Create a Security Policy Rule for ChatGPT on Prisma Access (Cloud Management)

Create a security policy rule to prevent exfiltration of sensitive data to ChatGPT for Prisma Access (Cloud Management).
Use Enterprise Data Loss Prevention (E-DLP) for Prisma Access (Cloud Management) to prevent exfiltration of sensitive data to ChatGPT in a new or existing Security policy rule.
Your Prisma Access tenants must be running Software Version 10.2.3 or a later release. Support for non-file based HTTP/2 traffic inspection is required to successfully prevent exfiltration to ChatGPT.
  1. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings > Data Transfer and Enable Non-File Inspection.
  2. Select Manage > Configuration > Security Services > Decryption and create the decryption profile and policy rule required to enable .
    Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
  3. Create a custom regex data pattern to define your own match criteria. You can skip this step if you plan to use predefined or existing data patterns to define match criteria in your data filtering profile.
  4. Select Manage > Configuration > Security Services > Data Loss Prevention > DLP Rules and in the Actions column, Edit the DLP rule.
    1. Enable Non-File Based Match Criteria.
      DLP rules configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can further modify the DLP rule to enforce your organization’s data security standards. The DLP rule has the same name as the data profile from which it was automatically created.
      You can keep File Based Matched Criteria enabled or disable it as needed. Enabling this setting has no impact on detection of egress traffic to ChatGPT as long as Non-File Based Match Criteria is enabled.
    2. Modify the Action and Log Severity.
    3. Modify the rest of the DLP rule as needed.
    4. Save.
  5. Create a Shared Profile Group for the Enterprise DLP data filtering profile.
    1. Select Manage > Configuration > Security Services > Profile Groups and Add Profile Group.
    2. Enter a descriptive Name for the Profile Group.
    3. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
    4. Add any additional profiles as needed.
    5. Save the profile group.
  6. Create a Security policy and attach the Profile Group.
    Alternatively, you can select Manage > Configuration > Web Security to create or add ChatGPT to a Web Security Policy. You can skip this step if you create a Web Security Policy for ChatGPT.
    1. Select Manage > Configuration > Security Services > Security Policy and Add Rule.
      You can also update an existing Security policy to attach a Profile Group for Enterprise DLP filtering.
    2. In the Applications, Services, and URLs section, Add Applications to search for and select openai-chatgpt.
    3. Navigate to the Action and Advanced Inspection section, and select the Profile Group you created in the previous step.
    4. Configure the Security policy as needed.
      The Action you specify in the data profile determines whether egress traffic to ChatGPT is blocked. The Security policy rule Action does not impact whether matched traffic is blocked.
      For example, suppose you configure the data filtering profile to Block matching egress traffic but configure the Security policy rule Action to Allow. In this scenario, the matching egress traffic to ChatGPT is blocked.
    5. Save the Security policy.
  7. Push your data filtering profile.
    1. Push Config and Push.
    2. Select (enable) Remote Networks and Mobile Users.
    3. Push.
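
A post-push check for the HTTP/2 requirement and the Strip ALPN caveat in step 2, as an added example that is not part of the vendor documentation. Run from a client behind Prisma Access, it reports whether the session was decrypted and whether `h2` was still negotiated. It assumes the decrypting proxy re-signs server certificates with your forward trust CA; the host, the CA common name and the CA bundle path are values you supply, and the script name and verdict labels are hypothetical.

```python
"""Egress check: is TLS decrypted, and did HTTP/2 ALPN survive decryption?"""
import socket
import ssl
import sys

VERDICTS = {
    "OK": "decrypted and h2 negotiated; non-file inspection can see this traffic",
    "NOT_DECRYPTED": "issuer is not the forward trust CA; traffic is not being decrypted",
    "NO_H2": "decrypted but h2 not negotiated; check Strip ALPN in the decryption profile",
}


def issuer_common_name(cert):
    # getpeercert() gives the issuer as a tuple of RDNs, each a tuple of (key, value) pairs.
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def assess(alpn, issuer_cn, forward_trust_cn):
    """Classify one probe result (pure function, no network access)."""
    if issuer_cn != forward_trust_cn:
        return "NOT_DECRYPTED"
    return "OK" if alpn == "h2" else "NO_H2"


def probe(host, port=443, cafile=None, timeout=5.0):
    """Offer h2 and http/1.1 in one TLS handshake; return (negotiated ALPN, issuer CN)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol(), issuer_common_name(tls.getpeercert())


if __name__ == "__main__":
    # Usage: check_alpn.py HOST FORWARD_TRUST_CN [CAFILE]
    # All three values are supplied by you; none of them come from the page.
    if len(sys.argv) < 3:
        sys.exit(__doc__ + "\nusage: check_alpn.py HOST FORWARD_TRUST_CN [CAFILE]")
    host, ca_cn = sys.argv[1], sys.argv[2]
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    alpn, issuer = probe(host, cafile=cafile)
    verdict = assess(alpn, issuer, ca_cn)
    print(f"{host}: alpn={alpn!r} issuer={issuer!r} -> {verdict}: {VERDICTS[verdict]}")
    sys.exit(0 if verdict == "OK" else 1)
```

A `NO_H2` verdict means the client fell back to HTTP/1.1 or negotiated no protocol at all, which is the condition step 2 warns about.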
