Create a Data Filtering Profile on Panorama for Non-File Detection

Log in to the Panorama web interface.
Edit the Enterprise DLP Non-File Data Filtering Settings to configure the minimum and maximum data size limits and the actions the firewall takes when uploading non-file data to the DLP cloud service.
Palo Alto Networks recommends verifying that
Enable Non File DLP
is enabled after you install Panorama plugin for Enterprise DLP 3.0.1.
(
Optional
) Create a custom application filter or application group to define predefined or custom application traffic you want to exclude from inspection.
The application filter and application group must be
Shared
to be used in the data filtering profile application exclusion list. Data filtering profiles for non-file traffic inspection support either both custom application filters and application groups. You are not required to add both.
Create a Custom Application Filter
Create an Application Group
(
Optional
) Create a custom URL categoryto define URL traffic you want to exclude from inspection.
The URL category must be
Shared
to be used in the data filtering profile URL exclusion list
To include the custom URL category in the URL exclusion list of a data filtering profile, adding the custom URL category to a URL Filtering Profile is not required.
(
Optional
) Create one or more Enterprise DLP data patterns.
Select
Objects
DLP
Data Filtering Profiles
and specify the
Device Group
.
Add
a new data filtering profile.
(
Optional
) Configure the data filtering profile to scan
File Based
traffic.
Data filtering profiles supports scanning both file based and non-file based traffic. Select
Yes
to scan for both file based and non-file based traffic. Select
No
to only scan for non-file based traffic. Configuring the data filtering profile to not scan for file based traffic has no impact on scanning non-file based traffic.
Configure the data filtering profile to scan
Non-File Based
traffic.
Select
Yes
to scan for non-file based traffic.
Configure the primary pattern for the data filtering profile.
If you select
Basic
, configure the following:
Primary Pattern
—
Add
one or more data patterns to specify as the match criteria.
If you specify more than one data pattern, the managed firewall uses a boolean OR match in the match criteria.
Match
—Select whether the pattern you specify should match (
include
) or not match (
exclude
) the specified criteria.
Operator
—Select a boolean operator to use with the
Threshold
parameter. Specify
Any
to ignore the threshold.
Threshold
—Specify a value to use with the
Operator
you specify.
For example, to match a pattern that appears three or more times in a file, select
more_than_or_equal_to
as the
Operator
and specify
3
as the
Threshold
.
Confidence
—Use this with the proximity keywords you specified in the data pattern you created. Specifying a confidence level of
Low
means that the managed firewall will not use proximity keywords. Specifying a Confidence level of
High
means that the managed firewall looks for the proximity keywords the first 200 characters of the regular expressions in the pattern before it considers the data pattern in a file to be a match.

If you select
Advanced
, you can create expressions by dragging and dropping data patterns,
Confidence
levels,
Operators
, and
Occurrence
values into the field in the center of the page.
Specify the values in the order that they are shown in the following screenshot (data pattern,
Confidence
, and
Operator
or
Occurrence
).

Select an
Action
(
Alert
or
Block
) to perform on matching traffic.
If the data filtering profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
(
Optional
) Configure the URL category list to exclude URL traffic from inspection.
The URL category list can only be configured when
Non-File Based
traffic inspection is enabled.
Select
URL Category List Excluded From Non-File
.
Add
a new URL category list.
Select a predefined URL category, custom URL category or EDL.

Configure the application exclusion list to exclude application traffic from inspection.
The application list can only be configured when
Non-File Based
traffic inspection is enabled. At least one application list or application group is required to create a data filtering profile for inspecting non-file traffic.
Select
Application List Excluded From Non-File
.
Add
an application filter or application group.
If you did not create a custom application filter or application group, you must add the
DLP App Exclusion Filter
.

Specify a
File Type
.
Leave the file type as
any
to match any of the supported file types.
Select
upload
as the
Direction
.
Downloads are not supported.
(
Optional
) Set the
Log Severity
recorded for files that match this rule.
The default severity is
Informational
.
Click
OK
to save your changes.
Attach the data filtering profile to a Security policy rule.
Select
Policies
Security
and specify the
Device Group
.
Select the Security policy rule to which you want to add the data filtering profile.
Select
Actions
and set the
Profile Type
to
Profiles
.
Select the
Data Filtering
profile you created previously.
Click
OK
to save your
Commit and push your configuration changes to your managed firewalls that are leveraging Enterprise DLP.
The
Commit and Push
command is not recommended for Enterprise DLP configuration changes. Using the
Commit and Push
command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
Select
Commit
Commit to Panorama
and
Commit
.
Select
Commit
Push to Devices
and
Edit Selections
.
Select
Device Groups
and
Include Device and Network Templates
.
Click
OK
.
Push
your configuration changes to your managed firewalls that are leveraging Enterprise DLP.