>
    Update a Data Profile
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Enterprise DLP Administration
    4. Configure Enterprise DLP
    5. Data Profiles
    6. Update a Data Profile
    Download PDF
    Enterprise DLP

    Update a Data Profile

    Table of Contents

    Update a Data Profile

    Update and modify an existing
    Enterprise Data Loss Prevention (E-DLP)
     data profile.
    Where Can I Use This?
    What Do I Need?
    • NGFW (Managed by Panorama)
    • Prisma Access (Managed by Strata Cloud Manager)
    • SaaS Security
    • NGFW (Managed by Strata Cloud Manager)
    • Enterprise Data Loss Prevention (E-DLP)
       license
    • NGFW (Managed by Panorama)
      —Support and
      Panorama
       device management licenses
    • Prisma Access (Managed by Strata Cloud Manager)
      Prisma Access
       license
    • SaaS Security
      SaaS Security
       license
    • NGFW (Managed by Strata Cloud Manager)
      —Support and
      AIOps for NGFW Premium
       licenses
    Or any of the following licenses that include the
    Enterprise DLP
     license
    • Prisma Access
       CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X)
       license
    • Data Security
       license
    You can edit and modify an existing custom
    Enterprise Data Loss Prevention (E-DLP)
     data profile at any time. Any changes you make to an existing data profile from the DLP app on the hub is automatically synchronized to
    Panorama
    ,
    Prisma Access (Managed by Panorama)
    , and
    Strata Cloud Manager
     where the data profile is supported.
    If you update a data profile to include a predefined data pattern, be sure to consider the detection types used by the predefined data patterns because the detection type determines how
    Enterprise Data Loss Prevention (E-DLP)
     arrives at a verdict for scanned files. For example, when you create a data profile that includes three machine learning (ML)-based data patterns and seven regex-based data patterns,
    Enterprise DLP
     will return verdicts based on the seven regex-based patterns whenever the scanned file exceeds 1 MB.
    Advanced data profiles can only be modified from
    Strata Cloud Manager
     or the DLP app on the hub.
    Any changes to the data profile match criteria made on
    Strata Cloud Manager
     are synchronized to
    Panorama
     but don’t display in the
    Panorama
     web interface. Security policy rules using a data profile updated on
    Strata Cloud Manager
     inspect traffic using the new or modified match criteria.
    (
    Panorama
     only
    ) Updating the data profile
    Name
     is supported but you must manually update the existing Security policy rules (
    Policies
    Security
     to reassociate the renamed data filtering profile. Commits on
    Panorama
     fail if you do not reassociate the renamed data filtering profile with the Security policy rule after the updated data profile name is synchronized to
    Panorama
    .

    Strata Cloud Manager

    Modify an existing
    Enterprise Data Loss Prevention (E-DLP)
     data profile on
    Strata Cloud Manager
    .
    1. Log in to
      Strata Cloud Manager
      .
    2. Select
      Manage
      Configuration
      Security Services
      Data Loss Prevention
      Data Profiles
       and navigate to the data profile you want to modify.
    3. Edit ( ) the data profile.
    4. Modify the data profile as needed.
      • See Create a Classic Data Profile for details on configuring configure a data profile that uses only predefined or custom data patterns.
        Modifying a classic data profile to include advanced detection methods isn’t supported.
      • See Create an Advanced Data Profile for details on configuring a profile that uses any combination of prdefined or custom data patterns and advanced detection methods.
        Modifying an advanced data profile to only include data patterns isn’t supported if the advanced data profile included both data patterns and advanced detection methods when it was initially created.
        Enterprise DLP
         includes predefined document templates that were converted from ML-based data patterns. Palo Alto Networks recommends modifying the match criteria in the event your existing data profile references the list ML-based data patterns that were converted.
      • See Create a Nested Data Profile for details on configuring a single data profile that contains multiple data profiles.
        Adding an advanced data profile to an existing nested data profile if one wasn’t included when the nested data profile was originally created is supported.
    5. Save
       your changes.

    DLP App

    Modify an existing
    Enterprise Data Loss Prevention (E-DLP)
     data profile on the DLP app on the hub.
    1. Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    2. Select
      Data Profiles
       and select a data profile to display the data profile preview window.
    3. Edit ( ) the data profile.
    4. Modify the data profile as needed.
      • See Create a Classic Data Profile for details on configuring configure a data profile that uses only predefined or custom data patterns.
        Modifying a classic data profile to include advanced detection methods isn’t supported.
      • See Create an Advanced Data Profile for details on configuring a profile that uses any combination of prdefined or custom data patterns and advanced detection methods.
        Modifying an advanced data profile to only include data patterns isn’t supported if the advanced data profile included both data patterns and advanced detection methods when it was initially created.
        Enterprise DLP
         includes predefined document templates that were converted from ML-based data patterns. Palo Alto Networks recommends modifying the match criteria in the event your existing data profile references the list ML-based data patterns that were converted.
      • See Create a Nested Data Profile for details on configuring a single data profile that contains multiple data profiles.
        Adding an advanced data profile to an existing nested data profile if one wasn’t included when the nested data profile was originally created is supported.
    5. Save
       your changes.

    Panorama

    Modify an existing
    Enterprise Data Loss Prevention (E-DLP)
     data filtering profile on the
    Panorama™ management server
    .
    1. Log in to the
      Panorama
       web interface.
    2. Select
      Objects
      DLP
      Data Filtering Profiles
       and specify the
      Device Group
      .
    3. Select a data filtering profile to edit.
    4. Edit the data filtering profile as needed.
      1. Modify the data filtering profile scan for
        File Based
         traffic,
        Non-File Based
         traffic, or both.
      2. Modify the
        Primary Pattern
         and
        Secondary Pattern
         match criteria.
        Modifying the data filtering profile match criteria on
        Panorama
         is supported only for
        Enterprise DLP
         data filtering profiles created on
        Panorama
        . See File Based for Panorama for details on configuring data pattern criteria using predefined or custom data patterns.
      3. (
        Data Filtering Profile for Non-File Traffic Inspection Only
        ) Modify the
        URL Category Excluded List from Non-File
         and
        Application List Excluded from Non-File
         to configure which URL and application traffic is excluded from
        Enterprise DLP
         inspection.
        See Non-File Based for Panorama for more information.
      4. Edit the data filtering profile settings.
        Enterprise DLP
         only supports editing the advanced data profile settings from
        Panorama
        .
        • Select the data filtering profile
          Action
           (
          Alert
           or
          Block
          )
          If the data profile has both Primary and Secondary Patterns, changing the data filtering profile Action on
          Panorama
           deletes all Secondary Pattern match criteria.
        • Specify a
          File Type
          .
          Leave the file type as
          any
           to match any of the supported file types.
        • Set the
          Log Severity
           recorded for files that match this data filtering profile.
    5. Click
      OK
      .
    6. Commit and push the new configuration to your managed firewalls to complete the
      Enterprise DLP
       plugin installation.
      This step is required for
      Enterprise DLP
       data filtering profile names to appear in Data Filtering logs.
      The
      Commit and Push
       command isn’t recommended for
      Enterprise DLP
       configuration changes. Using the
      Commit and Push
       command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
      • Full configuration push from Panorama
        1. Select
          Commit
          Commit to
          Panorama
           and
          Commit
          .
        2. Select
          Commit
          Push to Devices
           and
          Edit Selections
          .
        3. Select
          Device Groups
           and
          Include Device and Network Templates
          .
        4. Click
          OK
          .
        5. Push
           your configuration changes to your managed firewalls that are using
          Enterprise DLP
          .
      • Partial configuration push from Panorama
        You must always include the temporary
        __dlp
         administrator when performing a partial configuration push. This is required to keep
        Panorama
         and the DLP cloud service in sync.
        For example, you have an
        admin
        Panorama
         admin user who is allowed to commit and push configuration changes. The
        admin
         user made changes to the
        Enterprise DLP
         configuration and only wants to commit and push these changes to managed firewalls. In this case, the
        admin
         user is required to also select the
        __dlp
         user in the partial commit and push operations.
        1. Select
          Commit
          Commit to
          Panorama
          .
        2. Select
          Commit Changes Made By
           and then click the current Panorama admin user to select additional admins to include in the partial commit.
          In this example, the
          admin
           user is currently logged in and performing the commit operation. The
          admin
           user must click
          admin
           and then select the
          __dlp
           user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
          Click
          OK
           to continue.
        3. Commit
          .
        4. Select
          Commit
          Push to Devices
          .
        5. Select
          Push Changes Made By
           and then click the current Panorama admin user to select additional admins to include in the partial push.
          In this example, the
          admin
           user is currently logged in and performing the push operation. The
          admin
           user must click
          admin
           and then select the
          __dlp
           user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
          Click
          OK
           to continue.
        6. Select
          Device Groups
           and
          Include Device and Network Templates
          .
        7. Click
          OK
          .
        8. Push
           your configuration changes to your managed firewalls that are using
          Enterprise DLP
          .
    7. Verify the changes you made to the data filtering profile.
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select
        Data Profiles
         and search for the data filtering profile you updated.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.