: Create a Security Rule Policy for ChatGPT on Panorama
Focus
Focus

Create a Security Rule Policy for ChatGPT on Panorama

Table of Contents

Create a Security Rule Policy for ChatGPT on Panorama

Create a security policy rule to prevent exfiltration of sensitive data to ChatGPT on the Panorama management server.
Use
Enterprise Data Loss Prevention (E-DLP)
to prevent exfiltration of sensitive data to ChatGPT in a new or existing Security policy rule. This is supported for
Panorama
and
Prisma Access (Panorama Managed)
.
Support for non-file based HTTP/2 traffic inspection is required to successfully prevent exfiltration to ChatGPT. You must upgrade Panorama and all managed firewalls to PAN-OS 10.2.3 or later release. Additionally, you must upgrade the Panorama plugin for
Enterprise DLP
to 3.0.2 or later release.
  1. Upgrade Panorama, managed firewalls, and the
    Enterprise DLP
    plugin to the minimum required versions.
    1. Upgrade Panorama to PAN-OS 10.2.3 or later release.
    2. Upgrade the Enterprise DLP plugin to 3.0.2 or later release.
    3. Upgrade managed firewalls to PAN-OS 10.2.3 or later release.
  2. Create the decryption policy rule required for Enterprise DLP.
    1. Select
      Objects
      Decryption
      Decryption Profile
      and specify the
      Device Group
      .
      Add
      a new decryption profile. The default decryption profile configuration is all that is required for
      Enterprise DLP
      to inspect traffic.
      Do not enable
      Strip ALPN
      in the decryption profile.
      Enterprise DLP
      cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
    2. Select
      Policies
      Decryption
      and specify the
      Device Group
      .
      Add
      a new decryption policy rule. Select
      Options
      and assign the decryption profile.
      1. For the
        Action
        , select
        Decrypt
        .
      2. Select the
        Decryption Profile
        you created.
      3. Click
        OK
        .
  3. Create a custom regex data pattern to define your own match criteria. Skip this step if you plan to use predefined or existing custom data data patterns to define match criteria in your data filtering profile.
  4. Data filtering profiles configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can create a new data filtering profile or use existing data filtering profiles as needed. You can add any combination of custom or predefined data patterns to define the match criteria.
  5. Attach the data filtering profile to a Security policy rule.
    1. Select
      Policies
      Security
      .
      You can select an existing Security policy rule or
      Add
      a new Security policy rule.
    2. Configure the
      General
      and
      Source
      as needed.
    3. Configure the
      Destination
      as needed.
    4. For the
      Application
      ,
      Add
      and search for
      openai-chatgpt
      .
      Skip this step if your Security policy rule applies to
      Any
      application. ChatGPT is automatically included for a Security policy rule that applies to
      Any
      application.
    5. Select
      Actions
      and configure the Profile Settings.
      Select
      Profiles
      and select the
      Data Filtering
      profile you created in the previous step.
      If the data filtering profile is part of a Security Profile Group (
      Objects
      Security Profile Groups
      ), select
      Group
      and select the Security Profile Group the data filtering profile is associated with.
    6. Configure the rest of the Security policy rule as needed.
      The
      Action
      you specify in the data filtering profile determines whether egress traffic to ChatGPT is blocked. The Security policy rule
      Action
      does not impact whether matched traffic is blocked.
      For example, if you configured the data filtering profile to
      Block
      matching egress traffic but configure the Security policy rule
      Action
      to
      Allow
      , the matching egress traffic to ChatGPT will be blocked.
    7. Click
      OK
      .
  6. Commit and push your configuration changes to your managed firewalls that are using
    Enterprise DLP
    .
    The
    Commit and Push
    command isn’t recommended for
    Enterprise DLP
    configuration changes. Using the
    Commit and Push
    command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    1. Select
      Commit
      Commit to Panorama
      and
      Commit
      .
    2. Select
      Commit
      Push to Devices
      and
      Edit Selections
      .
    3. Select
      Device Groups
      and
      Include Device and Network Templates
      .
    4. Click
      OK
      .
    5. Push
      your configuration changes to your managed firewalls that are using
      Enterprise DLP
      .

Recommended For You