Install the Enterprise Data Loss Prevention (DLP) Plugin

Install the Enterprise Data Loss Prevention (DLP) plugin on your Panorama™ management server and managed firewalls.
To install the Enterprise Data Loss Prevention (DLP) plugin on your Panorama™ management server and managed firewalls , you must download the plugin from the Palo Alto Networks Customer Support Portal, upload the plugin to Panorama, and then install the plugin. You must install the plugin on Panorama and your managed firewalls to leverage the Enterprise DLP.
Your existing data patterns (
Objects
Custom Objects
Data Patterns
) and data filtering profiles (
Objects
Security Profiles
Data Filtering
) are automatically hidden after you successfully install the Enterprise DLP plugin on Panorama. To display your existing data patterns and filtering profiles, see Enable Existing Data Patterns and Filtering Profiles.
  1. Register your Panorama and managed firewalls with the Palo Alto Networks Customer Support Portal (CSP).
  2. You must install the device certificate on all your managed firewalls leveraging Enterprise DLP.
  3. Install the plugin on Panorama.
    1. Select
      Panorama
      Plugins
      and search for the latest version of the dlp plugin.
    2. Download
      and
      Install
      the Enterprise DLP plugin on Panorama.
  4. Install the plugin on your managed firewalls.
    1. Select
      Panorama
      Device Deployment
      Plugins
      and search for the latest version of the Enterprise DLP plugin.
    2. Download
      and
      Install
      the Enterprise DLP plugin on your managed firewalls.
    3. Select the
      Devices
      on which to install the plugin.
    4. Click
      OK
      to install the plugin.
  5. Commit and push to your managed firewalls complete the Enterprise DLP plugin installation.
    This step is required in order for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    While a performing a
    Commit and Push
    is supported, it is not recommended for Enterprise DLP configuration changes and requires you to manually select the impacted templates and managed firewalls in the Push Scope Selection.
    1. Select
      Commit
      Commit to Panorama
      and
      Commit
      your configuration changes.
    2. Select
      Commit
      Push to Devices
      and
      Edit Selections
      .
    3. Select
      Device Groups
      and
      Include Device and Network Templates
      .
    4. Click
      OK
      .
    5. Push
      your configuration changes to your managed firewalls.
  6. Activate your Enterprise DLP license on the Palo Alto Networks Customer Support Portal (CSP).
    Repeat this step for all firewalls leveraging Enterprise DLP.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select
      Assets
      Devices
      and click the edit button ( csp-pencil.png ) in the Actions column.
    3. In the Device Licenses window, select
      Activate Auth-Code
      and enter the
      Authorization Code
      .
      The authorization code (auth code) is automatically provided to you by Palo Alto Networks in an email upon purchase of the Enterprise DLP plugin license.
    4. Click
      Agree and Submit
      .
  7. Create a Palo Alto Networks Support ticket to enable Enterprise DLP license transfer between firewalls.
    Requesting that the Enterprise DLP license be transferable allows you to transfer your DLP license to other managed firewalls.
    In the support ticket, include the following information:
    • Request a firewall transfer for the Enterprise DLP license.
    • Your CSP account ID and email associated with your CSP account.
    • The managed firewall serial number. If you activated the Enterprise DLP license on multiple managed firewalls, include all the managed firewalls serial numbers in a single support ticket.
    • The auth code(s) used to activate the Enterprise DLP license on your managed firewalls.
    • (
      Optional
      ) If you have managed firewalls belonging to a different CSP account, provide the CSP account ID with which those managed firewalls are associated.
  8. Verify that Panorama and the managed firewalls belong to the same CSP account.
    Having Panorama and the managed firewalls belong to the same CSP account is required and enables you to share data profiles for consistent security policy enforcement.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select
      Assets
      Devices
      and locate your Panorama and managed firewalls.
  9. Activate the Enterprise DLP plugin on your managed firewalls.
    1. Select
      Panorama
      Device Deployment
      License
      and
      Activate
      the Enterprise DLP plugin.
    2. Enter the
      Auth Code
      for the target managed firewalls.
      The auth code is automatically provided to you by Palo Alto Networks in an email upon purchase of the Enterprise DLP plugin license.
    3. Activate
      the Enterprise DLP plugin license on your managed firewalls.
  10. Select
    Objects
    DLP
    DLP Data Filtering
    and verify that the predefined Data Filtering profiles are displayed.
    Panorama is automatically populated with predefined Data Filtering profiles when Panorama successfully connects to the DLP cloud service.
  11. Verify the Enterprise DLP license is successfully activated on your managed firewalls.
    1. Select
      Device
      Licenses
      and verify that the license is successfully activated.
      dlp-plugin-activate-verify.png

Recommended For You