Edit the Enterprise DLP Data Filtering Settings
Focus
Focus
Enterprise DLP

Edit the Enterprise DLP Data Filtering Settings

Table of Contents

Edit the Enterprise DLP Data Filtering Settings

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings to specify the actions the firewall using Enterprise DLP takes if the data filtering settings are exceeded.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
  • (Email DLP only) Data Security and Email DLP licenses
  • (Endpoint DLP only) Endpoint DLP license
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Edit and apply Enterprise Data Loss Prevention (E-DLP) data filtering settings. These network settings are determine the networking and file size parameters for files scanned by the DLP cloud service and specify the actions Enterprise DLP takes when these parameters are exceeded.
(NGFW and Prisma Access managed by Panorama) If you want to enable non-file inspection for your NGFW and Prisma Access tenants you must enable the setting from Panorama. For NGFW and Prisma Access managed by Panorama, enabling non-file inspection from Strata Cloud Manager is not supported and causes Panorama commits to fail.

Edit the Enterprise DLP Data Filtering Settings on Strata Cloud Manager

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Prisma Access (Managed by Strata Cloud Manager) and NGFW (Managed by Strata Cloud Manager).
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationData Loss PreventionSettingsData Transfer and edit the Data Transfer settings.
  3. Edit the File Based Settings.
    1. Specify the File Movement Max Latency (sec) for a file upload before an action is taken by Enterprise DLP.
      For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
    2. Specify the Action When Max Latency is Reached (Allow or Block) Enterprise DLP takes if no verdict was received for a file upload due to the upload time exceeding the configured Max Latency.
      Selecting Block applies only to DLP rules configured to block files. This setting doesn’t impact Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
    3. Specify the Scan Limit Max File Size for Alert (MB) to enforce the maximum file size for file uploads to Enterprise DLP when a DLP rules is configured to Alert.
    4. Specify the Scan Limit Max File Size for Block (MB) to enforce the maximum file size for files uploaded to the DLP cloud service for inspection.
    5. Specify the Action on Max File Size (Allow or Block) Enterprise DLP takes if no verdict was received for a file upload due to the file size being larger than the configured Max File Size.
      Selecting Block applies only to DLP rules configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
    6. Check (enable) Log Files Not Scanned to generate an alert in the DLP incident when a file can’t be scanned to the DLP cloud service.
    7. Specify the Action When Scanning Error Occurred (Alert or Block) when any kind of error occurs that prevents Enterprise DLP from inspecting a file upload and rendering a verdict.
    8. Save.
  4. Edit the Non-File Based Settings.
    1. Enable non-file based DLP.
      Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for collaboration applications, web forms, cloud and SaaS applications, and social media on your network
    2. Specify the Max Latency (sec) to configure the allowable time for a non-file data uploads to determine the allowable time before an action is taken by Cloud Management.
    3. Specify the Action on Max Latency (Allow or Block) Strata Cloud Manager takes if no verdict was received for a non-file traffic data upload due to the upload time exceeding the configured Max Latency.
      Selecting Block applies only to DLP rules configured to block non-file data. This setting doesn’t impact Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
    4. Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned by the DLP cloud service.
    5. Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be scanned by the DLP cloud service.
    6. Specify the Action on Data File Size (Allow or Block) Strata Cloud Manager takes if no verdict was received for a non-file traffic data upload due to the traffic data size being larger than the configured Max Data Size.
      Selecting Block applies only to DLP rules configured to block non-file data. This setting doesn’t impact Enterprise DLP data profiles configured to alert when traffic containing sensitive data is scanned.
    7. Check (enable) Log Data Not Scanned to generate an alert in the DLP incident when non-file data can’t be scanned by the DLP cloud service.
    8. Save.
  5. In the DLP Settings, specify the action Strata Cloud Manager takes when an error is encountered while being scanned by the DLP cloud service.
    Select Allow to allow the file upload to continue when an error is encountered or Block to block the upload.
    Save to apply the setting.
  6. Push your data filtering profile.
    1. Push Config and Push.
    2. Select (enable) Remote Networks and Mobile Users.
    3. Push.

Edit the Enterprise DLP Data Filtering Settings on Panorama

Edit the data filtering settings to specify the actions the managed firewall takes on traffic scanned to the DLP cloud service.
  1. Log in to the Panorama web interface.
  2. Select DeviceSetupDLP and select the Template associated with the managed firewalls using Enterprise DLP.
  3. Edit the Data Filtering Settings.
    1. Specify the Max Latency (sec) for a file upload before an action is taken by the firewall.
      For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
    2. Specify the Action on Max Latency (Block or Allow) the firewall takes if no verdict was received for a file upload due to the upload time exceeding the Max Latency.
      Selecting Block applies only to data profiles configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
    3. Specify the Max File Size (MB) to enforce a maximum file size for files uploaded to the DLP cloud service for inspection.
    4. Specify the Action on Max File Size (Block or Allow) the firewall takes if no verdict was received for a file upload due to the file size being larger than the configured Max File Size.
      Selecting Block applies only to data profiles configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
      (DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering settings to 21 MB or greater when Panorama has the Enterprise DLP 3.0.3 plugin installed is supported only from the Panorama CLI.
      admin>configure
      admin#set template <template_name> config shared dlp-settings max-file-size <1 - 100>
    5. Check (enable) Log Files Not Scanned to generate an alert in the data filtering log when a file can’t be scanned to the DLP cloud service.
    6. Click OK to save your configuration changes.
  4. Edit the Non-File Data Filtering Settings.
    1. Verify that Enable Non File DLP is checked (enabled).
      Non-File DLP is enabled by default when you install Panorama plugin for Enterprise DLP 3.0.1.
    2. Specify the Max Latency (sec) to configure the allowable time for non-file data uploads to determine the allowable time before an action is taken by the firewall.
    3. Specify the Action on Max Latency (Allow or Block) the firewall takes if no verdict was received for a non-file traffic data upload due to the upload time exceeding the configured Max Latency.
      Selecting Block applies only to data profiles configured to block non-file data. This setting doesn’t impact Enterprise DLP filtering profiles configured to alert when traffic containing sensitive data is scanned.
    4. Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned by the DLP cloud service.
    5. Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be scanned by the DLP cloud service.
    6. Specify the Action on Data File Size (Allow or Block) the firewall takes if no verdict was received for a non-file traffic data upload due to the traffic data size being larger than the configured Max Data Size.
      Selecting Block applies only to data profiles configured to block non-file data. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
    7. Check (enable) Log Data Not Scanned to generate an alert in the data filtering log when non-file data can’t be scanned by the DLP cloud service.
    8. Click OK to save your configuration changes.
  5. Specify the Action on any Error the firewall takes if an error is encountered during upload to the DLP cloud service.
    • Select Allow (default) to continue uploading if the firewall experiences any type of error.
    • Select Block to stop uploading if the firewall experiences any type of error.
    Click OK to continue.
  6. Commit and push the new configuration to your managed firewalls.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select CommitCommit to Panorama and Commit.
      2. Select CommitPush to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select CommitCommit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select CommitPush to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.

Edit the Enterprise DLP Data Filtering Settings for Email DLP

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Email DLP on Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationSaaS SecuritySettingsEmail DLP Settings.
  3. Edit the Policy Evaluation Timeout to configure what Enterprise DLP does when Email DLP policy evaluation exceeds the configured timeout.
    • Maximum Timeout—Maximum time allowed for Enterprise DLP to inspect an outbound email. Minimum timeout is 1 minute. Maximum timeout is 5 minutes.
    • Action on Max Timeout—The action Enterprise DLP takes if the maximum timeout is exceeded. The possible actions are the same as those you configure in the Email DLP policy rule Response. Default is Monitor.
  4. Save Settings.

Edit the Enterprise DLP Data Filtering Settings for Endpoint DLP

Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Endpoint DLP on Strata Cloud Manager.
You can customize the data filtering settings for your USB, printer, and Network Share peripheral devices independently of one another.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationData Loss PreventionSettingsData Transfer to edit the data filtering settings.
  3. Edit the File Based Settings for Endpoint DLP.
    You can configure the data filtering settings for each type of peripheral device (USB Devices, Printers, and Network Shares) independently of one another.
    1. Verify that the correct Endpoint DLP Data Scan Region is selected.
      By default, the Nearest Data Scan Region is selected and automatically resolves to the region closest to your Enterprise DLP tenant. You can select a specific region to ensure you meet any data residency requirements if required.
      For example, your Endpoint DLP administrator sets the Data Scan Region to America instead of Nearest Data Scan Region. Your US based worker travels to Europe with their protected endpoint and generates a DLP Incident. In this case, the traffic is forwarded to an Enterprise DLP cloud service tenant in the US for inspection and verdict rendering even though the endpoint was in Europe when the incident was generated. Additionally the DLP Incident displays under the US Region when filtering your incidents.
      The data filtering settings are shared across all data scan regions. You cannot configure unique data filtering settings for each data scan region. Changing the data filtering settings for one data scan region changes it for all other supported data scan regions.
    2. Specify the File Movement Max Latency (Sec) for a file upload to a peripheral device before an action is taken by Enterprise DLP.
      For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
    3. Specify the Action When Max Latency is Reached (Alert or Block) Enterprise DLP takes if no verdict was received for a file upload to a peripheral device due to the upload time exceeding the configured Max Latency.
      Selecting Alert allows the file upload to the peripheral device but generates a DLP Incident.
      Selecting Block blocks the file upload to the peripheral device and generates a DLP incident.
    4. Specify the Scan Limit Max File Size for Block (MB) to enforce the maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Block.
    5. Specify the Scan Limit Max File Size for Alert (MB) to enforce the maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Alert.
    6. Specify the Scan Limit Action on Max File Size (Alert or Block) Enterprise DLP takes if no verdict was received for a file upload due to the file size being larger than the configured Max File Size.
      Selecting Block applies only to DLP rules configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
    7. Specify the Action When File Size Exceeds Max Limit (Alert or Block) Enterprise DLP takes if an inspected file exceeds the maximum alert or block file size limit configured in the previous steps.
    8. Check (enable) Log Files Not Scanned to generate an alert in the DLP incident when a file can’t be scanned to the DLP cloud service.
    9. Specify the Action When Scanning Error Occurred (Alert or Block) when any kind of error occurs that prevents Enterprise DLP from inspecting a file upload to a peripheral device and rendering a verdict.
    10. Specify the Action When Endpoint is Offline (Alert or Block) Enterprise DLP takes if the peripheral device is offline and cannot forward traffic for inspection.
    11. Save.
  4. Push your new Endpoint DLP data filtering settings to the Prisma Access Agent.
    1. Select Endpoint DLP PolicyPush Policies and Push Policies.
    2. (Optional) Enter a Description for the Endpoint DLP policy push.
    3. Review the Push Policies scope to understand the changes included the Endpoint DLP configuration push.
    4. Push.