Edit the Enterprise DLP Data Filtering Settings for Endpoint DLP

1. Log in to Strata Cloud Manager.
2. Select ManageConfigurationData Loss PreventionSettingsData Transfer to edit the data filtering settings.
3. Edit the File Based Settings for Endpoint DLP.

   You can configure the data filtering settings for each type of peripheral device (USB Devices, Printers, and Network Shares) independently of one another.

   1. Verify that the correct Endpoint DLP Data Scan Region is selected.

      By default, the Nearest Data Scan Region is selected and automatically resolves to the region closest to your Enterprise DLP tenant. You can select a specific region to ensure you meet any data residency requirements if required.

      For example, your Endpoint DLP administrator sets the Data Scan Region to America instead of Nearest Data Scan Region. Your US based worker travels to Europe with their protected endpoint and generates a DLP Incident. In this case, the traffic is forwarded to an Enterprise DLP cloud service tenant in the US for inspection and verdict rendering even though the endpoint was in Europe when the incident was generated. Additionally the DLP Incident displays under the US Region when filtering your incidents.

      The data filtering settings are shared across all data scan regions. You cannot configure unique data filtering settings for each data scan region. Changing the data filtering settings for one data scan region changes it for all other supported data scan regions.
   2. Specify the File Movement Max Latency (Sec) for a file upload to a peripheral device before an action is taken by Enterprise DLP.

      For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
   3. Specify the Action When Max Latency is Reached (Alert or Block) Enterprise DLP takes if no verdict was received for a file upload to a peripheral device due to the upload time exceeding the configured Max Latency.

      Selecting Alert allows the file upload to the peripheral device but generates a DLP Incident.

      Selecting Block blocks the file upload to the peripheral device and generates a DLP incident.
   4. Specify the Scan Limit Max File Size for Block (MB) to enforce the maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Block.
   5. Specify the Scan Limit Max File Size for Alert (MB) to enforce the maximum file size for file uploads to a peripheral device for a Data in Motion Endpoint DLP policy rule configured to Alert.
   6. Specify the Scan Limit Action on Max File Size (Alert or Block) Enterprise DLP takes if no verdict was received for a file upload due to the file size being larger than the configured Max File Size.

      Selecting Block applies only to DLP rules configured to block files. This setting doesn’t impact Enterprise DLP data filtering profiles configured to alert when traffic containing sensitive data is scanned.
   7. Specify the Action When File Size Exceeds Max Limit (Alert or Block) Enterprise DLP takes if an inspected file exceeds the maximum alert or block file size limit configured in the previous steps.
   8. Check (enable) Log Files Not Scanned to generate an alert in the DLP incident when a file can’t be scanned to the DLP cloud service.
   9. Specify the Action When Scanning Error Occurred (Alert or Block) when any kind of error occurs that prevents Enterprise DLP from inspecting a file upload to a peripheral device and rendering a verdict.
   10. Specify the Action When Endpoint is Offline (Alert or Block) Enterprise DLP takes if the peripheral device is offline and cannot forward traffic for inspection.
   11. Save.
4. Push your new Endpoint DLP data filtering settings to the Prisma Access Agent.

   1. Select Endpoint DLP PolicyPush Policies and Push Policies.
   2. (Optional) Enter a Description for the Endpoint DLP policy push.
   3. Review the Push Policies scope to understand the changes included the Endpoint DLP configuration push.
   4. Push.