Create a Security Rule Policy for ChatGPT on Panorama
Create a security policy rule to prevent exfiltration of sensitive data to ChatGPT on
the Panorama management server.
Use Enterprise Data Loss Prevention (E-DLP) to prevent exfiltration of sensitive data to ChatGPT in a new or existing Security policy rule. This is supported for Panorama and Prisma Access (Panorama Managed).
Support for non-file based HTTP/2 traffic inspection is required to successfully prevent exfiltration to ChatGPT. You must upgrade Panorama and all managed firewalls to PAN-OS 10.2.3 or later release. Additionally, you must upgrade the Panorama plugin for Enterprise DLP to 3.0.2 or later release.
- Upgrade Panorama, managed firewalls, and the Enterprise DLP plugin to the minimum required versions.
  - Upgrade Panorama to PAN-OS 10.2.3 or later release.
  - Upgrade the Enterprise DLP plugin to 3.0.2 or later release.
  - Upgrade managed firewalls to PAN-OS 10.2.3 or later release.
- Create the decryption policy rule required for Enterprise DLP.
  - Select Objects > Decryption > Decryption Profile and specify the Device Group. Add a new decryption profile. The default decryption profile configuration is all that is required for Enterprise DLP to inspect traffic. Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
  - Select Policies > Decryption and specify the Device Group. Add a new decryption policy rule. Select Options and assign the decryption profile.
  - For the Action, select Decrypt.
  - Select the Decryption Profile you created.
  - Click OK.
- Create a custom regex data pattern to define your own match criteria. Skip this step if you plan to use predefined or existing custom data patterns to define match criteria in your data filtering profile.
- Data filtering profiles configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can create a new data filtering profile or use existing data filtering profiles as needed. You can add any combination of custom or predefined data patterns to define the match criteria.
- Attach the data filtering profile to a Security policy rule.
  - Select Policies > Security. You can select an existing Security policy rule or Add a new Security policy rule.
  - Configure the General and Source as needed.
  - Configure the Destination as needed.
  - For the Application, Add and search for openai-chatgpt. Skip this step if your Security policy rule applies to Any application. ChatGPT is automatically included for a Security policy rule that applies to Any application.
  - Select Actions and configure the Profile Settings. Select Profiles and select the Data Filtering profile you created in the previous step. If the data filtering profile is part of a Security Profile Group (Objects > Security Profile Groups), select Group and select the Security Profile Group the data filtering profile is associated with.
  - Configure the rest of the Security policy rule as needed. The Action you specify in the data filtering profile determines whether egress traffic to ChatGPT is blocked. The Security policy rule Action does not impact whether matched traffic is blocked. For example, if you configured the data filtering profile to Block matching egress traffic but configure the Security policy rule Action to Allow, the matching egress traffic to ChatGPT will be blocked.
  - Click OK.
- Commit and push your configuration changes to your managed firewalls that are using Enterprise DLP. The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
  - Select Commit > Commit to Panorama and Commit.
  - Select Commit > Push to Devices and Edit Selections.
  - Select Device Groups and Include Device and Network Templates.
  - Click OK.
  - Push your configuration changes to your managed firewalls that are using Enterprise DLP.
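
The following added example is not from the original page or from Palo Alto Networks: a Python check over an exported device-group configuration that flags decryption profiles with Strip ALPN enabled and Security policy rules matching openai-chatgpt or Any that have no data filtering profile attached, either directly or through a Security Profile Group. The XML element names and the sample configuration are assumptions constructed for illustration; compare them against your own Panorama export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed device-group fragment. Element names are an
# assumption about the exported Panorama XML layout, not taken from the page.
SAMPLE = """
<device-group><entry name="dg-branch">
  <profiles><decryption>
    <entry name="dlp-decrypt"><ssl-forward-proxy><strip-alpn>no</strip-alpn></ssl-forward-proxy></entry>
    <entry name="legacy"><ssl-forward-proxy><strip-alpn>yes</strip-alpn></ssl-forward-proxy></entry>
  </decryption></profiles>
  <profile-group>
    <entry name="grp-dlp"><data-filtering><member>dlp-nonfile</member></data-filtering></entry>
    <entry name="grp-av"><virus><member>default</member></virus></entry>
  </profile-group>
  <pre-rulebase><security><rules>
    <entry name="chatgpt-dlp"><application><member>openai-chatgpt</member></application>
      <profile-setting><profiles><data-filtering><member>dlp-nonfile</member></data-filtering></profiles></profile-setting></entry>
    <entry name="web-any"><application><member>any</member></application>
      <profile-setting><group><member>grp-av</member></group></profile-setting></entry>
    <entry name="chatgpt-grp"><application><member>openai-chatgpt</member></application>
      <profile-setting><group><member>grp-dlp</member></group></profile-setting></entry>
  </rules></security></pre-rulebase>
</entry></device-group>
"""

def audit(xml_text):
    """Return (kind, name, issue) findings for one device group."""
    dg = ET.fromstring(xml_text).find("entry")
    findings = []
    # Strip ALPN must stay disabled or ChatGPT egress traffic is not inspected.
    for prof in dg.iterfind("profiles/decryption/entry"):
        if prof.findtext("ssl-forward-proxy/strip-alpn") == "yes":
            findings.append(("decryption-profile", prof.get("name"), "Strip ALPN enabled"))
    # Security Profile Groups that actually carry a data filtering profile.
    dlp_groups = {g.get("name") for g in dg.iterfind("profile-group/entry")
                  if g.find("data-filtering/member") is not None}
    for rule in dg.iterfind("pre-rulebase/security/rules/entry"):
        apps = {m.text for m in rule.iterfind("application/member")}
        if not apps & {"openai-chatgpt", "any"}:
            continue  # rule does not name ChatGPT or Any
        direct = rule.find("profile-setting/profiles/data-filtering/member") is not None
        groups = {m.text for m in rule.iterfind("profile-setting/group/member")}
        if not direct and not groups & dlp_groups:
            findings.append(("security-rule", rule.get("name"), "no data filtering profile"))
    return findings

if __name__ == "__main__":
    for kind, name, issue in audit(SAMPLE):
        print(f"{kind:18} {name:12} {issue}")
```

The check confirms only that a data filtering profile is attached; whether that profile is configured for non-file detection and which Action it takes still has to be verified in the profile itself.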