Enable DLP on Prisma Access

Configure parameters to use DLP on Prisma Access successfully.
Complete these steps to use DLP on Prisma Access successfully.
  1. Create a decryption profile and a decryption policy rule that strip the ALPN extension from decrypted TLS sessions.
    DLP on Prisma Access inspects HTTP/1.1 only. Some applications, such as SharePoint and OneDrive, negotiate HTTP/2 for uploads by default. Stripping the Application-Layer Protocol Negotiation (ALPN) extension from the TLS ClientHello prevents the client and server from agreeing on HTTP/2, so the upload falls back to HTTP/1.1 and DLP can inspect it. To make uploads from applications that use HTTP/2 compatible with DLP on Prisma Access, complete these steps.
    1. Select Objects > Decryption > Decryption Profile.
      Choose any device group in the Device Group drop-down at the top of the page; decryption profiles are shared across device groups.
    2. Add a new profile and give it a Name.
    3. Select SSL Forward Proxy, then select Strip ALPN in the Client Extension area.
      (Figure: dlp-decryption-profile-strip-alpn.png)
    4. Select Policies > Decryption.
    5. Add a decryption policy rule and give it a Name.
    6. Select Options, then select the decryption profile you created.
      (Figure: dlp-decryption-policy-rule.png)
  2. Disable the QUIC protocol by adding services and security policy rules.
    Many supported web applications, such as Gmail, use QUIC (UDP-based HTTP/3) by default. Prisma Access cannot decrypt QUIC sessions, so traffic that uses QUIC is never seen by DLP. Blocking QUIC forces browsers to fall back to TCP-based HTTP, which Prisma Access can decrypt and inspect, and is therefore required for DLP on Prisma Access to function correctly.
    1. Select Policies > Security and Add a security policy rule that denies traffic using the quic application.
    2. Select Objects > Services and Add two services: one for UDP on port 80 and one for UDP on port 443.
      Newer versions of QUIC might be misidentified as unknown-udp. For this reason, Palo Alto Networks recommends adding services for UDP port 80 and UDP port 443 and creating an additional security policy rule that blocks UDP traffic on those ports.
      (Figure: dlp-quic-servicepolicy.png)
    3. Select Policies > Security and Add a security policy rule that uses the services you created to deny traffic to UDP ports 80 and 443.
      When complete, you will have two security policy rules: one that blocks the quic application and one that blocks traffic on UDP ports 80 and 443. Place both rules above any rule that allows general web traffic; rules are evaluated top down and the first match wins, so a broad allow rule placed earlier would let QUIC through.
      (Figure: dlp-quic-application-deny.png)
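The same two service objects and two deny rules expressed as Panorama XML API payloads, as an added example that is not code from the Palo Alto Networks page. It assumes the device-group name Mobile_User_Device_Group, the rule names Block-QUIC-App and Block-UDP-80-443, and that the objects belong in the device group's pre-rulebase; the XPaths follow the standard Panorama configuration tree, but verify them against your Panorama version before pushing.

```python
"""Build the QUIC-blocking objects from step 2 as Panorama XML API payloads.

Added example, not code from the Palo Alto Networks page. Assumptions: the
device-group name below, the rule names, and that objects go in the device
group's pre-rulebase. XPaths follow the standard Panorama config tree.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

DEVICE_GROUP = "Mobile_User_Device_Group"  # assumed; use your own device group
DG_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
            f"/device-group/entry[@name='{DEVICE_GROUP}']")


def _members(parent, tag, values):
    """Append <tag><member>v</member>...</tag> to parent (PAN-OS list syntax)."""
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def service_entry(name, protocol, port):
    """Service object: <entry name="udp-443"><protocol><udp><port>443</port></udp></protocol></entry>."""
    entry = ET.Element("entry", name=name)
    proto = ET.SubElement(ET.SubElement(entry, "protocol"), protocol)
    ET.SubElement(proto, "port").text = str(port)
    return entry


def deny_rule(name, applications, services, description):
    """Security rule denying the given applications/services from any zone to any zone."""
    entry = ET.Element("entry", name=name)
    for tag in ("from", "to", "source", "destination", "source-user", "category"):
        _members(entry, tag, ["any"])
    _members(entry, "application", applications)
    _members(entry, "service", services)
    ET.SubElement(entry, "action").text = "deny"
    # Log at session end so the Traffic log confirms QUIC is actually being dropped.
    ET.SubElement(entry, "log-end").text = "yes"
    ET.SubElement(entry, "description").text = description
    return entry


def build_quic_block():
    """Return (xpath, element-xml) pairs: two UDP services, then the two deny rules."""
    svc_xpath = f"{DG_XPATH}/service"
    rules_xpath = f"{DG_XPATH}/pre-rulebase/security/rules"
    elements = [
        (svc_xpath, service_entry("udp-80", "udp", 80)),
        (svc_xpath, service_entry("udp-443", "udp", 443)),
        (rules_xpath, deny_rule("Block-QUIC-App", ["quic"], ["any"],
                                "Deny the quic application so browsers fall back to TCP (DLP prerequisite)")),
        (rules_xpath, deny_rule("Block-UDP-80-443", ["any"], ["udp-80", "udp-443"],
                                "Catch newer QUIC versions that App-ID reports as unknown-udp")),
    ]
    return [(xp, ET.tostring(el, encoding="unicode")) for xp, el in elements]


def api_query(xpath, element, api_key):
    """Query string for one Panorama XML API set call: GET https://<panorama>/api/?<query>."""
    return urlencode({"type": "config", "action": "set", "xpath": xpath,
                      "element": element, "key": api_key})


if __name__ == "__main__":
    for xpath, element in build_quic_block():
        print(xpath)
        print("   ", element)
```

A set call appends a rule to the end of the pre-rulebase, so after pushing, move both deny rules above any rule that allows general web traffic, then commit and push as in step 6.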
  3. (Optional) Review the default values for snippets and data masking, and change them if your organization's compliance or policy rules require it. To do so, open a command-line interface (CLI) session with admin-level privileges on the Panorama that is running DLP on Prisma Access and enter the following commands.
    By default, Prisma Access retrieves snippets and puts them in the Data Filtering logs (Monitor > Logs > Data Filtering). Prisma Access stores these snippets in the logs for 90 days. The default data masking level is partial, which means that Prisma Access displays only the last four digits of the matched value in clear text.
    • Check the current configuration of snippets and data masking by entering the following command:
      admin@Panorama> request plugins cloud_services prisma-access dlp-get-snippets-config
      The following command output shows the default setting for snippets and data masking:
      admin@Panorama> request plugins cloud_services prisma-access dlp-get-snippets-config
      pass{"id": "7997000089575537664", "enable_snippets": true, "mask_level": "partial_mask"}
    • Enable or disable snippets by entering the following command:
      admin@Panorama> request plugins cloud_services prisma-access dlp-configure-snippets enable [no|yes]
      For example, to disable snippets, enter request plugins cloud_services prisma-access dlp-configure-snippets enable no.
    • Change the data masking level by entering the following command:
      admin@Panorama> request plugins cloud_services prisma-access dlp-configure-snippets masking-level [full_mask|no_mask|partial_mask]
      • A keyword of partial_mask displays only the last four digits in clear text.
      • A keyword of no_mask displays all the values in clear text.
      • A keyword of full_mask does not display any values.
    When a file is scanned, DLP on Prisma Access stores snippets of data for every data pattern match. These snippets are masked (full mask, partial mask, or no mask) based on the settings you configured. If DLP detects that a file was previously scanned and the file's contents were unchanged, scanning is skipped, and the verdict and snippets are returned based on the earlier scan.
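An audit helper for the snippet settings above, as an added example that is not code from the Palo Alto Networks page: it parses the dlp-get-snippets-config output, previews what each masking level exposes, and checks the setting against a hypothetical compliance rule. The sample output is the one quoted above; the compliance rule (require full_mask unless snippets are disabled) is an assumption, and the mask preview approximates the documented behaviour with asterisks, which is not necessarily how the Data Filtering log renders it.

```python
"""Audit the DLP snippet/masking configuration reported by the Panorama CLI.

Added example, not code from the Palo Alto Networks page. The compliance
rule and the '*' rendering in mask_preview are assumptions; the CLI commands
returned by remediation_commands are the ones documented above.
"""
import json
import re

# Ordered from most to least data exposed; used to compare mask levels.
MASK_ORDER = ("no_mask", "partial_mask", "full_mask")
CLI_PREFIX = "request plugins cloud_services prisma-access "

# Quoted from the documentation above (default settings).
SAMPLE_OUTPUT = ('pass{"id": "7997000089575537664", '
                 '"enable_snippets": true, "mask_level": "partial_mask"}')


def parse_snippets_config(cli_output):
    """Extract the JSON object from the plugin output; a status word such as 'pass' precedes it."""
    match = re.search(r"\{.*\}", cli_output, re.DOTALL)
    if not match:
        raise ValueError("no JSON object in plugin output")
    cfg = json.loads(match.group(0))
    if cfg.get("mask_level") not in MASK_ORDER or not isinstance(cfg.get("enable_snippets"), bool):
        raise ValueError(f"unexpected snippets config: {cfg}")
    return cfg


def mask_preview(value, level, keep=4):
    """Approximate how a matched value appears in the log at each mask level (assumed '*' rendering)."""
    if level == "no_mask":
        return value
    if level == "full_mask":
        return "*" * len(value)
    clear = value[-keep:] if len(value) > keep else value   # partial_mask: last four in clear
    return "*" * (len(value) - len(clear)) + clear


def check_policy(cfg, minimum_level="full_mask"):
    """Return (compliant, reason). Hypothetical policy: snippets off, or masked at least as strongly as minimum_level."""
    if not cfg["enable_snippets"]:
        return True, "snippets disabled; no matched data is stored in the logs"
    if MASK_ORDER.index(cfg["mask_level"]) >= MASK_ORDER.index(minimum_level):
        return True, f"snippets masked at {cfg['mask_level']}"
    return False, f"snippets stored with {cfg['mask_level']}; policy requires {minimum_level}"


def remediation_commands(cfg, minimum_level="full_mask", disable_snippets=False):
    """Documented CLI commands that bring a non-compliant configuration into line."""
    compliant, _ = check_policy(cfg, minimum_level)
    if compliant:
        return []
    if disable_snippets:
        return [CLI_PREFIX + "dlp-configure-snippets enable no"]
    return [CLI_PREFIX + f"dlp-configure-snippets masking-level {minimum_level}"]


if __name__ == "__main__":
    cfg = parse_snippets_config(SAMPLE_OUTPUT)
    for level in MASK_ORDER:
        print(f"{level:13s} -> {mask_preview('123-45-6789', level)}")   # constructed sample value
    print(check_policy(cfg), remediation_commands(cfg))
```

Because snippets are retained for 90 days, the masking level is effectively a decision about how much matched data sits in the log store; run the check after every change to the setting and after plugin upgrades, since the CLI is the only place the value is visible.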
  4. Identify what content is sensitive in your environment and determine the data patterns and data filtering profiles you require.
    1. Determine the type of data pattern you need.
      Prisma Access includes more than 250 predefined data patterns that cover commonly used types of sensitive data. If your requirements call for a custom data pattern, create a data pattern and specify its data detection techniques; otherwise, use one of the predefined data patterns for your sensitive content.
    2. Determine the type of data filtering profile you need.
      Prisma Access includes many predefined data filtering profiles for specific needs, such as financial and healthcare-specific profiles. If your requirements call for a custom data filtering profile, create a data filtering profile, add data patterns to it, and specify the matching criteria and confidence levels; otherwise, use one of the existing data filtering profiles in the security policy rule you create.
  5. Attach the data filtering profile to a security policy rule.
    1. Select Policies > Security > Pre Rules.
      Select the correct device group from the drop-down list: Mobile_User_Device_Group for mobile users or Remote_Network_Device_Group for remote networks. A profile attached in only one device group inspects only that population; if both mobile users and remote networks must be covered, repeat this step in both device groups.
    2. Add a new policy rule, or select an existing policy rule to modify it.
    3. Select Actions, then select a Profile Setting of Profiles.
    4. Attach the Data Filtering profile you created earlier to the security policy rule.
    5. Click OK.
      (Figure: dlp-security-policy-rule.png)
  6. Commit and Push your changes to make them active in Prisma Access.
    After you configure DLP, you can view the DLP logs, including the snippets that Prisma Access retrieved as the result of an Alert or Block action.
  7. (Optional) Test the functionality of DLP on Prisma Access.
    1. Create a document with a supported file type and enter sensitive data in the file.
      For example, if you use the predefined data filtering profile Sensitive Content in a security policy rule, create a Microsoft Word .docx file and enter data in the format of a United States Social Security Number (SSN). Use constructed test values, never real personal data.
    2. Connect to Prisma Access with the GlobalProtect app.
    3. Use a supported upload method (such as OneDrive) to upload the file.
      You can upload multiple files; however, if you use Box to upload multiple files and one or more of them is larger than 5 MB, the upload of all files does not complete. To continue, find the files in Box that are larger than 5 MB and click X to stop the upload of those files.
      (Figure: dlp-box-delete-files.png)
    4. View the DLP logs (Monitor > Logs > Data Filtering) to verify that DLP on Prisma Access applied the action you specified in the security policy rule.
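A generator for the test document in step 7, as an added example that is not code from the Palo Alto Networks page. It writes a minimal .docx (WordprocessingML package) with only the standard library, then re-reads it to confirm an SSN-format value is really present in the document text before you upload it. The SSN value is constructed test data, the SSN regular expression is a local pre-check only and not Prisma Access's predefined pattern, and the output file name is an assumption.

```python
"""Create a .docx containing SSN-format test data for a DLP upload test.

Added example, not code from the Palo Alto Networks page. The SSN value is
constructed test data; SSN_RE is a local sanity check, not the predefined
Prisma Access pattern; the file name is an assumption.
"""
import io
import re
import zipfile
from xml.sax.saxutils import escape, unescape

# The three parts every .docx needs: content types, package relationships, the document body.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>')
RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    '</Relationships>')
DOCUMENT = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body>{body}</w:body></w:document>')

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed test content. The "SSN:" label mirrors how such data appears in real
# documents; patterns that weight nearby keywords score the match higher.
TEST_LINES = [
    "DLP test document (constructed sample data, no real personal data)",
    "Employee SSN: 123-45-6789",
]


def build_docx(lines):
    """Return the bytes of a .docx with one paragraph per line."""
    body = "".join(
        f'<w:p><w:r><w:t xml:space="preserve">{escape(line)}</w:t></w:r></w:p>' for line in lines)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", CONTENT_TYPES)
        pkg.writestr("_rels/.rels", RELS)
        pkg.writestr("word/document.xml", DOCUMENT.format(body=body))
    return buf.getvalue()


def document_text(docx_bytes):
    """Extract the <w:t> runs from word/document.xml (sufficient for files this script produced)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        xml = pkg.read("word/document.xml").decode("utf-8")
    return [unescape(t) for t in re.findall(r"<w:t[^>]*>(.*?)</w:t>", xml)]


def ssns_in_docx(docx_bytes):
    """Local pre-check: SSN-format strings actually present in the document text."""
    return [m for line in document_text(docx_bytes) for m in SSN_RE.findall(line)]


def write_test_file(path="dlp-ssn-test.docx"):
    """Write the test document and refuse to produce one that would not exercise the SSN pattern."""
    data = build_docx(TEST_LINES)
    if not ssns_in_docx(data):
        raise RuntimeError("generated document contains no SSN-format value")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    print("wrote", write_test_file())
```

Upload the file through a connected GlobalProtect client as in step 3, then look for the file name in Monitor > Logs > Data Filtering; if the matched value appears with only its last four digits visible, the partial_mask default from step 3 is in effect.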
