Focus

Enterprise DLP

Edit the Enterprise DLP Data Filtering Settings

Table of Contents

Edit the Cloud Content Settings

Edit the Enterprise DLP Snippet Settings

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings to specify the actions the firewall using Enterprise DLP takes if the data filtering settings are exceeded.

Where Can I Use This?	What Do I Need?
NGFW (Managed by Panorama or Strata Cloud Manager) Prisma Access (Managed by Panorama or Strata Cloud Manager)	Enterprise Data Loss Prevention (E-DLP) license Review the Supported Platforms for details on the required license for each enforcement point. (`Email DLP only`) Data Security and Email DLP licenses (`Endpoint DLP only`) Endpoint DLP license Or any of the following licenses that include the Enterprise DLP license Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license Data Security license

Edit and apply Enterprise Data Loss Prevention (E-DLP) data filtering settings. These network settings are determine the networking and file size parameters for files scanned by the DLP cloud service and specify the actions Enterprise DLP takes when these parameters are exceeded.

(NGFW and Prisma Access managed by Panorama) If you want to enable non-file inspection for your NGFW and Prisma Access tenants you must enable the setting from Panorama. For NGFW and Prisma Access managed by Panorama, enabling non-file inspection from Strata Cloud Manager is not supported and causes Panorama commits to fail.

Strata Cloud Manager
Panorama
Email DLP
Endpoint DLP

Edit the Enterprise DLP Data Filtering Settings on Strata Cloud Manager

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Prisma Access (Managed by Strata Cloud Manager) and NGFW (Managed by Strata Cloud Manager).

Log in to Strata Cloud Manager.
Select ManageConfigurationData Loss PreventionSettingsData Transfer and edit the Data Transfer settings.
Edit the File Based Settings.
1. Specify the File Movement Max Latency (sec) for a file forward before an action is taken by Enterprise DLP.
  
  For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
2. Specify the Action When Max Latency is Reached (Allow or Block) Enterprise DLP takes if no verdict was received for a file forward due to the file forward time exceeding the configured Max Latency.
  
  Selecting Block applies only to DLP rules configured to block files. This setting does not impact Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
3. Specify the Scan Limit Max File Size for Alert (MB) to enforce the maximum file size for file forwarded to Enterprise DLP when a DLP rules is configured to Alert.
4. Specify the Scan Limit Max File Size for Block (MB) to enforce the maximum file size for files forwarded to Enterprise DLP for inspection.
5. Specify the Action on Max File Size (Allow or Block) Enterprise DLP takes if no verdict was received for a file forward due to the file size being larger than the configured Max File Size.
  
  Selecting Block applies only to DLP rules configured to block files. This setting does not impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
6. Check (enable) Log Files Not Scanned to generate an alert in the DLP incident when Enterprise DLP can't scan a forwarded file.
7. Specify the Action When Scanning Error Occurred (Alert or Block) the NGFW or Prisma Access tenant takes when any kind of error occurs that prevents Enterprise DLP from inspecting a forwarded file and rendering a verdict.
8. Save.
Edit the Non-File Based Settings.
1. Enable non-file based DLP.
  
  Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for collaboration apps, web forms, cloud and SaaS apps, and social media on your network.
2. Specify the Max Latency (sec) to configure the allowable time for a non-file data forwards to determine the allowable time before the NGFW or Prisma Access tenant take the configured Action on Max Latency.
3. Specify the Action on Max Latency (Allow or Block) NGFW or Prisma Access tenant takes if it did not receive a verdict from Enterprise DLP due to the forward time exceeding the configured Max Latency.
  
  Selecting Block applies only to DLP rules configured to block non-file data. This setting does not impact Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
4. Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned by Enterprise DLP. By default, Enterprise DLP supports a minimum non-file traffic data size of 250 bytes.
5. Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be scanned by Enterprise DLP.
6. Specify the Action on Data Size (Allow or Block) NGFW or Prisma Access tenant takes if it did not receive a verdict from Enterprise DLP for a non-file traffic due to the traffic data size being larger than the Max Data Size.
  
  Selecting Block applies only to DLP rules configured to block non-file data. This setting does not impact Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
7. Check (enable) Log Data Not Scanned to generate an alert in the DLP incident when Enterprise DLP can't scan non-file traffic.
8. Save.
In the DLP Settings, configure the Action on any Error to specify the action the NGFW or Prisma Access tenant takes when any kind of error occurs that prevents Enterprise DLP from inspecting forwarded file or non-file traffic and rendering a verdict.

Select Allow to allow the file or non-file traffic to continue to the intended destination when Enterprise DLP encounters an error or select Block to block the file or non-file traffic. This includes when the NGFW or Prisma Access tenant encounter file or non-file traffic smaller than the configured Min Data Size (B) (non-file), and the Action on Max File Size (file) and Max Data Size (KB) (non-file).

Save.
Push your DLP rule.
1. Push Config and Push.
2. Select (enable) Remote Networks and Mobile Users.
3. Push.

Edit the Enterprise DLP Data Filtering Settings on Panorama

Edit the data filtering settings to specify the actions the NGFW or Prisma Access tenant takes on traffic scanned to the DLP cloud service.

Log in to the Panorama web interface.
Select DeviceSetupDLP and select the Template associated with the NGFW or Prisma Access tenant using Enterprise DLP.
Edit the Data Filtering Settings.
1. Specify the Max Latency (sec) for a file upload before an action is taken by the NGFW or Prisma Access tenant.
  
  For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
2. Specify the Action on Max Latency (Block or Allow) the NGFW or Prisma Access tenant takes if no verdict was received for a file upload due to the upload time exceeding the Max Latency.
  
  Selecting Block applies only to data profiles configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
3. Specify the Max File Size (MB) to enforce a maximum file size for files uploaded to the DLP cloud service for inspection.
4. Specify the Action on Max File Size (Block or Allow) the NGFW or Prisma Access tenant takes if no verdict was received for a file upload due to the file size being larger than the configured Max File Size.
  Selecting Block applies only to data profiles configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
  
  (DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering settings to 21 MB or greater when Panorama has the Enterprise DLP 3.0.3 plugin installed is supported only from the Panorama CLI.
  admin>configure
  Code copied to clipboard
  
  Unable to copy due to lack of browser support.
  
  admin#set template <template_name> config shared dlp-settings max-file-size <1 - 100>
  Code copied to clipboard
  
  Unable to copy due to lack of browser support.
5. Check (enable) Log Files Not Scanned to generate an alert in the data filtering log when a file can’t be scanned to the DLP cloud service.
6. Click OK to save your configuration changes.
Edit the Non-File Data Filtering Settings.
1. Verify that Enable Non File DLP is checked (enabled).
  Non-File DLP is enabled by default when you install Panorama plugin for Enterprise DLP 3.0.1.
2. Specify the Max Latency (sec) to configure the allowable time for non-file data uploads to determine the allowable time before an action is taken by the NGFW or Prisma Access tenant.
3. Specify the Action on Max Latency (Allow or Block) the NGFW or Prisma Access tenant takes if no verdict was received for a non-file traffic data upload due to the upload time exceeding the configured Max Latency.
  
  Selecting Block applies only to data profiles configured to block non-file data. This setting doesn’t impact Enterprise DLP filtering profiles configured to alert when traffic containing sensitive data is scanned.
4. Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned by Enterprise DLP.
5. Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be scanned by Enterprise DLP.
6. Specify the Action on Data File Size (Allow or Block) the NGFW or Prisma Access tenant takes if no verdict was received for a non-file traffic data upload due to the traffic data size being larger than the configured Max Data Size.
  
  Selecting Block applies only to data profiles configured to block non-file data. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
7. Check (enable) Log Data Not Scanned to generate an alert in the data filtering log when non-file data can’t be scanned by the DLP cloud service.
8. Click OK to save your configuration changes.
Specify the Action on any Error the NGFW or Prisma Access tenant takes when any kind of error occurs that prevents Enterprise DLP from inspecting forwarded file or non-file traffic and rendering a verdict.
This includes when the NGFW or Prisma Access tenant encounter file or non-file traffic smaller than the configured Min Data Size (B) (non-file), and the Action on Max File Size (file) and Max Data Size (KB) (non-file).
- Select Allow (default) to continue if the NGFW or Prisma Access tenant experiences any type of error.
- Select Block to stop uploading if the NGFW or Prisma Access tenant experiences any type of error.
Click OK to continue.
Commit and push the new configuration to your NGFW or Prisma Access tenant.
The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and NGFW or Prisma Access tenant in the Push Scope Selection.
- Full configuration push from Panorama
  Select CommitCommit to Panorama and Commit.
  Select CommitPush to Devices and Edit Selections.
  Select Device Groups and Include Device and Network Templates.
  Click OK.
  Push your configuration changes to your NGFW or Prisma Access tenant that are using Enterprise DLP.
- Partial configuration push from Panorama
  You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
  For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to NGFW or Prisma Access tenant. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
  
  Select CommitCommit to Panorama.
  Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
  In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
  Click OK to continue.
  
  Commit.
  Select CommitPush to Devices.
  Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
  In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
  Click OK to continue.
  
  Select Device Groups and Include Device and Network Templates.
  Click OK.
  Push your configuration changes to your NGFW or Prisma Access tenant that using Enterprise DLP.

Edit the Enterprise DLP Data Filtering Settings for Email DLP

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Email DLP on Strata Cloud Manager.

Log in to Strata Cloud Manager.
Select ManageConfigurationSaaS SecuritySettingsEmail DLP Settings.
Edit the Policy Evaluation Timeout to configure what Enterprise DLP does when Email DLP policy evaluation exceeds the configured timeout.
- Maximum Timeout—Maximum time allowed for Enterprise DLP to inspect an outbound email. Minimum timeout is 1 minute. Maximum timeout is 5 minutes.
- Action on Max Timeout—The action Enterprise DLP takes if the maximum timeout is exceeded. The possible actions are the same as those you configure in the Email DLP policy rule Response. Default is Monitor.
Save Settings.

Edit the Enterprise DLP Data Filtering Settings for Endpoint DLP

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Endpoint DLP on Strata Cloud Manager.

You can customize the data filtering settings for your USB, printer, and Network Share peripheral devices independently of one another.

Log in to Strata Cloud Manager.
Select ManageConfigurationData Loss PreventionSettingsData Transfer to edit the data filtering settings.
Edit the File Based Settings for Endpoint DLP.

You can configure the data filtering settings for each type of peripheral device (USB Devices, Printers, and Network Shares) independently of one another.
1. Verify that the correct Endpoint DLP Data Scan Region is selected.
  
  By default, the Nearest Data Scan Region is selected and automatically resolves to the region closest to your Enterprise DLP tenant. You can select a specific region to ensure you meet any data residency requirements if required.
  
  For example, your Endpoint DLP administrator sets the Data Scan Region to America instead of Nearest Data Scan Region. Your US based worker travels to Europe with their protected endpoint and generates a DLP Incident. In this case, the traffic is forwarded to an Enterprise DLP cloud service tenant in the US for inspection and verdict rendering even though the endpoint was in Europe when the incident was generated. Additionally the DLP Incident displays under the US Region when filtering your incidents.
  
  The data filtering settings are shared across all data scan regions. You cannot configure unique data filtering settings for each data scan region. Changing the data filtering settings for one data scan region changes it for all other supported data scan regions.
2. Specify the File Movement Max Latency (Sec) for a file upload to a peripheral device before an action is taken by Enterprise DLP.
  
  For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
3. Specify the Action When Max Latency is Reached (Alert or Block) Enterprise DLP takes if no verdict was received for a file upload to a peripheral device due to the upload time exceeding the configured Max Latency.
  
  Selecting Alert allows the file upload to the peripheral device but generates a DLP Incident.
  
  Selecting Block blocks the file upload to the peripheral device and generates a DLP incident.
4. Specify the Scan Limit Max File Size for Block (MB) to enforce the maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Block.
5. Specify the Scan Limit Max File Size for Alert (MB) to enforce the maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Alert.
6. Specify the Scan Limit Action on Max File Size (Alert or Block) Enterprise DLP takes if no verdict was received for a file upload due to the file size being larger than the configured Max File Size.
  
  Selecting Block applies only to DLP rules configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
7. Specify the Action When File Size Exceeds Max Limit (Alert or Block) Enterprise DLP takes if an inspected file exceeds the maximum alert or block file size limit configured in the previous steps.
8. Check (enable) Log Files Not Scanned to generate an alert in the DLP incident when a file can’t be scanned to the DLP cloud service.
9. Specify the Action When Scanning Error Occurred (Alert or Block) when any kind of error occurs that prevents Enterprise DLP from inspecting a file upload to a peripheral device and rendering a verdict.
10. Specify the Action When Endpoint is Offline (Alert or Block) Enterprise DLP takes if the peripheral device is offline and cannot forward traffic for inspection.
11. Save.
Push your new Endpoint DLP data filtering settings to the Prisma Access Agent.
1. Select Endpoint DLP PolicyPush Policies and Push Policies.
2. (Optional) Enter a Description for the Endpoint DLP policy push.
3. Review the Push Policies scope to understand the changes included the Endpoint DLP configuration push.
4. Push.

Edit the Cloud Content Settings

Edit the Enterprise DLP Snippet Settings

© 2025 Palo Alto Networks, Inc. All rights reserved.