Save Evidence for Investigative Analysis with Enterprise DLP
Create a storage bucket to store and download files that match your Enterprise Data Loss Prevention (E-DLP) data profiles.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
NGFW (Managed by Panorama or Strata Cloud Manager)
Prisma Access (Managed by Panorama or Strata Cloud Manager)
Prisma Browser
What Do I Need?
Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
Prisma Access CASB license
Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
Data Security license
Configure Enterprise Data Loss Prevention (E-DLP) to automatically store evidence for traffic that matches the sensitive data match criteria in your data profiles. You can connect one or more SFTP, AWS, or Azure storage buckets to forward evidence. After a user generates a DLP incident, you can download evidence of the DLP incident for further investigation.
Enterprise DLP supports evidence storage for file-based traffic, non-file-based traffic, Email DLP, Endpoint DLP, and Prisma Browser.
Evidence Storage Bucket Types
Region-Specific Buckets—Store DLP incident evidence within specific regional boundaries based on where the incident was generated. This enables your organization to store evidence across your global footprint while maintaining regulatory compliance.
Enterprise DLP supports multiple regions per storage bucket. However, you cannot add the same region to multiple storage buckets regardless of the storage bucket type.
To upload and download evidence to a region-specific storage bucket, you must allow the region's IP Address for Evidence Storage on your network.
All Regions Storage Bucket—Forward all DLP incident evidence to the same storage bucket regardless of the region where the incident was generated.
Use the All Regions storage bucket only if your organization does not have any data residency requirements it needs to meet. The All Regions storage bucket is not intended to act as a backup bucket for evidence storage.
Evidence Storage Forwarding Behavior
When multiple region-specific storage buckets exist, Enterprise DLP evaluates the DLP incident origin and forwards the evidence to the correct region-specific storage bucket.
When both region-specific and All Regions storage buckets exist, Enterprise DLP prioritizes forwarding evidence to the region-specific bucket first.
Enterprise DLP forwards evidence to the All Regions storage bucket only if a region-specific bucket for that incident's origin doesn't exist or is unreachable.
Enterprise DLP doesn't forward evidence if a DLP incident occurs in a region without a configured region-specific storage bucket and an All Regions bucket does not exist.
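The forwarding rules above can be checked against a planned bucket layout before you rely on it for residency. The following is an added example, not Palo Alto Networks code or an Enterprise DLP API; the bucket names, region codes, and the `Bucket`, `duplicate_regions`, and `resolve` names are constructed for illustration, and the treatment of an unreachable All Regions bucket is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Bucket:
    name: str                                   # constructed label
    regions: set = field(default_factory=set)   # region-specific coverage
    all_regions: bool = False                   # True for the All Regions bucket
    reachable: bool = True


def duplicate_regions(buckets):
    """Regions assigned to more than one bucket, which the page disallows."""
    owner, dupes = {}, set()
    for b in buckets:
        for r in b.regions:
            if r in owner and owner[r] != b.name:
                dupes.add(r)
            owner.setdefault(r, b.name)
    return sorted(dupes)


def resolve(buckets, origin):
    """Return (bucket name or None, reason) for an incident's origin region."""
    regional = next((b for b in buckets if origin in b.regions), None)
    if regional and regional.reachable:
        return regional.name, "region-specific"
    fallback = next((b for b in buckets if b.all_regions), None)
    # Assumption: an unreachable All Regions bucket receives nothing.
    if fallback and fallback.reachable:
        why = "regional bucket unreachable" if regional else "no regional bucket"
        return fallback.name, "all-regions fallback: " + why
    return None, "not forwarded"


# Constructed sample layout; region codes are placeholders.
BUCKETS = [
    Bucket("eu-evidence", {"eu", "uk"}),
    Bucket("us-evidence", {"us"}, reachable=False),
    Bucket("global-evidence", all_regions=True),
]

if __name__ == "__main__":
    print("duplicate regions:", duplicate_regions(BUCKETS))
    for origin in ("eu", "us", "apac"):
        print(origin, "->", resolve(BUCKETS, origin))
```

Any origin that resolves to an all-regions fallback is evidence leaving its region, and any origin that resolves to "not forwarded" is an incident with no stored evidence.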