Enterprise DLP
Create a Classic Data Profile
Create a classic Enterprise Data Loss Prevention (E-DLP) data profile that contains predefined, custom regular expression, or file property data patterns.

| Where Can I Use This? | What Do I Need? |
|---|---|
| | Or any of the following licenses that include the Enterprise DLP license |
After you create a data pattern, you need to create a data profile to add those data patterns and specify matches and confidence levels. All data profiles you create are shared across Panorama™ management server and Strata Cloud Manager deployments associated with the tenant. All classic data profiles created on Panorama or Strata Cloud Manager can be edited and copied as needed. Viewing a data profile created on the DLP on Panorama requires Panorama plugin for Enterprise DLP 1.0.4 or later release.

A data profile configured for detection of non-file traffic allows you to configure URL and application exclusion lists. The URL and application exclusion lists allow you to select Shared (Panorama only) URL and application traffic to exclude from inspection. For the application exclusion list, at least one application exclusion is required to create a data filtering profile for inspecting non-file traffic. The predefined DLP App Exclusion Filter is provided containing commonly used applications that can be safely excluded from inspection.

When you create a data filtering profile using predefined data patterns, be sure to consider the detection type used by the predefined data patterns, because the detection type determines how Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files.

If you downgrade from PAN-OS 10.2.1 or later release and Enterprise DLP plugin 3.0.1 or later release to PAN-OS 10.1 and Enterprise DLP plugin 1.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.

Updating a classic data profile to include an advanced detection method such as Exact Data Matching (EDM) and custom document types set isn’t supported. To combine a predefined or custom data pattern with advanced detection methods, create an advanced data profile instead.

Strata Cloud Manager

Create an Enterprise Data Loss Prevention (E-DLP) data profile on Strata Cloud Manager.

1. Log in to Strata Cloud Manager.
2. Edit the Data Filtering Settings on Strata Cloud Manager to configure the minimum and maximum data size limits and the actions the firewall takes when uploading files to the DLP cloud service or when inspecting non-file based traffic.
3. Select Manage > Configuration > Data Loss Prevention > Data Profiles and Add Data Profile > Classic Data Profile.
   You can also create a new data profile by copying an existing data profile. This allows you to quickly modify an existing data profile with additional match criteria while preserving the original data profile from which the new data profile was copied. Data profiles created by copying an existing data profile are appended with Copy - <name_of_original_data_profile>. This name can be edited as needed. Adding an EDM data set to a copied data profile is supported only if the original data profile had an EDM data set to begin with. Adding an EDM data set to a data profile that doesn’t already have an EDM data set isn’t supported.
4. Configure the Primary Rule for the data profile.
   Data pattern match criteria for traffic that you want to allow must be added to the Primary Rule. Data pattern match criteria for traffic that you want to block can be added to either the Primary Rule or the Secondary Rule.
   - Enter a descriptive Data Profile Name.
   - Add Pattern Group and Add Data Pattern.
   - Configure the match criteria.
     - Data Pattern—Select a custom or predefined data pattern.
     - Occurrence Condition—Specify the occurrence condition required to trigger a Security policy rule action.
       - Any—Security policy rule action triggered if Enterprise DLP detects at least one instance of matched traffic.
       - Less than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Count.
       - More than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the minimum being the specified Count.
       - Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects any number of instances of matched traffic within the specified Count range.
     - Count—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1-500. For example, to match a pattern that appears three or more times in a file, select More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
     - Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
   - (Optional) Add Data Pattern to add additional data pattern match criteria to the Primary Rule.
   - (Optional) Add Data Pattern Group to add additional data pattern conditions using AND or OR operators to the Primary Rule. Refer to the descriptions above to configure any additional data pattern conditions as needed.
5. (Optional) Configure a Secondary Rule.
   Data pattern match criteria added to the Secondary Rule block all traffic that meets the match criteria for the data pattern conditions. If you want to allow traffic that matches a data pattern match criteria, add it to the Primary Rule.
6. Review the Data Profile Preview to verify the data profile match criteria.
7. Save the data profile.
8. Select Manage > Configuration > Security Services > Data Loss Prevention and search for the data profile you created to verify it was successfully created.
9. Attach the data profile to a Security policy rule.
   - Prisma Access (Managed by Strata Cloud Manager)—Modify a DLP Rule for Prisma Access on Strata Cloud Manager.
DLP App

Configure an Enterprise Data Loss Prevention (E-DLP) data profile on the DLP app on the hub.

1. Log in to the DLP app on the hub.
   If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
2. Select Data Profiles > Add Data Profile > Classic Data Profile.
   You can also create a new data profile by copying an existing data profile. This allows you to quickly modify an existing data profile with additional match criteria while preserving the original data profile from which the new data profile was copied. Data profiles created by copying an existing data profile are appended with Copy - <name_of_original_data_profile>. This name can be edited as needed. Adding an EDM data set to a copied data profile is supported only if the original data profile had an EDM data set to begin with. Adding an EDM data set to a data profile that doesn’t already have an EDM data set isn’t supported.
3. Configure the Primary Rule for the data profile.
   Data pattern match criteria for traffic that you want to allow must be added to the Primary Rule. Data pattern match criteria for traffic that you want to block can be added to either the Primary Rule or the Secondary Rule.
   - Enter a descriptive Data Profile Name.
   - Add Pattern Group and Add Data Pattern.
   - Define the match criteria.
     - Data Pattern—Select a custom or predefined data pattern.
     - Occurrence Condition—Specify the occurrence condition required to trigger a Security policy rule action.
       - Any—Security policy rule action triggered if Enterprise DLP detects at least one instance of matched traffic.
       - Less than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Count.
       - More than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the minimum being the specified Count.
       - Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects any number of instances of matched traffic within the specified Count range.
     - Count—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1-500. For example, to match a pattern that appears three or more times in a file, select More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
     - Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
   - (Optional) Add Data Pattern to add additional data pattern match criteria to the Primary Rule.
   - (Optional) Add Data Pattern Group to add additional data pattern conditions using AND or OR operators to the Primary Rule. Refer to the descriptions above to configure any additional data pattern conditions as needed.
4. (Optional) Configure a Secondary Rule.
   Data pattern match criteria added to the Secondary Rule block all traffic that meets the match criteria for the data patterns by default and can’t be modified. If you want to allow traffic that matches a data pattern match criteria, add it to the Primary Rule.
5. Review the Data Profile Preview to verify the data profile match criteria.
6. Save the data profile.
7. Verify the data profile you created.
   - DLP App on the hub—Log in to the DLP app on the hub as a Superuser and select Data Profiles to view the data profile you created.
   - Strata Cloud Manager—Log in to Strata Cloud Manager, select Manage > Configuration > Security Services > Data Loss Prevention, and search for the data profile you created.
   - Panorama and Prisma Access (Managed by Panorama)—See Update a Data Profile for more information on which data profile settings are editable on Panorama for a data profile created on Strata Cloud Manager.
     1. Log in to the Panorama web interface.
     2. Select Objects > DLP > Data Filtering Profiles and navigate to the data profile you created.
     3. (Optional) Edit the data profile Action to block traffic.
        The Action for a data profile created on Strata Cloud Manager is configured to Alert by default. If the data profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
        - Select the data profile created on Strata Cloud Manager.
        - Set the data profile Action to Block traffic that matches the data profile match criteria.
        - Select Commit > Commit to Panorama and Commit.
        - Click OK.
        - Select Commit > Push to Devices and Edit Selections.
        - Select Device Groups and Include Device and Network Templates.
        - Push your configuration changes to your managed firewalls that are using Enterprise DLP.
8. Attach the data profile to a Security policy rule.
   - Prisma Access (Managed by Strata Cloud Manager)—Modify a DLP Rule for Prisma Access on Strata Cloud Manager.
   - Panorama and Prisma Access (Managed by Panorama)
     1. Log in to the Panorama web interface.
     2. Select Policies > Security and specify the Device Group.
     3. Select the Security policy rule to which you want to add the data profile.
     4. Select Actions and set the Profile Type to Profiles.
     5. Select the Data Filtering profile you created.
     6. Click OK.
     7. Select Commit and Commit and Push.
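The Occurrence Condition, Count and Confidence settings described in the Strata Cloud Manager and DLP app procedures above decide when a data pattern counts as matched, and the Primary Rule and Secondary Rule decide what a match means for the traffic. The following Python script is an added example written for this page; it is not Palo Alto Networks code and does not reproduce how the DLP cloud service scans content. It assumes a simplified model: each data pattern is a regular expression, a hit is reported as High confidence only when a proximity keyword appears near it (a stand-in for the predefined patterns' detection types), and the scanned text is constructed with made-up values.

```python
import re
from dataclasses import dataclass

# Constructed file content to scan. All numbers are made up for the example.
SAMPLE_TEXT = (
    "Customer export, Q3\n"
    "SSN: 123-45-6789\n"
    "SSN: 987-65-4321\n"
    "Card number 4111 1111 1111 1111 on file\n"
    "Ref 111-22-3333 (no label)\n"
)


@dataclass
class DataPattern:
    """A custom or predefined data pattern. `keywords` is a hypothetical proximity
    list standing in for the pattern's detection type: a regex hit with a keyword
    within 40 characters is reported as High confidence, otherwise Low."""
    name: str
    regex: str
    keywords: tuple = ()

    def matches(self, text):
        """Return one confidence label ('High' or 'Low') per hit."""
        labels = []
        for m in re.finditer(self.regex, text):
            window = text[max(0, m.start() - 40): m.end() + 40].lower()
            labels.append("High" if any(k in window for k in self.keywords) else "Low")
        return labels


@dataclass
class Criterion:
    """One Data Pattern row: Occurrence Condition, Count (1-500), Confidence."""
    pattern: DataPattern
    condition: str = "Any"   # Any | Less than or equal to | More than or equal to | Between (inclusive)
    count: int = 1
    count_max: int = 1       # upper bound, used only by Between (inclusive)
    confidence: str = "Low"  # High counts only High-confidence hits; Low counts every hit

    def evaluate(self, text):
        if not 1 <= self.count <= 500:
            raise ValueError("Count must be in the range 1-500")
        hits = self.pattern.matches(text)
        if self.confidence == "High":
            hits = [h for h in hits if h == "High"]
        n = len(hits)
        if self.condition == "Any":
            return n >= 1
        if self.condition == "Less than or equal to":
            return 1 <= n <= self.count  # at least one instance, at most Count
        if self.condition == "More than or equal to":
            return n >= self.count
        if self.condition == "Between (inclusive)":
            return self.count <= n <= self.count_max
        raise ValueError(f"unknown Occurrence Condition: {self.condition}")


@dataclass
class Group:
    """A pattern group, or a whole rule: members joined with AND or OR."""
    operator: str
    members: list  # Criterion or nested Group instances

    def evaluate(self, text):
        results = [m.evaluate(text) for m in self.members]
        return all(results) if self.operator == "AND" else any(results)


def verdict(primary, secondary, text):
    """A Secondary Rule match always blocks. A Primary Rule match hands the traffic
    to the attached Security policy rule's configured action; otherwise no match."""
    if secondary is not None and secondary.evaluate(text):
        return "block (Secondary Rule)"
    if primary.evaluate(text):
        return "match (Primary Rule: Security policy rule action applies)"
    return "no match"


# Constructed patterns; the keyword lists are assumptions for this example.
US_SSN = DataPattern("US Social Security Number", r"\b\d{3}-\d{2}-\d{4}\b",
                     keywords=("ssn", "social security"))
CREDIT_CARD = DataPattern("Credit Card Number", r"\b(?:\d{4}[ -]?){3}\d{4}\b",
                          keywords=("card", "credit"))


def build_profile():
    """Primary Rule: SSN three or more times (any confidence) OR a High-confidence
    card number. Secondary Rule: SSN five or more times."""
    primary = Group("AND", [Group("OR", [
        Criterion(US_SSN, "More than or equal to", count=3, confidence="Low"),
        Criterion(CREDIT_CARD, "Any", confidence="High"),
    ])])
    secondary = Group("OR", [Criterion(US_SSN, "More than or equal to", count=5)])
    return primary, secondary


def evaluate_sample():
    """Run the sample through the profile, and through a variant whose Secondary
    Rule blocks on any card number."""
    primary, secondary = build_profile()
    strict_secondary = Group("OR", [Criterion(CREDIT_CARD, "Any")])
    return {"profile": verdict(primary, secondary, SAMPLE_TEXT),
            "strict": verdict(primary, strict_secondary, SAMPLE_TEXT)}


if __name__ == "__main__":
    for name, result in evaluate_sample().items():
        print(f"{name}: {result}")
```

With the sample text, the SSN pattern produces two High-confidence hits (next to the "SSN:" labels) and one Low-confidence hit, so a Criterion requiring High confidence with More than or equal to 3 does not fire while the same Criterion at Low confidence does; that is the practical difference the Confidence setting makes when tuning a profile.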
File Based for Panorama

Create a data filtering profile for the Enterprise Data Loss Prevention (E-DLP) on the Panorama™ management server.

1. Log in to the Panorama web interface.
2. Edit the Data Filtering Settings on Panorama to configure the minimum and maximum data size limits and the actions the firewall takes when uploading files to the DLP cloud service.
3. Create one or more data patterns.
4. Select Objects > DLP > Data Filtering Profiles.
5. Add a new data filtering profile.
6. Enter a descriptive Name for the data profile.
7. Verify the following settings are enabled.
   - File Based—New data profiles have Yes selected by default.
   - Shared—All Enterprise DLP data profiles must be Shared across all device groups. This setting is enabled by default and cannot be disabled.
8. Define the match criteria.
   - If you select Basic, configure the following:
     - Primary Pattern—Add one or more data patterns to specify as the match criteria. If you specify more than one data pattern, the managed firewall uses a boolean OR match in the match criteria.
     - Match—Select whether the pattern you specify should match (include) or not match (exclude) the specified criteria.
     - Operator—Select a boolean operator to use with the Threshold parameter. Specify Any to ignore the threshold.
       - Any—Security policy rule action triggered if Enterprise DLP detects at least one instance of matched traffic.
       - Less than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Threshold.
       - More than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the minimum being the specified Threshold.
       - Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects any number of instances of matched traffic within the specified Threshold range.
     - Occurrence—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1-500. For example, to match a pattern that appears three or more times in a file, select more_than_or_equal_to as the Operator and specify 3 as the Threshold.
     - Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
   - If you select Advanced, you can create expressions by dragging and dropping data patterns, Confidence levels, Operators, and Occurrence values into the field in the center of the page. Specify the values in this order: data pattern, Confidence, and Operator or Occurrence.
9. Select an Action (Alert or Block) to perform on the file.
   If the data profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
10. Specify the file types the DLP cloud service takes action against.
    - DLP plugin 4.0.0 and earlier releases
    - DLP plugin 4.0.1 and later releases
    - Select File Types.
    - Select the Scan Type to create a file type include or exclude list.
      - Include—DLP cloud service inspects only the file types you add to the File Type Array.
      - Exclude—DLP cloud service inspects all supported file types except for those added to the File Type Array.
    - Click Modify to add the file types to the File Type Array and click OK.
11. Select the traffic Direction you want to inspect. You can select Upload, Download, or Both.
12. Set the Log Severity recorded for files that match this rule. You can select critical, high, medium, low, or informational. The default severity is informational.
13. Click OK to save your changes.
14. Attach the data filtering profile to a Security policy rule.
    - Select Policies > Security and specify the Device Group.
    - Select the Security policy rule to which you want to add the data filtering profile.
    - Select Actions and set the Profile Type to Profiles.
    - Select the Data Filtering profile you created previously.
    - Click OK.
15. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs. The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    - Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    - Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync. For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit. In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push. In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
Non-File Based for Panorama

Create a data filtering profile for the Enterprise Data Loss Prevention (E-DLP) on the Panorama™ management server to inspect non-file traffic for sensitive data.

1. Log in to the Panorama web interface.
2. Edit the Data Filtering Settings on Panorama to configure the minimum and maximum data size limits and the actions the firewall takes when uploading non-file data to the DLP cloud service.
   Palo Alto Networks recommends verifying that you Enable Non File DLP after you install Panorama plugin for Enterprise DLP 3.0.1.
3. Create one or more data patterns.
4. (Optional) Create a custom application filter or application group to define predefined or custom application traffic you want to exclude from inspection.
   The application filter and application group must be Shared to be used in the data filtering profile application exclusion list. Data filtering profiles for non-file traffic inspection support custom application filters, application groups, or both. You aren’t required to add both.
5. (Optional) Create a custom URL category to define URL traffic you want to exclude from inspection.
   The URL category must be Shared to be used in the data filtering profile URL exclusion list. You don’t need to add the custom URL category to a URL Filtering profile to include it in the URL exclusion list of a data filtering profile.
6. Select Objects > DLP > Data Filtering Profiles.
7. Add a new data filtering profile.
8. (Optional) Configure the data filtering profile to scan File Based traffic.
   Data filtering profiles support scanning both file based and non-file based traffic. Select Yes to scan for both file based and non-file based traffic. Select No to only scan for non-file based traffic. Configuring the data filtering profile not to scan for file based traffic has no impact on scanning non-file based traffic.
9. Configure the data filtering profile to scan Non-File Based traffic. Select Yes to scan for non-file based traffic.
10. Verify that Shared is enabled. All Enterprise DLP data profiles must be Shared across all device groups. This setting is enabled by default and cannot be disabled.
11. Define the match criteria.
    - If you select Basic, configure the following:
      - Primary Pattern—Add one or more data patterns to specify as the match criteria. If you specify more than one data pattern, the managed firewall uses a boolean OR match in the match criteria.
      - Match—Select whether the pattern you specify should match (include) or not match (exclude) the specified criteria.
      - Operator—Select a boolean operator to use with the Threshold parameter. Specify Any to ignore the threshold.
        - Any—Security policy rule action triggered if Enterprise DLP detects at least one instance of matched traffic.
        - Less than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Threshold.
        - More than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the minimum being the specified Threshold.
        - Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects any number of instances of matched traffic within the specified Threshold range.
      - Occurrence—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1-500. For example, to match a pattern that appears three or more times in a file, select more_than_or_equal_to as the Operator and specify 3 as the Threshold.
      - Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
    - If you select Advanced, you can create expressions by dragging and dropping data patterns, Confidence levels, Operators, and Occurrence values into the field in the center of the page. Specify the values in this order: data pattern, Confidence, and Operator or Occurrence.
12. Select an Action (Alert or Block) to perform on matching traffic.
    If the data profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
13. (Optional) Configure the URL category list to exclude URL traffic from inspection.
    The URL category list can only be configured when Non-File Based traffic inspection is enabled.
    - Select URL Category List Excluded From Non-File.
    - Add a new URL category list.
    - Select a predefined URL category, custom URL category, or EDL.
14. Configure the application exclusion list to exclude application traffic from inspection.
    The application list can only be configured when Non-File Based traffic inspection is enabled. At least one application list or application group is required to create a data filtering profile for inspecting non-file traffic.
    - Select Application List Excluded From Non-File.
    - Add an application filter or application group. If you didn’t create a custom application filter or application group, you must add the DLP App Exclusion Filter.
15. For the Direction, only Upload is supported for inspection of non-file based traffic.
16. Set the Log Severity recorded for files that match this rule. You can select critical, high, medium, low, or informational. The default severity is informational.
17. Click OK to save your changes.
18. Attach the data filtering profile to a Security policy rule.
    - Select Policies > Security and specify the Device Group.
    - Select the Security policy rule to which you want to add the data filtering profile.
    - Select Actions and set the Profile Type to Profiles.
    - Select the Data Filtering profile you created previously.
    - Click OK.
19. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs. The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    - Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    - Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync. For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit. In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push. In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
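For the two Panorama procedures above, the Basic match criteria (a Primary Pattern list joined by boolean OR, Match set to include or exclude, an Operator with its Threshold) and the non-file URL category and application exclusion lists can be seen working together on a handful of constructed upload sessions. The following Python script is an added example written for this page, not Palo Alto Networks code: the sessions, application names, URL categories, and the excluded application set that stands in for the DLP App Exclusion Filter are all made up, and the scanning logic is a simplified model rather than the DLP cloud service's.

```python
import re
from dataclasses import dataclass

# Constructed non-file upload sessions (form POST bodies). Every value here is
# made up for the example; the SSN-like strings are not real identifiers.
SESSIONS = [
    {"id": 1, "app": "web-browsing", "url_category": "business-and-economy", "direction": "upload",
     "payload": "name=alice&ssn=123-45-6789&ssn2=987-65-4321&ssn3=111-22-3333"},
    {"id": 2, "app": "dns", "url_category": "unknown", "direction": "upload",
     "payload": "ssn=123-45-6789"},
    {"id": 3, "app": "web-browsing", "url_category": "internal-hr-portal", "direction": "upload",
     "payload": "ssn=123-45-6789 ssn=987-65-4321 ssn=111-22-3333"},
    {"id": 4, "app": "web-browsing", "url_category": "business-and-economy", "direction": "download",
     "payload": "ssn=123-45-6789 ssn=987-65-4321 ssn=111-22-3333"},
    {"id": 5, "app": "web-browsing", "url_category": "business-and-economy", "direction": "upload",
     "payload": "token=abc123&ssn=123-45-6789"},
]


@dataclass
class PrimaryPattern:
    """One row of the Basic match criteria: pattern, Match, Operator, Threshold."""
    name: str
    regex: str
    match: str = "include"                   # include: must match; exclude: must not match
    operator: str = "more_than_or_equal_to"  # any | less_than_or_equal_to | more_than_or_equal_to | between_inclusive
    threshold: int = 1                       # Occurrence, range 1-500
    threshold_max: int = 1                   # upper bound, used by between_inclusive only

    def is_satisfied(self, text):
        if not 1 <= self.threshold <= 500:
            raise ValueError("Occurrence threshold must be in the range 1-500")
        n = len(re.findall(self.regex, text))
        hit = {
            "any": n >= 1,
            "less_than_or_equal_to": 1 <= n <= self.threshold,
            "more_than_or_equal_to": n >= self.threshold,
            "between_inclusive": self.threshold <= n <= self.threshold_max,
        }[self.operator]
        # Match=exclude inverts the row: it is satisfied when the pattern is absent.
        return hit if self.match == "include" else not hit


@dataclass
class NonFileProfile:
    """Data filtering profile with Non-File Based inspection enabled."""
    name: str
    patterns: list                                    # Primary Patterns, combined with boolean OR
    action: str = "alert"                             # alert | block
    log_severity: str = "informational"
    excluded_apps: frozenset = frozenset()            # Application List Excluded From Non-File
    excluded_url_categories: frozenset = frozenset()  # URL Category List Excluded From Non-File

    def __post_init__(self):
        # The page requires at least one application exclusion for non-file profiles.
        if not self.excluded_apps:
            raise ValueError("at least one application exclusion is required for non-file inspection")

    def inspect(self, session):
        base = {"id": session["id"], "inspected": False, "matched": False, "action": None}
        if session["direction"] != "upload":
            return {**base, "reason": "only Upload is supported for non-file inspection"}
        if session["app"] in self.excluded_apps:
            return {**base, "reason": "application excluded from inspection"}
        if session["url_category"] in self.excluded_url_categories:
            return {**base, "reason": "URL category excluded from inspection"}
        matched = any(p.is_satisfied(session["payload"]) for p in self.patterns)  # boolean OR
        return {**base, "inspected": True, "matched": matched,
                "action": self.action if matched else None,
                "severity": self.log_severity if matched else None}


# Constructed profile: block uploads carrying three or more SSN-like values.
PROFILE = NonFileProfile(
    name="non-file-ssn-block",
    patterns=[PrimaryPattern("US SSN", r"\b\d{3}-\d{2}-\d{4}\b", threshold=3)],
    action="block",
    log_severity="high",
    excluded_apps=frozenset({"dns", "ssl", "ntp"}),             # stand-in for DLP App Exclusion Filter
    excluded_url_categories=frozenset({"internal-hr-portal"}),  # constructed custom URL category
)


def run(profile=PROFILE, sessions=SESSIONS):
    """Inspect every session and return the results keyed by session id."""
    return {s["id"]: profile.inspect(s) for s in sessions}


if __name__ == "__main__":
    for sid, result in run().items():
        print(sid, result)
```

Only session 1 reaches the pattern check and trips the three-occurrence threshold; sessions 2 and 3 are skipped by the application and URL category exclusion lists before any content is examined, session 4 is a download and so is outside non-file inspection, and session 5 carries a single SSN-like value and stays below the threshold. The exclusion lists therefore decide what is never sent for inspection, which is why the page requires at least one application exclusion before a non-file profile can be created.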