>
    Strata Copilot
    Data Profiles
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Administration
    4. Configure Enterprise DLP
    5. Data Profiles
    Download PDF
    Enterprise DLP

    Data Profiles

    Table of Contents

    Data Profiles

    Create and configure an Enterprise Data Loss Prevention (E-DLP) profile.
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Prisma Browser
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    Enterprise Data Loss Prevention (E-DLP) data profiles are a collection of predefined and custom data patterns, advanced detection methods, or predefined and custom data profiles that define the sensitive content that want to inspect for.
    Data Profiles remain inactive until attached to a Security policy rule. Once attached, the enforcement point forwards matching traffic to Enterprise DLP for inspection. Depending on the data filtering profile (Panorama) or DLP rule setting, Enterprise DLP instructs the enforcement point to either generate an alert or block the traffic.
    Enterprise DLP supports two types of detection coverage for data profiles:
    • (Default) Cloud Only
      By default, enforcement points forward traffic to Enterprise DLP when traffic matches any predefined and custom data patterns, advanced detection methods, or predefined and custom data profiles. A data profile configured for Cloud Only detection coverage is a data profile that includes at least one match criteria that requires forwarding traffic to Enterprise DLP to render a verdict.
    • Cloud & Local
      You can configure a data profile for Cloud & Local detection coverage on Strata Cloud Manager if you have a Prisma Browser license. For detection methods that support local detection, Prisma Browser inspects all sensitive data that matches a data profile configured locally on the browser. All other enforcement points continue to forward traffic to Enterprise DLP.
      A data profile configured for Cloud & Local detection is one configured exclusively with detection methods supported for local Prisma Browser detection:
      • Predefined and custom regex data patterns. Data patterns supported for local detection display
        .
      • Data Dictionaries
      • (Nested and Granular) predefined and custom data profiles only containing detection methods supported for local Prisma Browser detection
      You can toggle the Local Detection filter when creating or editing a data profile to display just the detection methods supported for local detection.
    You can create a data profile for either Cloud Only or Cloud & Local detection. However, You can't disable local detection. If you want to create a data profile explicitly for Cloud Only detection, you must only add detection methods supported for cloud detection.
    Enterprise DLP supports the following number of detection methods per data profile:
    • Panorama running PAN-OS 10.2.3 or earlier release and DLP plugin 3.0.3 or earlier release—A data profile supports up to 10 data patterns for a Block rule and 50 data patterns for an Alert rule.
    • Panorama running PAN-OS 10.2.4 or later release and DLP plugin 3.0.4 or later release—No limit for the number of data patterns or advanced detection methods you can add to a data profile. No limit to the number of data profiles you can add to a granular data profile.
    • Strata Cloud Manager—No limit for the number of data patterns or advanced detection methods you can add to a data profile. No limit to the number of data profiles you can add to a nested or granular data profile.
    Even though Panorama running PAN-OS 10.2.4 or later release and DLP plugin 3.0.4 or later release has no limit to the number of data patterns you can add to a data profile, the DLP plugin displays only the first 50 predefined or custom data patterns, advanced detection methods, or data profiles added. However, Enterprise DLP has full knowledge of the entire data profile despite what the DLP plugin displays.
    This applies to data filtering profiles created on Panorama and data profiles created on Strata Cloud Manager and synchronized to Panorama.
    You can't delete data profiles after creation. See the Supported Data Profile Actions for more information on the data profile actions Enterprise DLP supports.
    Data Profile Type
    Description
    Predefined Data Profiles
    Enterprise DLP includes many predefined data profiles that you can immediately use to detect sensitive data.
    Create a Data Profile
    A data profile that can use any predefined data pattern, regular expression (regex) data patterns and custom file property data patterns, and advanced detection methods.
    Create a Nested Data Profile
    A nested data profile contains multiple data profiles and enables your data security administrator to consolidate the match criteria to prevent exfiltration of sensitive data to a single data profile that you can associate with a single Security policy rule.
    For a nested data profile, the DLP rule settings apply to all data profiles added to the nested data profile.
    Create a Granular Data Profile
    A granular data profile contains multiple data profiles and enhance your detection capabilities by enabling your data security administrators to apply differentiated inline content inspection requirements and response actions within the same Security policy rule.
    For a granular data profile, your data security administrator configures the DLP rule settings for each data profile added to the granular data profile.
    Update a Data Profile
    Update your data profiles to modify the match criteria and settings.
    Test a Data Profile
    		Test the efficacy of your data profiles on Strata Cloud Manager before pushing them to your enforcement points.
    Resolve Data Profile Synchronization Conflicts
    		Resolve data profile synchronization conflicts between Strata Cloud Manager and Panorama that can lead configurations commit failures or for data filtering profiles to be silently overwritten, which can cause security disruptions and protection gaps.

    © 2026 Palo Alto Networks, Inc. All rights reserved.