Edit the Enterprise DLP Data Filtering Settings
Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings to specify the actions the firewall using Enterprise DLP takes if the data filtering settings are exceeded.
Where Can I Use This?
  • NGFW (Panorama Managed)
  • Prisma Access (Cloud Management)
  • SaaS Security
  • NGFW (Cloud Managed)

What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Panorama Managed): Support and Panorama device management licenses
  • Prisma Access (Cloud Management): Prisma Access license
  • SaaS Security: SaaS Security license
  • NGFW (Cloud Managed): Support and AIOps for NGFW Premium licenses
  Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Edit and apply Enterprise Data Loss Prevention (E-DLP) data filtering settings. These network settings determine the networking and file size parameters for files scanned by the DLP cloud service and specify the actions Enterprise DLP takes when these parameters are exceeded.

Strata Cloud Manager

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Prisma Access (Cloud Management) and SaaS Security on Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings > Data Transfer and edit the Data Transfer settings.
  3. Edit the File Based Settings.
    1. Specify the Max Latency (sec) for a file upload before an action is taken by Strata Cloud Manager.
       For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
    2. Specify the Action on Max Latency (Allow or Block) that Strata Cloud Manager takes if no verdict was received for a file upload because the upload time exceeded the configured Max Latency.
       Selecting Block applies only to DLP rules configured to block files. This setting doesn’t impact Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
    3. Specify the Max File Size (MB) to enforce the maximum file size for files uploaded to the DLP cloud service for inspection.
    4. Specify the Action on Max File Size (Block or Allow) that Strata Cloud Manager takes if no verdict was received for a file upload because the file size was larger than the configured Max File Size.
       Selecting Block applies only to DLP rules configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
    5. Check (enable) Log Files Not Scanned to generate an alert in the DLP incident when a file can’t be scanned by the DLP cloud service.
    6. Save.
  4. Edit the Non-File Based Settings.
    1. Enable non-file based DLP.
       Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for collaboration applications, web forms, cloud and SaaS applications, and social media on your network.
    2. Specify the Max Latency (sec) to configure the time allowed for a non-file data upload before an action is taken by Cloud Management.
    3. Specify the Action on Max Latency (Allow or Block) that Strata Cloud Manager takes if no verdict was received for a non-file traffic data upload because the upload time exceeded the configured Max Latency.
       Selecting Block applies only to DLP rules configured to block non-file data. This setting doesn’t impact Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
    4. Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned by the DLP cloud service.
    5. Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be scanned by the DLP cloud service.
    6. Specify the Action on Data File Size (Allow or Block) that Strata Cloud Manager takes if no verdict was received for a non-file traffic data upload because the traffic data size was larger than the configured Max Data Size.
       Selecting Block applies only to DLP rules configured to block non-file data. This setting doesn’t impact Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
    7. Check (enable) Log Data Not Scanned to generate an alert in the DLP incident when non-file data can’t be scanned by the DLP cloud service.
    8. Save.
  5. In the DLP Settings, specify the action Strata Cloud Manager takes when an error is encountered while traffic is being scanned by the DLP cloud service. Select Allow to allow the file upload to continue when an error is encountered, or Block to block the upload. Save to apply the setting.
  6. Push your data filtering profile.
    1. Select Push Config and Push.
    2. Select (enable) Remote Networks and Mobile Users.
    3. Push.

Panorama

Edit the data filtering settings to specify the actions the managed firewall takes on traffic sent to the DLP cloud service for scanning.
  1. Log in to the Panorama web interface.
  2. Select Device > Setup > DLP and select the Template associated with the managed firewalls using Enterprise DLP.
  3. Edit the Data Filtering Settings.
    1. Specify the Max Latency (sec) for a file upload before an action is taken by the firewall.
       For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
    2. Specify the Action on Max Latency (Block or Allow) the firewall takes if no verdict was received for a file upload because the upload time exceeded the Max Latency.
       Selecting Block applies only to data profiles configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
    3. Specify the Max File Size (MB) to enforce a maximum file size for files uploaded to the DLP cloud service for inspection.
    4. Specify the Action on Max File Size (Block or Allow) the firewall takes if no verdict was received for a file upload because the file size was larger than the configured Max File Size.
       Selecting Block applies only to data profiles configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
       (DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering settings to 21 MB or greater when Panorama has the Enterprise DLP 3.0.3 plugin installed is supported only from the Panorama CLI:
         admin> configure
         admin# set template <template_name> config shared dlp-settings max-file-size <1 - 100>
    5. Check (enable) Log Files Not Scanned to generate an alert in the data filtering log when a file can’t be scanned by the DLP cloud service.
    6. Click OK to save your configuration changes.
  4. Edit the Non-File Data Filtering Settings.
    1. Verify that Enable Non File DLP is checked (enabled).
       Non-File DLP is enabled by default when you install the Panorama plugin for Enterprise DLP 3.0.1.
    2. Specify the Max Latency (sec) to configure the time allowed for a non-file data upload before an action is taken by the firewall.
    3. Specify the Action on Max Latency (Allow or Block) the firewall takes if no verdict was received for a non-file traffic data upload because the upload time exceeded the configured Max Latency.
       Selecting Block applies only to data profiles configured to block non-file data. This setting doesn’t impact Enterprise DLP filtering profiles configured to alert when traffic containing sensitive data is scanned.
    4. Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned by the DLP cloud service.
    5. Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be scanned by the DLP cloud service.
    6. Specify the Action on Data File Size (Allow or Block) the firewall takes if no verdict was received for a non-file traffic data upload because the traffic data size was larger than the configured Max Data Size.
       Selecting Block applies only to data profiles configured to block non-file data. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
    7. Check (enable) Log Data Not Scanned to generate an alert in the data filtering log when non-file data can’t be scanned by the DLP cloud service.
    8. Click OK to save your configuration changes.
  5. Specify the Action on any Error the firewall takes if an error is encountered during upload to the DLP cloud service.
    • Select Allow (default) to continue uploading if the firewall experiences any type of error.
    • Select Block to stop uploading if the firewall experiences any type of error.
    Click OK to continue.
  6. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
         In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
         Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
         In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
         Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
