Enable Enterprise DLP on Prisma Access (Cloud Managed)

Enable Enterprise data loss prevention (DLP) on Prisma Access (Cloud Managed).
Purchase an Enterprise data loss prevention (DLP) license for Prisma Access (Cloud Managed) and create a Decryption policy rule to strip Application-Layer Protocol Negotiation (ALPN) headers from uploaded files.
  1. Contact your Palo Alto Networks sales representative and purchase an Enterprise data loss prevention (DLP) license for Prisma Access (Cloud Managed).
    Palo Alto Networks activates the Enterprise DLP license for your Prisma Access (Cloud Managed) tenant. No manual intervention is required on your part to activate the Enterprise DLP license.
  2. Verify that the DLP license is active.
    1. Select Manage > Overview and navigate to the Licenses widget.
    2. Click the license Quantity and confirm the Data Loss Prevention license is active.
      Confirm the Data Loss Prevention license Type displays PAID and that an expiration date is displayed.
    3. Select Manage > Configuration > Security Services and verify Data Loss Prevention is displayed.
    4. Select Activity > Logs and verify DLP Incidents is displayed.
  3. Create a decryption profile to remove Application-Layer Protocol Negotiation (ALPN) headers from uploaded files.
    Enterprise DLP supports HTTP/1.1. Some applications, such as SharePoint and OneDrive, support HTTP/2 for uploads by default. You must remove ALPN headers to make uploaded files from applications that use HTTP/2 compatible with Enterprise DLP.
    A web security admin can also strip ALPN headers in the Web Security decryption settings (Manage > Web Security > Security Settings > Decryption and edit the Action Options). Web Security admins do not need to create a Decryption policy rule and can push the setting to Remote Networks and Mobile Users.
    1. Select Manage > Configuration > Decryption and Add Profile.
    2. Enter a descriptive Name for the decryption profile.
    3. In the SSL Forward Proxy, click Advanced.
    4. Check (enable) Strip ALPN and Save.
    5. Save the Decryption profile group.
  4. Create a Decryption policy rule to remove ALPN headers from uploaded files.
    1. Select Manage > Configuration > Decryption and Add Rule.
    2. Enter a descriptive Name and configure the Decryption policy rule as needed.
    3. In the Action and Advanced Inspection section, configure the policy rule to Decrypt traffic that matches this rule.
    4. For the Type, select SSL Forward Proxy.
    5. Select the Decryption Profile you created to strip ALPN headers.
    6. Save the Decryption policy rule.
  5. Push your data filtering profile.
    1. Push Config and Push.
    2. Select (enable) Remote Networks and Mobile Users.
    3. Push.
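
One way to confirm the pushed Decryption rule and Strip ALPN setting take effect, run from a host whose traffic goes through Prisma Access. This is an added example, not Palo Alto Networks code: the function names are hypothetical, and it assumes decrypted sessions present a certificate issued by your forward trust CA, which the client already trusts and whose common name you supply.

```python
import socket
import ssl
import sys


def probe_alpn(host, port=443, timeout=5.0):
    """Offer h2 and http/1.1 to host; return (negotiated ALPN, issuer CN)."""
    ctx = ssl.create_default_context()  # client must already trust the proxy CA
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = {k: v for rdn in tls.getpeercert().get("issuer", ())
                      for k, v in rdn}
            return tls.selected_alpn_protocol(), issuer.get("commonName", "")


def assess(negotiated, issuer_cn, forward_trust_cn):
    """Classify one probe result against the expected decryption CA name."""
    if issuer_cn != forward_trust_cn:
        # Certificate was not re-signed by the proxy: no Decryption rule
        # matched, so the session is not decrypted at all.
        return "not-decrypted"
    if negotiated == "h2":
        # Decrypted, but HTTP/2 was still negotiated: Strip ALPN is not in
        # effect for this traffic.
        return "decrypted-h2"
    # No ALPN selected, or http/1.1: the client falls back to HTTP/1.1.
    return "ok"


if __name__ == "__main__":
    # Usage: python check_alpn.py <host> "<forward trust CA common name>"
    target, ca_cn = sys.argv[1], sys.argv[2]
    alpn, issuer_cn = probe_alpn(target)
    verdict = assess(alpn, issuer_cn, ca_cn)
    print(f"{target}: alpn={alpn!r} issuer={issuer_cn!r} -> {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

Run it against an application that uses HTTP/2 for uploads by default; any verdict other than "ok" means uploads to that host are not yet in a form Enterprise DLP can inspect.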
