On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| NGFW (Managed by Panorama); Prisma Access (Managed by Panorama) | |
To use Enterprise Data Loss Prevention (E-DLP), you must first install the device certificate on your Panorama® management server and all managed NGFW using Enterprise DLP. This is required to successfully connect your Panorama and NGFW to Enterprise DLP to synchronize data patterns and data profiles, and to forward traffic to Enterprise DLP for inspection and verdict rendering.
After you successfully install the device certificate, you must install the Enterprise DLP plugin on Panorama. The Enterprise DLP plugin on Panorama is required to manage your Enterprise DLP configuration and to push Enterprise DLP configuration changes to your managed NGFW. A Panorama with the Enterprise DLP plugin installed is required; managing the Enterprise DLP configuration directly on your NGFW isn't supported.
Before you install the plugin, verify that Panorama belongs to the same tenant service group (TSG) as the NGFW or Prisma Access tenants with which you associated Enterprise DLP. Use Device Associations in Strata Cloud Manager to add Panorama to the TSG if it isn't already associated.
You only need to manually upgrade the Enterprise DLP plugin version on Panorama when upgrading within the same major plugin version. For example, you currently have Enterprise DLP plugin version 5.0.0 installed and want to upgrade to Enterprise DLP plugin version 5.0.1. In this case you download and install the new plugin version only on Panorama.
You only need to install the Enterprise DLP plugin on Panorama. By default, all NGFW have the minimum supported Enterprise DLP plugin version installed based on the currently installed PAN-OS version. The minimum supported plugin installation occurs automatically when you install a new PAN-OS version on your NGFW.
To perform configuration changes on Panorama, the Enterprise DLP plugin creates a temporary __dlp Panorama admin regardless of the admin making the configuration changes. The temporary __dlp admin is only used by the Enterprise DLP plugin for configuration changes and has no login credentials. The __dlp admin can't be used to log in to Panorama and isn't listed as a Panorama administrator account. The __dlp admin has no access privileges beyond the Enterprise DLP plugin.
Enterprise DLP supports:
- Associating multiple Panorama management servers with a single Customer Support Account.
- One Enterprise DLP license per TSG.
- Associating up to one standalone Panorama or up to one pair of Panorama management servers in an active/passive high availability (HA) configuration per TSG with an Enterprise DLP license.
Enterprise DLP synchronization occurs across the specific TSG and not across the entire multitenant TSG hierarchy.
Enterprise DLP fails to synchronize your Enterprise DLP configuration to Panorama if you associate more than one standalone Panorama, more than one Panorama HA pair, or any combination of the two, with a TSG.
While Enterprise DLP and the Customer Support Portal support associating multiple Panorama with a single Customer Support Portal account, you must meet the per-TSG Enterprise DLP license and Panorama association requirement to successfully synchronize configuration changes across Panorama and Strata Cloud Manager.
Your existing data patterns and data filtering profiles are automatically hidden after you successfully install the Enterprise DLP plugin on Panorama. To display your existing data patterns and filtering profiles when you need to reference them, you can temporarily enable existing data patterns and profiles.
To uninstall the Enterprise Data Loss Prevention (E-DLP) plugin, you must remove all Enterprise DLP data filtering profile references from all your Security policy rules before you can uninstall the plugin from Panorama.
Install the Enterprise DLP Plugin
Install the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama® management server.
1. Activate the Enterprise DLP License.
   You must activate the Enterprise DLP license and associate it with your Panorama and NGFW before you install the Enterprise DLP plugin. This ensures the plugin correctly maps to your TSG and prevents synchronization issues.
2. Review the Compatibility Matrix to verify the Enterprise DLP plugin version is supported on the PAN-OS version running on Panorama.
3. Verify that Panorama and your managed devices belong to the same tenant service group (TSG) using Device Associations in Strata Cloud Manager.
   Panorama and any managed devices on which you want to use Enterprise DLP must belong to the same TSG. This enables Panorama to synchronize Enterprise DLP data profiles with Strata Cloud Manager and maintain consistent Security policy rule enforcement across your managed firewalls.
   If Panorama isn't already associated with the TSG, use Device Associations to add it before you install the plugin.
4. Add your NGFW or Prisma Access tenants to a device group and template stack.
   Device groups and template stacks are required to manage your managed device configurations and to push Enterprise DLP configuration changes.
   Skip this step if you already added your NGFW or Prisma Access tenants to a device group and template stack.
5. Install device certificates on Panorama and your managed firewalls.
   - Install the Panorama Device Certificate.
     (High Availability) If Panorama is in an active/passive high availability (HA) configuration, install the Panorama device certificate on both HA peers.
   - Install the Device Certificate for Managed Firewalls.
     The device certificate is required for all managed firewalls using Enterprise DLP.
6. Install the plugin on Panorama.
   - Log in to the Panorama web interface.
   - Select and search for the latest version of the Enterprise DLP plugin.
   - Download the Enterprise DLP plugin.
     (HA only) Check (enable) Sync to HA peer to install the Enterprise DLP plugin on the Panorama peer.
     You must install the Enterprise DLP plugin on both HA peers to successfully use Enterprise DLP. Installing the Enterprise DLP plugin on only one of the HA peers might result in configuration push errors and cause the active HA peer to become suspended.
   - Install the Enterprise DLP plugin on Panorama.
     Repeat this step on both Panorama HA peers.
7. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
   This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
   The Commit and Push command isn't recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
8. Activate your Enterprise DLP license for your managed firewalls.
   Repeat this step for all managed firewalls using Enterprise DLP.
   - Log in to the Palo Alto Networks Customer Support Portal.
   - Select and locate the managed firewall for which you want to activate Enterprise DLP. In the Actions column, click Licenses & Subscriptions.
   - Click Activate License at the bottom of the page.
   - Select Activate License from the list of Activation Types.
   - In the Activate Auth-Code field, enter the auth code provided by Palo Alto Networks.
   - Agree and Submit.
9. (Optional) Create a Palo Alto Networks Support ticket to enable your Enterprise DLP license to transfer between firewalls.
   Requesting that the Enterprise DLP license is transferable enables you to transfer your DLP license to other managed firewalls.
   In the support ticket, include the following information:
   - The request for a firewall transfer for the Enterprise DLP license.
   - Your CSP account ID and the email associated with your CSP account.
   - The managed firewall serial number. If you activated the Enterprise DLP license on multiple managed firewalls, include the serial numbers for all the managed firewalls in a single support ticket.
   - The auth codes used to activate the Enterprise DLP license on your managed firewalls.
   Also provide the CSP account ID with which additional managed firewalls are associated if you have managed firewalls that belong to a different CSP account.
10. Verify that you successfully activated Enterprise DLP.
   - On Panorama, select to confirm that the Data Filtering Patterns and Data Filtering Profiles automatically populate with the predefined data patterns and profiles.
   - On the firewall web interface, select and verify that Enterprise DLP successfully activated.
After you successfully install the Enterprise DLP plugin on Panorama, you must create Security policy rules to enable your managed firewalls to leverage Enterprise DLP.
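A check a practitioner typically wants before starting the procedure above is a pre-flight validation of the prerequisites it states: device certificates on Panorama and every managed firewall, shared TSG membership, the one-standalone-Panorama-or-one-HA-pair-per-TSG limit, and the plugin installed on both HA peers. The following Python is an added example, not Palo Alto Networks code. The inventory records, field names and device names in it are constructed assumptions standing in for data you would pull from Panorama and Strata Cloud Manager; the checks themselves encode only the requirements stated in this section.

```python
"""Pre-flight check for the Enterprise DLP plugin prerequisites.

Added example, not Palo Alto Networks code. The inventory format is a
constructed assumption; the checks encode only what the text requires:
  * device certificate installed on Panorama and on every managed NGFW
  * Panorama in the same tenant service group (TSG) as the devices it manages
  * at most one standalone Panorama or one active/passive HA pair per TSG
  * in an HA pair, the plugin installed on both peers
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Panorama:
    name: str
    tsg: str                       # TSG the Panorama is associated with
    device_cert: bool              # device certificate installed
    plugin_installed: bool         # Enterprise DLP plugin installed
    ha_peer: Optional[str] = None  # name of the HA peer, None when standalone


@dataclass
class Firewall:
    name: str
    tsg: str
    device_cert: bool
    managed_by: str                # name of the managing Panorama (either HA peer)


def preflight(panoramas: List[Panorama], firewalls: List[Firewall]) -> List[str]:
    """Return one finding per violated prerequisite; an empty list means ready."""
    findings = []
    by_name = {p.name: p for p in panoramas}

    # 1. Device certificates are required on Panorama and on every managed firewall.
    for p in panoramas:
        if not p.device_cert:
            findings.append(f"{p.name}: device certificate not installed on Panorama")
    for fw in firewalls:
        if not fw.device_cert:
            findings.append(f"{fw.name}: device certificate not installed on managed firewall")

    # 2. Each firewall must share the TSG of the Panorama that manages it.
    for fw in firewalls:
        pan = by_name.get(fw.managed_by)
        if pan is None:
            findings.append(f"{fw.name}: managing Panorama {fw.managed_by} not in inventory")
        elif pan.tsg != fw.tsg:
            findings.append(f"{fw.name}: TSG {fw.tsg} differs from Panorama {pan.name} TSG {pan.tsg}")

    # 3. Per TSG, one standalone Panorama or one HA pair; more, or a mix, breaks sync.
    per_tsg = defaultdict(lambda: {"pairs": set(), "standalone": []})
    for p in panoramas:
        if p.ha_peer is None:
            per_tsg[p.tsg]["standalone"].append(p.name)
        else:
            per_tsg[p.tsg]["pairs"].add(frozenset({p.name, p.ha_peer}))  # one set per pair
    for tsg, bucket in sorted(per_tsg.items()):
        if len(bucket["pairs"]) + len(bucket["standalone"]) > 1:
            findings.append(
                f"TSG {tsg}: {len(bucket['standalone'])} standalone Panorama and "
                f"{len(bucket['pairs'])} HA pair(s) associated; only one is allowed"
            )

    # 4. HA pairs must be declared on both sides and carry the plugin on both peers.
    for p in panoramas:
        if p.ha_peer is None:
            continue
        peer = by_name.get(p.ha_peer)
        if peer is None or peer.ha_peer != p.name:
            findings.append(f"{p.name}: HA peer {p.ha_peer} not declared symmetrically")
        elif p.name < peer.name and p.plugin_installed != peer.plugin_installed:
            findings.append(f"HA pair {p.name}/{peer.name}: plugin installed on only one peer")
    return findings


# Constructed sample inventory (assumed names, not a real deployment).
SAMPLE_PANORAMAS = [
    Panorama("pan-01", "tsg-A", True, True, ha_peer="pan-02"),
    Panorama("pan-02", "tsg-A", True, False, ha_peer="pan-01"),  # plugin missing on peer
    Panorama("pan-03", "tsg-B", True, True),
    Panorama("pan-04", "tsg-B", False, True),                     # second standalone in tsg-B
]
SAMPLE_FIREWALLS = [
    Firewall("fw-1", "tsg-A", True, "pan-01"),
    Firewall("fw-2", "tsg-A", False, "pan-01"),                   # no device certificate
    Firewall("fw-3", "tsg-C", True, "pan-03"),                    # wrong TSG
]


def run_sample() -> List[str]:
    """Run the checks over the constructed inventory (expected: 5 findings)."""
    return preflight(SAMPLE_PANORAMAS, SAMPLE_FIREWALLS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The HA-pair check emits one finding per pair rather than per peer, and the per-TSG count treats a pair as a single unit, which is how the association limit above is phrased.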
Uninstall the Enterprise DLP Plugin
Uninstall the Enterprise Data Loss Prevention (E-DLP) plugin from your Panorama® management server.
1. Log in to the Panorama web interface.
2. Select and remove all Enterprise DLP data filtering profiles from your Security policy rules.
   This step is required to successfully uninstall the Enterprise DLP plugin.
3. Commit and push your configuration changes to your managed firewalls using Enterprise DLP.
   The Commit and Push command isn't recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
   - Select and Commit.
   - Select and Edit Selections.
   - Select Device Groups and Include Device and Network Templates.
   - Click OK.
   - Push your configuration changes to your managed firewalls that are using Enterprise DLP.
4. In the Panorama web interface, select and Uninstall the Enterprise DLP plugin.
   (HA) Repeat this step on both Panorama HA peers if Panorama is in an HA configuration.
5. Commit and push the new configuration to your managed firewalls to uninstall the Enterprise DLP plugin.
   The Commit and Push command isn't recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
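Step 2 above requires every Security policy rule reference to an Enterprise DLP data filtering profile to be gone before the plugin can be uninstalled, and a rule can reference such a profile either directly or through a profile group. The following Python is an added example, not Palo Alto Networks code: it scans an exported Panorama configuration with the standard library and lists the rules that still reference a given set of DLP profile names. The XML below is constructed, and the element paths used (device-group/entry/pre-rulebase and post-rulebase/security/rules/entry/profile-setting/profiles/data-filtering/member, profile-setting/group/member, and profile-group/entry/data-filtering/member) are assumed to follow the PAN-OS configuration layout; verify them against your own export before relying on the result. The shared rulebase is not covered.

```python
"""Find Security policy rules that still reference Enterprise DLP data filtering profiles.

Added example, not Palo Alto Networks code. Element paths are assumed to follow the
PAN-OS configuration layout; the XML and all names are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

# Constructed sample export (not a real configuration).
SAMPLE_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="dg-branch">
          <profile-group>
            <entry name="pg-strict">
              <virus><member>default</member></virus>
              <data-filtering><member>dlp-pci</member></data-filtering>
            </entry>
          </profile-group>
          <pre-rulebase><security><rules>
            <entry name="allow-web">
              <profile-setting><profiles>
                <data-filtering><member>dlp-pci</member></data-filtering>
              </profiles></profile-setting>
            </entry>
            <entry name="allow-dns">
              <profile-setting><profiles>
                <url-filtering><member>default</member></url-filtering>
              </profiles></profile-setting>
            </entry>
          </rules></security></pre-rulebase>
          <post-rulebase><security><rules>
            <entry name="allow-saas">
              <profile-setting><group><member>pg-strict</member></group></profile-setting>
            </entry>
            <entry name="deny-all-logged">
              <profile-setting><profiles>
                <data-filtering><member>legacy-df</member></data-filtering>
              </profiles></profile-setting>
            </entry>
          </rules></security></post-rulebase>
        </entry>
      </device-group>
    </entry>
  </devices>
</config>
"""

# (device group, rulebase, rule, DLP profile, how it is referenced)
Hit = Tuple[str, str, str, str, str]


def find_dlp_profile_references(config_xml: str, dlp_profiles: Set[str]) -> List[Hit]:
    """Return every rule reference to one of dlp_profiles, direct or via a profile group."""
    root = ET.fromstring(config_xml)
    hits: List[Hit] = []
    for dg in root.iterfind("./devices/entry/device-group/entry"):
        dg_name = dg.get("name", "")
        # Profile groups in this device group that include a DLP data filtering profile.
        groups_with_dlp = {}
        for grp in dg.iterfind("./profile-group/entry"):
            members = {m.text for m in grp.iterfind("./data-filtering/member")}
            if members & dlp_profiles:
                groups_with_dlp[grp.get("name")] = members & dlp_profiles
        # Both rulebases hold Security rules that can carry profile settings.
        for rulebase in ("pre-rulebase", "post-rulebase"):
            for rule in dg.iterfind(f"./{rulebase}/security/rules/entry"):
                rule_name = rule.get("name", "")
                for m in rule.iterfind("./profile-setting/profiles/data-filtering/member"):
                    if m.text in dlp_profiles:
                        hits.append((dg_name, rulebase, rule_name, m.text, "direct"))
                for m in rule.iterfind("./profile-setting/group/member"):
                    for prof in sorted(groups_with_dlp.get(m.text, ())):
                        hits.append((dg_name, rulebase, rule_name, prof, f"via group {m.text}"))
    return hits


if __name__ == "__main__":
    for hit in find_dlp_profile_references(SAMPLE_CONFIG, {"dlp-pci"}):
        print(hit)
```

Run against the sample with the DLP profile set {"dlp-pci"}, the scan reports allow-web (direct) and allow-saas (through pg-strict), while deny-all-logged is left alone because legacy-df is not in the set; an empty result is the state step 2 requires before the uninstall.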
Troubleshoot the Enterprise DLP Plugin
Troubleshoot issues when installing the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama® management server.
Review the information below if you have trouble installing or upgrading the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama® management server.
Reset the Enterprise DLP Plugin
In some cases, data security administrators need to reset the Enterprise DLP plugin in the Panorama CLI to resolve Enterprise DLP configuration sync or upgrade issues causing Panorama commit failures or failed plugin validation errors. These errors are often related to the device certificate required on Panorama or the NGFW, or a general connectivity issue preventing Panorama or the NGFW from connecting to Enterprise DLP. This issue manifests in two primary ways:
Review the steps below to identify and resolve the issue.
1. Log in to the Panorama CLI.
2. Reset the Enterprise DLP plugin using either of the following commands. They are functionally the same and both reset the Enterprise DLP plugin.
3. Review the plugin reset command responses.
   A successful plugin reset returns one of the following responses.
   An unsuccessful plugin reset returns one of the following responses.
   - fail DLP reset failure, check DLP plugin log
     Plugin reset failed due to an issue with the device certificate on Panorama and requires the data security administrators to investigate the plugin log.
   - Cannot perform operation : DLP not provisioned for this tenant
     Plugin reset failed due to Panorama not having a valid Enterprise DLP tenant ID.
4. Investigate further depending on the error message Panorama returned when resetting the plugin,