Edit the Enterprise DLP Data Filtering Settings on Panorama
Edit the data filtering settings to specify the actions the NGFW or Prisma Access tenant takes on traffic scanned by Enterprise DLP.
  1. Log in to the Panorama web interface.
  2. Select Device > Setup > DLP and select the Template associated with the NGFW or Prisma Access tenant using Enterprise DLP.
  3. Edit the Data Filtering Settings.
    You can configure any of these settings as needed. Click OK to save any changes to your file-based settings for them to take effect and be enforced.
    • Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward a file to Enterprise DLP for inspection.
      For inspection of files greater than 20 MB, Palo Alto Networks recommends setting the max latency to greater than 60 seconds.
    • Action on Max Latency—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward a file to Enterprise DLP exceeds the Max Latency (sec) setting.
      Supported actions are Allow (default) or Block.
    • Max File Size (MB)—Enforce a maximum file size for files forwarded to Enterprise DLP for inspection.
    • Action on Max File Size—Action the enforcement point takes if the file forwarded to Enterprise DLP exceeds the Max File Size setting.
      Supported actions are Allow (default) or Block.
      (DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering settings to 21 MB or greater when Panorama has the Enterprise DLP 3.0.3 plugin installed is supported only from the Panorama CLI.
      admin>configure
      admin#set template <template_name> config shared dlp-settings max-file-size <1 - 100>
    • Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect a forwarded file for any reason.
    • Action When Scanning Error Occurred—Action the enforcement point takes when Enterprise DLP encounters any errors inspecting a forwarded file that prevents rendering a verdict.
      Supported actions are Allow (default) or Block.
  4. Edit the Non-File Data Filtering Settings.
    You can configure any of these settings as needed. Click OK to save any changes to your non-file-based settings for them to take effect and be enforced.
    • Enable Non File DLP—Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for collaboration apps, web forms, cloud and SaaS apps, and social media on your network.
      You must enable this setting for Enterprise DLP to scan non-file based traffic and enforce all non-file based settings.
    • Max Latency (sec)—Maximum allowed time it takes for the enforcement point to forward non-file traffic to Enterprise DLP for inspection.
    • Action on Max Latency—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the time it takes to forward non-file traffic to Enterprise DLP exceeds the Max Latency (sec) setting.
      Supported actions are Allow (default) or Block.
    • Min Data Size (B)—Enforce a minimum data size for non-file traffic forwarded to Enterprise DLP.
      Enterprise DLP supports a minimum non-file traffic data size of 250 - 4000 bytes.
    • Max Data Size (KB)—Enforce a maximum data size for non-file traffic forwarded to Enterprise DLP.
      Enterprise DLP supports a maximum non-file traffic data size of 1-500 KB.
    • Action on Max Data Size—Action the enforcement point takes if Enterprise DLP can't inspect and render a verdict on traffic matches because the inspected non-file traffic exceeds the Max Data Size (KB) setting.
      Supported actions are Allow (default) or Block.
    • Log Files Not Scanned—Check (enable) to generate a DLP incident when Enterprise DLP can't inspect forwarded non-file traffic for any reason.
    • Enable WebSocket Inspection—Enable this setting to prevent exfiltration of sensitive data through WebSocket persistent streams. Enterprise DLP supports WebSocket inspection for the following widely adopted platforms that rely heavily on streaming data:
      • Microsoft Copilot
      • Perplexity
  5. Specify the Action on any Error the NGFW or Prisma Access tenant takes when any kind of error occurs that prevents Enterprise DLP from inspecting forwarded file or non-file traffic and rendering a verdict.
    This includes when the NGFW or Prisma Access tenant encounters non-file traffic smaller than the configured Min Data Size (B), as well as the conditions covered by the Action on Max File Size (file) and Max Data Size (KB) (non-file) settings.
    • Select Allow (default) to continue if the NGFW or Prisma Access tenant experiences any type of error.
    • Select Block to stop uploading if the NGFW or Prisma Access tenant experiences any type of error.
    Click OK to continue.
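As an added example (not Palo Alto Networks code), the following Python model shows how the file and non-file settings from steps 3 to 5 combine into an Allow or Block decision, and validates values against the ranges this page documents. The field names, the order in which the checks are evaluated, the 1 KB = 1024 bytes convention and the sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass

ALLOW, BLOCK = "Allow", "Block"


@dataclass
class DlpSettings:
    """Illustrative model of the Panorama data filtering settings (field names are assumed)."""
    file_max_latency_sec: int
    max_file_size_mb: int
    non_file_max_latency_sec: int
    min_data_size_b: int
    max_data_size_kb: int
    non_file_enabled: bool = False
    # Every action defaults to Allow on the page, i.e. the enforcement point fails open.
    file_action_on_max_latency: str = ALLOW
    action_on_max_file_size: str = ALLOW
    action_on_scan_error: str = ALLOW
    non_file_action_on_max_latency: str = ALLOW
    action_on_max_data_size: str = ALLOW
    action_on_any_error: str = ALLOW


def validate(s: DlpSettings) -> list:
    """Return problems found against the documented ranges and the latency recommendation."""
    problems = []
    if not 1 <= s.max_file_size_mb <= 100:
        problems.append("Max File Size must be within the CLI range <1 - 100> MB")
    if s.max_file_size_mb > 20 and s.file_max_latency_sec <= 60:
        problems.append("files over 20 MB: set file Max Latency above 60 s")
    if not 250 <= s.min_data_size_b <= 4000:
        problems.append("Min Data Size must be 250 - 4000 B")
    if not 1 <= s.max_data_size_kb <= 500:
        problems.append("Max Data Size must be 1 - 500 KB")
    return problems


def decide_file(s, size_mb, forward_sec, scan_error=False):
    """(action, reason) for a file; 'inspect' means the Enterprise DLP verdict applies."""
    if size_mb > s.max_file_size_mb:
        return s.action_on_max_file_size, "max file size"
    if forward_sec > s.file_max_latency_sec:
        return s.file_action_on_max_latency, "max latency"
    if scan_error:
        return s.action_on_scan_error, "scan error"
    return "inspect", "forwarded to Enterprise DLP"


def decide_non_file(s, size_bytes, forward_sec):
    """(action, reason) for non-file traffic; below Min Data Size falls under Action on any Error."""
    if not s.non_file_enabled:
        return ALLOW, "non-file DLP disabled"
    if size_bytes < s.min_data_size_b:
        return s.action_on_any_error, "below min data size"
    if size_bytes > s.max_data_size_kb * 1024:  # assumed: 1 KB = 1024 bytes
        return s.action_on_max_data_size, "max data size"
    if forward_sec > s.non_file_max_latency_sec:
        return s.non_file_action_on_max_latency, "max latency"
    return "inspect", "forwarded to Enterprise DLP"
```

Running `validate` before a commit makes the fail-open defaults visible: every oversize, slow or errored transfer is allowed unless the corresponding action has been switched to Block.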
  6. Commit and push the new configuration to your NGFW or Prisma Access tenant.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and NGFW or Prisma Access tenant in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your NGFW or Prisma Access tenant that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and Enterprise DLP in sync.
      For example, you have a Panorama administrator named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to the NGFW or Prisma Access tenant. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your NGFW or Prisma Access tenant that are using Enterprise DLP.