Create a Data Filtering Profile on Panorama for Non-File Detection

Create a data filtering profile for the Enterprise DLP (data loss prevention) on the Panorama™ management server to inspect non-file traffic for sensitive data.
Create a data filtering profile on the Panorama management server to scan for sensitive data outside of file-based traffic. After you create a data pattern on Panorama, create a data filtering profile to add multiple data patterns and specify matches and confidence levels for all non-file traffic you need to inspect. All predefined and custom data filtering profiles are available across all device groups.
A data filtering profile configured for detection of non-file traffic allows you to configure URL and application exclusion lists. The URL and application exclusion lists allow you to select Shared URL and application traffic to exclude from inspection. For the application exclusion list, at least one application exclusion is required to create a data filtering profile for inspecting non-file traffic. The predefined DLP App Exclusion Filter is provided and contains commonly used applications that can be safely excluded from inspection.
When you create a data filtering profile using predefined data patterns, be sure to consider the detection type used by the predefined data patterns because the detection type determines how Enterprise data loss prevention (DLP) arrives at a verdict for scanned files. For example, when you create a data filtering profile that includes three machine learning (ML)-based data patterns and seven regex-based data patterns, Enterprise DLP will return verdicts based on the seven regex-based patterns whenever the scanned file exceeds 1MB.
Creating a data filtering profile on Panorama for non-file detection is supported on Panorama and managed firewalls running PAN-OS 10.2.1 or later release and Panorama plugin for Enterprise DLP 3.0.1 or later release. If you downgrade from PAN-OS 10.2.1 or later release and Enterprise DLP plugin 3.0.1 or later release to PAN-OS 10.1 and Enterprise DLP plugin 1.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.
  1. Edit the Enterprise DLP Non-File Data Filtering Settings to configure the minimum and maximum data size limits and the actions the firewall takes when uploading non-file data to the DLP cloud service.
    Palo Alto Networks recommends verifying that Enable Non File DLP is enabled after you install Panorama plugin for Enterprise DLP 3.0.1.
  2. (Optional) Create a custom application filter or application group to define predefined or custom application traffic you want to exclude from inspection.
    The application filter and application group must be Shared to be used in the data filtering profile application exclusion list. Data filtering profiles for non-file traffic inspection support both custom application filters and application groups; you are not required to add both.
  3. (Optional) Create a custom URL category to define URL traffic you want to exclude from inspection.
    The URL category must be Shared to be used in the data filtering profile URL exclusion list.
    To include the custom URL category in the URL exclusion list of a data filtering profile, you do not need to add the custom URL category to a URL Filtering profile.
  4. (Optional) Create one or more Enterprise DLP data patterns.
  5. Select Objects > DLP > Data Filtering Profiles and specify the Device Group.
  6. Add a new data filtering profile.
  7. (Optional) Configure the data filtering profile to scan File Based traffic.
    Data filtering profiles support scanning both file-based and non-file-based traffic. Select Yes to scan for both file-based and non-file-based traffic. Select No to scan only non-file-based traffic. Configuring the data filtering profile to not scan file-based traffic has no impact on scanning non-file-based traffic.
  8. Configure the data filtering profile to scan Non-File Based traffic.
    Select Yes to scan for non-file-based traffic.
  9. Configure the primary pattern for the data filtering profile.
    • If you select Basic, configure the following:
      • Primary Pattern—Add one or more data patterns to specify as the match criteria.
        If you specify more than one data pattern, the managed firewall uses a boolean OR match in the match criteria.
      • Match—Select whether the pattern you specify should match (include) or not match (exclude) the specified criteria.
      • Operator—Select a boolean operator to use with the Threshold parameter. Specify Any to ignore the threshold.
      • Threshold—Specify a value to use with the Operator you specify.
        For example, to match a pattern that appears three or more times in a file, select more_than_or_equal_to as the Operator and specify 3 as the Threshold.
      • Confidence—Use this with the proximity keywords you specified in the data pattern you created. Specifying a confidence level of Low means that the managed firewall will not use proximity keywords. Specifying a Confidence level of High means that the managed firewall looks for the proximity keywords within the first 200 characters of the regular expressions in the pattern before it considers the data pattern in a file to be a match.
    • If you select Advanced, you can create expressions by dragging and dropping data patterns, Confidence levels, Operators, and Occurrence values into the field in the center of the page.
      Specify the values in the order that they are shown in the following screenshot (data pattern, Confidence, and Operator or Occurrence).
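To make the Basic pattern settings concrete, the following is an added Python model (not Enterprise DLP code or the firewall's matching engine) of how one pattern entry's Match, Operator, Threshold and Confidence combine, and how several entries combine with boolean OR. It assumes that at High confidence a regex hit only counts when a proximity keyword appears within 200 characters of it; the regex, keywords and sample text are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Simplified model of the Basic primary-pattern settings (added illustration,
# not Enterprise DLP's engine). Assumption: at High confidence a regex hit
# counts only when a proximity keyword appears within 200 characters of it.
PROXIMITY_WINDOW = 200

@dataclass
class PatternEntry:
    regex: str                      # the data pattern's regular expression
    match: str = "include"          # "include" or "exclude"
    operator: str = "Any"           # "Any" ignores the threshold
    threshold: int = 0              # used with "more_than_or_equal_to"
    confidence: str = "Low"         # "Low" ignores keywords; "High" requires one
    proximity_keywords: list = field(default_factory=list)

def count_hits(entry, text):
    """Count regex hits, discarding keyword-less hits at High confidence."""
    lowered, hits = text.lower(), 0
    for m in re.finditer(entry.regex, text):
        if entry.confidence == "High":
            window = lowered[max(0, m.start() - PROXIMITY_WINDOW):m.end() + PROXIMITY_WINDOW]
            if not any(k.lower() in window for k in entry.proximity_keywords):
                continue
        hits += 1
    return hits

def entry_matches(entry, text):
    hits = count_hits(entry, text)
    if entry.operator == "Any":
        met = hits > 0
    elif entry.operator == "more_than_or_equal_to":
        met = hits >= entry.threshold
    else:
        raise ValueError(f"unsupported operator {entry.operator!r}")
    return met if entry.match == "include" else not met   # exclude inverts

def profile_matches(entries, text):
    """Several data patterns in one Primary Pattern combine with boolean OR."""
    return any(entry_matches(e, text) for e in entries)

# Constructed sample: SSN-shaped regex with proximity keywords, threshold 3.
SSN_ENTRY = PatternEntry(r"\b\d{3}-\d{2}-\d{4}\b", operator="more_than_or_equal_to",
                         threshold=3, confidence="High",
                         proximity_keywords=["SSN", "social security"])
SAMPLE_TEXT = ("Employee SSN: 123-45-6789. Payroll ref 987-65-4321 (social "
               "security). Backup SSN 555-44-3333.")
```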
  10. Select an Action (Alert or Block) to perform on matching traffic.
    If the data filtering profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
  11. (Optional) Configure the URL category list to exclude URL traffic from inspection.
    The URL category list can only be configured when Non-File Based traffic inspection is enabled.
    1. Select URL Category List Excluded From Non-File.
    2. Add a new URL category list.
    3. Select a predefined URL category, custom URL category, or EDL.
  12. Configure the application exclusion list to exclude application traffic from inspection.
    The application list can only be configured when Non-File Based traffic inspection is enabled. At least one application list or application group is required to create a data filtering profile for inspecting non-file traffic.
    1. Select Application List Excluded From Non-File.
    2. Add an application filter or application group.
      If you did not create a custom application filter or application group, you must add the DLP App Exclusion Filter.
  13. Specify a File Type.
    Leave the file type as any to match any of the supported file types.
  14. Select upload as the Direction.
    Downloads are not supported.
  15. (Optional) Set the Log Severity recorded for files that match this rule.
    The default severity is Informational.
  16. Click OK to save your changes.
  17. Attach the data filtering profile to a Security policy rule.
    1. Select Policies > Security and specify the Device Group.
    2. Select the Security policy rule to which you want to add the data filtering profile.
    3. Select Actions and set the Profile Type to Profiles.
    4. Select the Data Filtering profile you created previously.
    5. Click OK to save your changes.
  18. Commit and push your configuration changes to your managed firewalls that are leveraging Enterprise DLP.
    The Commit and Push command is not recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    1. Select Commit > Commit to Panorama and Commit.
    2. Select Commit > Push to Devices and Edit Selections.
    3. Select Device Groups and Include Device and Network Templates.
    4. Click OK.
    5. Push your configuration changes to your managed firewalls that are leveraging Enterprise DLP.
