Create an S3 storage bucket on AWS to store files that match your Enterprise Data Loss Prevention (E-DLP) data profiles.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally. You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
- NGFW (Managed by Panorama or Strata Cloud Manager)
- Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
- Enterprise Data Loss Prevention (E-DLP) license. Review the Supported Platforms for details on the required license for each enforcement point.
- Or any of the following licenses that include the Enterprise DLP license:
  - Prisma Access CASB license
  - Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  - Data Security license
Amazon Web Services (AWS) users can configure an S3 storage bucket so that Enterprise Data Loss Prevention (E-DLP) automatically uploads every file that matches an Enterprise DLP data profile. To store the files scanned by Enterprise DLP, you must create an S3 storage bucket and an Identity and Access Management (IAM) role that allows Enterprise DLP to write files to the bucket automatically. Palo Alto Networks provides the JSON documents containing the required policy permissions for creating the IAM role. Files uploaded to your S3 storage bucket are automatically named using a unique Report ID for each file; the Report ID is used to search for and download specific files for more in-depth investigation.
In case of connection issues, Enterprise DLP automatically sends email alerts to the data security administrator who originally connected Enterprise DLP to the S3 storage bucket and to the data security administrator who last modified the storage bucket settings. Enterprise DLP sends the email alert every 48 hours until you restore the connection between Enterprise DLP and the storage bucket.
Files scanned while Enterprise DLP is disconnected from your storage bucket can't be stored and are lost, so the impacted files are not available for download. However, your data security administrator can still view all snippet data associated with the DLP incident. Enterprise DLP automatically resumes forwarding files to your storage bucket after you restore the connection.
1. Select Configuration > Data Loss Prevention > Settings > Sensitive Data.
2. In Evidence Storage, select Configure Bucket > AWS as the Public Storage Bucket.
3. In Instructions - AWS, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.
   The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.
   Leave the Configure Bucket for Evidence Storage display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
4. Create the IAM role for the S3 storage bucket.
   This role is required to allow the DLP cloud service to write to the S3 storage bucket.
5. Select Configuration > Security Services > Data Loss Prevention > Settings > Sensitive Data and select AWS as the Public Cloud Storage Bucket.
   Access to evidence storage settings and files on Strata Cloud Manager is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges. This ensures that only the appropriate users have access to report data and evidence.
6. Select Input Bucket Details.
7. Enter the S3 Bucket Name of the bucket you created.
   The name you enter in Strata Cloud Manager must match the name of the S3 storage bucket on AWS.
8. Enter the Role ARN for the IAM role you created.
   The IAM role ARN can be found in the IAM role Permissions; the role ARN is displayed in the Summary.
9. Select the AWS Region where the bucket is located.
10. Select Connect to verify the connection status of your S3 storage bucket.
11. Select Save if Enterprise DLP can successfully connect to your bucket. A Palo_Alto_Networks_DLP_Connection_Test.txt file is uploaded to your storage bucket by the DLP cloud service to verify connectivity.
    If Enterprise DLP can't successfully connect to your bucket, select Previous and edit the bucket connection settings.
12. Enable Sensitive Files for your enforcement points.
    You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint DLP. Enable evidence storage when prompted to confirm.
Set up Evidence Storage on Strata Cloud Manager Using AWS KMS
Create an S3 storage bucket on AWS using the AWS Key Management Service (KMS) to store files that match your Enterprise Data Loss Prevention (E-DLP) data profiles on Strata Cloud Manager.
Review the setup prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.
Create an S3 storage bucket on AWS (the Public Cloud Storage Bucket) to store files scanned by the Enterprise DLP cloud service.
1. Select Configuration > Data Loss Prevention > Settings > Sensitive Data.
2. In Evidence Storage, select Configure Bucket > AWS as the Public Storage Bucket.
3. Toggle KMS Enabled to use an S3 storage bucket encrypted with AWS KMS.
4. In Instructions - AWS, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.
   The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.
   Leave the Configure Bucket for Evidence Storage display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
5. Create the IAM role for the S3 storage bucket.
   This role is required to allow the DLP cloud service to write to the S3 storage bucket.
6. Select Configuration > Security Services > Data Loss Prevention > Settings > Sensitive Data and select AWS as the Public Cloud Storage Bucket.
   Access to evidence storage settings and files on Strata Cloud Manager is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges. This ensures that only the appropriate users have access to report data and evidence.
7. Select Input Bucket Details.
8. Enter the S3 Bucket Name of the bucket you created.
   The name you enter in Strata Cloud Manager must match the name of the S3 storage bucket on AWS.
9. Enter the Role ARN for the IAM role you created.
   The IAM role ARN can be found in the IAM role Permissions; the role ARN is displayed in the Summary.
10. Select the AWS Region where the bucket is located.
11. Select Connect to verify the connection status of your S3 storage bucket.
12. Select Save if Enterprise DLP can successfully connect to your bucket. A Palo_Alto_Networks_DLP_Connection_Test.txt file is uploaded to your storage bucket by the DLP cloud service to verify connectivity.
    If Enterprise DLP can't successfully connect to your bucket, select Previous and edit the bucket connection settings.
13. Enable Sensitive Files for your enforcement points.
    You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint DLP. Enable evidence storage when prompted to confirm.
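A pre-flight check for the IAM role and bucket settings used in both procedures above (with and without KMS), added here as example code that is not part of the Palo Alto Networks documentation. The trust relationship and access policy JSON, the account IDs and the bucket name are constructed placeholders; the real documents come from the Instructions - AWS display. The kms_key_arn handling assumes the general AWS rule that a principal writing to an SSE-KMS bucket needs kms:GenerateDataKey on that key.

```python
import json
import re

# Constructed sample of the two policy documents Strata Cloud Manager
# provides; account id 111111111111 and the bucket name are placeholders.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]})
ACCESS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-dlp-evidence",
                 "arn:aws:s3:::example-dlp-evidence/*"]}]})

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def check_evidence_storage(bucket_name, role_arn, trust_json, access_json,
                           kms_key_arn=None):
    """Return findings; an empty list means the settings are consistent."""
    findings = []
    if not ROLE_ARN_RE.match(role_arn):
        findings.append("Role ARN is not an IAM role ARN")
    for st in json.loads(trust_json)["Statement"]:
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append("trust policy lets any AWS principal assume the role")
        if _as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust policy action is not limited to sts:AssumeRole")
    bucket_arn = f"arn:aws:s3:::{bucket_name}"  # must match the SCM bucket name
    allowed = {bucket_arn}
    if kms_key_arn:
        allowed.add(kms_key_arn)  # SSE-KMS writes also need the key itself
    kms_ok = kms_key_arn is None
    for st in (s for s in json.loads(access_json)["Statement"]
               if s.get("Effect") == "Allow"):
        actions = _as_list(st.get("Action"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append("access policy grants wildcard S3 actions")
        if "kms:GenerateDataKey" in actions:
            kms_ok = True
        for res in _as_list(st.get("Resource")):
            if res not in allowed and not res.startswith(bucket_arn + "/"):
                findings.append(f"resource {res} is not bucket {bucket_name}")
    if not kms_ok:
        findings.append("KMS enabled but access policy lacks kms:GenerateDataKey")
    return findings
```

Run the check against the real documents before creating the role; a non-empty result means the bucket name, role ARN or policy scope will not line up with what Strata Cloud Manager expects.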