Enterprise DLP Plugin

Install or uninstall the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.

Where Can I Use This?
  • NGFW (Panorama Managed)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • Support license
  • Device management license

To install the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server, you must install the Panorama device certificate and the device certificates for all Next-Gen firewalls using Enterprise DLP. Then, you must download the plugin from the Palo Alto Networks Update Server and install it. The Enterprise DLP plugin needs to be installed only on Panorama, and is installed by default on all Next-Gen firewalls. Review the PAN-OS Upgrade Guide if you need to upgrade the Enterprise DLP plugin version.

To perform configuration changes on Panorama, the Enterprise DLP plugin creates a temporary __dlp Panorama admin regardless of the admin making the configuration changes. The temporary __dlp admin is used only by the Enterprise DLP plugin for configuration changes and has no login credentials. The __dlp admin cannot be used to log in to Panorama and is not listed as a Panorama administrator account. The __dlp admin has no access privileges beyond the Enterprise DLP plugin.

Your existing data patterns (Objects > Custom Objects > Data Patterns) and data filtering profiles (Objects > Security Profiles > Data Filtering) are automatically hidden after you successfully install the Enterprise DLP plugin on Panorama. To display your existing data patterns and filtering profiles when you need to reference them, you can temporarily Enable Existing Data Patterns and Filtering Profiles.

To uninstall the Enterprise Data Loss Prevention (E-DLP) plugin, you must remove all Enterprise DLP data filtering profile references from all your Security policy rules before you can uninstall the plugin from Panorama.

Install the Plugin

Install the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.
  1. Review the Compatibility Matrix to verify the Enterprise DLP plugin version is supported on the PAN-OS version running on Panorama.
  2. (Best Practices) Before you install the plugin and activate your Enterprise DLP license, select Assets > Devices to locate Panorama and your managed firewalls to verify that they all belong to the same CSP account.
    Panorama and any managed firewalls on which you want to use Enterprise DLP must belong to the same CSP account, which enables you to share data profiles and maintain consistent Security policy rule enforcement.
  3. The device certificate is required for all managed firewalls using Enterprise DLP.
  4. Install the plugin on Panorama.
    1. Log in to the Panorama web interface.
    2. Select Panorama > Plugins and search for the latest version of the Enterprise DLP plugin.
    3. Download and Install the Enterprise DLP plugin on Panorama.
  5. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have a Panorama admin user, admin, who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  6. Activate your Enterprise DLP license on the Palo Alto Networks Customer Support Portal (CSP).
    Repeat this step for all managed firewalls using Enterprise DLP.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select Assets > Devices and edit (in the Actions column) the appropriate asset.
    3. In the Device Licenses window, Activate Auth-Code and then enter the Authorization Code (auth code).
      The auth code is automatically provided to you by Palo Alto Networks in an email after you complete your purchase of the Enterprise DLP plugin license.
    4. Agree and Submit your auth code.
  7. (Optional) Create a Palo Alto Networks Support ticket to enable your Enterprise DLP license to transfer between firewalls.
    Requesting that the Enterprise DLP license is transferable enables you to transfer your DLP license to other managed firewalls.
    In the support ticket, include the following information:
    • The request for a firewall transfer for the Enterprise DLP license.
    • Your CSP account ID and the email associated with your CSP account.
    • The managed firewall serial number. If you activated the Enterprise DLP license on multiple managed firewalls, include the serial numbers for all the managed firewalls in a single support ticket.
    • The auth codes used to activate the Enterprise DLP license on your managed firewalls.
    • Also provide the CSP account ID with which additional managed firewalls are associated if you have managed firewalls that belong to a different CSP account.
  8. Activate the Enterprise DLP plugin on your managed firewalls.
    1. Select Panorama > Device Deployment > License and Activate the Enterprise DLP plugin.
    2. Enter the Auth Code for the target managed firewalls.
      The auth code is automatically provided to you by Palo Alto Networks in an email after you complete your purchase of the Enterprise DLP plugin license.
    3. Activate the Enterprise DLP plugin license on your managed firewalls.
  9. Select Objects > DLP > Data Filtering Profiles and verify that the predefined data filtering profiles are displayed.
    Panorama is automatically populated with predefined data filtering profiles when Panorama successfully connects to the DLP cloud service.
  10. Verify that the Enterprise DLP license is successfully activated on your managed firewalls.
    1. Select Device > Licenses and verify that the license is successfully activated.
  11. After you successfully install the Enterprise DLP plugin on Panorama, you must create Security policy rules to enable your managed firewalls to leverage Enterprise DLP.

Uninstall the Plugin

Uninstall the Enterprise Data Loss Prevention (E-DLP) plugin from your Panorama™ management server.
  1. Log in to the Panorama web interface.
  2. Select Policies > Security and remove all Enterprise DLP data filtering profiles from your Security policy rules.
    This step is required to successfully uninstall the Enterprise DLP plugin.
  3. Commit and push your configuration changes to your managed firewalls using Enterprise DLP.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    1. Select Commit > Commit to Panorama and Commit.
    2. Select Commit > Push to Devices and Edit Selections.
    3. Select Device Groups and Include Device and Network Templates.
    4. Click OK.
    5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  4. In the Panorama web interface, select Panorama > Plugins and Uninstall the Enterprise DLP plugin.
  5. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have a Panorama admin user, admin, who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
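
The partial-commit rule in both procedures above, as an added example that is not from the original page or from Palo Alto Networks: a pre-flight helper for commit automation that builds the PAN-OS XML API admin-scoped partial-commit command and always includes __dlp. It assumes the XML API accepts __dlp as a member the same way the web interface does; the function names are hypothetical, and only the commit to Panorama is covered, not the push to devices.

```python
"""Added example: keep __dlp in every admin-scoped partial commit (not vendor code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

DLP_ADMIN = "__dlp"  # temporary plugin admin named on this page


def build_partial_commit(admins):
    """Return the <commit> command for a partial commit scoped to `admins`.

    __dlp is appended when the caller left it out; order is kept, duplicates dropped.
    """
    members = list(dict.fromkeys(a.strip() for a in admins if a and a.strip()))
    if not [m for m in members if m != DLP_ADMIN]:
        raise ValueError("name at least one Panorama admin besides __dlp")
    if DLP_ADMIN not in members:
        members.append(DLP_ADMIN)
    commit = ET.Element("commit")
    admin = ET.SubElement(ET.SubElement(commit, "partial"), "admin")
    for name in members:
        ET.SubElement(admin, "member").text = name
    return ET.tostring(commit, encoding="unicode")


def omits_dlp_admin(cmd_xml):
    """True if `cmd_xml` is an admin-scoped partial commit that leaves out __dlp.

    A commit with no <partial><admin> scope covers every admin, so it returns False.
    """
    root = ET.fromstring(cmd_xml)
    members = [m.text for m in root.findall("./partial/admin/member")]
    return bool(members) and DLP_ADMIN not in members


def commit_request_body(admins):
    """URL-encoded POST body for the commit request (the API key is sent separately)."""
    return urlencode({"type": "commit", "action": "partial",
                      "cmd": build_partial_commit(admins)})


if __name__ == "__main__":
    print(build_partial_commit(["admin"]))
    # Constructed command, as an older script might have hard-coded it.
    legacy = "<commit><partial><admin><member>admin</member></admin></partial></commit>"
    print("omits __dlp:", omits_dlp_admin(legacy))
```

Running omits_dlp_admin over the commands an existing automation job already sends shows which jobs would leave Panorama and the DLP cloud service out of sync.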
