Create a Security Policy Rule for ChatGPT on Prisma Access (Cloud Management)

Launch the Cloud Management Console.
Select
Manage
Configuration
Security Services
Data Loss Prevention
Settings
Data Transfer
and Enable Non-File Inspection.
Select
Manage
Configuration
Security Services
Decryption
and create the decryption profile and policy rule required to enable .
Do not enable
Strip ALPN
in the decryption profile. Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
(
Optional
) Create a Custom Data Pattern on Cloud Management.
Create a custom regex data pattern to define your own match criteria. You can skip this step if you plan to use predefined or existing data patterns to define match criteria in your data filtering profile.
Create a data profile on
Cloud Management
or use an existing data profile.
Create a Data Profile on Cloud Management
Create a Data Profile with EDM Data Sets on Cloud Management
Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management
Create a Data Profile with Nested Data Profiles on Cloud Management
Select
Manage
Configuration
Security Services
Data Loss Prevention
DLP Rules
and in the Actions column,
Edit
the DLP rule.
Enable
Non-File Based Match Criteria
.
DLP rules configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can further modify the DLP rule to enforce your organization’s data security standards. The DLP rule has an identical name as the data profile from which it was automatically created.
You can keep
File Based Matched Criteria
enabled or disable as needed. Enabling this setting has no impact on detection of egress traffic to ChatGPT as long as
Non-File Based Match Criteria
is enabled.

Modify the
Action
and
Log Severity
.
Modify the rest of the DLP rule as needed.
Save
.
Create a Shared Profile Group for the
Enterprise DLP
data filtering profile.
Select
Manage
Configuration
Security Services
Profile Groups
and
Add Profile Group
.
Enter a descriptive
Name
for the Profile Group.
For the Data Loss Prevention Profile, select the
Enterprise DLP
data profile.
Add any other additional profiles as needed.
Save
the profile group.

Create a Security policy and attach the Profile Group.
Alternatively, you can select
Manage
Configuration
Web Security
to create or add ChatGPT to a Web Security Policy. You can skip this step if you create a Web Security Policy for ChatGPT.
Select
Manage
Configuration
Security Services
Security Policy
and
Add Rule
.
You can also update an existing Security policy to attach a Profile Group for
Enterprise DLP
filtering.
In the Applications, Services, and URLs section,
Add Applications
to search for and select
openai-chatgpt
.

Navigate to the Action and Advanced Inspection section, and select the
Profile Group
you created in the previous step.

Configure the Security policy as needed.
The
Action
you specify in the data profile determines whether egress traffic to ChatGPT is blocked. The Security policy rule
Action
does not impact whether matched traffic is blocked.
For example, you configured the data filtering profile to
Block
matching egress traffic but configure the Security policy rule
Action
to
Allow
. In this scenario, the matching egress traffic to ChatGPT is blocked.
Save
the Security policy.
Push your data filtering profile.
Push Config
and
Push
.
Select (enable)
Remote Networks
and
Mobile Users
.
Push
.