Enable Enterprise Data Loss Prevention (DLP)

Create policy rules to enable data loss prevention.
Complete these steps to configure your managed firewalls to leverage Enterprise Data Loss Prevention (DLP) successfully.
  1. (Hardware firewalls only) Create a service route to enable firewalls to connect to the internet.
    A service route must be configured to successfully leverage Enterprise DLP on these firewall platforms. Create a service route for all supported firewall models running PAN-OS 10.0 and later releases.
    1. Select Device > Setup > Services and select the template that contains the Enterprise DLP configuration.
    2. Click Service Route Configuration in the Service Features section and select Customize.
    3. Click Dataplane and configure the Source Interface and Source Address.
      The source interface must have internet connectivity. See Configure Interfaces and Create an Address Object for more information on creating the source interface and address.
    4. Select (check) Dataplane and click OK to save your configuration changes.
    5. Select Device > Setup > Content-ID and copy the Public Cloud Server FQDN in the Service URL Setting section.
    6. Select Policies > Security and Add a security policy rule allowing traffic from the source interface to the Public Cloud Server FQDN.
  2. Create a decryption profile to remove Application-Layer Protocol Negotiation (ALPN) headers from uploaded files.
    Enterprise DLP supports HTTP/1.1. Some applications, such as SharePoint and OneDrive, use HTTP/2 for uploads by default. To make files uploaded from applications that use HTTP/2 compatible with Enterprise DLP, complete these steps:
    1. Select Objects > Decryption > Decryption Profile and specify the Device Group.
    2. Add a new decryption profile.
    3. Enter a descriptive Name.
    4. (Optional) Enable (check) Shared to make this decryption profile available across all device groups.
    5. Select SSL Decryption > SSL Forward Proxy and enable (check) Strip ALPN in the Client Extension section.
    6. Click OK to save your configuration changes.
  3. Create the policy rule to remove ALPN headers from uploaded files.
    1. Select Policies > Decryption and specify the Device Group.
    2. Add a new decryption policy rule and configure it as needed.
    3. Select Options.
    4. For the Action, select Decrypt.
    5. Select the Decryption Profile you created.
    6. Click OK to save your configuration changes.
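ALPN is a TLS extension (type 16) in the ClientHello, not an HTTP header: the client lists the protocols it is willing to speak (for example h2 and http/1.1), and the server picks one. Stripping it from the ClientHello is what makes the server fall back to HTTP/1.1, which Enterprise DLP can inspect. The following Python example is added here to show, at the byte level, what the forward proxy's Strip ALPN option does to the client's ClientHello; it is not Palo Alto Networks code. The ClientHello, the hostname sharepoint.example and the cipher suite in it are constructed sample data.

```python
import struct

ALPN_EXT_TYPE = 16   # RFC 7301 application_layer_protocol_negotiation
SNI_EXT_TYPE = 0     # server_name; kept to show that other extensions survive the strip


def _ext(ext_type, body):
    """Wrap an extension body with its 2-byte type and 2-byte length."""
    return struct.pack("!HH", ext_type, len(body)) + body


def alpn_extension(protocols):
    """ALPN body: 2-byte list length, then 1-byte-length-prefixed protocol names."""
    entries = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return _ext(ALPN_EXT_TYPE, struct.pack("!H", len(entries)) + entries)


def sni_extension(hostname):
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return _ext(SNI_EXT_TYPE, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions):
    """Constructed TLS 1.2-style ClientHello record carrying the given extensions."""
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + bytes(32)                              # random (zeros; constructed sample)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def _split_client_hello(record):
    """Return (bytes before the extensions length field, raw extensions bytes)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) != 5 + rec_len:
        raise ValueError("record length mismatch")
    p = 9                 # record header (5) + handshake type (1) + handshake length (3)
    p += 2 + 32           # client_version + random
    p += 1 + record[p]    # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]    # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    if p + 2 + ext_len != len(record):
        raise ValueError("extensions length mismatch")
    return record[:p], record[p + 2:]


def list_extensions(record):
    """Parse the extensions block into (type, body) pairs, in wire order."""
    _, exts = _split_client_hello(record)
    out, p = [], 0
    while p < len(exts):
        t, l = struct.unpack("!HH", exts[p:p + 4])
        out.append((t, exts[p + 4:p + 4 + l]))
        p += 4 + l
    return out


def alpn_protocols(record):
    """Protocol names the client advertises via ALPN, or [] if the extension is absent."""
    for t, body in list_extensions(record):
        if t == ALPN_EXT_TYPE:
            names, p = [], 2      # skip the 2-byte list length
            while p < len(body):
                n = body[p]
                names.append(body[p + 1:p + 1 + n].decode())
                p += 1 + n
            return names
    return []


def strip_alpn(record):
    """Rebuild the ClientHello without the ALPN extension, fixing every enclosing length."""
    prefix, _ = _split_client_hello(record)
    kept = b"".join(_ext(t, body) for t, body in list_extensions(record) if t != ALPN_EXT_TYPE)
    body = prefix[9:] + struct.pack("!H", len(kept)) + kept   # handshake body, new extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello(sni_extension("sharepoint.example") + alpn_extension(["h2", "http/1.1"]))
    print("before:", alpn_protocols(hello))
    print("after: ", alpn_protocols(strip_alpn(hello)))
```

The three length fields (record, handshake, extensions) all have to be recomputed after the extension is dropped, which is why the proxy must rewrite the ClientHello rather than blank the bytes in place; a ClientHello without an ALPN extension passes through strip_alpn unchanged.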
  4. Disable the QUIC protocol to deny traffic on ports 80 and 443.
    Many supported web applications, such as Gmail, require that you disable the QUIC protocol for Enterprise DLP to function correctly.
    1. Select Policies > Security and specify the Device Group.
    2. Add a security policy rule that denies traffic using the quic application.
    3. Select Objects > Services and specify the Device Group.
    4. Add two services: one for UDP on port 80 and one for UDP on port 443.
      Newer versions of QUIC might be misidentified as unknown-udp. For this reason, Palo Alto Networks recommends adding services for UDP port 80 and UDP port 443 and creating an additional security policy rule to deny UDP traffic on those ports.
    5. Select Policies > Security and specify the Device Group.
    6. Add a security policy rule that includes the services you created to deny traffic to UDP ports 80 and 443.
      When complete, you will have two security policy rules: one that blocks the QUIC protocol and one that blocks traffic on UDP ports 80 and 443.
  5. Attach the data filtering profile to a Security policy rule.
    See Create a Security Policy Rule for more information on creating a new Security policy rule.
    To downgrade your Panorama management server to a previous PAN-OS version, you must remove all Enterprise DLP data patterns and data filtering profiles referenced in your Security policy rules. Consider this when creating and organizing your policy rules that reference Enterprise DLP data patterns and filtering profiles.
    For example, create a device group to contain all your Security policy rules that reference Enterprise DLP data patterns and filtering profiles. This allows you to quickly modify the relevant policy rules should you need to downgrade the Panorama PAN-OS version.
    1. Select Policies > Security > Pre Rules and specify the Device Group.
    2. Select the Security policy rule to which you want to add the data filtering profile.
    3. Select Actions and set the Profile Type to Profiles.
    4. Select the Data Filtering profile you created.
    5. Click OK to save your configuration changes.
  6. Commit and push your configuration changes to your managed firewalls leveraging Enterprise DLP.
    While performing a Commit and Push is supported, it is not recommended for Enterprise DLP configuration changes, because it requires you to manually select the impacted templates and managed firewalls in the Push Scope Selection.
    1. Select Commit > Commit to Panorama and Commit your configuration changes.
    2. Select Commit > Push to Devices and Edit Selections.
    3. Select Device Groups and Include Device and Network Templates.
    4. Click OK.
    5. Push your configuration changes to your managed firewalls.
