File Type Include or Exclude List for Data filtering Profiles
End-of-Life (EoL)

Create a file type include or exclude list for file-based inspection using Enterprise Data Loss Prevention (E-DLP).
Enterprise Data Loss Prevention (E-DLP) now supports creating a file type include or exclude list for data filtering profiles configured for file-based inspection. This allows you to select one of two modes:
  • Inclusion Mode—Allow only the file types you specify to be scanned by Enterprise DLP.
  • Exclusion Mode—Allow all supported file types to be scanned by Enterprise DLP by default, except for the file types you specify.
    Exclusion Mode includes True File Type Support and does not rely on file extensions to determine file types.
To create a file type include or exclude list for Enterprise DLP data filtering profiles, the Panorama management server and managed firewalls using Enterprise DLP must be running PAN-OS 11.0.2 or later release. Additionally, the Enterprise DLP plugin must be version 4.0.1 or later.
  1. Select Objects > DLP > Data Filtering Profiles and specify the Device Group.
  2. When creating the data filtering profile, specify the file types the DLP cloud service takes action against.
    1. Select File Types.
    2. Select the Scan Type to create a file type include or exclude list.
      • Include—DLP cloud service inspects only the file types you add to the File Type Array.
      • Exclude—DLP cloud service inspects all supported file types except for those added to the File Type Array.
    3. Click Modify to add the file types to the File Type Array and click OK.
  3. Click OK to save your changes.
  4. Attach the data filtering profile to a Security policy rule.
    1. Select Policies > Security and specify the Device Group.
    2. Select the Security policy rule to which you want to add the data filtering profile.
    3. Select Actions and set the Profile Type to Profiles.
    4. Select the Data Filtering profile you created previously.
    5. Click OK.
  5. Commit and push your configuration changes to your managed firewalls that are using Enterprise DLP.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    1. Select Commit > Commit to Panorama and Commit.
    2. Select Commit > Push to Devices and Edit Selections.
    3. Select Device Groups and Include Device and Network Templates.
    4. Click OK.
    5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
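
The Include and Exclude scan types, and the note that Exclusion Mode identifies files by true file type rather than by extension, can be modeled as follows. This is an added example, not Palo Alto Networks code: the function names, the supported-type set and the sample files are assumptions, and the model applies content-based detection to both modes although the page states it only for Exclusion Mode.

```python
# Simplified model of the Include/Exclude scan types; not Enterprise DLP's code.
# Signatures are well-known public file headers; SUPPORTED is an assumed subset.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]
SUPPORTED = {"pdf", "zip", "png", "jpeg", "txt"}


def true_file_type(data: bytes) -> str:
    """Classify a file by its leading bytes; the file name is never consulted."""
    for magic, ftype in SIGNATURES:
        if data.startswith(magic):
            return ftype
    try:  # Assumption: anything that decodes as UTF-8 is treated as plain text.
        data.decode("utf-8")
        return "txt"
    except UnicodeDecodeError:
        return "unknown"


def should_scan(data: bytes, scan_type: str, file_type_array: set) -> bool:
    """Decide whether a file is inspected under the given scan type."""
    ftype = true_file_type(data)
    if ftype not in SUPPORTED:
        return False  # unsupported types are never inspected in this model
    if scan_type == "include":
        return ftype in file_type_array
    if scan_type == "exclude":
        return ftype not in file_type_array
    raise ValueError(f"unknown scan type: {scan_type!r}")


# Constructed sample files: (name, first bytes of content).
SAMPLES = [
    ("q3-report.pdf", b"%PDF-1.7\n1 0 obj"),
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("holiday.png", b"%PDF-1.4\n1 0 obj"),  # PDF content behind a .png name
    ("notes.txt", b"meeting notes"),
]


def evaluate(scan_type: str, file_type_array: set) -> dict:
    """Map each sample file name to its scan decision."""
    return {n: should_scan(d, scan_type, file_type_array) for n, d in SAMPLES}
```

With `png` in an Exclude list, `holiday.png` is still inspected because its content is a PDF, which is the behavior to verify when testing an exclude list against files whose names and contents disagree.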