Enable Enterprise DLP on Cloud Management

Enable
Enterprise DLP
.
Single Prisma SASE Platform Tenant License Activation
Activate a License for Cloud-Managed Prisma Access Through the Prisma SASE Platform for a single tenant deployment. Follow this procedure to activate
Enterprise DLP
when your tenant has no subtenants or tenant hierarchy of any kind.
Multitenant Prisma SASE Platform License Activation
Activate a License for Prisma Access Multitenant Through the Prisma SASE Platform to activate
Enterprise DLP
for a parent tenant or a subtenant.
CASB-X Platform License Activation
By default, the
Enterprise DLP
license is included as part of the CASB-X license. To activate
Enterprise DLP
for your CASB-X tenants, you only need to activate CASB-X. There’s no individual
Enterprise DLP
license you need to activate when using CASB-X.
To use
Enterprise DLP
for a CASB-X tenant, you must Activate a Next Generation CASB License on Cross Platforms (CASB-X) Through the Prisma SASE Platform.
Launch the Cloud Management Console.
Verify that the DLP license is active.
Select
Manage
Overview
and navigate to the Licenses widget.
Click the license Quantity and confirm that the Data Loss Prevention license is active.
Confirm the Data Loss Prevention license Type displays
PAID
and that an expiration date is displayed.

Select
Manage
Configuration
Security Services
and verify
Data Loss Prevention
is displayed.
Select
Activity
Logs
and verify
DLP Incidents
is displayed.
Create the decryption profile required for
Enterprise DLP
to inspect traffic.
Select
Manage
Configuration
Security Services
Decryption
and
Add Profile
.
Enter a descriptive
Name
for the decryption profile.
Review the predefined decryption profile settings.
The predefined decryption profile settings enable
Enterprise DLP
to inspect traffic. Modifying the predefined decryption profile settings isn’t required unless you need to enable
Strip ALPN
.

(
Software Version 10.2.2 or earlier versions
) Configure the decryption profile to remove Application-Layer Protocol Negotiation (ALPN) headers from uploaded files.
Remove the ALPN headers from files if any
Cloud Management
deployment is running software version 10.2.2 or earlier version. If your entire
Cloud Management
deployment is running software version 10.2.3 or later version, stripping ALPN headers isn’t required.
A web security admin can also strip ALPN headers in the Web Security decryption settings(
Manage
Web Security
Security Settings
Decryption
and edit the Action Options). Web Security admins don’t need to create a decryption policy rule and can push the setting to Remote Networks and Mobile Users.
In the SSL Forward Proxy, click

Advanced.

Check (enable)

Strip ALPN

and

Save

.


Save
the Decryption profile group.
Create a decryption policy rule to decrypt traffic for
Enterprise DLP
inspection.
Cloud Management
includes the predefined
Exclude Microsoft O365 Optimized Endpoints - IPs
and
Exclude Microsoft O365 Optimized Endpoints - URLs
decryption rules that exclude Microsoft Office 365 from decryption.
For
Enterprise DLP
to successfully inspect traffic for Microsoft Office 365, you must position this new decryption rule before the predefined decryption exclusion rules. Alternatively, you can
Disable
these rules or
Delete
them.
Select
Manage
Configuration
Decryption
and
Add Rule
.
Enter a descriptive
Name
and configure the decryption policy rule as needed.
In the Action and Advanced Inspection section, configure the policy rule to
Decrypt
traffic that matches this rule.
For the Type, select
SSL Forward Proxy
.
Select the Decryption Profile you created to strip ALPN headers.

Save
the decryption policy rule.
Push your data filtering profile.
Push Config
and
Push
.
Select (enable)
Remote Networks
and
Mobile Users
.
Push
.
Enable Role Based Access to Enterprise DLP on Cloud Management.