Enterprise DLP
Enterprise DLP Plugin
Table of Contents
Enterprise DLP Plugin
Install or uninstall the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
To use Enterprise Data Loss Prevention (E-DLP), you must first install the device certificate on
your Panorama™ management server and all managed NGFW using Enterprise DLP. This is required to successfully connect your Panorama
and NGFW to the DLP cloud service to synchronize data patterns and
data profiles, and to forward traffic to the DLP cloud service for inspection and
verdict rendering.
After you successfully install the device certificate, you must install the Enterprise DLP plugin on Panorama. The Enterprise DLP plugin on
Panorama is required to manage your Enterprise DLP configuration
and to push Enterprise DLP configuration changes to your managed NGFW. A Panorama with the Enterprise DLP plugin
installed is required; managing the Enterprise DLP configuration on your NGFW isn't supported.
You only need to manually upgrade the Enterprise DLP plugin
version on Panorama and when upgrading within the same major plugin
version. For example, you currently have Enterprise DLP plugin version 5.0.0
installed and want to upgrade to Enterprise DLP plugin version 5.0.1. In this
case you download and install this new plugin version just on Panorama.
You only need to install the Enterprise DLP on Panorama. By default,
all NGFW have the minimum supported
Enterprise DLP plugin version installed based on the currently installed PAN-OS version. The minimum supported plugin installation occurs
automatically when you install a new PAN-OS version on your NGFW.
To perform configuration changes on Panorama, the Enterprise DLP plugin
creates a temporary __dlp
Panorama admin regardless of the admin making the configuration changes.
The temporary __dlp admin is only used by the Enterprise DLP plugin for configuration changes and has no login credentials.
The __dlp admin can't be used to log in to Panorama and isn't listed as a Panorama administrator account. The
__dlp admin has no access privileges beyond the Enterprise DLP plugin.
Your existing data patterns (ObjectsCustom ObjectsData Patterns) and data filtering profiles (ObjectsSecurity ProfilesData Filtering) are automatically hidden after you successfully install the Enterprise DLP plugin on Panorama. To display your existing data
patterns and filtering profiles when you need to reference them, you can
temporarily Enable Existing Data Patterns and Filtering Profiles.
To uninstall the Enterprise Data Loss Prevention (E-DLP) plugin, you must remove all Enterprise DLP data filtering profile references from all your Security policy
rules before you can uninstall the plugin from Panorama.
Install the Plugin
Install the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.
- Review the Compatibility Matrix to verify the Enterprise DLP plugin version is supported on the PAN-OS version running on Panorama.(Best Practices) Before you install the plugin and activate your Enterprise DLP license, select AssetsDevices to locate Panorama and your managed firewalls to verify that they all belong to the same CSP account.Panorama and any managed firewalls on which you want to use Enterprise DLP must belong to the same CSP account, which enables you to share data profiles and maintain consistent Security policy rule enforcement.Install the Panorama Device Certificate.Install the Device Certificate for Managed Firewalls.The device certificate is required for all managed firewalls using Enterprise DLP.Install the plugin on Panorama.
- Log in to the Panorama web interface.Select PanoramaPlugins and search for the latest version of the Enterprise DLP plugin.Download and Install the Enterprise DLP plugin on Panorama.Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
- Full configuration push from Panorama
- Select CommitCommit to Panorama and Commit.
- Select CommitPush to Devices and Edit Selections.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your managed firewalls that are using Enterprise DLP.
- Partial configuration push from PanoramaYou must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
- Select CommitCommit to Panorama.
- Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.Click OK to continue.
- Commit.
- Select CommitPush to Devices.
- Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.Click OK to continue.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your managed firewalls that are using Enterprise DLP.
Activate your Enterprise DLP license for your managed firewalls.Repeat this step for all managed firewalls using Enterprise DLP.- Log in to the Palo Alto Networks Customer Support Portal.Select AssetsLicenses & Subscriptions and locate the managed firewall for which you want to activate Enterprise DLPIn the Actions column, click Licenses & Subscriptions.Click Activate License at the bottom of the page.Select Activate License from the list of Activation Types.In the Activate Auth-Code field, enter the auth code provided by Palo Alto Networks.Agree and Submit.Activate the Enterprise DLP tenant for your Customer Support (CSP) tenant.This is required to connect Panorama and managed firewalls to the DLP cloud service to forward traffic for verdict rendering and to allow synchronization between Panorama and the DLP cloud service.
- Select Activate ProductsReady for Activation.Locate Enterprise DLP from the list of applications ready for activation.Activate Now.(Optional) Create a Palo Alto Networks Support ticket to enable your Enterprise DLP license to transfer between firewalls.Requesting that the Enterprise DLP license is transferable enables you to transfer your DLP license to other managed firewalls.In the support ticket, include the following information:
- The request for a firewall transfer for the Enterprise DLP license.
- Your CSP account ID and the email associated with your CSP account.
- The managed firewall serial number. If you activated the Enterprise DLP license on multiple managed firewalls, include the serial numbers for all the managed firewalls in a single support ticket.
- The auth codes used to activate the Enterprise DLP license on your managed firewalls.
- Also provide the CSP account ID with which additional managed firewalls are associated if you have managed firewalls that belong to a different CSP account.
Activate the Enterprise DLP plugin on your managed firewalls.- Select PanoramaDevice DeploymentLicense and Activate the Enterprise DLP plugin.Enter the Auth Code for the target managed firewalls.The auth code is automatically provided to you by Palo Alto Networks in an email after you complete your purchase of the Enterprise DLP plugin license.Activate the Enterprise DLP plugin license on your managed firewalls.Select ObjectsDLP Data Filtering Profiles and verify that the predefined data filtering profiles are displayed.Panorama is automatically populated with predefined data filtering profiles when Panorama successfully connects to the DLP cloud service.Verify that the Enterprise DLP license is successfully activated on your managed firewalls.
- Launch the firewall web interface.Select DeviceLicenses and verify that the license is successfully activated.After you successfully install the Enterprise DLP plugin on Panorama, you must create Security policy rules to enable your managed firewalls to leverage Enterprise DLP.
Uninstall the Plugin
Uninstall the Enterprise Data Loss Prevention (E-DLP) plugin from your Panorama™ management server.- Log in to the Panorama web interface.Select PoliciesSecurity and remove all Enterprise DLP data filtering profiles from your Security policy rules.This step is required to successfully uninstall the Enterprise DLP plugin.Commit and push your configuration changes to your managed firewalls using Enterprise DLP.The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
- Select CommitCommit to Panorama and Commit.Select CommitPush to Devices and Edit Selections.Select Device Groups and Include Device and Network Templates.Click OK.Push your configuration changes to your managed firewalls that are using Enterprise DLP.In the Panorama web interface, select PanoramaPlugins and Uninstall the Enterprise DLP plugin.Commit and push the new configuration to your managed firewalls to uninstall the Enterprise DLP plugin.The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
- Full configuration push from Panorama
- Select CommitCommit to Panorama and Commit.
- Select CommitPush to Devices and Edit Selections.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your managed firewalls that are using Enterprise DLP.
- Partial configuration push from PanoramaYou must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
- Select CommitCommit to Panorama.
- Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.Click OK to continue.
- Commit.
- Select CommitPush to Devices.
- Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.Click OK to continue.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your managed firewalls that are using Enterprise DLP.