Enable Enterprise DLP

Create policy rules to enable firewalls to forward traffic to Enterprise Data Loss Prevention (E-DLP) to prevent exfiltration of sensitive data.

Where Can I Use This? | What Do I Need? |
---|---|
| Or any of the following licenses that include the Enterprise DLP license |
Some applications, such as SharePoint and OneDrive, use HTTP/2 by default. For firewalls managed by a Panorama™ management server or by Strata Cloud Manager running PAN-OS 10.2.2 and earlier releases, you must create a decryption profile and a Security policy rule to strip out the application-layer protocol negotiation (ALPN) extension in headers. Complete these steps to configure your managed firewalls to successfully use Enterprise Data Loss Prevention (E-DLP).

Strata Cloud Manager

Enable Enterprise Data Loss Prevention (E-DLP) for Prisma Access (Managed by Strata Cloud Manager) and SaaS Security on Strata Cloud Manager.

- Enable Enterprise DLP.
- Single Prisma SASE Platform Tenant License Activation: Activate a License for Cloud-Managed Prisma Access Through the Prisma SASE Platform for a single tenant deployment. Follow this procedure to activate Enterprise DLP when your tenant has no subtenants or tenant hierarchy of any kind.
- Multitenant Prisma SASE Platform License Activation: Activate a License for Prisma Access Multitenant Through the Prisma SASE Platform to activate Enterprise DLP for a parent tenant or a subtenant.
- CASB-X Platform License Activation: By default, the Enterprise DLP license is included as part of the CASB-X license. To activate Enterprise DLP for your CASB-X tenants, you only need to activate CASB-X. There’s no individual Enterprise DLP license you need to activate when using CASB-X. To use Enterprise DLP for a CASB-X tenant, you must Activate a Next Generation CASB License on Cross Platforms (CASB-X) Through the Prisma SASE Platform.
- Log in to Strata Cloud Manager.
- Verify that the DLP license is active.
- Select Manage > Configuration > NGFW and Prisma Access > Overview and navigate to the Licenses widget.
- Click the license Quantity and confirm that the Data Loss Prevention license is active. Confirm that the Data Loss Prevention license Type displays PAID and that an expiration date is displayed.
- Select Manage > Configuration and verify that Data Loss Prevention is displayed.
- Create the decryption profile required for Enterprise DLP to inspect traffic.
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption and Add Profile.
- Enter a descriptive Name for the decryption profile.
- Review the predefined decryption profile settings. The predefined decryption profile settings enable Enterprise DLP to inspect traffic. Modifying the predefined decryption profile settings isn’t required unless you need to enable Strip ALPN.
- (Software Version 10.2.2 or earlier versions) Configure the decryption profile to remove Application-Layer Protocol Negotiation (ALPN) headers from uploaded files. Remove the ALPN headers from files if any Strata Cloud Manager deployment is running software version 10.2.2 or an earlier version. If your entire Strata Cloud Manager deployment is running software version 10.2.3 or a later version, stripping ALPN headers isn’t required. A web security admin can also strip ALPN headers in the Web Security decryption settings (Manage > Web Security > Security Settings > Decryption) and edit the Action Options. Web Security admins don’t need to create a decryption policy rule and can push the setting to Remote Networks and Mobile Users.
- In the SSL Forward Proxy, click Advanced.
- Check (enable) Strip ALPN and Save.
- Save the Decryption profile group.
- Create a decryption policy rule to decrypt traffic for Enterprise DLP inspection. Cloud Management includes the predefined Exclude Microsoft O365 Optimized Endpoints - IPs and Exclude Microsoft O365 Optimized Endpoints - URLs decryption rules that exclude Microsoft Office 365 from decryption. For Enterprise DLP to successfully inspect traffic for Microsoft Office 365, you must position this new decryption rule before the predefined decryption exclusion rules. Alternatively, you can Disable these rules or Delete them.
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption and Add Rule.
- Enter a descriptive Name and configure the decryption policy rule as needed.
- In the Action and Advanced Inspection section, configure the policy rule to Decrypt traffic that matches this rule.
- For the Type, select SSL Forward Proxy.
- Select the Decryption Profile you created to strip ALPN headers.
- Save the decryption policy rule.
- Push your data filtering profile.
- Push Config and Push.
- Select (enable) Remote Networks and Mobile Users.
- Push.
Panorama

Create policy rules to enable firewalls to successfully use Enterprise Data Loss Prevention (E-DLP).

- Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.
- Log in to the Panorama web interface.
- Configure the proxy server settings to enable the Panorama™ management server to successfully communicate with the Enterprise DLP cloud service. This step is required if you are using a proxy server for Panorama. Continue to the next step if you aren’t using a proxy server or have already configured your Panorama proxy server settings.
- Select Panorama > Setup > Services and edit the Services settings.
- Configure the proxy server settings.
- Server—IP address or hostname of the proxy server.
- Port—Port for the proxy server.
- User—Administrator username to access the proxy server.
- Password—Password for the user to access the proxy server. Reenter the password when you Confirm Password.
- (Optional) Use proxy to fetch logs from Cortex Data Lake—If you’re using Cortex Data Lake for log storage, enable this setting.
- Click OK.
- (Best Practices) Create a service route to enable firewalls to connect to the internet. Palo Alto Networks recommends configuring a service route to ensure a high level of performance for Next-Gen firewalls using Enterprise DLP. By default, matched traffic is sent to the DLP cloud service for inspection through the management interface. Configuring a service route allows you to dedicate a specific Ethernet interface from which to send matched traffic to the DLP cloud service. For a multi-vsys firewall, the service route is a global configuration and is applied to all vsys of a multi-vsys firewall regardless of which vsys the service route belongs to. Create a service route for all supported firewall models running PAN-OS 10.1 or a later release.
- Select Device > Setup > Services and select the template that contains the Enterprise DLP configuration.
- Select Service Route Configuration in the Service Features and select Customize.
- Select Data Services and configure the Source Interface and Source Address. The source interface must have internet connectivity. See Configure Interfaces and Create an Address Object for more information on creating the source interface and address.
- Enable Data Services and click OK.
- Select Device > Setup > Content-ID > Content Cloud Settings and copy the FQDN in the Service URL section.
- Select Policies > Security and Add a Security policy rule that allows addresses to the Content Cloud Settings FQDN.
- Add a Security policy rule for dataplane service route traffic from the 127.168.0.0/16 source address to allow traffic originating from the firewall dataplane. You’re required to create this Security policy rule to enable the DLP cloud service to successfully scan files in specific scenarios. You can skip this step if the two scenarios below regarding the intrazone-default Security policy rule don’t apply to your configuration.
- If you created a cleanup Deny Security policy rule that precedes the intrazone-default Security policy rule. In this scenario, the intrazone-default action is set to Allow.
- If you modified the intrazone-default Security policy rule action from Allow to Deny.
- (Required for DLP 3.0.1 and earlier releases only) Create a decryption profile to remove application-layer protocol negotiation (ALPN) headers from uploaded files. Enterprise DLP supports HTTP/1.1. Some applications, such as SharePoint and OneDrive, support HTTP/2 for uploads by default. Strip ALPN is required to force applications using HTTP/2 to use HTTP/1.1 to make them compatible with Enterprise DLP.
- Select Objects > Decryption > Decryption Profile and specify the Device Group.
- Add a new decryption profile.
- Specify a descriptive Name.
- (Optional) Enable the Shared option to make this decryption profile available across all device groups.
- Select SSL Decryption > SSL Forward Proxy and enable Strip ALPN in the Client Extension.
- Click OK.
- (Required for DLP 3.0.1 and earlier releases only) Create a policy rule to remove ALPN headers from uploaded files.
- Select Policies > Decryption and specify the Device Group.
- Add a new decryption policy rule and configure it as appropriate.
- Select Options.
- For the Action, select Decrypt.
- Select the Decryption Profile you created.
- Click OK.
- Disable the Quick UDP Internet Connection (QUIC) protocol to deny traffic on ports 80 and 443. Many supported web applications, such as Gmail, require that you disable the QUIC protocol for Enterprise DLP to function correctly.
- Select Policies > Security and specify the Device Group.
- Add a Security policy rule that denies traffic that uses the quic application.
- Select Objects > Services and specify the Device Group.
- Add two services: one for UDP on port 80 and one for UDP on port 443. Newer versions of QUIC might be misidentified as unknown-udp. To account for this, Palo Alto Networks recommends that you add an additional Security policy rule to deny UDP traffic on those ports.
- Select Policies > Security and specify the Device Group.
- Add a Security policy rule that includes the services you created to deny traffic to UDP ports 80 and 443. When complete, you will have two Security policy rules: one that blocks the QUIC protocol and one that blocks UDP traffic on ports 80 and 443.
- Attach the data filtering profile to a Security policy rule. If needed, create a Security policy rule. To downgrade Panorama to an earlier PAN-OS version that doesn’t support Enterprise DLP, you must remove all Enterprise DLP data patterns and data filtering profiles referenced in your Security policy rules. Consider this when creating and organizing your policy rules that reference Enterprise DLP data patterns and filtering profiles. For example, create a device group to contain all your Security policy rules that contain references to Enterprise DLP data patterns and filtering profiles. This enables you to quickly modify the relevant policy rules should you need to downgrade Panorama to PAN-OS 10.0.1 or an earlier PAN-OS version.
- Select Policies > Security > Pre Rules and specify the Device Group.
- Select the Security policy rule to which you want to add the data filtering profile.
- Select Actions and set the Profile Type to Profiles.
- Select the Data Filtering profile you created.
- Click OK.
- Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation. This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs. The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
- Full configuration push from Panorama
- Select Commit > Commit to Panorama and Commit.
- Select Commit > Push to Devices and Edit Selections.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your managed firewalls that are using Enterprise DLP.
- Partial configuration push from Panorama. You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync. For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
- Select Commit > Commit to Panorama.
- Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit. In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
- Commit.
- Select Commit > Push to Devices.
- Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push. In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well. Click OK to continue.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your managed firewalls that are using Enterprise DLP.
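The Strip ALPN setting used in both the Strata Cloud Manager and Panorama decryption profile steps above acts at the TLS handshake level: the firewall removes the ALPN extension from the ClientHello, so the server is never offered h2 and the session falls back to HTTP/1.1, which Enterprise DLP can inspect. The following Python model is an added example, not Palo Alto Networks documentation or code; it builds a constructed ClientHello extensions block, removes the ALPN extension, and shows the effect on the negotiated protocol. The server-side preference logic is an assumed simplification for illustration.

```python
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation, RFC 7301

def build_alpn_extension(protocols):
    """Encode an ALPN extension: type, length, then a length-prefixed protocol list."""
    names = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXT_TYPE, len(body)) + body

def parse_extensions(blob):
    """Split a ClientHello extensions block into (type, data) pairs."""
    exts, i = [], 0
    while i < len(blob):
        ext_type, ext_len = struct.unpack_from("!HH", blob, i)
        i += 4
        exts.append((ext_type, blob[i:i + ext_len]))
        i += ext_len
    return exts

def alpn_protocols(blob):
    """Return the protocol names the client offers via ALPN ([] if no ALPN extension)."""
    for ext_type, data in parse_extensions(blob):
        if ext_type == ALPN_EXT_TYPE:
            total = struct.unpack_from("!H", data, 0)[0]
            names, j = [], 2
            while j < 2 + total:
                n = data[j]
                names.append(data[j + 1:j + 1 + n].decode())
                j += 1 + n
            return names
    return []

def strip_alpn(blob):
    """What a Strip ALPN decryption profile does: re-encode the block without type 16."""
    return b"".join(
        struct.pack("!HH", t, len(d)) + d
        for t, d in parse_extensions(blob)
        if t != ALPN_EXT_TYPE
    )

def negotiated_http_version(blob):
    """Assumed simplified server model: select h2 when offered, otherwise HTTP/1.1."""
    return "HTTP/2" if "h2" in alpn_protocols(blob) else "HTTP/1.1"

# Constructed sample (not a capture): an SNI extension (type 0) with a placeholder
# body, then an ALPN extension offering h2 before http/1.1 like an HTTP/2-capable client.
SNI_EXT = struct.pack("!HH", 0, 5) + b"dummy"
CLIENT_EXTS = SNI_EXT + build_alpn_extension(["h2", "http/1.1"])
```

Calling `negotiated_http_version(CLIENT_EXTS)` yields HTTP/2, while `negotiated_http_version(strip_alpn(CLIENT_EXTS))` yields HTTP/1.1, which is the downgrade the decryption profile relies on.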