Save Evidence for Investigative Analysis with Enterprise DLP
Create a storage bucket to store and download files that match your Enterprise Data Loss Prevention (E-DLP) data profiles.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP
addresses to improve performance and expand availability for these services
globally.
You must allow these new service IP addresses on your network
to avoid disruptions for these services. Review the Enterprise DLPRelease Notes for more
information.
Where Can I Use This?
What Do I Need?
NGFW (Managed by Panorama or Strata Cloud Manager)
Prisma Access (Managed by Panorama or Strata Cloud Manager)
Enterprise Data Loss Prevention (E-DLP) license
Review the Supported
Platforms for details on the required license
for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
Prisma Access CASB license
Next-Generation
CASB for Prisma Access and NGFW (CASB-X) license
Data Security license
Connect an AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise Data Loss Prevention (E-DLP) to automatically store evidence of traffic
scanned by the Enterprise DLP that match your Enterprise DLP data
profiles. After evidence is successfully stored, you can download a file of
the matched traffic for further investigation. Enterprise DLP supports
setting up and connecting only one storage bucket to automatically store
evidence of scanned traffic. You can't set up and connect multiple storage
buckets to Enterprise DLP.
Enterprise DLP supports evidence storage for file based traffic, non-file
based traffic, and Email DLP.
