Enterprise DLP
Edit the Enterprise DLP Data Filtering Settings
Table of Contents
Expand All
|
Collapse All
Enterprise DLP Docs
Edit the Enterprise DLP Data Filtering Settings
Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings to specify the actions the
firewall using Enterprise DLP takes if the data filtering settings are
exceeded.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP
addresses to improve performance and expand availability for these services
globally.
You must allow these new service IP addresses on your network
to avoid disruptions for these services. Review the Enterprise DLP
Release Notes for more
information.
Where Can I Use This? | What Do I Need? |
---|---|
|
Or any of the following licenses that include the Enterprise DLP license
|
Edit and apply Enterprise Data Loss Prevention (E-DLP) data filtering settings. These network
settings are determine the networking and file size parameters for files scanned by
Enterprise DLP and specify the actions Enterprise DLP takes when these
parameters are exceeded.
All data filtering settings are global settings that take precedence over the Action
setting configured in your DLP rule (Strata Cloud Manager or data filtering profile (Panorama). For example, you create an Alert DLP rule and configure
the Scan Limit Max File Size for Alert (MB) as 20
MB and Action on Max File Size as
Block. A user attempts to upload a 40
MB. In this case, Enterprise DLP returns a
block verdict because the uploaded file forwarded
to Enterprise DLP exceeds the maximum file size you configured in the data
filtering settings.
(NGFW and Prisma Access managed by Panorama)
If you want to enable non-file inspection for your NGFW and Prisma Access tenants you must enable the setting from Panorama.
For NGFW and Prisma Access managed by Panorama,
enabling non-file inspection from Strata Cloud Manager is not supported and
causes Panorama commits to fail.
Edit the Enterprise DLP Data Filtering Settings on Strata Cloud Manager
Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Prisma Access (Managed by Strata Cloud Manager) and NGFW (Managed by Strata Cloud Manager).
- Log in to Strata Cloud Manager.Select ManageConfigurationData Loss PreventionSettingsData Transfer and edit the Data Transfer settings.Configure the File Based Settings.You can configure any of these settings as needed. You must Save any changes to your file based settings for them to take effect and be enforced.
- File Movement Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward a file to Enterprise DLP for inspection.For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
- Action When Max Latency is Reached —Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward a file to Enterprise DLP exceeds the File Movement Max Latency (sec) setting.Supported actions are Allow (default) or Block.
- Scan Limit Max File Size for Alert (MB)—Enforce a maximum file size for files forwarded to Enterprise DLP when a traffic matches a DLP rule configured to Alert.
- Scan Limit Max File Size for Block (MB)—Enforce a maximum file size for files forwarded to Enterprise DLP when a traffic matches a DLP rule configured to Block.
- Action on Max File Size—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected file size exceeds the Scan Limit Max File Size for Alert (MB) or Scan Limit Max File Size for Block (MB) settings.Supported actions are Allow (default) or Block.
- Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect a forwarded file for any reason.
- Action When Scanning Error Occurred—Action the enforcement point takes when Enterprise DLP encounters any errors inspecting a forwarded file that prevents rendering a verdict.Supported actions are Allow (default) or Block.
Edit the Non-File Based Settings.You can configure any of these settings as needed. You must Save any changes to your non-file based settings for them to take effect and be enforced.- Enable non-file based DLP—Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for collaboration apps, web forms, cloud and SaaS apps, and social media on your network.You must enable this setting for Enterprise DLP to scan non-file based traffic and enforce all non-file based settings.
- Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward non-file traffic to Enterprise DLP for inspection.
- Action on Max Latency—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward non-file traffic to Enterprise DLP exceeds the Max Latency (sec) setting.Supported actions are Allow (default) or Block.
- Min Data Size (B)—Enforce a minimum data size for non-file traffic forwarded to Enterprise DLP.Enterprise DLP supports a minimum non-file traffic data size of 250 - 4000 bytes.
- Max Data Size (KB)—Enforce a maximum data size for non-file traffic forwarded to Enterprise DLP.Enterprise DLP supports a maximum non-file traffic data size of 1-500 KB.
- Action on Data Size—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected non-file traffic exceeds the Max Data Size (KB) setting.Supported actions are Allow (default) or Block.
- Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect forwarded non-file traffic for any reason.
In the DLP Settings, configure the Action on any Error to specify the action the NGFW or Prisma Access tenant takes when any kind of error occurs that prevents Enterprise DLP from inspecting forwarded file or non-file traffic and rendering a verdict.Select Allow to allow the file or non-file traffic to continue to the intended destination when Enterprise DLP encounters an error or select Block to block the file or non-file traffic. This includes when the NGFW or Prisma Access tenant encounter file or non-file traffic smaller than the configured Min Data Size (B) (non-file), and the Action on Max File Size (file) and Max Data Size (KB) (non-file).Save.Push your data filtering settings.- Push Config and Push.Select (enable) Remote Networks and Mobile Users.Push.
Edit the Enterprise DLP Data Filtering Settings on Panorama
Edit the data filtering settings to specify the actions the NGFW or Prisma Access tenant takes on traffic scanned by Enterprise DLP.- Log in to the Panorama web interface.Select DeviceSetupDLP and select the Template associated with the NGFW or Prisma Access tenant using Enterprise DLP.Edit the Data Filtering Settings.You can configure any of these settings as needed. Click OK to save any changes to your file based settings for them to take effect and be enforced.
- File Movement Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward a file to Enterprise DLP for inspection.For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
- Action When Max Latency is Reached —Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward a file to Enterprise DLP exceeds the File Movement Max Latency (sec) setting.Supported actions are Allow (default) or Block.
- Scan Limit Max File Size for Alert (MB)—Enforce a maximum file size for files forwarded to Enterprise DLP when a traffic matches a DLP rule configured to Alert.
- Scan Limit Max File Size for Block (MB)—Enforce a maximum file size for files forwarded to Enterprise DLP when a traffic matches a DLP rule configured to Block.
- Action on Max File Size—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected file size exceeds the Scan Limit Max File Size for Alert (MB) or Scan Limit Max File Size for Block (MB) settings.Supported actions are Allow (default) or Block.(DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering settings to 21 MB or greater when Panorama has the Enterprise DLP 3.0.3 plugin installed is supported only from the Panorama CLI.admin>configureadmin#set template <template_name> config shared dlp-settings max-file-size <1 - 100>Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect a forwarded file for any reason.Action When Scanning Error Occurred—Action the enforcement point takes when Enterprise DLP encounters any errors inspecting a forwarded file that prevents rendering a verdict.Supported actions are Allow (default) or Block.Edit the Non-File Data Filtering Settings.You can configure any of these settings as needed. Click OK to save any changes to your file based settings for them to take effect and be enforced.
- Enable non-file based DLP—Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for collaboration apps, web forms, cloud and SaaS apps, and social media on your network.You must enable this setting for Enterprise DLP to scan non-file based traffic and enforce all non-file based settings.
- Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward non-file traffic to Enterprise DLP for inspection.
- Action on Max Latency—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward non-file traffic to Enterprise DLP exceeds the Max Latency (sec) setting.Supported actions are Allow (default) or Block.
- Min Data Size (B)—Enforce a minimum data size for non-file traffic forwarded to Enterprise DLP.Enterprise DLP supports a minimum non-file traffic data size of 250 - 4000 bytes.
- Max Data Size (KB)—Enforce a maximum data size for non-file traffic forwarded to Enterprise DLP.Enterprise DLP supports a maximum non-file traffic data size of 1-500 KB.
- Action on Data Size—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected non-file traffic exceeds the Max Data Size (KB) setting.Supported actions are Allow (default) or Block.
- Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect forwarded non-file traffic for any reason.
Specify the Action on any Error the NGFW or Prisma Access tenant takes when any kind of error occurs that prevents Enterprise DLP from inspecting forwarded file or non-file traffic and rendering a verdict.This includes when the NGFW or Prisma Access tenant encounter file or non-file traffic smaller than the configured Min Data Size (B) (non-file), and the Action on Max File Size (file) and Max Data Size (KB) (non-file).- Select Allow (default) to continue if the NGFW or Prisma Access tenant experiences any type of error.
- Select Block to stop uploading if the NGFW or Prisma Access tenant experiences any type of error.
Click OK to continue.Commit and push the new configuration to your NGFW or Prisma Access tenant.The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and NGFW or Prisma Access tenant in the Push Scope Selection.- Full configuration push from Panorama
- Select CommitCommit to Panorama and Commit.
- Select CommitPush to Devices and Edit Selections.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your NGFW or Prisma Access tenant that are using Enterprise DLP.
- Partial configuration push from PanoramaYou must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and Enterprise DLP in sync.For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to NGFW or Prisma Access tenant. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
- Select CommitCommit to Panorama.
- Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.Click OK to continue.
- Commit.
- Select CommitPush to Devices.
- Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.Click OK to continue.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your NGFW or Prisma Access tenant that using Enterprise DLP.
Edit the Enterprise DLP Data Filtering Settings for Email DLP
Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Email DLP on Strata Cloud Manager.- Log in to Strata Cloud Manager.Select ManageConfigurationSaaS SecuritySettingsEmail DLP Settings.Edit the Policy Evaluation Timeout to configure what Enterprise DLP does when Email DLP policy evaluation exceeds the configured timeout.
- Maximum Timeout—Maximum time allowed for Enterprise DLP to inspect an outbound email. Minimum timeout is 1 minute. Maximum timeout is 5 minutes.
- Action on Max Timeout—The action Enterprise DLP takes if the maximum timeout is exceeded. The possible actions are the same as those you configure in the Email DLP policy rule Response. Default is Monitor.
Save Settings.Edit the Enterprise DLP Data Filtering Settings for Endpoint DLP
Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Endpoint DLP on Strata Cloud Manager.You can customize the data filtering settings for your USB, printer, and Network Share peripheral devices independently of one another.- Log in to Strata Cloud Manager.Select ManageConfigurationData Loss PreventionSettingsData Transfer to edit the data filtering settings.Edit the File Based Settings for Endpoint DLP.You can configure the data filtering settings for each type of peripheral device (USB Devices, Printers, and Network Shares) independently of one another. You must Save any changes to your Endpoint DLP file based settings for them to take effect and be enforced
- Data Scan Region—By default, the Nearest Data Scan Region is selected and automatically resolves to the region closest to your Enterprise DLP tenant. You can select a specific region to ensure you meet any data residency requirements if required.For example, your Endpoint DLP administrator sets the Data Scan Region to America instead of Nearest Data Scan Region. Your US based worker travels to Europe with their protected endpoint and generates a DLP Incident. In this case, the traffic is forwarded to an Enterprise DLP cloud service tenant in the US for inspection and verdict rendering even though the endpoint was in Europe when the incident was generated. Additionally, the DLP incident displays under the US Region when filtering your incidents.The data filtering settings are shared across all data scan regions. You can’t configure unique data filtering settings for each data scan region. Changing the data filtering settings for one data scan region changes it for all other supported data scan regions.
- File Movement Max Latency (sec)—Maximum allowed time it takes for the peripheral device to forward a file to Enterprise DLP for inspection.For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
- Action When Max Latency is Reached —Action the Prisma Access Agent takes if Enterprise DLP can't inspect and render a verdict on a file upload because the time it takes to forward a file to Enterprise DLP exceeds the File Movement Max Latency (sec) setting.Selecting Alert allows the file upload to the peripheral device but generates a DLP incident.Selecting Block blocks the file upload to the peripheral device and generates a DLP incident.
- Scan Limit Max File Size for Block (MB)—Enforce a maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Block.The maximum supported file size is 20 MB.
- Scan Limit Max File Size for Alert (MB)—Enforce a maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Alert.The maximum supported file size is 100 MB.
- Action When File Size Exceeds Scan Limit—Action Prisma Access Agent takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected file size exceeds the Scan Limit Max File Size for Alert (MB) or Scan Limit Max File Size for Block (MB) settings.Supported actions are Allow (default) or Block.If the file exceeds the Scan Limit Max File Size for Block (MB) or Scan Limit Max File Size for Alert (MB):
- The DLP incident details does not display a Data Profile match.
- If you have End User Coaching configured, the end user who generated the DLP incident does not receive a data security notification.
- Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect a forwarded file for any reason.
- Action When Scanning Error Occurred—Action the enforcement point takes when Enterprise DLP encounters any errors inspecting a forwarded file that prevents rendering a verdict.Supported actions are Allow (default) or Block.
- Action When Endpoint is Offline—Action Prisma Access Agent takes if the peripheral device is offline and can't forward traffic to Enterprise DLP for inspection and verdict rendering.Supported actions are Allow (default) or Block.
Push your new Endpoint DLP data filtering settings to the Prisma Access Agent.- Select Endpoint DLP PolicyPush Policies and Push Policies.(Optional) Enter a Description for the Endpoint DLP configuration push.Review the Push Policies scope to understand the changes include the Endpoint DLP configuration push.Push.