>
    Strata Copilot
    Managing Enterprise DLP Configuration Changes
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Managing Enterprise DLP Configuration Changes
    Download PDF
    Enterprise DLP

    Managing Enterprise DLP Configuration Changes

    Table of Contents

    Managing Enterprise DLP Configuration Changes

    Learn more about managing your Enterprise Data Loss Prevention (E-DLP) configuration changes.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    When managing your Enterprise Data Loss Prevention (E-DLP) configuration across Strata Cloud Manager and a Panorama® management server, a commit on Panorama triggers a Enterprise DLP configuration synchronization to ensure that your Enterprise DLP configuration on Strata Cloud Manager and Panorama match. Ensuring the Enterprise DLP configuration on Strata Cloud Manager and Panorama are synchronized allows data security administrators to maintain proper version control and prevents configuration errors that could result in the unintended exfiltration of sensitive data.

    Understanding the Components of a Data Profile

    Firstly, it's important to understand the two key components of an Enterprise DLP data profile (Strata Cloud Manager) and a data filtering profile (Panorama).
    • Strata Cloud Manager
      On Strata Cloud Manager, data security administrators manage the Enterprise DLP data profile and the DLP rule configurations from discrete places on Strata Cloud Manager.
      • Data Profile—An Enterprise DLP data profile specify how data security administrators want to enforce the sensitive content that you’re filtering. These can include predefined or custom data patterns, as well as any of the advanced detection methods.
      • DLP Rule—The DLP rule defines the type of traffic to inspect, the impacted file types, action, and log severity for the data profile match criteria. Enterprise DLP automatically creates a DLP rule with the same name when data security administrators create a new data profile.
    • Panorama
      On Panorama, data security administrators manage the Enterprise DLP data profile and the DLP rule configurations from the same data filtering profile. When editing a data filtering profile on Panorama, data security administrators can make changes to the data profile, the DLP rule, or both.
      • Data Profile—An Enterprise DLP data profile specify how data security administrators want to enforce the sensitive content that you’re filtering. These can include predefined or custom data patterns. Review the list of advanced detection methods that data security administrators can configure on Panorama.
      • DLP Rule—The DLP rule defines the type of traffic to inspect, the impacted file types, action, and log severity for the data profile match criteria. Enterprise DLP automatically creates a DLP rule with the same name when data security administrators create a new data profile.
        If a data security administrator created a data profile on Strata Cloud Manager that includes an advanced detection method marked with Configured on Strata Cloud Manager, data security administrators can only configure the DLP rule portion of the data filtering profile.

    When Does a Configuration Sync Occur?

    The point at which an Enterprise DLP configuration sync occurs between Strata Cloud Manager and Panorama depends on where the configuration change was made.
    • Strata Cloud Manager
      No automated Enterprise DLP configuration sync between Strata Cloud Manager and Panorama occurs when making Enterprise DLP configuration changes on Strata Cloud Manager.
      If data security administrators manage your Enterprise DLP configuration on Strata Cloud Manager but apply the configuration to your enforcement points managed by Panorama, you must log in to Panorama to initiate a configuration sync. Similarly, if you make Enterprise DLP configuration on Panorama you must take action on Panorama to sync those changes so they reflect on Strata Cloud Manager.
    • Panorama
      Panorama syncs its Enterprise DLP configuration when:
      • You Commit a configuration change on Panorama.
        This can include other unrelated configuration changes or just be an Enterprise DLP configuration change. In this case, Panorama pushes the new Enterprise DLP configuration changes to Strata Cloud Manager.
      • You refresh ObjectsDLPData Filtering Patterns.
        In this case, Panorama pulls the latest data pattern configurations from Strata Cloud Manager.
      • You refresh ObjectsDLPData Filtering Profiles.
        In this case, Panorama pulls the latest data profile configurations from Strata Cloud Manager.
        Keeping the data filtering profiles synchronized between Strata Cloud Manager and Panorama is especially important to prevent configuration errors and commit failures on Panorama. Enterprise DLP assigns all data profiles on Strata Cloud Manager a version on creation and updates the version (+1) when the admin Saves changes to the data profile on Strata Cloud Manager. However, Enterprise DLP does not automatically sync the changes to Panorama. To synchronize, the user must manually trigger a sync on Panorama to reflect the data profile changes from Strata Cloud Manager. Otherwise, when the data filtering profile version on Panorama is 10 or more versions behind the data profile on Strata Cloud Manager, commits start to fail with the error profile not found.

    When Should I Commit a Configuration Change?

    When to commit an Enterprise DLP configuration change depends on where you made those changes.
    • Strata Cloud Manager
      Configuration changes on Strata Cloud Manager don't require a commit before you can push those changes to enforcement points. Instead, security administrators make configuration and then push those changes to your enforcement points.
    • Panorama
      Data security administrators must Commit on Panorama when making any kind of configuration change for the following:

    When Should I Push a Configuration Change?

    Strata Cloud Manager requires data security administrators push configuration changes to enforcement points after:
    • Editing data filtering settings
    • Editing snippet settings
    • Creating or updating a granular data profile
    • Adding a Secondary rule to an existing nested data profile that didn't include one when it was first created
    • Modifying a DLP rule
      This includes adding it to a Profile Group and adding the Profile Group to a Security policy rule.
    • Adding or editing an Endpoint DLP Policy rule
    • Setting up evidence storage
    Panorama requires data security administrators configuration to push all Enterprise DLP configuration changes to your enforcement points.

    Recommendations

    Review the recommendations for managing when data security administrators commit (Panorama only) and push configuration changes to your enforcement points.
    • (Panorama) Ensure your Enterprise DLP configuration change management workflow always includes a Commit to ensure changes are synchronized with Strata Cloud Manager as a standard operating procedure even if your security administrators are not ready to push these changes.
    • Ensure your Enterprise DLP configuration change management workflow always includes a configuration push to apply Enterprise DLP configuration changes to your enforcement points. Security administrators often push configuration changes during scheduled maintenance or change windows to minimize disruptions.
      (Panorama) Palo Alto Networks does not recommend performing a Commit and Push operation as this can lead to issues with Enterprise DLP.
    • Develop a step-by-step check list for managing Enterprise DLP configuration changes to reduce human error. This includes when to commit changes and when to push change to your enforcement points.
    • (Panorama) Perform a config audit to review and understand the difference between the running and candidate configurations.

    © 2025 Palo Alto Networks, Inc. All rights reserved.