Modify a DLP Rule on Strata Cloud Manager

1. Log in to Strata Cloud Manager.
2. Create a data profile.
3. Select ConfigurationData Loss PreventionDLP Rules and in the Actions column, Edit the DLP rule.

   Enterprise DLP assigns the DLP rule an identical name as the data profile from which it was automatically created. You can't change this name.
4. (Optional) Enter a Description for the DLP rule.
5. Modify the DLP rule Match Criteria.

   • File Based
     1. Enable DLP rule match criteria for file-based traffic.
     2. (Prisma Access 5.1 and later) Select the File Scan Mode to explicitly include or exclude specific file types.
        A DLP rule supports only one type of file mode. You can't configure a DLP rule to both include and exclude specific file types.
        • Include—Enterprise DLP only inspects the selected file types. The enforcement point ignores all other file types and does not forward them to Enterprise DLP for inspection and verdict rendering.
        • (PAN-OS 11.0 and later) Exclude—The enforcement point excludes the selected file types and does not send them Enterprise DLP for inspection and verdict rendering. The enforcement point forwards all other file types to Enterprise DLP but Enterprise DLP inspects and renders verdicts only on supported file types.
          Exclude mode is supported only on PAN-OS 11.0 and later releases. On PAN-OS 10.2, the enforcement point converts the File Scan Mode to all supported file types in Include mode.
     3. Specify one or more supported file types to include in the match criteria.
        Enterprise DLP includes all supported file types in the match criteria by default.
     4. Specify the File Direction (Upload, Download, or Both).
        The default file direction is Upload. File direction support is dependent on the app. Review the list of supported apps to learn which file directions Enterprise DLP supports.

   • Non-File Based
     1. Enable DLP rule match criteria for non-file based traffic.
     2. (Optional) Select the URL Category List Exclusions to exclude forwarding traffic from one or more specific URLs to Enterprise DLP.
        You can use a predefined URL category or create a custom URL category in the Global Configuration Scope. You can select multiple URL categories to exclude traffic from non-file inspection.
     3. (Required for Non-File Based Match Criteria) Select the Application List Exclusion to exclude forwarding traffic from one or more specific apps to Enterprise DLP.
        Enterprise DLP requires at least one Application Filter if you enable exclusions for non-file based traffic inspection. Palo Alto Networks recommends adding the predefined DLP App Exclusion application filter if you don't have a custom or predefined application filter you want to add. Alternatively, you can create a custom application filter in the Global Configuration Scope. You can select multiple application filters to exclude app traffic from non-file inspection.

6. Configure the Action & Log settings.

   1. Select the Action (Alert, or Block) taken when Enterprise DLP detects sensitive data.

      The default action is Alert.
   2. Set the Log Severity when Enterprise DLP detects traffic that matches the DLP rule.

      The default severity is Low.
7. (Best Practices for File Based Inspection) Create a File Blocking profile and create a Block Rule to block the file types you don't explicitly forward to Enterprise DLP.

   Palo Alto Networks recommends creating this File Blocking profile to ensure sensitive data can't be exfiltrated in file types Enterprise DLP does not support.
8. Create a Shared Profile Group for the Enterprise DLP data filtering profile.

   1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesProfile Groups and Add Profile Group.
   2. Enter a descriptive Name for the Profile Group.
   3. (Best Practices for File Based Inspection) For the File Blocking Profile, select the File Blocking profile you created in the previous step.
   4. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
   5. Add any other additional profiles as needed.
   6. Save the profile group.
9. Create a Security policy rule and attached the Profile Group.

   1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy and Add Rule.

      You can also update an existing Security policy to attach a Profile Group for Enterprise DLP filtering.
   2. Configure the Security policy as needed.
   3. Navigate to the Action and Advanced Inspection section, and select the Profile Group you created in the previous step.
   4. Save the Security policy.
10. Push Config and push your configuration changes.