Reasons for Inspection Failure
Focus
Focus
Enterprise DLP

Reasons for Inspection Failure

Table of Contents

Reasons for Inspection Failure

Review and understand the reasons why
Enterprise Data Loss Prevention (E-DLP)
was unable to scan traffic
Where Can I Use This?
What Do I Need?
  • NGFW (Panorama Managed)
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Cloud Managed)
  • Enterprise Data Loss Prevention (E-DLP)
    license
  • NGFW (Panorama Managed)
    —Support and
    Panorama
    device management licenses
  • Prisma Access (Managed by Strata Cloud Manager)
    Prisma Access
    license
  • SaaS Security
    SaaS Security
    license
  • NGFW (Cloud Managed)
    —Support and
    AIOps for NGFW Premium
    licenses
Or any of the following licenses that include the
Enterprise DLP
license
  • Prisma Access
    CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X)
    license
  • Data Security
    license
In some cases,
Enterprise Data Loss Prevention (E-DLP)
is unable to inspect and render a verdict on either file or non-file based traffic that match an
Enterprise DLP
data profile, and as a result no DLP incident is generated. However, a log is generated if
Enterprise DLP
is unable to inspect matched traffic.
  • Strata Cloud Manager
    —View the File log (
    Incident & Alerts
    Log Viewer
    )
    Apply a
    Sub Type = dlp
    or
    Sub Type = dlp-non-file
    filter to narrow down the list of file logs.
    If the
    Reason for Data Filtering Action
    column is not displayed, expand the menu for any displayed column to search for and check (enable)
    Reason for Data Filtering Action
    .
  • Panorama™ management server
    —View the Data Filtering log (
    Monitor
    Logs
    Data Filtering
    ).
    Apply a
    (subtype eq dlp)
    filter to narrow down the list of data filtering logs.
    If the
    Reason for Action
    column is not displayed, expand the menu for any displayed column and click
    Columns
    and check (enable)
    Reason for Action
    .
File logs display a
Reason for Data Filtering Action
and data filtering logs display a
Reason for Action
column describing what data filtering action was taken by your security endpoint. In this case, the reason why
Enterprise DLP
was unable to inspect the matched traffic is described. Review the list of reasons why
Enterprise DLP
was unable to inspect matched traffic.
Reason for Action
Description
Scan Skipped: File Size > Limit
Inspection skipped because the maximum file size limit was exceeded.
To avoid this in the future, you can increase the
Max File Size
.
Scan Skipped: Latency > Limit
Inspection skipped because the maximum latency limit was exceeded.
To avoid this in the future, you can increase the
Max Latency
Scan Skipped: Rate > Limit
Inspection skipped because the DLP cloud service received the maximum number of inspection requests.
Scan Skipped: Out of memory
Inspection skipped because the DLP cloud service memory usage was exceeded.
Scan Skipped: Profile not found
Inspection skipped because the matched data profile cannot be found.
Review your Security policy rules to ensure the associated data profile exists.
Scan Skipped: Scan req timeout
Inspection skipped because the inspection request timed out.
San ERR: Rule1 invalid action
Inspected traffic matched the Primary rule in the data profile, but the
Action
is invalid. The
Action
must be either
Block
or
Alert
.
Scan ERR: Rule2 invalid action
Inspected traffic matched the Secondary rule in the data profile, but the
Action
is invalid. The
Action
must be either
Block
or
Alert
.
FW Skipped: Resource Limit
DLP cloud service was unable to inspection traffic due to an error when forwarding traffic. This can occur when the firewall memory usage reaches 100%.
FW Skipped: Fail to Start
Firewall was unable to forward logs to the DLP cloud service for inspection because the session between the firewall and DLP cloud service could be initialized. This can occur when the firewall memory usage reaches 80% or higher.
FW Skipped: Transmit Pkts
Firewall encountered an error when forwarding packets or finishing the forwarding operation to the DLP cloud service. This can occur when the firewall memory usage reaches 100%.
Internal Errors
Generic error due to an internal error. Requires troubleshooting by Palo Alto Networks Support to understand the cause of the error that prevent traffic inspection by the DLP cloud service.

Recommended For You