Enable Enterprise DLP for Managed Firewalls

Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
Log in to the Panorama web interface.
Configure the proxy server settings to enable Panorama to successfully communicate with the
Enterprise DLP
cloud service.
This step is required if using a proxy server for your Panorama management server.
Continue to the next step if you aren’t using a proxy server or have already configured your Panorama proxy server settings.
Select
Panorama
Setup
Services
and edit the
Services
settings.
Configure the proxy server settings.
Server
—IP address or hostname of the proxy server.
Port
—Port for the proxy server.
User
—Administrator username to access the proxy server.
Password
—Password for the user to access the proxy server. Reenter the password why you
Confirm Password
.
(
Optional
)
Use proxy to fetch logs from Cortex Data Lake
—If you’re using Cortex Data Lake for log storage, enable this setting.
Click
OK
.

(
Best Practices
) Create a service route to enable firewalls to connect to the internet.
Palo Alto Networks recommends configuring a service route to ensure a high level of performance for Next-Gen firewalls using
Enterprise DLP
.
By default, matched traffic is sent to the DLP cloud service for inspection through the management interface. Configuring a service route allows you to dedicate a specific Ethernet interface from which to send matched traffic to the DLP cloud service.
For a multi-vsys firewall, the service route is a global configuration and is applied to all vsys of a multi-vsys firewall regardless of which vsys the service route belongs to.
Create a service route for all supported firewall models running PAN-OS 10.1 or a later release.
Select
Device
Setup
Services
and select the template that contains the
Enterprise DLP
configuration.
Select
Service Route Configuration
in the
Service Features
and select
Customize
.
Select
Data Services
and configure the
Source Interface
and
Source Address
.
The source interface must have internet connectivity. See Configure Interfaces and Create an Address Object for more information on creating the source interface and address.
Enable
Data Services
and click
OK
.
Select
Device
Setup
Content-ID
and copy the
Content Cloud Settings
FQDN in the
Service URL
section.
Select
Policies
Security
and
Add
a Security policy rule that allows addresses to the Content Cloud Settings FQDN.
Add a Security policy rule for dataplane service route traffic from the
127.168.0.0/16
source address to allow traffic originating from the firewall dataplane.
You’re required to create this Security policy rule to enable the DLP cloud service to successfully scan files in specific scenarios. You can skip this step if these two scenarios below regarding the
intrazone-default
Security policy rule don’t apply to your configuration.
If you created a cleanup
Deny
Security policy rule that precedes the
intrazone-default
Security policy rule. In this scenario, the
intrazone-default
action is set to
Allow
.
If you modified the
intrazone-default
Security policy rule action from
Allow
to
Deny
.
(
Required for DLP 3.0.1 and earlier releases only
) Create a decryption profile to remove application-layer protocol negotiation (ALPN) headers from uploaded files.
Enterprise DLP
supports HTTP/1.1. Some applications, such as SharePoint and OneDrive, support HTTP/2 for uploads by default. Strip ALPN is required to force application using HTTP/2 to use HTTP/1.1 to make them compatible with
Enterprise DLP
.
Select
Objects
Decryption
Decryption Profile
and specify the
Device Group
.
Add
a new decryption profile.
Specify a descriptive
Name
.
(
Optional
) Enable the
Shared
option to make this decryption profile available across all device groups.
Select
SSL Decryption
SSL Forward Proxy
and enable
Strip ALPN
in the
Client Extension
.
Click
OK
.

(
Required for DLP 3.0.1 and earlier releases only
) Create a policy rule to remove ALPN headers from uploaded files.
Select

Policies

Decryption

and specify the

Device Group

.

Add

a new decryption policy rule and configure as appropriate.

Select

Options

.

For the

Action

, select

Decrypt

.

Select the

Decryption Profile

you created.

Click

OK

.


Disable the Quick UDP Internet Connection (QUIC) protocol to deny traffic on ports 80 and 443.
Many supported web applications, such as Gmail, require that you disable the QUIC protocol for
Enterprise DLP
to function correctly.
Select
Policies
Security
and specify the
Device Group
.
Add
a Security policy rule that denies traffic that uses the
quic
application.
Select
Objects
Services
and specify the
Device Group
.
Add
two services: one for UDP on port 80 and one for UDP on port 443.
Newer versions of QUIC might be misidentified as
unknown-udp
. To account for this, Palo Alto Networks recommends that you add an additional Security policy rule to deny UDP traffic on those ports.
Select
Policies
Security
and specify the
Device Group
.
Add
a Security policy rule that includes the services you created to deny traffic to UDP ports 80 and 443.
When complete, you will have two Security policy rules; one that blocks the QUIC protocol and one that blocks UDP traffic on ports 80 and 443.
Create a Data Pattern on Panorama.
Create a Data Filtering Profile on Panorama.
Attach the data filtering profile to a Security policy rule. If needed, create a Security policy rule.
To downgrade your Panorama management server to an earlier PAN-OS version that doesn’t support
Enterprise DLP
, you must remove all
Enterprise DLP
data patterns and data filtering profiles referenced in your Security policy rules. Consider this when creating and organizing your policy rules that reference
Enterprise DLP
data patterns and filtering profiles.
For example, create a device group to contain all your Security policy rules that contain references to
Enterprise DLP
data patterns and filtering profiles. This enables you to quickly modify relevant policy rules should you need to downgrade your Panorama management server to PAN-OS 10.0.1 or an earlier PAN-OS version.
Select
Policies
Security
Pre Rules
and specify the
Device Group
.
Select the Security policy rule to which you want to add the data filtering profile.
Select
Actions
and set the
Profile Type
to
Profiles
.
Select the
Data Filtering
profile you created.
Click
OK
.-
Commit and push your configuration changes to your managed firewalls using
Enterprise DLP
.
The
Commit and Push
command isn’t recommended for
Enterprise DLP
configuration changes. Using the
Commit and Push
command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
Select
Commit
Commit to Panorama
and
Commit
.
Select
Commit
Push to Devices
and
Edit Selections
.
Select
Device Groups
and
Include Device and Network Templates
.
Click
OK
.
Push
your configuration changes to your managed firewalls that are using
Enterprise DLP
.