GenAI apps delivered through App-ID Cloud Engine (ACE).
        • Any—Exception rule applies to all app or URL destinations.
        • Select—Select one or more Applications, or add any URL to which the exception rule applies.
          • URL Exception Rule Using Ant-Style Pattern Matching
            Enterprise DLP supports Ant-style pattern matching URL exception rules. This approach uses wildcards to allow for flexible URL pattern matching rather than using full regular expressions.
            Ant-style pattern matching doesn't support regular expression features such as Anchors (^, $), Quantifiers (.*, +, {n,m}), and Character Classes ([a-z], \d).
            URLs must start with a scheme (https://, http://, ftp://, and so on) or a wildcard (* or **). Enterprise DLP rejects bare domains such as example.sharepoint.com/** because they lack a scheme and the rule won't trigger. To match a subdomain across all paths, use one of these two forms:
            • Explicit scheme: https://*example.sharepoint.com/**
            • Any scheme using a leading wildcard: **/*example.sharepoint.com/**
            • Single Wildcard (*)—Matches zero or more characters with in a single part of a URL.
            • Double Wildcard (**) as a standalone segment—Matches zero or more /-separated path segments (for example, example.com/**/file).
            • Double Wildcard (**) within a segment—Behaves identically to * and matches characters within a single path segment only (for example, **example.sharepoint.com).
            • Single Character (?)—Matches exactly one character.
            Sample
            Description
            Example Matches
            https://example.com/data/*
            Matches a single path segment directly under /data/ on example.com
            https://example.com/data/report
            https://example.com/data/image
            https://example.com/**/*.pdf
            Matches any PDF file anywhere under example.com, across multiple path segments.
            https://example.com/docs/file.pdf
            https://example.com/archive/2023/report.pdf
            https://example.com/users/?/profile
            Matches profiles for user IDs consisting of exactly one character.
            https://example.com/users/a/profile
            https://example.com/users/1/profile
            https://example.com/assets/**
            Matches all assets on example.com, including nested directories
            https://example.com/assets/css/style.css
            https://example.com/assets/images/logo.png
            **/login
            Matches any URL containing /login as the final path segment, regardless of scheme, domain, or preceding path depth.
            https://app.com/login
            https://secure.example.org/login
      5. Select the Policy Action for traffic that matches the exception rule.
        Available actions depend on the DLP rule action. If the DLP rule is Alert, you can choose Allow (suppress alerts) or Alert (continue alerting). If the DLP rule is Block, you can choose Allow (permit the traffic) or Alert (alert without blocking).
      6. Select the Log Severity of the DLP incident generated when traffic matches the exception rule.
      7. Add Exception Rule to add any additional exceptions as needed.
        A granular data profile supports multiple exception rules.
      8. Click Next to continue.
    7. Configure the URL Category and Application Exclusion lists.
      • (Optional) URL Category List —Exclude forwarding traffic from one or more specific URLs to Enterprise DLP.
        You can use a predefined URL category or create a custom URL category in the Global Configuration Scope. You can select multiple URL categories to exclude traffic from non-file inspection.
      • (Required for Non-File Based Match Criteria) Application List Exclusion—Exclude forwarding traffic from one or more specific apps to Enterprise DLP.
        Enterprise DLP requires at least one Application Filter if you enable exclusions for non-file based traffic inspection. Palo Alto Networks recommends adding the predefined DLP App Exclusion application filter if you don't have a custom or predefined application filter you want to add. Alternatively, you can create a custom application filter in the Global Configuration Scope. You can select multiple application filters to exclude app traffic from non-file inspection.
      Click Next to continue.
    8. Review the Summary of the granular data profile.
      Edit the Basic Information, Match Criteria, Exclusions or Exception Rules to modify the granular data profile configuration if needed.
      Save the granular data profile if you don’t need to make any further edits.
    9. (Best Practices for File Based Inspection) Create a File Blocking profile and create a Block Rule to block the file types you don't explicitly forward to Enterprise DLP.
      Palo Alto Networks recommends creating this File Blocking profile to ensure sensitive data can't be exfiltrated in file types Enterprise DLP does not support.
    10. Create a Shared Profile Group for the Enterprise DLP data filtering profile.
      1. Select ConfigurationSecurity ServicesProfile Groups and Add Profile Group.
      2. Enter a descriptive Name for the Profile Group.
      3. (Best Practices for File Based Inspection) For the File Blocking Profile, select the File Blocking profile you created in the previous step.
      4. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
      5. Add any other additional profiles as needed.
      6. Save the profile group.
    11. Create a Security policy rule and attached the Profile Group.
      1. Select ConfigurationSecurity Policy and Add Rule.
        You can also update an existing Security policy to attach a Profile Group for Enterprise DLP filtering.
      2. Configure the Security policy as needed.
      3. Navigate to the Action and Advanced Inspection section, and select the Profile Group you created in the previous step.
      4. Save the Security policy.
    12. Push Config and push your configuration changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.