Enterprise DLP
Update a Data Profile
Update and modify an existing Enterprise Data Loss Prevention (E-DLP) data profile.

| Where Can I Use This? | What Do I Need? |
|---|---|
| | Or any of the following licenses that include the Enterprise DLP license |
You can edit and modify an existing custom Enterprise Data Loss Prevention (E-DLP) data profile at any time. Any changes you make to an existing data profile from the DLP app on the hub are automatically synchronized to Panorama, Prisma Access (Managed by Panorama), and Strata Cloud Manager where the data profile is supported.

If you update a data profile to include a predefined data pattern, be sure to consider the detection types used by the predefined data patterns because the detection type determines how Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files. For example, when you create a data profile that includes three machine learning (ML)-based data patterns and seven regex-based data patterns, Enterprise DLP will return verdicts based on the seven regex-based patterns whenever the scanned file exceeds 1 MB.

Advanced data profiles can only be modified from Strata Cloud Manager or the DLP app on the hub.

Any changes to the data profile match criteria made on Strata Cloud Manager are synchronized to Panorama but don’t display in the Panorama web interface. Security policy rules using a data profile updated on Strata Cloud Manager inspect traffic using the new or modified match criteria.

(Panorama only) Updating the data profile Name is supported but you must manually update the existing Security policy rules (Policies > Security) to reassociate the renamed data filtering profile. Commits on Panorama fail if you do not reassociate the renamed data filtering profile with the Security policy rule after the updated data profile name is synchronized to Panorama.
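A pre-commit check for the rename case described above, as an added example that is not Palo Alto Networks code: it scans a configuration export for Security policy rules that still reference a data filtering profile name that no longer exists. The XML layout, the function name `dangling_profile_refs`, and all rule and profile names are constructed assumptions for illustration, not the actual Panorama schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a simplified stand-in for an exported device-group
# configuration. Element layout and all names are assumptions for illustration.
# "PII-Profile" was renamed to "PII-Profile-v2", but one rule still uses the old name.
SAMPLE_CONFIG = """
<device-group name="branch-offices">
  <profiles>
    <data-filtering>
      <entry name="PII-Profile-v2"/>
      <entry name="Source-Code"/>
    </data-filtering>
  </profiles>
  <rulebase>
    <security>
      <rules>
        <entry name="outbound-web">
          <profile-setting><profiles><data-filtering>
            <member>PII-Profile</member>
          </data-filtering></profiles></profile-setting>
        </entry>
        <entry name="outbound-git">
          <profile-setting><profiles><data-filtering>
            <member>Source-Code</member>
          </data-filtering></profiles></profile-setting>
        </entry>
        <entry name="internal-dns"/>
      </rules>
    </security>
  </rulebase>
</device-group>
"""


def dangling_profile_refs(config_xml):
    """Return (rule, profile) pairs where a Security policy rule references
    a data filtering profile name that is not defined in the configuration."""
    root = ET.fromstring(config_xml)
    defined = {e.get("name") for e in root.findall("./profiles/data-filtering/entry")}
    dangling = []
    for rule in root.findall("./rulebase/security/rules/entry"):
        for member in rule.findall("./profile-setting/profiles/data-filtering/member"):
            name = (member.text or "").strip()
            if name and name not in defined:
                dangling.append((rule.get("name"), name))
    return dangling


if __name__ == "__main__":
    for rule, profile in dangling_profile_refs(SAMPLE_CONFIG):
        print(f"rule {rule!r} references missing data filtering profile {profile!r}")
```

Rules with no data filtering profile attached are skipped; only references to names missing from the profile list are reported.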
Strata Cloud Manager
Modify an existing Enterprise Data Loss Prevention (E-DLP) data profile on Strata Cloud Manager.

- Log in to Strata Cloud Manager.
- Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles and navigate to the data profile you want to modify.
- Edit the data profile.
- Modify the data profile as needed.
  - See Create a Classic Data Profile for details on configuring a data profile that uses only predefined or custom data patterns. Modifying a classic data profile to include advanced detection methods isn’t supported.
  - See Create an Advanced Data Profile for details on configuring a profile that uses any combination of predefined or custom data patterns and advanced detection methods. Modifying an advanced data profile to only include data patterns isn’t supported if the advanced data profile included both data patterns and advanced detection methods when it was initially created. Enterprise DLP includes predefined document templates that were converted from ML-based data patterns. Palo Alto Networks recommends modifying the match criteria in the event your existing data profile references the ML-based data patterns that were converted.
  - See Create a Nested Data Profile for details on configuring a single data profile that contains multiple data profiles. Adding an advanced data profile to an existing nested data profile if one wasn’t included when the nested data profile was originally created is supported.
- Save your changes.
DLP App
Modify an existing Enterprise Data Loss Prevention (E-DLP) data profile on the DLP app on the hub.

- Log in to the DLP app on the hub. If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
- Select Data Profiles and select a data profile to display the data profile preview window.
- Edit the data profile.
- Modify the data profile as needed.
  - See Create a Classic Data Profile for details on configuring a data profile that uses only predefined or custom data patterns. Modifying a classic data profile to include advanced detection methods isn’t supported.
  - See Create an Advanced Data Profile for details on configuring a profile that uses any combination of predefined or custom data patterns and advanced detection methods. Modifying an advanced data profile to only include data patterns isn’t supported if the advanced data profile included both data patterns and advanced detection methods when it was initially created. Enterprise DLP includes predefined document templates that were converted from ML-based data patterns. Palo Alto Networks recommends modifying the match criteria in the event your existing data profile references the ML-based data patterns that were converted.
  - See Create a Nested Data Profile for details on configuring a single data profile that contains multiple data profiles. Adding an advanced data profile to an existing nested data profile if one wasn’t included when the nested data profile was originally created is supported.
- Save your changes.
Panorama
Modify an existing Enterprise Data Loss Prevention (E-DLP) data filtering profile on the Panorama™ management server.

- Log in to the Panorama web interface.
- Select Objects > DLP > Data Filtering Profiles and specify the Device Group.
- Select a data filtering profile to edit.
- Edit the data filtering profile as needed.
  - Modify the data filtering profile scan for File Based traffic, Non-File Based traffic, or both.
  - Modify the Primary Pattern and Secondary Pattern match criteria. Modifying the data filtering profile match criteria on Panorama is supported only for Enterprise DLP data filtering profiles created on Panorama. See File Based for Panorama for details on configuring data pattern criteria using predefined or custom data patterns.
  - (Data Filtering Profile for Non-File Traffic Inspection Only) Modify the URL Category Excluded List from Non-File and Application List Excluded from Non-File to configure which URL and application traffic is excluded from Enterprise DLP inspection. See Non-File Based for Panorama for more information.
- Edit the data filtering profile settings.
  - Select the data filtering profile Action (Alert or Block). If the data profile has both Primary and Secondary Patterns, changing the data filtering profile Action on Panorama deletes all Secondary Pattern match criteria.
  - Specify a File Type. Leave the file type as any to match any of the supported file types.
  - Set the Log Severity recorded for files that match this data filtering profile.
- Click OK.
- Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation. This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs. The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
  - Full configuration push from Panorama
    - Select Commit > Commit to Panorama and Commit.
    - Select Commit > Push to Devices and Edit Selections.
    - Select Device Groups and Include Device and Network Templates.
    - Click OK.
    - Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  - Partial configuration push from Panorama. You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync. For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
    - Select Commit > Commit to Panorama.
    - Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit. In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well. Click OK to continue.
    - Commit.
    - Select Commit > Push to Devices.
    - Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push. In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well. Click OK to continue.
    - Select Device Groups and Include Device and Network Templates.
    - Click OK.
    - Push your configuration changes to your managed firewalls that are using Enterprise DLP.
- Verify the changes you made to the data filtering profile.
  - Log in to the DLP app on the hub. If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
  - Select Data Profiles and search for the data filtering profile you updated.