: Create a Data Filtering Profile on Panorama
Focus
Focus

Create a Data Filtering Profile on Panorama

Table of Contents

Create a Data Filtering Profile on Panorama

Create a data filtering profile for the
Enterprise Data Loss Prevention (E-DLP)
on the Panorama™ management server.
After you create a data pattern on Panorama or Prisma Access (Panorama Managed), create a data filtering profile to add multiple data patterns and specify matches and confidence levels. All predefined and custom data filtering profiles are available across all device groups.
When you create a data filtering profile using predefined data patterns, be sure to consider the detection type used by the predefined data patterns because the detection type determines how
Enterprise Data Loss Prevention (E-DLP)
arrives at a verdict for scanned files.
  1. Edit the Enterprise DLP Data Filtering Settings to configure the minimum and maximum data size limits and the actions the firewall takes when uploading files to the DLP cloud service.
  2. (
    Optional
    ) Create one or more Enterprise DLP data patterns.
  3. Select
    Objects
    DLP
    Data Filtering Profiles
    and specify the
    Device Group
    .
  4. Add
    a new data filtering profile.
  5. Define the match criteria.
    • If you select
      Basic
      , configure the following:
      • Primary Pattern
        Add
        one or more data patterns to specify as the match criteria.
        If you specify more than one data pattern, the managed firewall uses a boolean OR match in the match criteria.
      • Match
        —Select whether the pattern you specify should match (
        include
        ) or not match (
        exclude
        ) the specified criteria.
      • Operator
        —Select a boolean operator to use with the
        Threshold
        parameter. Specify
        Any
        to ignore the threshold.
        • Any
          —Security policy rule action triggered if
          Enterprise DLP
          detects at least one instance of matched traffic.
        • Less than or equal to
          —Security policy rule action triggered if
          Enterprise DLP
          detects instances of matched traffic, with the maximum being the specified
          Threshold
          .
        • More than or equal to
          —Security policy rule action triggered if
          Enterprise DLP
          detects instances of matched traffic, with a minimum being the specified
          Threshold
          .
        • Between (inclusive)
          —Security policy rule action triggered if
          Enterprise DLP
          detects any number of instances of matched traffic between the specific
          Threshold
          range.
      • Threshold
        —Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is
        1
        -
        500
        .
        For example, to match a pattern that appears three or more times in a file, select
        more_than_or_equal_to
        as the
        Operator
        and specify
        3
        as the
        Threshold
        .
      • Confidence
        —Specify the confidence level required for a Security policy rule action to be taken (
        High
        or
        Low
        ).
    • If you select
      Advanced
      , you can create expressions by dragging and dropping data patterns,
      Confidence
      levels,
      Operators
      , and
      Occurrence
      values into the field in the center of the page.
      Specify the values in the order that they’re shown in the following screenshot (data pattern,
      Confidence
      , and
      Operator
      or
      Occurrence
      ).
  6. Select an
    Action
    (
    Alert
    or
    Block
    ) to perform on the file.
    If the data filtering profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
  7. Specify the file types the DLP cloud service takes action against.
    • DLP plugin 4.0.0 and earlier releases
      Select the
      File Type
      . By default,
      any
      is selected and inspects all supported file types.
    • DLP plugin 4.0.1 and later releases
    1. Select
      File Types
      .
    2. Select the Scan Type to create a file type include or exclude list.
      • Include
        —DLP cloud service inspects only the file types you add to the File Type Array.
      • Exclude
        —DLP cloud service inspects all supported file types except for those added to the File Type Array.
    3. Click
      Modify
      to add the file types to the File Type Array and click
      OK
      .
  8. Select
    upload
    as the
    Direction
    .
    Downloads aren’t supported.
  9. (
    Optional
    ) Set the
    Log Severity
    recorded for files that match this rule.
    The default severity is
    Informational
    .
  10. Click
    OK
    to save your changes.
  11. Attach the data filtering profile to a Security policy rule.
    1. Select
      Policies
      Security
      and specify the
      Device Group
      .
    2. Select the Security policy rule to which you want to add the data filtering profile.
    3. Select
      Actions
      and set the
      Profile Type
      to
      Profiles
      .
    4. Select the
      Data Filtering
      profile you created previously.
    5. Click
      OK
      .
  12. Commit and push your configuration changes to your managed firewalls that are using
    Enterprise DLP
    .
    The
    Commit and Push
    command isn’t recommended for
    Enterprise DLP
    configuration changes. Using the
    Commit and Push
    command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    1. Select
      Commit
      Commit to Panorama
      and
      Commit
      .
    2. Select
      Commit
      Push to Devices
      and
      Edit Selections
      .
    3. Select
      Device Groups
      and
      Include Device and Network Templates
      .
    4. Click
      OK
      .
    5. Push
      your configuration changes to your managed firewalls that are using
      Enterprise DLP
      .

Recommended For You