What’s Supported with Enterprise DLP?
Learn about the supported applications and operational parameters for Enterprise data loss prevention (DLP), and about the products that support Enterprise DLP and its features:
Platform Support
Enterprise data loss prevention (DLP) is supported on
the following platforms:
- All PA-Series firewalls and VM-Series firewalls (but not CN-Series firewalls).
  - Requires PAN-OS 10.0.2 or a later version.
  - Requires an M-Series or Panorama virtual appliance running PAN-OS 10.0.2 or a later version. Enterprise DLP supports adding a data filtering profile only to a Security policy rule or security profile group configured on Panorama. To successfully leverage Enterprise DLP, you must configure your Security policy rule and security profile group on Panorama and push these configurations to your managed firewalls. Enterprise DLP does not support pushing an Enterprise DLP data filtering profile to your managed firewall and referencing the data filtering profile in a Security policy rule or security profile group created locally on the firewall.
  - Requires Application and Threats content release version 8334 or a later version. Upgrade to PAN-OS 10.0.3 and install Application and Threats content release 8413 or a later version for additional application support.
- Prisma Access (Panorama Managed)
  - Requires Prisma Access 2.0 Innovation or a later version.
  - Requires an M-Series or Panorama virtual appliance running PAN-OS 10.0.2 or a later version.
  - Requires Application and Threats content release 8334 or a later version. Install Application and Threats content release 8413 or a later version for additional application support.
  - DLP is an add-on license on Prisma Access. You can either start with a 60-day trial or purchase a license to use Enterprise DLP on Prisma Access.
- Prisma Access (Cloud Managed)
  - Important: If you're already using Panorama to manage Enterprise DLP configurations for next-generation firewalls, your DLP configuration in Prisma Access cloud management is read-only; you should continue to manage the Enterprise DLP configuration from your Panorama management server. DLP policy enforcement on Prisma Access (Cloud Managed) is still supported when using Panorama to manage your Enterprise DLP configuration. If the Panorama managing your Enterprise DLP configuration is no longer licensed to leverage Enterprise DLP, you must contact Palo Alto Networks Support to transfer Enterprise DLP configuration management to Prisma Access (Cloud Managed). The Enterprise DLP configuration on Prisma Access (Cloud Managed) remains read-only until you contact Palo Alto Networks Support. See Enterprise DLP configuration on Prisma Access (Cloud Managed) for details.
  - DLP is an add-on license on Prisma Access. You can either start with a 60-day trial or purchase a license to use Enterprise DLP on Prisma Access.
DLP data patterns and data filtering profiles are designed to
work across all supported platforms to provide consistent data security
across all locations.
Supported Applications
The following table displays the supported
web applications and operational parameters that you can use with
Enterprise DLP.
Of the applications listed in the table below, GitHub,
Microsoft OnePoint, Salesforce, ServiceNow, and Yahoo Mail require
that you install Application and Threats content release 8413 or a later
version on your PAN-OS firewalls or Prisma Access deployment.
Web Application | PDF | doc/docx | ppt/pptx | xls/xlsx | rtf | CSV | txt | Multi-file uploads | File Size |
---|---|---|---|---|---|---|---|---|---|
GitHub Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
Web Browsing | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
OneDrive Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
SharePoint Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
OneNote Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
Gmail Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
Box Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
Salesforce Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
ServiceNow Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
Slack Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
Yahoo Web App | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 20MB |
The following list contains the supported applications, file
operations, upload parameters, file types, actions, and predefined data
patterns and filtering profiles.
- Applications—You can enforce DLP for web-based (HTTP- or HTTPS-based) uploads for the following applications:
  - Box Enterprise, Personal, Drive Enterprise, Drive Personal (App-ID™ is boxnet-uploading)
  - Gmail (App-ID is gmail-uploading). To use Gmail, you must disable the Quick UDP Internet Connection (QUIC) protocol. Palo Alto Networks recommends that you disable QUIC in Chrome. To do so, open chrome://flags/ in Chrome, find Experimental QUIC Protocol, and select Disabled.
  - GitHub (App-ID is github-uploading)
  - Microsoft OneDrive (App-ID is sharepoint-online-uploading). Only the business Microsoft OneDrive application is supported by Enterprise DLP. The personal Microsoft OneDrive application (App-ID is ms-onedrive-uploading) is not supported.
  - Microsoft SharePoint (App-ID is sharepoint-online-uploading)
  - Microsoft OneNote (App-ID is ms-onenote-uploading)
  - Salesforce (App-ID is salesforce-uploading)
  - ServiceNow (App-ID is service-now-uploading)
  - Slack (App-ID is slack-uploading)
  - Web browsing (App-ID is web-browsing)
  - Yahoo Mail (App-ID is yahoo-mail-uploading)
Supported File Types
The following lists the supported file operations, upload
parameters, file types, and actions.
- File operations—You can upload files using HTTP and HTTPS (no FTP or SMTP) over HTTP/1.1. Some applications, such as SharePoint and OneDrive, use HTTP/2 by default. To force these applications to fall back to HTTP/1.1 so that their file uploads can be inspected, you need to create a decryption profile and a Security policy rule that strip the application-layer protocol negotiation (ALPN) extension from the TLS handshake. See Enable Enterprise DLP for Managed Firewalls for more information.
- Data flow—File uploads are supported (downloads are not supported).
- Concurrent file uploads—25 concurrent file uploads are supported.
- File size—Files of up to 20MB are supported. If you use Box to upload multiple files and one or more of the files are larger than 20MB, the upload of all files will stall. To continue, find the files in Box that are larger than 20MB and click X to stop the upload of those files.
- File types—Enterprise DLP supports inspection of the following file types. Of the file types listed below, iWork Keynote, iWork Numbers, and iWork Pages require that you install Application and Threats content release 8529 or a later version on your PAN-OS firewalls or Prisma Access deployment.
  - Microsoft Office (.doc, .docx, .ppt, .pptx, .xls, .xlsx)
  - .csv
  - .pdf
  - .rtf
  - .txt
  - iWork (Keynote, Numbers, Pages)
  - Image files (.jpg, .jpeg, .png, .tif, .tiff). Detection of image files requires you to enable Optical Character Recognition (OCR) on the DLP app or Prisma Access (Cloud Managed).
- Source Code File Types—Enterprise DLP supports inspection of the following source code file types.
  - Cfamily—C, C++, C+, Objective C
  - Generic
  - java
  - javascript
  - perl
  - powershell
  - python
  - r
  - ruby
  - vbs
  - verilog
  - vhdl
  - x86_assembly
- ZIP Files—Enterprise DLP supports inspection of ZIP and 7Z (7-Zip file archiver) files containing the supported file types listed above. The Enterprise DLP cloud service supports single-level compression of files only; it does not support scanning multilevel compressed files. For example, the DLP cloud service cannot scan and render a verdict on the file contents of a zip file if it has been compressed more than once.
- Response—Block and Alert actions are supported for HTTP and HTTPS files. However, the Block page does not display the name of the file that the managed firewall blocked.
Support for Non-File Based Traffic
Enterprise DLP supports inspection of non-file based traffic for sensitive data. A data filtering profile
configured for non-file based traffic detection allows you to configure URL and
application exclusion lists to exclude specific URL and application traffic from
Enterprise DLP inspection.
Inspection of non-file based traffic is supported on Panorama running PAN-OS
10.2.1 and later releases and Enterprise DLP plugin 3.0.1 and later
releases.
To upgrade to PAN-OS 10.2.1, you must install Application and Threats content
release 8552-7333 or later version on Panorama and managed
firewalls leveraging Enterprise DLP. This is required to support non-file
based traffic inspection.
Data Patterns and Data Filtering Profiles
Use predefined or create your own data patterns and data filtering profiles. You
can duplicate predefined and custom data patterns and data filtering profiles if you
want to add, remove, or modify data identifiers in the existing pattern or profile.
However, duplication of ML-based data patterns is not supported.
For each data filtering profile, Enterprise DLP allows a maximum of 10 data patterns
for a Block rule and 50 data patterns for an Alert rule.
Predefined data patterns use either machine learning (ML) or regex-based detection
for scanned files. Enterprise DLP returns verdicts for ML-based data patterns of
scanned files up to 1MB in size. For all other predefined and custom data patterns,
Enterprise DLP supports verdicts for scanned files of up to 20MB in size.
For the full list of all predefined ML-based patterns and all predefined data
filtering profiles, see:
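As an added example (not code from the Palo Alto Networks documentation), the following Python script pre-checks an upload against the limits this page states for file types, file size, OCR, multilevel compression and ML-based pattern verdicts, so a DLP administrator can list which uploads would fall outside inspection coverage. The size limits and extension sets are taken from this page; the nested-archive check covers ZIP only (the standard library cannot list 7z members), and the sample archive is constructed inline.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Limits stated on this page: 20MB per file, 1MB for ML-based data pattern
# verdicts, single-level compression only. Extension sets mirror the supported
# file types listed above (iWork and source code file types omitted for brevity).
MAX_FILE_BYTES = 20 * 1024 * 1024
ML_VERDICT_BYTES = 1 * 1024 * 1024
DOC_EXTS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx",
            ".csv", ".pdf", ".rtf", ".txt"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".tif", ".tiff"}  # OCR must be enabled
ARCHIVE_EXTS = {".zip", ".7z"}  # nested 7z members are not listed by the stdlib


def zip_members(data: bytes) -> list:
    """Return the file members of a ZIP payload."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if not i.is_dir()]


def dlp_blind_spots(name: str, data: bytes, ocr_enabled: bool = False) -> list:
    """Reasons Enterprise DLP would not fully inspect this upload ([] = none)."""
    reasons = []
    ext = PurePosixPath(name).suffix.lower()
    if len(data) > MAX_FILE_BYTES:
        reasons.append("over 20MB: file is not inspected")
    elif len(data) > ML_VERDICT_BYTES:
        reasons.append("over 1MB: ML-based data patterns return no verdict")
    if ext in IMAGE_EXTS and not ocr_enabled:
        reasons.append("image file but OCR is not enabled")
    elif ext == ".zip":
        # Multilevel compression: any archive inside the archive is not scanned.
        nested = [m for m in zip_members(data)
                  if PurePosixPath(m).suffix.lower() in ARCHIVE_EXTS]
        if nested:
            reasons.append("multilevel compression: " + ", ".join(nested))
    elif ext not in DOC_EXTS | IMAGE_EXTS | ARCHIVE_EXTS:
        reasons.append("unsupported file type: " + (ext or "(no extension)"))
    return reasons


def build_nested_zip() -> bytes:
    """Constructed sample: outer.zip holding readme.txt and inner.zip."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notes.txt", "constructed sample content")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "top level")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

Run `dlp_blind_spots("outer.zip", build_nested_zip())` to see the nested archive flagged; an empty list means none of the page's stated limits applies to that upload.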