Enable Enterprise DLP for Managed Firewalls
Create policy rules to enable firewalls to successfully leverage Enterprise DLP (data loss prevention).
Some applications, such as SharePoint and OneDrive, use HTTP/2 by default. When running PAN-OS 10.2.2 and earlier releases you must create a decryption profile and a Security policy rule to strip out the application-layer protocol negotiation (ALPN) extension in headers. Complete these steps to configure your managed firewalls to successfully leverage Enterprise data loss prevention (DLP).
- Configure the proxy server settings to enable Panorama to successfully communicate with the Enterprise DLP cloud service.This step is required if leveraging a proxy server for your Panorama management server.Continue to the next step if you are not leveraging a proxy server or have already configured your Panorama proxy server settings.
- Selectand edit thePanoramaSetupServicesServicessettings.
- Configure the proxy server settings.
- Server—IP address or host name of the proxy server.
- Port—Port for the proxy server.
- User—Administrator username to access the proxy server.
- Password—Password for the user to access the proxy server. Re-enter the password why youConfirm Password.
- (Optional)Use proxy to fetch logs from Cortex Data Lake—If you are leveraging Cortex Data Lake for log storage, enable this setting.
- (Best Practices) Create a service route to enable firewalls to connect to the internet.Palo Alto Networks recommends configuring a service route to ensure a high level of performance for Next-Gen firewalls leveraging Enterprise DLP.By default, matched traffic is sent to the DLP cloud service for inspection through the management interface. Configuring a service route allows you to dedicate a specific Ethernet interface from which to send matched traffic to the DLP cloud service.For a multi-vsys firewall, the service route is a global configuration and is applied to all vsys of a multi-vsys firewall regardless of which vsys the service route belongs to.
- Selectand select the template that contains the Enterprise DLP configuration.DeviceSetupServices
- SelectService Route Configurationin theService Featuresand selectCustomize.
- EnableData Servicesand then clickOKto save your
- Selectand copy theDeviceSetupContent-IDContent Cloud SettingsFQDN in theService URLsection.
- SelectandPoliciesSecurityAdda Security policy rule that allows addresses to the Content Cloud Settings FQDN.
- Add a Security policy rule for dataplane service route traffic from the127.168.0.0/16source address to allow traffic originating from the firewall dataplane.You are required to create this Security policy rule to enable the DLP cloud service to successfully scan files in specific scenarios. You can skip this step if these two scenarios below regarding theintrazone-defaultSecurity policy rule do not apply to your configuration.
- If you created a cleanupDenySecurity policy rule that precedes theintrazone-defaultSecurity policy rule. In this scenario, theintrazone-defaultaction is set toAllow.
- If you modified theintrazone-defaultSecurity policy rule action fromAllowtoDeny.
- Create a decryption profile to remove Application-Layer Protocol Negotiation (ALPN) headers from uploaded files.Enterprise DLP supports HTTP/1.1. Some applications, such as SharePoint and OneDrive, support HTTP/2 for uploads by default. To make uploaded files from applications that use HTTP/2 compatible with Enterprise DLP, complete these steps:
- Selectand specify theObjectsDecryptionDecryption ProfileDevice Group.
- Adda new decryption profile.
- Specify a descriptiveName.
- (Optional) Enable theSharedoption to make this decryption profile available across all device groups.
- (Required for DLP 3.0.1 and earlier releases only) Selectand enableSSL DecryptionSSL Forward ProxyStrip ALPNin theClient Extension.
- Create a policy rule to remove ALPN headers from uploaded files.
- Selectand specify thePoliciesDecryptionDevice Group.
- Adda new decryption policy rule and configure as appropriate.
- For theAction, selectDecrypt.
- Select theDecryption Profileyou created.
- Disable the Quick UDP Internet Connection (QUIC) protocol to deny traffic on ports 80 and 443.Many supported web applications, such as Gmail, require that you disable the QUIC protocol for Enterprise DLP to function correctly.
- Selectand specify thePoliciesSecurityDevice Group.
- Adda Security policy rule that denies traffic that uses thequicapplication.
- Selectand specify theObjectsServicesDevice Group.
- Addtwo services: one for UDP on port 80 and one for UDP on port 443.Newer versions of QUIC might be misidentified asunknown-udp. To account for this, Palo Alto Networks recommends that you add an additional Security policy rule to deny UDP traffic on those ports.
- Selectand specify thePoliciesSecurityDevice Group.
- Adda Security policy rule that includes the services you created to deny traffic to UDP ports 80 and 443.When complete, you will have two Security policy rules: one that blocks the QUIC protocol and one that blocks UDP traffic on
- Attach the data filtering profile to a Security policy rule. If needed, create a Security policy rule.To downgrade your Panorama management server to an earlier PAN-OS version that does not support Enterprise DLP, you must remove all Enterprise DLP data patterns and data filtering profiles referenced in your Security policy rules. Consider this when creating and organizing your policy rules that reference Enterprise DLP data patterns and filtering profiles.For example, create a device group to contain all your Security policy rules that contain references to Enterprise DLP data patterns and filtering profiles. This enables you to quickly modify relevant policy rules should you need to downgrade your Panorama management server to PAN-OS 10.0.1 or an earlier PAN-OS version.
- Selectand specify thePoliciesSecurityPre RulesDevice Group.
- Select the Security policy rule to which you want to add the data filtering profile.
- SelectActionsand set theProfile TypetoProfiles.
- Select theData Filteringprofile you created.
- Commit and push your configuration changes to your managed firewalls leveraging Enterprise DLP.TheCommit and Pushcommand is not recommended for Enterprise DLP configuration changes. Using theCommit and Pushcommand requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
- SelectandCommitCommit to PanoramaCommit.
- SelectandCommitPush to DevicesEdit Selections.
- SelectDevice GroupsandInclude Device and Network Templates.
- Pushyour configuration changes to your managed firewalls that are leveraging Enterprise DLP.
Recommended For You
Recommended videos not found.