Register and Activate DLP on Prisma Access

Complete the task to register and activate DLP on Prisma Access.
DLP on Prisma Access enables you to secure remote networks and users, and requires an add-on license. You can either purchase a license or try the 60-day trial.
When you request a trial from the web interface, you must wait 24 hours for the request to be processed. After the trial is approved, Palo Alto Networks lets you use the product for 60 days, followed by a 30-day grace period in which to purchase a license. Palo Alto Networks deactivates DLP on Prisma Access 90 days after the start of the trial if you do not purchase a license.
When you purchase a license, all you need to do is activate it in this workflow. The welcome email that you receive when you purchase Enterprise DLP includes an auth code; disregard it. The auth code is processed for you automatically, so you only need to follow the instructions in this workflow.
To register and activate DLP on Prisma Access, complete the following steps.
If you have existing data patterns and data filtering profiles in a Prisma Access-specific device group (Service_Conn_Device_Group, Remote_Network_Device_Group, or Mobile_User_Device_Group), the patterns and profiles will be removed after you register and activate DLP on Prisma Access.
  1. Check the minimum Panorama and content version on the Panorama appliance on which you will install DLP on Prisma Access, and upgrade your Panorama or content version if required.
    The minimum required Panorama version is 9.0.4, and the minimum required content version is 8190.
    If you have DLP on Prisma Access enabled for more than one Prisma Access instance in a single Customer Service Portal (CSP) account, data filtering profiles are synchronized across all instances. This behavior can result in unexpected consequences; for example, the deletion of a custom data pattern or data filtering profile for one instance does not delete that pattern or profile for other instances in the CSP account. For this reason, Palo Alto Networks recommends that you move each Prisma Access instance to its own CSP account.
  2. Activate and install Prisma Access and configure your settings for the Prisma Access service infrastructure; then, configure your mobile users deployment, your remote networks deployment, or both, depending on your Prisma Access license.
    Skip this step if you’ve already configured Prisma Access.
  3. Perform the following pre-checks to make sure that your environment is ready to request Enterprise DLP on Prisma Access:
    • Be sure that Panorama can access the dss.paloaltonetworks.com URL.
      Add this URL to the allow list on any security appliance that you use with the Panorama appliance. In addition, if your Panorama appliance uses a proxy server (Panorama > Setup > Service > Proxy Server), or if you use SSL forward proxy with Prisma Access, be sure to add dss.paloaltonetworks.com to the allow list on the proxy server.
    • If you are using the same parent device group for on-premises firewalls and Prisma Access firewalls, and would like to use the parent device group to configure security policy rules, open a command-line interface (CLI) session in Prisma Access and enter the request plugins cloud_services prisma-access dlp-enable-config-in-shared command. This command makes a copy of the data filtering profile in the Shared device group that can be read by the on-premises firewalls.
      If you do not enter this command, you cannot refer to the data filtering profiles with Enterprise DLP in non-Prisma Access device groups, because the Enterprise DLP data filtering profiles are only available in the Prisma Access device group.
    • Select Panorama > Administrators and verify that the __cloud_services user is present.
      After you install the Cloud Services plugin, the plugin creates a Panorama administrative user with the username __cloud_services. This user account is required to enable communication between Enterprise DLP on Prisma Access and the Prisma Access management infrastructure. Palo Alto Networks recommends that you change the password for this administrative user in accordance with your organization’s password policy.
      If you delete the __cloud_services user, you must re-add the user manually. The account is used to register and activate Enterprise DLP on Prisma Access, and for continued DLP scanning using the data patterns and data filtering profiles referenced in security policy rules.
  4. Log in to Prisma Access and select Panorama > Cloud Services > Configuration > Service Setup.
  5. In the Service Operations area, select Activate Enterprise DLP or Request a Trial.
    If you have purchased an add-on Enterprise DLP license, the Enterprise DLP capabilities are ready for use when you click the link. Disregard the auth code in the welcome email you received with your purchase; it is processed for you automatically.
    A page displays indicating that your existing data filtering settings will be removed after your DLP on Prisma Access request is approved.
    After you register and activate DLP on Prisma Access, the Cloud Services plugin enables DLP-specific features in the following areas in Panorama.
    If you have any existing data patterns, they will be removed when you register and activate DLP on Prisma Access.
    • Device > Data Filtering Settings—Allows you to specify global settings for data filtering based on latency, file size, and logging for files that are not scanned.
    • Objects > Custom Objects > Data Patterns—Specifies patterns that you use with the data filtering profile.
    • Objects > Security Profiles > Data Filtering—Adds a data pattern to a data filtering profile and specifies additional parameters to send an alert or block action for files that match the patterns you specify.
    • Device > Response Pages > Data Filtering Block Page—Adds a customizable page that displays to users when Prisma Access blocks a file using a DLP-based security policy.
  6. For a trial, select Yes to request DLP on Prisma Access.
    A page displays indicating that your request was received and is being evaluated. Do not open a case during this evaluation period.
  7. Wait 24-48 hours; then select Panorama > Cloud Services > Configuration > Service Setup and reselect Activate Enterprise DLP or Request a Trial to see the results of your request.
    • If the DLP on Prisma Access request was approved, a pop-up window displays indicating that Enterprise DLP has been activated and the Panorama appliance displays a banner indicating that DLP configuration has changed and a push is required. If you see this page and banner, Commit and Push your changes, then enable DLP on Prisma Access.
    • If you receive a page that indicates that your request was received and is being evaluated, either your request is still being processed or it wasn’t approved; you can retry the request in 24 hours to see its status. Do not open a case when this request is being evaluated.
    • If you receive a message that Enterprise DLP activation was unsuccessful, the request is approved, but Prisma Access has not yet provisioned the infrastructure. If you see this message, open a support case on the Customer Service Portal (CSP).
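The version pre-check in step 1 can be scripted rather than read off the web interface. The following is an added example, not code from the Palo Alto Networks documentation: it parses the reply of the Panorama XML API op command show system info (the sw-version and app-version fields that command returns) and compares them against the 9.0.4 and 8190 minimums; the sample XML replies are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Minimums stated in the procedure: Panorama 9.0.4 and content release 8190.
MIN_PANORAMA = (9, 0, 4, 0)
MIN_CONTENT = 8190

# Constructed sample of a Panorama XML API reply to the op command
# <show><system><info></info></system></show>, trimmed to the fields used here.
SAMPLE_OK = """<response status="success"><result><system>
  <hostname>panorama-lab</hostname>
  <sw-version>9.1.3-h1</sw-version>
  <app-version>8341-6409</app-version>
</system></result></response>"""

# Constructed sample of an appliance that fails both minimums.
SAMPLE_OLD = SAMPLE_OK.replace("9.1.3-h1", "9.0.3").replace("8341-6409", "8180-5000")


def parse_sw_version(text):
    """'9.0.4' or '9.1.3-h1' -> (major, minor, maint, hotfix) for tuple comparison."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def parse_content_version(text):
    """'8341-6409' -> 8341: the leading number is the content (app) release."""
    m = re.match(r"\d+", text.strip())
    if not m:
        raise ValueError(f"unrecognised content version: {text!r}")
    return int(m.group())


def check_dlp_prereqs(show_system_info_xml):
    """Report whether sw-version and app-version in the reply meet the DLP minimums."""
    root = ET.fromstring(show_system_info_xml)
    system = root.find("./result/system")
    if root.get("status") != "success" or system is None:
        raise ValueError("not a successful show system info response")
    sw = parse_sw_version(system.findtext("sw-version", ""))
    content = parse_content_version(system.findtext("app-version", ""))
    return {
        "sw_version": sw, "sw_ok": sw >= MIN_PANORAMA,
        "content_version": content, "content_ok": content >= MIN_CONTENT,
    }


if __name__ == "__main__":
    for name, xml in (("current", SAMPLE_OK), ("outdated", SAMPLE_OLD)):
        print(name, check_dlp_prereqs(xml))
```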
