Configure Enterprise DLP for Prisma Access (Cloud Managed)

Important: If you’re already using Panorama to manage Enterprise DLP for next-gen firewalls, your DLP configuration (data patterns and DLP profiles) in Prisma Access cloud management is read-only; continue to manage DLP from Panorama.
Enterprise DLP for Prisma Access (Cloud Managed) includes built-in settings that you can use to quickly start protecting your most sensitive content:
  • Predefined data patterns specify common types of sensitive information (like credit cards and social security numbers) that you might want to scan for and protect
  • Predefined DLP profiles group together data patterns that likely require the same type of enforcement
If you’re using SaaS Security with Enterprise DLP, your DLP configuration is shared across SaaS Security and Prisma Access (Cloud Managed). This means that if there is an advanced setting or customization option available in SaaS Security, you can set it up there and leverage it in Prisma Access (Cloud Managed).
Here’s an example of DLP profiles that are shared across SaaS Security and Prisma Access (Cloud Managed).

Get Started

  • Go to the Data Loss Prevention dashboard to get started:
    1. Log in to Prisma Access (Cloud Managed).
    2. Go to Manage > Configuration > Security Services > Data Loss Prevention.
  • Review the built-in DLP settings (predefined data patterns and predefined DLP profiles).
    • You cannot make changes to the predefined data patterns or predefined DLP profiles within Prisma Access (Cloud Management).
    • You also cannot create custom data patterns directly from Prisma Access (Cloud Managed). Go to SaaS Security to create a custom data pattern that you can use here.
  • Create a custom DLP profile.
    Add the data patterns that the profile scans for, and set the conditions that trigger an action such as block or alert.
    Certain advanced settings are available only in the SaaS Security app. If you go to SaaS Security and configure a DLP profile there, that profile will be visible to you here and can be used in your Prisma Access (Cloud Managed) security policy.
  • To start scanning traffic based on a DLP profile, attach the profile to a security rule.
    Security profiles (including data loss prevention profiles) are active only when they are attached to a security rule. Here’s how to add a profile to a security rule.
    When you’re ready, Push Config to send the updates to Prisma Access (Cloud Managed) and begin DLP scanning and enforcement.
  • Continue to Monitor Enterprise DLP using logs (see file logs) and the DLP app.
