Enterprise DLP
Data Profiles
Create and configure an Enterprise Data Loss Prevention (E-DLP) profile.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP
addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services.
Review the Enterprise DLP Release Notes for more information.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Or any of the following licenses that include the Enterprise DLP license
|
To get started, you’ll first create a data pattern that specifies the information
types and fields that you want enforcement points to filter. Then, you attach that
pattern to a data filtering profile, which specifies how you want to enforce the content
that the firewall filters. Add the data filtering profile to a Security policy rule to
start filtering traffic matching the rule.
Enterprise Data Loss Prevention (E-DLP) profiles specify how you want to enforce the sensitive content that you’re
filtering. Predefined data profiles have data patterns
that include industry-standard data identifiers, keywords, and built-in logic in the
form of machine learning, regular expressions, and checksums for legal and financial
data patterns.
Enterprise DLP profiles are active only when they’re attached to a Security policy rule;
they scan traffic that matches the rule. If a user uploads a file that matches a data
pattern, an alert is triggered or the file is blocked (depending on the action you
define in the DLP profile).
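The following added example (not Palo Alto Networks code and not Enterprise DLP's detection logic) shows why a data pattern pairs a regular expression with a checksum, and how the profile action turns a match into an alert or a block. The payment card pattern, the Luhn checksum, and every function name are assumptions chosen for illustration.

```python
import re

# Assumed pattern: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return masked hits that pass both the regex and the checksum."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Mask all but the last four digits so the finding is safe to log.
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def evaluate_upload(text: str, action: str) -> str:
    """Map a match to the profile action; 'allow' when nothing matches."""
    if action not in ("alert", "block"):
        raise ValueError(f"unsupported action: {action}")
    return action if find_card_numbers(text) else "allow"


# Constructed sample upload: the first number fails the checksum, the second
# is the widely published 4111... test card number.
SAMPLE = (
    "Order 1234567890123456 shipped.\n"
    "Card on file: 4111 1111 1111 1111\n"
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE))
    print(evaluate_upload(SAMPLE, "block"))
```

The regex alone would flag both numbers in the sample; the checksum discards the order number, which is the false-positive reduction the built-in logic is there to provide.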
- Panorama running PAN-OS 10.2.3 or earlier release and DLP plugin 3.0.3 or earlier release—A data profile supports up to 10 data patterns for a Block rule and 50 data patterns for an Alert rule.
- Panorama running PAN-OS 10.2.4 or later release and DLP plugin 3.0.4 or later release—No limit for the number of data patterns that you can add to a data profile.
- Strata Cloud Manager—No limit for the number of data patterns or advanced detection methods you can add to a data profile.
Even though Panorama running PAN-OS 10.2.4 or later release
and DLP plugin 3.0.4 or later release has no limit to the number of data patterns
you can add to a data profile, the DLP plugin displays only the first 50 predefined or custom data patterns, advanced detection methods, or data profiles added.
However, Enterprise DLP has full knowledge of the entire data profile despite
what the DLP plugin displays.
This applies to data filtering profiles created on Panorama and data
profiles created on Strata Cloud Manager and synchronized to Panorama.
You can't delete data profiles after creation. See the Supported Data Profile Actions for more
information on the data profile actions Enterprise DLP supports.
| Data Profile Type | Description |
|---|---|
| | Enterprise DLP includes many predefined data profiles that you can immediately use to detect sensitive data. |
| | A data profile that can use any predefined data pattern, regular expression (regex) data patterns and custom file property data patterns, and advanced detection methods. You can configure a data profile for Local Detection if you have a Prisma Browser license. A data profile configured for Local Detection means that inspection of sensitive data against the traffic match criteria occurs locally on Prisma Browser rather than being sent to the Enterprise DLP cloud detection engine. If you have an active Prisma Browser but no active Enterprise DLP license, you can create a data profile for Local Detection only. |
| | A nested data profile contains multiple data profiles and enables your data security administrator to consolidate the match criteria for preventing exfiltration of sensitive data into a single data profile that you can associate with a single Security policy rule. For a nested data profile, the DLP rule settings apply to all data profiles added to the nested data profile. You can configure a data profile for Local Detection if you have a Prisma Browser license. A data profile configured for Local Detection means that inspection of sensitive data against the traffic match criteria occurs locally on Prisma Browser rather than being sent to the Enterprise DLP cloud detection engine. If you have an active Prisma Browser but no active Enterprise DLP license, you can create a data profile for Local Detection only. |
| | A granular data profile contains multiple data profiles and enhances your detection capabilities by enabling your data security administrators to apply differentiated inline content inspection requirements and response actions within the same Security policy rule. For a granular data profile, your data security administrator configures the DLP rule settings for each data profile added to the granular data profile. You can configure a data profile for Local Detection if you have a Prisma Browser license. A data profile configured for Local Detection means that inspection of sensitive data against the traffic match criteria occurs locally on Prisma Browser rather than being sent to the Enterprise DLP cloud detection engine. If you have an active Prisma Browser but no active Enterprise DLP license, you can create a data profile for Local Detection only. |
| | Update your data profiles to modify the match criteria and settings. |
| | Test the efficacy of your data profiles on Strata Cloud Manager before pushing them to your enforcement points. |
| | Resolve data profile synchronization conflicts between Strata Cloud Manager and Panorama that can lead to configuration commit failures or to data filtering profiles being silently overwritten, which can cause security disruptions and protection gaps. |