Register and Activate DLP on Prisma Access
Complete the task to register and activate DLP on Prisma Access.
DLP on Prisma Access enables you to secure remote networks and users, and requires an add-on license. You can either purchase a license or try the 60-day trial.
When you request a trial from the web interface, you must wait 24 hrs for the request to be processed. After the 60-day trial is approved, Palo Alto Networks lets you try the product for 60 days, along with a 30-day grace period to allow you to purchase the license. Palo Alto Networks deactivates DLP on Prisma Access 90 days after the start of the trial if you do not purchase a license.
When you purchase a license, all you need to do it activate it in this workflow. The welcome email that you receive when you purchase Enterprise DLP includes an auth code. Please disregard the auth code in the email. The auth code in the email is automatically processed for you, all you need to do is follow the instructions in this workflow.
To register and activate DLP on Prisma Access, complete the following steps.
- The minimum required Panorama version is 9.0.4, and the minimum required content version is 8190.If you have DLP on Prisma Access enabled for more than one Prisma Access instance in a single Customer Service Portal (CSP) account, data filtering profiles are synchronized across all instances. This behavior can result in unexpected consequences; for example, the deletion of a custom data pattern or data filtering profile for one instance does not delete that pattern or profile for other instances in the CSP account. For this reason, Palo Alto Networks recommends that you move each Prisma Access instance to its own CSP account.
- Perform the following pre-checks to make sure that your environment is ready to request Enterprise DLP on Prisma Access:
- Be sure that Panorama can access thedss.paloaltonetworks.comURL.Add this URL to the allow list on any security appliance that you use with the Panorama appliance. In addition, if your Panorama appliance uses a proxy server (), or if you use SSL forward proxy with Prisma Access, be sure to addPanoramaSetupServiceProxy Serverdss.paloaltonetworks.comto the allow list on the proxy server.
- If you are using the same parent device group for on-premise firewalls and Prisma Access firewalls, and would like to use the parent device group to configure security policy rules, open a command-line interface (CLI) session in Prisma Access and enter therequest plugins cloud_services prisma-access dlp-enable-config-in-sharedcommand. This command makes a copy of the data filtering profile in theShareddevice group that can be read by the on-premise firewalls.If you do not enter this command, you cannot refer to the data filtering profiles with Enterprise DLP in non-Prisma Access device groups, because the Enterprise DLP data filtering profiles are only available in the Prisma Access device group.
- Selectand verify that thePanoramaAdministrators__cloud_servicesuser is present.After you install the Cloud Services plugin, the plugin creates a Panorama administrative user with a username of__cloud_services. This user account is required to enable communication between Enterprise DLP on Prisma Access and the Prisma Access management infrastructure. Palo Alto Networks recommends that you change the password for this administrative user in accordance with your organization’s password policy.If you delete the__cloud_servicesuser, you must re-add the user manually. The account is used to register and activate Enterprise DLP on Prisma Access, and for continued DLP scanning using the data patterns and data filtering profiles referenced in security policy rules.
- Log in to Prisma Access and select.PanoramaCloud ServicesConfigurationService Setup
- In theService Operationsarea, selectActivate Enterprise DLP or Request a Trial.If you have purchased an add-on Enterprise DLP license, when you click the link the Enterprise DLP capabilities are ready for use. Please disregard the auth code in the welcome email you received with your purchase. The auth code in the email is automatically processed for you.A page displays indicating that your existing data filtering settings will be removed after your DLP on Prisma Access request is approved.After you register and active DLP on Prisma Access, the Cloud Services plugin enables DLP-specific features in the following areas in Panorama.If you have any existing data patterns, they will be removed when you register and activate the DLP on Prisma Access.
- —Allows you to specify global settings for data filtering based on latency, file size, and logging for files that are not scanned.DeviceData Filtering Settings
- —Specifies patterns that you use with the data filtering profile.ObjectsCustom ObjectsData Patterns
- —Adds a data pattern to a data filtering profile and specify additional parameters to send an alert or block action for files that match the patterns you specify.ObjectsSecurity ProfilesData Filtering
- —Adds a customizable page that displays to users when Prisma Access blocks a file using a DLP-based security policy.DeviceResponse PagesData Filtering Block Page
- For a trial, selectYesto request DLP on Prisma Access.A page displays indicating that your request was received and is being evaluated. Do not open a case during this evaluation period.
- Wait 24-48 hours; then selectand reselectPanoramaCloud ServicesConfigurationService SetupActivate Enterprise DLP or Request a Trialto see the results of your request.
- If the DLP on Prisma Access request was approved, a pop-up window displays indicating that Enterprise DLP has been activated and the Panorama appliance displays a banner indicating that DLP configuration has changed and a push is required. If you see this page and banner,CommitandPushyour changes, then enable DLP on Prisma Access.
- If you receive the page that indicates that your request was received and is being evaluated, either your request is still being processed or it wasn’t approved; you can retry the request in 24 hours to see its status. Do not open a case when this request is being evaluated.
- If you receive a message thatEnterprise DLP activation was unsuccessful, the request is approved, but Prisma Access has not yet provisioned the infrastructure. If you see this message, open a support case on the Customer Service Portal (CSP).
Recommended For You
Recommended videos not found.