Managing Enterprise DLP Configuration Changes
Learn more about managing your Enterprise Data Loss Prevention (E-DLP) configuration changes.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
When managing your Enterprise Data Loss Prevention (E-DLP) configuration across Strata Cloud Manager and a Panorama™ management server, a commit on Panorama triggers an Enterprise DLP configuration synchronization to ensure that your Enterprise DLP configuration on Strata Cloud Manager and Panorama match. Keeping the Enterprise DLP configuration on Strata Cloud Manager and Panorama synchronized allows you to maintain proper version control and prevents configuration errors that could result in the unintended exfiltration of sensitive data.

Understanding the Components of a Data Profile

Firstly, it's important to understand the two key components of an Enterprise DLP data profile (Strata Cloud Manager) and a data filtering profile (Panorama).
  • Strata Cloud Manager
    On Strata Cloud Manager, you manage the Enterprise DLP data profile and the DLP rule configurations from discrete places on Strata Cloud Manager.
    • Data Profile—An Enterprise DLP data profile specifies how you want to enforce the filtering of sensitive content. It can include predefined or custom data patterns, as well as any of the advanced detection methods.
    • DLP Rule—The DLP rule defines the type of traffic to inspect, the impacted file types, action, and log severity for the data profile match criteria. Enterprise DLP automatically creates a DLP rule with the same name when you create a new data profile.
  • Panorama
    On Panorama, you manage the Enterprise DLP data profile and the DLP rule configurations from the same data filtering profile. When editing a data filtering profile on Panorama, you can make changes to the data profile, the DLP rule, or both.
    • Data Profile—An Enterprise DLP data profile specifies how you want to enforce the filtering of sensitive content. It can include predefined or custom data patterns. Review the list of advanced detection methods that you can configure on Panorama.
    • DLP Rule—The DLP rule defines the type of traffic to inspect, the impacted file types, action, and log severity for the data profile match criteria. Enterprise DLP automatically creates a DLP rule with the same name when you create a new data profile.
      If you created a data profile on Strata Cloud Manager that includes an advanced detection method marked with Configured on Strata Cloud Manager, you can only configure the DLP rule portion of the data filtering profile.

When Does a Configuration Sync Occur?

The point at which an Enterprise DLP configuration sync occurs between Strata Cloud Manager and Panorama depends on where the configuration change was made.
  • Strata Cloud Manager
    No automated Enterprise DLP configuration sync between Strata Cloud Manager and Panorama occurs when making Enterprise DLP configuration changes on Strata Cloud Manager.
    If you manage your Enterprise DLP configuration on Strata Cloud Manager but apply the configuration to your enforcement points managed by Panorama, you must log in to Panorama to initiate a configuration sync. Similarly, if you make Enterprise DLP configuration changes on Panorama, you must take action on Panorama to sync those changes so they are reflected on Strata Cloud Manager.
  • Panorama
    Panorama syncs its Enterprise DLP configuration when:
    • You Commit a configuration change on Panorama.
      This can include other unrelated configuration changes or just be an Enterprise DLP configuration change. In this case, Panorama pushes the new Enterprise DLP configuration changes to Strata Cloud Manager.
    • You refresh Objects > DLP > Data Filtering Patterns.
      In this case, Panorama pulls the latest data pattern configurations from Strata Cloud Manager.
    • You refresh Objects > DLP > Data Filtering Profiles.
      In this case, Panorama pulls the latest data profile configurations from Strata Cloud Manager.
      Keeping the data filtering profiles synchronized between Strata Cloud Manager and Panorama is especially important to prevent configuration errors and commit failures on Panorama. Enterprise DLP assigns every data profile on Strata Cloud Manager a version on creation and increments the version (+1) each time the admin Saves changes to the data profile on Strata Cloud Manager. However, Enterprise DLP does not automatically sync the changes to Panorama. To synchronize, the user must manually trigger a sync on Panorama so that the data profile changes from Strata Cloud Manager are reflected there. Otherwise, once the data filtering profile version on Panorama is 10 or more versions behind the data profile on Strata Cloud Manager, commits start to fail with the error "profile not found".
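The version-drift rule above lends itself to a pre-commit check. The following added example (not Palo Alto Networks code, and not using any Panorama or Strata Cloud Manager API) takes two constructed name-to-version inventories, one for the data profiles on Strata Cloud Manager and one for the data filtering profiles cached on Panorama, and classifies each profile so an operator can see which ones need an Objects > DLP > Data Filtering Profiles refresh before the next Commit; the state names and the sample inventories are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# From the page: commits on Panorama fail with "profile not found" once a
# data filtering profile is 10 or more versions behind its SCM counterpart.
COMMIT_FAILURE_DRIFT = 10


@dataclass
class ProfileStatus:
    name: str
    scm_version: Optional[int]
    panorama_version: Optional[int]
    drift: int          # scm_version - panorama_version (0 when one side is absent)
    state: str          # assumed labels: in-sync, ahead, behind, at-risk,
                        # missing-on-panorama, orphaned-on-panorama


def audit_profile_drift(scm: Dict[str, int], panorama: Dict[str, int]) -> List[ProfileStatus]:
    """Classify every profile seen on either side by how far Panorama lags SCM."""
    results = []
    for name in sorted(set(scm) | set(panorama)):
        s, p = scm.get(name), panorama.get(name)
        drift = 0
        if s is None:
            state = "orphaned-on-panorama"      # exists on Panorama only
        elif p is None:
            state = "missing-on-panorama"       # never pulled from SCM
        else:
            drift = s - p
            if drift >= COMMIT_FAILURE_DRIFT:
                state = "at-risk"               # next Commit will fail
            elif drift > 0:
                state = "behind"                # refresh before it reaches 10
            elif drift < 0:
                state = "ahead"                 # Panorama changes not yet committed to SCM
            else:
                state = "in-sync"
        results.append(ProfileStatus(name, s, p, drift, state))
    return results


def refresh_needed(statuses: List[ProfileStatus]) -> List[str]:
    """Profiles to pull via Objects > DLP > Data Filtering Profiles before committing."""
    return [st.name for st in statuses if st.state in ("behind", "at-risk", "missing-on-panorama")]


def commit_blockers(statuses: List[ProfileStatus]) -> List[str]:
    """Profiles whose drift already triggers the 'profile not found' commit failure."""
    return [st.name for st in statuses if st.state == "at-risk"]


# Constructed sample inventories; not real tenant data.
SCM_PROFILES = {"PCI-Cardholder": 14, "PII-Customers": 3, "Source-Code": 7}
PANORAMA_PROFILES = {"PCI-Cardholder": 4, "PII-Customers": 3, "Legacy-SSN": 1}
```

Running `commit_blockers(audit_profile_drift(SCM_PROFILES, PANORAMA_PROFILES))` on the sample data flags PCI-Cardholder, which sits exactly at the 10-version threshold.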

When Should I Commit a Configuration Change?

When to commit an Enterprise DLP configuration change depends on where you made those changes.
  • Strata Cloud Manager
    Configuration changes on Strata Cloud Manager don't require a commit before you can push those changes to enforcement points. Instead, security administrators make the configuration changes and then push them to your enforcement points.
  • Panorama
    You must Commit on Panorama when making any kind of configuration change for the following:

When Should I Push a Configuration Change?

Strata Cloud Manager and Panorama require a configuration push to propagate your Enterprise DLP configuration changes to your enforcement points.

Recommendations

Review the recommendations for managing when you commit (Panorama only) and push configuration changes to your enforcement points.
  • (Panorama) Ensure your Enterprise DLP configuration change management workflow always includes a Commit to ensure changes are synchronized with Strata Cloud Manager as a standard operating procedure even if your security administrators are not ready to push these changes.
  • Ensure your Enterprise DLP configuration change management workflow always includes a configuration push to apply Enterprise DLP configuration changes to your enforcement points. Security administrators often push configuration changes during scheduled maintenance or change windows to minimize disruptions.
    (Panorama) Palo Alto Networks does not recommend performing a Commit and Push operation as this can lead to issues with Enterprise DLP.
  • Develop a step-by-step checklist for managing Enterprise DLP configuration changes to reduce human error. This includes when to commit changes and when to push changes to your enforcement points.
  • (Panorama) Perform a config audit to review and understand the difference between the running and candidate configurations.