Create a Data Profile With Nested Data Profiles on Prisma Access (Cloud Managed)

Create and configure an Enterprise data loss prevention (DLP) data profile containing multiple data profiles on Prisma Access (Cloud Managed).
Enterprise data loss prevention (DLP) supports creating a single data profile that contains multiple nested data profiles. Creating a single data profile that contains multiple nested data profile allows you to consolidate the match criteria to prevent exfiltration of sensitive data to a single data profile that can be leveraged in a single Security policy rule. This allows you to simplify the management of sensitive data leaving your network and reduces the need to manage multiple Security policy rules and data profiles. A data profile that contains multiple nested data profiles created on Prisma Access (Cloud Managed) is viewable on Panorama, Prisma Access (Panorama Managed), Prisma Access (Cloud Managed), and the DLP app on the hub. Viewing a data profile created on the DLP app on Panorama requires Panorama plugin for Enterprise DLP 1.0.4 or later release.
When you create a data profile that contains predefined data profiles and patterns, be sure to consider the detection types used by the predefined data patterns because the detection type determines how Enterprise data loss prevention (DLP) arrives at a verdict for scanned files. For example, when you create a data profile that includes three machine learning (ML)-based data patterns and seven regex-based data patterns, Enterprise DLP will return verdicts based on the seven regex-based patterns whenever the scanned file exceeds 1MB.
Adding, deleting, or otherwise modifying the nested data profiles you add to data profile is supported only from the DLP app on the hub and Prisma Access (Cloud Managed), but not from Panorama.
Nesting a data profile that includes an EDM dataset to an existing data profile if one was not included when the data profile was originally created is supported.
  1. (
    Optional
    ) Create your data profiles on Prisma Access (Cloud Managed).
  2. Select
    Manage
    Configuration
    Security Services
    Data Loss Prevention
    Data Profiles
    and
    Add Data Profiles
    With multiple Data Profiles
    .
    You can also create a new data profile by copying an existing data profile that already contains multiple data profiles. This allows you to quickly modify an existing data profile with additional data profile match criteria while preserving the original data profile from which the new data profile was copied.
    Data profiles created by copying an existing data profile are appended with
    Copy - <name_of_original_data_profile>
    .
  3. Enter the
    Data Profile Name
    .
  4. Configure the Primary Rule for the data profile.
    Add Data Profile
    to add predefined or custom data profiles. Repeat this step to include additional data profiles.
    Data profile match criteria for traffic that you want to allow must be added to the Primary Rule. Data profiles match criteria for traffic that you want to block can be added to either Primary Rule or Secondary Rule.
    A data profile containing multiple data profiles support any combination of data profiles with data patterns only, data patterns and EDM datasets, and EDM datasets only.
    Only the
    OR
    operator is supported.
  5. (
    Optional
    ) Configure a Secondary Rule.
    Add Data Profile
    to add predefined or custom data profiles. Repeat this step to include additional data profiles.
    Data profile match criteria added to the Secondary Rule block all traffic that meet the match criteria for the data profile by default and cannot be modified. If you want to allow traffic that matches a data profile match criteria, add it to the Primary Rule.
    A data profile containing multiple data profiles support any combination of data profiles with data patterns only, data patterns and EDM datasets, and EDM datasets only.
    Only the
    OR
    operator is supported.
  6. Save
    the data profile.
  7. Verify that the data profile you created.
    • DLP App on the hub—
      Log in to the DLP app on the hub as a Superuser and select
      Data Profiles
      to view the data profile you created.
    • SaaS Security
      —Review the shared data profiles and data patterns and locate the data profile you created. Add a new asset rule and specify the match criteria using data profile you created.
    • Prisma Access (Cloud Managed)
      1. Select
        Manage
        Configuration
        Security Services
        Data Loss Prevention
        and search for the data profile you created.
    • Panorama and Prisma Access (Panorama Managed)
      See Update a Data Filtering Profile on Panorama for more information on which data profile settings are editable on Panorama for a data profile created on Prisma Access (Cloud Managed).
      If the data profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
      1. Select the data profile created on Prisma Access (Cloud Managed).
      2. Set the data profile Action to
        Block
        traffic that matches the data profile match criteria.
      3. Select
        Commit
        Commit to Panorama
        and
        Commit
        .
      4. Click
        OK
        .
      5. Select
        Commit
        Push to Devices
        and
        Edit Selections
        .
      6. Select
        Device Groups
        and
        Include Device and Network Templates
        .
      7. Push
        your configuration changes to your managed firewalls that are leveraging Enterprise DLP.

Recommended For You