Install the Enterprise DLP Plugin on Panorama

Install the Enterprise DLP (data loss prevention) plugin on your Panorama™ management server and managed firewalls.
To install the Enterprise data loss prevention (DLP) plugin on your Panorama™ management server and managed firewalls, first download the plugin from the Palo Alto Networks Customer Support Portal, upload the plugin to Panorama, and then install it. You must install the plugin on Panorama and your managed firewalls before you can leverage Enterprise DLP.
Your existing data patterns (
Objects
Custom Objects
Data Patterns
) and data filtering profiles (
Objects
Security Profiles
Data Filtering
) are automatically hidden after you successfully install the Enterprise DLP plugin on your Panorama management server. To display your existing data patterns and filtering profiles when you need to reference them, you can temporarily Enable Existing Data Patterns and Filtering Profiles.
  1. (
    Best Practices
    ) Before you install the plugin and activate your Enterprise DLP license, select
    Assets
    Devices
    to locate your Panorama management server and your managed firewalls to verify that they all belong to the same CSP account.
    Panorama and any managed firewalls on which you want to leverage Enterprise DLP must belong to the same CSP account, which enables you to share data profiles and maintain consistent Security policy rule enforcement.
  2. You must install the device certificate on all your managed firewalls that will leverage Enterprise DLP.
  3. Install the plugin on Panorama.
    1. Select
      Panorama
      Plugins
      and search for the latest version of the Enterprise DLP plugin.
    2. Download
      and
      Install
      the Enterprise DLP plugin on Panorama.
  4. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    The
    Commit and Push
    command is not recommended for Enterprise DLP configuration changes. Using the
    Commit and Push
    command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    1. Select
      Commit
      Commit to Panorama
      and
      Commit
      .
    2. Select
      Commit
      Push to Devices
      and
      Edit Selections
      .
    3. Select
      Device Groups
      and
      Include Device and Network Templates
      .
    4. Click
      OK
      .
    5. Push
      your configuration changes to your managed firewalls that are leveraging Enterprise DLP.
  5. Activate your Enterprise DLP license on the Palo Alto Networks Customer Support Portal (CSP).
    Repeat this step for all firewalls that are leveraging Enterprise DLP.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select
      Assets
      Devices
      and edit ( in the Actions column) the appropriate asset.
    3. In the Device Licenses window,
      Activate Auth-Code
      and then enter the
      Authorization Code
      .
      The authorization code (auth code) is automatically provided to you by Palo Alto Networks in an email after you complete your purchase of the Enterprise DLP plugin license.
    4. Agree and Submit
      your authorization code.
  6. (
    Optional
    ) Create a Palo Alto Networks Support ticket to enable your Enterprise DLP license to transfer between firewalls.
    Requesting that the Enterprise DLP license be transferable enables you to transfer your DLP license to other managed firewalls.
    In the support ticket, include the following information:
    • The request for a firewall transfer for the Enterprise DLP license.
    • Your CSP account ID and the email associated with your CSP account.
    • The managed firewall serial number. If you activated the Enterprise DLP license on multiple managed firewalls, include the serial numbers for all the managed firewalls in a single support ticket.
    • The authorization codes used to activate the Enterprise DLP license on your managed firewalls.
    • Also provide the CSP account ID with which additional managed firewalls are associated if you have managed firewalls that belong to a different CSP account.
  7. Activate the Enterprise DLP plugin on your managed firewalls.
    1. Select
      Panorama
      Device Deployment
      License
      and
      Activate
      the Enterprise DLP plugin.
    2. Enter the
      Auth Code
      for the target managed firewalls.
      The authorization code is automatically provided to you by Palo Alto Networks in an email after you complete your purchase of the Enterprise DLP plugin license.
    3. Activate
      the Enterprise DLP plugin license on your managed firewalls.
  8. Select
    Objects
    DLP
    DLP Data Filtering
    and verify that the predefined data filtering profiles are displayed.
    Panorama is automatically populated with predefined data filtering profiles when the Panorama management server successfully connects to the DLP cloud service.
  9. Verify that the Enterprise DLP license is successfully activated on your managed firewalls.
    1. Select
      Device
      Licenses
      and verify that the license is successfully activated.
  10. After you successfully install the Enterprise DLP plugin on the Panorama management server, you must create Security policy rules to enable your managed firewalls to leverage Enterprise DLP.

Recommended For You