Enterprise DLP
Known Issues in Enterprise DLP Plugin 3.0.1
Known issues in Enterprise Data Loss Prevention (E-DLP) plugin 3.0.1.
WIF-523
This issue is addressed in PAN-OS 10.2.2.
Managed firewalls leveraging Enterprise DLP erroneously
display as not licensed, even though
the firewall is successfully licensed, when you enter the following command
in the firewall CLI.
admin> show ctd-agent status security-client
This issue is observed only when you initially activate the DLP
license on the managed firewall and before you push the Enterprise
DLP configuration from the Panorama management server for the first
time.
Workaround: Finish setting up and configuring Enterprise
DLP.
This requires you to commit and push the Enterprise DLP configuration
to your managed firewall leveraging Enterprise DLP, which restores
the correct license state on the managed firewall.
PLUG-21209
This issue is addressed in Enterprise DLP plugin 5.0.8.
On the Panorama® management server, the Enterprise DLP plugin configuration objects (Objects > DLP) display the following error after activating a Trial DLP license for NGFW:
No DLP licenses found on Prisma Access or managed firewalls, to learn how
to activate DLP licenses refer to the product documentation
PLUG-18987
This issue is addressed in Enterprise DLP plugin 5.0.6.
On rare occasions, you are unable to reset the Enterprise DLP plugin from the Panorama® management server CLI and receive the following error:
DLP reset failure: must be str, not NoneType
PLUG-18713
This issue is addressed in Enterprise DLP plugin 3.0.10 and 5.0.6.
On the Panorama® management server, Enterprise DLP might fail to delete a data pattern (Objects > DLP > Data Filtering Pattern).
PLUG-15192
This issue is addressed in Enterprise DLP plugin 3.0.10 and 5.0.6.
The Panorama® management server might fail to synchronize some data profiles created on Strata Cloud Manager and displays the following error:
Cannot update profile on Enforcer. Version passed to Enforcer must be equal
to or greater than the onboard version.
PLUG-15177
This is addressed in Enterprise DLP plugin 3.0.9, 4.0.4, and 5.0.2.
On the Panorama management server, the web interface becomes unresponsive when editing
large data profiles (Objects > DLP > Data Filtering Profiles).
PLUG-14534
This is addressed in Enterprise DLP plugin 3.0.7, 4.0.3, and 5.0.5.
On the Panorama management server, the Enterprise DLP plugin fails to complete post
commit tasks and causes all commits (Commit > Commit to Panorama) to get stuck at 99%.
PLUG-14201
This is addressed in Enterprise DLP plugin 3.0.7, 4.0.3, and 5.0.1.
The Panorama management server is unable to generate a report if a data filtering log (Monitor > Logs > Data Filtering) has a Report ID of 0 for a DLP incident. A
DLP Incident has a Report ID of 0 if the DLP cloud service
was unable to scan the file.
PLUG-13729
This is addressed in Enterprise DLP plugin 4.0.3 and 5.0.1.
The Panorama management server is unable to synchronize new data profiles (Objects > DLP > Data Filtering Profiles) from the DLP cloud service.
PLUG-13111
This issue is addressed in Enterprise DLP 3.0.6.
On the Panorama management server, the list of predefined URL categories is not
displayed for a data profile configured for non-file inspection (Objects > DLP > Data Filtering Profiles > <select a data profile> > URL Category List Excluded From).
PLUG-12430
This issue is addressed in PAN-OS 10.2.4-h3 and Enterprise DLP plugin 3.0.5.
On the Panorama management server, Enterprise Data Loss Prevention (E-DLP) allows you to
create multiple data filtering profiles (Objects > DLP > Data Filtering Profiles) with the same Name.
PLUG-11851
This is addressed in Enterprise DLP plugin 3.0.0.
On the Panorama management server, an outdated default DLP block response page is
displayed when traffic matches a data filtering profile with the Action set to
Block when leveraging Enterprise DLP.
PLUG-11750
This is addressed in Enterprise DLP plugin 3.0.5.
After you upgrade the Panorama management server and
managed firewalls leveraging Enterprise DLP from PAN-OS 10.1.7 to
PAN-OS 11.0, data filtering logs (Monitor > Logs > Data Filtering)
display DLP Skipped; possible config er as
the Reason for Action despite the firewall taking the correct action
for matched traffic.
PLUG-11197
This issue is addressed in Enterprise DLP version
3.0.2.
The DLP plugin install or uninstall fails if the local administrator
account does not exist.
PLUG-10330
This issue is addressed in Enterprise DLP version
3.0.2.
On a multi-vsys managed firewall, the Shared URL
Category (Objects > Custom Objects > URL Category)
pushed from the Panorama management server to multiple vsys of the
multi-vsys firewall does not successfully match beyond vsys1.
PLUG-10252
This issue is addressed in PAN-OS 10.2.3 and 11.0.0.
Renaming an existing data profile on the DLP app on
the hub creates an entirely new data filtering profile (Objects > DLP > Data
Filtering Profiles) on the Panorama management
server.
PLUG-9811
This issue is addressed in Enterprise DLP 3.0.6.
Creating a new data profile from the Panorama management server CLI fails.
Workaround:
Create a new data profile from the Panorama
web interface.
PLUG-9323
This issue is addressed in Enterprise DLP version 1.0.6 and 3.0.2.
On the Panorama management server, the
Secondary Pattern for a data filtering profile (Objects > DLP > Data
Filtering Profiles) is not displayed after
the data filtering profile is successfully created and pushed to
managed firewalls.
PLUG-6254
Firewalls leveraging Enterprise Data
Loss Prevention (DLP) do not display the Enterprise DLP data filtering
profiles (Objects > DLP > Data Filtering Profiles) or Enterprise
DLP Settings (Device > Setup > DLP), and these cannot be overridden
locally on the firewall.
PLUG-6145
On the Panorama management server, you
cannot create an admin role (Panorama > Admin Roles) to control access
to Enterprise Data Loss Prevention (DLP) filtering settings and
snippet configuration (Device > Setup > DLP).
PAN-191513
This issue is addressed in Enterprise DLP version 3.0.2.
For multi-vsys firewalls, the DLP cloud service continues
to exclude an application added to a Shared application
group (Objects > Application Groups) or a Shared application
filter (Objects > Application Filters) from non-file traffic inspection when
removed from the application group or filter that was added to the
App Exclusion List (Objects > DLP > Data Filtering Profiles).
Workaround: Create a new Shared application
group or filter if you need to remove an application. Alternatively,
you can restart the managed firewall each time you push an updated Shared application
group or filter to a multi-vsys firewall.
PAN-191014
This issue is addressed in Enterprise DLP version 3.0.2.
On the Panorama management server, the on-device help
for data filtering profiles (Objects > DLP > Data Filtering Profiles > Add) and data filtering patterns (Objects > DLP > Data
Filtering Patterns > Add)
does not display correctly.
PAN-155923
Enterprise Data Loss Prevention (DLP)
data filtering profile (Objects > DLP > Data Filtering Profiles)
names do not display in Data Filtering logs (Monitor > Logs > Data Filtering)
until a commit is performed on firewalls leveraging Enterprise DLP after
you successfully install the Enterprise DLP plugin.
PAN-144897
Enterprise Data Loss Prevention (DLP)
data profile Thread ID/Name filter is not available
when you configure a custom report (Manage > Manage Custom Reports) on the
Panorama management server or locally on a firewall leveraging Enterprise
DLP.
DSS-17763
On the Panorama management server, custom data profiles (Objects > DLP > Data Filtering Profiles) are not synchronized to the DLP cloud service if you have an active
CASB-X license. This prevents you from associating the data profile with a
Security policy rule and displays the error Data Profile does not
exist.
Workaround: Contact Palo Alto Networks Support to restore synchronization
functionality between the DLP cloud service and Panorama.