Create a Data Filtering Profile on Panorama for Non-File Detection
Create a data filtering profile for Enterprise data loss prevention (DLP) on the Panorama™ management server to inspect non-file traffic for sensitive data. After you create a data pattern on Panorama, create a data filtering profile to add one or more data patterns and specify the match criteria and confidence levels for the non-file traffic you need to inspect. All predefined and custom data filtering profiles are available across all device groups.
A data filtering profile configured to inspect non-file traffic allows you to configure URL and application exclusion lists. These lists let you select Shared URL categories and Shared application filters or application groups whose traffic is excluded from inspection. At least one application exclusion is required to create a data filtering profile that inspects non-file traffic. The predefined DLP App Exclusion Filter contains commonly used applications that can be safely excluded from inspection.

When you create a data filtering profile using predefined data patterns, consider the detection type used by each predefined data pattern, because the detection type determines how Enterprise DLP arrives at a verdict for scanned data. For example, if a data filtering profile includes three machine learning (ML)-based data patterns and seven regex-based data patterns, Enterprise DLP returns verdicts based only on the seven regex-based patterns whenever the scanned file exceeds 1 MB.

Creating a data filtering profile on Panorama for non-file detection is supported on Panorama and managed firewalls running PAN-OS 10.2.1 or a later release with the Panorama plugin for Enterprise DLP 3.0.1 or a later release. If you downgrade from PAN-OS 10.2.1 or later and Enterprise DLP plugin 3.0.1 or later to PAN-OS 10.1 and Enterprise DLP plugin 1.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.

- Edit the Enterprise DLP Non-File Data Filtering Settings to configure the minimum and maximum data size limits and the actions the firewall takes when uploading non-file data to the DLP cloud service. Palo Alto Networks recommends verifying that Enable Non File DLP is enabled after you install Panorama plugin for Enterprise DLP 3.0.1.
- (Optional) Create a custom application filter or application group to define the predefined or custom application traffic you want to exclude from inspection. The application filter or application group must be Shared to be used in the data filtering profile application exclusion list. Data filtering profiles for non-file traffic inspection support both custom application filters and application groups; you aren't required to add both.
- (Optional) Create a custom URL category to define the URL traffic you want to exclude from inspection. The URL category must be Shared to be used in the data filtering profile URL exclusion list. You don't need to add the custom URL category to a URL Filtering profile in order to include it in the URL exclusion list of a data filtering profile.
- (Optional) Create one or more Enterprise DLP data patterns.
- Select Objects > DLP > Data Filtering Profiles and specify the Device Group.
- Add a new data filtering profile.
- (Optional) Configure the data filtering profile to scan File Based traffic. Data filtering profiles support scanning both file-based and non-file-based traffic. Select Yes to scan both file-based and non-file-based traffic, or No to scan only non-file-based traffic. Configuring the profile not to scan file-based traffic has no impact on scanning non-file-based traffic.
- Configure the data filtering profile to scan Non-File Based traffic. Select Yes to scan non-file-based traffic.
- Define the match criteria.
- If you select Basic, configure the following:
- Primary Pattern—Add one or more data patterns to specify as the match criteria. If you specify more than one data pattern, the managed firewall combines them with a boolean OR.
- Match—Select whether the pattern you specify should match (include) or not match (exclude) the specified criteria.
- Operator—Select a boolean operator to use with the Threshold parameter. Specify Any to ignore the threshold.
- Any—The Security policy rule action is triggered if Enterprise DLP detects at least one instance of matched traffic.
- Less than or equal to—The Security policy rule action is triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Threshold.
- More than or equal to—The Security policy rule action is triggered if Enterprise DLP detects instances of matched traffic, with the minimum being the specified Threshold.
- Between (inclusive)—The Security policy rule action is triggered if Enterprise DLP detects any number of instances of matched traffic within the specified Threshold range.
- Threshold—Specify the number of instances of matched traffic required to trigger the Security policy rule action. The range is 1-500. For example, to match a pattern that appears three or more times in a file, select more_than_or_equal_to as the Operator and specify 3 as the Threshold.
- Confidence—Specify the confidence level required for the Security policy rule action to be taken (High or Low).
- If you select Advanced, you can build expressions by dragging and dropping data patterns, Confidence levels, Operators, and Occurrence values into the field in the center of the page. Specify the values in the order shown in the screenshot that accompanies this step (data pattern, Confidence, and then Operator or Occurrence).
- Select an Action (Alert or Block) to perform on matching traffic. If the data filtering profile has both Primary and Secondary Patterns, changing the profile Action on Panorama deletes all Secondary Pattern match criteria.
- (Optional) Configure the URL category list to exclude URL traffic from inspection. The URL category list can only be configured when Non-File Based traffic inspection is enabled.
- Select URL Category List Excluded From Non-File.
- Add a new URL category list.
- Select a predefined URL category, custom URL category, or EDL.
- Configure the application exclusion list to exclude application traffic from inspection. The application list can only be configured when Non-File Based traffic inspection is enabled. At least one application filter or application group is required to create a data filtering profile for inspecting non-file traffic.
- Select Application List Excluded From Non-File.
- Add an application filter or application group. If you didn't create a custom application filter or application group, you must add the DLP App Exclusion Filter.
- Specify a File Type. Leave the file type as any to match any of the supported file types.
- Select upload as the Direction. Downloads aren't supported.
- (Optional) Set the Log Severity recorded for traffic that matches this rule. The default severity is Informational.
- Click OK to save your changes.
- Attach the data filtering profile to a Security policy rule.
- Select Policies > Security and specify the Device Group.
- Select the Security policy rule to which you want to add the data filtering profile.
- Select Actions and set the Profile Type to Profiles.
- Select the Data Filtering profile you created previously.
- Click OK.
- Commit and push your configuration changes to the managed firewalls that are using Enterprise DLP. The Commit and Push command isn't recommended for Enterprise DLP configuration changes, because it requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
- Select Commit > Commit to Panorama and Commit.
- Select Commit > Push to Devices and Edit Selections.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to the managed firewalls that are using Enterprise DLP.
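The following is an added example, not Palo Alto Networks code and not how the DLP cloud service is implemented, that models the Basic-mode match criteria described in the "Define the match criteria" step: the four Operator/Threshold semantics, the minimum Confidence gate, the OR across Primary Patterns, and the caveat from the introduction that verdicts above 1 MB are based only on regex-based patterns. The rule and hit data classes, the `detection` label on each rule, the sample patterns and the sample scan results are all constructed for illustration; the interpretation of Match "exclude" as an inverted criterion is an assumption.

```python
"""Model of a Basic-mode data filtering profile verdict (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# From the page: above 1 MB the verdict is based only on regex-based patterns.
ML_SIZE_LIMIT_BYTES = 1_000_000
# From the page: the Threshold range is 1-500.
THRESHOLD_MIN, THRESHOLD_MAX = 1, 500
VALID_OPERATORS = ("any", "less_than_or_equal_to", "more_than_or_equal_to", "between")
_CONF_RANK = {"low": 0, "high": 1}


@dataclass
class PatternRule:
    """One Primary Pattern entry of a profile (constructed representation)."""
    name: str
    detection: str                      # "ml" or "regex": the pattern's detection type (label is an assumption)
    match: str = "include"              # "include" (must match) or "exclude" (must not match)
    operator: str = "any"               # one of VALID_OPERATORS
    threshold: int = 1                  # single bound, or lower bound for "between"
    threshold_high: Optional[int] = None  # upper bound, used only by "between"
    confidence: str = "low"             # minimum confidence required: "high" or "low"


@dataclass
class PatternHit:
    """Constructed scan result for one pattern: instances found and the verdict confidence."""
    count: int
    confidence: str


def validate_rule(rule: PatternRule) -> None:
    """Reject values the UI would not accept (threshold range, operator, confidence)."""
    if rule.operator not in VALID_OPERATORS:
        raise ValueError(f"unknown operator {rule.operator!r}")
    if rule.confidence not in _CONF_RANK or rule.match not in ("include", "exclude"):
        raise ValueError(f"bad confidence/match on rule {rule.name!r}")
    if rule.operator != "any":
        bounds = [rule.threshold] + ([rule.threshold_high] if rule.operator == "between" else [])
        if any(b is None or not THRESHOLD_MIN <= b <= THRESHOLD_MAX for b in bounds):
            raise ValueError(f"threshold out of range {THRESHOLD_MIN}-{THRESHOLD_MAX} on {rule.name!r}")


def count_in_range(rule: PatternRule, count: int) -> bool:
    """Apply the Operator/Threshold semantics from the page to an instance count."""
    if rule.operator == "any":
        return count >= 1
    if rule.operator == "less_than_or_equal_to":
        return 1 <= count <= rule.threshold          # at least one instance, at most Threshold
    if rule.operator == "more_than_or_equal_to":
        return count >= rule.threshold
    return rule.threshold <= count <= rule.threshold_high  # between (inclusive)


def rule_satisfied(rule: PatternRule, hit: PatternHit) -> bool:
    """A pattern matches when its count is in range at the required confidence."""
    matched = (count_in_range(rule, hit.count)
               and _CONF_RANK[hit.confidence] >= _CONF_RANK[rule.confidence])
    # Assumption: Match "exclude" inverts the criterion (satisfied when the pattern does NOT match).
    return matched if rule.match == "include" else not matched


def evaluate(rules: List[PatternRule], hits: Dict[str, PatternHit],
             scanned_bytes: int, action: str = "alert") -> Tuple[Optional[str], List[str]]:
    """Return (profile Action or None, names of rules that fired). Primary Patterns are OR'ed."""
    fired = []
    for rule in rules:
        validate_rule(rule)
        if rule.detection == "ml" and scanned_bytes > ML_SIZE_LIMIT_BYTES:
            continue  # page: only regex-based patterns contribute to the verdict above 1 MB
        hit = hits.get(rule.name, PatternHit(0, "low"))
        if rule_satisfied(rule, hit):
            fired.append(rule.name)
    return (action if fired else None), fired


# Constructed sample profile: an ML-based card-number pattern needing 3+ high-confidence
# instances, OR'ed with a regex-based SSN pattern that fires on any instance.
SAMPLE_RULES = [
    PatternRule("cc-ml", "ml", operator="more_than_or_equal_to", threshold=3, confidence="high"),
    PatternRule("ssn-regex", "regex", operator="any", confidence="low"),
]
# Constructed scan results: five high-confidence card numbers, no SSNs.
SAMPLE_HITS = {"cc-ml": PatternHit(5, "high"), "ssn-regex": PatternHit(0, "low")}

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, SAMPLE_HITS, 512_000, "block"))    # ('block', ['cc-ml'])
    print(evaluate(SAMPLE_RULES, SAMPLE_HITS, 2_000_000, "block"))  # (None, []) ML skipped above 1 MB
```

The second call is the practical point of the size caveat: the same five card-number hits produce no verdict once the scanned object is over 1 MB, because the only pattern that would have fired is ML-based. If a profile relies on ML-based patterns alone, pair them with a regex-based pattern for the same data type so large uploads still get a verdict.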