Enterprise DLP Limitations

Review the Enterprise Data Loss Prevention (E-DLP) cloud service and plugin limitations. The following are limitations associated with the Enterprise Data Loss Prevention (E-DLP) cloud service, the plugin, and Endpoint DLP. Each entry lists the tracking Issue ID (where one exists) followed by its description and any workaround.

Enterprise DLP Cloud Service and Plugin

Issue ID: none
When using Enterprise DLP on Hub 1.0, the DLP app on the hub supports only Superuser administrative privileges. Role-based access control for Enterprise DLP is supported on Hub 2.0 only.

Issue ID: none
A custom block response page for matched traffic blocked by Enterprise DLP is not supported for NGFW and Prisma Access managed by Strata Cloud Manager or Panorama.
Issue ID: WIF-1127
For PA-3250 firewalls running PAN-OS 10.2.4 or PAN-OS 10.2.5, .zip file uploads to the Zendesk application cannot be successfully blocked by Enterprise DLP and do not generate a DLP Incident on Panorama or the NGFW (Monitor > Logs > Data Filtering).

Issue ID: WIF-484
Detection of floating images is not supported when Optical Character Recognition on Panorama or Prisma Access (Managed by Strata Cloud Manager) is enabled.

Issue ID: WIF-215
On Panorama, the original connection to the Service URL FQDN is terminated before the connection to the new Service URL FQDN can be established after reconfiguring the Service URL Setting (Device > Setup > Content-ID).
Issue ID: PLUG-12944
After you upgrade Panorama and managed NGFW to PAN-OS 11.0.2, the Panorama plugin for Enterprise DLP 4.0.1 that you downloaded on Panorama prior to the upgrade does not automatically install.
Workaround: After you successfully upgrade Panorama to PAN-OS 11.0.2, manually install the downloaded Enterprise DLP plugin (Panorama > Plugins).

Issue ID: PLUG-12756
This limitation is addressed in Enterprise DLP version 3.0.4. The File Direction of the predefined data filtering profile (Objects > DLP > Data Filtering Profiles) displays Default instead of Upload.

Issue ID: PLUG-11837
On Panorama, downgrading from the following PAN-OS releases does not restore the default Upload File Direction for data filtering profiles (Objects > DLP > Data Filtering Profiles).
  • Downgrading from PAN-OS 11.0.1 to PAN-OS 11.0.0.
  • Downgrading from PAN-OS 10.2.4 to PAN-OS 10.2.3 or an earlier release.
Issue ID: PLUG-10323
After you downgrade Panorama and NGFW to PAN-OS 10.2.0 and Enterprise DLP plugin 3.0.0, the Non-File Based setting (Objects > DLP > Data Filtering Profiles) for a data filtering profile configured for non-file traffic data inspection erroneously displays as enabled on the managed firewall CLI.
Workaround: Disable the Non-File Based setting on the data filtering profile before downgrading to PAN-OS 10.2.0 and Enterprise DLP plugin 3.0.0.
  1. Log in to the Panorama web interface.
  2. Select Objects > DLP > Data Filtering Profiles.
  3. Configure the Non-File Based setting as No and click OK.
  4. Commit and push your configuration changes to your managed firewalls leveraging Enterprise DLP.
    1. Select Commit > Commit to Panorama and Commit.
    2. Select Commit > Push to Devices and Edit Selections.
    3. Select Device Groups and Include Device and Network Templates.
    4. Push your configuration changes to your managed firewalls leveraging Enterprise DLP.
Issue ID: PLUG-10252
Renaming an existing data profile on the DLP app on the hub creates an entirely new data filtering profile (Objects > DLP > Data Filtering Profiles) on Panorama.

Issue ID: PLUG-10172
On Panorama, the commit fails if the same profile (Objects > DLP > Data Filtering Profiles) is being edited on Panorama and in the DLP app at the same time.
Workaround: If you experience a commit failure when editing the data filtering profile on Panorama, you must discard the edits, reset the Enterprise DLP plugin, and reconfigure the data filtering profile.
Issue ID: PLUG-6159
On Panorama, the Enterprise DLP data profiles (Objects > DLP > Data Filtering Profiles) are not displayed if you Remove Config (Panorama > Plugins) for the Enterprise DLP plugin and then install the Cloud Services plugin.
Workaround: After you successfully remove the Enterprise DLP plugin configuration, log in to the Panorama CLI and reset the Enterprise DLP plugin to display the DLP data profiles.
  admin> request plugins dlp reset
Issue ID: PLUG-6121
On Panorama, Enterprise DLP data patterns and profiles do not function as expected after you load or revert a firewall configuration.
Workaround: After you successfully load or revert an NGFW configuration, log in to the Panorama CLI and reset the Enterprise DLP plugin.
  admin> request plugins dlp reset
Issue ID: PAN-215405
File uploads to the Box application exceeding 20MB create multiple sessions if the data filtering profile (Objects > DLP > Data Filtering Profiles) Action is set to Block. This results in the Box application requiring multiple retries before the file upload is successfully attempted and blocked by the DLP cloud service.

Issue ID: PAN-211913
Enterprise DLP does not support maintaining a session connection to continue inspection if a file download is paused. The DLP cloud service inspection is terminated for the file if the download operation is paused.

Issue ID: PAN-206877
The Gmail file attachment operation may sometimes get stuck or fail after multiple attempts if the DLP cloud service already scanned and blocked the file.

Issue ID: PAN-142785
Enterprise DLP does not support custom response pages on Panorama and uses the default File Blocking Block Page response page (Device > Response Pages).

Issue ID: PAN-140057
Enterprise DLP and IoT logs share log severity levels and cannot be configured individually.
Issue ID: DIT-27539
(Enterprise DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering settings to 21 MB or greater is supported only from the Panorama CLI.
  1. Enter configuration mode.
     admin> configure
  2. Set the max file size data filtering setting (the value is in MB; replace <template_name> with the name of your template).
     admin# set template <template_name> config shared dlp-settings max-file-size <1 - 100>

Endpoint DLP

Issue ID: none
For endpoint devices running macOS, the Prisma Access Agent inspects file movement within a USB peripheral device connected to the endpoint device. This is due to a macOS limitation that prevents macOS from determining the source path of the file operation.
For example, you move a file from the endpoint device to Folder A on the connected USB device and the Prisma Access Agent inspects the file for sensitive data. A few minutes later you move the same file from Folder A to Folder B. In this case, the Prisma Access Agent once again inspects the file for sensitive data.
Issue ID: PANG-5687
Multiple DLP Incidents (Manage > Configuration > Data Loss Prevention > DLP Incidents) can be generated for a single file move operation from the endpoint to a peripheral device. Some examples of when this may occur are:
  • Extracting the contents of a compressed file from the endpoint to a peripheral device.
  • An application that generates artifact files when writing to a peripheral device. For example, the Microsoft BITSAdmin tool generates multiple .tmp files when writing to a peripheral device.
To prevent exfiltration of sensitive data, Enterprise DLP inspects every file associated with the file move operation from the endpoint to the peripheral device. This ensures that all impacted files are captured in your logs and analyzed. However, this may result in the creation of unnecessary DLP Incidents.
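Because every file touched by one move operation produces its own DLP Incident, an analyst reviewing the DLP Incidents view can end up with many records for what is really one user action. The script below is an added triage example, not code from this page or from Palo Alto Networks: it groups incident records by user, endpoint and destination device, splits them into clusters wherever consecutive incidents are more than a configurable time window apart, and reports how many of the files in each cluster are transient artifacts (such as the .tmp files BITSAdmin writes) versus real content files. The incident field names (time, user, endpoint, destination, file, profile) and the artifact suffix list are assumptions, since the page does not describe the DLP Incidents export schema; the sample incidents are constructed for the example. Nothing is discarded: every incident stays inside its cluster, which is the behaviour a defender wants when the underlying files may each carry sensitive data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample DLP Incident records. The field names are an assumption
# for this example; the real DLP Incidents schema is not described on the page.
SAMPLE_INCIDENTS = [
    # one move of a spreadsheet plus two BITSAdmin-style .tmp artifacts
    {"time": "2024-05-01T09:00:01", "user": "alice", "endpoint": "LAPTOP-01",
     "destination": "usb:serial-AB12", "file": "q1-forecast.xlsx", "profile": "PCI"},
    {"time": "2024-05-01T09:00:02", "user": "alice", "endpoint": "LAPTOP-01",
     "destination": "usb:serial-AB12", "file": "BIT4F2A.tmp", "profile": "PCI"},
    {"time": "2024-05-01T09:00:03", "user": "alice", "endpoint": "LAPTOP-01",
     "destination": "usb:serial-AB12", "file": "BIT4F2B.tmp", "profile": "PCI"},
    # archive extraction: several files land within seconds of each other
    {"time": "2024-05-01T09:00:20", "user": "alice", "endpoint": "LAPTOP-01",
     "destination": "usb:serial-AB12", "file": "customers/a.csv", "profile": "PCI"},
    {"time": "2024-05-01T09:00:21", "user": "alice", "endpoint": "LAPTOP-01",
     "destination": "usb:serial-AB12", "file": "customers/b.csv", "profile": "PCI"},
    # a separate move by the same user twelve minutes later: its own cluster
    {"time": "2024-05-01T09:12:00", "user": "alice", "endpoint": "LAPTOP-01",
     "destination": "usb:serial-AB12", "file": "q1-forecast.xlsx", "profile": "PCI"},
    # a different user and peripheral (a printer): its own cluster
    {"time": "2024-05-01T09:00:05", "user": "bob", "endpoint": "LAPTOP-07",
     "destination": "printer:HP-3F", "file": "contract.pdf", "profile": "Legal"},
]

# Assumption: suffixes that usually denote transient write artifacts rather than
# files the user intended to move. Extend this list for your own environment.
ARTIFACT_SUFFIXES = (".tmp", ".part", ".crdownload")


@dataclass
class MoveCluster:
    """All incidents that plausibly belong to one file move operation."""
    user: str
    endpoint: str
    destination: str
    start: datetime
    end: datetime
    incidents: list = field(default_factory=list)

    @property
    def files(self):
        return sorted({inc["file"] for inc in self.incidents})

    @property
    def artifact_files(self):
        return [f for f in self.files if f.lower().endswith(ARTIFACT_SUFFIXES)]

    @property
    def content_files(self):
        artifacts = set(self.artifact_files)
        return [f for f in self.files if f not in artifacts]


def parse_time(value):
    return datetime.fromisoformat(value)


def cluster_incidents(incidents, window_seconds=60):
    """Group incidents by (user, endpoint, destination) and start a new cluster
    whenever the gap to the previous incident exceeds window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_actor = defaultdict(list)
    for inc in incidents:
        by_actor[(inc["user"], inc["endpoint"], inc["destination"])].append(inc)

    clusters = []
    for (user, endpoint, dest), group in by_actor.items():
        group.sort(key=lambda inc: parse_time(inc["time"]))
        current = None
        for inc in group:
            stamp = parse_time(inc["time"])
            if current is None or stamp - current.end > window:
                current = MoveCluster(user, endpoint, dest, stamp, stamp)
                clusters.append(current)
            current.end = stamp
            current.incidents.append(inc)
    clusters.sort(key=lambda c: c.start)
    return clusters


def summarize(clusters):
    """One line per cluster: who, where, how many incidents, content vs artifacts."""
    return [
        f"{c.start.isoformat()} {c.user}@{c.endpoint} -> {c.destination}: "
        f"{len(c.incidents)} incidents, {len(c.content_files)} content file(s), "
        f"{len(c.artifact_files)} artifact(s)"
        for c in clusters
    ]


if __name__ == "__main__":
    for line in summarize(cluster_incidents(SAMPLE_INCIDENTS)):
        print(line)
```

With the constructed sample the script reports three clusters: alice's first burst of five incidents (three content files, two .tmp artifacts), bob's single printer incident, and alice's later re-copy of the same spreadsheet. The 60-second window is a tuning knob; a large archive extraction to a slow USB device may need a wider one, and clustering only changes how incidents are presented for triage, not what Enterprise DLP logged.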
Issue ID: PANG-5530
Installing the Prisma Access Agent on an endpoint device with Cortex 8.3.0 or earlier installed generates an error titled "cytray.exe - Bad Image" that alerts the user that DLP is either not designed to run on Windows or contains an error.
This error can be ignored. It has no impact on the Prisma Access Agent installation or on Endpoint DLP policy rule enforcement. Click OK when prompted to finish the Prisma Access Agent installation.
Issue ID: PANG-5122
The Prisma Access Agent is unable to enforce policy rules when the endpoint on which it is installed is in Safe Mode. As a result, the Prisma Access Agent is unable to inspect and block files moved between the endpoint and a peripheral device while the endpoint is in Safe Mode.
Issue ID: DSS-17434
For printer peripheral devices, a data profile (Manage > Configuration > Data Loss Prevention > Data Profile) that includes an IDM document type (Manage > Configuration > Data Loss Prevention > Document Types) with a high matching value results in Enterprise DLP being unable to render a match verdict for inspected traffic.
Workaround: In your data profile, configure a low matching value for IDM document types to increase the likelihood of successful match verdicts for printer peripheral devices.
