Enterprise DLP Administration

The document provides an overview of the Administration guide for Palo Alto Networks' Enterprise Data Loss Prevention (E-DLP) as of April 2025, detailing configuration, monitoring, and management of data protection policies. It includes sections on data patterns, profiles, and specific features such as email and endpoint DLP, as well as guidelines for using regular expressions. Additionally, it highlights new service IP addresses for improved performance and the importance of allowing these on networks to prevent service disruptions.


Administration

April 2025

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2021-2025 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
April 14, 2025

Administration April 2025 2 ©2025 Palo Alto Networks, Inc.


Table of Contents
Configure Enterprise DLP................................................................................ 7
Data Patterns................................................................................................................................ 9
Configure Regular Expressions...................................................................................10
Create a Custom Data Pattern...................................................................................15
Create a File Property Data Pattern......................................................................... 21
Add Custom Match Criteria to a Predefined Data Pattern................................. 27
Data Profiles............................................................................................................................... 30
Create a Classic Data Profile...................................................................................... 31
Create an Advanced Data Profile.............................................................................. 51
Create a Nested Data Profile..................................................................................... 57
Update a Data Profile...................................................................................................61
Test a Data Profile........................................................................................................ 66
Resolve Data Profile Synchronization Conflicts.....................................................70
Enable Existing Data Patterns and Filtering Profiles........................................................ 75
Modify a DLP Rule on Strata Cloud Manager................................................................... 80
Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP........... 84
Reduce False Positive Detections.........................................................................................86
Exact Data Matching (EDM)...................................................................................................89
Supported EDM Data Set Formats........................................................................... 90
Set Up the EDM CLI App............................................................................................95
Configure EDM CLI App Connectivity to Enterprise DLP................................... 98
Upload an Encrypted EDM Data Set to Enterprise DLP Using a Configuration File.................... 104
Create and Upload an Encrypted EDM Data to Enterprise DLP in Interactive Mode......................114
Update an Existing EDM Data Set on Enterprise DLP.......................................119
Enterprise DLP End User Alerting with Cortex XSOAR................................................ 122
About Enterprise DLP End User Alerting with Cortex XSOAR........................ 122
Set Up Enterprise DLP End User Alerting with Cortex XSOAR....................... 124
Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR.......... 141
View the Enterprise DLP End User Alerting with Cortex XSOAR Response History.....................144
Inspection of Contextual Secrets for Chat Applications............................................... 147
About Inspection of Contextual Secrets............................................................... 147
Contextual Chat Examples........................................................................................149
Configure SaaS Security to Inspect for Contextual Secrets..............................150
Enterprise DLP and AI Apps................................................................................................ 152
How Enterprise DLP Safeguards Against ChatGPT Data Leakage.................. 152

Administration April 2025 3 ©2025 Palo Alto Networks, Inc.


Table of Contents

Create a Security Policy Rule for ChatGPT.......................................................... 155


Custom Document Types for Enterprise DLP................................................................. 167
About Custom Document Types.............................................................................167
Upload a Custom Document Type......................................................................... 170
Test a Custom Document Type...............................................................................175
Email DLP..................................................................................................................................178
How Does Email DLP Work?................................................................................... 178
Onboard Microsoft Exchange Online.....................................................................182
Onboard Gmail.............................................................................................................230
Add an Email DLP Policy Rule................................................................................. 259
Review Email DLP Incidents.....................................................................................267
Why Are Emails Not Being Blocked?.....................................................................271
Endpoint DLP...........................................................................................................................275
How Does Endpoint DLP Work?............................................................................ 275
Add a Peripheral.......................................................................................................... 278
Create a Peripheral Group........................................................................................ 283
Create an Endpoint DLP Policy Rule......................................................................286
Troubleshoot Endpoint DLP..................................................................................... 299
Data Dictionaries.................................................................................................................... 302
Recommendations for Security Policy Rules....................................................................306
Enterprise DLP Migrator....................................................................................................... 309

Monitor Enterprise DLP...............................................................................317


Monitor DLP Status with the DLP Health and Telemetry App................................... 318
Access the DLP Health and Telemetry Dashboard on Strata Cloud Manager............................ 318
Monitor DLP Service Status..................................................................................... 319
View Enterprise DLP Log Details....................................................................................... 320
Manage Enterprise DLP Incidents...................................................................................... 336
View Enterprise DLP Audit Logs........................................................................................ 338
Reasons for Inspection Failure............................................................................................ 343
Save Evidence for Investigative Analysis with Enterprise DLP....................................347
Set Up SFTP Storage to Save Evidence................................................................ 348
Set Up Cloud Storage on AWS to Save Evidence...............................................353
Set Up Cloud Storage on Microsoft Azure to Save Evidence...........................366
Download Files for Evidence Analysis................................................................... 371
Data Risk................................................................................................................................... 373
What Is Data Risk?..................................................................................................... 373
Analyze the Data Risk Dashboard.......................................................................... 375
Configure Risk Score Ranges................................................................................... 380
Configure Risk Factor Importance.......................................................................... 381

Configure Severity for Data Profiles...................................................................... 383


Data Risk Recommendations....................................................................................385
End User Coaching................................................................................................................. 387
Data Asset Explorer............................................................................................................... 396
Report a False Positive Detection...................................................................................... 401

Configure Enterprise DLP
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

Create and configure Enterprise Data Loss Prevention (E-DLP) data patterns and filtering profiles
for use in Security policy rules to enforce your organization’s data security standards to prevent
accidental data misuse, loss, or theft.
• Data Patterns
• Data Profiles
• Enable Existing Data Patterns and Filtering Profiles
• Modify a DLP Rule on Strata Cloud Manager
• Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP
• Reduce False Positive Detections
• Exact Data Matching (EDM)
• Enterprise DLP End User Alerting with Cortex XSOAR
• Inspection of Contextual Secrets for Chat Applications
• Enterprise DLP and AI Apps
• Custom Document Types for Enterprise DLP
• Email DLP
• Endpoint DLP
• Data Dictionaries
• Recommendations for Security Policy Rules
• Enterprise DLP Migrator

Data Patterns

Enterprise Data Loss Prevention (E-DLP) data patterns specify what content is sensitive and
needs to be protected—this is the content you’re filtering.
Predefined data patterns and built-in settings make it easy for you to protect files that contain
certain file properties (such as document title or author), credit card numbers, regulated
information from different countries (such as driver’s license numbers), and third-party DLP labels.
To improve detection rates for sensitive data in your organization, you can supplement predefined
data patterns by creating custom data patterns that are specific to your content inspection and
data protection requirements. In a custom data pattern, you can also define regular expressions
and file properties to look for metadata or attributes in the file’s custom or extended properties
and use it in a data filtering profile.
• Configure Regular Expressions
• Create a Custom Data Pattern
• Create a File Property Data Pattern
• Add Custom Match Criteria to a Predefined Data Pattern

Configure Regular Expressions

The regular expression builder in Enterprise Data Loss Prevention (E-DLP) provides an easy
mechanism to configure regular expressions (regex for short), which you define when you create
a custom data pattern. You can use the regular expression builder to construct a data pattern
expression, view matches, filter occurrences and weight thresholds, and assess match results to
determine if the content poses a risk to your organization.
There are two types of regular expressions:
• Basic—Searches for a specific text pattern. Enterprise DLP displays the match occurrences when
inspected traffic matches the data pattern match criteria.
• Weighted—Assigns a score to a text entry. When the score threshold is exceeded, such as
enough expressions from a pattern match an asset, the service returns a match for the pattern.
To reduce false-positives and maximize the search performance of your regular expressions,
you can assign scores using the weighted regular expression builder in Enterprise DLP to find
and calculate scores for the information that’s important to you. Scoring applies to a match
threshold, and when a threshold is exceeded, such as enough words from a pattern are found
in a document, the document will be indicated as a match for the pattern.
Use Case: Calculating and Scoring a weighted regular expression
For example, Joe is an employee at a water treatment plant and needs to compile user data on
a proprietary pH additive that is used when source water arrives at the plant. If Joe initiated a
regular expression search with just the term tap water, thousands of match results would display,
because the matched tap water documents list the additive. However, Joe is searching for the first
use of the additive and not every document the additive is listed in, making it difficult for Joe to
find the usage data he needs.
To get more accurate results, Joe can initiate a weighted regular expression to assign weight
and occurrence scores to the expression, or indicate the information to exclude by assigning a
negative weight value.
Joe enters a negative weight value to exclude tap water and higher values to source water and
the proprietary water additive. The results are filtered and counted to a more manageable list,
meaning that a document containing 10 occurrences of water counts as one when all files and
folders are scanned. This enables Joe to view the match results, adjust the totals for weight
and occurrences, and calculate an adjusted score to determine if the content poses a risk to his
organization.

Weighted Regex Item | Occurrence | Adjusted Occurrence         | Adjusted Total Score
Water; 1            | 50         | 50 (1 Occurrence X 1)       | 110 minus 100 for tap water = 10 regex weight
IP pH; 2            | 30         | 60 (30 occurrences X 2)     |
Tap Water; -10      | 10         | -100 (10 occurrences x -10) |

STEP 1 | Consider the best practices for using regular expression matches.
• Use predefined data patterns instead of regular expressions. Use Enterprise DLP
predefined data patterns instead of regular expressions where possible. Data patterns
are more efficient than regular expressions because the predefined data patterns are
tuned for accuracy and the data is validated. For example, if you want to search for social
security numbers, use the US Social Security Number (SSN) data pattern instead of a regular
expression.
• Use regular expressions sparingly. Regular expressions can be computationally expensive.
If you add a regular expression condition, observe the system for 1 hour for efficient
performance. Make sure that the system does not slow down and there are no false
positives.
• Test regular expressions. If you implement regular expression matching, consider using
a third-party tool to test the regular expressions before you enable the policy rules. The
recommended tool is RegexBuddy. Another good tool for testing your regular expressions is
RegExr. If your expression is incorrect, the service can’t match or will match incorrectly.

STEP 2 | Understand expression terminology.

Expression Terminology:

Literal: A literal is any character you use in a search or matching expression. For example, to
find dlp in Enterprise DLP, dlp is a literal string: each character plays a part in the search; it’s
literally the string we want to find.

Metacharacter: A metacharacter is one or more special characters that have a unique meaning
and are not used as literals in the search expression, for example, the character < > (caret) is a
metacharacter.

Regular Expression: This term describes the search expression data pattern that you will be using
to search in Enterprise DLP.

Escape Sequence: An escape sequence is a way of indicating that you want to use one of the
metacharacters as a literal. In a regular expression an escape sequence involves placing the
metacharacter \ (backslash) in front of the metacharacter that you use as a literal. For example,
if you want to find (dlp) in Enterprise DLP then use the search expression \(dlp\), and if you want
to find \\file in the target string c:\\file then you would need to use the search expression
\\\\file (each \ to search for a literal (there are 2) is preceded by an escape sequence \).

STEP 3 | Understand expression constructs.

Enterprise DLP implements Perl Compatible Regular Expressions (PCRE) syntax for policy rule
condition matching. Enterprise DLP provides some common reference constructs for writing
regular expressions to match or exclude characters in content.
Regular expression constructs:

.      A dot, any single character, except newline (line ending, end of line, or line break)
       characters.
\      Escape the next character (the character becomes a normal/literal character.)
\d     Any digit (0-9.)
\s     Any white space.
\w     Any word character (a-z, A-Z, 0-9.)
\D     Anything other than a digit.
\S     Anything other than a white space.
[]     Elements inside brackets are a character class (for example, [abc] matches 1 character:
       a, b, or c.)
^      At the beginning of a character class, negates it (for example, [^abc] matches anything
       except a, b, or c.)
$      At the end of a character class, or before the newline at the end.
+      Following a regular expression means 1 or more (for example, \d+ means 1 or more digits.)
?      Following a regular expression means 0 or 1 (for example, \d? means 1 or no digit.)
*      Following a regular expression means any number (for example, \d* means 0, 1, or more
       digits.)
(?i)   At the beginning of a regular expression makes it case-insensitive (regular expressions are
       case-sensitive by default.)
()     Groups regular expressions together.
(?u)   Makes a period ( . ) match even newline characters.
|      Means OR (for example, A|B means regular expression A or regular expression B.)

STEP 4 | Understand expression quantifiers.

Quantifiers can be used to specify the number or length that part of a pattern should match or
repeat. A quantifier will bind to the expression group to its immediate left.
Regular expression quantifiers:

*        Match 0 or more times.
+        Match 1 or more times.
?        Match 1 or 0 times.
{n}      Match exactly n times.
{n, }    Match at least n times.
{n, m}   Match at least n but not more than m times.

STEP 5 | Enter one regular expression per line, up to 100 lines of expressions.
There is no limit to the number of regular expressions you can add to a data pattern. Add as
many lines of regular expressions as needed.

STEP 6 | (Weighted expressions only): Assign a weight to each regular expression line entry, between
-9999 (lowest importance) and 9999 (highest importance), by entering the regular expression,
the delimiter, and the weight score. Enter a weight threshold score of one (1) or more.

STEP 7 | (Optional) Customize your delimiter.

By default, the delimiter for all weighted regular expressions is semicolon ( ; ). You can
customize your delimiter to copy and paste existing expressions instead of entering them
manually. Use a delimiter to specify separate strings of data when configuring regular
expressions. For example, you can configure a weighted regular expression using a delimiter to
separate the string of text you’re matching from the weight threshold value. If you have large
amounts of existing expressions to match, you can customize your delimiter to copy and paste
the expressions instead of entering them manually. A delimiter can be any nonalphanumeric,
nonbackslash, nonwhitespace character.
Regular expression delimiters:

;      Semicolon — If the delimiter isn't customized, the semicolon is the default delimiter in
       Enterprise Data Loss Prevention (E-DLP).
:      Colon.
|      Pipe.
/      Forward Slash — You must escape the delimiter using a backslash ( \ ) if the delimiter
       needs to match inside the data pattern. If the delimiter appears often inside the pattern,
       it’s a good idea to choose another delimiter to increase readability.
+      Plus — Include phrase for matching.
-      Minus — Ignore phrase for matching.
#      Hash — Used to denote a number.
~      Tilde
{ }    Curly
[ ]    Square
( )    Parenthesis
       Use brackets to find a range of characters. You don't need to escape bracket-style
       delimiters when used as meta characters within the pattern, but you must escape
       bracket-style delimiters when used as literal characters.
< >    Caret
Create a Custom Data Pattern

Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern using regular expressions.
Create data patterns to specify the match criteria and identify patterns using regular expressions
and keywords that represent sensitive information on your network. Enterprise DLP synchronizes
all data patterns across your Panorama™ management server and Strata Cloud Manager
associated with the tenant. You can edit all custom data patterns created on Panorama or Strata
Cloud Manager as needed.
• Strata Cloud Manager
• Panorama

Strata Cloud Manager


STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Detection Methods > Data
Patterns.

STEP 3 | Add Data Patterns and select Custom.

You can also create a new custom data pattern by copying an existing custom data
pattern. To copy a custom data pattern, select the data pattern name to view the data
pattern details and copy it. You can then configure the custom data pattern you
copied as needed.

STEP 4 | Enter a descriptive Data Pattern Name.

STEP 5 | (Optional) Enter a Description for the data pattern.

STEP 6 | Select the type of Regular Expression.


You can choose Basic or Weighted data patterns. Use the Weighted data pattern to create
a basic or weighted regular expression. With weighted regular expressions, each text entry is
assigned a score and when the score threshold is exceeded, such as when enough expressions
from a pattern match an asset, Enterprise DLP will indicate that the asset is a match for the
pattern.
Then use the query builder in the Regular Expressions field to add either regular (Basic) or
Weighted expressions.

STEP 7 | (Optional) Enter one or more Proximity Keywords.


Proximity keywords are not case-sensitive. You can enter one or more proximity keywords
to increase the probability Enterprise DLP accurately detects a regular expression match.
Proximity keywords impact the Enterprise DLP confidence level, which reflects how confident
Enterprise DLP is when detecting matched traffic. Enterprise DLP determines confidence level
by inspecting the distance of regular expressions to proximity keywords.

STEP 8 | Save the data pattern.

STEP 9 | Create a data profile on Strata Cloud Manager.

Panorama

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Objects > DLP > Data Filtering Patterns.

You do not need to select the device group the managed firewalls using Enterprise DLP
are associated with. All data patterns are shared across all device groups by default.

STEP 3 | Add a new data pattern.

STEP 4 | Specify a Type and criteria for the data pattern and specify a Name.
Use any of the following data pattern types:
• Regular Expression—Create regular expressions to use in the data pattern.
You can choose Basic or Advanced data patterns. Use the Advanced data pattern to create
a basic or weighted regular expression. With weighted regular expressions, each text
entry is assigned a score and when the score threshold is exceeded, such as when enough
expressions from a pattern match an asset, Enterprise DLP will indicate that the asset is a
match for the pattern.
Then use the query builder in the Regular Expressions field to add either regular (Basic) or
weighted (Advanced) expressions.
You can enter one or more Proximity Keywords to use with the data filtering pattern.
Proximity keywords aren’t case-sensitive. You can enter one or more proximity keywords
to increase the probability Enterprise DLP accurately detects a regular expression match.
Proximity keywords impact the Enterprise DLP confidence level, which reflects how
confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines
confidence level by inspecting the distance of regular expressions to proximity keywords.
• File Property—Add a file property pattern on which to match.
For data governance and protection of information, if you use classification labels or embed
tags in MS Office and PDF documents to include more information for audit and tracking
purposes, you can create a file property data pattern to match on the metadata or attributes
that are part of the custom or extended properties in the file. Regardless of whether you use
an automated classification mechanism, such as Titus, or require users to add a tag, you can
specify a name-value pair on which to match on a custom or extended property embedded in
the file.
Enterprise DLP supports file property data patterns in MS Office and PDF documents and
supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
Then add a Tag Name and Tag Value.
A Tag Name and Tag Value are an associated pair that specifies the property for which
you want to look (for example, you can specify a Tag Name of Label and a Tag Value
of Confidential). You can add as many file properties as you’d like and when you later
reference the file property data pattern in a data filtering profile, Enterprise DLP will use a
boolean OR match in the match criteria.

For files protected with Microsoft Azure Information Protection (AIP), you must
enter the full AIP label Name that you want to take action on. This can be either the
MSIP_Label_<GUID>_Enabled label name or the Sensitivity label name.
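The weighted-expression scoring and proximity-keyword confidence described above, as an added Python example that is not part of this guide or of the Enterprise DLP product code. The pattern, its weights, the threshold, and the 50-character proximity window are assumptions of the example: the guide states that confidence depends on the distance between a regular expression match and a proximity keyword but does not publish the distance, and the actual Enterprise DLP scoring rules are not reproduced here.

```python
import re

# Constructed weighted (Advanced) data pattern. The weights, threshold and
# keywords are hypothetical; they are not Palo Alto Networks' values.
WEIGHTED_PATTERN = {
    "name": "constructed-us-ssn-weighted",
    "threshold": 10,
    "entries": [
        # The SSN-shaped number is the strongest signal on its own
        {"regex": r"\b\d{3}-\d{2}-\d{4}\b", "score": 8},
        # Supporting context that on its own is not enough to match
        {"regex": r"\bsocial security\b", "score": 4},
        {"regex": r"\bdate of birth\b", "score": 2},
    ],
    # Proximity keywords are matched case-insensitively
    "proximity_keywords": ["ssn", "social security number"],
}

# Assumed proximity window in characters. The guide says confidence depends on
# the distance between a regex match and a proximity keyword but gives no
# figure, so this value is an assumption of the example.
PROXIMITY_WINDOW = 50


def score_entries(text, pattern):
    """Sum the scores of the weighted entries that hit and collect their spans.

    Each entry contributes its score once no matter how often it hits, which is
    one reading of "each text entry is assigned a score" (an assumption here).
    """
    total, spans = 0, []
    for entry in pattern["entries"]:
        found = [m.span() for m in re.finditer(entry["regex"], text, re.IGNORECASE)]
        if found:
            total += entry["score"]
            spans.extend(found)
    return total, spans


def span_gap(a, b):
    """Characters between two (start, end) spans; 0 when they touch or overlap."""
    return max(a[0] - b[1], b[0] - a[1], 0)


def confidence(text, pattern, spans):
    """High when any regex hit lies within PROXIMITY_WINDOW of a proximity keyword."""
    keyword_spans = [
        m.span()
        for kw in pattern["proximity_keywords"]
        for m in re.finditer(re.escape(kw), text, re.IGNORECASE)
    ]
    for hit in spans:
        if any(span_gap(hit, kw) <= PROXIMITY_WINDOW for kw in keyword_spans):
            return "High"
    return "Low"


def evaluate(text, pattern=WEIGHTED_PATTERN):
    """Return (matched, score, confidence); confidence is None when nothing matched.

    The example treats reaching the threshold as a match.
    """
    score, spans = score_entries(text, pattern)
    if score < pattern["threshold"]:
        return False, score, None
    return True, score, confidence(text, pattern, spans)


if __name__ == "__main__":
    # Constructed sample assets: keyword next to the number, number alone,
    # and keyword far away from the number
    for sample in (
        "Employee record. SSN: 123-45-6789. Social Security enrollment complete.",
        "Order 123-45-6789 shipped on Tuesday.",
        "ssn policy applies." + " x" * 40 + " social security file 987-65-4321",
    ):
        print(evaluate(sample))
```

The second sample shows why weighting matters: an SSN-shaped number on its own scores 8, below the threshold, so an order number does not trip the pattern, while the third sample matches but only at Low confidence because the nearest keyword is outside the window.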

STEP 5 | Click OK to save the data pattern.


STEP 6 | Commit and push the new configuration to your managed firewalls.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

• Full configuration push from Panorama


1. Select Commit > Commit to Panorama and Commit.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.
• Partial configuration push from Panorama

You must always include the temporary __dlp administrator when performing a
partial configuration push. This is required to keep Panorama and the DLP cloud
service in sync.
For example, a Panorama administrator named admin is allowed to commit and push
configuration changes. The admin user changed the Enterprise DLP configuration and
wants to commit and push only those changes to managed firewalls. In this case, the
admin user must also select the __dlp user in the partial commit and push operations.

1. Select Commit > Commit to Panorama.


2. Select Commit Changes Made By and then click the current Panorama admin user to
select additional admins to include in the partial commit.
In this example, the admin user is currently logged in and performing the commit
operation. The admin user must click admin and then select the __dlp user. If other
Panorama admins made additional configuration changes, they can be selected here as well.
Click OK to continue.

3. Commit.
4. Select Commit > Push to Devices.
5. Select Push Changes Made By and then click the current Panorama admin user to select
additional admins to include in the partial push.
In this example, the admin user is currently logged in and performing the push
operation. The admin user must click admin and then select the __dlp user. If other
Panorama admins made additional configuration changes, they can be selected here as well.
Click OK to continue.

6. Select Device Groups and Include Device and Network Templates.


7. Click OK.
8. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 7 | Create a data profile on Panorama or Strata Cloud Manager.

Create a File Property Data Pattern


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
  Review the Supported Platforms for details on the required license for each enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

Create an Enterprise Data Loss Prevention (E-DLP) data pattern using file properties to specify
the match criteria and identify patterns that represent sensitive information on your network.
All data patterns you create are shared across Panorama™ management server and Strata
Cloud Manager deployments associated with the tenant. All custom data patterns created on
Panorama or Strata Cloud Manager can be edited and copied as needed.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Detection Methods > Data
Patterns.

STEP 3 | Add Data Patterns and select File Property.

You can also create a new file property data pattern by copying an existing file
property data pattern. To copy a custom data pattern, select the data pattern name to
view the data pattern details and copy it. You can then configure the copied file
property data pattern as needed.

STEP 4 | Enter a descriptive Name for the file property data pattern.

STEP 5 | (Optional) Enter a Description for the data pattern.


STEP 6 | Select the File Property Type and enter the corresponding Value.
Enterprise DLP supports file property data patterns in MS Office and PDF documents and
supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
(Extended Properties and Custom only) You must enter the file property Name to identify
which extended or custom property Enterprise DLP should inspect.
• AIP Tags
Microsoft Azure Information Protection (AIP) labels used to classify and protect documents
and emails. AIP tags are case insensitive and only whole word matches are supported.
Regex expressions and wildcards are not supported.
Review the examples of the supported AIP tag format when configuring a file property data
pattern to prevent exfiltration of documents with AIP tags:
• MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled=true
• MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate=2024-01-25T07:05:49Z
• MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method=Privileged
• MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Name=Confidential
Enterprise DLP supports using either the Name or Display Name for a Microsoft
Purview sensitivity label.
• MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SiteId=fb8ed654-3195-4846-ac37-491dc8a2349e
• MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ActionId=218bb304-e1fc-46f2-9210-7fb21702c52a
• MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ContentBits=2
Only one AIP Tag entry is supported per data pattern. However, you can add up to 10 AIP tag
values to an AIP Tag entry using ; as a separator. For example:
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled:true;MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate:2024-01-25T07:05:49Z;MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method:Privileged

• Asset Name
Asset names are the file names of the files you want to prevent from being exfiltrated. Asset
names are case insensitive.
Only one Asset Name entry is supported per data pattern. However, you can add up to 100
Asset Name values to an Asset Name entry using ; as a separator. Asset Name entries
support plaintext and fully formed regex expressions for the Asset Name value. Asset Name
is designed to inspect for a full word match. If a partial match is required, you must include
a wildcard in the regular expression.
• For plaintext Asset Name values, the asset name must include the file extension. For
example, billing-info.csv or customer-data.docx.
• For regex, the following expression matches all variations of file types when one of the
keywords is present, because the wildcard at the end of the expression stands in for the
file type. For example, password.csv and ccn.docx match this regex expression:
(?i)(ssn|password|pwd|security|credit|CCN|finance).*
• Alternatively, the following regex expression matches variations in the file name as well as
all variations of file types, because a wildcard precedes the keywords and another wildcard
follows them. For example, 100ssn.txt, 200ssn.docx, and 300ssn.csv match this regex
expression:
(?i).*(ssn|password|pwd|security|credit|CCN|finance).*
For example, an Asset Name entry that combines plaintext and regex values, separated by ;:
billing-info.csv;customer-data.docx;(?i).*(ssn|password|pwd|security|credit|CCN|finance).*

• Author
First and last name of the file owner contained in the asset metadata. Author tags are case
and space insensitive and only whole word matches are supported. No regex expressions or
wildcards are supported.
Only one Author entry is supported per data pattern. However, you can add up to 100
Author values to an Author entry using ; as a separator. For example, Bill Smith; john
doe; leslieBarnes.

The Author file property type is not supported for source code files.

• File Extension
Specify one or more file types supported by Enterprise DLP. File Extension tags are case
and space insensitive and only whole word matches are supported. Regex expressions
and wildcards are not supported. To scan files based on a specific file extension, the file
extension must be included in the file name.
Only one File Extension entry is supported per data pattern. However, you can add up
to 10 File Extension values to a File Extension entry using ; as a separator. For example,
.pdf;.csv;.rtf.

• File SHA
A string of letters and numbers that represents the checksum of a file. Only SHA-256
checksums are supported. File SHA values are case and space insensitive and only whole
word matches are supported. Regex expressions and wildcards are not supported.
Only one File SHA entry is supported per data pattern. However, you can add up
to 1,000 File SHA values to a File SHA entry using ; as a separator. For example,
CA4D03E8F8A495AA671930184A04275E050D096B9E7E3CF693E0AB12898F3A46;5C4753EAE1F

• Extended Properties
Unique Advanced properties added to Microsoft Suite (Word, Excel, PPT, PDF) file
properties that are not the default General properties.
Only one Extended Properties entry is supported per data pattern. However, you can add
up to 100 Extended Property values to an Extended Properties entry using ; as a separator.

• Custom
Unique Custom properties added to Microsoft Suite (Word, Excel, PPT, PDF) file properties
that are not the default General properties.
Multiple Custom entries are supported per data pattern. However, only one Custom value
per Custom entry is supported.
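The file property types above, evaluated in an added Python example that is not part of this guide or of Enterprise DLP. It builds a constructed minimal .docx in memory whose docProps/custom.xml carries MSIP_Label_* custom properties (the part of an Office file in which AIP labels are stored) and whose docProps/core.xml carries the author, then applies AIP Tags, Asset Name, Author, File Extension and File SHA entries with the rules stated on this page: case and space insensitive whole-value comparison for tags, authors and extensions, a plaintext asset name compared whole including its extension, a regex asset name matched against the whole file name, SHA-256 compared case insensitively, ; as the value separator, the per-entry value limits, and OR across the entries of one pattern as described for Panorama. Assumptions of the example: a value made only of word characters, dots and hyphens is treated as plaintext rather than regex; both = and : are accepted between an AIP property name and its value because the page shows both; and how Enterprise DLP parses the documents internally is not known.

```python
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"

# Per-entry value limits from the guide (values inside one entry are ';' separated)
LIMITS = {"AIP Tags": 10, "Asset Name": 100, "Author": 100, "File Extension": 10, "File SHA": 1000}


def build_docx(custom_props, author):
    """Constructed minimal .docx carrying only the parts this example inspects."""
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i + 2}" name="{k}">'
        f"<vt:lpwstr>{v}</vt:lpwstr></property>"
        for i, (k, v) in enumerate(custom_props.items())
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml",
                   f'<Properties xmlns="{NS_CUSTOM}" xmlns:vt="{NS_VT}">{props}</Properties>')
        z.writestr("docProps/core.xml",
                   f'<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">'
                   f"<dc:creator>{author}</dc:creator></cp:coreProperties>")
    return buf.getvalue()


def read_properties(asset_name, data):
    """Extract the file properties a file property data pattern can match on."""
    dot = asset_name.rfind(".")
    meta = {
        "asset_name": asset_name,
        "extension": asset_name[dot:].lower() if dot >= 0 else "",
        "sha256": hashlib.sha256(data).hexdigest(),
        "custom": {},   # custom/extended properties, AIP labels included
        "authors": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "docProps/custom.xml" in names:
            root = ET.fromstring(z.read("docProps/custom.xml"))
            for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
                meta["custom"][prop.get("name")] = "".join(prop.itertext()).strip()
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            meta["authors"] = [c.text or "" for c in root.iter(f"{{{NS_DC}}}creator")]
    return meta


def split_values(field):
    return [v.strip() for v in field.split(";") if v.strip()]


def norm(s):
    """Case and space insensitive whole-value comparison key."""
    return re.sub(r"\s+", "", s).lower()


def match_aip_tag(field, meta):
    # Each value is <property name>=<value>; the guide shows both '=' and ':' (assumption)
    for value in split_values(field):
        m = re.fullmatch(r"([^=:]+)[=:](.*)", value)
        if m and any(norm(k) == norm(m.group(1)) and norm(v) == norm(m.group(2))
                     for k, v in meta["custom"].items()):
            return True
    return False


def match_asset_name(field, meta):
    for value in split_values(field):
        if re.fullmatch(r"[\w.\-]+", value):
            # Plaintext (assumed by its characters): whole file name with extension
            if value.lower() == meta["asset_name"].lower():
                return True
        elif re.fullmatch(value, meta["asset_name"]):
            # Regex: whole-name match, so partial matches need a leading/trailing .*
            return True
    return False


MATCHERS = {
    "AIP Tags": match_aip_tag,
    "Asset Name": match_asset_name,
    "Author": lambda f, m: any(norm(a) in {norm(v) for v in split_values(f)} for a in m["authors"]),
    "File Extension": lambda f, m: any(norm(v) == m["extension"] for v in split_values(f)),
    "File SHA": lambda f, m: any(v.lower() == m["sha256"] for v in split_values(f)),
}


def evaluate_pattern(entries, meta):
    """entries: list of (File Property Type, value field). Entries are OR-ed; the
    first property type that matches is returned, None when nothing matches."""
    for ptype, field in entries:
        if len(split_values(field)) > LIMITS[ptype]:
            raise ValueError(f"{ptype}: more than {LIMITS[ptype]} values in one entry")
        if MATCHERS[ptype](field, meta):
            return ptype
    return None
```

Call build_docx to create a sample, read_properties to extract its metadata, and evaluate_pattern with a list of (File Property Type, value) entries; the value strings take the same ; separated form as the Strata Cloud Manager fields, so the plaintext-versus-regex distinction for Asset Name and the whole-value rule for AIP tags can be tried against real file names before a pattern is committed.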

STEP 7 | Save the data pattern.

STEP 8 | Create a data profile on Strata Cloud Manager.


Add Custom Match Criteria to a Predefined Data Pattern



Clone a predefined regular expression (regex) data pattern to add specific inclusion or exclusion
criteria and provide custom match criteria that enhance detection and prevention of sensitive
data exfiltration. This allows you to extend a predefined regex data pattern with more customized
match criteria.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Detection Methods > Data
Patterns.

STEP 3 | Locate the predefined regex data pattern.


STEP 4 | Expand the Actions and Clone.


STEP 5 | Add the custom match criteria to specify data to include or exclude from inspection and
verdict rendering.
Up to 50,000 characters are supported in each field. You can add multiple custom data match
criteria in a single field, separated by a semicolon (;), and you can specify one, some, or all of
the custom match criteria fields.
• Include Matches Starting With—Inclusive match criteria to inspect for and trigger
Enterprise DLP enforcement for only data matches starting with one or more of the criteria
added.
This field is an AND operator.
• Include Matches End With—Inclusive match criteria to inspect for and trigger Enterprise
DLP enforcement for only data matches ending with one or more of the criteria added.
This field is an AND operator.
• Exclude Matches Starting With—Exclude match criteria from Enterprise DLP inspection and
enforcement for data matches starting with one or more of the criteria added.
This field is an OR operator.
• Exclude Matches Ending With—Exclude match criteria from Enterprise DLP inspection and
enforcement for data matches ending with one or more of the criteria added.
This field is an OR operator.
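The include and exclude semantics above, in an added Python example that is not from this guide or from Enterprise DLP. CLONED_PATTERN is a hypothetical stand-in for a cloned predefined regex pattern, and the reading of the AND/OR notes is the example's own: every configured Include field must be satisfied by a match, while a hit in any Exclude field removes the match from the verdict.

```python
import re

# Constructed stand-in for a cloned predefined regex data pattern. The regex is
# hypothetical; Palo Alto Networks' predefined patterns are not reproduced here.
CLONED_PATTERN = {"name": "Internal Account Number - custom", "regex": r"\b\d{10}\b"}

# The four custom match criteria fields, each optional and ';' separated, in the
# form they would be typed into the cloned pattern.
CRITERIA = {
    "include_start": "40;41",  # keep only matches starting with 40 or 41 ...
    "include_end": "",         # ... AND (when set) ending with one of these
    "exclude_start": "4000",   # drop matches starting with 4000 ...
    "exclude_end": "0000",     # ... OR ending with 0000
}

FIELD_LIMIT = 50_000  # characters per field, per the guide


def split_values(field):
    return [v.strip() for v in field.split(";") if v.strip()]


def passes(match, criteria):
    """Apply the include (AND) and exclude (OR) criteria to one raw regex match."""
    inc_start = split_values(criteria.get("include_start", ""))
    inc_end = split_values(criteria.get("include_end", ""))
    exc_start = split_values(criteria.get("exclude_start", ""))
    exc_end = split_values(criteria.get("exclude_end", ""))
    # Include fields are AND-ed: every configured include field must hold
    if inc_start and not any(match.startswith(p) for p in inc_start):
        return False
    if inc_end and not any(match.endswith(s) for s in inc_end):
        return False
    # Exclude fields are OR-ed: a hit in either field removes the match
    if any(match.startswith(p) for p in exc_start):
        return False
    if any(match.endswith(s) for s in exc_end):
        return False
    return True


def find_matches(text, pattern=CLONED_PATTERN, criteria=CRITERIA):
    """Matches of the cloned pattern that survive the custom match criteria."""
    for name, field in criteria.items():
        if len(field) > FIELD_LIMIT:
            raise ValueError(f"{name} exceeds {FIELD_LIMIT} characters")
    return [m.group(0) for m in re.finditer(pattern["regex"], text)
            if passes(m.group(0), criteria)]


if __name__ == "__main__":
    # Constructed sample: two kept, one dropped by prefix, one by suffix, one never included
    print(find_matches("acct 4012345678 ok, 4112345678 ok, 4000123456 excluded, "
                       "4198760000 excluded, 5012345678 other"))
```

The exclusions act on the raw regex match, so 4000123456 is still dropped even though it starts with 40 and therefore satisfies the include criteria; include fields narrow the candidate set first and exclude fields then remove from it.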

STEP 6 | Save.

STEP 7 | Create a data profile on Strata Cloud Manager.


Data Profiles

To get started, you’ll first create a data pattern that specifies the information types and fields
that you want the firewall to filter. Then, you attach that pattern to a data filtering profile, which
specifies how you want to enforce the content that the firewall filters. Add the data filtering
profile to a Security policy rule to start filtering traffic matching the rule.
Enterprise Data Loss Prevention (E-DLP) profiles specify how you want to enforce the sensitive
content that you’re filtering. Predefined data profiles have data patterns that include industry-
standard data identifiers, keywords, and built-in logic in the form of machine learning, regular
expressions, and checksums for legal and financial data patterns.
Enterprise DLP profiles are active only when they’re attached to a Security policy rule; they
scan traffic that matches the rule. If a user uploads a file that matches a data pattern, an alert is
triggered or the file is blocked (depending on the action you define in the DLP profile).

You can't delete data profiles after creation. See the Supported Data Profile Actions for
more information on the data profile actions Enterprise DLP supports.

• Create a Classic Data Profile


• Create an Advanced Data Profile
• Create a Nested Data Profile
• Update a Data Profile
• Test a Data Profile


• Resolve Data Profile Synchronization Conflicts

Create a Classic Data Profile



After you create a data pattern, you need to create a data profile to add those data patterns and
specify matches and confidence levels. All data profiles you create are shared across Panorama™
management server and Strata Cloud Manager deployments associated with the tenant. All classic
data profiles created on Panorama or Strata Cloud Manager can be edited and copied as needed.
Viewing a data profile created on Panorama requires Panorama plugin for Enterprise DLP 1.0.4
or a later release.
(Panorama only) A data profile configured for detection of non-file traffic allows you to configure
URL and application exclusion lists, which let you select Shared URL and application traffic to
exclude from inspection. For the application exclusion list, at least one application exclusion is
required to create a data filtering profile for inspecting non-file traffic. The predefined DLP App
Exclusion Filter contains commonly used applications that can be safely excluded from
inspection. If you downgrade from PAN-OS 10.2.1 or a later release and Enterprise DLP plugin
3.0.1 or a later release to PAN-OS 10.1 and Enterprise DLP plugin 1.0, data filtering profiles
created on Panorama for non-file inspection are automatically converted into file-based data
filtering profiles.
When you create a data profile using predefined data patterns, be sure to consider the detection
type used by the predefined data patterns because the detection type determines how Enterprise
Data Loss Prevention (E-DLP) arrives at a verdict for scanned files.


Updating a classic data profile to include an advanced detection method, such as an Exact
Data Matching (EDM) data set or custom document types, isn’t supported.
You need to create an advanced data profile if you want to create a data profile that
combines a predefined or custom data pattern and advanced detection methods, see

• Strata Cloud Manager


• File Based for Panorama
• Non-File Based for Panorama

Strata Cloud Manager

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Edit the data filtering settings on Strata Cloud Manager to configure the minimum and
maximum data size limits and the actions the firewall takes when uploading files to the
DLP cloud service or when inspecting non-file based traffic.

STEP 3 | Select Manage > Configuration > Data Loss Prevention > Data Profiles and Add Data Profile
> Classic Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.

Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.


STEP 4 | Configure the Primary Rule for the data profile.

Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.

1. Enter a descriptive Data Profile Name.


2. Add Pattern Group and Add Data Pattern.
3. Configure the match criteria.
• Data Pattern—Select a custom or predefined data pattern.

Predefined ML-based data patterns support only the Any occurrence
condition with either High or Low confidence. You can't configure any
traffic match criteria other than the confidence level for predefined ML-
based data patterns.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the maximum being the specified Count.
• More than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with a minimum being the specified Count.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
any number of instances of matched traffic between the specific Count range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
More than or equal to as the Occurrence Condition and specify 3 as the Count.
• Confidence—Specify the confidence level required for a Security policy rule action to
be taken (High or Low).
4. (Optional) Add Data Pattern to add additional data pattern match criteria to the Primary
rule.
5. (Optional) Add Data Pattern Group to add additional data pattern conditions using AND
or OR operators to the Primary Rule.
Refer to the descriptions above to configure any additional data pattern conditions as
needed.
6. (Optional) Configure a Secondary Rule.

Data pattern match criteria added to the Secondary Rule block all traffic that
meets the match criteria for the data pattern conditions. If you want to allow
traffic that matches a data pattern match criteria, add it to the Primary Rule.
7. Review the Data Profile Preview to verify the data profile match criteria.


8. Save the data profile.

STEP 5 | Test a Data Profile to verify it accurately detects the sensitive data you configured it to
detect.

STEP 6 | In Data Profiles, search for the data profile you created to verify it was successfully created.

STEP 7 | Modify a DLP Rule on Strata Cloud Manager to Attach the data profile to a Security policy
rule.
The DLP Rule defines the type of traffic to inspect, the impacted file types, action, log severity,
and more for the data profile match criteria. Enterprise DLP automatically creates a DLP rule
with an identical name as the data profile from which it was created.

File Based for Panorama

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Edit the data filtering settings on Panorama to configure the minimum and maximum data
size limits and the actions the firewall takes when uploading files to the DLP cloud service.

STEP 3 | Create one or more data patterns.

STEP 4 | Select Objects > DLP > Data Filtering Profiles.

STEP 5 | Add a new data filtering profile.

STEP 6 | Enter a descriptive Name for the data profile.


STEP 7 | Verify the following settings are enabled.


• File Based—New data profiles have Yes selected by default.
• Shared—All Enterprise DLP data profiles must be Shared across all device groups. This
setting is enabled by default and cannot be disabled.


STEP 8 | Define the match criteria.


• If you select Basic, configure the following:
• Primary Pattern—Add one or more data patterns to specify as the match criteria.
If you specify more than one data pattern, the managed firewall uses a boolean OR
match in the match criteria.
• Match—Select whether the pattern you specify should match (include) or not match
(exclude) the specified criteria.
• Operator—Select a boolean operator to use with the Threshold parameter. Specify Any
to ignore the threshold.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP detects
instances of matched traffic, with the maximum being the specified Threshold.
• More than or equal to—Security policy rule action triggered if Enterprise DLP detects
instances of matched traffic, with a minimum being the specified Threshold.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
any number of instances of matched traffic between the specific Threshold range.
• Occurrence—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
more_than_or_equal_to as the Operator and specify 3 as the Threshold.
• Confidence—Specify the confidence level required for a Security policy rule action to be
taken (High or Low).


• If you select Advanced, you can create expressions by dragging and dropping data patterns,
Confidence levels, Operators, and Occurrence values into the field in the center of the
page.
Specify the values in the order that they’re shown in the following example (data pattern,
Confidence, and Operator or Occurrence).
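The occurrence conditions, Count, confidence and pattern-group operators described for Strata Cloud Manager (Occurrence Condition and Count) and for the Panorama Basic match criteria (Operator and Threshold), in one added Python example that is not part of this guide or of Enterprise DLP. The profile, the pattern names and the per-file detection counts are constructed; two assumptions are labelled in the code: a High-confidence instance also satisfies a Low-confidence requirement, and Less than or equal to requires at least one instance.

```python
import copy

# Constructed classic data profile. Pattern names are illustrative, not the
# predefined Enterprise DLP pattern names. "condition"/"count" correspond to the
# Occurrence Condition and Count on Strata Cloud Manager and to the Operator and
# Threshold on Panorama.
PROFILE = {
    "name": "PCI and PII - constructed",
    "primary": {
        "operator": "OR",
        "groups": [
            {"operator": "AND", "patterns": [
                {"pattern": "Credit Card Number", "condition": "more_than_or_equal_to",
                 "count": 3, "confidence": "High"},
                {"pattern": "US Social Security Number", "condition": "any",
                 "confidence": "Low"},
            ]},
            {"operator": "AND", "patterns": [
                {"pattern": "Internal Project Code", "condition": "between",
                 "count": 1, "count_high": 5, "confidence": "High"},
            ]},
        ],
    },
    "secondary": None,
}

# Constructed detections for one scanned file: instances per pattern and confidence
SAMPLE_FILE = {
    "Credit Card Number": {"High": 4, "Low": 1},
    "US Social Security Number": {"High": 0, "Low": 2},
    "Internal Project Code": {"High": 1, "Low": 0},
}


def occurrences(detections, pattern, confidence):
    """Instances that meet the required confidence.
    Assumption: a High-confidence instance also satisfies a Low requirement."""
    d = detections.get(pattern, {})
    high, low = d.get("High", 0), d.get("Low", 0)
    return high + low if confidence == "Low" else high


def condition_met(n, condition, count=None, count_high=None):
    """Occurrence conditions as described in the guide; Count range is 1-500."""
    for c in (count, count_high):
        if c is not None and not 1 <= c <= 500:
            raise ValueError("Count must be between 1 and 500")
    if condition == "any":
        return n >= 1
    if condition == "less_than_or_equal_to":
        return 1 <= n <= count          # assumption: at least one instance, at most Count
    if condition == "more_than_or_equal_to":
        return n >= count
    if condition == "between":
        return count <= n <= count_high  # inclusive
    raise ValueError(f"unknown condition {condition!r}")


def evaluate_rule(rule, detections):
    """Patterns combine with the group operator, groups with the rule operator."""
    combine = {"AND": all, "OR": any}
    group_results = []
    for group in rule["groups"]:
        results = [
            condition_met(occurrences(detections, p["pattern"], p["confidence"]),
                          p["condition"], p.get("count"), p.get("count_high"))
            for p in group["patterns"]
        ]
        group_results.append(combine[group["operator"]](results))
    return combine[rule["operator"]](group_results)


def evaluate_profile(profile, detections):
    """Return 'primary', 'secondary' or None for the rule whose criteria the file meets."""
    for name in ("primary", "secondary"):
        rule = profile.get(name)
        if rule and evaluate_rule(rule, detections):
            return name
    return None


def with_confidence(profile, pattern, confidence):
    """Copy of the profile with the confidence requirement for one pattern changed."""
    new = copy.deepcopy(profile)
    for group in new["primary"]["groups"]:
        for p in group["patterns"]:
            if p["pattern"] == pattern:
                p["confidence"] = confidence
    return new


if __name__ == "__main__":
    print(evaluate_profile(PROFILE, SAMPLE_FILE))
    print(evaluate_profile(PROFILE, {"Credit Card Number": {"High": 2, "Low": 5}}))
```

The second call shows the effect of the confidence setting: five Low-confidence card numbers plus two High ones do not satisfy a High-confidence requirement of three, so lowering the required confidence, not raising the Count, is what changes that verdict.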


STEP 9 | Select an Action (Alert or Block) to perform on the file.

If the data profile has both Primary and Secondary Patterns, changing the data profile
Action on Panorama deletes all Secondary Pattern match criteria.


STEP 10 | Specify the file types the DLP cloud service takes action against.
• DLP plugin 4.0.0 and earlier releases
Select the File Type. By default, any is selected and inspects all supported file types.
• DLP plugin 4.0.1 and later releases
1. Select File Types.
2. Select the Scan Type to create a file type include or exclude list.
• Include—DLP cloud service inspects only the file types you add to the File Type Array.
• Exclude—DLP cloud service inspects all supported file types except for those added
to the File Type Array.
3. Click Modify to add the file types to the File Type Array and click OK.

STEP 11 | Select traffic Direction you want to inspect.


You can select Upload, Download, or Both.

STEP 12 | Set the Log Severity recorded for files that match this rule.
You can select critical, high, medium, low, or informational. The default severity is
informational.

STEP 13 | Click OK to save your changes.

STEP 14 | (Best Practices for File Based Inspection) Create a File Blocking profile and create a Block
Rule to block the file types you don't explicitly forward to Enterprise DLP.
Palo Alto Networks recommends creating this File Blocking profile to ensure sensitive data
can't be exfiltrated in file types Enterprise DLP doesn't support.


STEP 15 | Attach the data filtering profile to a Security policy rule.


1. Select Policies > Security and specify the Device Group.
2. Select the Security policy rule to which you want to add the data filtering profile.
3. Select Actions and set the Profile Type to Profiles.
4. (Best Practices for File Based Inspection) For the File Blocking Profile, select the File
Blocking profile you created in the previous step.
5. For the Data Filtering profile, select the Enterprise DLP data filtering profile you created.
6. Click OK.

STEP 16 | Commit and push your configuration changes.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

• Full configuration push from Panorama


1. Select Commit > Commit to Panorama and Commit.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to the NGFWs that are using Enterprise DLP.
• Partial configuration push from Panorama

You must always include the temporary __dlp administrator when performing a
partial configuration push. This is required to keep Panorama and Enterprise DLP in
sync.
For example, a Panorama administrator named admin is allowed to commit and push
configuration changes. The admin user changed the Enterprise DLP configuration and
wants to commit and push only those changes to your NGFW. In this case, the admin
user must also select the __dlp user in the partial commit and push operations.

1. Select Commit > Commit to Panorama.


2. Select Commit Changes Made By and then click the current Panorama admin user to
select additional admins to include in the partial commit.
In this example, the admin user is currently logged in and performing the commit
operation. The admin user must click admin and then select the __dlp user. If other
Panorama admins made additional configuration changes, they can be selected here as well.
Click OK to continue.

3. Commit.
4. Select Commit > Push to Devices.
5. Select Push Changes Made By and then click the current Panorama admin user to select
additional admins to include in the partial push.
In this example, the admin user is currently logged in and performing the push
operation. The admin user must click admin and then select the __dlp user. If there are
additional configuration changes made by other Panorama admins, they can be selected
here as well.
Click OK to continue.

6. Select Device Groups and Include Device and Network Templates.


7. Click OK.
8. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

Non-File Based for Panorama

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Edit the data filtering settings on Panorama to configure the minimum and maximum data
size limits and the actions the firewall takes when uploading non-file data to the DLP cloud
service.

Palo Alto Networks recommends verifying that Enable Non File DLP is selected after you
install the Panorama plugin for Enterprise DLP 3.0.1.

STEP 3 | Create one or more data patterns.

STEP 4 | (Optional) Create a custom application filter or application group to define predefined or
custom application traffic you want to exclude from inspection.
The application filter and application group must be Shared to be used in the data filtering
profile application exclusion list. Data filtering profiles for non-file traffic inspection support
both custom application filters and application groups, but you aren’t required to add both.
• Create a Custom Application Filter
• Create an Application Group


STEP 5 | (Optional) Create a custom URL category to define URL traffic you want to exclude from
inspection.
The URL category must be Shared to be used in the data filtering profile URL exclusion list.

You don’t need to add the custom URL category to a URL Filtering profile to include it in
the URL exclusion list of a data filtering profile.

STEP 6 | Select Objects > DLP > Data Filtering Profiles.

STEP 7 | Add a new data filtering profile.

STEP 8 | (Optional) Configure the data filtering profile to scan File Based traffic.
Data filtering profiles support scanning both file based and non-file based traffic. Select Yes
to scan for both file based and non-file based traffic. Select No to only scan for non-file based
traffic. Configuring the data filtering profile not to scan for file based traffic has no impact on
scanning non-file based traffic.

STEP 9 | Configure the data filtering profile to scan Non-File Based traffic.
Select Yes to scan for non-file based traffic.

STEP 10 | Verify that Shared is enabled.


All Enterprise DLP data profiles must be Shared across all device groups. This setting is
enabled by default and cannot be disabled.


STEP 11 | Define the match criteria.


• If you select Basic, configure the following:
• Primary Pattern—Add one or more data patterns to specify as the match criteria.
If you specify more than one data pattern, the managed firewall uses a boolean OR
match in the match criteria.
• Match—Select whether the pattern you specify should match (include) or not match
(exclude) the specified criteria.
• Operator—Select a boolean operator to use with the Threshold parameter. Specify Any
to ignore the threshold.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP detects
instances of matched traffic, with the maximum being the specified Threshold.
• More than or equal to—Security policy rule action triggered if Enterprise DLP detects
instances of matched traffic, with the minimum being the specified Threshold.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
any number of instances of matched traffic within the specified Threshold range.
• Occurrence—Specify the number of instances of matched traffic (the Threshold) required
to trigger a Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
more_than_or_equal_to as the Operator and specify 3 as the Threshold.
• Confidence—Specify the confidence level required for a Security policy rule action to be
taken (High or Low).


• If you select Advanced, you can create expressions by dragging and dropping data patterns,
Confidence levels, Operators, and Occurrence values into the field in the center of the
page.
Specify the values in the order that they’re shown in the following screenshot (data pattern,
Confidence, and Operator or Occurrence).


STEP 12 | Select an Action (Alert or Block) to perform on matching traffic.

If the data profile has both Primary and Secondary Patterns, changing the data profile
Action on Panorama deletes all Secondary Pattern match criteria.


STEP 13 | (Optional) Configure the URL category list to exclude URL traffic from inspection.
The URL category list can only be configured when Non-File Based traffic inspection is
enabled.
1. Select URL Category List Excluded From Non-File.
2. Add a new URL category list.
3. Select a predefined URL category, custom URL category or EDL.


STEP 14 | Configure the application exclusion list to exclude application traffic from inspection.
The application list can only be configured when Non-File Based traffic inspection is enabled.
At least one application list or application group is required to create a data filtering profile for
inspecting non-file traffic.
1. Select Application List Excluded From Non-File.
2. Add an application filter or application group.
If you didn’t create a custom application filter or application group, you must add the
DLP App Exclusion Filter.

STEP 15 | For the Direction, only Upload is supported for inspection of non-file based traffic.

STEP 16 | Set the Log Severity recorded for files that match this rule.
You can select critical, high, medium, low, or informational. The default severity is
informational.

STEP 17 | Click OK to save your changes.

STEP 18 | Attach the data filtering profile to a Security policy rule.


1. Select Policies > Security and specify the Device Group.
2. Select the Security policy rule to which you want to add the data filtering profile.
3. Select Actions and set the Profile Type to Profiles.
4. For the Data Filtering profile, select the Enterprise DLP data filtering profile you created.
5. Click OK.


STEP 19 | Commit and push the new configuration to your managed firewalls.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command adds the unnecessary overhead of
manually selecting the impacted templates and managed firewalls in the Push Scope
Selection.

• Full configuration push from Panorama


1. Select Commit > Commit to Panorama and Commit.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.
• Partial configuration push from Panorama

You must always include the temporary __dlp administrator when performing a
partial configuration push. This is required to keep Panorama and the DLP cloud
service in sync.
For example, a Panorama admin user named admin is allowed to commit and push
configuration changes. The admin user made changes to the Enterprise DLP
configuration and only wants to commit and push these changes to managed
firewalls. In this case, the admin user must also select the __dlp user in the partial
commit and push operations.

1. Select Commit > Commit to Panorama.


2. Select Commit Changes Made By and then click the current Panorama admin user to
select additional admins to include in the partial commit.
In this example, the admin user is currently logged in and performing the commit
operation. The admin user must click admin and then select the __dlp user. If there are
additional configuration changes made by other Panorama admins, they can be selected
here as well.
Click OK to continue.

3. Commit.
4. Select Commit > Push to Devices.
5. Select Push Changes Made By and then click the current Panorama admin user to select
additional admins to include in the partial push.
In this example, the admin user is currently logged in and performing the push
operation. The admin user must click admin and then select the __dlp user. If there are
additional configuration changes made by other Panorama admins, they can be selected
here as well.
Click OK to continue.

6. Select Device Groups and Include Device and Network Templates.


7. Click OK.
8. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

Create an Advanced Data Profile


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?

• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?

• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each
enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

Advanced data profiles are data profiles that can contain any combination of predefined, custom
regex, or file property data patterns and advanced detection methods such as EDM data sets and
custom document types. Enterprise DLP synchronizes advanced data profiles between Panorama
and Strata Cloud Manager.
When you create a data profile using predefined data patterns, be sure to consider the detection
type used by the predefined data patterns because the detection type determines how Enterprise
DLP arrives at a verdict for scanned files.

Updating an advanced data profile to include only data patterns isn’t supported if
the advanced data profile includes at least one data pattern and advanced detection
method when it was initially created. However, updating a data profile that includes data
patterns and advanced detection methods to only include advanced detection methods is
supported.
Create a Classic Data Profile to create a data profile containing only predefined or
custom data patterns.

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Data Profiles and Add Data Profile
> Advanced Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.

Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.


STEP 3 | Configure the Primary Rule for the data profile.

Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.

1. Enter a descriptive Data Profile Name.


2. Select the data pattern operator (AND or OR).
3. Add Data Pattern.
4. Define the data profile match criteria
• Data Patterns
Select Add > Data Pattern and define the data pattern match criteria.
• Data Pattern—Select a custom or predefined data pattern.

Predefined ML-based data patterns support only the Any occurrence
condition with either High or Low confidence. You can’t configure any
other traffic match criteria other than the confidence level for predefined
ML-based data patterns.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the maximum being the specified
Count.
• More than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the minimum being the specified Count.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP
detects any number of instances of matched traffic within the specified Count
range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file,
select More than or equal to as the Occurrence Condition and specify 3 as the
Count.
• Confidence—Specify the confidence level required for a Security policy rule action
to be taken (High or Low).
• Unique Occurrences—Check (enable) to detect only unique instances of traffic
matches. Only unique occurrences of traffic matches are counted toward the
specified Count.
This setting is disabled by default. Keep Unique Occurrences disabled if you want
all instances of traffic matches to count toward the specified Count.
• Data Dictionary


Select Add > Dictionary and define the data dictionary match criteria.
• Dictionary—Select a custom or predefined data dictionary.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the maximum being the specified
Count.
• More than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the minimum being the specified Count.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP
detects any number of instances of matched traffic within the specified Count
range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file,
select More than or equal to as the Occurrence Condition and specify 3 as the
Count.
• Confidence—Specify the confidence level required for a Security policy rule action
to be taken (High or Low).
• Unique Occurrences—Check (enable) to detect only unique instances of traffic
matches. Only unique occurrences of traffic matches are counted toward the
specified Count.
This setting is disabled by default. Keep Unique Occurrences disabled if you want
all instances of traffic matches to count toward the specified Count.
• Custom Document Types
Select Add > Document Types and define the custom document type match criteria.
• Document Type—Select a predefined or custom document type you uploaded to
Enterprise DLP.
• Overlapping Score Condition—Specify the custom document overlapping score
required to trigger a Security policy rule action.
• Greater Than or Equal To—Security policy rule triggered if Enterprise DLP
detects an instance of matched traffic with the specified minimum overlapping
score.
• Between (Inclusive)—Security policy rule action triggered if Enterprise DLP
detects an instance of matched traffic with an overlapping score between the
specified min and max overlapping scores.
• EDM
Select Add > EDM Dataset and define the EDM match criteria.
• EDM Dataset—Select an EDM data set uploaded to the DLP cloud service.


• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
• Configure EDM data set Primary Fields values to specify whether a Security policy
rule action is taken if Any (OR) or All (AND) primary fields are matched and if Any
(OR) or All (AND) secondary fields are matched.
• (Any(OR) only) Enter the Count to specify the number of instances of matched
traffic required to trigger a Security policy rule action. Range is 1 - 500.

When you select Any (OR), the maximum Count setting is one less than
the total number of fields included in the Primary Field or Secondary
Field.
• Select the Primary Fields values.
The list of available values is populated from the selected EDM data set. You must
select at least one primary field value.
You’re required to add at least one column whose values each occur at most 12 times
in the selected EDM data set for the Primary Field. For example, if the EDM data set
contains columns for first name, last name, social security number, and credit card
number, add social security number and credit card number in the primary field.
• Group
Select Add > Group to nest and group additional match criteria so you can more
accurately define your compliance rules.
When you Add a new Group, the new match criteria group is nested under
the most recently added data pattern or EDM data set. You can’t nest a new match
criteria group between existing data patterns or EDM data sets. If multiple data
patterns or EDM data sets are added, you must remove the data patterns or EDM
data sets that follow the data pattern or EDM data set for which you want to add the
nested match criteria. For example, you added EDM_Dataset1, Data_Pattern2,
and EDM_Dataset3 to the Primary Rule. To add nested match criteria to
Data_Pattern2, you must first remove EDM_Dataset3 from the Primary Rule.
You can select the same data pattern or EDM data set, or a different data pattern or
EDM data set, to more accurately define your compliance rules. Nesting match criteria
is supported only when the data profile includes an EDM data set. Enterprise DLP
supports up to three levels of additional nesting groups for each data pattern or EDM
data set. You can nest additional data patterns or EDM data sets under a data pattern
or EDM data set added to the Primary or Secondary Rule.
Nested match criteria support the AND, OR, and NOT operators. Refer to the
descriptions above to configure the nested match criteria.
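The following Python script is an added illustration, not Palo Alto Networks code and not the Enterprise DLP verdict engine. It models how the match criteria described for the Panorama Basic match criteria (Operator, Threshold, Occurrence) and for the Advanced data profile above (Occurrence Condition, Count, Unique Occurrences, AND/OR/NOT groups, Primary and Secondary Rules) combine into a verdict for one scanned file, so you can reason about a rule before you commit it. The pattern names, the regular expressions standing in for predefined data patterns, the two sample file contents, and the reading that a Less than or equal to condition still needs at least one match are all constructed assumptions; confidence levels, ML-based patterns, EDM data sets, document types, and the product requirement that nested groups need an EDM data set are not modelled.

```python
"""Model of how Enterprise DLP data-profile match criteria combine.

Added, illustrative example; not Palo Alto Networks code. It implements only
the semantics the guide spells out: a data pattern with an occurrence
condition (Any, Less than or equal to, More than or equal to, Between
inclusive), a Count of 1-500, an optional Unique Occurrences flag, criteria
grouped with AND / OR / NOT (nesting allowed), a Primary Rule with a
configurable action, and a Secondary Rule whose matches always block.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed stand-ins for predefined data patterns (assumption: regex-based).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b"),
}

# Constructed sample file contents used by the usage below.
SAMPLE_PAYROLL = (
    "CONFIDENTIAL - payroll export\n"
    "Alice, 123-45-6789\n"
    "Bob, 987-65-4321\n"
    "Alice (duplicate row), 123-45-6789\n"
)
SAMPLE_NOTES = "Team lunch Friday; corporate card 4111 1111 1111 1111 covers it.\n"


@dataclass
class Criterion:
    """One data pattern entry in a rule, as the guide's Basic/Advanced forms describe it."""
    pattern: str
    condition: str = "any"      # any | less_equal | greater_equal | between
    count: int = 1              # guide: Count / Threshold range is 1 - 500
    max_count: int = 500        # upper bound, used only by "between"
    unique: bool = False        # Unique Occurrences: count distinct matches only

    def matches(self, text: str) -> bool:
        if not 1 <= self.count <= 500:
            raise ValueError("count must be in the range 1 - 500")
        hits = PATTERNS[self.pattern].findall(text)
        n = len(set(hits)) if self.unique else len(hits)
        if self.condition == "any":
            return n >= 1
        if self.condition == "less_equal":
            # Assumption: at least one instance is still needed to trigger.
            return 1 <= n <= self.count
        if self.condition == "greater_equal":
            return n >= self.count
        if self.condition == "between":
            return self.count <= n <= self.max_count
        raise ValueError(f"unknown occurrence condition: {self.condition}")


@dataclass
class Group:
    """Criteria joined by AND, OR or NOT; groups may be nested inside groups."""
    op: str
    items: List[Union[Criterion, "Group"]] = field(default_factory=list)

    def matches(self, text: str) -> bool:
        results = [item.matches(text) for item in self.items]
        if self.op == "AND":
            return all(results)
        if self.op == "OR":
            return any(results)
        if self.op == "NOT":
            # NOT negates its single nested criterion or group.
            return len(results) == 1 and not results[0]
        raise ValueError(f"unknown operator: {self.op}")


def evaluate(primary: Group, secondary: Optional[Group], text: str,
             primary_action: str = "alert") -> str:
    """Return 'block', the Primary Rule action, or 'allow' for one scanned file.

    Secondary Rule matches block unconditionally (the guide says that action
    can't be modified); only the Primary Rule carries a configurable action.
    """
    if secondary is not None and secondary.matches(text):
        return "block"
    if primary.matches(text):
        return primary_action
    return "allow"


if __name__ == "__main__":
    primary = Group("AND", [
        Criterion("ssn", "greater_equal", count=3),
        Criterion("confidential_marker"),
    ])
    secondary = Group("OR", [Criterion("credit_card")])
    for name, text in (("payroll", SAMPLE_PAYROLL), ("notes", SAMPLE_NOTES)):
        print(f"{name}: {evaluate(primary, secondary, text)}")
```

Running the script reports alert for the payroll sample (three SSN hits, only two of them unique, plus the CONFIDENTIAL marker) and block for the notes sample, which only the Secondary Rule's credit card pattern matches. Setting unique=True on the SSN criterion drops the payroll verdict to allow, which is the behaviour to expect when duplicate rows inflate the raw count and the profile relies on Unique Occurrences.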

STEP 4 | (Optional) Configure a Secondary Rule.

Data pattern match criteria added to the Secondary Rule block all traffic that meets
the match criteria for the data patterns by default and can’t be modified. If you want
to allow traffic that matches a data pattern match criteria, add it to the Primary Rule.

STEP 5 | Review the Data Profile Preview to verify the data profile match criteria.


STEP 6 | Save the data profile.

STEP 7 | Test a Data Profile to verify it accurately detects the sensitive data you configured it to
detect.

STEP 8 | In Data Profiles, search for the data profile you created to verify it was successfully created.

STEP 9 | Modify a DLP Rule on Strata Cloud Manager to attach the data profile to a Security policy
rule.
The DLP Rule defines the type of traffic to inspect, the impacted file types, action, log severity,
and more for the data profile match criteria. Enterprise DLP automatically creates a DLP rule
with an identical name as the data profile from which it was created.

Create a Nested Data Profile


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.


Where Can I Use This?

• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?

• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each
enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license

Enterprise Data Loss Prevention (E-DLP) supports creating a single data profile that contains
multiple nested data profiles. Creating a single data profile that contains multiple nested data
profiles allows you to consolidate the match criteria to prevent exfiltration of sensitive data to
a single data profile that you can associate with a single Security policy rule. This allows you to
simplify the management of sensitive data leaving your network and reduces the need to manage
multiple Security policy rules and data profiles. Enterprise DLP synchronizes nested data profiles
between Panorama and Strata Cloud Manager.
When you create a data profile that contains predefined data profiles and patterns, be sure to
consider the detection types used by the predefined data patterns because the detection type
determines how Enterprise DLP arrives at a verdict for scanned files.

• Enterprise DLP supports updating a nested data profile only from Strata Cloud
Manager.
• Enterprise DLP does not support adding a nested data profile to another nested data
profile.
• Enterprise DLP supports adding classic or advanced data profiles that have only a
Primary Rule configured. Enterprise DLP does not support adding data profiles that
include both Primary and Secondary Rules to a nested data profile.
• Enterprise DLP supports adding a data profile that includes an advanced detection
method to an existing nested data profile if you did not include one when you
originally created the data profile.
• (SaaS Security) Enterprise DLP supports adding a nested data profile to SaaS Security
Inline policy recommendations and Internet Access policy rules only.
Enterprise DLP does not support adding a nested data profile to data asset policy
rules in Data Security.

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | (Optional) Create your classic or advanced data profiles on Strata Cloud Manager.
You can create a data profile that contains multiple data profiles using both predefined data
profiles and custom data profiles you create.


STEP 3 | Select Manage > Configuration > Data Loss Prevention > Data Profiles and Add Data
Profiles > Nested Data Profiles.
You can also create a new data profile by copying an existing data profile that already contains
multiple data profiles. This allows you to quickly modify an existing data profile with additional
data profile match criteria while preserving the original data profile from which the new data
profile was copied.
Enterprise DLP appends the name of a copied data profile with Copy -
<name_of_original_data_profile>.

STEP 4 | Enter the Data Profile Name.

STEP 5 | Configure the Primary Rule for the data profile.


Add Data Profile to add predefined or custom data profiles. Repeat this step to include
additional data profiles.
Add the data profile match criteria for allowed traffic to the Primary Rule. Add data profiles for
blocked traffic to either Primary Rule or Secondary Rule.
A data profile containing multiple data profiles supports any combination of data profiles with
data patterns only, data patterns and EDM data sets, and EDM data sets only.

Nested data profiles support only the OR operator.


STEP 6 | (Optional) Configure a Secondary Rule.


Add Data Profile to add predefined or custom data profiles. Repeat this step to include
additional data profiles.
Data profile match criteria added to the Secondary Rule block all traffic that meets the match
criteria for the data profile by default and can’t be modified. If you want to allow traffic that
matches a data profile match criteria, add it to the Primary Rule.
A data profile containing multiple data profiles supports any combination of data profiles with
data patterns only, data patterns and EDM data sets, and EDM data sets only.

Nested data profiles support only the OR operator.

STEP 7 | Save the data profile.

STEP 8 | Test a Data Profile to verify it accurately detects the sensitive data you configured it to
detect.

STEP 9 | Verify that the data profile you created exists.


• Strata Cloud Manager—Log in to Strata Cloud Manager and select Manage > Configuration
> Data Loss Prevention > Data Profiles and search for the data profile you created.
• Panorama and Prisma Access (Managed by Panorama)
See Update a Data Profile for more information on which data profile settings are editable
on Panorama for a data profile created on Strata Cloud Manager.

If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.

1. Select the data profile created on Strata Cloud Manager.


2. Set the data profile Action to Block traffic that matches the data profile match criteria.
3. Select Commit > Commit to Panorama and Commit.
4. Click OK.
5. Select Commit > Push to Devices and Edit Selections.
6. Select Device Groups and Include Device and Network Templates.
7. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 10 | Modify a DLP Rule on Strata Cloud Manager to attach the data profile to a Security policy
rule.
The DLP Rule defines the type of traffic to inspect, the impacted file types, action, log severity,
and more for the data profile match criteria. Enterprise DLP automatically creates a DLP rule
with an identical name as the data profile from which it was created.


Update a Data Profile


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?

• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?

• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each
enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

You can edit and modify an existing custom Enterprise Data Loss Prevention (E-DLP) data profile
at any time. Enterprise DLP synchronizes any changes you make to an existing data profile
between Panorama and Strata Cloud Manager.
If you update a data profile to include a predefined data pattern, be sure to consider the
detection types used by the predefined data patterns because the detection type determines
how Enterprise DLP arrives at a verdict for scanned files. For example, when you create a data
profile that includes three machine learning (ML)-based data patterns and seven regex-based data
patterns, Enterprise DLP will return verdicts based on the seven regex-based patterns whenever
the scanned file exceeds 1 MB.

Advanced data profiles and nested data profiles can only be modified from Strata Cloud
Manager.
Any changes to the data profile match criteria made on Strata Cloud Manager are
synchronized to Panorama but don’t display in the Panorama web interface. Security
policy rules using a data profile updated on Strata Cloud Manager inspect traffic using the
new or modified match criteria.

(Panorama only) Updating the data profile Name is supported, but you must manually
update the existing Security policy rules (Policies > Security) to reassociate the renamed
data filtering profile. Commits on Panorama fail if you don’t reassociate the renamed
data filtering profile with the Security policy rule after the updated data profile name is
synchronized to Panorama.


• Strata Cloud Manager


• Panorama

Strata Cloud Manager

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Data Profiles and navigate to the
data profile you want to modify.

STEP 3 | Edit ( ) the data profile.

STEP 4 | Modify the data profile as needed.


• See Create a Classic Data Profile for details on configuring a data profile that uses
only predefined or custom data patterns.

Modifying a classic data profile to include advanced detection methods isn’t
supported.
• See Create an Advanced Data Profile for details on configuring a profile that uses any
combination of predefined or custom data patterns and advanced detection methods.

Modifying an advanced data profile to only include data patterns isn’t supported
if the advanced data profile included both data patterns and advanced detection
methods when it was initially created.
Enterprise DLP includes predefined document templates that were converted
from ML-based data patterns. Palo Alto Networks recommends modifying the
match criteria if your existing data profile references ML-based data patterns
that were converted.
• See Create a Nested Data Profile for details on configuring a single data profile that
contains multiple data profiles.

Adding an advanced data profile to an existing nested data profile if one wasn’t
included when the nested data profile was originally created is supported.

STEP 5 | Test a Data Profile to verify it accurately detects the sensitive data you configured it to
detect.

STEP 6 | Save your changes.

Panorama

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Objects > DLP > Data Filtering Profiles and specify the Device Group.

STEP 3 | Select a data filtering profile to edit.


STEP 4 | Edit the data filtering profile as needed.


1. Modify whether the data filtering profile scans File Based traffic, Non-File Based traffic,
or both.
2. Modify the Primary Pattern and Secondary Pattern match criteria.
Modifying the data filtering profile match criteria on Panorama is supported only for
Enterprise DLP data filtering profiles created on Panorama. See File Based for Panorama
for details on configuring data pattern criteria using predefined or custom data patterns.
3. (Data Filtering Profile for Non-File Traffic Inspection Only) Modify the URL Category
Excluded List from Non-File and Application List Excluded from Non-File to configure
which URL and application traffic is excluded from Enterprise DLP inspection.
See Create a Classic Data Profile (Non-File Based for Panorama) for more information.
4. Edit the data filtering profile settings.
Enterprise DLP only supports editing the advanced data profile settings from Panorama.
• Select the data filtering profile Action (Alert or Block)

If the data profile has both Primary and Secondary Patterns, changing the
data filtering profile Action on Panorama deletes all Secondary Pattern
match criteria.
• Specify a File Type.
Leave the file type as any to match any of the supported file types.
• Set the Log Severity recorded for files that match this data filtering profile.

STEP 5 | Click OK.


STEP 6 | Commit and push the new configuration to your managed firewalls.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

• Full configuration push from Panorama


1. Select Commit > Commit to Panorama and Commit.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.
• Partial configuration push from Panorama

You must always include the temporary __dlp administrator when performing a
partial configuration push. This is required to keep Panorama and the DLP cloud
service in sync.
For example, you have an admin Panorama admin user who is allowed to commit
and push configuration changes. The admin user made changes to the Enterprise
DLP configuration and only wants to commit and push these changes to managed
firewalls. In this case, the admin user is required to also select the __dlp user in
the partial commit and push operations.

1. Select Commit > Commit to Panorama.


2. Select Commit Changes Made By and then click the current Panorama admin user to
select additional admins to include in the partial commit.
In this example, the admin user is currently logged in and performing the commit
operation. The admin user must click admin and then select the __dlp user. If there are


additional configuration changes made by other Panorama admins they can be selected
here as well.
Click OK to continue.

3. Commit.
4. Select Commit > Push to Devices.
5. Select Push Changes Made By and then click the current Panorama admin user to select
additional admins to include in the partial push.
In this example, the admin user is currently logged in and performing the push
operation. The admin user must click admin and then select the __dlp user. If there are


additional configuration changes made by other Panorama admins they can be selected
here as well.
Click OK to continue.

6. Select Device Groups and Include Device and Network Templates.


7. Click OK.
8. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

Test a Data Profile


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each
enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

Test the efficacy of your Enterprise Data Loss Prevention (E-DLP) data profiles before adding
them to your Security policy rule and pushing to your production NGFW and Prisma Access
tenants. This allows you to validate your data profiles against a file containing known sensitive
data to ensure accurate detection by Enterprise DLP. You can run a test on a data profile you're
currently configuring or on an existing data profile. The data profile test results show a high-level
summary of the type of data profile you're testing, the number of instances of High, Medium, and
Low confidence detections, and snippets of the sensitive data detected.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Create a data profile to add your predefined or custom data patterns, or edit an existing data
profile.

If you have an existing data profile you want to test, expand the Actions menu and
click Test.

STEP 3 | Click Test Run before you save the data profile to test the traffic match criteria and validate
the data profile detects the expected sensitive data.


STEP 4 | In the Detection Results, drag and drop the file you want to test or Browse File to select and
upload the file.
You can upload one file at a time. The maximum file size is 1 MB. Review the list of supported
file types for a list of file types you can upload to Enterprise DLP to test your data profile.
Enterprise DLP displays Invalid file upload if you upload an unsupported file type and
File size too large if you upload a supported file type larger than 1 MB.
Enterprise DLP begins testing the successfully uploaded file against the data profile.

STEP 5 | Review the test results.


Enterprise DLP can return one of the following data profile test results. Click View Data
Pattern Results and expand the Matched Data Patterns to view additional information
about which data patterns were matched, the number of high, medium, and low confidence
occurrences detected, and snippets of the sensitive data detected.
• Matched Test Results
Enterprise DLP returns a Matched verdict and successfully detected sensitive data
matching the sensitive data match criteria configured in the data profile. There are two
types of matched test results:
1. Successful Test Result—Enterprise DLP successfully detected all sensitive match criteria
configured in the data profile.

2. Partial Test Result—Enterprise DLP successfully detected some but not all sensitive
match criteria configured in the data profile. A partial test result can mean:
• Match criteria in at least one, but not all, data patterns added to the data profile isn't
configured correctly to detect the sensitive data in the uploaded test file.
• Test file uploaded to Enterprise DLP does not contain sensitive data that matches at
least one, but not all, data pattern match criteria in your data profile.
• Primary and Secondary Rules in the data profile are not configured correctly. For
example, Enterprise DLP does not generate a DLP incident if you configured the
Occurrences for one of the data patterns in the Primary Rule to Less than or equal
to 10 but there are more than 10 instances of sensitive data for each associated data
pattern.
In the example below, Enterprise DLP did not detect any sensitive data
in the test file that matched the Credit Card Number data pattern, but did detect
sensitive data that matches the Credit Card CVV and National Id - US Social
Security Number - SSN data patterns. In this case, you should modify the number
of occurrences required.
Re-Upload File to test a different file against the data profile or exit the Test Data Profile
page to review and modify your data pattern and data profile configurations before
retesting.

• Not Matched Test Results


If Enterprise DLP returns a Not Matched verdict, it means one of the following:
• Match criteria configured in all data patterns added to the data profile are not configured
correctly to detect the sensitive data in the uploaded test file.
• Primary and Secondary Rules in the data profile are not configured correctly.
• Test file uploaded to Enterprise DLP does not contain sensitive data that matches any
data pattern match criteria in your data profile.
Re-Upload File to test a different file against the data profile or exit the Test Data Profile
page to review and modify your data pattern and data profile configurations before
retesting.

STEP 6 | Exit the data profile test screen after you verified the data profile detects the intended
sensitive data.
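The three verdicts above (Successful, Partial, Not Matched) and the occurrence-ceiling pitfall are easier to reason about with a small model of how a Primary Rule is evaluated against a test file. The script below is an added illustration, not Enterprise DLP code and not its actual matching logic: the three regexes are hypothetical stand-ins for the predefined data patterns, the operator names ("any", "more_than", "less_than_or_equal") and the AND combination of conditions are assumptions, and the test file content is constructed. It reproduces the Partial case from the text, where the CVV and SSN patterns hit but Credit Card Number does not, and the case where a "Less than or equal to" ceiling is exceeded.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the file you would upload in STEP 4: two SSNs, three
# CVVs, and no credit card number.
TEST_FILE = (
    "Customer export, internal use only.\n"
    "SSN: 123-45-6789, SSN: 987-65-4321\n"
    "CVV 123  CVV 456  CVV 789\n"
)


@dataclass(frozen=True)
class DataPattern:
    name: str
    regex: str  # hypothetical regex stand-ins for the predefined patterns


SSN = DataPattern("National Id - US Social Security Number - SSN", r"\b\d{3}-\d{2}-\d{4}\b")
CVV = DataPattern("Credit Card CVV", r"\bCVV\s*\d{3}\b")
CCN = DataPattern("Credit Card Number", r"\b(?:\d{4}[ -]?){3}\d{4}\b")


@dataclass(frozen=True)
class Condition:
    pattern: DataPattern
    operator: str = "any"   # assumed operator set: "any", "more_than", "less_than_or_equal"
    threshold: int = 0


def count_occurrences(pattern, text):
    return sum(1 for _ in re.finditer(pattern.regex, text))


def condition_holds(cond, count):
    if cond.operator == "any":
        return count >= 1
    if cond.operator == "more_than":
        return count > cond.threshold
    if cond.operator == "less_than_or_equal":
        # A ceiling still needs at least one hit; zero occurrences is not a detection.
        return 1 <= count <= cond.threshold
    raise ValueError(f"unknown operator {cond.operator}")


def evaluate_profile(conditions, text):
    """Return (verdict, per-pattern occurrence counts) for one Primary Rule.
    Conditions are ANDed here (an assumption made for the illustration)."""
    counts = {c.pattern.name: count_occurrences(c.pattern, text) for c in conditions}
    satisfied = [c for c in conditions if condition_holds(c, counts[c.pattern.name])]
    detected = [c for c in conditions if counts[c.pattern.name] > 0]
    if len(satisfied) == len(conditions):
        return "Matched - Successful", counts
    if detected:
        # Some patterns hit, but at least one condition failed (pattern absent or
        # occurrence threshold not met), which is the Partial Test Result case.
        return "Matched - Partial", counts
    return "Not Matched", counts


if __name__ == "__main__":
    profiles = {
        "ssn+cvv": [Condition(SSN), Condition(CVV)],
        "ssn+cvv+ccn": [Condition(SSN), Condition(CVV), Condition(CCN)],
        "cvv ceiling too low": [Condition(SSN), Condition(CVV, "less_than_or_equal", 2)],
        "ccn only": [Condition(CCN)],
    }
    for name, conds in profiles.items():
        verdict, counts = evaluate_profile(conds, TEST_FILE)
        print(f"{name:22} -> {verdict:22} {counts}")
```

The "cvv ceiling too low" profile is the case the text warns about: the CVV pattern is clearly present (three hits), yet the rule fails because the ceiling of 2 is exceeded, so the fix is in the Occurrences setting, not in the regex.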


Resolve Data Profile Synchronization Conflicts


Where Can I Use This?
• NGFW (Managed by Panorama)
• Prisma Access (Managed by Panorama)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each
enforcement point.

When managing your Enterprise Data Loss Prevention (E-DLP) data filtering profiles across
your Panorama™ management server and Strata Cloud Manager, configuration drift might
occur because the Enterprise DLP plugin's local configuration only syncs with Strata Cloud
Manager when you commit Enterprise DLP configuration changes on Panorama. This can lead to
configuration commit failures or to data filtering profiles being silently overwritten, which can
cause security disruptions and protection gaps.
To resolve data filtering profile synchronization conflicts, you must install Enterprise DLP plugin
5.0.0 or later release. Review the Compatibility Matrix to learn more about the plugin versions
supported on each PAN-OS release.

If you decide to ignore any data filtering profile conflict errors, be aware that Enterprise
DLP synchronizes data pattern and data profile changes on Panorama with Strata Cloud
Manager every time you commit configuration changes on Panorama.
This might result in Enterprise DLP overwriting the correct configuration on Strata
Cloud Manager with the incorrect configuration from Panorama.

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Objects > DLP > Data Filtering Profiles.

STEP 3 | A banner displays at the top of the data filtering profile list when Enterprise DLP detects
a synchronization conflict between the Enterprise DLP plugin installed on Panorama
and the data profiles on Strata Cloud Manager. This banner displays the total number of
synchronization conflicts detected.
Click the Resolve Conflicts link to continue.


STEP 4 | Select a data filtering profile with conflicts to review. You can review one data filtering
profile at a time.

STEP 5 | Review the Local Changes on Panorama and the Remote Changes on Strata Cloud Manager
and decide which configuration you want to keep.
Use the Legend to identify the conflicts between the data filtering profile on Panorama and
the data profile on Strata Cloud Manager.
• Apply Local—Enterprise DLP preserves the local configuration on Panorama. Enterprise
DLP synchronizes the data filtering profile configuration you preserved on Panorama
with Strata Cloud Manager after you commit and push your Enterprise DLP configuration
changes.
• Apply Cloud—Enterprise DLP applies the data profile configuration detected on Strata
Cloud Manager to the data filtering profile on Panorama. Enterprise DLP synchronizes the
data filtering profile configuration applied from Strata Cloud Manager to the data filtering
profile on Panorama after you commit and push your Enterprise DLP configuration changes.

STEP 6 | When prompted, Confirm you want to apply the changes from the local data filtering profile
on Panorama or from the data profile on Strata Cloud Manager.


STEP 7 | Commit and push your configuration changes.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

• Full configuration push from Panorama


1. Select Commit > Commit to Panorama and Commit.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your NGFW that are using Enterprise DLP.
• Partial configuration push from Panorama

You must always include the temporary __dlp administrator when performing a
partial configuration push. This is required to keep Panorama and Enterprise DLP in
sync.
For example, you have an admin Panorama admin user who is allowed to commit
and push configuration changes. The admin user made changes to the Enterprise
DLP configuration and only wants to commit and push these changes to your
NGFW. In this case, the admin user is required to also select the __dlp user in the
partial commit and push operations.

1. Select Commit > Commit to Panorama.


2. Select Commit Changes Made By and then click the current Panorama admin user to
select additional admins to include in the partial commit.
In this example, the admin user is currently logged in and performing the commit
operation. The admin user must click admin and then select the __dlp user. If there are


additional configuration changes made by other Panorama admins they can be selected
here as well.
Click OK to continue.

3. Commit.
4. Select Commit > Push to Devices.
5. Select Push Changes Made By and then click the current Panorama admin user to select
additional admins to include in the partial push.
In this example, the admin user is currently logged in and performing the push
operation. The admin user must click admin and then select the __dlp user. If there are


additional configuration changes made by other Panorama admins they can be selected
here as well.
Click OK to continue.

6. Select Device Groups and Include Device and Network Templates.


7. Click OK.
8. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.


Enable Existing Data Patterns and Filtering Profiles



Where Can I Use This?
• NGFW (Managed by Panorama)
• Prisma Access (Managed by Panorama)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each
enforcement point.

After you successfully install the Enterprise Data Loss Prevention (E-DLP) plugin on Panorama,
existing data patterns and filtering profiles are no longer displayed but you can still reference
them in your Security policy rules. If you have existing data filtering patterns and profiles
configured that you need to edit after installing the Enterprise DLP plugin, you can display them
again in your Panorama web interface.

Existing data patterns and data filtering profiles aren’t hidden if you’re using Enterprise
DLP for Prisma Access (Managed by Panorama).

STEP 1 | Enable existing data patterns and filtering profiles on Panorama.


1. Log in to the Panorama CLI.
2. Enable the existing data patterns and filtering profiles.

admin> request plugins dlp hide-old-config no

Panorama returns a pass message to confirm the existing data patterns and filtering
profiles are now displayed.

Enter the following command to disable the displaying of existing data patterns
and filtering profiles.

admin> request plugins dlp hide-old-config yes


STEP 2 | (Optional) Enable existing data patterns and filtering profiles on the managed firewall if you
have any Security policy rules configured locally on the firewall.
1. Log in to the firewall CLI.
2. Enable the existing data patterns and filtering profiles.

admin> request plugins dlp hide-old-config no

The firewall returns a pass message to confirm the existing data patterns and filtering
profiles are now displayed.

Enter the following command to disable the displaying of existing data patterns
and filtering profiles.

admin> request plugins dlp hide-old-config yes

STEP 3 | Log in to the Panorama web interface.

STEP 4 | Edit your existing data patterns and filtering profiles.


1. Select Objects > Custom Objects > Data Patterns and edit your data patterns.
2. Select Objects > Security Profiles > Data Filtering and edit your data filtering profiles.

STEP 5 | Select Policies > Security and select the Device Group to modify your Security policy rules
as needed.


STEP 6 | Commit and push the new configuration to your managed firewalls.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

• Full configuration push from Panorama


1. Select Commit > Commit to Panorama and Commit.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.
• Partial configuration push from Panorama

You must always include the temporary __dlp administrator when performing a
partial configuration push. This is required to keep Panorama and the DLP cloud
service in sync.
For example, you have an admin Panorama admin user who is allowed to commit
and push configuration changes. The admin user made changes to the Enterprise
DLP configuration and only wants to commit and push these changes to managed
firewalls. In this case, the admin user is required to also select the __dlp user in
the partial commit and push operations.

1. Select Commit > Commit to Panorama.


2. Select Commit Changes Made By and then click the current Panorama admin user to
select additional admins to include in the partial commit.
In this example, the admin user is currently logged in and performing the commit
operation. The admin user must click admin and then select the __dlp user. If there are


additional configuration changes made by other Panorama admins they can be selected
here as well.
Click OK to continue.

3. Commit.
4. Select Commit > Push to Devices.
5. Select Push Changes Made By and then click the current Panorama admin user to select
additional admins to include in the partial push.
In this example, the admin user is currently logged in and performing the push
operation. The admin user must click admin and then select the __dlp user. If there are


additional configuration changes made by other Panorama admins they can be selected
here as well.
Click OK to continue.

6. Select Device Groups and Include Device and Network Templates.


7. Click OK.
8. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.


Modify a DLP Rule on Strata Cloud Manager



Where Can I Use This?
• NGFW (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each
enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

Configure a DLP rule to define the type of traffic to inspect, the impacted file types, action,
and log severity for the data profile match criteria. Enterprise Data Loss Prevention (E-DLP)
automatically creates a DLP rule when you create a new data profile. After you configure the data
filtering profile, you must create a Profile Group containing the data filtering profile and attach
it to a Security policy rule so the NGFW or Prisma Access tenant can enforce your data security
standards.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Create a data profile.

STEP 3 | Select Manage > Configuration > Data Loss Prevention > DLP Rules and in the Actions
column, Edit the DLP rule.
The DLP rule has an identical name as the data profile from which it was automatically created.

STEP 4 | (Optional) Enter a Description for the DLP rule.


STEP 5 | Modify the DLP rule Match Criteria.


• File Based
1. Enable DLP rule match criteria for file-based traffic.
2. (Prisma Access 5.1 and later) Select the File Scan Mode to explicitly include or exclude
specific file types.
A DLP rule supports only one type of file mode. You can't configure a DLP rule to both
include and exclude specific file types.
• Include—Enterprise DLP only inspects the selected file types. The NGFW or Prisma
Access tenant ignores all other file types and does not forward them to Enterprise
DLP for inspection and verdict rendering.
• Exclude—The NGFW or Prisma Access tenant excludes the selected file types and
does not send them to Enterprise DLP for inspection and verdict rendering. The NGFW
or Prisma Access tenant forwards all other file types to Enterprise DLP, but Enterprise
DLP inspects and renders verdicts only on supported file types.
3. Specify one or more supported file types to include in the match criteria.
All supported file types are included in the match criteria by default.
4. Specify the File Direction (Upload, Download, or Both).
The default file direction is Upload. File direction support is dependent on the app.
Review the list of supported apps to learn which file directions Enterprise DLP supports.

• Non-File Based
1. Enable DLP rule match criteria for non-file based traffic.
2. Select the URL Category List Exclusions to exclude forwarding traffic from one or more
specific URLs to Enterprise DLP.
You can use a predefined URL category or create a custom URL category in the Global
Configuration Scope. You can select multiple URL categories to exclude traffic from non-
file inspection.
3. Select the Application List Exclusion to exclude forwarding traffic from one or more
specific apps to Enterprise DLP.
You can use a predefined application filter or create a custom application filter in the
Global Configuration Scope. You can select multiple application filters to exclude app
traffic from non-file inspection.

Enterprise DLP requires at least one Application Filter if you enable exclusions
for non-file based traffic. Palo Alto Networks recommends adding the predefined
DLP App Exclusion application filter if you don't have a custom or
predefined application filter you want to add.


STEP 6 | Configure the Action & Log settings.


1. Select the Action (Alert, or Block) taken when Enterprise DLP detects sensitive data.
The default action is Alert.
2. Set the Log Severity when Enterprise DLP detects traffic that matches the DLP rule.
The default severity is Low.

STEP 7 | (Best Practices for File Based Inspection) Create a File Blocking profile and create a Block
Rule to block the file types you don't explicitly forward to Enterprise DLP.
Palo Alto Networks recommends creating this File Blocking profile to ensure sensitive data
can't be exfiltrated in file types Enterprise DLP doesn't support.

STEP 8 | Create a Shared Profile Group for the Enterprise DLP data filtering profile.
1. Select Manage > Configuration > NGFW and Prisma Access > Security Services >
Profile Groups and Add Profile Group.
2. Enter a descriptive Name for the Profile Group.
3. (Best Practices for File Based Inspection) For the File Blocking Profile, select the File
Blocking profile you created in the previous step.
4. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
5. Add any other additional profiles as needed.
6. Save the profile group.

STEP 9 | Create a Security policy rule and attach the Profile Group.
1. Select Manage > Configuration > NGFW and Prisma Access > Security Services >
Security Policy and Add Rule.
You can also update an existing Security policy to attach a Profile Group for Enterprise
DLP filtering.
2. Configure the Security policy as needed.
3. Navigate to the Action and Advanced Inspection section, and select the Profile Group
you created in the previous step.
4. Save the Security policy.

STEP 10 | Push Config and push your configuration changes.


Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each
enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

A SaaS policy rule recommendation is required to leverage the Enterprise Data Loss Prevention
(E-DLP) data profile in SaaS Security. To scan for and render a verdict on sensitive data
for which you want to prevent exfiltration, you must assign the data profile to the SaaS
Security policy rule recommendation.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Create data patterns and a data profile to define the match criteria for sensitive data you
want to detect.

STEP 3 | Select Manage > Configuration > Security Services > SaaS Security > Discovered Apps >
Policy Recommendations and Add Policy.


STEP 4 | Create the SaaS Security policy rule recommendation.


1. Configure the policy rule recommendation as needed.
Review how to create policy rule recommendations for SaaS Security for more details.
See the Supported Applications for more information on which applications Enterprise
DLP supports.
2. For the Data Profile, select the data profile you created in the previous step.
Only one data profile can be associated with a policy rule recommendation.
3. Save.


Reduce False Positive Detections



Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each
enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

In some instances, Enterprise Data Loss Prevention (E-DLP) may incorrectly detect and take
action on network traffic that it should not have. This is called a false positive detection,
and false positives cause productivity impacts for individual employees and Enterprise DLP
administrators alike. False positive detections are commonly caused by traffic match criteria in
your data patterns that are too generalized, or by instances where the Enterprise DLP machine
learning (ML) models need to be manually trained. Review the recommendations below to help
reduce the chance of false positive detections.
STEP 1 | Log in to the management platform where you are managing Enterprise DLP.
• Log in to Strata Cloud Manager
• Log in to the Panorama web interface

STEP 2 | (Regex only) Review your custom regex data patterns.


1. Review the regular expression (regex) for the custom data pattern generating false
positive detections.
Custom data patterns use regular expressions (regex) to define the match criteria
that you want Enterprise DLP to detect and take action on. Regex that is too broad
contributes to false positive detections. Palo Alto Networks recommends writing narrow
regex so only the sensitive data you want to prevent leaving your organization's network
is detected and blocked.
2. Add proximity keywords to your custom data pattern.
Proximity keywords help improve overall Enterprise DLP detection accuracy and reduce
false positives. Proximity keywords impact the detection confidence level, which reflects
how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP
determines the match confidence level by inspecting the distance of the regex to the
proximity keywords you added.
3. Use the File Property configuration settings to add specific file property patterns on
which to match.
If you use classification labels or embed tags in documents to include more information
for audit and tracking purposes, you can create a file property data pattern to match on
the metadata or attributes that are part of the custom or extended properties in the file.
Regardless of whether you use an automated classification mechanism, such as Titus, or
require users to add a tag, you can specify a name-value pair to match on a custom or
extended property embedded in the file. This narrows the likelihood of false positives by
requiring Enterprise DLP to inspect and take action only on documents that contain the
specified name-value pair.
For Panorama, this means modifying or creating a new data pattern. For Strata Cloud
Manager, this means creating a file property data pattern.
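As an added illustration (not code from the guide or from Enterprise DLP), the Python below shows why a broad regex produces false positives and how a proximity keyword near a match separates a high-confidence hit from a low-confidence one. The sample text and the 40-character keyword window are constructed for this example; the guide does not publish the distances Enterprise DLP uses internally.

```python
import re

# Constructed sample text (not taken from the guide): one real SSN next to its keyword,
# plus an order number and a phone number that share the nine-digit shape.
SAMPLE_TEXT = (
    "Order number 987654321 was shipped on Monday and the courier confirmed receipt. "
    "HR record: SSN 123-45-6789 belongs to the new hire. "
    "Support line 8001234567 is open weekdays."
)

# Too general: optional separators let it match any nine consecutive digits.
BROAD_SSN = re.compile(r"\d{3}-?\d{2}-?\d{4}")
# Narrow: require the documented XXX-XX-XXXX shape on word boundaries.
NARROW_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Proximity keywords an administrator would add to the custom data pattern.
PROXIMITY_KEYWORDS = ("ssn", "social security")
# Assumed window (characters) within which a keyword raises confidence.
KEYWORD_WINDOW = 40


def keyword_spans(text, keywords=PROXIMITY_KEYWORDS):
    """Return the (start, end) span of every proximity keyword, matched case-insensitively."""
    lowered = text.lower()
    return [m.span() for kw in keywords for m in re.finditer(re.escape(kw), lowered)]


def distance_to_keyword(match_span, spans):
    """Smallest gap in characters between a regex match and any keyword; None if no keyword."""
    m_start, m_end = match_span
    gaps = []
    for k_start, k_end in spans:
        if k_end <= m_start:
            gaps.append(m_start - k_end)     # keyword precedes the match
        elif m_end <= k_start:
            gaps.append(k_start - m_end)     # keyword follows the match
        else:
            gaps.append(0)                   # spans overlap
    return min(gaps) if gaps else None


def find_matches(pattern, text, window=KEYWORD_WINDOW):
    """Return [(matched_text, confidence)] for every regex hit.

    Confidence is "high" when a proximity keyword lies within `window` characters of the
    hit and "low" otherwise, mirroring how the guide describes keywords raising the
    detection confidence level."""
    spans = keyword_spans(text)
    results = []
    for m in pattern.finditer(text):
        gap = distance_to_keyword(m.span(), spans)
        confidence = "high" if gap is not None and gap <= window else "low"
        results.append((m.group(), confidence))
    return results


if __name__ == "__main__":
    # The broad pattern reports two extra low-confidence hits (order and phone numbers);
    # the narrow pattern reports only the SSN, which the nearby keyword marks high confidence.
    print("broad :", find_matches(BROAD_SSN, SAMPLE_TEXT))
    print("narrow:", find_matches(NARROW_SSN, SAMPLE_TEXT))
```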

STEP 3 | Use advanced detection tools to create specific and narrow match criteria for your data
profiles.
• ML-Based Data Patterns—Use predefined regex data patterns enhanced with machine
learning (ML) or ML-based data patterns to increase detection accuracy and reduce false
positive detections.
• Exact Data Matching (EDM)—EDM is used to monitor and prevent exfiltration of sensitive
and personally identifiable information (PII) such as social security numbers, Medical Record
Numbers, bank account numbers, and credit card numbers, in a structured data source such
as databases, directory servers, or structured data files with high accuracy.
With EDM, you can reduce false positive detections by uploading data sets with the specific
PII data you want to prevent exfiltration of and use them as match criteria in data profiles.
• Custom Document Types—Enterprise DLP supports the upload and detection of custom
documents containing intellectual property for which you want to prevent exfiltration. This
tool uses ML-based detection models to detect and prevent exfiltration of sensitive data
contained in documents unique to your organization.
With custom document types, you can reduce false positive detections for file-based
traffic by narrowing down the possible file-based detections to just those unique to your
organization. For example, be sure to set a high Overlapping Score Condition threshold
when you create an advanced data profile to detect custom documents. This narrows down
the possible traffic matches by requiring a high degree of overlap between the scanned file
and the custom document type.
• Data Dictionaries—Data dictionaries are a collection of one or more proximity keywords
or phrases that you want to detect and prevent exfiltration of. A data dictionary is added as
match criteria alongside the other supported match criteria in advanced and nested data
profiles to increase the Enterprise Data Loss Prevention (E-DLP) detection accuracy.


STEP 4 | Contact Palo Alto Networks Support to help investigate why false positive detections
continue to occur.
Only contact Palo Alto Networks Support if you have implemented the above
recommendations and continue to experience false positive detections. Palo Alto Networks
Support team members will work with your administrators to review your data patterns and
data profiles to help identify what can be further improved.
In some instances, they may go back to review your data patterns and data profiles to see if
any further modifications can be made to narrow the match criteria scope.

STEP 5 | (Predefined Data Patterns and Profiles only) Report a False Positive Detection to Palo Alto
Networks.
Report false positive detections to Palo Alto Networks to improve Enterprise DLP detection
accuracy for yourself and other Enterprise DLP users. You can report snippets of false positive
detections for high confidence traffic matches against predefined regular expression (regex) or
machine learning (ML) data patterns.

All selected DLP incident snippets are shared with Palo Alto Networks when you
submit a false positive report. The selected snippets are stored and accessible by
Palo Alto Networks for up to 90 days to allow Palo Alto Networks to investigate and
improve Enterprise DLP detection accuracy.


Exact Data Matching (EDM)


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
  Review the Supported Platforms for details on the required license for each enforcement point.
  Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

Exact Data Matching (EDM) for Enterprise Data Loss Prevention (E-DLP) is an advanced detection
tool to monitor and protect sensitive data from exfiltration. Use EDM to detect sensitive and
personally identifiable information (PII) such as social security numbers, Medical Record Numbers,
bank account numbers, and credit card numbers, in a structured data source such as databases,
directory servers, or structured data files, with high accuracy.
To use EDM, Enterprise DLP relies on the encrypted hash of the sensitive data you upload to
Enterprise DLP. Enterprise DLP indexes the encrypted hash of uploaded EDM data sets. To
prevent the exfiltration of sensitive data, Enterprise DLP uses the indexed hash data set in the
Security policy rule for matching outbound traffic.
By default, EDM data set values must be within 100 characters in order for Enterprise DLP to
successfully detect sensitive data in inspected traffic. Contact Palo Alto Networks Customer
Support to increase the maximum proximity characters to detect sensitive data.
For example, you upload an EDM data set that contains the following data:

FName  LName  SSN          BankAccNum  CCN
Bill   Smith  123-45-6789  22334455    1111-2222-3333-4444

In this case, Enterprise DLP detects sensitive data in inspected traffic if Smith and 22334455 are
within 100 characters of each other.


• Supported EDM Data Set Formats
• Set Up the EDM CLI App
• Configure EDM CLI App Connectivity to Enterprise DLP
• Upload an Encrypted EDM Data Set to Enterprise DLP Using a Configuration File
• Create and Upload an Encrypted EDM Data to Enterprise DLP in Interactive Mode
• Update an Existing EDM Data Set on Enterprise DLP

Supported EDM Data Set Formats


The Exact Data Matching (EDM) CLI app supports CSV and TSV as source files for an encrypted
EDM data set upload to Enterprise Data Loss Prevention (E-DLP). Before you upload an
encrypted EDM data set to Enterprise DLP, review the supported CSV file, TSV file, and data type
formatting.
Enterprise DLP uses an Exact Match for values that don't follow the supported data type formats
below, and for data types that have no unique formatting requirements. If a data type follows the
supported format, Enterprise DLP can also match other formatted instances of the data type in the
scanned file. For example, if you configure an EDM filtering profile to block files that contain the
social security number 456-12-7890, Enterprise DLP also matches instances of the social
security number formatted as 456 12 7890 and 456.12.7890. However, if the EDM filtering
profile is configured to block files containing the social security number 456127890, only files
containing an exact match to this social security number are blocked.
When preparing an EDM data set for upload, consider the following:


• A header row is supported.
• Data sets in CSV and TSV formats are supported.
  CSV format is recommended to adhere to the RFC-4180 standard.
• Atomic columns are recommended to ensure accurate matching of sensitive data.
  Atomic columns are columns containing cells that are expected to contain a discrete or unique
  Data Type value. For example, in your data set you have the SSN column. One of the cells in
  this column contains the value "123456789;098765432". In this example, Enterprise DLP
  inspects for all incidents of 123456789;098765432 as a single SSN rather than inspecting
  for 123456789 and 098765432 as unique incidents.
• Up to 50 individual Data Type values are supported in a single cell.
  Data Types are data values recognized by Enterprise DLP. If a cell has more than 50 Data
  Type values recognized by Enterprise DLP, only the first 50 values are processed and the
  remaining values are ignored.
  For example, Today is August 02, 2020 contains three data type values: Today and is
  are Alphabet data types and August 02, 2020 is a Date data type.
• Only English (Latin script) is supported.
• Only the comma (,) and tab (\t) delimiters are supported.
• By default, a maximum of 30 columns and 130 million rows are supported per EDM data set.
  For example, you have one EDM data set containing 30 columns and 4 million rows and a
  second EDM data set containing 6 columns and 20 million rows. Both EDM data sets are
  supported because each stays within the maximum number of rows and columns supported.
• By default, Enterprise DLP supports up to 120 million cells per data set and up to 500 million
  cells for a single Enterprise DLP tenant across all EDM data sets uploaded to Enterprise DLP.
  Contact Palo Alto Networks Customer Support to increase the maximum number of cells
  supported for your Enterprise DLP tenant. By request, Enterprise DLP can support up to
  1 billion cells per EDM data set and up to 2 billion cells per Enterprise DLP tenant across all
  EDM data sets uploaded to Enterprise DLP.
• The supported file encoding schemes are UTF-8, UTF-16, ISO-8859-1, and US-ASCII.
• The EDM CLI app removes all punctuation from data contained in the EDM data set.
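The pre-upload checks a practitioner would run on a CSV or TSV before handing it to the EDM CLI app, written here as an added Python example (not part of the EDM CLI app): it applies the default limits, delimiters and encodings listed above and flags ragged rows, empty cells and a non-atomic SSN cell. The sample data set is constructed, and the non-atomic and more-than-50-values checks are simple heuristics of this example.

```python
import codecs
import csv
import io

# Default limits from the Supported EDM Data Set Formats section (Support can raise them).
MAX_COLUMNS = 30
MAX_ROWS = 130_000_000
MAX_CELLS_PER_DATA_SET = 120_000_000
MAX_VALUES_PER_CELL = 50
SUPPORTED_DELIMITERS = {",": "CSV", "\t": "TSV"}

# Constructed sample data set (not from the guide). Line 2 is clean, line 3 has a
# non-atomic SSN cell, line 4 is missing a column and line 5 has an empty SSN cell.
SAMPLE_CSV = (
    "FName,LName,SSN,BankAccNum,CCN\n"
    "Bill,Smith,123-45-6789,22334455,1111-2222-3333-4444\n"
    "Ann,Jones,123456789;098765432,99887766,4739-5402-9061-0638\n"
    "Raj,Patel,987-65-4321,55667788\n"
    "Eve,Lee,,44556677,5500-0000-0000-0004\n"
)


def decode_data_set(raw):
    """Decode file bytes with one of the supported encodings and report which one applied.

    US-ASCII is a subset of UTF-8, so the UTF-8 attempt covers it; UTF-16 is assumed only
    when a byte-order mark is present; ISO-8859-1 accepts every byte and is the last resort."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16"), "UTF-16"
    try:
        return raw.decode("utf-8"), "UTF-8"
    except UnicodeDecodeError:
        return raw.decode("iso-8859-1"), "ISO-8859-1"


def validate_data_set(text, delimiter=",", has_header=True, allow_empty_cells=False,
                      atomic_columns=("SSN",)):
    """Return a list of human-readable issues; an empty list means the data set passes."""
    if delimiter not in SUPPORTED_DELIMITERS:
        return [f"unsupported delimiter {delimiter!r}: only ',' (CSV) and tab (TSV) are allowed"]
    rows = list(csv.reader(io.StringIO(text), delimiter=delimiter))
    if not rows:
        return ["data set is empty"]
    header = rows[0] if has_header else [f"column{i + 1}" for i in range(len(rows[0]))]
    data_rows = rows[1:] if has_header else rows
    width = len(header)
    issues = []

    if width > MAX_COLUMNS:
        issues.append(f"{width} columns exceed the default maximum of {MAX_COLUMNS}")
    if len(data_rows) > MAX_ROWS:
        issues.append(f"{len(data_rows)} rows exceed the default maximum of {MAX_ROWS}")
    cells = sum(len(r) for r in data_rows)
    if cells > MAX_CELLS_PER_DATA_SET:
        issues.append(f"{cells} cells exceed the default maximum of {MAX_CELLS_PER_DATA_SET}")

    atomic_idx = {header.index(c) for c in atomic_columns if c in header}
    for line_no, row in enumerate(data_rows, start=2 if has_header else 1):
        if len(row) != width:
            issues.append(f"line {line_no}: expected {width} values, found {len(row)}")
            continue
        for i, cell in enumerate(row):
            if cell.strip() == "":
                if not allow_empty_cells:
                    issues.append(f"line {line_no}, {header[i]}: empty cell")
            elif i in atomic_idx and ";" in cell:
                # Several values in one atomic cell are matched as one value, not separately.
                issues.append(f"line {line_no}, {header[i]}: non-atomic cell {cell!r}")
            elif len(cell.split()) > MAX_VALUES_PER_CELL:
                issues.append(f"line {line_no}, {header[i]}: more than {MAX_VALUES_PER_CELL} "
                              f"values, only the first {MAX_VALUES_PER_CELL} are processed")
    return issues


if __name__ == "__main__":
    text, encoding = decode_data_set(SAMPLE_CSV.encode("utf-8"))
    print(f"decoded as {encoding}")
    for issue in validate_data_set(text):
        print(issue)
```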
The EDM CLI app supports the following data type formats for EDM data sets.


Data Type: Date
Format:
  • DD-MM-YYYY, DD/MM/YYYY, DD.MM.YYYY, DD,MM,YYYY, DD MM YYYY
  • MM-DD-YYYY, MM/DD/YYYY, MM.DD.YYYY, MM,DD,YYYY, MM DD YYYY
  • YYYY-MM-DD, YYYY/MM/DD, YYYY.MM.DD, YYYY,MM,DD, YYYY MM DD
  A space, dashes (-), slash (/), comma (,), period (.), and any combination of these
  separators are supported.
Example:
  • 2-Aug-2020
  • 02-Aug-2020
  • 02.08.2020
  • 02 Aug 2020
  • 2 August, 2020
  • 2 Aug, 2020
  • 02 August 2020
  • 2. August 2020
  • August 2, 2020
  • Aug 2, 2020
  • Sunday, August 2, 2020
  • Sunday, August 02, 2020
  • Sunday, 2 August, 2020
  • Sunday 02 August 2020
  Exact Data Matching is performed for ambiguous dates.
  • 20-08-02
  • 02.08.20
  • 08/02/20
  • 08 2, 20
  • 02/08/20
  • 8/2/20
  • 2020/08/02
  • 2020-08-02
  • 02/08/2020
  • 2/08/2020

Data Type: USA Social Security Number
Format:
  • XXX-XX-XXXX
  • XXX XX XXXX
  • XXX.XX.XXXX
  • XXXXXXXXX
  A space, dashes (-), and period (.) are supported separators.
Example:
  • 123-45-6789
  • 123 45 6789
  • 123.45.6789
  • 123456789

Data Type: Country Name
Format:
  • Country full name
  • Country name abbreviation
  An Exact Match is performed for a country name.
Example: US, USA, United States, United States of America, The United States of America

Data Type: First Name, Last Name, Middle Name, Full Name
Format: Uppercase and lowercase.
Example: Bill, bill, Bill’s, bill’s, Bill Smith, bill smith, Bill Smith’s, bill smith’s

Data Type: Medical Record Number
Format: An Exact Match is performed for a Medical Record Number.
Example: N/A

Data Type: Member ID, Reward ID
Format: An Exact Match is performed for a Medical Record Number.
Example: N/A

Data Type: Alphanumeric, Alphabet
Format: Numbers, uppercase, and lowercase letters.
Example: ABCDEFG, abcdefg, AB123CG, AB123cdab123cd

Data Type: USA Driver License
Format: Alphanumeric.
Example: E1234567, e1234567

Data Type: Email
Format: RFC5322—<emailprefix>@<emaildomain>
Example: bill@business.com, BILL@BUSINESS.COM, BILL@business.com, bill@BUSINESS.com

Data Type: Bank Routing Number, Bank Account Number
Format: An Exact Match is performed for a bank routing number and bank account number.
Example: N/A

Data Type: IP Address (IPv4 and IPv6)
Format: An Exact Match is performed for an IPv4 and IPv6 IP address.
Example: N/A

Data Type: Numbers
Format: An Exact Match is performed for all numbers. A positive signed integer (+) is removed
  and treated the same as a nonsigned integer. A negative signed integer (-) isn’t removed, to
  differentiate between positive and negative signed integers.
Example:
  • SI Numbers - 1234, +1234, or -1234
  • Formatted Numbers—9.00
  • Indian Number System—12, 34, 567.89

Data Type: Phone Number
Format: Ten-digit US phone number format only. Country code, parentheses, dash, space, and
  dots are removed.
Example: 8001234567, (800)1234567, 1.800.123.4567, +1 (800)123-4567, 1 800 123 4567,
  +1 800 123 4567, +1 800 123-4567, 1-800-123-4567, 1 (800) 123-4567, (800)123-4567,
  (800) 123 4567, 800-123-4567

Data Type: UUID
Format: RFC4122—32 hexadecimal (base-16) digits. If you’re using hyphens, the total is 36
  digits.
Example: 123e4567e89b12d3a45642661417400, 123e4567-e89b-12d3-a456-42661417400

Data Type: Credit Card
Format: Between 13 to 23 digits including dashes.
Example: 4739-5402-9061-0638, 4739540290610638
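An added Python model (not the EDM CLI app's implementation) of the matching rules this section and the table above describe: each cell is normalized according to its data type, hashed with SHA-256 and Base64-encoded, and inspected text is reported only when two fields of the same row occur within the 100-character proximity window from the EDM overview. The data set is constructed, the hash input layout is this example's assumption, and "exact" is this example's label for the column types the table lists as Exact Match only.

```python
import base64
import hashlib
import re

# Proximity window from the EDM overview: fields of one row must appear within 100 characters.
PROXIMITY_CHARS = 100
# Documented SSN shape XXX-XX-XXXX with its supported separators (space, dash, period).
SSN_FORMATTED = re.compile(r"^\d{3}[-. ]\d{2}[-. ]\d{4}$")


def normalize(data_type, value):
    """Canonical form of one cell for the data types whose formatting the table documents.

    Returns (canonical, formatted). formatted=True means the value followed a documented
    shape, so other spellings of it can match; False means only an exact match is possible."""
    v = value.strip()
    if data_type == "ssn":
        if SSN_FORMATTED.match(v):
            return re.sub(r"[-. ]", "", v), True   # 456-12-7890, 456 12 7890, 456.12.7890
        return v, False                            # 456127890 is matched exactly
    if data_type == "name":
        return re.sub(r"[’']s$", "", v.lower()), True  # Bill, bill, Bill's, bill's
    if data_type == "phone":
        digits = re.sub(r"\D", "", v)              # drop +, parentheses, dashes, spaces, dots
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]                    # +1 (800)123-4567 -> 8001234567
        if len(digits) == 10:
            return digits, True
        return v, False
    if data_type == "number":
        return (v[1:] if v.startswith("+") else v), True  # +1234 -> 1234; -1234 keeps its sign
    return v, False          # "exact" and any other type: account numbers, MRNs, IP addresses


def field_hash(data_type, value):
    """One-way SHA-256 hash of a cell, Base64-encoded as the guide describes for the EDM CLI app.

    The hash input layout is this example's assumption; the app's real scheme is not published."""
    canonical, formatted = normalize(data_type, value)
    material = f"{data_type}|{int(formatted)}|{canonical}".encode("utf-8")
    return base64.b64encode(hashlib.sha256(material).digest()).decode("ascii")


def build_index(columns, rows):
    """Map each hashed cell to the (row id, column name) pairs it came from."""
    index = {}
    for row_id, row in enumerate(rows):
        for (column, data_type), cell in zip(columns, row):
            index.setdefault(field_hash(data_type, cell), []).append((row_id, column))
    return index


def scan(text, columns, index, proximity=PROXIMITY_CHARS):
    """Return the ids of rows detected in text.

    A row is detected only when at least two different columns of that row occur within
    `proximity` characters of each other, as in the guide's Smith / 22334455 example."""
    data_types = {data_type for _, data_type in columns}
    hits = {}                                      # row_id -> [(position, column)]
    for m in re.finditer(r"\S+", text):
        token = m.group().strip(",;:()\"").rstrip(".")
        for data_type in data_types:
            for row_id, column in index.get(field_hash(data_type, token), []):
                hits.setdefault(row_id, []).append((m.start(), column))
    detected = set()
    for row_id, found in hits.items():
        for pos_a, col_a in found:
            for pos_b, col_b in found:
                if col_a != col_b and abs(pos_a - pos_b) <= proximity:
                    detected.add(row_id)
    return sorted(detected)


# Constructed data set (not from the guide).
COLUMNS = (("FName", "name"), ("LName", "name"), ("SSN", "ssn"),
           ("BankAccNum", "exact"), ("Phone", "phone"))
ROWS = (
    ("Bill", "Smith", "123-45-6789", "22334455", "+1 (800)123-4567"),
    ("Ann", "Jones", "456127890", "99887766", "8005551212"),
)
INDEX = build_index(COLUMNS, ROWS)   # only hashes leave the preparation step, never raw cells

if __name__ == "__main__":
    for sample in (
        "Wire for Smith, account 22334455 cleared yesterday.",   # row 0: two fields, close
        "Employee 123.45.6789 updated her address.",             # one field only: no detection
        "Jones 456-12-7890 was hired.",                          # unformatted SSN: exact only
        "Smith " + "x" * 120 + " 22334455",                      # beyond the 100-character window
    ):
        print(scan(sample, COLUMNS, INDEX), sample[:40])
```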


Set Up the EDM CLI App


The Exact Data Matching (EDM) CLI app is a secure CLI tool used to upload hash encrypted EDM
data sets to Enterprise Data Loss Prevention (E-DLP). The EDM CLI app accepts a source file
in CSV or TSV format. The EDM CLI app then generates an encrypted hash EDM data set with
AES-256 encryption of the source file and saves it as a zip file that you can upload to Enterprise
DLP. The EDM CLI app applies a one-way hash to each field in the CSV or TSV file that is then
encoded in Base64. After securing the file, the EDM CLI app generates a zip file containing the
secured data set.
The EDM CLI app is supported on Microsoft Windows and Linux operating systems such as
Ubuntu, Debian, and CentOS.
The EDM CLI app is downloaded from Strata Cloud Manager and includes the following:
• README.TXT—Quick overview of the EDM CLI app functionality, including descriptions of
data types and column values.
• edm-secure-cli-<version>.jar—The executable Java app.
• config.properties—Configuration file you can prepopulate to upload a file to Enterprise DLP.
• upload_config.properties—Configuration file for the connectivity settings to connect to
Enterprise DLP.
• lib—Directory containing all the dependency libraries required by the EDM Secure CLI app.
• log4j2.xml—Configuration file for debugging and logging.
• sample_dataset.csv—Sample CSV file you can use as a template for upload to Enterprise DLP.

• (Windows) edm-secure-cli.bat—Windows batch file used to create and upload an EDM data set
to Enterprise DLP.
• (Linux) edm-secure-cli.sh—Bash script used to create and upload an EDM data set to Enterprise
DLP.
STEP 1 | Review the setup prerequisites for Enterprise DLP before you set up the EDM CLI app.
Allow the required FQDNs and IP addresses listed here to successfully upload EDM data sets
and forward traffic to Enterprise DLP for inspection.

STEP 2 | Deploy the device you will use to upload EDM data sets to Enterprise DLP.
You can upload EDM data sets to Enterprise DLP using any physical or virtual device running a
Windows or Linux operating system.

If you plan to deploy a dedicated virtual machine to upload EDM data sets to
Enterprise DLP, Palo Alto Networks recommends you allocate a minimum of four CPUs
and 8 GB memory to the virtual machine.

STEP 3 | Log in to Strata Cloud Manager.

STEP 4 | Enable Exact Data Matching (EDM).

It might take up to 24 hours for Palo Alto Networks to enable EDM functionality.
Continue to the next step after Palo Alto Networks has enabled EDM. You can verify
that EDM is enabled when you have the ability to download the EDM CLI app to your
local device.


STEP 5 | Download the EDM CLI app.


The entire contents of the EDM CLI app are downloaded as a .zip file.
1. Select Manage > Configuration > Data Loss Prevention > Detection Methods > Exact
Data Matching and expand the EDM Setup Guide.
2. Click Download EDM Tool and Download the latest version of the EDM CLI app.
• Select Windows 64-bit if you’re installing the EDM CLI app on a Microsoft
Windows device.
• Select Linux 64-bit if you're installing the EDM CLI app on a Linux device.
• Select and download the latest EDM CLI version available.
Download version 3.5 or later to upload EDM data sets in an air-gapped
environment.

If you use an older unsupported version of the CLI, the CLI will display an
error message: Please use the latest version of cli tool.
Latest version: <latest-version>.

STEP 6 | (Optional) Create a new folder for EDM on your local device.
The EDM CLI app generates secured versions of all EDM data sets uploaded to Enterprise DLP
and logs for EDM CLI app activity. As a best practice, create a folder just for the EDM CLI app
so that all EDM-specific files are kept in a single folder.
Refer to the documentation for Microsoft Windows or your specific Linux OS for more
information on creating a new folder.

STEP 7 | Extract the EDM zip file contents.


1. On your local device, navigate to the downloaded package-edm-secure-cli-
<version>-<platform>.zip file.
2. Right-click the package-edm-secure-cli-<version>-<platform>.zip file and
click Extract To.
3. Select a folder and Extract.
(Best Practices) Select the folder you created for your EDM CLI app files.


STEP 8 | Verify the extracted .zip file contains all the required EDM CLI app files.

STEP 9 | Install Java on your local device.


The EDM CLI app requires a 64-bit Java version, such as JDK 64-Bit, to run.
1. Open the terminal and view the Java version currently installed.

admin: java -version

2. Install the latest version of Java.


Skip this step if you already have a 64-bit Java version, such as JDK 64-Bit, installed.
Refer to the Microsoft Windows or your Linux OS documentation for the command to
install the latest version of Java.

STEP 10 | (Linux only) Make the EDM CLI app script readable, writable, and executable.
1. Navigate to the directory where you extracted the EDM CLI app .zip contents.
In this example, we extracted the package-edm-secure-cli-<version>-
<platform>.zip contents to the EDM directory.
2. Make the EDM CLI app script readable, writable, and executable.

admin: chmod 777 ./edm-secure-cli.sh

STEP 11 | Configure EDM CLI App Connectivity to Enterprise DLP.

Configure EDM CLI App Connectivity to Enterprise DLP


To configure connectivity to Enterprise Data Loss Prevention (E-DLP), you must create an
access token and then configure the upload_config.properties file included with
the EDM CLI app. The access token you create is how Enterprise DLP authenticates you
and understands which DLP user is uploading an EDM data set to Enterprise DLP. If you
use a proxy server to connect to the internet, you must enter the proxy server details in the
upload_config.properties file as well to successfully upload an EDM data set.


STEP 1 | Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to recover
a lost Client Secret.

• Enterprise DLP uses the Client ID and Client Secret to authenticate and connect
the EDM CLI app.
When you create the Service Account, the Client ID and Client Secret are displayed
in the Client Credentials. You can manually copy the Client Credentials or Download CSV
File to download the Client Credentials in plaintext locally to your device.

• You must assign a role to the service account to upload EDM data sets to Enterprise DLP.
EDM data set uploads fail if the service account does not have a role assigned with write
access privileges to Enterprise DLP.
You can assign any predefined role on Strata Cloud Manager or a predefined or custom role
specific to the Enterprise DLP app on Strata Cloud Manager.

If you're creating a service account only for EDM data set uploads, Palo Alto
Networks recommends assigning the DLP Policy Administrator role for the
Enterprise DLP app. The service account uploading EDM data sets to Enterprise
DLP requires write privileges to successfully upload.

STEP 2 | Set Up the EDM CLI App.

Download EDM CLI app version 3.0 or later to upload an EDM data set to a
TSG-supported tenant.
Download EDM CLI app version 3.5 or later to create an encrypted EDM data set in
an air-gapped environment.


STEP 3 | On the local device where you downloaded the EDM CLI app, navigate to and open the
upload configuration file.
The EDM CLI app bundles the upload configuration file with the package-edm-secure-
cli-<version>-<platform>.zip file contents you extracted when you set up the EDM
CLI app.
The name of the upload configuration file for the Linux and Windows versions of the EDM CLI
displays as:
• Linux—upload_config.properties
• Windows—upload_config


STEP 4 | Configure the upload configuration file to enable connectivity to Enterprise DLP.
• EDM CLI App Version 3.0
1. In the have_access_token_refresh_token field, enter no.
2. Add the client_id and client_secret.
3. (Proxy server only) Configure the proxy server settings.
Skip this step if you don't require a proxy server for the local device to connect to the
internet.
• Specify whether the local device uploading the EDM data set to Enterprise DLP
requires a proxy server to connect to the internet.
If you don't require a proxy server, enter no (default).
If you require a proxy server, enter yes.
• Enter the proxy_host_name and proxy_port_number.
• Enter the proxy_user_name and proxy_password.
4. Enter the dataset_name for the EDM data set you want to upload. Enterprise DLP
uses the data set name entered here in Strata Cloud Manager for the uploaded EDM
data set.
5. Save the changes to the upload configuration file.

• EDM CLI App Version 3.1 and Later


1. In the have_access_token_refresh_token field, enter no.
2. Add the client_id and client_secret.
3. (Proxy server only) Configure the proxy server settings.
Skip this step if you don't require a proxy server for the local device to connect to the
internet.
• Specify whether the local device uploading the EDM data set to Enterprise DLP
requires a proxy server to connect to the internet.
If you don't require a proxy server, enter no (default).
If you require a proxy server, enter yes.
• Enter the proxy_host_name and proxy_port_number.
• Enter the proxy_user_name and proxy_password.
4. Enter the dataset_name for the EDM data set you want to upload. Enterprise DLP
uses the data set name entered here in Strata Cloud Manager for the uploaded EDM
data set.
5. (FedRAMP only) Configure the FedRAMP settings.
Skip this step if not uploading to a FedRAMP Enterprise DLP environment.
• In the fed_ramp field, enter yes if uploading an EDM data set to a FedRAMP
Enterprise DLP environment.
• In the fed_ramp_level field, enter the FedRAMP impact level (moderate or high).
6. Save the changes to the upload configuration file.

STEP 5 | (Air-gapped Environments only) Create the environment.properties file to instruct the
EDM CLI app to skip checking for a connection to Enterprise DLP.

Requires EDM CLI app version 3.5 or later.

By default, the EDM CLI app connects to Enterprise DLP each time you create an
encrypted EDM data set to verify the CLI app version. Encrypted EDM data set
creation fails when running an unsupported EDM CLI app version or if the EDM CLI
app can't connect to Enterprise DLP.
EDM CLI app version 3.5 and later checks for the existence of the
environment.properties file every time you create an encrypted EDM
data set. The environment.properties file instructs the EDM CLI app to skip
connecting to Enterprise DLP so that you can create the encrypted EDM data set.

1. In the same folder as your other EDM CLI app config files, create a new
configuration file with the exact file name provided below.
environment.properties
2. Enter the following:
skip_dlp_api_call_for_create_cmd=true
3. Save the changes to the environment.properties file.


STEP 6 | Create and upload your EDM data sets to Enterprise DLP.
• Upload an Encrypted EDM Data Set to Enterprise DLP Using a Configuration File
• Create and Upload an Encrypted EDM Data to Enterprise DLP in Interactive Mode

Upload an Encrypted EDM Data Set to Enterprise DLP Using a Configuration File


You can use the Exact Data Matching (EDM) CLI app with a configuration file to create and
upload an encrypted EDM data set as two individual jobs, or to create and upload an encrypted
EDM data set in a single job.
The EDM CLI app first hashes the data set using the SHA256 hash function when you initiate an
EDM data set upload. The EDM CLI app then encrypts the EDM data set using AES symmetric
encryption before beginning the EDM data set upload to the Enterprise DLP EDM data set
storage bucket. The raw data in your EDM data sets never leaves your organization's network,
and Enterprise DLP does not store or have access to the raw EDM data set data. Enterprise DLP
stores only hashed and encrypted EDM data set data in the EDM data set storage bucket.
• Create an Encrypted EDM Data Set Using a Configuration File
• Upload an Encrypted EDM Data Set to Enterprise DLP
• Create and Upload an Encrypted EDM Data Set Using a Configuration File


Create an Encrypted EDM Data Set Using a Configuration File

Create an encrypted hash Exact Data Matching (EDM) data set using a configuration file included
with the EDM CLI app. The configuration file allows you to configure the file parameters for
upload ahead of time rather than manually entering each parameter at the time of creation. You
can also quickly update an existing EDM data set on Enterprise DLP when you configure the
config.properties and upload_config.properties files.
STEP 1 | Set Up the EDM CLI App.

STEP 2 | Configure EDM CLI App Connectivity to Enterprise DLP.


In the upload_config.properties file, you must enter a unique data set name for the EDM
data set you want to create as the dataset_name. Upload to Enterprise DLP fails if you
upload an EDM data set with a data set name that already exists.

STEP 3 | Review the Supported EDM Data Set Formats and prepare the EDM data set you want to
create.

STEP 4 | Navigate to the package-edm-secure-cli-<version>-<platform> directory and
open the config.properties file.


STEP 5 | Configure the EDM data set upload parameters.


1. Enter the path of the EDM data set for upload.
2. Enter the delimiter used to specify boundaries between values in the EDM data set.
The “,” and tab (\t) delimiters are supported for EDM data set uploads. An EDM data set
can only use one delimiter.
3. Enter the EDM data set encoding method.
4. Enter the error threshold percentage for the EDM data set.
A secured version of the EDM data set isn't created if Enterprise DLP encounters errors
exceeding the specified error threshold percentage.
5. Specify whether the EDM data set has a header row.
Enter true if the EDM data set includes a header row.
Enter false if the EDM data set does not include a header row.
6. Specify whether to allow uploads of EDM data sets that include empty or blank cells.
Enter true to allow rows that include empty or blank cells in an EDM data set.
Enter false to reject rows that include empty or blank cells in an EDM data set.
7. Specify whether the EDM CLI app should abort the EDM data set upload if the EDM
data set includes more than the maximum number of cells supported.
Enter true to upload the maximum number of data set cells supported.
Enter false to abort the EDM CLI app if the EDM data set has more than the maximum
number of data set cells supported.

8. Map your columns using the supported Data Types Value to accurately map each
column in your EDM data set to a specific Data Type.
Refer to the README.txt file packaged with the EDM CLI app for the table to map your
EDM data set columns to the correct Data Type value.

When you create an advanced data profile on Strata Cloud Manager, you’re
required to add at least one column where the column values occur up to 12
times in the selected EDM data set for the Primary Field.
When mapping your columns to a specific Data Type, be sure to include at
least one column with up to 12 occurrences across the entire EDM data set.
Otherwise, Enterprise DLP is unable to match traffic against the EDM data
profile you create using this EDM data set.


9. Select File and Save the configuration file.

STEP 6 | Create the encrypted EDM data set for Enterprise DLP.


1. Open a terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI app is located.
2. Create the encrypted EDM data set.
• Windows

admin: edm-secure-cli.bat create

• Linux

admin: ./edm-secure-cli.sh create

Entering this command creates a secured copy of the EDM data set in the package-
edm-secure-cli-<version>-<platform> directory.
3. Verify that the EDM data set uploaded successfully to Enterprise DLP.
The EDM CLI app displays a progress bar and success message to notify you whether the
upload is successful.

STEP 7 | Verify that the EDM CLI app successfully created the encrypted EDM data set.
The EDM CLI app only supports the upload of the encrypted EDM data sets it creates to the
DLP cloud service.
The EDM CLI app creates a secured copy of the EDM data set in the package-edm-secure-
cli-<version>-<platform> directory. In the directory, the EDM CLI app creates a new
folder with the name of the EDM data set appended with the date and time it was created.
Inside this folder is the encrypted output.zip file containing your EDM data set that is
uploaded to the DLP cloud service.


STEP 8 | (Air-gapped Environments only) Transfer the encrypted EDM data set created in the
previous step to an internet-connected device.
Enterprise DLP requires an internet connection to upload an EDM data set. If you generated
the encrypted EDM data set on an air-gapped device, you must first transfer it to an internet-
connected device before you can upload the EDM data set to Enterprise DLP.
You can transfer the entire folder containing the encrypted EDM data set or transfer just the
encrypted EDM data set .zip file contained within it.

STEP 9 | Upload an Encrypted EDM Data Set to Enterprise DLP.
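The upload parameters configured in Step 5 (delimiter, header row, blank cells, error threshold, and the rule that at least one column must have values occurring at most 12 times so it can serve as the Primary Field) can be checked locally before running edm-secure-cli, so that a failed create or upload is caught early. The following pre-flight checker is an added example written for this guide; it is not part of the EDM CLI app, and its parameter names (delimiter, has_header, allow_blank_cells, error_threshold_pct) are this example's own rather than the keys used in config.properties. Its row-rejection rules approximate the behaviour described above; the sample records are constructed.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass, field

# Values below come from the procedure above; the parameter names are this
# example's own and are not the keys used in config.properties.
SUPPORTED_DELIMITERS = (",", "\t")
MAX_PRIMARY_FIELD_OCCURRENCES = 12


@dataclass
class UploadParams:
    delimiter: str = ","
    has_header: bool = True
    allow_blank_cells: bool = False
    error_threshold_pct: float = 5.0


@dataclass
class Report:
    total_rows: int = 0
    rejected_rows: int = 0
    error_pct: float = 0.0
    primary_field_candidates: list = field(default_factory=list)
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_edm_data_set(text: str, params: UploadParams) -> Report:
    """Apply the upload rules from the procedure to a CSV/TSV body."""
    report = Report()
    if params.delimiter not in SUPPORTED_DELIMITERS:
        report.problems.append(f"unsupported delimiter {params.delimiter!r}; use ',' or tab")
        return report

    rows = list(csv.reader(io.StringIO(text), delimiter=params.delimiter))
    header = rows.pop(0) if params.has_header and rows else None
    if not rows:
        report.problems.append("no data rows found")
        return report

    width = len(header) if header else len(rows[0])
    kept = []
    for row in rows:
        # A row that cannot be mapped column-by-column to a Data Type is an error.
        if len(row) != width:
            report.rejected_rows += 1
            continue
        # Blank cells are rejected unless the upload parameter allows them.
        if not params.allow_blank_cells and any(c.strip() == "" for c in row):
            report.rejected_rows += 1
            continue
        kept.append(row)

    report.total_rows = len(rows)
    report.error_pct = 100.0 * report.rejected_rows / len(rows)
    if report.error_pct > params.error_threshold_pct:
        report.problems.append(
            f"{report.error_pct:.1f}% of rows rejected, above the "
            f"{params.error_threshold_pct}% error threshold; no encrypted data set would be created"
        )

    # Primary Field rule: at least one column whose values each occur at most
    # 12 times across the whole data set, otherwise no traffic can match.
    for col in range(width):
        counts = Counter(r[col] for r in kept if r[col].strip())
        if counts and max(counts.values()) <= MAX_PRIMARY_FIELD_OCCURRENCES:
            report.primary_field_candidates.append(header[col] if header else f"column {col}")
    if not report.primary_field_candidates:
        report.problems.append(
            "no column qualifies as a Primary Field (every column has a value repeated more than 12 times)"
        )
    return report


def constructed_sample(n_rows: int = 20) -> str:
    """Constructed sample data set (fake records); every tenth row has a blank e-mail."""
    lines = ["employee_id,email,department"]
    for i in range(n_rows):
        email = "" if i % 10 == 0 else f"user{i}@example.com"
        lines.append(f"{1000 + i},{email},finance")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = check_edm_data_set(constructed_sample(), UploadParams())
    print(f"rows={result.total_rows} rejected={result.rejected_rows} error={result.error_pct:.1f}%")
    print("primary field candidates:", result.primary_field_candidates)
    for problem in result.problems:
        print("problem:", problem)
```

In the constructed sample, the department column repeats one value across every row, so it can never be the Primary Field, while employee_id and email qualify; two blank rows out of twenty give a 10% error rate, which the default 5% threshold rejects and a 15% threshold accepts. Run the same file through the checker with the tab delimiter when the data set is a TSV.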

Upload an Encrypted EDM Data Set to Enterprise DLP


Upload encrypted Exact Data Matching (EDM) data sets to the Enterprise Data Loss Prevention
(E-DLP) cloud service using the EDM CLI app. The EDM CLI app supports a single EDM data set
upload at a time.
STEP 1 | Create an encrypted EDM data set.
• Create an Encrypted EDM Data Set Using a Configuration File
• Create an Encrypted EDM Data Set in Interactive mode
Enter n when prompted to deny uploading to the DLP cloud service to create the encrypted
EDM data set.


STEP 2 | Configure EDM CLI App Connectivity to Enterprise DLP if not already configured.
If you’ve already configured the upload_config.properties file, navigate to
the package-edm-secure-cli-<version>-<platform> directory where the
upload_config.properties is located to modify the dataset_name value for the
encrypted EDM data set you want to upload.

STEP 3 | Obtain the path for the encrypted EDM data set you created.
In the package-edm-secure-cli-<version>-<platform> directory, open the folder
containing the EDM data set and right-click the output.zip file to view the Properties. Copy
the file Location.

STEP 4 | Open the terminal and navigate to the package-edm-secure-cli-<version>-<platform>
directory where the EDM CLI app is located.

STEP 5 | Upload the encrypted EDM data set to the DLP cloud service.
• Windows

admin: edm-secure-cli.bat upload --dataset-zip-file <output.zip-file-location>

• Linux

admin: ./edm-secure-cli.sh upload --dataset-zip-file <output.zip-file-location>

STEP 6 | Verify that the EDM data set uploaded successfully to Enterprise DLP.
The EDM CLI app displays a progress bar and success message to notify you whether the
upload is successful.

During the upload process, the EDM CLI app connects to Enterprise DLP to verify that
you created the output.zip file using a supported EDM CLI app version. The upload
to Enterprise DLP fails if you created the output.zip file using an unsupported EDM
CLI app version.

STEP 7 | Monitor the upload status of the EDM data set.

The time it takes for an EDM data set uploaded to Enterprise DLP to be available on Strata
Cloud Manager depends on the EDM data set size and internet connectivity speed. For
example, a 4GB EDM data set upload typically takes about 30 minutes to display on Strata
Cloud Manager and be usable in an advanced data profile.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Detection Methods > Exact
Data Matching.
3. The EDM data set upload is complete when the Indexing Status column displays
Complete.

Create and Upload an Encrypted EDM Data Set Using a Configuration File



Create and upload an encrypted hash Exact Data Matching (EDM) data set using a configuration
file included with the EDM CLI app. The configuration file allows you to configure the upload
parameters for upload ahead of time rather than manually entering each parameter at the time
of upload. You can also quickly update an existing EDM data set on Enterprise DLP when you
configure the config.properties and upload_config.properties files.
STEP 1 | Set Up the EDM CLI App.

STEP 2 | Configure EDM CLI App Connectivity to Enterprise DLP.


In the upload_config.properties file, you must enter a unique data set name for the EDM
data set you want to create and upload as the dataset_name. Upload to Enterprise DLP fails
if you upload an EDM data set with a data set name that already exists.

STEP 3 | Review the Supported EDM Data Set Formats and prepare the EDM data set for upload to
Enterprise DLP.

STEP 4 | Navigate to the package-edm-secure-cli-<version>-<platform> directory and
open the config.properties file.


STEP 5 | Configure the EDM data set upload parameters.


1. Enter the path of the EDM data set for upload.
2. Enter the delimiter used to specify boundaries between values in the EDM data set.
Enterprise DLP supports the “,” and tab (\t) delimiters for EDM data set uploads. An
EDM data set can only use one delimiter.
3. Enter the EDM data set encoding method.
4. Enter the error threshold percentage for the EDM data set.
The EDM CLI app does not create an encrypted version of the EDM data set if it
encounters errors exceeding the specified error threshold percentage.
5. Specify whether the EDM data set has a header row.
Enter true if the EDM data set includes a header row.
Enter false if the EDM data set does not include a header row.
6. Specify whether to allow uploads of EDM data sets that include empty or blank cells.
Enter true to allow rows that include empty or blank cells in an EDM data set.
Enter false to reject rows that include empty or blank cells in an EDM data set.
7. Specify whether the EDM CLI app should abort the EDM data set upload if the EDM
data set includes more than the maximum number of cells supported.
Enter true to upload the maximum number of data set cells supported.
Enter false to abort the EDM CLI app if the EDM data set has more than the maximum
number of data set cells supported.

8. Map your columns using the supported Data Types Value to accurately map each
column in your EDM data set to a specific Data Type.
Refer to the README.txt file packaged with the EDM CLI app for the table to map your
EDM data set columns to the correct Data Type value.

When you create an advanced data profile on Strata Cloud Manager, you’re
required to add at least one column where the column values occur up to 12
times in the selected EDM data set for the Primary Field.
When mapping your columns to a specific Data Type, be sure to include at
least one column with up to 12 occurrences across the entire EDM data set.
Otherwise, Enterprise DLP is unable to match traffic against the EDM data
profile you create using this EDM data set.


9. Select File and Save the configuration file.

STEP 6 | Upload the EDM data set to Enterprise DLP.


1. Open a terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI app is located.
2. Upload the EDM data set to Enterprise DLP.
• Windows

admin: edm-secure-cli.bat create -u

• Linux

admin: ./edm-secure-cli.sh create -u

The EDM CLI app creates a secured copy of the EDM data set and the EDM data set
begins uploading to Enterprise DLP.
3. Verify that the EDM data set uploaded successfully to Enterprise DLP.
The EDM CLI app displays a progress bar and success message to notify you whether the
upload is successful.

During the upload process, the EDM CLI app connects to Enterprise DLP to
verify that you created the output.zip file using a supported EDM CLI app
version. The upload to Enterprise DLP fails if you created the output.zip file
using an unsupported EDM CLI app version.

STEP 7 | Monitor the upload status of the EDM data set.


The time it takes for an EDM data set uploaded to Enterprise DLP to be available on Strata
Cloud Manager depends on the EDM data set size and internet connectivity speed. For
example, a 4GB EDM data set upload typically takes about 30 minutes to display on Strata
Cloud Manager and be usable in an advanced data profile.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Detection Methods > Exact
Data Matching.
3. The EDM data set upload is complete when the Indexing Status column displays
Complete.

Create and Upload an Encrypted EDM Data to Enterprise DLP in Interactive Mode

Upload an encrypted hash Exact Data Matching (EDM) data set to Enterprise DLP using the EDM
CLI app in Interactive mode to successfully create an EDM filtering profile. In Interactive Mode,
you must specify the EDM data set path for upload and configure the upload parameters directly
through the EDM CLI app.


The EDM CLI App first hashes the data set using the SHA256 hash function when you initiate an
EDM data set upload. The EDM CLI App then encrypts the EDM data set using AES Symmetric
encryption before beginning the EDM data set upload to the Enterprise DLP EDM data set
storage bucket. The raw data in your EDM data sets never leave your organization's network,
and Enterprise DLP does not store or have access to the raw EDM data set data. Enterprise DLP
stores only hashed and encrypted EDM data set data in the EDM data set storage bucket.
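To make the hashing step described above concrete, the following is an added Python illustration, not the EDM CLI app's own code: this page does not describe the app's exact canonicalization rules, any salting, or the output.zip layout, and the AES encryption applied before upload is left out here. It shows the property the paragraph relies on: an index built from SHA-256 digests of the data set cells lets scanned content be matched against the data set while the index itself never holds a raw value. The column names, records, and the normalize() rule are this example's own constructions.

```python
import hashlib
import re


def normalize(value: str) -> str:
    """Toy canonicalization for this example; the app's own rules are not described on this page."""
    return value.strip().lower()


def hash_cell(value: str) -> str:
    """SHA-256 hex digest of a normalized cell value."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def build_hashed_index(columns, rows):
    """Hash every non-blank cell so the index holds digests only, never raw values."""
    index = {name: set() for name in columns}
    for row in rows:
        for name, cell in zip(columns, row):
            if cell.strip():
                index[name].add(hash_cell(cell))
    return index


# Tokens that may carry an ID or e-mail address; trailing punctuation is stripped below.
TOKEN_RE = re.compile(r"[\w.@+-]+")


def scan(text, index, primary_field):
    """Return (matched, hits).

    hits maps each column to the sorted tokens whose digest appears in that
    column's digest set; matched is True only when the primary field was hit,
    mirroring the Primary Field requirement described in the procedure.
    """
    hits = {name: set() for name in index}
    for token in TOKEN_RE.findall(text):
        token = token.strip(".,;:")
        if not token:
            continue
        digest = hash_cell(token)
        for name, digests in index.items():
            if digest in digests:
                hits[name].add(token)
    hits = {name: sorted(tokens) for name, tokens in hits.items() if tokens}
    return bool(hits.get(primary_field)), hits


# Constructed sample records (fake values), matching the shape a CSV upload would have.
COLUMNS = ["employee_id", "email", "department"]
ROWS = [[str(1000 + i), f"user{i}@example.com", "finance"] for i in range(20)]
INDEX = build_hashed_index(COLUMNS, ROWS)

if __name__ == "__main__":
    sample_text = "Please reset the account for user3@example.com, id 1003."
    matched, hits = scan(sample_text, INDEX, primary_field="employee_id")
    print("matched:", matched)
    print("hits:", hits)
    print("index holds digests only:", all(len(d) == 64 for d in INDEX["email"]))
```

Two points follow from the toy. First, matching works entirely on digests, which is what lets the service hold no raw values. Second, an unsalted SHA-256 of a low-entropy field (a short numeric ID) is still recoverable by enumerating the value space, so the confidentiality of an uploaded data set rests on the encryption layer and on access control to the storage bucket, not on the hash alone.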
STEP 1 | Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to recover
a lost Client Secret.

Enterprise DLP uses the Client ID and Client Secret to authenticate and connect the
EDM CLI app to Enterprise DLP.
When you create the Service Account, the Client ID and Client Secret are displayed in
the Client Credentials. You can manually copy the Client Credentials or Download CSV File to
download the Client Credentials in plaintext locally to your device.

STEP 2 | Set Up the EDM CLI App.

STEP 3 | Review the Supported EDM Data Set Formats and prepare the EDM data set for upload to
Enterprise DLP.

STEP 4 | Enter Interactive mode in the EDM CLI app to begin the EDM data set upload.
1. Open the terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI app is located.
2. Enter Interactive mode in the EDM CLI app.
• Windows

admin: edm-secure-cli.bat interactive

• Linux

admin: ./edm-secure-cli.sh interactive

Entering this command begins the interactive upload process for EDM data sets to
Enterprise DLP.


STEP 5 | Enter the path of the EDM data set for upload.

STEP 6 | Enter the delimiter used to specify boundaries between values in the EDM data set.
Enterprise DLP supports the “,” and tab (\t) delimiters for CSV or TSV files. The EDM CLI app
uses the delimiter “,” by default. The EDM data set can only use one delimiter.

STEP 7 | Enter the EDM data set file encoding method.

STEP 8 | Enter the error threshold percentage for the EDM data set.
The EDM CLI app does not create an encrypted version of the EDM data set if it encounters
errors exceeding the specified error threshold percentage.

STEP 9 | Specify whether the EDM data set has a header row.

STEP 10 | Specify whether to allow uploads of EDM data sets that include empty or blank cells.
Enter true to allow rows that include empty or blank cells in an EDM data set.
Enter false to reject rows that include empty or blank cells in an EDM data set.

STEP 11 | Specify whether the EDM CLI app should abort the EDM data set upload if the EDM data set
includes more than the maximum number of cells supported.
Enter true to upload the maximum number of data set cells supported.
Enter false to abort the EDM CLI app if the EDM data set has more than the maximum number
of data set cells supported.

STEP 12 | Enter the number of columns in your EDM data set.


Accurately map your CSV or TSV columns to the supported data types to allow Enterprise DLP
to accurately ingest your EDM data set.


STEP 13 | Map your columns using the supported Data Types Value to accurately map each column in
your EDM data set to a specific Data Type.
The EDM CLI app presents a table with each Data Type Name and the corresponding Data
Type Value. You can also view this table in the README.txt file packaged with the EDM CLI
app.

When you create an advanced data profile on Strata Cloud Manager, you’re required
to add at least one column where the column values occur up to 12 times in the
selected EDM data set for the Primary Field.
When mapping your columns to a specific Data Type, be sure to include at least
one column with up to 12 occurrences across the entire EDM data set. Otherwise,
Enterprise DLP is unable to match traffic against the EDM data profile you create
using this EDM data set.

STEP 14 | Specify whether to upload the EDM data set to Enterprise DLP. Enter y to continue
uploading the EDM data set or n to upload the EDM data set later.

Entering n creates a secured copy of the EDM data set in the
package-edm-secure-cli-<version>-<platform> directory for you to review.
You can skip the remaining steps below and Upload an Encrypted EDM Data Set to
Enterprise DLP later.

STEP 15 | Enter y to create a new EDM data set and enter the data set name.

If you enter n and are uploading to Enterprise DLP, you’re still prompted to enter an
EDM data set name. This updates the existing EDM data set you previously uploaded
to Enterprise DLP.


STEP 16 | Specify the authentication mechanism used to upload the EDM data set to Enterprise DLP.
1. When prompted about whether you have an access and refresh token, enter n.
Enterprise DLP requires you to enter the Client ID and Client Secret to upload EDM
data sets.
2. Enter the Client ID and Client Secret.

STEP 17 | (Proxy server only) When prompted, enter y if the local device from which you’re uploading
requires a proxy server to connect to the internet.
You’re required to provide the following information for your proxy server.
• Proxy hostname
• Proxy port number
• Proxy username
• Proxy password

STEP 18 | Enter Y or y to confirm the EDM data set upload configuration is correct and begin uploading
to Enterprise DLP.
The EDM CLI app creates a secured copy of the EDM data set in the
package-edm-secure-cli-<version>-<platform> directory. In the directory, the EDM CLI app
creates a new folder with the name of the EDM data set appended with the date and time the
EDM CLI app created it. This folder contains the encrypted output.zip file of your EDM data set
that you uploaded to Enterprise DLP.
The EDM CLI app displays a progress bar and success message to notify you whether the
upload is successful.

During the upload process, the EDM CLI app connects to Enterprise DLP to verify that
you created the output.zip file using a supported EDM CLI app version. The upload
to Enterprise DLP fails if you created the output.zip file using an unsupported EDM
CLI app version.

STEP 19 | Monitor the upload status of the EDM data set.


The time it takes for an EDM data set uploaded to the DLP cloud service to be available on Strata
Cloud Manager depends on the EDM data set size and internet connectivity speed. For
example, a 4GB EDM data set upload typically takes about 30 minutes to display on Strata
Cloud Manager and be usable in an advanced data profile.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Detection Methods > Exact
Data Matching.
3. The EDM data set upload is complete when the Indexing Status column displays
Complete.

Update an Existing EDM Data Set on Enterprise DLP



Update an existing Exact Data Match (EDM) data set you already uploaded to Enterprise
DLP. To quickly update an existing EDM data set on Enterprise DLP, configure the
upload_config.properties and config.properties files. To update an existing EDM
data set, you must upload the entire encrypted EDM data set to Enterprise DLP. Updating an
existing data set on Enterprise DLP overwrites the existing data set with the same data set name.


If you prefer using Interactive mode to upload an EDM data set to Enterprise DLP, see Create and
Upload an Encrypted EDM Data to Enterprise DLP in Interactive Mode for more information. You
must still go through the Interactive mode upload process, but you must enter n when prompted
whether to create a new EDM data set on Enterprise DLP.
STEP 1 | On the local device where you downloaded the EDM CLI app, navigate to and open the
upload_config.properties file.
The EDM CLI app bundles the upload_config.properties file in the
package-edm-secure-cli-<version>-<platform>.zip file you extracted when you set up the EDM
CLI app.

STEP 2 | Edit the upload_config.properties file.


1. Enter the dataset_name of the existing EDM data set on Enterprise DLP you want to
update.
2. Save the changes to the upload_config.properties file.


STEP 3 | Modify the config.properties file.


1. Navigate to the package-edm-secure-cli-<version>-<platform> directory
and open the config.properties file.
2. For the data_file_path field, enter the path of the EDM data set that you want to
update in Enterprise DLP.
3. Modify the rest of the config.properties file as needed.
See Create an Encrypted EDM Data Set Using a Configuration File for more information.

4. Select File and Save the configuration file.

STEP 4 | Update the EDM data set on Enterprise DLP.


1. Open a terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI app is located.
2. Upload the existing EDM data set to Enterprise DLP.
• Windows

admin: edm-secure-cli.bat update

• Linux

admin: ./edm-secure-cli.sh update

Entering this command creates a secured copy of the EDM data set specified in the
config.properties file and begins uploading to Enterprise DLP.
3. Verify that you successfully uploaded the EDM data set to Enterprise DLP.
The EDM CLI app displays a progress bar and success message to notify you whether
you successfully uploaded the EDM data set or if the upload failed.


Enterprise DLP End User Alerting with Cortex XSOAR



Integrate Enterprise Data Loss Prevention (E-DLP) with Cortex XSOAR to use Enterprise DLP End
User Alerting, granting your team members the ability to self-service temporary exemptions for
file uploads that match your Enterprise DLP data profiles.
• About Enterprise DLP End User Alerting with Cortex XSOAR
• Set Up Enterprise DLP End User Alerting with Cortex XSOAR
• Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR
• View the Enterprise DLP End User Alerting with Cortex XSOAR Response History

About Enterprise DLP End User Alerting with Cortex XSOAR



Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR allows your team
members to understand why a file upload was blocked by Enterprise DLP and enables self-service
temporary exemptions for file uploads that match your Enterprise DLP data profiles. Enterprise
DLP End User Alerting with Cortex XSOAR provides an audit trail to better understand the upload
and response history for every file scanned by the DLP cloud service. Additionally, enabling End
User Alerting with Cortex XSOAR prevents malware-triggered uploads because an affirmative
action is required to request an exemption.
Enterprise DLP End User Alerting with Cortex XSOAR requires integration with the Enterprise
DLP application. You can view responses to file uploads that match your data filtering profiles
and data profiles for supported apps only. For some applications, End User Alerting with Cortex
XSOAR requires IP mapping to email addresses to furnish exemption queries to your team
members. After you successfully integrate Enterprise DLP with Cortex XSOAR and configure
the exemption duration, the team member who uploads a matched file is presented with an
automated message to confirm if the file includes sensitive data that triggers a block verdict from
the DLP cloud service. If the team member responds that the file does contain sensitive data,
they’re given the option to request a temporary exception for the specific file.

If the team member responds that the file doesn’t contain sensitive information, the DLP
cloud service flags the file as a false positive. However, Enterprise DLP continues to block
the file upload.

The Enterprise DLP cloud service preserves the response history for all scanned files after
End User Alerting with Cortex XSOAR is enabled. For example, your team member uploads
file_A.pdf that matches a data profile match criteria. The team member is prompted to
confirm if the file contains sensitive information, to which they answer Yes and request an
exemption. A few days later, the team member uploads file_A.pdf again. This time they’re
only prompted to request an exemption because the DLP cloud service is already aware of the file
response history.


Set Up Enterprise DLP End User Alerting with Cortex XSOAR



Integrate Enterprise Data Loss Prevention (E-DLP) with Cortex XSOAR to use the Enterprise DLP
End User Alerting.
(Slack) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR
and set up automatic Slack alerts, you need to integrate your preferred IP address directory
service to map IP addresses to emails to allow for automatic messages to be sent on Slack. After
integration, you must enable Slack, email send integration, and Enterprise DLP with Cortex
XSOAR. This chain of integration allows the DLP cloud service to automate sending Slack
messages to team members who upload a file that matches your data profiles.
(Microsoft Teams) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with
Cortex XSOAR and set up automatic Microsoft Teams alerts, you need to set up integration with
Microsoft Teams and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud
service to automate sending Microsoft Teams messages to team members who upload a file that
matches your data profiles.
(Email) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR
and set up automatic email alerts, you need to integrate your preferred IP address directory
service and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service
to automate sending email messages to team members who upload a file that matches your data
profiles.
After you successfully integrate Slack, Microsoft Teams, or your Email provider and Enterprise
DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality
on Strata Cloud Manager and configure the End User Alerting settings as needed.

• Slack
• Microsoft Teams
• Email

Slack

STEP 1 | Integrate your preferred IP address directory service using one of the following procedures.
• Integrate AWS - Identity and Access Management
• Integrate MSGraphAzure Users
• Integrate Okta v2
• Integrate PingOne
• Integrate SailPoint IdentityIQ
• Integrate SailPoint IdentityNow

STEP 2 | Enable Slack Integration with XSOAR.

STEP 3 | Enable Mail Send Integration with XSOAR.

STEP 4 | Configure Enterprise DLP authentication.


• Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to
recover a lost Client Secret.

The Client ID and Client Secret are used for authentication.


When you create the Service Account, the Client ID and Client Secret are displayed
in the Client Credentials. You can manually copy the Client Credentials or Download CSV
File to download the Client Credentials in plaintext locally to your device.

• Panorama (Not TSG-enabled)


1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select API and Create Token.
3. Enter a descriptive Token Name and Create the access token.
4. Copy the Access Token and Refresh Token and save them in a secure location.

STEP 5 | Enable Enterprise DLP on Cortex XSOAR.


• Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
1. Add the Client Credentials to Cortex XSOAR.
1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New
credential.
2. Enter a descriptive Credential Name.
3. For the Username, enter the Client ID created in the previous step.
4. For the Password, enter the Client Secret created in the previous step.
5. Save.
2. Select Marketplace > Browse and search for Enterprise DLP.
3. Install the Enterprise DLP content pack.
4. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Click Switch to credentials.
5. Enter the Client Credentials generated in the previous step.
6. Check (enable) Long running instance.
7. (Optional) Modify the automated Slack Bot Message.
8. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.
• Panorama (Not TSG-enabled)
1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
2. Install the Enterprise DLP content pack.
3. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.

3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Add the Access Token and Refresh Token you created in the previous step.
5. Check (enable) Long running instance.
6. (Optional) Modify the automated Slack Bot Message.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.

STEP 6 | Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
1. In Dashboard & Reports, select Playbooks.
2. Select DLP Incident Feedback Loops > Playbook Triggered.
3. Configure the Cortex XSOAR playbook.
• For ApprovalTarget, enter Manager to send an exemption request to the sender's
manager. This information is pulled from your preferred IP address directory service.
• For the UserMessageApp, verify Slack is displayed.
• For the ApproverMessageApp, enter Slack.
• (Optional) For the DenyMessage, enter a custom response that is sent when a file exemption
is denied by the sender's manager.
4. Save.

STEP 7 | Confirm the Cortex XSOAR integration with Enterprise DLP.


• Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR
Integration Setup and check (enable) Confirm the status for XSOAR Integration.
• Panorama (Not TSG-enabled)
1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select Settings and check (enable) Confirm the status for XSOAR Integration.

STEP 8 | Configure the End User Alerting with Cortex XSOAR exemption settings.
1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure the Exemption Duration.
The file that prompted the End User Alerting with Cortex XSOAR notification that was
exempted can be uploaded for the duration of the exemption duration. The default is 12
hours.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure whether to Include Snippets in Message.
You can select Off (default) to not include a snippet of the sensitive data or On to
include a snippet of the sensitive data in the automated message on Slack.

Microsoft Teams

STEP 1 | Set up the prerequisites needed to begin integrating Microsoft Teams with Cortex XSOAR.
1. Integrate your preferred IP address directory service using one of the following procedures.
• Integrate AWS - Identity and Access Management
• Integrate MSGraphAzure Users
• Integrate Okta v2
• Integrate PingOne
• Integrate SailPoint IdentityIQ
• Integrate SailPoint IdentityNow
2. Create the Demisto Bot in Microsoft Teams.
3. Grant the Demisto Bot Permissions in Microsoft Graph.
4. Configure Microsoft Teams on Cortex XSOAR.
5. Add the Demisto Bot to a Team.

STEP 2 | Integrate Microsoft Teams with Cortex XSOAR.


You can use one of the following methods based on your preferences.
• Using Cortex XSOAR Rerouting
• Using NGINX as Reverse Proxy
• Using Apache Reverse Proxy and Cortex XSOAR Engine
• Using Cloudflare

STEP 3 | Configure Enterprise DLP authentication.


• Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to
recover a lost Client Secret.

The Client ID and Client Secret are used for authentication.


When you create the Service Account, the Client ID and Client Secret are displayed
in the Client Credentials. You can manually copy the Client Credentials or Download CSV
File to download the Client Credentials in plaintext locally to your device.

• Panorama (Not TSG-enabled)


1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select API and Create Token.
3. Enter a descriptive Token Name and Create the access token.
4. Copy the Access Token and Refresh Token and save them in a secure location.

STEP 4 | Enable Enterprise DLP on Cortex XSOAR.


• Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
1. Add the Client Credentials to Cortex XSOAR.
1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New
credential.
2. Enter a descriptive Credential Name.
3. For the Username, enter the Client ID created in the previous step.
4. For the Password, enter the Client Secret created in the previous step.
5. Save.
2. Select Marketplace > Browse and search for Enterprise DLP.
3. Install the Enterprise DLP content pack.
4. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Click Switch to credentials.
5. Enter the Client Credentials generated in the previous step.
6. Check (enable) Long running instance.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.
• Panorama (Not TSG-enabled)
1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
2. Install the Enterprise DLP content pack.
3. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.

If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Add the Access Token and Refresh Token you created in the previous step.
5. Check (enable) Long running instance.
6. (Optional) Modify the automated Slack Bot Message.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.

STEP 5 | Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
1. In Dashboard & Reports, select Playbooks.
2. Select DLP Incident Feedback Loops > Playbook Triggered.
3. Configure the Cortex XSOAR playbook.
• For ApprovalTarget, enter Manager to send an exemption request to the sender's
manager. This information is pulled from your preferred IP address directory service.
• For the UserMessageApp, verify Microsoft Teams is displayed.
• For the ApproverMessageApp, enter Microsoft Teams.
• (Optional) For the DenyMessage, enter a custom response that is sent when a file exemption
is denied by the sender's manager.
4. Save.

STEP 6 | Confirm the Cortex XSOAR integration with Enterprise DLP.


• Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR
Integration Setup and check (enable) Confirm the status for XSOAR Integration.
• Panorama (Not TSG-enabled)
1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select Settings and check (enable) Confirm the status for XSOAR Integration.

STEP 7 | Configure the End User Alerting with Cortex XSOAR exemption settings.
1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure the Exemption Duration.
The file that prompted the End User Alerting with Cortex XSOAR notification that was
exempted can be uploaded for the duration of the exemption duration. The default is 12
hours.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure whether to Include Snippets in Message.
You can select Off (default) to not include a snippet of the sensitive data or On to
include a snippet of the sensitive data in the automated message on Microsoft Teams.

Email

STEP 1 | Integrate your preferred IP address directory service using one of the following procedures.
• Integrate AWS - Identity and Access Management
• Integrate MSGraphAzure Users
• Integrate Okta v2
• Integrate PingOne
• Integrate SailPoint IdentityIQ
• Integrate SailPoint IdentityNow

STEP 2 | Configure Enterprise DLP authentication.


• Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to
recover a lost Client Secret.

The Client ID and Client Secret are used for authentication.


When you create the Service Account, the Client ID and Client Secret are displayed
in the Client Credentials. You can manually copy the Client Credentials or Download CSV
File to download the Client Credentials in plaintext locally to your device.

• Panorama (Not TSG-enabled)


1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select API and Create Token.
3. Enter a descriptive Token Name and Create the access token.
4. Copy the Access Token and Refresh Token and save them in a secure location.

STEP 3 | Enable Enterprise DLP on Cortex XSOAR.


• Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
1. Add the Client Credentials to Cortex XSOAR.
1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New
credential.
2. Enter a descriptive Credential Name.
3. For the Username, enter the Client ID created in the previous step.
4. For the Password, enter the Client Secret created in the previous step.
5. Save.
2. Select Marketplace > Browse and search for Enterprise DLP.
3. Install the Enterprise DLP content pack.
4. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Click Switch to credentials.
5. Enter the Client Credentials generated in the previous step.
6. Check (enable) Long running instance.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.
• Panorama (Not TSG-enabled)
1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
2. Install the Enterprise DLP content pack.
3. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.

If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Add the Access Token and Refresh Token you created in the previous step.
5. Check (enable) Long running instance.
6. (Optional) Modify the automated Slack Bot Message.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.

STEP 4 | Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
1. In Dashboard & Reports, select Playbooks.
2. Select DLP Incident Feedback Loops > Playbook Triggered.
3. Configure the Cortex XSOAR playbook.
• For ApprovalTarget, enter Manager to send an exemption request to the sender's
manager. This information is pulled from your preferred IP address directory service.
• For the UserMessageApp, verify Email is displayed.
• For the ApproverMessageApp, enter Email.
• (Optional) For the DenyMessage, enter a custom response that is sent when a file exemption
is denied by the sender's manager.
4. Save.

STEP 5 | Confirm the Cortex XSOAR integration with Enterprise DLP.


• Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR
Integration Setup and check (enable) Confirm the status for XSOAR Integration.
• Panorama (Not TSG-enabled)
1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select Settings and check (enable) Confirm the status for XSOAR Integration.

STEP 6 | Configure the End User Alerting with Cortex XSOAR exemption settings.
1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure the Exemption Duration.
The file that prompted the End User Alerting with Cortex XSOAR notification that was
exempted can be uploaded for the duration of the exemption duration. The default is 12
hours.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure whether to Include Snippets in Message.
You can select Off (default) to not include a snippet of the sensitive data or On to
include a snippet of the sensitive data in the automated email message.

Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR


Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
  Review the Supported Platforms for details on the required license for each enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

After you Set Up Enterprise DLP End User Alerting with Cortex XSOAR and a file upload matches
your data profile, the team member who uploaded the file is automatically alerted on Slack to
confirm whether the file they uploaded contains sensitive information.
The DLP cloud service maintains a response history for all files that trigger End User Alerting with
Cortex XSOAR based on your response.
• Confirmed Sensitive - End user confirmed that Yes, the file contains sensitive data but
No, the end user didn’t request an exemption.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted
to request an exemption.
• Exception Requested - End user confirmed that Yes, the file contains sensitive data and
Yes, the end user requested an exemption.
For all future uploads of the file, end users aren’t prompted to confirm the file contains
sensitive data but are prompted to request an exemption.
• Confirmed False Positive - End user confirmed that No, the file doesn’t contain
sensitive data.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted
to confirm whether the file contains sensitive data.
This procedure assumes you have already created a data profile and have successfully set up
Enterprise DLP End User Alerting with Cortex XSOAR.
STEP 1 | Upload a file containing sensitive data that matches a data profile.

STEP 2 | On Slack, the Enterprise DLP Bot sends an automated message to the team member who
uploaded the file containing sensitive data.
Select Yes to confirm that the uploaded file contains sensitive data and to request an
exemption.
Select No to confirm that the uploaded file doesn’t contain sensitive data and flag the file as
a false positive. If you select No, the file remains blocked for any future upload of the
same file. You will receive confirmation from the Enterprise DLP Bot that your response was
successfully received.

STEP 3 | If you selected Yes and the file contains sensitive information, select Yes when prompted to
request a temporary exemption for the uploaded file.
Select No if you don’t want to request a temporary exemption for the file. The file upload
remains blocked.
Skip this step if you selected No in the previous step and the file doesn’t contain sensitive data.

STEP 4 | The Enterprise DLP Bot confirms that the exemption was granted.
You can now reupload the file as needed for the length of the Exemption Duration.

View the Enterprise DLP End User Alerting with Cortex XSOAR Response History

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
  Review the Supported Platforms for details on the required license for each enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

The Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR response
history provides an audit trail for administrators to understand which end user uploaded a file
containing sensitive data and how they responded to the Enterprise DLP Bot on Slack.
The possible response statuses are:
• Pending Response - The automated Enterprise DLP Bot message was sent and is pending a
response.
• Confirmed Sensitive - End user confirmed that Yes, the file contains sensitive data but
No, the end user didn’t request an exemption.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted
to request an exemption.
• Exception Requested - End user confirmed that Yes, the file contains sensitive data and
Yes, the end user requested an exemption.
For all future uploads of the file, end users aren’t prompted to confirm the file contains
sensitive data but are prompted to request an exemption.
• Confirmed False Positive - End user confirmed that No, the file doesn’t contain
sensitive data.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted
to confirm whether the file contains sensitive data.
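The response statuses above, and the re-upload rules in the "Respond to Blocked Traffic" section, describe a small per-file state machine. The following is an added example that models it (constructed model, not code from the DLP cloud service or the XSOAR content pack); the file names, user names, the T0 timestamp and the method names are assumptions, and the 12-hour default Exemption Duration is the one the guide states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Response statuses as named in the guide.
PENDING_RESPONSE = "Pending Response"
CONFIRMED_SENSITIVE = "Confirmed Sensitive"
EXCEPTION_REQUESTED = "Exception Requested"
CONFIRMED_FALSE_POSITIVE = "Confirmed False Positive"

DEFAULT_EXEMPTION_DURATION = timedelta(hours=12)  # the guide's default Exemption Duration

# Constructed reference time used by the demo and the checks below.
T0 = datetime(2025, 4, 1, 9, 0)
HOUR = timedelta(hours=1)


@dataclass
class FileHistory:
    status: str = PENDING_RESPONSE
    uploader: str = ""
    exemption_granted_at: Optional[datetime] = None


@dataclass(frozen=True)
class UploadDecision:
    blocked: bool
    ask_is_sensitive: bool   # Bot asks whether the file contains sensitive data
    ask_exemption: bool      # Bot asks whether to request a temporary exemption


class ResponseHistory:
    """Constructed model of the per-file response history the DLP cloud service keeps."""

    def __init__(self, exemption_duration: timedelta = DEFAULT_EXEMPTION_DURATION):
        self.exemption_duration = exemption_duration
        self.files: Dict[str, FileHistory] = {}

    def on_matching_upload(self, file_id: str, uploader: str, now: datetime) -> UploadDecision:
        """Decide what happens when a file that matches a data profile is uploaded."""
        rec = self.files.get(file_id)
        if rec is None:
            # First sighting: block, record Pending Response, and send both questions.
            self.files[file_id] = FileHistory(uploader=uploader)
            return UploadDecision(blocked=True, ask_is_sensitive=True, ask_exemption=True)
        granted = rec.exemption_granted_at
        if granted is not None and now - granted <= self.exemption_duration:
            # Inside the Exemption Duration the file may be re-uploaded freely.
            return UploadDecision(blocked=False, ask_is_sensitive=False, ask_exemption=False)
        if rec.status == EXCEPTION_REQUESTED:
            # Already confirmed sensitive: only the exemption question is asked again.
            return UploadDecision(blocked=True, ask_is_sensitive=False, ask_exemption=True)
        # Confirmed Sensitive, Confirmed False Positive and Pending Response all stay
        # blocked without re-prompting the end user.
        return UploadDecision(blocked=True, ask_is_sensitive=False, ask_exemption=False)

    def record_response(self, file_id: str, is_sensitive: bool,
                        wants_exemption: Optional[bool] = None) -> str:
        """Apply the end user's Yes/No answers to the Bot message; return the new status."""
        rec = self.files[file_id]
        if not is_sensitive:
            rec.status = CONFIRMED_FALSE_POSITIVE
        elif wants_exemption:
            rec.status = EXCEPTION_REQUESTED
        else:
            rec.status = CONFIRMED_SENSITIVE
        return rec.status

    def grant_exemption(self, file_id: str, approved_at: datetime) -> None:
        """The ApprovalTarget (the uploader's manager) approved the exemption request."""
        rec = self.files[file_id]
        if rec.status != EXCEPTION_REQUESTED:
            raise ValueError("an exemption can only be granted for an Exception Requested file")
        rec.exemption_granted_at = approved_at


if __name__ == "__main__":
    # Walk through the file_A.pdf scenario from the guide.
    history = ResponseHistory()
    print(history.on_matching_upload("file_A.pdf", "alice", T0))
    print(history.record_response("file_A.pdf", is_sensitive=True, wants_exemption=True))
    history.grant_exemption("file_A.pdf", T0)
    print(history.on_matching_upload("file_A.pdf", "alice", T0 + 2 * HOUR))   # within exemption
    print(history.on_matching_upload("file_A.pdf", "alice", T0 + 72 * HOUR))  # days later
```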
STEP 1 | Log in based on the platform on which you’re using Enterprise DLP.
• Panorama (Next-Gen Firewalls) and Prisma Access (Managed by Panorama) - Log in to the
DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
• Strata Cloud Manager - Log in to Strata Cloud Manager.

STEP 2 | Navigate to the Enterprise DLP Incidents.


• Panorama (Next-Gen Firewalls) and Prisma Access (Managed by Panorama) - In the DLP
app, select Incidents.
• Strata Cloud Manager - Select Manage > Configuration > Data Loss Prevention > DLP
Incidents.

STEP 3 | In the Incidents section, view the Response Status for all file uploads.

You can also Add New Filter to filter Enterprise DLP Incidents based on the Response
Status.

STEP 4 | Click on the File name to view the detailed Response History for that specific file.
The detailed response history includes the team member who uploaded the file and how they
responded to the Enterprise DLP Bot.

Inspection of Contextual Secrets for Chat Applications



Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
  Review the Supported Platforms for details on the required license for each enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

Use Enterprise Data Loss Prevention (E-DLP) to inspect contextual chat messages for chat-based
applications to identify and alert administrators when passwords are shared.
• About Inspection of Contextual Secrets
• Contextual Chat Examples
• Configure SaaS Security to Inspect for Contextual Secrets

About Inspection of Contextual Secrets



Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
  Review the Supported Platforms for details on the required license for each enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

Use Enterprise Data Loss Prevention (E-DLP) to inspect contextual chat messages to monitor
sharing of sensitive passwords over chat-based applications. Enterprise DLP uses contextual
messages to understand instances where a password might have been shared. When Enterprise
DLP detects that a password was shared, a DLP Incident is generated that displays a snippet of
the response containing the password.

Which Chat Applications Are Supported?


The Slack V2 chat application is currently supported for inspection of contextual secrets.

Which Data Patterns and Profiles Detect Passwords?


Data Patterns:
• Predefined Application Credential ML-based data pattern
Data Profiles:
• Predefined Secrets and Credentials data profile
• A data profile containing the Application Credentials data pattern

What Kind of Contextual Messages Are Supported?


Enterprise DLP supports inspection of one contextual message and one immediate response
message containing a password in a private channel or public channel, and includes inspection
of threaded replies. For Enterprise DLP to detect a shared password, the response message
containing the password must be sent within 60 minutes of the contextual message. Review the
Contextual Chat Examples for more information on the types of contextual messages that trigger
inspection by Enterprise DLP.
For example, James asks Justin for a password. At 8:45 AM, Justin responds with the password
James requested. At 10:11 AM, Justin again replies but this time in a threaded response to the
contextual message and shares a second password. In this example, Enterprise DLP is able to
detect and generate a DLP Incident when Justin shares with James the first password at 8:45
AM. However, Enterprise DLP can’t detect the second password Justin shared with James because

Administration April 2025 148 ©2025 Palo Alto Networks, Inc.


Configure Enterprise DLP

the contextual message was already associated with the first response message and the second
threaded response exceeds the 60-minute time limit.

The contextual message, and password shared in response to a contextual message, must be in
text format for Enterprise DLP to detect and generate a DLP Incident. Enterprise DLP can’t detect
if a password was shared in a response to a contextual message if:
• The contextual message is a text or image attachment
• The response to the contextual message is a text or image attachment
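The pairing rules above (one contextual message, one response, the 60-minute window, threaded replies, no attachments) can be modelled in a few lines. The following Python is an added example written for this page, not Enterprise DLP's own detection logic: the ASK_RE, LABELED_SECRET_RE and BARE_SECRET_RE patterns are crude stand-ins for the product's contextual-message detection and its ML-based Application Credential data pattern, and the Slack-style messages, user names, channel id and timestamps are constructed. It reproduces the James/Justin scenario: the 8:45 reply is paired with the question and generates an incident, while the 10:11 threaded reply is not, and a password sent as an attachment is never inspected.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Pairing window stated on the page: a response must arrive within 60 minutes
# of the contextual message to be associated with it.
WINDOW = timedelta(minutes=60)

# Heuristic stand-ins (constructed for this example) for the product's
# contextual-message detection and its ML-based Application Credential pattern.
ASK_RE = re.compile(r"\b(pass(?:word|wd|wrd)|cred(?:ential|ntial)s?)\b", re.I)
LABELED_SECRET_RE = re.compile(r"\b(?:password|passwd|pwd)\b\s*(?:is|[:=-])?\s*(\S{8,})", re.I)
BARE_SECRET_RE = re.compile(r"^\S{8,}$")


@dataclass
class Message:
    ts: datetime
    user: str
    channel: str
    text: str
    kind: str = "text"               # "text" or "attachment"
    thread_of: Optional[int] = None  # index of the parent message for threaded replies


def find_secret(m: Message) -> Optional[str]:
    """Return the credential token in a text message, or None (attachments are never inspected)."""
    if m.kind != "text":
        return None
    hit = LABELED_SECRET_RE.search(m.text)
    if hit:
        return hit.group(1)
    token = m.text.strip()
    # A reply that is nothing but one long mixed token (e.g. "ComPl3xP@$$w0rd@x1y2z").
    if BARE_SECRET_RE.match(token) and re.search(r"\d", token) and re.search(r"[A-Za-z]", token):
        return token
    return None


def is_contextual(m: Message) -> bool:
    """A text message that asks for a password/credential and does not itself contain one."""
    return m.kind == "text" and bool(ASK_RE.search(m.text)) and find_secret(m) is None


def pair_incidents(messages: List[Message]) -> List[Tuple[int, int, str]]:
    """Return (contextual_index, response_index, secret) for each detectable share.

    Messages must be in chronological order. Each contextual message is associated
    with at most one response: the first text reply (top-level in the same channel,
    or threaded under the contextual message) carrying a credential within WINDOW.
    """
    incidents: List[Tuple[int, int, str]] = []
    for i, ctx in enumerate(messages):
        if not is_contextual(ctx):
            continue
        for j in range(i + 1, len(messages)):
            reply = messages[j]
            if reply.ts - ctx.ts > WINDOW:
                break                      # everything later is outside the window too
            if reply.channel != ctx.channel:
                continue
            if reply.thread_of is not None and reply.thread_of != i:
                continue                   # threaded reply to some other message
            secret = find_secret(reply)
            if secret is not None:
                incidents.append((i, j, secret))
                break                      # context is now associated; later replies are ignored
    return incidents


def _at(hh: int, mm: int) -> datetime:
    return datetime(2025, 5, 7, hh, mm)    # constructed date for the sample thread


def example_thread() -> List[Tuple[int, int, str]]:
    """The James/Justin scenario from the page, as constructed Slack-style messages."""
    msgs = [
        Message(_at(8, 30), "james", "C01", "@justin what is the password for the database?"),
        Message(_at(8, 45), "justin", "C01", "the password is password123"),
        Message(_at(10, 11), "justin", "C01", "password - ComPl3xP@$$w0rd@x1y2z", thread_of=0),
    ]
    return pair_incidents(msgs)


def example_attachment() -> List[Tuple[int, int, str]]:
    """A password shared as an attachment is not detectable, per the page."""
    msgs = [
        Message(_at(9, 0), "james", "C01", "Please share the credntial"),
        Message(_at(9, 5), "justin", "C01", "creds.txt", kind="attachment"),
    ]
    return pair_incidents(msgs)


if __name__ == "__main__":
    print(example_thread())      # only the 8:45 reply is paired with the question
    print(example_attachment())  # nothing: the response is an attachment
```

The model stops at the first credential-bearing reply because the page states a contextual message is associated with one response only; the second share in the thread is therefore invisible even though it is a threaded reply to the original question. Tuning the window or allowing several responses per question would change what the product reports, so treat the 60-minute limit as a detection boundary when reviewing incidents.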

Contextual Chat Examples


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.


The table below shows examples of contextual statement formats that trigger inspection by
Enterprise Data Loss Prevention (E-DLP), together with passwords of varying complexity in the
responses that Enterprise DLP would block.


Contextual Statement: @<user> what is the password for the database?
Response: the password is password123

Contextual Statement: Can you please share Virus DB credentials with Alex?
Response: Alex, username is your email address and passwd is pA$$w0rd!23

Contextual Statement: what were the credentials for the Google Cloud accounts?
Response: username - <user> and passwd - gQxHD4&%

Contextual Statement: Please share the credntial
Response: uname: abc123 and passwd: pA$$w0rd!23

Contextual Statement: Please share the password
Response: ComPl3xP@$$w0rd@x1y2z

Contextual Statement: @<user> what is the passwrd for the database?
Response: password - password123

Configure SaaS Security to Inspect for Contextual Secrets



To configure SaaS Security to inspect for contextual secrets, you must use an Enterprise
Data Loss Prevention (E-DLP) data profile containing data pattern match criteria that look for
passwords and credentials. After the data profile is enabled, it must be associated with a policy
rule recommendation.


STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Connect the Slack Enterprise V2 application to SaaS Security.

STEP 3 | Select Manage > Configuration > SaaS Security > Settings > Data Profiles and verify that the
predefined Secrets and Credentials data profile is enabled.

(Optional) Instead of using the predefined data profile, you can create a data profile
and add the predefined ML-based Application Credential data pattern. Adding
a custom data pattern with regex match criteria to a custom data profile is not
supported for inspection for contextual secrets.

STEP 4 | Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP.

STEP 5 | View Enterprise DLP Log Details.


Enterprise DLP and AI Apps



Use Enterprise Data Loss Prevention (E-DLP) to safeguard against GPT language model data
leakage.
• How Enterprise DLP Safeguards Against ChatGPT Data Leakage
• Create a Security Policy Rule for ChatGPT

How Enterprise DLP Safeguards Against ChatGPT Data Leakage



Learn more about using Enterprise Data Loss Prevention (E-DLP) in your Security policy rules to
prevent data exfiltration to ChatGPT.
With the rise of generative Artificial Intelligence (AI), new Natural Language Processing and
Generation (NLP/NLG) interface-based apps have seen unprecedented adoption. ChatGPT is a
popular generative pre-trained transformer (GPT) language model application and presents an
ever-increasing risk of exfiltration of sensitive data. Palo Alto Networks maintains its commitment
to a holistic approach to data security. Enterprise DLP offers immediate prevention of sensitive
data exfiltration to AI apps like ChatGPT.

Existing ChatGPT Traffic - Discovery


Before you use Enterprise DLP to prevent data exfiltration to ChatGPT, it is important to
understand by whom and how often ChatGPT is accessed on your network. Panorama, Prisma
Access (Managed by Panorama), Cloud Management, and Next-Generation CASB for Prisma
Access and NGFW allow you to monitor all egress activity and easily identify new AI app usage
by employees on your network.
Panorama
Use the Unified Log View for NGFW (Managed by Panorama) managed firewalls and Panorama
Managed Prisma Access.
• Use the Unified Log View (Monitor > Logs > Unified) to discover traffic to ChatGPT.
• ChatGPT traffic is captured through the App ID openai-chatgpt and can be found with the
following filter query:
(app eq openai-chatgpt)
Strata Cloud Manager
Use the Log Viewer for NGFW (Managed by Strata Cloud Manager) and Prisma Access (Managed
by Strata Cloud Manager).
• Use Log Viewer (Activity > Logs > Logs Viewer) to discover traffic to ChatGPT.
• ChatGPT traffic is captured through the App ID openai-chatgpt and can be found with the
following app filter query:
app = 'openai-chatgpt'


Next-Generation CASB
• Use the Discovered Apps (Discovered Apps > Applications) to discover traffic to ChatGPT.
• Add Filter to narrow down the Category to Artificial Intelligence applications and Tag as
Unknown.
This filter narrows the view to all traffic to uncategorized AI applications on your
network. Uncategorized applications display as unknown but can be manually recategorized
as sanctioned, unsanctioned, or tolerated once the initial discovery is complete,
based on your organization's risk posture.
• Alternatively, you can search for ChatGPT in the Search Application Name search
bar.

Block or Allow ChatGPT


How to Block ChatGPT
You can choose to block access to ChatGPT entirely using the App ID if the risk of employees
having access to ChatGPT messaging and API features is too high. For Next-Generation CASB
for Prisma Access and NGFW, you can block access to ChatGPT through the Artificial
Intelligence category.


• Panorama — Create an Application Block Rule to explicitly block traffic to ChatGPT.


The application block rule applies to Panorama managed firewalls and Panorama Managed
Prisma Access.
• Cloud Management—Go to Discovered Apps (Manage > Configuration > SaaS Security >
Discovered Apps > Applications), filter for ChatGPT, and block access (Actions > Block
Access).
Additionally, you can select Actions > Tag to apply existing unsanctioned, tolerated, or
sanctioned app policies for egress traffic to ChatGPT.
This applies to Prisma Access (Managed by Strata Cloud Manager) and SaaS Security.
• Next-Generation CASB—Go to Discovered Apps (Visibility > Discovered Apps > Applications),
filter for ChatGPT, and block access (Actions > Block Access).
Additionally, you can select Actions > Tag to apply existing unsanctioned, tolerated, or
sanctioned app policies for egress traffic to ChatGPT.
Allow ChatGPT and Prevent Exfiltration of Sensitive Data
With Enterprise DLP you can create new or leverage existing data detection logic for data sent to
ChatGPT through chat or API. Enterprise DLP can perform in-line content inspection to identify
and stop sensitive data loss to generative AI apps such as ChatGPT without completely blocking
access. This will allow your employees to continue to access ChatGPT while ensuring no sensitive
data is mishandled and leaves your network.
To allow access to ChatGPT on your network while preventing data leakage, you must create a
Security policy rule using an Enterprise DLP data profile.

Create a Security Policy Rule for ChatGPT



Use Enterprise Data Loss Prevention (E-DLP) in a new or existing Security policy rule to prevent
exfiltration of sensitive data to ChatGPT.
(SaaS Security only) If you would rather block access to ChatGPT on your network, you can
do so from the SaaS Security Applications dashboard (Manage > Configuration > Security
Services > SaaS Application Management > Discovered Apps > Applications). Using the SaaS
Security Application dashboard to Block Access allows you to quickly generate a policy rule
recommendation, rather than manually creating one on your own.

(Strata Cloud Manager and SaaS Security) Support for non-file based HTTP/2 traffic
inspection is required to successfully prevent exfiltration to ChatGPT. Your Strata Cloud
Manager tenant must be running Software Version 10.2.3 or later release.
(Panorama) Support for non-file based HTTP/2 traffic inspection is required to
successfully prevent exfiltration to ChatGPT. You must upgrade Panorama and all
managed firewalls to PAN-OS 10.2.3 or later release. Additionally, you must upgrade the
Panorama plugin for Enterprise DLP to 3.0.2 or later release.

• Strata Cloud Manager
• SaaS Security
• Panorama

Strata Cloud Manager

STEP 1 | Log into Strata Cloud Manager.

STEP 2 | Enable Non-File Inspection.

STEP 3 | Select Manage > Configuration > NGFW and Prisma Access > Security Services >
Decryption and create the decryption profile and policy rule required to enable Enterprise
DLP on Strata Cloud Manager.

Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect
egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN)
headers from decrypted traffic.

STEP 4 | (Optional) Create a data pattern.


Create a custom regex data pattern to define your own match criteria. You can skip this step
if you plan to use predefined or existing data patterns to define match criteria in your data
filtering profile.

STEP 5 | Create a data profile or use an existing data profile.


STEP 6 | Select Manage > Configuration > Data Loss Prevention > DLP Rules and in the Actions
column, Edit the DLP rule.
1. Enable Non-File Based Match Criteria.
DLP rules configured for non-file detection are required to prevent exfiltration of
sensitive data to ChatGPT. You can further modify the DLP rule to enforce your
organization’s data security standards. The DLP rule has an identical name as the data
profile from which it was automatically created.
You can keep File Based Matched Criteria enabled or disable as needed. Enabling this
setting has no impact on detection of egress traffic to ChatGPT as long as Non-File
Based Match Criteria is enabled.

2. Modify the Action and Log Severity.


3. Modify the rest of the DLP rule as needed.
4. Save.


STEP 7 | Create a Shared Profile Group for the Enterprise DLP data filtering profile.
1. Select Manage > Configuration > NGFW and Prisma Access > Security Services >
Profile Groups and Add Profile Group.
2. Enter a descriptive Name for the Profile Group.
3. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
4. Add any other additional profiles as needed.
5. Save the profile group.


STEP 8 | Create a Security policy and attach the Profile Group.

Alternatively, you can create or add ChatGPT to an Internet Access policy rule. You
can skip this step if you create an Internet Access policy rule for ChatGPT.

1. Select Manage > Configuration > Security Services > Security Policy and Add Rule.
You can also update an existing Security policy to attach a Profile Group for Enterprise
DLP filtering.
2. In the Applications, Services, and URLs section, Add Applications to search for and select
openai-chatgpt.

3. Navigate to the Action and Advanced Inspection section, and select the Profile Group
you created in the previous step.

4. Configure the Security policy as needed.

The Action you specify in the data profile determines whether egress traffic to
ChatGPT is blocked. The Security policy rule Action does not impact whether
matched traffic is blocked.
For example, you configured the data filtering profile to Block matching egress
traffic but configure the Security policy rule Action to Allow. In this scenario, the
matching egress traffic to ChatGPT is blocked.
5. Save the Security policy.


STEP 9 | Push your Security policy rule.


1. Push Config and Push.
2. Select (enable) Remote Networks and Mobile Users.
3. Push.

SaaS Security

STEP 1 | Log into Strata Cloud Manager.

STEP 2 | Enable Non-File Inspection.

STEP 3 | Select Manage > Configuration > NGFW and Prisma Access > Security Services >
Decryption and create the decryption profile and policy rule required to enable Enterprise
DLP on Strata Cloud Manager.

Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect
egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN)
headers from decrypted traffic.

STEP 4 | (Optional) Create a data pattern.


Create a custom regex data pattern to define your own match criteria. You can skip this step
if you plan to use predefined or existing data patterns to define match criteria in your data
filtering profile.

STEP 5 | Create a data profile or use an existing data profile.

STEP 6 | Select Manage > Configuration > Data Loss Prevention > DLP Rules and in the Actions
column, Edit the DLP rule.
1. Enable Non-File Based Match Criteria.
DLP rules configured for non-file detection are required to prevent exfiltration of
sensitive data to ChatGPT. You can further modify the DLP rule to enforce your
organization’s data security standards. The DLP rule has an identical name as the data
profile from which it was automatically created.
You can keep File Based Matched Criteria enabled or disable as needed. Enabling this
setting has no impact on detection of egress traffic to ChatGPT as long as Non-File
Based Match Criteria is enabled.

2. Modify the Action and Log Severity.


3. Modify the rest of the DLP rule as needed.
4. Save.

STEP 7 | Select Manage > Configuration > SaaS Security > Discovered Apps > Policy
Recommendations to create a Security policy rule recommendation.
A SaaS policy rule recommendation is required to leverage the Enterprise Data Loss
Prevention (E-DLP) data profile in SaaS Security.
1. In the Select Applications section, search for and select ChatGPT.

2. In the Data Profile section, search for and select the data profile you enabled in the
previous step.
3. Configure the policy rule recommendation as needed.
4. Save.


Panorama

STEP 1 | Upgrade Panorama, managed firewalls, and the Enterprise DLP plugin to the minimum
required versions.
1. Upgrade Panorama to PAN-OS 10.2.3 or later release.
2. Upgrade the Enterprise DLP plugin to 3.0.2 or later release.
3. Upgrade managed firewalls to PAN-OS 10.2.3 or later release.

STEP 2 | Log in to the Panorama web interface.

STEP 3 | Create the decryption policy rule required for Enterprise DLP.
1. Select Objects > Decryption > Decryption Profile and specify the Device Group.
Add a new decryption profile. The default decryption profile configuration is all that is
required for Enterprise DLP to inspect traffic.

Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot
inspect egress traffic to ChatGPT if you remove application-layer protocol
negotiation (ALPN) headers from decrypted traffic.
2. Select Policies > Decryption and specify the Device Group.
Add a new decryption policy rule. Select Options and assign the decryption profile.
1. For the Action, select Decrypt.
2. Select the Decryption Profile you created.
3. Click OK.

STEP 4 | Enable Non-File Inspection.


Data filtering profiles configured for non-file detection are required to prevent exfiltration
of sensitive data to ChatGPT. You can create a new data filtering profile or use existing data
filtering profiles as needed. You can add any combination of custom or predefined data
patterns to define the match criteria.

STEP 5 | Create a data profile on Panorama or Strata Cloud Manager, or use an existing data profile.


STEP 6 | Attach the data filtering profile to a Security policy rule.


1. Select Policies > Security.
You can select an existing Security policy rule or Add a new Security policy rule.
2. Configure the General and Source as needed.
3. Configure the Destination as needed.
4. For the Application, Add and search for openai-chatgpt.
Skip this step if your Security policy rule applies to Any application. ChatGPT is
automatically included for a Security policy rule that applies to Any application.
5. Select Actions and configure the Profile Settings.
Select Profiles and select the Data Filtering profile you created in the previous step.
If the data filtering profile is part of a Security Profile Group (Objects > Security Profile
Groups), select Group and select the Security Profile Group the data filtering profile is
associated with.
6. Configure the rest of the Security policy rule as needed.

The Action you specify in the data filtering profile determines whether egress
traffic to ChatGPT is blocked. The Security policy rule Action does not impact
whether matched traffic is blocked.
For example, if you configured the data filtering profile to Block matching egress
traffic but configure the Security policy rule Action to Allow, the matching
egress traffic to ChatGPT will be blocked.
7. Click OK.


STEP 7 | Commit and push the new configuration to your managed firewalls to complete the
Enterprise DLP plugin installation.
This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering
logs.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

• Full configuration push from Panorama


1. Select Commit > Commit to Panorama and Commit.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.
• Partial configuration push from Panorama

You must always include the temporary __dlp administrator when performing a
partial configuration push. This is required to keep Panorama and the DLP cloud
service in sync.
For example, you have an admin Panorama admin user who is allowed to commit
and push configuration changes. The admin user made changes to the Enterprise
DLP configuration and only wants to commit and push these changes to managed
firewalls. In this case, the admin user is required to also select the __dlp user in
the partial commit and push operations.

1. Select Commit > Commit to Panorama.


2. Select Commit Changes Made By and then click the current Panorama admin user to
select additional admins to include in the partial commit.
In this example, the admin user is currently logged in and performing the commit
operation. The admin user must click admin and then select the __dlp user. If there are
additional configuration changes made by other Panorama admins they can be selected
here as well.
Click OK to continue.

3. Commit.
4. Select Commit > Push to Devices.
5. Select Push Changes Made By and then click the current Panorama admin user to select
additional admins to include in the partial push.
In this example, the admin user is currently logged in and performing the push
operation. The admin user must click admin and then select the __dlp user. If there are
additional configuration changes made by other Panorama admins they can be selected
here as well.
Click OK to continue.

6. Select Device Groups and Include Device and Network Templates.


7. Click OK.
8. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.


Custom Document Types for Enterprise DLP



Upload your custom documents that contain intellectual property or sensitive information
to Enterprise Data Loss Prevention (E-DLP) to create custom document types. Your custom
document types are used as match criteria in advanced data profile to detect and prevent
exfiltration.
• About Custom Document Types
• Upload a Custom Document Type
• Test a Custom Document Type

About Custom Document Types



Enterprise Data Loss Prevention (E-DLP) supports upload and detection of custom documents
containing intellectual property for which you want to prevent exfiltration. You can upload a
custom document type to Enterprise DLP, or use a predefined document type, to classify and
detect standardized documents and prevent exfiltration of sensitive data. You use the uploaded
custom document types in data profiles as match criteria. Additionally, you can use custom
document types along with predefined Machine Learning-based data patterns to apply additional
ML-based detection algorithms complemented by confidential or sensitive data specific to your
organization.
Enterprise DLP uses Indexed Document Matching and Trainable Classifiers to fingerprint and
index uploaded custom documents to scan for and detect documents that completely or partially
match what you have already uploaded.
• Indexed Document Matching (IDM)—Used to fingerprint documents and create a document
type for documents commonly used by your organization. Uploading multiple documents
allows you to create a custom document repository that you can use in a data profile.
• Trainable Classifiers—Supervised machine learning model that analyzes document types for
classifications. As you upload more custom documents as types, Enterprise DLP is able to
continuously train the ML model to accurately detect sensitive data matches to inspect for and
prevent exfiltration (Positive Training Documents) and those to ignore (Negative Training Set).
The upload of set of custom documents using Trainable Classifiers is referred to as a custom
document model.
Using IDM and Trainable Classifiers for detection of sensitive data is powerful and enables
Enterprise DLP to continuously improve its detection capabilities by indexing unstructured text
in your documents.


• IDM Examples
  • Examples of different types of custom documents where IDM can be successfully applied:
    • Standardized forms or documents specific to your business or organization
    • Patent documents
    • Specific business agreements
    • Specific intellectual property documents
  • Examples of different types of custom documents where IDM is less successful because
    they are too generic or not specific to your organization:
    • Generic whitepapers
    • Generic datasheets
    • Image or graphic-heavy documents with little text
• Trainable Classifier Examples
  • Examples of different types of custom Positive Training Documents:
    • Proprietary product source code
    • Proprietary product formulas
    • Prerelease earnings, sales estimates, or accounting documents
    • Confidential marketing plans
    • Patient medical records
    • Customer purchasing documents and patterns
    • Confidential legal documents, and Merger & Acquisition documents
    • Proprietary manufacturing methods
  • Examples of different types of custom Negative Training Documents:
    • Proprietary code from open source projects
    • Non-proprietary product information
    • Details of published annual accounts
    • Published marketing collateral and advertising copy
    • Healthcare documents
    • Publicly available consumer data
    • Publicly available materials and press releases
    • Industry standards and research
For example, your organization both buys and sells software. You want to only detect instances
of sensitive customer data contained in invoices for software that you sell. In this case, you can
upload a copy of your organization's invoice as a custom document type for fingerprinting.
However, custom document types will be less effective if you want to detect receipts for
software your organization purchases, because there is too much variance in format
between the various software vendors your organization purchases from. Greater document
variance results in less accurate detection of matched traffic.
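To make the complete-versus-partial matching described above concrete, here is an added Python example of word-shingle fingerprinting, the general technique behind indexed document matching. It is not Enterprise DLP's IDM implementation: the 5-word shingle size, the 0.3 containment threshold, the DocumentIndex class, and the sample invoice and vendor receipt texts are all constructed for this illustration. It shows why the invoice scenario works (an excerpt of your own invoice still shares many shingles with the indexed copy) and why text with little shared wording, such as a receipt in another vendor's format, produces no match at all.

```python
import hashlib
import re
from typing import Dict, Set

SHINGLE_WORDS = 5   # consecutive words per shingle (constructed choice for this example)


def fingerprint(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Hash every run of k consecutive words; the set of hashes is the document's fingerprint."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if not words:
        return set()
    if len(words) < k:  # very short text: one shingle covering the whole text
        return {hashlib.sha256(" ".join(words).encode()).hexdigest()[:16]}
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


class DocumentIndex:
    """Toy indexed-document store: name -> fingerprint of the uploaded custom document."""

    def __init__(self) -> None:
        self._docs: Dict[str, Set[str]] = {}

    def add(self, name: str, text: str) -> None:
        self._docs[name] = fingerprint(text)

    def match(self, text: str, threshold: float = 0.3) -> Dict[str, float]:
        """Score outbound text against every indexed document.

        The score is the fraction of the indexed document's shingles that appear in the
        text, so a verbatim copy scores 1.0 and an excerpt scores proportionally.
        """
        probe = fingerprint(text)
        hits: Dict[str, float] = {}
        for name, fp in self._docs.items():
            score = len(probe & fp) / len(fp) if fp else 0.0
            if score >= threshold:
                hits[name] = score
        return hits


# Constructed sample documents for the invoice scenario described on the page.
OUR_INVOICE = (
    "Acme Software Ltd invoice number 10042 bill to customer name customer address "
    "license key ABC123 product Acme Suite quantity 1 unit price 499 total 499 "
    "payment due within 30 days thank you for your business"
)
VENDOR_RECEIPT = (
    "Receipt from Globex Tools order 778 item developer toolkit annual subscription "
    "amount charged 129 paid by card reference 55ab thank you for shopping with Globex"
)


def build_index() -> DocumentIndex:
    idx = DocumentIndex()
    idx.add("acme-invoice", OUR_INVOICE)   # the uploaded custom document type
    return idx


def score_full_copy() -> float:
    """A verbatim copy of our invoice leaving the network."""
    return build_index().match(OUR_INVOICE)["acme-invoice"]


def score_excerpt() -> float:
    """The first 20 of the invoice's 35 words, e.g. the header pasted into a chat."""
    excerpt = " ".join(OUR_INVOICE.split()[:20])
    return build_index().match(excerpt)["acme-invoice"]


def score_vendor_receipt() -> Dict[str, float]:
    """A third-party receipt shares no 5-word run with the indexed invoice, so no match."""
    return build_index().match(VENDOR_RECEIPT)


if __name__ == "__main__":
    print(score_full_copy(), score_excerpt(), score_vendor_receipt())
```

The containment score, rather than plain Jaccard similarity, is what makes partial matches useful: a short excerpt of a long fingerprinted document still scores by how much of the original it reproduces. The same mechanics explain the page's caveats. Generic whitepapers share long word runs with many harmless documents, so a low threshold produces false positives, while graphic-heavy documents yield almost no shingles to match on.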


Upload a Custom Document Type



Upload a custom document to Enterprise Data Loss Prevention (E-DLP) using Indexed Document
Matching (IDM) or Trainable Classifiers to create a custom document type or model. Enterprise
DLP uses custom document types and models to classify and detect your standardized
documents and prevent exfiltration of sensitive data.
Custom document uploads using Trainable Classifiers allow you to specify two different training
document types with a single custom document model. Enterprise DLP supports up to 10 unique
custom document models for a single Next-Generation CASB for Prisma Access and NGFW or
Next-Generation CASB for Prisma Access and NGFW (CASB-X) tenant.
• Positive Training Documents—Custom documents containing sensitive data that you want
Enterprise DLP to inspect for and prevent exfiltration.
• Negative Training Documents—Custom documents that you don’t want Enterprise DLP to
inspect for. Enterprise DLP ignores sensitive data in these document types added to this
training set.
Enterprise DLP inspects for and prevents exfiltration of sensitive data if there is overlap
between documents in the positive and negative training sets.

(Trainable Classifiers only) You must add at least one positive and one negative training
document to successfully test and upload custom document types.

You can't delete a custom document type after you add it to an advanced data profile. You need
to remove the custom document type from the data profile before you can delete it from
Enterprise DLP.


• IDM
• Trainable Classifiers

IDM

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Document Types.

STEP 3 | Add New to upload a new custom document.


STEP 4 | Define the new custom document.


1. Enter a Name for the custom document.
2. For the Technique, select Index Document Match (IDM).
3. Select the document Category.
Enterprise DLP uses the document category to group together similar types of
documents for administrative purposes.
You can specify one of the following predefined categories—Academia, Confidential,
Employment, Financial, Government, Healthcare, Legal, Marketing, or Source Code.
4. (Optional) Enter a Description for the custom document.
Enterprise DLP supports up to 300 characters.
5. For the Source File, drag and drop a file or Browse Files to select the custom document.
Before you upload a custom document, review the upload requirements:
• The document must contain at least 250 characters.
• Enterprise DLP supports documents containing images but ignores all images contained
within the document.
Documents containing images must still meet the minimum character requirement.
• Enterprise DLP supports documents up to 1 MB in size.
• You can upload only one document at a time.
• The document must be one of the file types supported by Enterprise DLP.
6. Generate.


STEP 5 | In Document Types, verify that your custom document successfully uploaded to Enterprise
DLP.
To quickly find the document, you can search for the custom document Name. After you have
located the custom document, confirm the Status is Completed.

Trainable Classifiers

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Document Types.

STEP 3 | Add New to upload a new custom document.


STEP 4 | Define the new custom document.


1. Enter a Name for the custom document.
2. For the Technique, select Trainable Classifier (TC).
3. Select the document Category.
Enterprise DLP uses the document category to group together similar types of
documents for administrative purposes.
You can specify one of the following predefined categories—Academia, Confidential,
Employment, Financial, Government, Healthcare, Legal, Marketing, or Source Code.
4. (Optional) Enter a Description for the custom document.
Enterprise DLP supports up to 300 characters.
5. Upload a .zip file for the Positive Training Documents and a .zip file for the Negative
Training Documents.
Enterprise DLP requires that you add at least one positive and at least one negative training
document.
For the Source File for either, Browse Files to select the .zip file. Before you upload,
review the upload requirements:
• Upload a .zip file containing your custom documents for the Positive Training
Documents and for the Negative Training Documents. Enterprise DLP requires a
discrete .zip file for each.
• The .zip file must contain at least 20 documents of file types supported by Enterprise
DLP.
Palo Alto Networks recommends a .zip containing 50 documents.
• All custom documents contained in the .zip file must be text files.
• Each document must contain a minimum of 10 words.
• A maximum of 10 MB per custom document is supported.
• Enterprise DLP supports documents containing images but ignores all images contained
within the document.
Documents containing images must still meet the minimum character requirement.
6. Generate.


STEP 5 | In Document Types, verify that your custom document successfully uploaded to Enterprise
DLP.
To quickly find the document, you can search for the custom document Name. After you have
located the custom document, confirm the Status is Completed.
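The upload requirements in Step 4 of the IDM procedure and Step 4 of the Trainable Classifiers procedure can be checked before you upload. The following script is an added example, not part of this guide or of Enterprise DLP: it applies those limits to an IDM source file and to a training .zip file, and assumes the documents are plain UTF-8 text (the sample files are constructed in memory).

```python
"""Pre-upload checks for custom document types.

Added example, not Palo Alto Networks code. The limits are the upload
requirements stated in this guide for IDM source files and for Trainable
Classifier training .zip files; the sample files are constructed in memory
and assumed to be plain UTF-8 text.
"""
import io
import zipfile

# IDM: a single source document.
IDM_MIN_CHARS = 250                 # at least 250 characters
IDM_MAX_BYTES = 1 * 1024 * 1024     # up to 1 MB

# Trainable Classifiers: one .zip each for positive and negative documents.
TC_MIN_DOCS = 20                    # at least 20 documents per .zip
TC_RECOMMENDED_DOCS = 50            # Palo Alto Networks recommends 50
TC_MIN_WORDS = 10                   # per document
TC_MAX_BYTES = 10 * 1024 * 1024     # per document, 10 MB


def check_idm_document(data):
    """Return a list of problems for an IDM source file (empty when it passes).

    Images inside a document are ignored by the service, so only text counts
    toward the character minimum; a plain-text file is assumed here.
    """
    problems = []
    chars = len(data.decode("utf-8", errors="ignore").strip())
    if chars < IDM_MIN_CHARS:
        problems.append(f"only {chars} characters (minimum {IDM_MIN_CHARS})")
    if len(data) > IDM_MAX_BYTES:
        problems.append(f"{len(data)} bytes exceeds the 1 MB limit")
    return problems


def check_training_zip(zip_bytes):
    """Return a list of problems for one training .zip (empty when it passes)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        docs = [info for info in zf.infolist() if not info.is_dir()]
        if len(docs) < TC_MIN_DOCS:
            problems.append(f"{len(docs)} documents (minimum {TC_MIN_DOCS}, "
                            f"{TC_RECOMMENDED_DOCS} recommended)")
        for info in docs:
            if info.file_size > TC_MAX_BYTES:
                problems.append(f"{info.filename}: {info.file_size} bytes "
                                "exceeds the 10 MB limit")
            try:
                words = len(zf.read(info).decode("utf-8").split())
            except UnicodeDecodeError:
                problems.append(f"{info.filename}: not a text file")
                continue
            if words < TC_MIN_WORDS:
                problems.append(f"{info.filename}: {words} words "
                                f"(minimum {TC_MIN_WORDS})")
    return problems


def build_zip(files):
    """Construct an in-memory .zip from a {name: bytes} mapping (demo input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: 20 invoice-like text files pass; a two-file .zip with a
# short document and a binary blob fails on every rule.
SAMPLE_GOOD_ZIP = build_zip({
    f"invoice_{i:02d}.txt": (f"Invoice {i} for software licence renewal, "
                             "total amount due within thirty days.").encode()
    for i in range(20)
})
SAMPLE_BAD_ZIP = build_zip({
    "note.txt": b"too short",
    "scan.bin": bytes([0xFF, 0xFE, 0x00, 0x80]),
})

if __name__ == "__main__":
    for label, blob in (("good", SAMPLE_GOOD_ZIP), ("bad", SAMPLE_BAD_ZIP)):
        print(label, check_training_zip(blob) or "OK")
    print("idm", check_idm_document(b"x" * 300) or "OK")
```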

Test a Custom Document Type


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license, or any of the following licenses that include
the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Review the Supported Platforms for details on the required license for each enforcement point.


Run a test for your custom document types to verify that Enterprise Data Loss Prevention (E-DLP)
can successfully detect documents matching a custom document type before they leave your network.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Upload a custom document type to Enterprise DLP.

STEP 3 | Select Manage > Configuration > Data Loss Prevention > Document Types.

STEP 4 | Search for the custom document type you want to test and expand the Actions to Test the
custom document type.

STEP 5 | Browse Files and select the documents you want to test against the custom document type.
You can test up to five documents at once. Each document must be one of the file types
supported by Enterprise DLP.
Enterprise DLP displays the Overlapping Score for each of the documents you tested. The
overlapping score represents how much content in the tested document matches the custom
document type. A score of 0 represents no commonalities between the test document and
the custom document type. A score of 100 represents a near-total match between the test
document and the custom document type.


Email DLP
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• Data Security

What Do I Need?
• One of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
• Email DLP license
Review the Supported Platforms for details on the required license for each enforcement point.

Enterprise DLP prevents exfiltration of emails containing sensitive information with AI/ML
powered data detections. For example, Enterprise DLP can prevent exfiltration of sensitive data
over an outbound email sent from a salesperson within your organization to their personal email.
• How Does Email DLP Work?
• Onboard Microsoft Exchange Online
• Onboard Gmail
• Add an Email DLP Policy Rule
• Review Email DLP Incidents
• Why Are Emails Not Being Blocked?

How Does Email DLP Work?


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.


Where Can I Use This?
• Data Security

What Do I Need?
• One of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
• Email DLP license
Review the Supported Platforms for details on the required license for each enforcement point.

To prevent sensitive data exfiltration, Enterprise Data Loss Prevention (E-DLP) needs to perform
inline inspection of all outbound emails. To do this, Enterprise DLP uses an inbound and outbound
connector to transport outbound emails to and from Enterprise DLP for inspection and verdict
rendering. You must also create email transport rules to specify the actions Microsoft Exchange or
Gmail take based on the verdicts rendered by Enterprise DLP.
Enterprise DLP adds an email header to the email after inspection to indicate that Enterprise DLP
has already inspected the email. If Enterprise DLP renders a Block or Quarantine verdict for an
inspected email, it adds an email header to indicate the verdict as well. Emails that are already
inspected are not transported to Enterprise DLP a second time; Microsoft Exchange or Gmail takes
action based on the existing email headers.
After Enterprise DLP inspects an email, it's returned to Microsoft Exchange or Gmail for
further action based on the rendered verdict.
The email flow for inline inspection of emails using Enterprise DLP is as follows:
1. An email is sent from within your organization to a recipient outside your organization.
The outbound email can be sent from a desktop mail client, a web-based mail client, or a
mobile device.
2. The email transport rule instructs Microsoft Exchange or Gmail to forward the outbound email
to Enterprise DLP for inspection.
3. Enterprise DLP inspects the email subject line, body, and attachments against your Email DLP
policies and renders a verdict.
Enterprise DLP adds email headers to mark that the email has been inspected and what verdict
was rendered.

Enterprise DLP does not support inspection of document links contained in either the
email subject or body.
4. The email is returned to Microsoft Exchange or Gmail.
5. Microsoft Exchange or Gmail takes action based on its transport rules.
6. Microsoft Exchange or Gmail sends the email to the intended recipient if it is allowed.
An email is allowed if Enterprise DLP did not detect any sensitive data or if the email was
quarantined and approved.

Which Components of the Email Does Email DLP Inspect?


Enterprise DLP supports inspection of the following email components.
• Email subject
• Email body
• Email attachments
Enterprise DLP supports the inspection of the following types of email attachments.
• All supported file types up to 20 MB in size
• .eml files and up to five levels of nested .eml email files

Microsoft Exchange—Users must click Forward as Attachment. Enterprise DLP requires
this setting to inspect email file attachments. Forwarding email file attachments
using any other method isn't supported and prevents Enterprise DLP from inspecting
.eml attachments.
Gmail—Only MIME email file attachments are supported. Gmail does not support
Forward as Attachment functionality. Users must attach the nested email file in .eml
format.
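As an added example that is not part of this guide or of Enterprise DLP, the following script parses an outbound email the way a pre-flight check might: it lists the subject, body and attachments described above and measures the nested .eml depth against the five-level and 20 MB limits. The messages are constructed in memory to stand in for a Forward as Attachment chain.

```python
"""Enumerate what Email DLP inspects in an outbound email (subject, body,
attachments, nested .eml files) and check the documented limits.

Added example, not Palo Alto Networks code. The limits are the ones stated in
this guide (attachments up to 20 MB, up to five levels of nested .eml); the
messages are constructed in memory to stand in for a "Forward as Attachment"
chain.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

MAX_ATTACHMENT_BYTES = 20 * 1024 * 1024   # "up to 20 MB in size"
MAX_EML_NESTING = 5                       # "up to five levels of nested .eml"


def build_forward_chain(levels):
    """Construct a message with `levels` nested forwarded .eml messages.

    The innermost mail carries a CSV attachment; each outer level forwards the
    previous one as a message/rfc822 part, as "Forward as Attachment" does.
    """
    msg = EmailMessage()
    msg["Subject"] = "Original: account balances"
    msg.set_content("See attached export.")
    msg.add_attachment(b"acct,balance\n1001,4200\n",
                       maintype="application", subtype="octet-stream",
                       filename="balances.csv")
    for level in range(1, levels + 1):
        outer = EmailMessage()
        outer["Subject"] = f"FW: level {level}"
        outer.set_content(f"Forwarding level {level}")
        outer.add_attachment(msg)           # attached as message/rfc822
        msg = outer
    msg["From"] = "sales@example.com"
    msg["To"] = "someone@personal.example"
    return msg


def walk_attachments(msg, level=0):
    """Yield (eml_level, name, size) for every attachment at every depth.

    A message/rfc822 part is reported, then descended into with level + 1, so
    the largest level seen is the .eml nesting depth.
    """
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            yield (level + 1, part.get_filename() or "(nested .eml)",
                   len(inner.as_bytes()))
            yield from walk_attachments(inner, level + 1)
        else:
            yield (level, part.get_filename() or part.get_content_type(),
                   len(part.get_payload(decode=True) or b""))


def check_email(raw, max_attachment_bytes=MAX_ATTACHMENT_BYTES):
    """Parse raw RFC 5322 bytes and report the components Email DLP inspects."""
    msg = message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    attachments = list(walk_attachments(msg))
    depth = max((lvl for lvl, _, _ in attachments), default=0)
    oversize = [name for _, name, size in attachments
                if size > max_attachment_bytes]
    return {
        "subject": msg["Subject"],
        "body": body.get_content().strip() if body else "",
        "attachments": attachments,
        "eml_depth": depth,
        "oversize": oversize,
        # Beyond five nested levels or the size limit, inspection isn't supported.
        "inspectable": depth <= MAX_EML_NESTING and not oversize,
    }


if __name__ == "__main__":
    for levels in (3, 6):
        report = check_email(build_forward_chain(levels).as_bytes())
        print(levels, report["eml_depth"], report["inspectable"])
```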

Which Regions Does Email DLP Support?


Enterprise DLP supports Email DLP in the following regions:
• Australia
• Germany (Europe)
• India
• Japan
• Singapore (APAC)
• United Kingdom
• United States


What Microsoft Exchange Online Licenses Are Required for Email DLP?
Email DLP supports any Microsoft Exchange Online license, including Microsoft 365 Defender,
Microsoft 365, and Office 365 E5 licenses for inline inspection of outbound emails using
Enterprise DLP.
The type of Microsoft Exchange Online license you have active determines the supported Email
DLP functionality available to your Microsoft Exchange Online deployment.

Enterprise DLP does not support the MSDN license for Email DLP. MSDN does not
support the use of inbound connectors to route emails, which Enterprise DLP requires to
forward outbound emails back to Microsoft Exchange after inspection.

What Functionality Do Microsoft Exchange Licenses Support?


Email DLP supports the following functionality based on your active Microsoft Exchange license.
• Any Microsoft Exchange Online license except MSDN
• Inspect outbound emails
• Block outbound emails containing sensitive data
• Send outbound emails containing sensitive data for admin approval
• Send outbound emails containing sensitive data for manager approval
• Microsoft 365 Defender license
See the Microsoft 365 Defender prerequisites for more information.
• Inspect outbound emails
• Block outbound emails containing sensitive data
• Send outbound emails containing sensitive data for admin approval
• Send outbound emails containing sensitive data for manager approval
• Send outbound emails containing sensitive data to hosted quarantine for approval
• Microsoft 365 or Office 365 E5 license
• Inspect outbound emails
• Block outbound emails containing sensitive data
• Send outbound emails containing sensitive data for admin approval
• Send outbound emails containing sensitive data for manager approval
• Send outbound emails containing sensitive data to hosted quarantine for approval
• Encrypt outbound emails containing sensitive data before they are sent to the recipient


Onboard Microsoft Exchange Online


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• Data Security

What Do I Need?
• One of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
• Email DLP license
Review the Supported Platforms for details on the required license for each enforcement point.

You must onboard Microsoft Exchange Online to prevent exfiltration of sensitive data contained
in outbound emails using Enterprise Data Loss Prevention (E-DLP).
• Connect Microsoft Exchange and Enterprise DLP
• Create Microsoft Exchange Connectors
• Create Microsoft Exchange Transport Rules
• Create an Email DLP Sender Alert Policy
• Obtain Your Microsoft Exchange Domain and Relay Host

Connect Microsoft Exchange and Enterprise DLP

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.


Where Can I Use This?
• Data Security

What Do I Need?
• One of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
• Email DLP license
Review the Supported Platforms for details on the required license for each enforcement point.

Connect Microsoft Exchange to Enterprise Data Loss Prevention (E-DLP) through SaaS Security
on Strata Cloud Manager to complete the onboarding.

Before you begin connecting Microsoft Exchange to Enterprise DLP, ensure that the admin
performing the connection has at least Email Administrator access for Microsoft
Exchange. Microsoft Exchange requires this minimum access privilege to allow Enterprise
DLP API access to Microsoft Exchange.

STEP 1 | Contact your email domain provider to update your SPF record to add the required
Enterprise DLP service IP addresses.
Add the IP addresses for the region where you host your email domain. You can update your
SPF record with multiple regional IP addresses if you have email domains hosted in multiple
regions.
• APAC
35.186.151.226 and 34.87.43.120
• Australia
35.197.179.113 and 35.244.122.65
• Europe
34.141.90.172 and 34.107.47.119
• India
34.93.185.212 and 35.200.159.173
• Japan
34.84.8.170 and 35.221.111.27
• United Kingdom
34.105.128.121 and 34.89.40.221
• United States
34.168.197.200 and 34.83.143.116
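As an added example that is not part of this guide or of Enterprise DLP, the following script checks whether a domain's SPF record already authorizes the service IP addresses for a region and inserts any that are missing before the trailing all qualifier. The sample record is constructed, and include:spf.protection.outlook.com is assumed only as a typical existing Exchange Online term.

```python
"""Check and update an SPF record for the Enterprise DLP service IP addresses.

Added example, not Palo Alto Networks code. The per-region addresses are the
ones listed in this step; the SPF record below is a constructed sample, and
the Exchange Online include mechanism is assumed only as a typical existing
term.
"""
import ipaddress
import re

# Enterprise DLP email service IP addresses by hosting region (from this step).
EDLP_SPF_IPS = {
    "APAC": ("35.186.151.226", "34.87.43.120"),
    "Australia": ("35.197.179.113", "35.244.122.65"),
    "Europe": ("34.141.90.172", "34.107.47.119"),
    "India": ("34.93.185.212", "35.200.159.173"),
    "Japan": ("34.84.8.170", "35.221.111.27"),
    "United Kingdom": ("34.105.128.121", "34.89.40.221"),
    "United States": ("34.168.197.200", "34.83.143.116"),
}

# Mechanisms that cost one of the ten DNS lookups SPF allows (RFC 7208 4.6.4);
# ip4:/ip6: terms are free, so adding the service IPs never hits that limit.
_LOOKUP_TERM = re.compile(
    r"^[-~+?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def ip4_networks(spf_record):
    """Return the IPv4 networks authorised by the record's ip4: mechanisms."""
    nets = []
    for term in spf_record.split():
        match = re.fullmatch(r"[+]?ip4:(.+)", term, re.I)
        if match:
            nets.append(ipaddress.ip_network(match.group(1), strict=False))
    return nets


def lookup_count(spf_record):
    """Count the DNS-lookup mechanisms in the record (the limit is 10)."""
    return sum(1 for term in spf_record.split() if _LOOKUP_TERM.match(term))


def missing_edlp_ips(spf_record, region):
    """Return the service IPs for `region` that the record does not authorise."""
    nets = ip4_networks(spf_record)
    return [ip for ip in EDLP_SPF_IPS[region]
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def add_edlp_ips(spf_record, region):
    """Return the record with ip4: terms for any missing service IPs inserted
    before the trailing 'all' qualifier, so the existing policy still applies."""
    missing = missing_edlp_ips(spf_record, region)
    if not missing:
        return spf_record
    terms = spf_record.split()
    insert_at = len(terms)
    if re.fullmatch(r"[-~+?]?all", terms[-1], re.I):
        insert_at -= 1
    return " ".join(terms[:insert_at] + [f"ip4:{ip}" for ip in missing]
                    + terms[insert_at:])


# Constructed sample: a typical Exchange Online record for a US-hosted domain.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for region in ("United States", "Europe"):
        print(region, "missing:", missing_edlp_ips(SAMPLE_SPF, region))
    print(add_edlp_ips(SAMPLE_SPF, "United States"))
```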


STEP 2 | (Best Practices) Confirm that Active Directory is properly configured so that email senders
have a manager to approve or reject quarantined emails.
Microsoft Exchange Active Directory is required to assign a manager to a sender. You can
create a transport rule to quarantine and send the email for approval by the sender's manager.
To successfully quarantine a sender's email if sensitive data is detected by Enterprise DLP, a
sender must have a manager assigned.
If you did not assign a manager to a user, then Microsoft Exchange sends the quarantined
email to the intended recipient. Microsoft Exchange requires that you assign a user a manager
to approve or reject the email.

STEP 3 | (Best Practices) Save Evidence for Investigative Analysis with Enterprise DLP.
Palo Alto Networks recommends configuring evidence storage so you can download emails for
investigative analysis when you review Email DLP incidents.

STEP 4 | Set up the Cloud Identity Engine (CIE).


Palo Alto Networks recommends using CIE so you can create targeted Email DLP policy rules.

STEP 5 | Create the Microsoft Exchange connectors and transport rules, and create the Email DLP
Policy.
Palo Alto Networks recommends setting up all connectors, transport rules, and Email DLP
policy rules to ensure enforcement begins as soon as you successfully connect Microsoft
Exchange Online to Enterprise DLP.
• Create a Microsoft Exchange Outbound Connector
The outbound connector controls the flow of emails forwarded from Microsoft Exchange to
Enterprise DLP.
• Create a Microsoft Exchange Inbound Connector
The inbound connector controls the flow of emails forwarded to Enterprise DLP back to
Microsoft Exchange.
• Create Microsoft Exchange Transport Rules
Transport rules allow Microsoft Exchange to forward emails to Enterprise DLP and specify
the actions Microsoft Exchange takes based on the hosted quarantine, admin approval,
manager approval, encrypt, or block transport rules verdicts rendered by Enterprise DLP.
• Add an Enterprise DLP Email Policy
The DLP email policy specifies the incident severity and the action Enterprise DLP takes
when matching traffic is inspected and sensitive data is detected.

STEP 6 | Obtain Your Microsoft Exchange Domain and Relay Host.

STEP 7 | Log in to Strata Cloud Manager.

STEP 8 | Select Manage > Configuration > SaaS Security > Settings > Apps Onboarding.


STEP 9 | Search for Exchange and click Microsoft Exchange.

STEP 10 | In the Email DLP Instance, click Add Instance.

STEP 11 | In the Setup Connectors and Rules page, click Continue to Next Section since you
have already configured the outbound connector, inbound connector, and transport rules.

STEP 12 | In the Configure Smart Host page, add the email domains and relay hosts.
Enterprise DLP requires adding one or more email domains and relay hosts to ensure
Enterprise DLP can successfully forward inspected emails back to Microsoft Exchange.
1. Enter an Email Domain and its corresponding Relay Host you obtained in the previous
step.
Obtain Your Microsoft Exchange Domain and Relay Host if you don't have the Microsoft
Exchange email domain and relay host immediately available.
2. (Optional) Add any additional email domains and relay hosts as needed.
3. Connect.

STEP 13 | Microsoft Exchange is now successfully connected and onboarded.


STEP 14 | Configure the Email DLP settings.


• Edit the snippet settings to configure if and how Enterprise DLP stores and masks snippets
of sensitive data that match your data pattern match criteria.
• Edit the policy evaluation timeout settings to configure what Enterprise DLP does when
Email DLP policy evaluation exceeds the configured timeout.
• Configure evidence storage to save evidence for investigative analysis.

Create Microsoft Exchange Connectors

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• Data Security

What Do I Need?
• One of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
• Email DLP license
Review the Supported Platforms for details on the required license for each enforcement point.

To prevent exfiltration of sensitive data contained in outbound emails using Enterprise Data
Loss Prevention (E-DLP), you must create outbound and inbound Microsoft Exchange Online
connectors to control the flow of emails between Microsoft Exchange Online and Enterprise
DLP. The outbound connector controls the flow of outbound emails from Microsoft Exchange
to Enterprise DLP for inspection and verdict rendering. The inbound connector returns emails
forwarded to Enterprise DLP back to Microsoft Exchange and instructs Microsoft Exchange to take
action based on the transport rule.
• Outbound Connector
• Inbound Connector
• Proofpoint Server Connector
Create a Microsoft Exchange Outbound Connector

STEP 1 | Log in to the Microsoft Exchange Admin Center.


STEP 2 | Select Mail flow > Connectors and Add a connector to launch the Microsoft Exchange
Connector wizard.

STEP 3 | Specify the connector source and destination.


1. For Connection from, select Office 365.
2. For Connection to, select Partner organization.
A partner can be any third-party cloud service that provides services such as data
protection. In this case, the third-party partner organization is Palo Alto Networks.
3. Click Next.


STEP 4 | Name the Microsoft Exchange connector.


1. Enter a descriptive Name for the connector.
2. (Optional) Enter a Description for the connector.
3. (Best Practices) For What do you want to do after connector is saved?,
check (enable) Turn it on.
Enable this to automatically turn on the connector after you have finished creating and
saved the new Microsoft Exchange connector.
4. Click Next.

STEP 5 | To specify when the connector should be used, select Only when I have a transport rule set
up that redirects messages to this connector and click Next.
Using the connector only when a transport rule exists enables fine-grained control of what
action to take when an email contains sensitive data. By selecting this option, Microsoft
Exchange enforces action on emails based on the action specified in the Enterprise DLP data
profile.


STEP 6 | To configure the route settings for emails, check (enable) Route email through these smart
hosts to add the following smart host Fully Qualified Domain Name (FQDN) and click Next.
The FQDN specifies the region where emails are forwarded to Enterprise DLP for inspection
and verdict rendering. This also generates and displays Email DLP incidents in the specified
region. All processes and data related to Email DLP occur and are stored in this region.
• APAC

mail.asia-southeast1.email.dlp.paloaltonetworks.com

• Australia

mail.australia-southeast1.email.dlp.paloaltonetworks.com

• Europe

mail.europe-west3.email.dlp.paloaltonetworks.com

• India

mail.asia-south1.email.dlp.paloaltonetworks.com

• Japan

mail.asia-northeast1.email.dlp.paloaltonetworks.com

• United Kingdom

mail.europe-west2.email.dlp.paloaltonetworks.com

• United States

mail.us-west1.email.dlp.paloaltonetworks.com


STEP 7 | Specify the security restrictions for the connector.


1. Check (enable) Always use Transport Layer Security (TLS) to secure the connection.
Enterprise DLP requires this setting to successfully forward emails for inspection.
Enterprise DLP rejects the connection if you disable this setting.
2. Select Issued by a trusted certificate authority (CA).
3. Check (enable) Add the subject name or subject alternative name (SAN) matches this
domain: and add the following domain name.
Enterprise DLP requires that you add the subject name for positive identification of the
Enterprise DLP cloud service. The CA issuer FQDN you add must match the email
routing FQDN you added in the previous step.
• APAC

mail.asia-southeast1.email.dlp.paloaltonetworks.com

• Australia

mail.australia-southeast1.email.dlp.paloaltonetworks.com

• Europe

mail.europe-west3.email.dlp.paloaltonetworks.com

• India

mail.asia-south1.email.dlp.paloaltonetworks.com

• Japan

mail.asia-northeast1.email.dlp.paloaltonetworks.com

• United Kingdom

mail.europe-west2.email.dlp.paloaltonetworks.com

• United States

mail.us-west1.email.dlp.paloaltonetworks.com

4. Click Next.


STEP 8 | Add a validation email.


Add a valid email address associated with the email domain used by your organization. This is
required to validate connectivity between the Microsoft Exchange Admin Center and the Palo
Alto Networks smart host, and to confirm that emails can be successfully delivered.
1. Add a valid email address for validation.
2. Validate.
The Microsoft Exchange validation tests take a few minutes to complete.
3. Under Task, verify that the status of the Check connectivity validation test to the
Enterprise DLP FQDN displays Succeed.

It's expected that the following errors occur when adding the validation email.
• Validation failed error is displayed.
• The Send test email validation test status displays Failed.
These don't prevent you from creating the outbound connector and don't impact
email forwarding to Enterprise DLP.

4. Click Done.
5. When prompted to confirm whether to proceed without successful validation, click Yes,
proceed.

STEP 9 | Review the connector details and Create Connector.


Click Done when prompted that the outbound connector was successfully created.


STEP 10 | Back in the Connectors page, verify the outbound connector is displayed and that the
Status is On.

STEP 11 | Create the Microsoft Exchange inbound connector if not already created.
Enterprise DLP requires the inbound connector to return emails forwarded to Enterprise DLP
for inspection back to Microsoft Exchange.
Skip this step if you have already created the inbound connector.

STEP 12 | Create Microsoft Exchange Transport Rules.


After you successfully create the Microsoft Exchange connectors, you must create Microsoft
Exchange transport rules to forward emails to and from Enterprise DLP, and to specify what
actions Microsoft Exchange takes based on the Enterprise DLP verdicts.

Create a Microsoft Exchange Inbound Connector

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Select Mail flow > Connectors and Add a connector to launch the Microsoft Exchange
Connector wizard.


STEP 3 | Specify the connector source and destination.


1. For Connection from, select Your organization's email server.
2. Click Next.

STEP 4 | Name the Microsoft Exchange connector.


1. Enter a descriptive Name for the connector.
2. (Optional) Enter a Description for the connector.
3. (Best Practices) For What do you want to do after connector is saved?,
check (enable) Turn it on.
Enable this to automatically turn on the connector after you have finished creating and
saved the new Microsoft Exchange connector.
4. Click Next.


STEP 5 | Specify the authentication IP addresses that Microsoft Exchange uses to verify Enterprise
DLP.
Enterprise DLP requires the authentication IP addresses to forward emails back to Microsoft
Exchange.
1. Select By verifying that the IP address of the sending server matches one of the
following IP addresses, which belong to your partner organization.
2. Add the following IP addresses.
Add the IP addresses for the region where you host your email domain. You can add
multiple regional IP addresses if you have email domains hosted in multiple regions.
• APAC
35.186.151.226 and 34.87.43.120
• Australia
35.197.179.113 and 35.244.122.65
• Europe
34.141.90.172 and 34.107.47.119
• India
34.93.185.212 and 35.200.159.173
• Japan
34.84.8.170 and 35.221.111.27
• United Kingdom
34.105.128.121 and 34.89.40.221
• United States
34.168.197.200 and 34.83.143.116

STEP 6 | Review the connector details and Create Connector.


Click Done when prompted that you successfully created the inbound connector.


STEP 7 | Back in the Connectors page, verify the inbound connector is displayed and that the Status
displays On.

STEP 8 | Create the Microsoft Exchange outbound connector if not already created.
Enterprise DLP requires the outbound connector to control the flow of emails forwarded from
Microsoft Exchange Online to Enterprise DLP for inline inspection.
Skip this step if you have already created the outbound connector.

STEP 9 | Create Microsoft Exchange Transport Rules.


After you successfully create the Microsoft Exchange connectors, you must create Microsoft
Exchange transport rules to forward emails to Enterprise DLP and to specify what actions
Microsoft Exchange takes based on the Enterprise DLP verdicts.

Create a Microsoft Exchange Proofpoint Server Connector

STEP 1 | Prepare your Proofpoint server to encrypt emails inspected by Enterprise DLP.
1. Enable DKIM signing for your Proofpoint server.
When enabling DKIM signing, you must also select Enabled for the domain.
Additionally, keep a record of your DKIM public key. This is required when updating your
domain host records.
2. Contact your email domain provider to update your SPF record.
• Add your Proofpoint IP address to your SPF record.
Enterprise DLP requires this to forward emails to Proofpoint for encryption. Skip this
step if you have already updated your SPF record with your Proofpoint IP address.
• Add the DKIM public key to your domain host records.

STEP 2 | Log in to the Microsoft Exchange Admin Center.

STEP 3 | Select Mail flow > Connectors and Add a connector to launch the Microsoft Exchange
connector wizard.

STEP 4 | Specify the connector source and destination.


1. For Connection from, select Office 365.
2. For Connection to, select Partner organization.
A partner can be any third-party cloud service that provides services such as data
protection. In this case, the third-party partner organization is Palo Alto Networks.
3. Click Next.

STEP 5 | Name the Microsoft Exchange connector.


1. Enter a descriptive Name for the connector.
2. (Optional) Enter a Description for the connector.
3. (Best Practices) For What do you want to do after connector is saved?,
check (enable) Turn it on.
Enable this to automatically turn on the connector after you have finished creating and
saved the new Microsoft Exchange connector.
4. Click Next.

STEP 6 | To specify when the connector should be used, select Only when I have a transport rule set
up that redirects messages to this connector and click Next.

STEP 7 | To configure the route settings for your Proofpoint server, check (enable) Route email
through these smart hosts to add the Proofpoint server smart host Fully Qualified Domain
Name (FQDN) and click Next.

STEP 8 | Specify the security restrictions for the connector.


1. Check (enable) Always use Transport Layer Security (TLS) to secure the connection.
Enterprise DLP requires this setting to successfully forward emails for inspection.
Enterprise DLP rejects the connection if you disable this setting.
2. Select Issued by a trusted certificate authority (CA).
3. Click Next.

STEP 9 | Add a validation email.


Enterprise DLP requires a valid email address associated with the email domain to validate
connectivity between the Microsoft Exchange Admin Center and the Email DLP smart host,
and to verify Enterprise DLP can successfully deliver any required notification emails.
1. Add a valid email address for validation.
2. Validate.
The Microsoft Exchange validation tests take a few minutes to complete.
3. Under Task, verify that the status of the Check connectivity validation test to the
Enterprise DLP FQDN displays Succeed.

4. Click Done.
5. When prompted to confirm whether to proceed without successful validation, click Yes,
proceed.

STEP 10 | Review the connector details and Create Connector.


Click Done when prompted that you successfully created the outbound connector.

STEP 11 | Back in the Connectors page, verify that you successfully created the outbound connector
and that the Status displays On.

STEP 12 | Create the Microsoft Exchange outbound and inbound connectors if not already created.
Enterprise DLP requires the outbound connector to control the flow of emails forwarded from
Microsoft Exchange Online to Enterprise DLP for inline inspection and requires the inbound
connector to return emails forwarded to Enterprise DLP for inspection back to Microsoft
Exchange.
Skip this step if you have already created the outbound and inbound connectors.

STEP 13 | Create Microsoft Exchange Transport Rules.


After you successfully create the Microsoft Exchange connectors, you must create Microsoft
Exchange transport rules to forward emails to and from Enterprise DLP, and to specify what
actions Microsoft Exchange takes based on the Enterprise DLP verdicts.
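The inbound connector (Steps 5 through 7 of the preceding inbound connector procedure) and the Proofpoint outbound connector above can also be created from Exchange Online PowerShell. The following block is an added example; it is not part of this guide or of Palo Alto Networks' or Microsoft's tooling. The connector names, the Proofpoint smart host FQDN, the validation mailbox and the ConnectorType values are assumptions; the two authentication IP addresses are the United States pair listed in Step 5 of the inbound connector procedure, and the parameter names are those of the ExchangeOnlineManagement module's New-InboundConnector, New-OutboundConnector and Validate-OutboundConnector cmdlets, to be confirmed with Get-Help against the module version you run.

```powershell
# Added example (not from the guide): create the Enterprise DLP inbound connector and
# the Proofpoint outbound connector with Exchange Online PowerShell instead of the wizard.
# Placeholders (assumptions): connector names, smart host FQDN, validation mailbox.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline            # interactive sign-in as an Exchange administrator

# --- Inbound connector: mail returned by Enterprise DLP after inspection ---
# Only the regional authentication IP addresses are accepted as the sending server, and
# TLS is required, so mail carrying an "already inspected" header cannot be injected
# through this connector from elsewhere. United States pair from Step 5; add the other
# regional pairs if you host email domains in more than one region.
$dlpReturnIPs = @('34.168.197.200', '34.83.143.116')

$inbound = @{
    Name              = 'Enterprise DLP Inbound'   # placeholder name
    ConnectorType     = 'OnPremises'               # assumption: the wizard's "Your organization's email server" choice
    SenderDomains     = '*'
    SenderIPAddresses = $dlpReturnIPs
    RequireTls        = $true
    Enabled           = $true                      # same effect as "Turn it on" after saving
    Comment           = 'Returns Enterprise DLP inspected mail to Exchange Online'
}
New-InboundConnector @inbound

# --- Outbound connector: route mail with an encrypt verdict to the Proofpoint smart host ---
$outbound = @{
    Name                  = 'Proofpoint Encrypt Outbound'        # placeholder name
    ConnectorType         = 'Partner'                            # wizard: Office 365 -> Partner organization
    UseMXRecord           = $false                               # deliver through the smart host instead of MX
    SmartHosts            = 'smarthost.proofpoint.example.com'   # placeholder: FQDN supplied by Proofpoint
    TlsSettings           = 'CertificateValidation'              # Always use TLS + certificate from a trusted CA
    IsTransportRuleScoped = $true                                # used only when a transport rule redirects to it
    Enabled               = $true
    Comment               = 'Encrypt verdict from Enterprise DLP: hand off to Proofpoint'
}
New-OutboundConnector @outbound

# Step 9 equivalent: test delivery through the connector to a mailbox on your email domain.
Validate-OutboundConnector -Identity $outbound.Name -Recipients 'dlp-validation@example.com'

# Step 11 equivalent: confirm both connectors are enabled with the expected settings.
Get-InboundConnector  -Identity $inbound.Name  | Format-List Name, Enabled, SenderIPAddresses, RequireTls
Get-OutboundConnector -Identity $outbound.Name | Format-List Name, Enabled, SmartHosts, TlsSettings, IsTransportRuleScoped
```

The two Format-List calls are the check worth keeping after any change: an outbound connector whose TlsSettings is not CertificateValidation, or an inbound connector with an unexpected address in SenderIPAddresses, breaks the trust model the wizard steps above establish.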

Create Microsoft Exchange Transport Rules

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• Data Security

What Do I Need?
• One of the following licenses that include the Enterprise DLP license. Review the
Supported Platforms for details on the required license for each enforcement point.
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license
• Email DLP license

Create Microsoft Exchange email transport rules to forward emails from Microsoft Exchange to
the Enterprise Data Loss Prevention (E-DLP) cloud service for inspection to prevent exfiltration
of sensitive data. Additionally, you must create transport rules to specify the actions Microsoft
Exchange takes based on the verdicts rendered by Enterprise DLP. The following transport rules
are required:

• Email Transport
Required to forward all outbound emails from Microsoft Exchange to the Enterprise Data Loss
Prevention (E-DLP) cloud service for inline email inspection and verdict rendering. The email
transport rule is required in all cases regardless of the verdict Enterprise DLP renders.
Enterprise DLP adds x-panw-inspected: true to the email header for all inspected emails.
If an outbound email already includes this header, it will not be forwarded to Enterprise DLP
again. Instead, Microsoft Exchange will take the action specified in the hosted quarantine,
admin approval, manager approval, encrypt, or block transport rules based on the verdict
already rendered by Enterprise DLP.
• Hosted Quarantine
Instructs Microsoft Exchange to quarantine and forward the email to the spam quarantine
mailbox hosted by Microsoft Exchange when Enterprise Data Loss Prevention (E-DLP) cloud
service returns a Quarantine verdict for an email that contains sensitive data.
Enterprise DLP adds x-panw-action: quarantine to the email header for inspected
emails. The email is transported back to Microsoft Exchange and forwarded to the hosted
quarantine spam inbox so an email administrator can review the email contents and decide
whether to approve or block the email. Any future emails with this header already included will
not be forwarded to Enterprise DLP again. Instead, Microsoft Exchange will take the action
specified in the quarantine transport rule.
• Admin Approval
Instructs Microsoft Exchange to forward the email to the specified email administrator when
Enterprise Data Loss Prevention (E-DLP) cloud service returns a Forward email for
approval admin verdict for an email that contains sensitive data.
Enterprise DLP adds x-panw-action: fwd_to_admin to the email header for inspected
emails. The email is transported back to Microsoft Exchange so an email administrator can
review the email contents and decide whether to approve or block the email. Any future emails
with this header already included will not be forwarded to Enterprise DLP again. Instead,
Microsoft Exchange will take the action specified in the transport rule.
• Manager Approval
Instructs Microsoft Exchange to forward the email to the sender's manager when Enterprise
Data Loss Prevention (E-DLP) cloud service returns a Forward email for approval by
end user's manager verdict for an email that contains sensitive data.
Enterprise DLP adds x-panw-action: fwd_to_manager to the email header for inspected
emails. The email is transported back to Microsoft Exchange so a manager can review the email
contents and decide whether to approve or block the email. Any future emails with this header
already included will not be forwarded to Enterprise DLP again. Instead, Microsoft Exchange
will take the action specified in the transport rule.
• Encrypt
Instructs Microsoft Exchange on the action to take when Enterprise DLP returns an Encrypt
verdict for an email that contains sensitive data.
Enterprise DLP adds x-panw-action: encrypt to the email header for inspected emails.
The email is either transported back to Microsoft Exchange or to your Proofpoint server for
encryption based on the encryption settings you configure in the transport rule. Any future
emails with this header already included will not be forwarded to Enterprise DLP again. Instead,
Microsoft Exchange will take the action specified in the encrypt transport rule.
Forwarding an email to both Microsoft Exchange and your Proofpoint server for encryption is
not supported.
• Block
Instructs Microsoft Exchange on the action to take when Enterprise DLP returns a Block
verdict for an email that contains sensitive data.
Enterprise DLP adds x-panw-action: block to the email header for all inspected emails.
Any future emails with this header already included will not be forwarded to Enterprise DLP
for inspection. Instead, Microsoft Exchange takes the action specified in the Block transport
rule.
• Email Transport
• Hosted Quarantine
• Admin Approval
• Manager Approval
• Encrypt
• Proofpoint Encrypt
• Block
Create a Microsoft Exchange Email Transport Rule

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.

STEP 4 | Configure the email transport rule conditions.


1. Enter a Name for the email transport rule.
2. Specify the email recipient.
This instructs Microsoft Exchange to forward the email to Enterprise DLP before it
leaves your network when the email recipient is outside your organization.
1. For Apply this rule if, select The recipient.
2. For the recipient, select is external/internal. When prompted to select the recipient
location, select Outside the organization.
Click Save to continue.

3. Specify the Microsoft Exchange connector you created as the transport target for email
inspection.
1. For Do the following, select redirect the message to.
2. For the transport target, select the following connector. When prompted, select the
outbound connector.
Click Save to continue.

4. Add an exception for emails that exceed the maximum message size supported by
Enterprise DLP.
Enterprise DLP supports inspection of email messages up to 20 MB in size. Larger email
messages are not supported and should not be forwarded to Enterprise DLP.
1. In the Except if field, select The message.
2. Select size is greater than or equal to. When prompted, enter the following
maximum supported message size in KB:

20480

5. Add an exception for emails that were already inspected by Enterprise DLP.
1. In the Except if condition, click the add symbol ( ) to add a new Or condition.
2. Select the The message headers condition.
3. For the Or condition action, select matches any of these words.
4. Click Enter text to set the message header to x-panw-inspected.

5. Click Enter words and enter true.


Click Add and select the word you added. Click Save to continue.

6. Add an exception for emails where the sender is blank or empty.


1. In the Except if condition, click the add symbol ( ) to add a new Or condition.
2. Select the The sender condition.
3. For the Or condition action, select address matches any of these text patterns.
4. Click Enter text to configure the text pattern as ^$.

7. Click Next to continue.

STEP 5 | Configure the email transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the email transport rule settings as needed.
3. Click Next to continue.
4. Save.

STEP 6 | Review the email transport rule configuration and click Finish.
Click Done when prompted that the email transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.

STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• There is no priority impact between the quarantine transport rules, block transport
rule, encrypt transport rule, or any other transport rules that exist. After Enterprise
DLP inspects and returns the email to Microsoft Exchange, the appropriate transport
rule action occurs based on the email header.
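The email transport rule built in Steps 4 through 7 above, expressed with the New-TransportRule cmdlet so the three exceptions and the rule priority are visible in one place. This is an added example, not code from this guide or from Palo Alto Networks; the rule name and the outbound connector name are placeholders, and the parameter names follow the ExchangeOnlineManagement module's New-TransportRule cmdlet (the cmdlet's size exception is "over", where the wizard offers "greater than or equal to").

```powershell
# Added example (not from the guide): the Email Transport rule as a New-TransportRule call.
# Placeholders (assumptions): rule name and the name of your outbound connector to Enterprise DLP.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$dlpOutboundConnector = 'Enterprise DLP Outbound'   # placeholder: outbound connector to Enterprise DLP

$emailTransport = @{
    Name                                = 'Email DLP - Forward to Enterprise DLP'
    # Condition (Step 4.2): the recipient is outside the organization
    SentToScope                         = 'NotInOrganization'
    # Action (Step 4.3): redirect the message to the connector that reaches Enterprise DLP
    RouteMessageOutboundConnector       = $dlpOutboundConnector
    # Exception (Step 4.4): messages above the 20 MB inspection limit stay in Exchange
    ExceptIfMessageSizeOver             = '20480KB'
    # Exception (Step 4.5): loop prevention; Enterprise DLP stamps x-panw-inspected: true
    ExceptIfHeaderContainsMessageHeader = 'x-panw-inspected'
    ExceptIfHeaderContainsWords         = 'true'
    # Exception (Step 4.6): blank or empty sender (bounces and NDRs are not forwarded)
    ExceptIfFromAddressMatchesPatterns  = '^$'
    # Settings (Step 5): enforce, and sit at the top of the rule list (Step 7)
    Mode                                = 'Enforce'
    Priority                            = 0
    Enabled                             = $true
}
New-TransportRule @emailTransport

# Step 7 check: the forwarding rule must be listed above every other Email DLP rule,
# and any encryption rule not created for Email DLP must be listed below them.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```

Because Exchange evaluates exceptions as a logical OR, a message that matches any one of the three is left to the remaining rules, which is exactly the behaviour the wizard's "Or" conditions in Step 4 produce.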

Create a Microsoft Exchange Hosted Quarantine Transport Rule

Microsoft supports email approvals on the web browser-based Microsoft Exchange only.
Approving or rejecting emails on the Microsoft Exchange mobile application or desktop
client is not supported.

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.

STEP 4 | Configure the quarantine transport rule conditions.


1. Enter a Name for the quarantine transport rule.
2. Add the quarantine email message header.
The quarantine header is added by the DLP cloud service when an email contains
sensitive information that needs to be approved by your email administrator.
1. For Apply this rule if, select The message headers....
2. Select match these text patterns.
3. Click Enter Text. When prompted, enter the following.

x-panw-action

Click Save to continue.


4. Click Enter words. When prompted, enter the following and Add:

quarantine

Select the word you added. Click Save to continue.

3. Specify the action Microsoft Exchange takes when an email header includes the
quarantine header added by Enterprise DLP.
1. For Do the following, select Redirect the message to.
2. Select hosted quarantine.

4. Click Next to continue.

STEP 5 | Configure the quarantine transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the quarantine transport rule settings as needed.
3. Click Next to continue.

STEP 6 | Review the quarantine transport rule configuration and click Finish.
Click Done when prompted that the quarantine transport rule was successfully created. You
are redirected back to the Microsoft Exchange Rules page.

STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• There is no priority impact between the quarantine transport rules, block transport
rule, encrypt transport rule, or any other transport rules that exist. After Enterprise
DLP inspects and returns the email to Microsoft Exchange, the appropriate transport
rule action occurs based on the email header.

STEP 8 | An email administrator must review and approve or reject quarantined emails forwarded to
the hosted quarantine mailbox.

Create a Microsoft Exchange Admin Approval Transport Rule

Microsoft supports email approvals on the web browser-based Microsoft Exchange only.
Approving or rejecting emails on the Microsoft Exchange mobile application or desktop
client is not supported.

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.

STEP 4 | Configure the transport rule conditions.


1. Enter a Name for the transport rule.
2. Add the email message header.
The fwd_to_admin email header is added by the DLP cloud service when an email
contains sensitive information requiring email administrator approval.
1. For Apply this rule if, select The message headers....
2. Select match these text patterns.
3. Click Enter Text. When prompted, enter the following.

x-panw-action

Click Save to continue.


4. Click Enter words. When prompted, enter the following and Add:

fwd_to_admin

Select the word you added. Click Save to continue.

3. Specify the action Microsoft Exchange takes when an email header includes the header
added by Enterprise DLP.
1. For Do the following, select Forward the message for approval.
2. Select to these people.

4. Click Next to continue.

STEP 5 | Configure the transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the transport rule settings as needed.
3. Click Next to continue.

STEP 6 | Review the transport rule configuration and click Finish.


Click Done when prompted that the transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.

STEP 7 | Modify the transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• There is no priority impact between the quarantine transport rules, block transport
rule, encrypt transport rule, or any other transport rules that exist. After Enterprise
DLP inspects and returns the email to Microsoft Exchange, the appropriate transport
rule action occurs based on the email header.

Create a Microsoft Exchange Manager Approval Transport Rule

Microsoft Exchange Active Directory is required to assign a manager to a user. To
successfully send an email for manager approval if sensitive data is detected by Enterprise
DLP, the sender must have a manager assigned.
If no manager is assigned to the sender, then the email is sent to the recipient because no
manager is assigned to approve or reject the email.
Additionally, Microsoft supports email approvals on the web browser-based Microsoft
Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile
application or desktop client is not supported.

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.

STEP 4 | Configure the transport rule conditions.


1. Enter a Name for the transport rule.
2. Add the email message header.
The fwd_to_manager header is added by the DLP cloud service when an email contains
sensitive information requiring manager approval.
1. For Apply this rule if, select The message headers....
2. Select match these text patterns.
3. Click Enter Text. When prompted, enter the following.

x-panw-action

Click Save to continue.


4. Click Enter words. When prompted, enter the following and Add:

fwd_to_manager

Select the word you added. Click Save to continue.

3. Specify the action Microsoft Exchange takes when an email header includes the header
added by Enterprise DLP.

Microsoft Exchange Active Directory is required to assign a manager to a
user. To successfully forward a sender's email if sensitive data is detected by
Enterprise DLP, a user must have a manager assigned.
If no manager is assigned to a user, then the email is sent to the recipient
because no manager is assigned to approve or reject the email.

1. For Do the following, select Forward the message for approval.


2. Select to the sender's manager.

4. Click Next to continue.

STEP 5 | Configure the transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the transport rule settings as needed.
3. Click Next to continue.

STEP 6 | Review the transport rule configuration and click Finish.


Click Done when prompted that the transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.

STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• There is no priority impact between the quarantine transport rules, block transport
rule, encrypt transport rule, or any other transport rules that exist. After Enterprise
DLP inspects and returns the email to Microsoft Exchange, the appropriate transport
rule action occurs based on the email header.

Create a Microsoft Exchange Encrypt Transport Rule

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the required Microsoft Exchange connectors.


Skip this step if you have already created the outbound, inbound, and Proofpoint server
connectors.

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.

STEP 4 | Configure the encrypt transport rule conditions.


1. Enter a Name for the encrypt transport rule.
2. Add the encrypt email message header.
The encrypt header is added by the DLP cloud service when an email contains
sensitive information that should be encrypted.
1. For Apply this rule if, select The message headers....
2. Select match these text patterns.
3. Click Enter Text. When prompted, enter the following.

x-panw-action

Click Save to continue.


4. Click Enter words. When prompted, enter the following and Add:

encrypt

Select the word you added. Click Save to continue.

3. Specify the action Microsoft Exchange takes when an email header includes the encrypt
header added by Enterprise DLP.
1. For Do the following, select Modify the message security.
2. Select Apply Office 365 Message Encryption and rights protection.
3. Select the RMS template you want to use for outbound email encryption and Save.

4. Click Next to continue.

STEP 5 | Configure the encrypt transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the encrypt transport rule settings as needed.
3. Click Next to continue.

STEP 6 | Review the encrypt transport rule configuration and click Finish.
Click Done when prompted that the encrypt transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.

STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• There is no priority impact between the quarantine transport rules, block transport
rule, encrypt transport rule, or any other transport rules that exist. After Enterprise
DLP inspects and returns the email to Microsoft Exchange, the appropriate transport
rule action occurs based on the email header.

Create a Microsoft Exchange Proofpoint Encrypt Transport Rule


This procedure assumes you have already set up your Proofpoint server and created the required
Proofpoint connector.
STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the required Microsoft Exchange connectors.


Skip this step if you have already created the outbound, inbound, and Proofpoint server
connectors.

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.

STEP 4 | Configure the encrypt transport rule conditions.


1. Enter a Name for the Proofpoint encrypt transport rule.
2. Add the encrypt email message header.
The encrypt header is added by the DLP cloud service when an email contains
sensitive information that should be encrypted.
1. For Apply this rule if, select The message headers....
2. Select match these text patterns.
3. Click Enter Text. When prompted, enter the following.

x-panw-action

Click Save to continue.


4. Click Enter words. When prompted, enter the following and Add:

encrypt

Select the word you added. Click Save to continue.

3. Specify the action Microsoft Exchange takes when an email header includes the encrypt
header added by Enterprise DLP.
1. For Do the following, select Redirect the message to.
2. Select the following connector.
3. Select the Proofpoint connector and Save.

4. Click the Add Action icon (+) to add an additional rule condition.
5. Instruct Microsoft Exchange to further modify the email header.
1. For Do the following, select Modify the message properties.
2. Select set a message header.
3. Click Enter Text. When prompted, enter the following.

x-proofpointencryptdesktop

Click Save to continue.

4. Click Enter words. When prompted, enter the following and Add:

encrypt

Select the word you added. Click Save to continue.

6. Click Next to continue.

STEP 5 | Configure the Proofpoint encrypt transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the encrypt transport rule settings as needed.
3. Click Next to continue.

STEP 6 | Review the encrypt transport rule configuration and click Finish.
Click Done when prompted that the encrypt transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.

STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• There is no priority impact between the quarantine transport rules, block transport
rule, encrypt transport rule, or any other transport rules that exist. After Enterprise
DLP inspects and returns the email to Microsoft Exchange, the appropriate transport
rule action occurs based on the email header.
• If you want to ensure emails are forwarded to your Proofpoint server for encryption,
Palo Alto Networks recommends disabling your existing Encrypt transport rule or
assigning a higher priority to the Proofpoint encrypt rule.
You can forward an email for encryption to either your Proofpoint server or to
Microsoft Exchange for encryption, but not both.

Create a Microsoft Exchange Block Transport Rule

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.


STEP 4 | Configure the Block transport rule conditions.


1. Enter a Name for the Block transport rule.
2. Add the Block email message header.
The Block header is added by the DLP cloud service when an inspected email contains
sensitive information that is blocked.
1. For Apply this rule if, select The message headers....
2. Select includes any of these words.
3. Click Enter Text. When prompted, enter the following.

x-panw-action

Click Save to continue.


4. Click Enter words. When prompted, enter the following and Add:

block

Select the word you added. Click Save to continue.

3. Specify the action Microsoft Exchange takes when an email header includes the Block
header added by Enterprise DLP.
1. For Do the following, select Block the message.
2. Select reject the message and include an explanation. When prompted, enter the
explanation for why the email was blocked.
This is the response members of your organization receive when an outbound email is
blocked.
Click Save to continue.

4. Click Next to continue.


STEP 5 | Configure the Block transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the Block transport rule settings as needed.
3. Click Next to continue.
4. Save.

STEP 6 | Review the Block transport rule configuration and click Finish.
Click Done when prompted that the Block transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.

STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP for inspection.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Enterprise DLP inspection.
• Any email encryption rules not created as part of the Email DLP configuration
must be ordered below the transport rules created for Enterprise DLP inspection.
Enterprise DLP cannot inspect encrypted emails.
• The relative priority of the quarantine transport rules, block transport rule, encrypt
transport rule, and any other existing transport rules has no impact. After Enterprise
DLP inspects and returns the email to Microsoft Exchange, the appropriate transport
rule action occurs based on the email header.


Create an Email DLP Sender Alert Policy

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?        What Do I Need?

• Data Security              One of the following licenses that include the
                             Enterprise DLP license (review the Supported
                             Platforms for details on the required license
                             for each enforcement point):
                             • Prisma Access CASB license
                             • Next-Generation CASB for Prisma Access and
                               NGFW (CASB-X) license
                             • Data Security license
                             Email DLP license

Create an Email DLP sender alert policy on Microsoft Exchange Online to send an email alert
when a sender's email is sent to hosted quarantine for review.
STEP 1 | Log in to the Microsoft Exchange Online Compliance portal.

STEP 2 | Select Policies > Data loss prevention > Policies and Create policy.


STEP 3 | Create a custom DLP policy.


1. For Categories, select Custom.
2. For Templates, select Custom policy.
3. Click Next.

STEP 4 | Enter a Name and Description, and click Next.

STEP 5 | For the Assign admin units, leave the default Full directory and click Next.

STEP 6 | When you Choose location to apply the policy, verify that the Exchange email
Status is On.
Set the Status to Off for all other locations and click Next.

STEP 7 | To Define policy settings, select Create or customize advanced DLP rules and click
Next.
You are redirected to the Customize advanced DLP rules page, where you create the sender
alert policy rule for the hosted quarantine transport rule.


STEP 8 | Create the Email DLP sender alert policy rule when an email is sent to hosted quarantine.
1. Create rule.
2. Enter a Name and Description.
3. In Conditions, select Add condition > Header contains words or phrases.
4. In the Enter header name field, enter x-panw-action.
5. In the Enter words and then click 'Add' field, enter quarantine.
6. Add.

7. Turn On (enable) User notifications.


8. Verify Notify the user who sent, shared, or last modified the content is enabled.
9. (Optional) Check (enable) Customize the email text to provide a custom response to the
sender when an email is sent to hosted quarantine for review.
10. (Optional) Check (enable) Policy Types to provide customized data compliance tips.

11. Turn Off (disable) Incident reports.


12. Save.
13. Verify the policy rule Status is On.


14. Click Next.

STEP 9 | For the Policy mode, select Turn it on right away and click Next.

STEP 10 | Review the Email DLP sender alert policy and Submit.
Click Done when prompted that the new policy was successfully created.

STEP 11 | Back in the Policies, verify that the Email DLP sender alert policy is displayed and that the
Status is On.

Obtain Your Microsoft Exchange Domain and Relay Host

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.


Where Can I Use This?        What Do I Need?

• Data Security              One of the following licenses that include the
                             Enterprise DLP license (review the Supported
                             Platforms for details on the required license
                             for each enforcement point):
                             • Prisma Access CASB license
                             • Next-Generation CASB for Prisma Access and
                               NGFW (CASB-X) license
                             • Data Security license
                             Email DLP license

You must obtain your Microsoft Exchange domain and relay host to connect Microsoft Exchange
and Enterprise Data Loss Prevention (E-DLP) for inline inspection and prevention of sensitive data
exfiltration contained in outbound emails.
STEP 1 | Log in to the Microsoft Office 365 Admin Portal.

STEP 2 | Select Settings > Domains.

STEP 3 | Make note of the Microsoft Exchange domains listed in the Domain name list.
Enterprise DLP supports inline inspection of emails from multiple domains. If you use multiple
Microsoft Exchange domains, make note of all email domains for which you want inline
inspection of emails.


STEP 4 | Obtain the relay host for the Microsoft Exchange domain.
Repeat this step for all Microsoft Exchange domains you want to connect to Enterprise DLP.
1. Click the Microsoft Exchange domain.
2. Select DNS records.
3. In the Microsoft Exchange section, locate the MX record.
The Value column for the MX record lists the relay host for the domain. An example of
a relay host is shown below.

The MX record displays a 0 before the relay host. This character is not required
to connect Microsoft Exchange to Enterprise DLP.

Onboard Gmail
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?        What Do I Need?

• Data Security              One of the following licenses that include the
                             Enterprise DLP license (review the Supported
                             Platforms for details on the required license
                             for each enforcement point):
                             • Prisma Access CASB license
                             • Next-Generation CASB for Prisma Access and
                               NGFW (CASB-X) license
                             • Data Security license
                             Email DLP license

You must onboard Gmail to prevent sensitive data exfiltration contained in outbound emails using
Enterprise Data Loss Prevention (E-DLP).
• Connect Gmail and Enterprise DLP
• Set Up the Email DLP Host
• Set Up a Proofpoint Server for Email Encryption
• Create Gmail Transport Rules

Connect Gmail and Enterprise DLP

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?        What Do I Need?

• Data Security              One of the following licenses that include the
                             Enterprise DLP license (review the Supported
                             Platforms for details on the required license
                             for each enforcement point):
                             • Prisma Access CASB license
                             • Next-Generation CASB for Prisma Access and
                               NGFW (CASB-X) license
                             • Data Security license
                             Email DLP license

Connect Gmail to Enterprise Data Loss Prevention (E-DLP) through SaaS Security on Strata Cloud
Manager to complete the onboarding.


STEP 1 | Contact your email domain provider to update your SPF record to add the required
Enterprise DLP service IP addresses.
Add the IP addresses for the region where your email domain is hosted. You can update your
SPF record with multiple regional IP addresses if you have email domains hosted in multiple
regions.
• APAC
35.186.151.226 and 34.87.43.120
• Australia
35.197.179.113 and 35.244.122.65
• Europe
34.141.90.172 and 34.107.47.119
• India
34.93.185.212 and 35.200.159.173
• Japan
34.84.8.170 and 35.221.111.27
• United Kingdom
34.105.128.121 and 34.89.40.221
• United States
34.168.197.200 and 34.83.143.116
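Before asking your domain provider to change the SPF record, it helps to check what the current record already authorizes. The following is an added example (not code from this guide or from Palo Alto Networks) that parses the ip4: mechanisms of an SPF TXT record, reports which of the regional service IPs listed above are not yet covered, and shows the corrected record with those IPs inserted ahead of the all mechanism. It is an offline check, so include: mechanisms are not resolved; the sample record is constructed.

```python
import ipaddress

# Enterprise DLP SPF service IP addresses per region, as listed in the step above.
EMAIL_DLP_SPF_IPS = {
    "APAC": ("35.186.151.226", "34.87.43.120"),
    "Australia": ("35.197.179.113", "35.244.122.65"),
    "Europe": ("34.141.90.172", "34.107.47.119"),
    "India": ("34.93.185.212", "35.200.159.173"),
    "Japan": ("34.84.8.170", "35.221.111.27"),
    "United Kingdom": ("34.105.128.121", "34.89.40.221"),
    "United States": ("34.168.197.200", "34.83.143.116"),
}


def authorized_ip4_networks(spf_record):
    """Networks authorized by the ip4: mechanisms of an SPF TXT record.

    Only literal ip4 terms with a pass qualifier ('ip4:' or '+ip4:') count; a '-ip4:' or
    '~ip4:' term is a fail/softfail, not an authorization. Terms that need DNS (include:,
    a, mx) are not resolved, so this is a conservative offline check: an IP reported missing
    might still be covered through an include, but anything reported covered really is.
    """
    networks = []
    for term in spf_record.split():
        mechanism = term[1:] if term[:1] == "+" else term
        if mechanism.lower().startswith("ip4:"):
            networks.append(ipaddress.ip_network(mechanism[4:], strict=False))
    return networks


def missing_dlp_ips(spf_record, regions):
    """DLP service IPs for the given regions that no ip4: mechanism in the record covers."""
    networks = authorized_ip4_networks(spf_record)
    missing = []
    for region in regions:
        for ip in EMAIL_DLP_SPF_IPS[region]:
            address = ipaddress.ip_address(ip)
            if not any(address in net for net in networks):
                missing.append(ip)
    return missing


def spf_with_dlp_ips(spf_record, regions):
    """Return the record with ip4: terms for the missing IPs inserted ahead of the 'all' term.

    'all' must stay last because SPF evaluation stops at the first matching mechanism.
    Literal ip4 terms do not count toward the SPF limit of 10 DNS-querying mechanisms.
    """
    additions = [f"ip4:{ip}" for ip in missing_dlp_ips(spf_record, regions)]
    if not additions:
        return spf_record
    terms = spf_record.split()
    all_index = next(
        (i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all"), len(terms)
    )
    return " ".join(terms[:all_index] + additions + terms[all_index:])


if __name__ == "__main__":
    # Constructed sample record for a domain hosted in the United States.
    current = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all"
    print("missing:", missing_dlp_ips(current, ["United States"]))
    print("corrected:", spf_with_dlp_ips(current, ["United States"]))
```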

STEP 2 | Log in to the Google Admin Console.


STEP 3 | Add an SMTP relay service entry to forward outbound emails to Enterprise DLP.
1. Select Apps > Google Workspace > Gmail > Routing.
2. For the SMTP relay service, Add Another Rule.
3. In the Description, enter a descriptive name for the Enterprise DLP SMTP relay service.
4. For Allowed Senders, verify Only addresses in my domains is selected.
5. For Authentication, check (enable) Only accept mail from the specified IP addresses.
6. Add a new SMTP relay service
7. In the Enter IP address/range field, enter the required IP addresses for the region where
you host your email domain. You can add multiple sets of IP addresses if needed.
• APAC
35.186.151.226 and 34.87.43.120
• Australia
35.197.179.113 and 35.244.122.65
• Europe
34.141.90.172 and 34.107.47.119
• India
34.93.185.212 and 35.200.159.173
• Japan
34.84.8.170 and 35.221.111.27
• United Kingdom
34.105.128.121 and 34.89.40.221
• United States
34.168.197.200 and 34.83.143.116
8. Verify that the SMTP relay service is Enabled.
9. Save.
10. Repeat this step to add both of the required Enterprise DLP SMTP relay service IP
addresses for the region where you host your email domain.
11. For Encryption, check (enable) Require TLS Encryption.
12. Save.


STEP 4 | Configure Gmail to allow the download of emails for investigative analysis when you review
Email DLP incidents.
1. Log in to the Google Workspace Marketplace.
2. Download the Email DLP app for your region.
You can only download the Email DLP app for the region from which you're currently
accessing the Google Workspace Marketplace.
For example, if you access the Google Workspace Marketplace from California, click the
United States link below to download the Email DLP app.
• APAC
• Australia
• Europe
• India
• Japan
• United Kingdom
• United States
3. Click Admin Install.
4. You're prompted with a confirmation that you're about to install the Email DLP by
Palo Alto Networks app. Click Continue.
5. Select for which users you want to install the Email DLP app.
• Everyone at your organization—Select this option if you want to be able to download
emails for everybody in your organization who generates an Email DLP incident.
• Certain groups or organizational units—Select this option if you want to be able to
download emails for specific user groups and organizational units when they generate
an Email DLP incident.
For example, you have user groups Group1, Group2, and Group3 where your
CEO and other executives are part of Group3. You don't want to give your security
administrators the ability to download emails sent by the CEO and other executives.
In this case, you would select the Certain groups or organizational units option and
add Group1 and Group2 but not Group3.
6. Agree to the app Terms and Conditions.
7. (Certain groups or organizational units) Select the user groups and organizational units
you want to install the app for.
8. Click Finish.
9. A notification is displayed confirming that the Email DLP by Palo Alto Networks app was
successfully installed.
10. Click Done.
11. Enter Email DLP in the search bar and select the Email DLP app for your region. Verify
that the app tile displays Installed.


STEP 5 | Set Up a Proofpoint Server for Email Encryption.


This is required to encrypt emails inspected by Enterprise DLP that match your encryption
Email DLP policy rule.

STEP 6 | Create the Gmail transport rules, and create the Email DLP Policy.
Palo Alto Networks recommends setting up the Email DLP Host, transport rules, and Email DLP
policy rules to ensure enforcement begins as soon as you successfully connect Gmail to
Enterprise DLP.
• Set Up the Email DLP Host
Setting up a route to the Email DLP Host allows Gmail to forward emails to Enterprise DLP
for inspection and verdict rendering to prevent exfiltration of sensitive data.
• Create Gmail Transport Rules
Transport rules instruct Gmail to forward emails to Enterprise DLP and establish the actions
Gmail takes based on verdicts rendered by Enterprise DLP.

A transport rule isn't required for emails that match your Email DLP policy where
you set the action to Monitor. In this case, the x-panw-action - monitor
email header is added, a DLP incident is created, and the email continues to its
intended recipient.
• Add an Enterprise DLP Email Policy
The DLP email policy specifies the incident severity and the action Enterprise DLP takes
when matching traffic is inspected and sensitive data is detected.

STEP 7 | Log in to Strata Cloud Manager.

STEP 8 | Select Manage > Configuration > SaaS Security > Settings > Apps Onboarding.

STEP 9 | Add the Gmail app to SaaS Security.


1. Search for Gmail and click the Gmail app.

2. Add the Gmail app to SaaS Security.

STEP 10 | In the Email DLP Instance, click Add Instance.


STEP 11 | In the Setup Connectors and Rules page, add the email domains and relay hosts.
Enterprise DLP requires that you add one or more email domains and the Gmail Relay Host to
ensure Gmail successfully forwards emails inspected by Enterprise DLP to the Gmail Relay
Host.
1. Enter an Email Domain.
The Gmail Relay Host is always smtp-relay.gmail.com. The Port is always 587. These
fields are automatically populated by default.
2. (Optional) Add any additional email domains as needed.
3. Connect.

STEP 12 | Gmail is now successfully connected and onboarded.

STEP 13 | Configure the Email DLP settings.


• Edit the snippet settings to configure if and how Enterprise DLP stores and masks snippets
of sensitive data that match your data pattern match criteria.
• Edit the policy evaluation timeout settings to configure what Enterprise DLP does when
Email DLP policy evaluation exceeds the configured timeout.
• Configure evidence storage to save evidence for investigative analysis.

Set Up the Email DLP Host

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.


Where Can I Use This?        What Do I Need?

• Data Security              One of the following licenses that include the
                             Enterprise DLP license (review the Supported
                             Platforms for details on the required license
                             for each enforcement point):
                             • Prisma Access CASB license
                             • Next-Generation CASB for Prisma Access and
                               NGFW (CASB-X) license
                             • Data Security license
                             Email DLP license

Enterprise Data Loss Prevention (E-DLP) requires that you set up routing from Gmail to the
Enterprise DLP Email DLP Host to allow Gmail to forward emails to Enterprise DLP for
inspection and verdict rendering to prevent exfiltration of sensitive data.
STEP 1 | Log in to the Google Admin portal.

STEP 2 | In the Dashboard, select Apps > Google Workspace > Gmail > Hosts and Add Route.


STEP 3 | Configure the Email DLP host.


1. Enter a descriptive Name.
2. In Specify email server, select Single host if not already selected.
3. Enter the host name and port.
Enterprise DLP requires adding the Email DLP host name for positive identification of
the Enterprise DLP cloud service. The CA issuer FQDN you add must match the email
routing FQDN you added in the previous step.
• APAC
mail.asia-southeast1.email.dlp.paloaltonetworks.com
• Australia
mail.australia-southeast1.email.dlp.paloaltonetworks.com
• Europe
mail.europe-west3.email.dlp.paloaltonetworks.com
• India
mail.asia-south1.email.dlp.paloaltonetworks.com
• Japan
mail.asia-northeast1.email.dlp.paloaltonetworks.com
• United Kingdom
mail.europe-west2.email.dlp.paloaltonetworks.com
• United States
mail.us-west1.email.dlp.paloaltonetworks.com

4. For the Options, enable the following settings if not already enabled.
• Require mail to be transmitted via a secure (TLS) connection
• Require CA signed certificate
• Validate certificate hostname
5. Test TLS connection to verify Gmail can successfully connect to Enterprise DLP.
6. Save.


STEP 4 | Back in the Hosts page, verify that you successfully created the Email DLP host.

STEP 5 | Set Up a Proofpoint Server for Email Encryption.


Enterprise DLP requires this setting to encrypt inspected emails that match your encryption
Email DLP policy rule.
Skip this step if you already configured routing to your Proofpoint server.


STEP 6 | Create Gmail Transport Rules.


After you successfully set up the Email DLP host on Gmail, you must create the Gmail
transport rules to instruct Gmail to forward emails to Enterprise DLP and establish the actions
Gmail takes based on verdicts rendered by Enterprise DLP.

Email DLP does not require a transport rule for emails that match your Email DLP
policy when you configure the action to Monitor. In this case, Enterprise DLP adds
x-panw-action - monitor to the email header, creates a DLP incident, and the
email continues to the intended recipient.

Set Up a Proofpoint Server for Email Encryption

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?        What Do I Need?

• Data Security              One of the following licenses that include the
                             Enterprise DLP license (review the Supported
                             Platforms for details on the required license
                             for each enforcement point):
                             • Prisma Access CASB license
                             • Next-Generation CASB for Prisma Access and
                               NGFW (CASB-X) license
                             • Data Security license
                             Email DLP license

Set up routing to your Proofpoint server to encrypt emails inspected by Enterprise Data Loss
Prevention (E-DLP) that match your encryption Email DLP policy rule.


STEP 1 | Prepare your Proofpoint server to encrypt emails inspected by Enterprise DLP.
1. Enable DKIM signing for your Proofpoint server.
When enabling DKIM signing, you must also select Enabled for the domain.
Additionally, keep a record of your DKIM public key. This is required when updating your
domain host records.
2. Contact your email domain provider to update your SPF record.
• Add your Proofpoint IP address to your SPF record.
This is required to forward emails to Proofpoint for encryption. Skip this step if you
have already updated your SPF record with your Proofpoint IP address.
• Add the DKIM public key to your domain host records.

STEP 2 | Log in to the Google Admin Console.

STEP 3 | In the Dashboard, select Apps > Google Workspace > Gmail > Hosts and Add Route.


STEP 4 | Configure your Proofpoint server.


1. Enter a descriptive Name for the Proofpoint server route.
2. In Specify email server, verify Single host is selected.
Only a single host Proofpoint server is supported.
3. Enter the hostname and port for the Proofpoint server.
4. For the Options, verify the following settings are enabled.
• Require mail to be transmitted via a secure (TLS) connection
• Require CA signed certificate
• Validate certificate hostname
5. Test TLS connection to verify that your Proofpoint server can successfully connect to
Enterprise DLP.
6. Save.


STEP 5 | Back in the Hosts page, verify that the Proofpoint server route is displayed.

STEP 6 | Set Up the Email DLP Host.


This is required to forward emails to Enterprise DLP for inspection and verdict rendering
to prevent exfiltration of sensitive data. Skip this step if you already configured routing to
Enterprise DLP.

STEP 7 | Create Gmail Transport Rules.


After you successfully set up the Email DLP host on Gmail, you must create the Gmail
transport rules to instruct Gmail to forward emails to Enterprise DLP and establish the actions
Gmail takes based on verdicts rendered by Enterprise DLP.

A transport rule isn't required for emails that match your Email DLP policy where
the action is set to Monitor. In this case, Enterprise DLP adds x-panw-action -
monitor to the email header, a DLP incident is created, and the email continues to
its intended recipient.

Create Gmail Transport Rules

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.


Where Can I Use This?        What Do I Need?

• Data Security              One of the following licenses that include the
                             Enterprise DLP license (review the Supported
                             Platforms for details on the required license
                             for each enforcement point):
                             • Prisma Access CASB license
                             • Next-Generation CASB for Prisma Access and
                               NGFW (CASB-X) license
                             • Data Security license
                             Email DLP license

Transport rules instruct Gmail to forward emails to Enterprise Data Loss Prevention (E-DLP) and
establish the actions Gmail takes based on the quarantine or block verdicts rendered by
Enterprise DLP.
Create Gmail transport rules to forward emails from Gmail to the Enterprise DLP cloud service for
inspection to prevent exfiltration of sensitive data. Additionally, you must create transport rules to
specify the actions Gmail takes based on the verdicts rendered by Enterprise DLP. The following
transport rules are required:
• Email Transport
Required to forward all outbound emails from Gmail to the Enterprise DLP cloud service for
inline email inspection and verdict rendering. The email transport rule is required in all cases
regardless of the verdict Enterprise DLP renders.
Enterprise DLP adds x-panw-inspected: true to the email header for all inspected emails.
If an outbound email already includes this header, it will not be forwarded to Enterprise DLP
again. Instead, Gmail takes the action specified in the quarantine, or block transport rules based
on the verdict already rendered by Enterprise DLP.
• Quarantine
Instructs Gmail to quarantine and forward the email to the spam quarantine mailbox hosted
by Gmail when Enterprise DLP cloud service returns a Quarantine verdict for an email that
contains sensitive data. An email administrator must review and take action on quarantined
emails after Enterprise DLP inspection.
Enterprise DLP adds x-panw-action: quarantine to the email header for inspected
emails if Enterprise DLP renders a Quarantine verdict. The email is transported back to Gmail
and forwarded to the hosted quarantine spam inbox so an email administrator can review the
email contents and decide whether to approve or block the email. Any future emails with this
header already included will not be forwarded to Enterprise DLP again. Instead, Gmail will take
the action specified in the quarantine transport rule.


• Block
Instructs Gmail on the action to take when Enterprise DLP cloud service returns a Block
verdict for an email that contains sensitive data.
Enterprise DLP adds x-panw-action: block to the email header for all inspected emails.
Any future emails with this header already included will not be forwarded to Enterprise DLP
for inspection. Instead, Gmail takes the action specified in the Block transport rule.
• Encrypt
Instructs Gmail on the action to take when Enterprise DLP cloud service returns an Encrypt
verdict for an email that contains sensitive data.
Enterprise DLP adds x-panw-action: encrypt to the email header for all inspected emails.
Any future emails with this header already included will not be forwarded to Enterprise DLP
for inspection. Instead, Gmail takes the action specified in the Encrypt transport rule.

A transport rule isn't required for emails that match your Email DLP policy where
the action is set to Monitor. In this case, Enterprise DLP adds x-panw-action -
monitor to the email header, a DLP incident is created, and the email continues to its
intended recipient.

• Email Transport
• Quarantine
• Block
• Encrypt
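The header protocol described above is what all of the transport rules key on: the Microsoft Exchange Block transport rule earlier in this chapter matches the x-panw-action header, and the four Gmail rules here match x-panw-inspected and x-panw-action. The following is an added example (not code from this guide or from Palo Alto Networks) that models those decisions in Python so the re-inspection guard and the verdict dispatch can be checked against sample messages. It assumes the guide's US-region Email DLP host name and a placeholder name for the Proofpoint route; the sample messages are constructed, and the matching is a model of the rule logic, not Gmail's own matcher.

```python
from email import message_from_string
from email.message import Message

# Assumed route targets for this example: the US-region Email DLP host from this guide and a
# placeholder for your own Proofpoint encryption route.
EMAIL_DLP_HOST = "mail.us-west1.email.dlp.paloaltonetworks.com"
ENCRYPT_HOST = "proofpoint-route.example.invalid"  # placeholder, not a real host

INSPECTED_HEADER = "x-panw-inspected"
ACTION_HEADER = "x-panw-action"


def parse_outbound(raw: str) -> Message:
    """Parse a raw RFC 5322 message (header block plus body) into a Message object."""
    return message_from_string(raw)


def is_inspected(msg: Message) -> bool:
    """Email transport rule condition: Full Headers 'Not contains text x-panw-inspected'.

    The rule looks at the header block as text, so any x-panw-inspected header counts,
    whatever its value; header names are matched case-insensitively.
    """
    return any(name.lower() == INSPECTED_HEADER for name in msg.keys())


def dlp_verdict(msg: Message):
    """Verdict Enterprise DLP wrote into x-panw-action (quarantine, block, encrypt, monitor),
    normalized to lower case; None when the header is absent."""
    value = msg.get(ACTION_HEADER)
    return value.strip().lower() if value else None


def route_outbound(msg: Message, envelope_sender: str) -> dict:
    """Model of what Gmail does with one outbound message under the transport rules in this
    section (email transport, quarantine, block, encrypt), evaluated in that order."""
    # Email transport rule: uninspected mail with a non-empty envelope sender is re-routed to
    # the Email DLP host over TLS. The 'Not matches regex ^$' condition on the envelope
    # sender means a message with a null sender (a bounce) is never forwarded.
    if not is_inspected(msg) and envelope_sender != "":
        return {"rule": "email-transport", "action": "change-route",
                "host": EMAIL_DLP_HOST, "tls": True}

    verdict = dlp_verdict(msg)
    # Quarantine rule: 'x-panw-action: quarantine' sends the message to the admin quarantine.
    if verdict == "quarantine":
        return {"rule": "quarantine", "action": "quarantine", "notify_sender": True}
    # Block rule: the message is rejected and never leaves the organization.
    if verdict == "block":
        return {"rule": "block", "action": "reject"}
    # Encrypt rule: the message is re-routed to the encryption server over TLS.
    if verdict == "encrypt":
        return {"rule": "encrypt", "action": "change-route",
                "host": ENCRYPT_HOST, "tls": True}
    # Monitor verdict (incident logged, mail continues) or a null-sender message: no rule
    # matches and Gmail delivers the message normally.
    return {"rule": None, "action": "deliver"}


# Constructed sample messages (not real traffic).
RAW_UNINSPECTED = (
    "From: alice@example.com\r\nTo: partner@example.org\r\n"
    "Subject: Q3 forecast\r\n\r\nAttached are the numbers.\r\n"
)
RAW_BLOCKED = (
    "From: alice@example.com\r\nTo: partner@example.org\r\n"
    "x-panw-inspected: true\r\nx-panw-action: block\r\n\r\nbody\r\n"
)
RAW_MONITORED = (
    "From: alice@example.com\r\nTo: partner@example.org\r\n"
    "x-panw-inspected: true\r\nx-panw-action: monitor\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, raw in (("uninspected", RAW_UNINSPECTED), ("blocked", RAW_BLOCKED),
                       ("monitored", RAW_MONITORED)):
        print(label, route_outbound(parse_outbound(raw), "alice@example.com"))
```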
Create a Gmail Email Transport Rule

STEP 1 | Log in to the Google Admin portal.

STEP 2 | In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.


STEP 3 | In the Content compliance section, Add Another Rule.


STEP 4 | Configure the email transport rule.


1. In the Content compliance field, enter a descriptive name for the transport rule.
2. For the Email messages to affect, select Outbound.
This instructs Gmail to forward the email to Enterprise DLP before it leaves your
network when the email recipient is outside your organization.

3. Configure email forwarding to Enterprise DLP for emails that have not been inspected.
1. In the Add expressions that describe the content you want to
search for in each message section, select If ALL of the following match the
message.
2. Add a condition to forward emails that haven't been inspected by Enterprise DLP.
• In the Add setting page, select Advanced content match.
• For the Location, select Full Headers.
• For the Match type, select Not contains text.
• For the Content, enter x-panw-inspected.
Click Save to continue.
3. Add a condition to forward emails to Enterprise DLP when the sender is blank or
empty.
• In the Add setting page, select Advanced content match.
• For the Location, select Any envelope sender.
• For the Match type, select Not matches regex.
• For the Regexp, enter ^$.
Click Save to continue.
4. Save.


4. Configure the action Gmail takes for emails that have already been inspected by
Enterprise DLP, and the encryption settings.
1. In the If the above expressions match, do the following section,
enable Change Route.
2. Select the Email DLP Host you created.
3. For the Encryption (onward delivery only), select Require secure transport
(TLS).

5. Configure the types of Gmail accounts the transport rule affects.


1. Show Options.
After you expand the options menu, the button displays Hide Options.
2. In the Account types to affect section, select Users, Groups, and
Unrecognized / Catch-all.


6. Save.

STEP 5 | Verify that the email transport rule was successfully added and that the Status is Enabled.

Create a Gmail Quarantine Transport Rule

STEP 1 | Log in to the Google Admin portal.

STEP 2 | In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.


STEP 3 | In the Content compliance section, Add Another Rule.


STEP 4 | Configure the quarantine transport rule.


1. In the Content compliance field, enter a descriptive name for the transport rule.
2. For the Email messages to affect, select Outbound.
This instructs Gmail to forward the email to Enterprise DLP before it leaves your
network when the email recipient is outside your organization.

3. Configure email forwarding to Enterprise DLP for emails that have not been inspected.
1. In the Add expressions that describe the content you want to
search for in each message section, select If ANY of the following match the
message.
2. Add.
3. In the Add setting page, select Advanced content match.
4. For the Location, select Full Headers.
5. For the Match type, select Starts with.
6. For the Content, enter x-panw-action: quarantine.
7. Save.

4. Configure the action Gmail takes for emails that need to be quarantined.
1. In the If the above expressions match, do the following section,
select Quarantine message.
2. In the Move the message to the following quarantine, select the Gmail
quarantine to which you want to forward emails that an email administrator must
review.
3. Enable Notify sender when email is quarantined (onward delivery only).


5. Configure the types of Gmail accounts the transport rule affects.


1. Show Options.
After you expand the options menu, the button displays Hide Options.
2. In the Account types to affect section, select Users, Groups, and
Unrecognized / Catch-all.

6. Save.

STEP 5 | Verify that the email transport rule was successfully added and that the Status is Enabled.


STEP 6 | An email administrator must review and allow or reject quarantined emails forwarded to the
quarantine mailbox.

Due to a Gmail limitation, SaaS Security generates two Email DLP logs (Manage >
Configuration > SaaS Security > Data Security > Logs > Email DLP Logs) when a
quarantined email is allowed. The first Email DLP log describes the initial outbound
email blocked by Email DLP. The second Email DLP log describes the allowed outbound
email that is sent back to Enterprise DLP to add x-panw-inspected: true and
x-panw-action: monitor to the email header before it continues on its path to
the intended recipient.

Create a Gmail Block Transport Rule

STEP 1 | Log in to the Google Admin portal.

STEP 2 | In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.

STEP 3 | In the Content compliance section, Add Another Rule.


STEP 4 | Configure the email transport rule.


1. In the Content compliance field, enter a descriptive name for the transport rule.
2. For the Email messages to affect, select Outbound.
This instructs Gmail to forward the email to Enterprise DLP before it leaves your
network when the email recipient is outside your organization.

3. Configure the rule to match emails that Enterprise DLP has marked to be blocked.
1. In the Add expressions that describe the content you want to
search for in each message section, select If ANY of the following match the
message.
2. Add.
3. In the Add setting page, select Advanced content match.
4. For the Location, select Full Headers.
5. For the Match type, select Starts with.
6. For the Content, enter x-panw-action: block.
7. Save.

4. Configure the action Gmail takes for emails that are blocked.
1. In the If the above expressions match, do the following section,
select Reject message.
2. (Optional) Enter a customized rejection notice when an email is blocked.


5. Configure the types of Gmail accounts the transport rule affects.


1. Show Options.
After you expand the options menu, the button displays Hide Options.
2. In the Account types to affect section, select Users, Groups, and
Unrecognized / Catch-all.

6. Save.

STEP 5 | Verify that the email transport rule was successfully added and that the Status is Enabled.

Create a Gmail Encrypt Transport Rule

STEP 1 | Log in to the Google Admin portal.

STEP 2 | In the Dashboard, select Apps > Google Workspace > Gmail > Compliance.


STEP 3 | In the Content compliance section, Add Another Rule.


STEP 4 | Configure the email transport rule.


1. In the Content compliance field, enter a descriptive name for the transport rule.
2. For the Email messages to affect, select Outbound.
This instructs Gmail to forward the email to Enterprise DLP before it leaves your
network when the email recipient is outside your organization.

3. Configure the rule to match emails that Enterprise DLP has marked to be encrypted.
1. In the Add expressions that describe the content you want to
search for in each message section, select If ANY of the following match the
message.
2. Add.
3. In the Add setting page, select Advanced content match.
4. For the Location, select Full Headers.
5. For the Match type, select Contains text.
6. For the Content, enter x-panw-action: encrypt.
7. Save.

4. Configure the action Gmail takes for emails that must be encrypted.
1. In the If the above expressions match, do the following section,
select Modify message.
2. For the Subject, select Modify message.
3. For the Headers, select Add custom headers.
4. Add the custom message header.
• For the Header key, enter x-proof-pointencryptdesktop.
• For the Header value, enter encrypt.

Save to continue.

5. Configure the route to forward emails to your Proofpoint server for encryption.
1. In the Route section, select Change route.
2. Select the Proofpoint server route you created.

6. Save.

STEP 5 | Verify that the email transport rule was successfully added and that the Status is Enabled.
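The three Gmail rules above all key off a single header that Enterprise DLP writes back onto the message, so a practitioner usually wants to see, for a given .eml, which rule would fire. The following script is an added example, not code from the Palo Alto Networks guide or from Google: it parses a message and walks the rule chain in the order the guide creates it. The header names x-panw-action and x-panw-inspected are taken from the guide; the assumption that the earlier forwarding rule matches any message that does not yet carry x-panw-inspected: true, the rule order, and the sample messages are constructed here.

```python
"""Simulate how the outbound Gmail content-compliance rules route a message,
based on the x-panw-* headers that Enterprise DLP adds.

Added example, not code from the Palo Alto Networks guide or from Google.
Assumptions: the forwarding rule matches any message without
"x-panw-inspected: true"; the sample messages are constructed."""
from email import message_from_string

# Verdict values the quarantine, block and encrypt rules match on.
ENFORCED_ACTIONS = ("quarantine", "block", "encrypt")


def panw_headers(raw_eml: str) -> dict:
    """Extract the Enterprise DLP verdict headers. Header-name lookup in the
    email module is case-insensitive, like the Gmail rule match."""
    msg = message_from_string(raw_eml)
    return {
        "inspected": (msg.get("x-panw-inspected") or "").strip().lower() == "true",
        "action": (msg.get("x-panw-action") or "").strip().lower(),
        # Message-ID is what you paste into a Gmail Email Log Search.
        "message_id": msg.get("Message-ID"),
    }


def route(raw_eml: str) -> str:
    """Walk the rule chain in the order the guide creates it."""
    h = panw_headers(raw_eml)
    if not h["inspected"]:
        # No verdict yet: the forwarding rule sends the mail to Enterprise DLP.
        return "forward-to-enterprise-dlp"
    if h["action"] in ENFORCED_ACTIONS:
        return h["action"]
    # "monitor", a missing header, or a typo such as "x-panw-action: blok":
    # no compliance rule matches, so Gmail delivers the message.
    return "deliver"


def _sample(*extra_headers: str) -> str:
    """Build a constructed outbound message carrying the given extra headers."""
    head = ["From: alice@yourcompany.com", "To: bob@gmail.com",
            "Subject: Q3 payroll export",
            "Message-ID: <c0ffee@yourcompany.com>"]
    return "\r\n".join(head + list(extra_headers)) + "\r\n\r\nbody\r\n"


# Constructed samples, one per outcome.
UNINSPECTED = _sample()
BLOCKED = _sample("x-panw-inspected: true", "x-panw-action: block")
QUARANTINED = _sample("X-PANW-Inspected: true", "X-PANW-Action: Quarantine")
MONITORED = _sample("x-panw-inspected: true", "x-panw-action: monitor")
TYPO = _sample("x-panw-inspected: true", "x-panw-action: blok")

if __name__ == "__main__":
    for name, eml in [("uninspected", UNINSPECTED), ("blocked", BLOCKED),
                      ("quarantined", QUARANTINED), ("monitored", MONITORED),
                      ("typo", TYPO)]:
        print(f"{name:12s} -> {route(eml)}")
```

The TYPO sample shows the failure mode the troubleshooting section warns about: a misspelled value in either the Enterprise DLP verdict or the rule's Content field matches nothing, and the email is delivered. Run the script against an .eml downloaded from the incident's Email content field to see which rule Gmail should have applied.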


Add an Email DLP Policy Rule


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• Data Security

What Do I Need?
• One of the following licenses that include the Enterprise DLP license (review the
Supported Platforms for details on the required license for each enforcement point):
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
• Email DLP license

Add and configure an Enterprise Data Loss Prevention (E-DLP) Email DLP policy rule so that
Enterprise DLP can prevent exfiltration of sensitive data contained in outbound emails. The
Email DLP policy rule specifies the incident severity and the action Enterprise DLP takes when
matching traffic is inspected and sensitive data is detected.

Enterprise DLP supports inspection and detection of documents containing sensitive data
that are attached to an email. Enterprise DLP does not support inspection of document
links.

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | (Optional) Create custom data patterns and data profiles to specify custom match criteria.
Skip this step if you want to use the predefined Enterprise DLP data profiles available by
default.
1. Create custom data patterns and custom document types as needed.
2. Create a data profile.

STEP 3 | Select Manage > Configuration > SaaS Security > Data Security > Policies > Email DLP
Policies and Add Policy.


STEP 4 | Configure the Basic Information of the Email DLP policy rule.
1. Enter a descriptive Name.
2. Specify the Evaluation Priority of the Email DLP policy rule.
This Evaluation Priority determines the order in which Email DLP policy rules are evaluated.
Select whether the new Email DLP policy rule goes before or after an existing Email DLP
policy rule.
3. For the Email Application, select Microsoft Exchange or Gmail.
4. Select the Enterprise DLP incident severity for when Enterprise DLP detects matching
traffic.
5. Select the DLP Data Profile to associate with the Email DLP policy rule.
The DLP data profile you select is used as the traffic match criteria that Enterprise DLP
evaluates inspected traffic against. The data profile can be either a predefined data
profile or a custom data profile.
6. Verify that Enable Policy is toggled on.
This setting is enabled by default when you add a new Email DLP policy rule.

STEP 5 | Configure the Email DLP policy rule Conditions.


The Email DLP policy rule conditions determine the email sender and recipient criteria for
when inline inspection of email traffic should or should not be performed by Enterprise DLP.
The Email DLP policy rule conditions have an AND relationship. This means that all email
sender and recipient Conditions you configure must be met for Enterprise DLP to take action.
You can configure all or only some of the Email DLP policy rule conditions settings as needed.
If no email sender or recipient conditions are configured, then all outbound email traffic
is inspected by Enterprise DLP and evaluated against the data profile you selected in the
previous step.
For example, you configure the Email DLP policy rule conditions to inspect for the
yourcompany.com Sender Email Domain and gmail.com Recipient Email Domain only.
For Enterprise DLP to take action, the email sender domain and recipient email domain must
match what you have configured. In this instance, Enterprise DLP does not take action if the
Recipient Email Domain is yahoo.com.
1. Configure the email sender conditions.
To configure the email sender conditions, you must specify whether the conditions are
inclusive or exclusive of the specified email domains, user groups, or specific senders.
• Sender Email Domain
• Is one of—Email DLP matches and forwards outbound emails to Enterprise DLP for
email addresses associated with selected email domains only.
Email DLP does not match and forward outbound emails to Enterprise DLP if sent
from an email address that's not associated with a selected email domain.
• Is not one of—Email DLP matches and forwards outbound emails to Enterprise
DLP for all email addresses except for those associated with selected email
domains.
Email DLP does not match and forward outbound emails to Enterprise DLP if sent
from an email address associated with a selected email domain.
• Sender User Group
The sender user groups are derived from the Cloud Identity Engine (CIE) that you set up
when you connected Microsoft Exchange or Gmail.
• Is one of—Email DLP matches and forwards outbound emails to Enterprise DLP for
email addresses associated with selected user groups only.
Email DLP does not match and forward outbound emails to Enterprise DLP if sent
from an email address not associated with a selected user group.
• Is not one of—Email DLP matches and forwards outbound emails to Enterprise
DLP for all email addresses except for the email addresses associated with selected
user groups.
Email DLP does not match and forward outbound emails to Enterprise DLP if sent
from an email address associated with a selected user group.
• Sender User
The sender user addresses are derived from the Cloud Identity Engine (CIE) that you set
up when you connected Microsoft Exchange or Gmail.
Click add ( ) to include additional sender email addresses.
• Is one of—Email DLP matches and forwards outbound emails to Enterprise DLP for
only selected sender email addresses.
Email DLP does not match and forward outbound emails to Enterprise DLP if sent
from a sender email address that's not selected.
• Is not one of—Email DLP matches and forwards outbound emails to Enterprise
DLP for all sender email addresses except for the sender email addresses you
selected.
Email DLP does not match and forward outbound emails to Enterprise DLP if sent
from a selected sender email address.


2. Configure the email Recipient conditions.


To configure the email recipient conditions, you must specify whether the conditions are
inclusive or exclusive of the specified email domains, user groups, or specific recipients.
• Recipient Email Domain
Enterprise DLP supports all valid email domains. The email domain is the web
address that follows the @ symbol in an email address. For example, gmail.com or
yahoo.com.
Click add ( ) to include additional recipient email domains.
• Is one of—Email DLP matches and forwards outbound emails to Enterprise DLP for
email addresses associated with selected recipient email domains only.
Email DLP does not match and forward outbound emails to Enterprise DLP if the
recipient email address isn't associated with the specified recipient email domain.
• Are all one of—Email DLP policy rule matches and forwards outbound emails to
Enterprise DLP only if every recipient email address in the outbound email is
associated with one of the selected email domains.
Email DLP does not match and forward outbound emails to Enterprise DLP if any
recipient email address is associated with an email domain that is not selected.
• Are all not one of—Email DLP policy rule matches and forwards outbound emails
to Enterprise DLP only if none of the recipient email addresses in the outbound
email are associated with a selected email domain.
Email DLP does not match and forward outbound emails to Enterprise DLP if any
recipient email address is associated with a selected email domain.
• Is not one of—Email DLP matches and forwards outbound emails to Enterprise
DLP for all recipient email addresses except for those associated with selected
email domains.
Email DLP does not match and forward outbound emails to Enterprise DLP if any
recipient email address is associated with a selected email domain.
• Recipient User
Click add ( ) to include additional recipient email addresses.
• Is one of—Email DLP policy rule matches and forwards outbound emails to
Enterprise DLP for only the specified recipient email addresses.
Email DLP does not match and forward outbound emails to Enterprise DLP if the
recipient email address isn't included in the outbound email.
• Are all one of—Email DLP policy rule matches and forwards outbound emails to
Enterprise DLP only if all the specified recipient email addresses are included in the
outbound email.
Email DLP does not match and forward outbound emails to Enterprise DLP if any
of the recipient email addresses aren't included in the outbound email.


• Are all not one of—Email DLP policy rule matches and forwards outbound emails
to Enterprise DLP only if none of the specified recipient email addresses are
included in the outbound email.
Email DLP does not match and forward outbound emails to Enterprise DLP if any
of the specified recipient email addresses are included in the outbound email.
• Is not one of—Email DLP policy rule matches and forwards outbound emails to
Enterprise DLP for all recipient email addresses except for the specified recipient
email addresses.
Email DLP does not match and forward outbound emails to Enterprise DLP if a
specified recipient email address is included in the outbound email.
3. Configure the email components Enterprise DLP needs to Evaluate.
Enterprise DLP can inspect and evaluate the Email Subject, Email Body, and Email
Attachment(s) as needed. You can select one, two, or all available evaluation criteria. At
least one evaluation criterion must be selected to save the Email DLP policy rule.
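The sender and recipient conditions described in this step combine with AND, and the four operators differ in how they quantify over a message with several recipients. The following evaluator is an added example, not the product's code: it applies a constructed rule built from the guide's own yourcompany.com/gmail.com/yahoo.com example to sample messages. The operator names and the AND relationship are taken from the guide; user-group membership, which the product reads from Cloud Identity Engine, is represented by a plain dict here.

```python
"""Evaluate the sender/recipient Conditions of an Email DLP policy rule
against one outbound message and report whether it would be forwarded to
Enterprise DLP for inspection.

Added example, not the product's code. The rule, the messages and the group
data are constructed; operator semantics follow the guide's descriptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def domain(address: str) -> str:
    """The part after the @ sign, e.g. gmail.com (the guide's definition)."""
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class Condition:
    op: str          # is_one_of | is_not_one_of | are_all_one_of | are_all_not_one_of
    values: Set[str]

    def matches(self, observed: Set[str]) -> bool:
        vals = {v.lower() for v in self.values}
        obs = {o.lower() for o in observed}
        if self.op == "is_one_of":         # at least one observed value is listed
            return bool(obs & vals)
        if self.op == "are_all_one_of":    # every observed value is listed
            return bool(obs) and obs <= vals
        if self.op in ("is_not_one_of", "are_all_not_one_of"):
            # The guide describes both as: no match if any observed value is listed.
            return obs.isdisjoint(vals)
        raise ValueError(f"unknown operator {self.op}")


@dataclass
class EmailDlpRule:
    sender_domain: Optional[Condition] = None
    sender_group: Optional[Condition] = None
    sender_user: Optional[Condition] = None
    recipient_domain: Optional[Condition] = None
    recipient_user: Optional[Condition] = None

    def forwards_for_inspection(self, sender: str, recipients: List[str],
                                groups: Dict[str, Set[str]]) -> bool:
        """Every configured condition must hold (AND). With no conditions at
        all, every outbound email is inspected."""
        checks = [
            (self.sender_domain, {domain(sender)}),
            (self.sender_group, groups.get(sender.lower(), set())),
            (self.sender_user, {sender}),
            (self.recipient_domain, {domain(r) for r in recipients}),
            (self.recipient_user, set(recipients)),
        ]
        return all(cond.matches(obs) for cond, obs in checks if cond is not None)


# Constructed rule: the guide's example (yourcompany.com senders, gmail.com recipients).
RULE = EmailDlpRule(
    sender_domain=Condition("is_one_of", {"yourcompany.com"}),
    recipient_domain=Condition("is_one_of", {"gmail.com"}),
)
# Same rule, but every recipient must be on gmail.com.
STRICT_RULE = EmailDlpRule(
    sender_domain=Condition("is_one_of", {"yourcompany.com"}),
    recipient_domain=Condition("are_all_one_of", {"gmail.com"}),
)
GROUPS = {"alice@yourcompany.com": {"finance"}}  # constructed CIE group data

if __name__ == "__main__":
    mixed = ["bob@gmail.com", "carol@yahoo.com"]
    print("is one of, mixed recipients:", RULE.forwards_for_inspection("alice@yourcompany.com", mixed, GROUPS))
    print("are all one of, mixed recipients:", STRICT_RULE.forwards_for_inspection("alice@yourcompany.com", mixed, GROUPS))
```

The two printed lines show the practical difference: with Is one of, a single gmail.com recipient on a message that also goes to yahoo.com is enough to trigger inspection; with Are all one of, the yahoo.com recipient prevents it.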


STEP 6 | Configure the Email DLP policy rule Response.


The Email DLP policy rule response configuration specifies the action Enterprise DLP takes
when inspected traffic matches the data profile associated with the policy rule.
1. Specify the Action Enterprise DLP takes when inspected traffic matches the data profile
associated with the policy rule.
• Monitor—Outbound email is allowed to leave your organization to the intended
recipient. A DLP incident is generated.
• Block—Outbound email is blocked from leaving your organization's network.
The action Microsoft Exchange or Gmail takes on a Block verdict rendered by
Enterprise DLP is based on the block transport rule you created.
• Quarantine—Outbound email is transported back to the email server and quarantined.
The email is forwarded to the hosted quarantine spam inbox and requires review
by an email administrator before the email is allowed to leave your organization's
network.
The action Microsoft Exchange or Gmail takes on a Quarantine verdict rendered by
Enterprise DLP is based on the quarantine transport rule you created.
• (Microsoft Exchange only) Forward email for approval by end user's manager—
Outbound email is transported back to Microsoft Exchange and sent to the sender's
manager for approval. Independent review is required by the sender's manager before
the email is allowed to leave your organization's network.
The action Microsoft Exchange takes on a Forward email for approval
by end user's manager verdict rendered by Enterprise DLP is based on the
transport for manager approval rule you created.
• (Microsoft Exchange only) Forward email for approval admin—Outbound email is
transported back to Microsoft Exchange and sent to the specified email admin for
approval. Independent review is required by the specified email administrator before
the email is allowed to leave your organization's network.
The action Microsoft Exchange takes on a Forward email for approval
admin verdict rendered by Enterprise DLP is based on the transport for admin
approval rule you created.
• Encrypt—Outbound email is allowed to leave your organization but is encrypted
before continuing its path to the intended recipient.
The action Microsoft Exchange or Gmail takes on an Encrypt verdict rendered by
Enterprise DLP is based on the encrypt transport rule you created.
For Microsoft Exchange, the email is transported back to Microsoft Exchange for
encryption.
For Gmail, the email is transported to your Proofpoint server for encryption.
2. (Optional) Automatically assign an Incident Assignee when Enterprise DLP renders a
Block or Quarantine verdict on matching traffic.
Strengthen your security posture by assigning an incident assignee to follow up on and
resolve events where Enterprise DLP detects outbound emails that contain sensitive
information.
3. (Optional) Add emails to send Notifications to receive alerts when Enterprise DLP
renders Block or Quarantine verdicts on inspected outbound traffic.
Click add ( ) to include additional emails to receive notifications.
4. (Optional; Microsoft Exchange only) Enable Send an email notification to sender.
If enabled, an email is sent to the email sender if Enterprise DLP detects sensitive data
and the Email DLP policy rule Action is any of the following:
• Forward email for approval to end user's manager
• Forward email for approval to admin
• Quarantine


STEP 7 | Save Policy.

Review Email DLP Incidents


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• Data Security

What Do I Need?
• One of the following licenses that include the Enterprise DLP license (review the
Supported Platforms for details on the required license for each enforcement point):
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
• Email DLP license

Review your Enterprise Data Loss Prevention (E-DLP) Email DLP incidents to understand which
outbound emails were inspected, review which were blocked, quarantined, or sent for approval,
and to download files inspected by Enterprise DLP.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > SaaS Security > Data Security > Incidents > Email DLP
Incidents.


STEP 3 | Review your Email DLP incidents.


• Severity—Severity of the DLP incident specified in the Email DLP policy.
• Updated On—Date the Email DLP incident status or assignee was updated.
• Created On—Date the Email DLP incident occurred.
• Sender—Email of the sender who generated the Email DLP incident.
• Subject—Subject line for the email that generated the Email DLP incident.
• Policy—Email DLP policy rule that the email matched against.
• Action—Action taken by Enterprise DLP based on the Email DLP policy rule the outbound
email matched against.
• Assigned to—Incident assignee responsible to review and address the Email DLP incident.
• Status—Resolution status of the Email DLP incident.


STEP 4 | Click the Email DLP Policy to view a summary of the Email DLP policy rule the email
matched against.
• Basic Information—Email DLP policy rule priority, whether the rule is Enabled or Disabled,
the incident severity, and the email service provider.
• Conditions—Data profile associated with the Email DLP policy rule, the sender and recipient
information, and the email components the Email DLP policy rule is configured to evaluate.
• Response— Action configured in the Email DLP policy rule, the primary Incident Assignee
specified in the Email DLP policy rule, and the email address that notifications are sent to
when an Email DLP incident is generated against this Email DLP policy rule.

STEP 5 | Click the Email DLP incident Subject to view the Incident Details.
• The From and To fields display the email sender and recipient for the email that generated
the DLP incident.
• The Email content field allows you to download the email in .eml format.
To successfully download an email, you must have configured evidence storage before the
outbound email was inspected by Enterprise DLP. Emails of existing Email DLP incidents
cannot be downloaded if you configure evidence storage after the Email DLP incident
occurred.
• The Message ID can be used to create a message trace on Microsoft Exchange Online or
a custom Email Log Search on Gmail.

STEP 6 | Review the Matching Data Patterns.


The Matching Data Patterns shows snippets of the sensitive data Enterprise DLP detected and
the data pattern that it matched against. All data patterns added to the data profile are listed
in the left-hand side. All traffic matches are grouped by match confidence (High, Medium, and
Low) and list the total number of patterns against which traffic matches were detected.
Additionally, Enterprise DLP provides the location each snippet was detected in. Enterprise
DLP only inspects the parts of the email configured in the Email DLP policy rule evaluation
criteria. Possible values are found in body, found in attachment, or found in
subject.

STEP 7 | (Quarantine only) If an outbound email was quarantined, an email administrator must review
and approve these emails before they can continue to their intended recipient.
• Microsoft Exchange
• Gmail

Due to a Gmail limitation, SaaS Security generates two Email DLP logs (Manage >
Configuration > SaaS Security > Data Security > Logs > Email DLP Logs) when a
quarantined email is allowed. The first Email DLP log describes the initial outbound
email blocked by Email DLP. The second Email DLP log describes the allowed
outbound email that is sent back to Enterprise DLP to add x-panw-inspected:
true and x-panw-action: monitor to the email header before it continues
on its path to the intended recipient.

Why Are Emails Not Being Blocked?


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.


Where Can I Use This?
• Data Security

What Do I Need?
• One of the following licenses that include the Enterprise DLP license (review the
Supported Platforms for details on the required license for each enforcement point):
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
• Email DLP license

Review your Email DLP and Enterprise Data Loss Prevention (E-DLP) configurations to help
you investigate why an email containing sensitive data wasn't blocked by Enterprise DLP. To
investigate, you will need to review the DLP logs, the connectors and transport rules, as well
as your data patterns, profiles, and Security policy rules to understand why one or more emails
containing sensitive data are not being blocked.
STEP 1 | Review your Email DLP logs to confirm that the email you believe contains sensitive data
really contained sensitive data.
If the email you want to investigate is listed here, the Email DLP configuration for
Microsoft Exchange or Gmail is correct: an Email DLP incident and log indicate that the
email was forwarded to Enterprise DLP.
If you can't find the email you want to investigate, something might be wrong with the
Email DLP configuration for Microsoft Exchange or Gmail.
1. Review your Email DLP incidents to confirm the email was allowed to leave your
network.
Select Add Filter > Action and for the Action filter, select Monitored to quickly filter
for emails that were allowed to leave your network. If the email you are interested in
is listed, view the Incident Details to gather the email Created On date, Sender, and
Subject for the email. You can also download the email for your review.
Additionally, make note of the Policy the email matched against. As part of the
investigation, you need to review your Email DLP policy to ensure it is configured
correctly.
2. Select Manage > Configuration > SaaS Security > Data Security > Logs.
3. In the Email DLP Logs, click View Logs.
4. Locate the email you want to investigate using the Time Captures and Sender User
columns.
5. Review the Subject column for the email to understand whether sensitive data was
detected in the email.
6. Review the Status Note to gather additional information about the email.
• If Email did not match with an Email DLP Policy or Email matched with a DLP
Profile in a policy and evaluation was completed is displayed, you might need to
review and modify your data profile match criteria or Email DLP policy.
• If Email DLP policy evaluation timed out is displayed, you might need to modify
the Max Latency and Action on Max Latency settings.
For example, if the Action on Max Latency is set to Allow, Enterprise DLP allowed the
outbound email to leave your network even though the forwarded email evaluation
timed out.

STEP 2 | Review the Email DLP policy the email matched against to ensure it is configured correctly.
Important Email DLP configurations to verify are the email sender conditions, the sender
email domain, email recipient conditions, and recipient email domains to confirm that they are
defined correctly. If these are not configured correctly, Email DLP is unable to inspect for and
prevent exfiltration of outbound emails containing sensitive data.
Additionally, you can review the Recommendations for Security Policy Rules for more
information on recommendations and best practices for writing Security policy rules and
managing your policy rulebase.

STEP 3 | Review the data patterns and data profiles associated with your Email DLP policy.
For example, review your custom and file property data patterns to ensure the match criteria
defined in them are configured correctly to inspect for and block the correct sensitive data.
Incorrectly defined match criteria results in Enterprise DLP being unable to inspect for and
prevent exfiltration of outbound emails containing sensitive data.
If you are using predefined data patterns in your data profiles, you can add custom match
criteria like proximity keywords to increase detection accuracy.

STEP 4 | Review the Email DLP configuration for your email provider.
Microsoft Exchange Online or Gmail cannot forward outbound emails to Enterprise DLP for
inspection if they are incorrectly configured. Additionally, Email DLP is designed to
inspect outbound emails only. Inspection of internal emails that stay within your
network is not supported.
When reviewing your Email DLP configurations, consider the following:
• Have you updated your SPF record to add the required Enterprise DLP service IP addresses
for Microsoft Exchange Online or Gmail?
This is required to successfully forward outbound emails to Enterprise DLP.
• (Microsoft Exchange Online only) Are your transport rules enabled?
In some cases, a newly created Microsoft Exchange transport rule might be disabled and
require you to manually enable it. All transport rules, especially the transport and block
rules, must be enabled to successfully forward outbound emails to Enterprise DLP and for
Microsoft Exchange to take action based on the verdict rendered.
• Is the transport rule for Microsoft Exchange Online or Gmail configured correctly?
If your email provider is unable to forward outbound emails to Enterprise DLP, then the
email continues to its intended recipient.
• Is the block transport rule for Microsoft Exchange Online or Gmail configured correctly?
For example, if there is a typo when you define the x-panw-action: block header that
your email provider should take a block action on then the email continues to its intended
recipient.
• (Microsoft Exchange Online only) Are managers correctly assigned in Active Directory?
By default, Microsoft Exchange sends the outbound email to the target recipient if a
manager isn't correctly assigned for the sender when you create a transport rule for
manager approval.


Endpoint DLP
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
• Autonomous DEM 5.3.4 or later
• Prisma Access Agent
• One of the following Prisma Access versions:
  • 10.2—Prisma Access 5.2
  • 11.2—Prisma Access 5.1 or 5.2

Use Endpoint DLP to prevent exfiltration of sensitive data to peripheral devices such as USB
devices, printers, and network shares, or to control access to them. To prevent exfiltration of
sensitive data, files moved between a device and the connected peripheral device are sent to
Enterprise Data Loss Prevention (E-DLP) for inspection and verdict rendering.
• How Does Endpoint DLP Work?
• Add a Peripheral
• Create a Peripheral Group
• Create an Endpoint DLP Policy Rule
• Troubleshoot Endpoint DLP

How Does Endpoint DLP Work?


Endpoint DLP lets your security administrators allow or block the use of peripheral devices.
To prevent exfiltration of sensitive data to peripheral devices, Endpoint DLP uses Enterprise
Data Loss Prevention (E-DLP) advanced detection methods, with either custom data profiles that
define your own traffic match criteria or the predefined ML-based and regex data profiles.
The Prisma Access Agent evaluates and enforces your Endpoint DLP policy rules when files are
moved between the endpoint and peripheral device. The Prisma Access Agent detects when
file movement between the endpoint and peripheral device occurs and evaluates the Endpoint
DLP policy rulebase. When necessary, Prisma Access Agent forwards the traffic to Enterprise
DLP for inspection and verdict rendering. Enterprise DLP then communicates the verdict to the
Prisma Access Agent which then takes the action configured in the Endpoint DLP policy rule.
Additionally, the Prisma Access Agent is responsible for displaying a notification to the end
user when they generate a DLP incident.

The following is an example of the process Enterprise DLP uses to inspect file movement on
endpoints. This process works only if you have installed the Prisma Access Agent and already
configured your Endpoint DLP policy rules.
1. A user in your organization connects a peripheral device to their laptop.
2. The user moves a file from their endpoint to the connected peripheral device.
3. The Prisma Access Agent registers that the user attempted to move a file from the endpoint to
the peripheral device and evaluates your Endpoint DLP policy rules.
• No Policy Rule Match—If there is no Endpoint DLP policy rule match identified, then the
agent allows the peripheral device to connect and the endpoint has full read and write
access privileges to the peripheral device.
• Peripheral Control Policy Rule—If you created a peripheral control policy rule to control
access, then the agent executes the allow or block action that you configured in the policy
rule.
For example, if the Endpoint DLP policy rule blocks the connection to the peripheral device,
then the agent revokes write privileges to the peripheral device. In this case, the endpoint
can't upload files to the peripheral device.
Alternatively, if the Endpoint DLP policy rule allows the connection to the peripheral device,
then the agent grants the endpoint write access privileges to the peripheral device. In this
case, the endpoint can upload files to the peripheral device.
• Data in Motion Policy Rule—The agent allows the connection to the peripheral device.
When the Prisma Access Agent detects file movement from the endpoint to a peripheral
device, it forwards the file to Enterprise DLP for inspection and verdict rendering. The agent
also forwards important file metadata, such as the fileSHA, which Enterprise DLP uses to
identify each forwarded file.
Enterprise DLP then sends the verdict to the Prisma Access Agent. If Enterprise DLP detects
sensitive data, the agent takes the Endpoint DLP policy rule action. If a forwarded file was
already inspected, which Enterprise DLP recognizes by its fileSHA, Enterprise DLP returns the
existing verdict to the agent instead of inspecting the same file twice. Because the verdict is
keyed on the file hash, any change to the file's content produces a new fileSHA and a fresh
inspection.
4. The Prisma Access Agent executes the Endpoint DLP policy rule action that you configured in
either the Peripheral Control or Data in Motion policy rules.
5. Enterprise DLP generates a DLP incident when appropriate. Additionally, if you configured End
User Coaching, the Prisma Access Agent displays a notification on the endpoint to alert the
user.

What Operating Systems Does Endpoint DLP Support?


Endpoints running the following operating systems support Endpoint DLP.

Operating System | Version
• Microsoft Windows: Windows 10 version 2004 or later release
• macOS: 12 (Monterey) or later release

What File Types Does Endpoint DLP Support?


Endpoint DLP supports inspection and verdict rendering for the following file types and sizes.

File Characteristic | Support
• File Type: Endpoint DLP supports inspection of all file types supported by Enterprise DLP.
• File Size: The maximum file size Endpoint DLP supports depends on the Endpoint DLP policy rule
  Action.
  • Alert: up to 100 MB
  • Block: up to 20 MB

Which Protocols Does Endpoint DLP Support for Network Shares?


Endpoint DLP supports the following network protocols for network share peripheral devices.

Operating System | Protocol
• Microsoft Windows: Server Message Block (SMB)
• macOS: Server Message Block (SMB)

The following protocols are supported only if you mount the protocol as a network share:
• File Transfer Protocol (FTP)
• Secure File Transfer Protocol (SFTP)
• FTP Secure (FTPS)
• Network File System (NFS)

Add a Peripheral
Add a USB, printer, or network share peripheral device to Enterprise Data Loss Prevention (E-
DLP) for endpoint protection. Only one type of peripheral device can be added at a time.
Adding peripheral devices is required only if you want to allow or block access to specific
peripheral devices. If you want to allow or block access to all peripheral devices of any type, you
can create an Endpoint DLP policy rule configured for this purpose.

Peripheral devices added to Enterprise Data Loss Prevention (E-DLP) cannot be deleted.

• USB
• Network Share
• Printer

Add a USB Peripheral to Endpoint DLP

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Settings > Peripheral
Configuration.

STEP 3 | Select Add Peripheral > Manual.

STEP 4 | Select USB.

STEP 5 | Configure the details for the USB peripheral you're adding.
To add a USB peripheral device to Enterprise DLP, you must enter the peripheral Name and at
least one of the Serial Number, Vendor ID, or Product ID.
For example, entering only the peripheral Name and Vendor ID, without the Serial Number or
Product ID, meets the minimum configuration requirements and you can successfully add the
peripheral.
Manufacturer and Model are optional and are used to filter your USB peripherals.
• Name—Name of the USB. The Name is displayed in Strata Cloud Manager when managing
your Endpoint DLP configurations and in your Enterprise DLP incidents.
• (Optional) Manufacturer—Name of the company that manufactured the USB.
• (Optional) Model—Model of the USB peripheral.
• Serial Number—Unique identifier of the specific USB peripheral.
• Vendor ID—Unique number used to identify the manufacturer of the USB peripheral.
• Product ID—Unique number used to identify a specific USB product line.
• (Optional) Description—Description of the USB peripheral.

STEP 6 | Save.

STEP 7 | Create a Peripheral Group to group multiple USB peripheral devices and apply the same
security enforcement.
You must create peripheral groups to create an Endpoint DLP policy rule.
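The form above needs the Vendor ID, Product ID and, when the device has one, the Serial Number. The following added example (written for this page, not Palo Alto Networks code) recovers those values from the USB instance IDs that Windows reports and checks that each entry meets the minimum the form requires. It assumes you collect instance IDs with the Windows Get-PnpDevice -Class USB cmdlet, whose InstanceId has the form USB\VID_xxxx&PID_xxxx\<tail>; that format is a Windows convention, not something this guide documents. The device names and IDs below are constructed samples.

```python
"""Derive Add Peripheral > USB identifiers from Windows USB instance IDs.

Editorial example, not Palo Alto Networks code. On Windows the InstanceId that
"Get-PnpDevice -Class USB" reports looks like USB\VID_xxxx&PID_xxxx\<tail>; the
Vendor ID, Product ID and Serial Number fields on the form come from that string.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Four hex digits each for VID and PID, then the instance-specific tail.
INSTANCE_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([^\\]+)$",
                         re.IGNORECASE)


@dataclass(frozen=True)
class UsbIdentity:
    vendor_id: str
    product_id: str
    serial_number: str | None   # None when Windows generated the tail itself


def parse_instance_id(instance_id: str) -> UsbIdentity | None:
    """Return the identifiers in a USB instance ID, or None for hubs and non-USB paths."""
    m = INSTANCE_RE.match(instance_id.strip())
    if m is None:
        return None
    vid, pid, tail = m.groups()
    # A device that reports no hardware serial gets a generated tail such as
    # "5&2a3b4c5d&0&3", built from the hub and port. It changes across ports and
    # hosts, so it must not be onboarded as a Serial Number (heuristic: "&" in tail).
    serial = None if "&" in tail else tail
    return UsbIdentity(vid.upper(), pid.upper(), serial)


def peripheral_entry(name: str, ident: UsbIdentity, manufacturer: str | None = None,
                     model: str | None = None) -> dict[str, str]:
    """Build the Add Peripheral fields: Name plus every identifier we could recover."""
    entry = {"Name": name, "Vendor ID": ident.vendor_id, "Product ID": ident.product_id}
    if ident.serial_number is not None:
        entry["Serial Number"] = ident.serial_number
    if manufacturer:
        entry["Manufacturer"] = manufacturer
    if model:
        entry["Model"] = model
    return entry


def validate_entry(entry: dict[str, str]) -> list[str]:
    """Check the minimum the form requires: a Name and at least one identifier."""
    problems = []
    if not entry.get("Name"):
        problems.append("Name is required")
    if not any(entry.get(k) for k in ("Serial Number", "Vendor ID", "Product ID")):
        problems.append("one of Serial Number, Vendor ID or Product ID is required")
    for key in ("Vendor ID", "Product ID"):
        value = entry.get(key)
        if value is not None and not re.fullmatch(r"[0-9A-F]{4}", value):
            problems.append(f"{key} must be four hex digits")
    return problems


def onboard(devices: dict[str, str]) -> tuple[dict[str, dict[str, str]], list[str]]:
    """Map friendly names to form entries; report what could not become one."""
    entries, skipped = {}, []
    for name, instance_id in devices.items():
        ident = parse_instance_id(instance_id)
        if ident is None:
            skipped.append(f"{name}: not a USB device path ({instance_id})")
            continue
        entry = peripheral_entry(name, ident)
        problems = validate_entry(entry)
        if problems:
            skipped.append(f"{name}: {'; '.join(problems)}")
            continue
        entries[name] = entry
    return entries, skipped


# Constructed sample inventory; the IDs are not real devices.
SAMPLE_DEVICES = {
    "eng-usb-01": r"USB\VID_0781&PID_5591\4C530001230912345678",
    "eng-usb-02": r"USB\VID_0951&PID_1666\5&2a3b4c5d&0&3",
    "root-hub":   r"USB\ROOT_HUB30\4&1f2e3d4c&0&0",
}

if __name__ == "__main__":
    entries, skipped = onboard(SAMPLE_DEVICES)
    for name, entry in entries.items():
        print(name, entry)
    for line in skipped:
        print("skipped:", line)
```

An entry that ends up with only a Vendor ID describes a manufacturer rather than a device, and one with only Vendor ID and Product ID describes a product line; keep that in mind when you later Include or Exclude specific USB peripherals in a policy rule, because the Serial Number is the only field that pins down a single stick. On macOS the equivalent values appear in the output of system_profiler SPUSBDataType (Vendor ID, Product ID, Serial Number), which is an assumption about that tool rather than part of this guide.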

Add a Network Share Peripheral to Endpoint DLP

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Settings > Peripheral
Configuration.

STEP 3 | Select Add Peripheral > Manual.

STEP 4 | Select Network Share.

STEP 5 | Configure the details for the network share peripheral you're adding.
The network share peripheral Name and Server Name or IPv4 Address are required.
Server Name or IPv4 Address and the optional Directory Path are used to filter your Network
Share peripherals.
• Name—Name of the network share. The Name is displayed in Strata Cloud Manager when
managing your Endpoint DLP configurations and in your Enterprise DLP incidents.
• Server Name or IPv4 Address—Fully Qualified Domain Name (FQDN) or IPv4 address of
the network share.
• (Optional) Directory Path—Network directory path of the network share.
• (Optional) Description—Optional description of the network share peripheral.

STEP 6 | Save.

STEP 7 | Create a Peripheral Group to group multiple network share peripheral devices and apply
the same security enforcement.
You must create peripheral groups to create an Endpoint DLP policy rule.

Add a Printer Peripheral to Endpoint DLP

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Settings > Peripheral
Configuration.

STEP 3 | Select Add Peripheral > Manual.

STEP 4 | Select Printer.

STEP 5 | Configure the details for the printer peripheral you are adding.
To add a printer peripheral device to Enterprise DLP, you must enter the peripheral Name and
select the printer Printer Type.
Printer Type is also used to filter your Printer peripherals.
• Name—Name of the printer. The Name is displayed in Strata Cloud Manager when
managing your Endpoint DLP configurations and in your Enterprise DLP incidents.
• Printer Type—Select the type of printer device you are adding. You can select USB Printer
or Network Printer.
• USB Printer—Printer peripheral device physically connected to the endpoint using a USB
cable.
• Network Printer—Printer peripheral device accessible to the endpoint through the
network.
• (Optional) Model—Model of the printer.
• USB Printer
To add a USB printer peripheral device, you must enter either the Serial Number, Vendor
ID, or Product ID.
For example, you enter only the peripheral Vendor ID, but not the Serial Number or
Product ID. This meets the minimum configuration requirements and you can successfully
add the peripheral.
• (Optional) Manufacturer—Name of the company that manufactured the USB printer.
• (Optional) Model—Model of the printer.
• Serial Number—Unique identifier of the specific USB printer.
• Vendor ID—Unique number used to identify the manufacturer of the USB printer.
• Product ID—Unique number used to identify a specific USB printer product line.
• Network Printer
The network printer peripheral Server Name or IPv4 Address is required.
• Server Name or IPv4 Address—Fully Qualified Domain Name (FQDN) or IPv4 address of
the network printer.
• (Optional) Directory Path—Network directory path of the network printer.
• (Optional) Description—Description of the printer peripheral.

STEP 6 | Save.

STEP 7 | Create a Peripheral Group to group multiple printer peripheral devices and apply the
same security enforcement when you create your Endpoint DLP policy rule. You can group USB
and network printers in the same peripheral group.
You must create peripheral groups to create an Endpoint DLP policy rule.

Create a Peripheral Group


Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)

What Do I Need?
• Endpoint DLP license
• Enterprise Data Loss Prevention (E-DLP) license
• Autonomous DEM 5.3.4 or later
• Prisma Access Agent
• One of the following Prisma Access versions
  • 10.2—Prisma Access 5.2
  • 11.2—Prisma Access 5.1 or 5.2

Create a peripheral group to combine multiple peripheral devices of the same type into a
single group. This lets you apply Endpoint DLP policy rules to multiple peripheral devices
that have the same enforcement requirements. A peripheral device can be a member of multiple
peripheral groups.
After you create and push a peripheral group configuration change, you can view your audit and
push logs to review your configuration change history and to verify that the configuration
change was successfully pushed to the Prisma Access Agent.
• USB
• Network Share
• Printer

Create an Endpoint DLP USB Peripheral Group

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Settings > Peripheral
Configuration.

STEP 3 | Add USB peripheral devices to Enterprise DLP.

STEP 4 | In the Onboarded Peripherals, select USB Device.

STEP 5 | Select one or more USB devices and Add/Create Group.

STEP 6 | Add the selected USB devices to a peripheral group.


• Add to USB Group
Select this option if you already created a USB peripheral group and want to add the
selected devices to an existing peripheral group.
To add the selected USB peripherals to an existing peripheral group, select the target Group
from the drop-down.
• Create USB Group
Select this option if no USB peripheral group exists or if you want to create and add the
selected USB devices to a new peripheral group.
Enter a peripheral group Name to add the selected USB devices to a new peripheral group.

STEP 7 | Save.

STEP 8 | Push your new peripheral group configuration to the Prisma Access Agent.
1. Select Endpoint DLP Policy > Push Policies and Push Policies.
2. (Optional) Enter a Description for the Endpoint DLP policy push.
3. Review the Push Policies scope to understand the changes included in the Endpoint DLP
configuration push.
4. Push.

STEP 9 | Create an Endpoint DLP Policy Rule.

Create an Endpoint DLP Network Share Peripheral Group

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Settings > Peripheral
Configuration.

STEP 3 | Add network share peripheral devices to Enterprise DLP.

STEP 4 | In the Onboarded Peripherals, select Network Share.


To narrow down the list of network share peripherals, use the search bar to search for a
specific network share Name or filter by Server Name or IPv4 Address, or Directory Path.

STEP 5 | Select one or more network shares and Add/Create Group.

STEP 6 | Add the selected network shares to a peripheral group.


• Add to Network Share Group
Select this option if you already created a network share peripheral group and want to add
the selected network shares to an existing peripheral group.
To add the selected network shares to an existing peripheral group, select the target Group
from the drop-down.
• Create Network Share Group
Select this option if no network share peripheral group exists or if you want to create and
add the selected network shares to a new peripheral group.
Enter a network share group Name to add the selected network shares to a new network share
group.

STEP 7 | Save.

STEP 8 | Push your new peripheral group configuration to the Prisma Access Agent.
1. Select Endpoint DLP Policy > Push Policies and Push Policies.
2. (Optional) Enter a Description for the Endpoint DLP policy push.
3. Review the Push Policies scope to understand the changes included in the Endpoint DLP
configuration push.
4. Push.

STEP 9 | Create an Endpoint DLP Policy Rule.

Create an Endpoint DLP Printer Peripheral Group

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Settings > Peripheral
Configuration.

STEP 3 | Add printer peripheral devices to Enterprise DLP.

STEP 4 | In the Onboarded Peripherals, select Printer.

STEP 5 | Select one or more printers and Add/Create Group.

STEP 6 | Add the selected printers to a peripheral group.


• Add to Printer Group
Select this option if you already created a printer peripheral group and want to add the
selected printers to an existing peripheral group.
To add the selected printers to an existing peripheral group, select the target Group from
the drop-down.
• Create Printer Group
Select this option if no printer peripheral group exists or if you want to create and add the
selected printers to a new peripheral group.
Enter a peripheral group Name to add the selected printers to a new peripheral group.

STEP 7 | Save.

STEP 8 | Push your new peripheral group configuration to the Prisma Access Agent.
1. Select Endpoint DLP Policy > Push Policies and Push Policies.
2. (Optional) Enter a Description for the Endpoint DLP policy push.
3. Review the Push Policies scope to understand the changes included in the Endpoint DLP
configuration push.
4. Push.

STEP 9 | Create an Endpoint DLP Policy Rule.

Create an Endpoint DLP Policy Rule


Enterprise Data Loss Prevention (E-DLP) supports creation of the following types of Endpoint
DLP policy rules.
• Peripheral Control—Policy rule to granularly control who in your organization can use
peripheral devices. You can block access to multiple user groups while excluding others.
• Data in Motion—Policy rule to inspect and block exfiltration of sensitive data moving between
an endpoint and a peripheral device. Traffic that matches your Endpoint DLP policy rule is
forwarded to Enterprise DLP inspection and verdict rendering.
Endpoint DLP policy rules are evaluated in a top-down priority. This means that in the event that
two policy rules in the rule hierarchy apply to the same users and peripherals, Enterprise DLP
takes the Response action based on the first policy rule that was matched.
After pushing your Endpoint DLP policy rule, you can view your audit and push logs to review
your configuration change history and to verify the configuration change was successfully pushed
to the Prisma Access Agent.
Palo Alto Networks recommends reviewing the Endpoint DLP policy rule example before you
create your Peripheral Control and Data in Motion policy rules. In this example, we create
two Endpoint DLP policy rules. The first is a Peripheral Control policy rule that blocks access
to USB peripheral devices for all users while excluding a specific user group that you allow
to access USB peripherals. The second is a Data in Motion policy rule that uses Enterprise DLP
to prevent exfiltration of sensitive data from the endpoint to the peripheral for the users in
the excluded group.
• Policy Rule Example
• Peripheral Control
• Data in Motion

Endpoint DLP Policy Rule Example

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Add a Peripheral to Endpoint DLP and Create a Peripheral Group.


Adding peripheral devices and creating peripheral groups is required only if you want to allow
or block access to specific peripheral devices. You can skip this step if you want to allow or
block access to all peripheral devices of any type.
Repeat this step to add all peripheral devices you want to control access to using Endpoint
DLP. In this example, we are allowing access to a specific peripheral group.

STEP 3 | Configure the Enterprise DLP match criteria to define custom sensitive data that you want to
inspect for and block in your Data in Motion policy rule.
1. Create custom data patterns to define your match criteria.
Alternatively, you can use the predefined data patterns instead of creating custom data
patterns.
2. Create a data profile and add your data patterns.
Alternatively, you can use the predefined data profiles instead of creating custom data
profiles.

STEP 4 | Select Manage > Configuration > Data Loss Prevention > Endpoint DLP Policy and Add
Policy.

STEP 5 | Create a Peripheral Control policy rule.


In this example, we want to configure a policy rule that restricts endpoint access to all USB
peripheral devices for all users, while excluding two users approved to have USB connectivity
for their endpoints.
1. Configure the Basic Information for the Peripheral Control policy rule.
Make sure that you Enable Policy. Click Next to continue.
2. For the Scope, select Any Users & Groups.
This option blocks access to all users regardless of the user group they are associated
with. You can exclude one or more users, thereby allowing their endpoint connectivity to
USB peripheral devices you specify.
In the example below, the Peripheral Control policy rule Scope is configured to block
access to all users while allowing endpoint connectivity to USB peripheral devices for
Alex Smith and Ashok Kachana.

3. For the Peripherals, select Any to block connectivity to all USB peripheral devices.
Alternatively, you can Select specific USB peripheral devices to Include or Exclude.
• If you Include specific USB peripheral devices then endpoint connectivity to only
the specified USB peripheral devices is blocked. All other USB peripheral device
connectivity is allowed.
• If you Exclude specific USB peripheral devices then endpoint connectivity is blocked
for all but excluded USB peripheral devices.
In this example, Any is selected because we want to block endpoint connectivity for all
USB peripheral devices. This particular policy rule is specific to USB devices so None is
selected for Printers and Network Shares.

Click Next to continue.


4. For the Response Action, select Block.

Click Next to continue.


5. For the Evaluation Priority, configure the Priority Selection as 1st.
Palo Alto Networks recommends adding Peripheral Control policy rules designed to
block access to peripheral devices at the top of your policy rulebase hierarchy. This
ensures that the correct users are blocked and not unintentionally given access.
Click Next to continue.
6. Review the Endpoint DLP policy rule Summary and Save.

STEP 6 | Create a Data in Motion policy rule.


In this example, we want to configure a policy rule that uses Enterprise DLP to prevent
exfiltration of sensitive data for the users we excluded in the Peripheral Control policy
rule.
1. Configure the Basic Information for the Data in Motion policy rule.
Make sure that you Enable Policy. Click Next to continue.
2. For the Classifiers, select the Data Profile you created in the previous step or select a
predefined data profile.
Click Next to continue.
3. For the Scope, select Select Users.
This option lets you select the specific users to which the policy rule applies while
excluding all other users.
In the example below, the Data in Motion policy rule Scope is configured to inspect file
movement from the endpoint devices of Alex Smith and Ashok Kachana to the USB
peripheral devices you specify in the next step.

Click Next to continue.


4. For the Peripherals, Select the USB peripheral groups to Include or Exclude.
• If you Include specific USB peripheral groups, then Enterprise DLP inspects and
renders verdicts on file movement between the endpoint device and all the USB
peripheral devices associated with the selected peripheral groups. Enterprise DLP
inspection and verdict rendering doesn't occur for file movement to any other USB
device.
• If you Exclude one or more USB peripheral groups, then Enterprise DLP inspects
and renders verdicts on file movement between the endpoint device and all but the
excluded USB peripheral groups.
In this example, we included the SANDISK group to allow write access to a specific set
of USB devices and we want Enterprise DLP inspection and verdict rendering for these
USB peripheral devices when connected to Alex and Ashok's endpoints. This particular
policy rule is specific to USB devices so None is selected for Printers and Network
Shares.

Click Next to continue.


5. For the Response Action, select Block.
This instructs Enterprise DLP to block file movement from the endpoint to the USB
peripheral device if sensitive data is detected.

Click Next to continue.


6. For the Evaluation Priority, configure the Priority Selection as 2nd.
Palo Alto Networks recommends adding the Data in Motion policy rules after your
Peripheral Control policy rules to ensure the correct users are blocked and not
unintentionally given access while forwarding traffic for allowed users to Enterprise DLP.
Click Next to continue.
7. Review the Endpoint DLP policy rule Summary and Save.

STEP 7 | Review your Endpoint DLP policy rulebase to verify your policy rules are enabled and
ordered correctly.
Review the Priority to ensure your policy rules are ordered correctly, the Users to confirm
your policy rules target the correct set of users, and the Peripherals to ensure the policy rules
apply to the intended peripheral device types.

STEP 8 | Review your Endpoint DLP Audit and Push Logs.

STEP 9 | Review your Enterprise DLP Incidents.


A DLP incident is generated when a user moves a file from the endpoint to the peripheral
device, Enterprise DLP detects sensitive data in the file, and the file move is blocked.
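To make the top-down evaluation and the fileSHA verdict caching concrete, the following is an added model of the flow described under How Does Endpoint DLP Work? and of the two rules built in this example. It is illustration code written for this page, not Palo Alto Networks code: the Rule and Peripheral classes, the user names, the SANDISK group and the SSN-shaped regular expression that stands in for a predefined data pattern are all assumptions, and the sample file contents are constructed.

```python
"""Model of the top-down Endpoint DLP rulebase evaluation described on this page.

Editorial example, not Palo Alto Networks code. Rule fields mirror the Scope,
Peripherals and Response options; the detector stands in for Enterprise DLP
inspection, and verdicts are cached by file hash the way fileSHA reuse is described.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Peripheral:
    kind: str                              # "usb", "printer" or "network_share"
    name: str
    groups: frozenset[str] = frozenset()   # peripheral groups the device belongs to


@dataclass
class Rule:
    name: str
    policy_type: str                       # "peripheral_control" or "data_in_motion"
    action: str                            # Response action: "alert" or "block"
    users: frozenset[str] | None = None    # None means Any Users & Groups
    exclude_users: frozenset[str] = frozenset()
    # Per peripheral kind: "any", "none", or (mode, group names) where mode is
    # "include" or "exclude". A kind that is not listed is treated as None.
    peripherals: dict = field(default_factory=dict)
    enabled: bool = True

    def matches(self, user: str, p: Peripheral) -> bool:
        """Both the user and the peripheral must match for the rule to apply."""
        if not self.enabled or user in self.exclude_users:
            return False
        if self.users is not None and user not in self.users:
            return False
        spec = self.peripherals.get(p.kind, "none")
        if spec in ("any", "none"):
            return spec == "any"
        mode, groups = spec
        in_group = bool(p.groups & frozenset(groups))
        return in_group if mode == "include" else not in_group


class EndpointDlpAgent:
    """The first matching rule in priority order decides the outcome."""

    def __init__(self, rules: list[Rule], detector) -> None:
        self.rules = rules                    # index 0 is the 1st priority
        self.detector = detector              # callable(bytes) -> bool; stands in for E-DLP
        self.verdicts: dict[str, bool] = {}   # fileSHA -> sensitive data found?
        self.forwarded = 0                    # files actually sent for inspection

    def inspect(self, content: bytes) -> bool:
        sha = hashlib.sha256(content).hexdigest()
        if sha not in self.verdicts:          # a known fileSHA is not inspected twice
            self.forwarded += 1
            self.verdicts[sha] = self.detector(content)
        return self.verdicts[sha]

    def file_move(self, user: str, p: Peripheral, content: bytes) -> tuple[str | None, str]:
        """Return (matched rule name, action taken) for one file move."""
        for rule in self.rules:
            if not rule.matches(user, p):
                continue
            if rule.policy_type == "peripheral_control":
                return rule.name, rule.action          # decided without inspection
            # Data in Motion: forward the file; the action applies only when
            # sensitive data is found, otherwise the move goes ahead.
            return rule.name, (rule.action if self.inspect(content) else "allow")
        return None, "allow"                           # no match: full read/write access


# Stand-in for a predefined data pattern (US SSN-shaped digits); an assumption.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def build_example_rulebase() -> EndpointDlpAgent:
    """The two rules from the example above, in the recommended priority order."""
    approved = frozenset({"alex.smith", "ashok.kachana"})
    rules = [
        Rule("block-all-usb", "peripheral_control", "block",
             users=None, exclude_users=approved, peripherals={"usb": "any"}),
        Rule("inspect-approved-usb", "data_in_motion", "block",
             users=approved, peripherals={"usb": ("include", {"SANDISK"})}),
    ]
    detector = lambda data: SSN_RE.search(data.decode("utf-8", "replace")) is not None
    return EndpointDlpAgent(rules, detector)


# Constructed sample devices and file contents, not real data.
SANDISK_USB = Peripheral("usb", "Cruzer-01", frozenset({"SANDISK"}))
OTHER_USB = Peripheral("usb", "NoName-01")
CLEAN = b"meeting notes, nothing sensitive"
SENSITIVE = b"employee record, SSN 123-45-6789"

if __name__ == "__main__":
    agent = build_example_rulebase()
    for user, dev, data in [("bob.jones", SANDISK_USB, CLEAN),
                            ("alex.smith", SANDISK_USB, SENSITIVE),
                            ("alex.smith", OTHER_USB, SENSITIVE)]:
        print(user, dev.name, agent.file_move(user, dev, data))
    print("files forwarded to E-DLP:", agent.forwarded)
```

Running the model shows two things the walkthrough only implies. First, a user who is not excluded from the Peripheral Control rule is blocked at rule 1 and nothing is forwarded for inspection, so inspection cost and DLP incidents for those users come only from the block itself. Second, because the Data in Motion rule includes only the SANDISK group, an excluded user writing to a USB device outside that group matches no rule at all and gets uninspected write access; if that is not intended, either set the Data in Motion rule's USB peripherals to Any or add a lower-priority Peripheral Control rule for the approved users that blocks the remaining USB devices.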

Create an Endpoint DLP Peripheral Control Policy Rule

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Endpoint DLP Policy and Add
Policy.

STEP 3 | Configure the Basic Information.


1. For the Policy Type, select Peripheral Control.
2. Enter a descriptive Name for the Endpoint DLP policy rule.
3. (Optional) Enter a Description to describe the Endpoint DLP policy rule.
4. Select the Severity of the Enterprise DLP incident generated when a user in the policy
rule Scope accesses a peripheral device that the policy rule applies to.
5. Enable Policy is enabled by default and enables the Endpoint DLP policy rule after you
save.
Disable this setting if you don't want to immediately enable the Endpoint DLP policy rule
after creation.
6. Click Next to continue.

STEP 4 | Configure the Scope to define which users can use peripheral devices.
For Enterprise DLP to take the configured Response action, both Users and Peripherals must
be matched.
1. Select the Users the policy rule applies to.
• Any Users & Groups
Create a peripheral control policy rule that applies to all users. Additionally, you can
Exclude one or more users from the peripheral control policy rule.
• Select Users & Groups
Create a peripheral control policy rule that applies to specific users and groups. You
can configure the policy rule to apply to either specific users or user groups, or to
both.
Include
• Select Users—Select one or more specific users to which the rule applies.
• Select Groups—Select one or more user groups to which the rule applies.
Exclude—Select one or more users to exclude from the peripheral control policy
rule. You must select at least one user group in order to exclude one or more users.
2. Select the Peripherals you want to allow or block access to.
You can define user access to USB devices, printers, and network shares in a single
peripheral control policy rule. The access configuration for each type of peripheral
device are independent of each other and can be configured as needed. For example,
you can create a policy rule to block access to all USB devices, allow access to all
printers, and allow access to only specific network shares you selected.
• Any (default)—Policy rule applies to all USB, printer, or network share peripherals
added to Enterprise DLP.
• Select— Policy Rule applies only to the selected peripheral devices or peripheral
groups.
• None—Policy rule doesn't apply to any USB, printer, or network share peripherals
added to Enterprise DLP.
3. Click Next to continue.

STEP 5 | Configure the Response to define the action Enterprise DLP takes when a user accesses a
peripheral that the policy rule applies to.
• Action—Action Enterprise DLP takes if a User accesses a Peripheral device defined in the
policy rule Scope.
• Alert—Enterprise DLP generates a DLP incident but allows the endpoint to access the
peripheral.
• Block—Enterprise DLP generates a DLP incident and blocks the endpoint from accessing
the peripheral.
• Incident Assignee—The administrator the Enterprise DLP incident is assigned to if one is
generated against the policy rule.
• Email Notifications—Add administrators to send email notifications when an incident is
generated against the policy rule.
Click Next to continue.

STEP 6 | Define the Evaluation Priority for the peripheral control policy rule in your Endpoint DLP
policy rulebase.
You can use the Priority Selection to quickly insert the peripheral control policy rule in the
appropriate location in your policy rulebase hierarchy.
Click Next to continue.

STEP 7 | Review the policy rule Summary to verify that it's configured correctly and Save.

STEP 8 | Push your Endpoint Policy rule.


1. Select Push Policies and Push Policies.
2. (Optional) Enter a Description for the Endpoint DLP policy push.
3. Review the Push Policies scope to understand which Endpoint DLP policy rules and
peripheral group configuration changes are included in the push.
4. Push.

STEP 9 | Review your Endpoint DLP Audit and Push Logs.

STEP 10 | Review your Enterprise DLP Incidents.


A DLP incident is generated when a user moves a file from the endpoint device to a
peripheral device type to which you have blocked access.

Create an Endpoint DLP Data in Motion Policy Rule

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Configure the Enterprise DLP match criteria to define custom sensitive data that you want to
inspect for and block.
1. Create custom data patterns to define your match criteria.
Alternatively, you can use the predefined data patterns instead of creating custom data
patterns.
2. Create a data profile and add your data patterns.
Alternatively, you can use the predefined data profiles instead of creating custom data
profiles.

STEP 3 | Select Manage > Configuration > Data Loss Prevention > Endpoint DLP Policy and Add
Policy.

STEP 4 | Configure the Basic Information.


1. For the Policy Type, select Data in Motion.
2. Enter a descriptive Name for the Endpoint DLP policy rule.
3. (Optional) Enter a Description to describe the Endpoint DLP policy rule.
4. Select the Severity of the Enterprise DLP incident when sensitive data is moved
between an endpoint and a peripheral device.
5. Enable Policy is enabled by default and enables the Endpoint DLP policy rule after you
save.
Disable this setting if you don't want to immediately enable the Endpoint DLP policy rule
after creation.
6. Click Next to continue.

STEP 5 | Configure the policy rule Classifiers to define the match criteria.
1. Select the Data Profile that contains the match criteria you want to inspect for and
block. You can select a predefined or custom data profile.
2. Select the File Types you want the Endpoint DLP policy rule to apply to.
You can select Any File Types (default) to inspect all supported file types moved
between an endpoint and the peripheral device.


STEP 6 | Configure the Scope to define which users and peripheral devices the policy rule applies to.
For Enterprise DLP to take the configured Response action, both Users and Peripherals must
be matched.
1. Select the Users the policy rule applies to.
• Any Users & Groups
Create a peripheral control policy rule that applies to all users. Additionally, you can
Exclude one or more users from the peripheral control policy rule.
• Select Users & Groups
Create a peripheral control policy rule that applies to specific users and groups. You
can configure the policy rule to apply to either specific users or user groups, or to
both.
Include
• Select Users—Select one or more specific users to which the rule applies.
• Select Groups—Select one or more user groups to which the rule applies.
Exclude—Select one or more users to exclude from the peripheral control policy
group. You must select at least one user group in order to exclude one or more users.
2. Select the Peripherals you want to inspect and block file movement to if sensitive data is
detected.
You can add USB devices, printers, and network shares in a single data in motion policy
rule. The list of included devices for each type of peripheral device is independent of the
others and can be configured as needed. For example, you can create a policy rule that
includes no USB devices, all printers, and only specific network shares you selected.
• Any (default)—Policy rule applies to all USB, printer, or network share peripherals added
to Enterprise DLP.
• Select—Policy rule applies only to the selected peripheral devices or peripheral
groups.
• None—Policy rule doesn't apply to any USB, printer, or network share peripherals
added to Enterprise DLP.
3. Click Next to continue.


STEP 7 | Configure the Response to define the action Enterprise DLP takes when sensitive data is
detected.
• Action—Action Enterprise DLP takes if a User accesses a Peripheral device defined in the
policy rule Scope.
• Alert—Enterprise DLP generates a DLP incident but allows file movement from the
endpoint to the peripheral.
• Block—Enterprise DLP generates a DLP incident and blocks file movement from the
endpoint to the peripheral.
• Incident Assignee—The administrator the Enterprise DLP incident is assigned to if one is
generated against the policy rule.
• Email Notifications—Add additional administrators to send email notifications when an
incident is generated against the policy rule.
Click Next to continue.

STEP 8 | Define the Evaluation Priority for the peripheral control policy rule in your Endpoint DLP
policy rulebase.
You can use the Priority Selection to quickly insert the peripheral control policy rule in the
appropriate location in your policy rulebase hierarchy.
Click Next to continue.

STEP 9 | Review the policy rule Summary to verify it's configured correctly and Save.

STEP 10 | Push your Endpoint Policy rule.


1. Select Push Policies and Push Policies.
2. (Optional) Enter a Description for the Endpoint DLP policy push.
3. Review the Push Policies scope to understand which Endpoint DLP policy rules and
peripheral group configuration changes are included in the push.
4. Push.

STEP 11 | Review your Endpoint DLP Audit and Push Logs.

STEP 12 | Review your Enterprise DLP Incidents.


A DLP incident is generated when a user moves a file from the endpoint to the peripheral
device, sensitive data is detected in the file, and the file move is blocked.

STEP 13 | (Block policy rule for USB and Network Share Peripherals on macOS only) The Prisma Access
Agent automatically moves a blocked file to the following local folder on the endpoint for
quarantine for 90 days when Endpoint DLP detects and blocks a file containing sensitive
data. The Prisma Access Agent automatically deletes the file from the endpoint after 90
days.
/Library/Application Support/PaloAltoNetworks/DLP/quarantine/
This applies to all file movement operations available on macOS. Navigate to the local folder
on the endpoint and move the file to a different folder on the endpoint to recover the file.


Troubleshoot Endpoint DLP


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• Prisma Access (Managed by Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
• Autonomous DEM 5.3.4 or later
• Prisma Access Agent
• One of the following Prisma Access versions:
• 10.2—Prisma Access 5.2
• 11.2—Prisma Access 5.1 or 5.2

Use the troubleshooting steps below to triage and understand why some or all of your endpoints
are erroneously allowing file movement between the endpoint and a peripheral device when you
have Endpoint DLP configured to prevent exfiltration of sensitive data.
STEP 1 | Verify that the Endpoint DLP service is enabled on Prisma Access Agent installed on the
endpoint after setting up Endpoint DLP and pushing an Endpoint DLP policy rule.
1. Open the Command Line Interface (CLI) on the endpoint.
2. Navigate to the Prisma Access Agent folder.
• Microsoft Windows—/Program Files/Palo Alto Networks/Prisma Access Agent
• macOS—/Applications/Prisma\ Access\ Agent.app/Contents/Helpers/
3. Check the status of the Endpoint DLP service.
./PACli dlp status
The Endpoint DLP service is enabled if the command returns DLP Status: enabled.

STEP 2 | Log in to Strata Cloud Manager.

STEP 3 | Review your Endpoint DLP incidents to confirm whether impacted endpoints are generating
DLP incidents as expected.
Enterprise Data Loss Prevention (E-DLP) creates a DLP incident every time the DLP Cloud
service detects sensitive data in forwarded traffic. Start by reviewing your Endpoint DLP
incidents if you know a DLP incident should have been generated. If you expected a DLP


incident to be generated, but none was, it might mean there is an issue with your Endpoint
DLP policy rulebase or an issue with the Prisma Access Agent.
For example, you have an Endpoint DLP policy rule configured to inspect for personally
identifiable information (PII). You know a user moved a file containing PII data from a specific
endpoint to a peripheral device. In this case, you expect Endpoint DLP to block the file move
and generate an incident. If Enterprise DLP does not create a DLP incident, then it warrants
further investigation to resolve.
To narrow down the list of DLP incidents you need to review, select Add Filter > Policy Type
and apply the Endpoint: Data in Motion and Endpoint: Peripheral Control filters to display
only Endpoint DLP incidents. You can also use the User-ID search option if you know the
User-ID of the endpoint you're troubleshooting.

STEP 4 | Review your Endpoint DLP policy rules.


In some cases, your Endpoint DLP policy rulebase might have issues that unintentionally allow
exfiltration of sensitive data or might not be configured correctly. Some things to look for
when reviewing your Endpoint DLP policy rulebase are:
• Is your Endpoint DLP policy rulebase ordered correctly? Traffic is evaluated against your
policy rulebase in a top-down priority. If traffic matches a policy rule, the Prisma Access
Agent takes the configured action and no further evaluation against any other policy rule
occurs.
• Are the correct Endpoint DLP policy rules enabled? The Prisma Access Agent only evaluates
traffic against enabled policy rules.
• Are your Endpoint DLP policy rules configured correctly? Are the correct users or user
groups configured? Are the correct peripheral devices configured? Did you select the
correct data profile?
If you confirm that your Endpoint DLP policy rulebase is ordered and configured correctly it
may mean there are issues with the Prisma Access Agent.

STEP 5 | Check your Endpoint DLP audit and push logs to confirm the committed configuration
changes pushed to endpoints.
The audit logs track the history of all configuration changes made across your entire
Enterprise DLP configuration. Push logs are specific to Endpoint DLP and track all
configuration change pushes from Strata Cloud Manager to Prisma Access Agents installed on
protected endpoints.
For example, you reviewed your audit logs and confirm that your Endpoint DLP admin made
configuration and policy rule changes. However, upon review of your push logs you discover
that the operation to push these changes from Strata Cloud Manager to all endpoints failed
with the message Endpoint DLP Policy/Configuration failed. This means that
even though your Endpoint DLP admin made the appropriate configuration changes, they
never made it down to the Prisma Access Agent.
If you're consistently seeing Endpoint DLP Policy/Configuration failed in your
push logs, it could mean there is an issue with one or more Prisma Access Agents that need
further investigation.


STEP 6 | Select Manage > Prisma Access Agent and verify that the Prisma Access Agent installed on
each impacted endpoint is connected.
This is required to push Endpoint DLP configurations and policy rules from Strata Cloud
Manager. If the Prisma Access Agent isn't connected then it can't receive Endpoint DLP
configuration and policy rule changes or forward matched traffic to Enterprise DLP for
inspection and verdict rendering. Review the Prisma Access Agent documentation for
configuration details.
Confirm the Enterprise DLP and Endpoint DLP connectivity status. If the status is Disabled
then the Prisma Access Agent can't receive the Endpoint DLP configuration and policy rules
required to prevent exfiltration of sensitive data to peripheral devices.
• In the Device list, confirm that the Endpoint DLP Status is Enabled.
• Click the Hostname of an impacted endpoint and, in the Endpoint DLP Information section,
confirm the DLP Status is Enabled.
If you verify that the Prisma Access Agent on impacted endpoints is connected and the Prisma
Access Agent configuration has no issues then you need to contact Palo Alto Networks for
additional support.

STEP 7 | Generate Prisma Access Agent logs to submit to Palo Alto Networks Customer Support.
1. Select Manage > Prisma Access Agent and click one of the impacted endpoints.
2. Select Actions > Generate Agent Logs. The logs download to your local device.
3. Repeat this step for all impacted endpoints.
4. Contact Palo Alto Networks Customer Support to submit a support ticket. Be sure to
include the Prisma Access Agent logs you downloaded.


Data Dictionaries

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

Data dictionaries are a collection of one or more keywords or phrases that you want to detect
and prevent from being exfiltrated. A data dictionary is added as match criteria alongside the other
supported match criteria in advanced and nested data profiles to increase the Enterprise Data
Loss Prevention (E-DLP) detection accuracy.
You can add multiple data dictionaries to a single data profile. For example, you create an
advanced data profile with the OR condition and multiple match criteria Groups. You can add a
unique data dictionary for each match criteria group to ensure high detection accuracy for each
OR match criteria condition.
Review the requirements to upload a data dictionary to Enterprise DLP:
• Up to 100 custom dictionaries are supported per tenant.
• Only .csv and .txt file types are supported.
• Files up to 1 MB are supported.
• Maximum of 200 words per custom dictionary.
• Maximum of 128 characters and minimum of 3 characters per word.
• Files containing double byte characters, for example Chinese, Japanese, and Korean, are
supported.
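A pre-upload check that applies the requirements above to a dictionary file before you submit it. This is an added example, not Palo Alto Networks code; it assumes 1 MB means 1 MiB, that the per-word limit counts characters rather than bytes (so double-byte keywords are handled), that a .txt file holds one keyword per line and a .csv file one keyword per cell, and the sample files are constructed.

```python
"""Pre-upload checks for an Enterprise DLP data dictionary file.

Added example, not Palo Alto Networks code. The limits are the ones stated in
the guide (.csv/.txt only, 1 MB, 200 words, 3-128 characters per word). Assumed
here: 1 MB means 1 MiB, the length limit counts characters rather than bytes
(so double-byte CJK keywords are handled), a .txt file holds one keyword per
line, and a .csv file holds one keyword per cell.
"""
from __future__ import annotations

import csv
import io
import os
from dataclasses import dataclass, field

MAX_FILE_BYTES = 1024 * 1024     # "Files up to 1 MB are supported" (1 MiB assumed)
MAX_WORDS = 200                  # maximum of 200 words per custom dictionary
MIN_WORD_CHARS = 3               # minimum of 3 characters per word
MAX_WORD_CHARS = 128             # maximum of 128 characters per word
ALLOWED_EXTENSIONS = {".csv", ".txt"}


@dataclass
class DictionaryCheck:
    keywords: list[str] = field(default_factory=list)
    errors: list[str] = field(default_factory=list)     # would make the upload fail
    warnings: list[str] = field(default_factory=list)   # accepted, but wasteful

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_keywords(data: bytes, extension: str) -> list[str]:
    """Decode as UTF-8 and split into keywords; len() then counts characters,
    so a four-character Japanese keyword counts as 4, not as 12 bytes."""
    text = data.decode("utf-8-sig")
    if extension == ".csv":
        cells = [cell.strip() for row in csv.reader(io.StringIO(text)) for cell in row]
    else:
        cells = [line.strip() for line in text.splitlines()]
    return [cell for cell in cells if cell]


def check_dictionary(filename: str, data: bytes) -> DictionaryCheck:
    """Apply the upload requirements to a file name and its raw contents."""
    result = DictionaryCheck()
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        result.errors.append(f"unsupported file type {ext!r}; only .csv and .txt are accepted")
        return result
    if len(data) > MAX_FILE_BYTES:
        result.errors.append(f"file is {len(data)} bytes; limit is {MAX_FILE_BYTES}")
    try:
        keywords = parse_keywords(data, ext)
    except UnicodeDecodeError:
        result.errors.append("file is not valid UTF-8 text")
        return result
    if not keywords:
        result.errors.append("no keywords found")
    if len(keywords) > MAX_WORDS:
        result.errors.append(f"{len(keywords)} keywords; limit is {MAX_WORDS}")
    for kw in keywords:
        if not MIN_WORD_CHARS <= len(kw) <= MAX_WORD_CHARS:
            result.errors.append(
                f"keyword {kw!r} is {len(kw)} characters; must be {MIN_WORD_CHARS}-{MAX_WORD_CHARS}")
    # Case-insensitive duplicates are accepted but each burns one of the 200 slots.
    seen: set[str] = set()
    for kw in keywords:
        if kw.casefold() in seen:
            result.warnings.append(f"duplicate keyword {kw!r} uses one of the {MAX_WORDS} slots")
        seen.add(kw.casefold())
    result.keywords = keywords
    return result


# Constructed sample files, not taken from the guide.
SAMPLE_CSV = "merger,Project Titan,confidential-memo,機密情報\n".encode("utf-8")
SAMPLE_TXT = "Project Titan\nab\nproject titan\n".encode("utf-8")

if __name__ == "__main__":
    for name, body in (("keywords.csv", SAMPLE_CSV), ("keywords.txt", SAMPLE_TXT)):
        check = check_dictionary(name, body)
        print(name, "OK" if check.ok else "REJECT", check.errors, check.warnings)
```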
STEP 1 | Log in to Strata Cloud Manager.


STEP 2 | Select Manage > Configuration > Data Loss Prevention > Detection Methods > Data
Dictionary and Add Custom Dictionary.


STEP 3 | Upload the data dictionary to Enterprise DLP.


1. Enter a descriptive Name for the data dictionary.
The data dictionary must have a unique name. The upload fails if a data dictionary with
an identical name already exists.
Special characters are not supported.
2. (Optional) Enter a Description for the data dictionary.
Special characters are not supported.
3. Select the data dictionary Category.
The data dictionary category is used to group together similar types of data dictionaries
for administrative purposes.
You can specify one of the following predefined categories—Academia, Confidential,
Employment, Financial, Government, Healthcare, Legal, Marketing, or Source Code.
4. Specify whether proximity keywords are Case Sensitive.
This setting instructs Enterprise DLP to treat uppercase and lowercase letters for all
proximity keywords in the data dictionary as distinct (case sensitive) if enabled or as
equivalent (case insensitive) if disabled.
5. In the Keywords section, drag and drop the data dictionary file or Browse Files to
navigate to and select the data dictionary file.
Only one data dictionary file can be uploaded at a time. Upload will fail if you attempt to
upload multiple data dictionaries at one time.
6. Create.


STEP 4 | Verify that the data dictionary was successfully uploaded.

STEP 5 | Create or modify an advanced or nested data profile to add your data dictionary.


Data dictionaries complement the match criteria in your advanced and nested data profiles and
increase the likelihood of positive detections.


Recommendations for Security Policy Rules



Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

How you create your Security policy rules using Enterprise Data Loss Prevention (E-DLP) and
how you order those Security policy rules within your rulebase has significant impact on your
security outcomes. Review the recommendations and tips for creating a Security policy rule using
Enterprise DLP to prevent exfiltration of sensitive data and strengthen your overall security
posture.
For both new and existing security administrators, review the Security Policy Best Practices.
Regardless of the Security product you use, Palo Alto Networks recommends you review and
implement these best practices when creating or updating your Security policy rulebase. These
best practices are designed to reduce your attack surface and help safeguard your network and
business assets.
Before you associate a data profile with a Security policy rule, review the recommendations to
reduce false positive detections.
False positive detections are commonly caused by traffic match criteria in your data patterns
that are too generalized or may be instances where the Enterprise DLP machine learning (ML)
models need to be manually trained. Create specific and narrow data pattern match criteria
to add to your data profiles to help reduce the likelihood of false positive detections. This can
help you triage and more easily implement changes when sensitive data isn't detected and
blocked.


Consider the Security policy rule orderings in your policy rulebase.


Security action is taken based on the first Security rule the inspected traffic matches. If the
first policy rule is too broad or overly permissive, it may result in sensitive data leaving your
network.
• Order Security policy rules with more granular and specific data profiles, or for the more
sensitive and business-critical applications, at the top of the policy rulebase.
This lets you filter traffic for sanctioned applications based on the App-ID with the
Enterprise DLP data profile for a specific set of users, traffic, or applications.
• Order Security policy rules with broad data profiles, or for the less risky applications and set
of users, at the bottom of the policy rulebase.
This lets you filter traffic based on the App-ID category and can use predefined data profiles
for one or more less risky sets of users, traffic, or applications.
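A small model of the top-down, first-match evaluation described above, which also applies to the Endpoint DLP rulebase ordering check in the Troubleshoot Endpoint DLP steps. It shows why a broad rule placed above a granular one silently shadows it. This is an added example, not Palo Alto Networks code; the rule fields, group and App-ID names and sample rules are constructed.

```python
"""Top-down, first-match rule evaluation with a shadowing check.

Added example, not Palo Alto Networks code. It models the evaluation order the
guide describes for Security policy rules and for the Endpoint DLP rulebase:
the first enabled rule that matches decides the action, and nothing below it
is consulted. Rule fields, group and App-ID names and sample rules are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ANY = frozenset({"*"})  # sentinel for a match field left at Any


@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset[str]   # user groups, or ANY
    apps: frozenset[str]    # App-IDs, or ANY
    data_profile: str
    action: str             # "alert" or "block"
    enabled: bool = True

    def matches(self, user_group: str, app: str) -> bool:
        return ((self.users == ANY or user_group in self.users)
                and (self.apps == ANY or app in self.apps))

    def covers(self, other: Rule) -> bool:
        """True when every flow `other` could match is also matched by `self`."""
        users_ok = self.users == ANY or (other.users != ANY and other.users <= self.users)
        apps_ok = self.apps == ANY or (other.apps != ANY and other.apps <= self.apps)
        return users_ok and apps_ok


def evaluate(rulebase: list[Rule], user_group: str, app: str) -> Optional[Rule]:
    """First enabled matching rule wins; disabled rules are skipped entirely."""
    for rule in rulebase:
        if rule.enabled and rule.matches(user_group, app):
            return rule
    return None


def shadowed_rules(rulebase: list[Rule]) -> list[tuple[str, str]]:
    """(shadowed, shadowing) pairs: rules that can never be reached because an
    enabled rule above them already covers all of their traffic."""
    found = []
    for i, lower in enumerate(rulebase):
        for upper in rulebase[:i]:
            if upper.enabled and upper.covers(lower):
                found.append((lower.name, upper.name))
                break
    return found


# Constructed sample rulebase: a broad predefined-profile alert rule and a
# granular block rule for the finance group's uploads to one sanctioned app.
BROAD = Rule("broad-alert", ANY, ANY, "predefined-PII", "alert")
GRANULAR = Rule("finance-block", frozenset({"finance"}), frozenset({"box-upload"}),
                "custom-financials", "block")

MISORDERED = [BROAD, GRANULAR]   # broad rule on top: the granular rule is shadowed
CORRECTED = [GRANULAR, BROAD]    # granular rule on top, as recommended above

if __name__ == "__main__":
    for label, rb in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        hit = evaluate(rb, "finance", "box-upload")
        print(f"{label}: finance -> box-upload hits {hit.name} ({hit.action}); "
              f"shadowed: {shadowed_rules(rb)}")
```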

Consider the traffic direction and whether you want a different security action taken
depending on whether the traffic is a download or an upload.
Review the supported apps to understand which applications support download inspection,
upload inspection, or both. You can create specific data profiles if you want to take different
security actions based on whether the traffic is a download or an upload.
• Panorama—Create a data profile for file-based or non-file based detections
• Strata Cloud Manager—Modify a DLP Rule on Strata Cloud Manager


Consider the scope of your Security policy rule.


• Match Criteria Source and Destination—Add specific addresses or users, and don't select
Any.
For granular Security policy rules, Palo Alto Networks recommends you select one or more
specific users or a single user group. For broad Security policy rules, you can select multiple
user groups.
• Application/Service—Select one or more of the Enterprise DLP supported apps.
For granular Security policy rules, Palo Alto Networks recommends adding only a single
application. For broad Security policy rules, you can create an application group to which
you want to apply the same security requirements.
• (Strata Cloud Manager) Profile Group—For granular and specific match criteria, add a
custom data profile with the specific match criteria you want to inspect for and block to the
Security Profile Group you want to associate with the Security policy rule.
For broad match criteria, you can use the predefined best-practice Security Profile
Group or create a new Security Profile Group with one of the predefined data profiles.
• (Panorama) Profile Settings - Profiles or Groups—For granular and specific match criteria,
add a custom data profile or profile group with the specific match criteria you want to
inspect for and block. For broad match criteria, you can use a predefined data profile.
Take advantage of External Dynamic Lists (EDL) to allow common services on your network.
EDLs are dynamic and allow you to make changes to the endpoints you want to protect without
requiring additional commits when a change is made. Custom EDLs are useful because they
can be hosted on a web server as a simple text file. Alternatively, you can use the Feed URLs
provided by the EDL Hosting Service for supported apps.


Enterprise DLP Migrator



Where Can I Use This?
• NGFW (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

Use the Enterprise Data Loss Prevention (E-DLP) Migrator to migrate your Symantec DLP policy
rules and convert them into SaaS Security Data Asset policy rules. This allows you to quickly
transition to Palo Alto Networks Enterprise DLP without the need to manually recreate all your
Data Asset policy rules designed to prevent exfiltration of sensitive data.
To migrate your existing Symantec DLP policy rules, you simply need to export them from
Symantec DLP and import them into the Enterprise DLP migration tool. The Enterprise DLP
migration tool then evaluates the imported Security policy rules to verify that they are compatible
with Enterprise DLP and SaaS Security. Enterprise DLP creates a data pattern and a classic data
profile with names identical to the migrated Symantec DLP policy rule as part of the migration to
capture the traffic match criteria.
If Enterprise DLP detects an incompatible Security policy rule traffic match criteria, you can
choose to delete the incompatible match criteria from the Symantec DLP policy rule before
the migration begins or choose to exclude that specific Symantec DLP policy from migration.
Enterprise DLP adds a successfully migrated Symantec DLP policy rule as a Disabled SaaS
Security Data Asset policy rule. You can then review the Data Asset policy rule, make changes if
needed, and enable the policy rule.
Enterprise DLP supports migration of Symantec DLP policy rules in .xml format and with one or
more of the following match criteria:
• Regular expressions—A customized expression that defines a specific text pattern to inspect
for and block.


• Keywords—Specific words specified to improve detection accuracy and reduce false positives.
Referred to as Proximity Keywords in Palo Alto Networks Enterprise DLP.
• Data Identifiers—The data match criteria added to a Symantec DLP policy rule. Referred to as
a data pattern in Palo Alto Networks Enterprise DLP.
• Response Action—Enterprise DLP supports one Response Action per Symantec DLP policy
rule. Enterprise DLP applies the highest priority Response Action if it detects a Symantec DLP
policy rule with more than one Response Action.
The priority list of Symantec DLP Response Actions is:
1. Quarantine
2. Remove Collaboration Action and Remove Collaboration Link
In SaaS Security, the Change Sharing Action in a Data Asset policy rule allows you to
remove collaborators and links using one Data Asset policy rule.
3. Notify Owner
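The compatibility triage and Response Action priority described above, as an added example that is not the Enterprise DLP Migrator's own code. It models the Compatible / Partially Compatible / Incompatible classification, the Review Selected > Delete step, and the priority order of Response Actions; the rule structure, the criteria type names and the sample rules are constructed, and the Symantec XML export is not parsed.

```python
"""Compatibility triage of exported Symantec DLP rules before migration.

Added example, not the Enterprise DLP Migrator's own code. It models the
classification the guide describes (Compatible, Partially Compatible,
Incompatible, based on which match criteria Enterprise DLP supports), the
Review Selected > Delete step, and the Response Action priority (Quarantine,
then Remove Collaboration, then Notify Owner). The rule structure, criteria
type names and sample rules are constructed; the XML export is not parsed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Match criteria types the migration supports (type names constructed).
SUPPORTED_CRITERIA = {"regex", "keyword", "data_identifier"}

# Symantec Response Actions, highest priority first.
RESPONSE_PRIORITY = ["Quarantine", "Remove Collaboration Action",
                     "Remove Collaboration Link", "Notify Owner"]
# Data Asset policy rule equivalents; both Remove Collaboration actions become
# the single Change Sharing action.
SAAS_ACTION = {"Quarantine": "Quarantine",
               "Remove Collaboration Action": "Change Sharing",
               "Remove Collaboration Link": "Change Sharing",
               "Notify Owner": "Notify Owner"}


@dataclass
class SymantecRule:
    name: str
    criteria: list[str]    # match criteria types present in the rule
    responses: list[str]   # Response Actions present in the rule


@dataclass
class MigrationReview:
    name: str
    status: str                        # Compatible / Partially Compatible / Incompatible
    saas_action: Optional[str] = None  # action the Data Asset policy rule would get
    notes: list[str] = field(default_factory=list)   # what the Notes column would show


def classify(rule: SymantecRule) -> MigrationReview:
    unsupported = [c for c in rule.criteria if c not in SUPPORTED_CRITERIA]
    if not rule.criteria or len(unsupported) == len(rule.criteria):
        status = "Incompatible"          # nothing left that could be migrated
    elif unsupported:
        status = "Partially Compatible"  # migratable once unsupported criteria are deleted
    else:
        status = "Compatible"
    review = MigrationReview(rule.name, status)
    review.notes.extend(f"unsupported match criteria: {c}" for c in unsupported)
    # One Response Action per rule: the first in priority order that the rule contains.
    chosen = next((r for r in RESPONSE_PRIORITY if r in rule.responses), None)
    if chosen is None:
        review.notes.append("no recognised Response Action")
    else:
        review.saas_action = SAAS_ACTION[chosen]
        if len(rule.responses) > 1:
            review.notes.append(f"several Response Actions; highest priority '{chosen}' applied")
    return review


def delete_incompatible_criteria(rule: SymantecRule) -> SymantecRule:
    """The Review Selected > Delete step: strip unsupported criteria from a
    Partially Compatible rule so it becomes Compatible. An Incompatible rule
    cannot be turned into a Compatible one, so it is returned unchanged."""
    if classify(rule).status != "Partially Compatible":
        return rule
    return SymantecRule(rule.name,
                        [c for c in rule.criteria if c in SUPPORTED_CRITERIA],
                        list(rule.responses))


# Constructed sample export, not taken from the guide.
SAMPLE_RULES = [
    SymantecRule("pii-regex", ["regex", "keyword"], ["Notify Owner"]),
    SymantecRule("shared-docs", ["data_identifier", "file_size"],
                 ["Notify Owner", "Remove Collaboration Link"]),
    SymantecRule("legacy-size-only", ["file_size"], ["Quarantine"]),
]

if __name__ == "__main__":
    for sample in SAMPLE_RULES:
        review = classify(sample)
        print(f"{review.name}: {review.status}, action={review.saas_action}, notes={review.notes}")
```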
STEP 1 | Export your existing Symantec DLP policy rules in .xml format.

STEP 2 | Log in to Strata Cloud Manager.

STEP 3 | Select Manage > Configuration > SaaS Security > Settings > All Settings > DLP Migration
Assistant.

STEP 4 | Upload the Symantec DLP policy rules to the Enterprise DLP Migrator.
1. Enter a descriptive Migration Name for the Symantec DLP policy rule migration.
2. In the Upload XML Files section, drag and drop the Symantec DLP policy rules files in
.xml format.


STEP 5 | Import the XML files you uploaded to the Enterprise DLP Migrator.
Enterprise DLP begins to import and analyze your uploaded policy rules to verify compatibility.
Continue to the next step once the import status reaches 100%.

STEP 6 | Review your uploaded policy rules.


Enterprise DLP lists the number of compatible, partially compatible, and incompatible policy
rules from the total number of policy rules uploaded in the previous step.
• Compatible—Policy rule is compatible with Enterprise DLP and is ready for migration. No
further review required to prepare the policy rule for migration to Enterprise DLP.
• Partially Compatible—Policy rule contains one or more traffic match criteria that are
incompatible with Enterprise DLP. Review and delete the incompatible traffic match
conditions before you can migrate the policy rule to Enterprise DLP.
• Incompatible—All traffic match criteria in the policy rule are incompatible with Enterprise
DLP. You can't migrate an incompatible Symantec DLP policy rule to Enterprise DLP.
The Notes column displays the specific issue causing the traffic match incompatibility with
Enterprise DLP.


STEP 7 | Review and address your Partially Compatible policy rules.


Skip this step if you want to only migrate Compatible rules and don't want to migrate any
Partially Compatible policy rules.

You can also select multiple Partially Compatible policy rules to review. If you select
multiple policy rules, you must switch between them to address each policy rule
individually.
Enterprise DLP Migrator does not support turning an Incompatible policy rule into a
Compatible policy rule.

Below is an example of Partially Compatible Symantec DLP policy rules an admin might need to
review before migration to Enterprise DLP.
1. Select one or more Partially Compatible policy rules you want to review.
2. Review Selected.

3. Select the Incompatible traffic match criteria and Delete.


When prompted, confirm you want to Delete the selected incompatible traffic match
criteria.
If you selected multiple policy rules, use the navigation arrows in the top-right corner
of the Review Policy page and repeat this step until you delete all incompatible traffic
match criteria.
After you delete all incompatible traffic match criteria from the selected Partially
Compatible policy rules, click the X in the top-right corner to continue migration to
Enterprise DLP.

4. The policy rules now show that they are Compatible and Ready to Migrate.


STEP 8 | Migrate one or more policy rules to Enterprise DLP.


1. In the Review Policies page, select one or more policy rules and Migrate to PANW.
2. Enterprise DLP displays a verification window detailing the number of Compatible policy
rules selected for migration.
Additionally, you can specify whether these policy rules are automatically Enabled after
successful migration. By default, all migrated policy rules are Disabled.
3. Migrate the selected policy rules.

4. A progress bar displays the current policy rule migration progress.


STEP 9 | Enterprise DLP displays a summary of the successfully migrated policy rules.
Additionally, you can:
• Export PDF—Export a PDF file of the policy rules you migrated to Enterprise DLP. You
download the PDF to your local device.
• Migration History—Redirects you to view the history of all previous successful policy rule
migrations.
• View Policies—Redirects you to view your migrated policy rules in the SaaS Security Data
Asset Policies, where you can review and enable them.
Click View Policies to continue to the next step.


STEP 10 | Review and enable your migrated policy rules.


1. After a successful policy rule migration, click View Policies or select Manage >
Configuration > SaaS Security > Data Security > Policies > Data Asset Policies.

If you manually navigated to the SaaS Security Data Asset Policies, you also
need to apply the Status: Disabled filter.
2. Click the Policy Name to review the traffic match criteria and verify Enterprise DLP
successfully migrated the policy rule.
The Data Asset policy rule name is the same as the Symantec DLP policy rule XML file
name you uploaded in the previous step. Enterprise DLP automatically populates the
following Data Asset policy rule settings:
• Description—Original Symantec DLP policy rule honored during migration and
applied to the new Data Asset policy rule to preserve any important information and
descriptions about the policy rule.

• Data Profile—Enterprise DLP enables the Data Pattern/Profile match criteria and
attaches the Data Profile created during the migration that contains all the traffic
match criteria to the Data Asset policy rule.

Classic data profiles support predefined, custom, and file property data
patterns only.
If you want to improve Enterprise DLP detection capabilities and accuracy
with advanced detection methods, you must recreate the data profile as an
advanced data profile or create a nested data profile. In either case, you
must reattach the new data profile to the Data Asset policy rule.

• Action—The SaaS Security equivalent of the Response Action from the Symantec DLP
policy rule.


You can edit the migrated Data Asset policy rule Policy Name or make any other
changes as needed from this page. Click Save if you made any changes or Cancel if you
reviewed the migrated policy rule match criteria and confirmed you don't need to make
any changes.
3. Expand the Action column and Enable the policy rule.
4. Apply the Status: Enabled filter and order your policy rule as needed.
Refer to the Recommendations for Security Policy Rules for more information on how to
order your policy rules in your policy rulebase.
5. Repeat this step for all migrated policy rules.



Monitor Enterprise DLP
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license. Review the Supported Platforms for details on the required license for each enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

View the log details, snippets, and Insights for traffic that matches your Enterprise Data Loss
Prevention (E-DLP) data patterns or filtering profiles and check the health of Enterprise DLP cloud
service.
• Monitor DLP Status with the DLP Health and Telemetry App
• Enterprise DLP Incident Management
• View Enterprise DLP Log Details
• Manage Enterprise DLP Incidents
• View Enterprise DLP Audit Logs
• Reasons for Inspection Failure
• Save Evidence for Investigative Analysis with Enterprise DLP
• Data Risk
• End User Coaching
• Data Asset Explorer
• Report a False Positive Detection


Monitor DLP Status with the DLP Health and Telemetry App

With an Enterprise Data Loss Prevention (E-DLP) license, you can access the DLP Health &
Telemetry app, which provides visibility into the health of the Enterprise DLP service. Enterprise
DLP service insights are available for any Palo Alto Networks product where you purchased an
Enterprise DLP license.
• Access the DLP Health and Telemetry Dashboard on Strata Cloud Manager
• Monitor DLP Service Status

Access the DLP Health and Telemetry Dashboard on Strata Cloud Manager
DLP Health and Telemetry Dashboard is accessible from Strata Cloud Manager. All you need is an
account administrator or app administrator role and a valid Enterprise DLP license.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Health &
Telemetry.


Monitor DLP Service Status


The Dashboard displays real-time DLP status. If you experience issues with DLP (for example, the
Prisma Access (Managed by Strata Cloud Manager) web interface doesn’t display data patterns or
data profiles), verify that the DLP service status is Operational.

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Observe the DLP Service Status and the Last Updated timestamp.

Status Description

Operational DLP services are up and running.

Degraded Experience DLP services are up and running, but not operating optimally.

Service Unavailable DLP services are down.

Planned Maintenance DLP services are down due to scheduled maintenance.


View Enterprise DLP Log Details



An Enterprise Data Loss Prevention (E-DLP) Incident is generated when traffic matches your
Enterprise DLP data profiles for Prisma Access (Managed by Strata Cloud Manager) and SaaS
Security on Strata Cloud Manager. You can then filter and view the DLP Incident for the detected
traffic, such as matched data patterns, the source and destination of the traffic, the file and file
type. Additionally, the DLP Incident displays the specific data pattern that the traffic matched and
also displays the total number of unique and total occurrences of those data pattern matches.
You can then view this sensitive content called a snippet. A snippet is evidence or identifiable
information associated with a pattern match. For example, if you specified a data pattern of Credit
Card Number, the managed firewall returns the credit card number of the user as the snippet that
was matched. By default, the managed firewall returns snippets.
Strata Cloud Manager uses data masking to mask the data in the snippets. By default, the DLP
Incident displays the last four digits of the value in cleartext (partial masking). For example, a
DLP Incident displays a snippet of a credit card number as XXXX-XXXX-XXXX-1234. You can
also specify the data to be completely displayed in cleartext or to fully mask the data and hide all
values.

Snippets are available for regular expression (regex)-based patterns only.
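The regex match, the unique/total occurrence counts and the three snippet display modes described above, as an added example that is not part of this guide or of Enterprise DLP itself. It uses a constructed card-number regex plus a Luhn check (the predefined Credit Card Number data pattern is not reproduced here) and constructed sample text; the function names are this example's own.

```python
from __future__ import annotations

import re

# Constructed regex-based data pattern for this example: a 16-digit card number
# written as four groups of four digits separated by a space, a dash, or nothing.
# (The real Enterprise DLP predefined pattern is not reproduced here.)
CARD_PATTERN = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum; filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_snippets(text: str) -> list[str]:
    """Return every validated match as the cleartext snippet the firewall would report."""
    return [
        m.group(0)
        for m in CARD_PATTERN.finditer(text)
        if luhn_ok(re.sub(r"\D", "", m.group(0)))
    ]


def occurrence_counts(snippets: list[str]) -> tuple[int, int]:
    """(unique, total) occurrences, as the DLP Incident reports them.

    Uniqueness is decided on the digits only, so '4111-1111-1111-1111' and
    '4111 1111 1111 1111' count as one unique value but two occurrences."""
    normalised = {re.sub(r"\D", "", s) for s in snippets}
    return len(normalised), len(snippets)


def mask_snippet(snippet: str, mode: str = "partial") -> str:
    """Apply one of the three display modes the text describes.

    partial   -> last four digits in cleartext, every other digit masked (default)
    full      -> every digit masked
    cleartext -> the snippet exactly as matched
    Separators are kept so a masked value is still recognisable as a card number.
    """
    if mode == "cleartext":
        return snippet
    if mode not in ("partial", "full"):
        raise ValueError(f"unknown masking mode: {mode}")
    digit_positions = [i for i, c in enumerate(snippet) if c.isdigit()]
    keep = set(digit_positions[-4:]) if mode == "partial" else set()
    return "".join(
        c if (not c.isdigit() or i in keep) else "X" for i, c in enumerate(snippet)
    )


# Constructed sample input: two valid test card numbers (one repeated with a
# different separator) and one 16-digit string that fails the Luhn check.
SAMPLE_TEXT = (
    "Cardholder A: 4111-1111-1111-1111\n"
    "Backup copy : 4111 1111 1111 1111\n"
    "Cardholder B: 5500000000000004\n"
    "Order number: 1234 5678 9012 3456\n"
)


def build_incident_view(text: str, mode: str = "partial") -> dict:
    """What an investigator sees in the incident: counts plus masked snippets."""
    snippets = find_snippets(text)
    unique, total = occurrence_counts(snippets)
    return {
        "unique": unique,
        "total": total,
        "snippets": [mask_snippet(s, mode) for s in snippets],
    }


if __name__ == "__main__":
    for display_mode in ("partial", "full", "cleartext"):
        print(display_mode, build_incident_view(SAMPLE_TEXT, display_mode))
```

The Luhn check is what keeps the order number out of the snippet list; without it, any 16-digit string would be reported and masked, which is the kind of false positive the Report a False Positive Detection topic exists for.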

• Strata Cloud Manager
• Panorama
• Email DLP
• Endpoint DLP

Strata Cloud Manager


STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > DLP Incidents.

STEP 3 | Select a Scan Date and Region to filter the DLP Incidents.
Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
For Prisma Access (Managed by Strata Cloud Manager) and NGFW (Managed by Strata Cloud
Manager), Enterprise DLP automatically resolves to the closest Public Cloud Server to where
the inspected traffic originated.

When a new Public Cloud Server is introduced, Enterprise DLP automatically resolves to
it if it’s closer to where the inspected traffic originated.
This might mean that new DLP Incidents generated after the release of a new Public
Cloud Server are generated in a different Region.

STEP 4 | Review the DLP Incidents summary information to help focus your incident investigation.
These lists are updated hourly.
• Top Data Profiles to Investigate—Lists up to seven data profiles with the highest number of
incidents in descending order.
• Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified
Domain Names (FQDN) with the highest number of incidents in descending order.
• Sensitive Files by Action—Lists the number of incidents based on the Action taken by
Enterprise DLP in descending order.

STEP 5 | Review the Incidents and click the File name to review detailed information for a specific
incident.
You can Add New Filter to filter the DLP incidents by Action, Channel, Data Profile or
Response Status to search for a specific incident you want to review.


STEP 6 | Review the Incident Details to review specific file upload details.
Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID
is used to view additional Traffic log details regarding the DLP incident.
• Info
The Info panel displays general information about the DLP incident.
• Channel/Source—The security endpoint using Enterprise DLP through which the
incident occurred.
• Incident ID—Unique ID for the DLP incident.
• Report ID—Unique ID used to view additional Traffic log details regarding the DLP
incident.
• Action—The action Enterprise DLP took on the traffic that matched your DLP rule.
• Data Profile—Data profile that traffic matched against that generated the incident.
• Assign To—Select an admin to review and manage the DLP incident.
• Status—Select the resolution status of the DLP incident.
• Priority—Specify the DLP incident priority. You can select P1, P2, P3, P4, or P5.
• Data
• Asset—Name of the file containing sensitive data that generated the incident. For non-
file inspection, the asset name is http-post-put.
• Type—File type for the file that generated the incident. For non-file inspection, the type
is non-file.
• Direction—Indicates whether the matched traffic was a Download or an Upload when
the incident occurred.
• Scan Date—Date and time the matched traffic was scanned and the DLP incident was
generated.
• User
User data requires integration with Cloud Identity Engine (CIE) to display. The User data
displayed corresponds to Palo Alto Networks Attributes that correlate to specific directory
provider fields in CIE.
• User ID—ID of the user that generated the DLP incident.
The User ID field does not require CIE integration. However, the corresponding Palo Alto
Networks Attribute is User Principal Name.
• Role—Role of the user that generated the DLP incident.
Corresponding Palo Alto Networks Attribute is Title.
• Organization—Organization the user that generated the DLP incident is associated with.
Corresponding Palo Alto Networks Attribute is Department.
• Location—Location of the user that generated the DLP incident.
Corresponding Palo Alto Networks Attribute is Location.
• Manager—Manager of the user that generated the DLP incident.
Corresponding Palo Alto Networks Attribute is Manager.


• Session
• Device—Serial number of the firewall that blocked a file or generated an alert.
• Destination IP—Target upload or download IP address of the application or user.
• App—App ID for the target application.
• URL—Fully Qualified Domain Name (FQDN) of the target application or user.
• Annotations
The Annotations section allows you to add notes and details regarding the DLP incident.
Save any annotations regarding the DLP incident so other administrators can view them.


STEP 7 | Review the Matches within Data Profiles to review snippets of matching traffic and the data
patterns that matched the traffic to better understand what data was detected.

For nested data profiles, Enterprise DLP displays the name of the nested data profile
and not the specific data profile containing the match criteria that matched inspected
traffic. For example, you create a DataProfile, with the nested profiles Profile1,
Profile2, and Profile3. Enterprise DLP inspects traffic that matches Profile2
and blocks it. In this scenario, the Matches within Data Profile displays
DataProfile.
Additionally, you can filter the Matches within Data Profile for a nested
data profile to display traffic matches against specific associated data profiles.


STEP 8 | Review the file log to learn about the traffic data for the DLP incident.
1. Select Incidents & Alerts > Log Viewer.
2. From the Firewall drop-down, select File.
3. Filter to view the file log for the DLP incident using the Report ID.
Report ID = <report-id>
4. Review the file log to learn more about the traffic data for the DLP incident.

STEP 9 | Manage Enterprise DLP Incidents.

Panorama
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Monitor > Logs > Data Filtering and Filter the data filtering logs by entering
( subtype eq dlp ).


STEP 3 | View more details about the file including file snippets.
1. Click to the left of the specific log entry for which you want to view more details.
2. Select DLP to view the pattern details.
3. Show Snippet to view a snippet of the data that matched the specific data pattern.

For nested data profiles, Enterprise DLP displays the name of the nested
data profile and not the specific data profile containing the match criteria
that matched inspected traffic. For example, you create a nested data profile
called DataProfile and you add Profile1, Profile2, and Profile3.
Enterprise DLP inspects traffic that matches Profile2 and blocks it. In
this scenario, the Data Profile Name in the DLP incident logs displays
DataProfile.

4. Review the masked snippet to understand what data was detected.

STEP 4 | Manage Enterprise DLP Incidents.

View Enterprise DLP Log Details for Email DLP


STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > SaaS Security > Data Security > Logs.

STEP 3 | Click View Logs for Email DLP Logs.


STEP 4 | Filter your Email DLP logs as needed.


• You can search for specific Email DLP logs based on the email Subject, Message ID, Sender
email, or Recipient email.
• Click Add Filter and filter your Email DLP logs based on:
• Processing Time—Time it took the Email DLP to scan and forward email back to your
Microsoft Exchange or Gmail relay host. The processing time is the Time Released minus
the Time Captured.
• Status—The Enterprise DLP inspection status indicating whether sensitive data was
detected and whether the forwarded email was bounced.
Common scenarios that cause Email DLP to return a bounce log are typically related
to incorrect relay host settings entered when you connected Microsoft Exchange or Gmail,
or to networking issues affecting your email server relay host:
• Recipient Issues
• Recipient's email address is incorrect, their mailbox doesn't exist or isn't accepting
new emails.
Resolution—Verify the recipient's email address and ensure their account is active.
• Recipient's inbox is full.
Resolution—Reduce the email or email attachment size, or ask the recipient to free
space in their inbox.
• Invalid recipient email address.
Resolution—The recipient's email address might be in the wrong format or not
allowed by the receiving email server's policies. Review the email address for typos
or errors.
• Authentication and Configuration Issues
• Authentication issues such as incorrect login credentials or missing authentication.
Resolution—Ensure you are using the correct username and password and that you
properly configured authentication for your email server.
• Domain Name Server (DNS) configuration and resolution issues.
Resolution—Verify you configured your DNS records correctly and that the email
server can resolve the recipient's domain.
• Email Server Policy Issues
• The receiving email server might have anti-spam policies blocking your email.
Resolution—Ensure your domain and IP address are not blacklisted and that your
email meets the requirements of anti-spam policies.
• Poor sender reputation leading to automated email blocks.
Resolution—Improve your sender reputation by sending legitimate emails and
following best practices for email marketing.
• IP address or domain blacklisting causing your emails to be blocked.
Resolution—Check if your IP address or domain is listed on any blacklists and take
steps to remove them if necessary.
• Status Note—Detailed note populated by Enterprise DLP further describing the
Enterprise DLP inspection Status.
• Time Captured—Date and time Email DLP captured the forwarded email.
• Time Released—Date and time Email DLP returned the forwarded email back to the
sender's email server.
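Processing Time and the three bounce categories above, applied to a batch of log records, as an added example that is not part of this guide. The records, the status strings, the status notes and the keyword lists that map a Status Note onto a category are all constructed for the example; the real Email DLP log export format is not reproduced, and the field names are this example's own.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed Email DLP log records. The keys mirror the columns described above
# (Status, Status Note, Time Captured, Time Released); the message IDs, timestamps,
# status strings and notes are made up and are not real Enterprise DLP output.
SAMPLE_LOGS = [
    {"message_id": "<a1@example.test>", "status": "Sensitive data detected", "status_note": "",
     "time_captured": "2025-04-01T10:00:00Z", "time_released": "2025-04-01T10:00:04Z"},
    {"message_id": "<b2@example.test>", "status": "Bounced",
     "status_note": "550 5.1.1 recipient mailbox does not exist",
     "time_captured": "2025-04-01T10:01:00Z", "time_released": "2025-04-01T10:01:02Z"},
    {"message_id": "<c3@example.test>", "status": "Bounced",
     "status_note": "535 5.7.8 authentication credentials invalid for relay host",
     "time_captured": "2025-04-01T10:02:00Z", "time_released": "2025-04-01T10:02:01Z"},
    {"message_id": "<d4@example.test>", "status": "Bounced",
     "status_note": "554 5.7.1 sender IP listed on a public blocklist",
     "time_captured": "2025-04-01T10:03:00Z", "time_released": "2025-04-01T10:03:01Z"},
    {"message_id": "<e5@example.test>", "status": "No sensitive data detected", "status_note": "",
     "time_captured": "2025-04-01T10:04:00Z", "time_released": "2025-04-01T10:05:10Z"},
]

# Assumed keyword heuristics that map a bounce Status Note onto the three
# categories the text lists. Evaluated in order; the first category with a hit wins.
BOUNCE_CATEGORIES = [
    ("Recipient Issues",
     ("recipient", "mailbox", "user unknown", "quota", "inbox is full")),
    ("Authentication and Configuration Issues",
     ("authentication", "credentials", "dns", "resolve", "relay")),
    ("Email Server Policy Issues",
     ("spam", "reputation", "blocklist", "blacklist", "policy")),
]


def parse_ts(value: str) -> datetime:
    """Timestamps in the constructed records are UTC ISO 8601 with a Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def processing_time(record: dict) -> timedelta:
    """Processing Time as defined above: Time Released minus Time Captured."""
    return parse_ts(record["time_released"]) - parse_ts(record["time_captured"])


def classify_bounce(status_note: str) -> str:
    """Assign a Status Note to one of the bounce categories by keyword."""
    note = status_note.lower()
    for category, keywords in BOUNCE_CATEGORIES:
        if any(keyword in note for keyword in keywords):
            return category
    return "Uncategorized"


def triage(logs: list[dict], slow_threshold: timedelta = timedelta(seconds=30)) -> dict:
    """Group bounces by probable cause and flag deliveries held longer than the threshold.

    Slow releases matter because the relay host may time out on its side and
    retry, which shows up as duplicate messages rather than as a DLP finding."""
    report: dict = {"bounces": {}, "slow": [], "max_processing_seconds": 0.0}
    for rec in logs:
        elapsed = processing_time(rec)
        report["max_processing_seconds"] = max(
            report["max_processing_seconds"], elapsed.total_seconds()
        )
        if elapsed > slow_threshold:
            report["slow"].append(rec["message_id"])
        if rec["status"] == "Bounced":
            category = classify_bounce(rec["status_note"])
            report["bounces"].setdefault(category, []).append(rec["message_id"])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

Order matters in BOUNCE_CATEGORIES: a note such as "recipient mailbox rejected by relay" mentions both a recipient and the relay host, and the recipient category is tried first because that is the cheaper thing to verify.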

View Enterprise DLP Log Details for Endpoint DLP


No data profile or snippet is displayed for a Peripheral Control Endpoint DLP policy rule.
A peripheral control policy rule controls an endpoint device's access to a peripheral device
(block or alert). As a result, no data profile is required because no traffic inspection occurs.

Multiple DLP Incidents (Manage > Configuration > Data Loss Prevention > DLP
Incidents) can be generated for a single file move operation from the endpoint and
peripheral device. Some examples of when this may occur are:
• Extracting the file contents of a compressed file from the endpoint to a peripheral
device.
• An application that generates any artifact files when writing to a peripheral device. For
example, the Microsoft BITSAdmin tool generates multiple .tmp files when writing to a
peripheral device.
To prevent exfiltration of sensitive data, Enterprise DLP inspects every file associated with
the file move operation from the endpoint to the peripheral device. This ensures that all
impacted files are captured in your logs and analyzed. However, this may result in the
creation of unnecessary DLP Incidents.
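One way to collapse the extra incidents a single file move can produce, as an added example that is not part of this guide or of the Endpoint DLP product. The incident records, the artifact-name suffixes and the grouping window are constructed assumptions; the fields used (User ID, peripheral Serial Number, Asset, Scan Date, Action) are the ones the Incident Details panel described later in this section exposes.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Endpoint DLP incident records. The keys mirror Incident Details
# fields (User ID, peripheral Serial Number, Asset, Scan Date, Action); the
# values are made up for this example.
SAMPLE_INCIDENTS = [
    {"incident_id": "i-1001", "user_id": "alice@example.test", "peripheral_serial": "USB-0001",
     "asset": "payroll.xlsx", "scan_date": "2025-04-02T09:15:00Z", "action": "Block"},
    {"incident_id": "i-1002", "user_id": "alice@example.test", "peripheral_serial": "USB-0001",
     "asset": "BIT1A2B.tmp", "scan_date": "2025-04-02T09:15:01Z", "action": "Block"},
    {"incident_id": "i-1003", "user_id": "alice@example.test", "peripheral_serial": "USB-0001",
     "asset": "BIT3C4D.tmp", "scan_date": "2025-04-02T09:15:01Z", "action": "Block"},
    {"incident_id": "i-1004", "user_id": "bob@example.test", "peripheral_serial": "USB-0002",
     "asset": "archive.zip", "scan_date": "2025-04-02T09:20:00Z", "action": "Alert"},
    {"incident_id": "i-1005", "user_id": "bob@example.test", "peripheral_serial": "USB-0002",
     "asset": "archive/contracts.docx", "scan_date": "2025-04-02T09:20:02Z", "action": "Alert"},
    {"incident_id": "i-1006", "user_id": "alice@example.test", "peripheral_serial": "USB-0001",
     "asset": "notes.txt", "scan_date": "2025-04-02T11:00:00Z", "action": "Block"},
]

# Assumed suffixes of transient files that tools write alongside the real copy.
ARTIFACT_SUFFIXES = (".tmp", ".partial", ".crdownload")


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_artifact(asset: str) -> bool:
    return asset.lower().endswith(ARTIFACT_SUFFIXES)


def group_file_moves(incidents: list[dict], window: timedelta = timedelta(seconds=5)) -> list[dict]:
    """Cluster incidents that belong to one file-move operation.

    Two incidents land in the same operation when they share User ID and
    peripheral serial number and the later scan date is within `window` of the
    previous incident in that cluster. Each cluster keeps one primary asset,
    lists other real files as related (for example members of an extracted
    archive) and sets artifact files aside, so an analyst reviews one operation
    instead of N incidents. Nothing is discarded: every incident ID stays in
    the cluster it was assigned to."""
    by_key: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for inc in sorted(incidents, key=lambda r: parse_ts(r["scan_date"])):
        by_key[(inc["user_id"], inc["peripheral_serial"])].append(inc)

    operations: list[dict] = []
    for (user, serial), items in by_key.items():
        current = None
        for inc in items:
            ts = parse_ts(inc["scan_date"])
            if current is None or ts - current["last_seen"] > window:
                current = {"user_id": user, "peripheral_serial": serial,
                           "first_seen": ts, "last_seen": ts, "incident_ids": [],
                           "primary_asset": None, "related_assets": [], "artifacts": []}
                operations.append(current)
            current["last_seen"] = ts
            current["incident_ids"].append(inc["incident_id"])
            if is_artifact(inc["asset"]):
                current["artifacts"].append(inc["asset"])
            elif current["primary_asset"] is None:
                current["primary_asset"] = inc["asset"]
            else:
                current["related_assets"].append(inc["asset"])
    return operations


if __name__ == "__main__":
    for op in group_file_moves(SAMPLE_INCIDENTS):
        print(op["user_id"], op["peripheral_serial"], op["primary_asset"],
              len(op["incident_ids"]), "incidents", len(op["artifacts"]), "artifacts")
```

The window is deliberately short: a second file copied to the same device a couple of minutes later is a separate decision by the user and should stay a separate incident, as the notes.txt record does here.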

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > DLP Incidents.


STEP 3 | Select a Scan Date and Region to filter the DLP Incidents.
Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
For Prisma Access (Managed by Strata Cloud Manager) and NGFW (Managed by Strata Cloud
Manager), Enterprise DLP automatically resolves to the closest Public Cloud Server to where
the inspected traffic originated.

When a new Public Cloud Server is introduced, Enterprise DLP automatically resolves to
it if it’s closer to where the inspected traffic originated.
This might mean that new DLP Incidents generated after the release of a new Public
Cloud Server are generated in a different Region.

STEP 4 | Add Filter and select the Action to filter for the specific Endpoint DLP policy rule action you
want to investigate.
For example, select only Block if you wanted to investigate all Endpoint DLP incidents where
access to a peripheral device or file movement from the endpoint to the peripheral device was
blocked.


STEP 5 | Review the Incidents and click the Incident ID to review detailed information for a specific
incident.


STEP 6 | Review the Incident Details to review specific file upload details.
Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID
is used to view additional Traffic log details regarding the DLP incident.
• Info
The Info panel displays general information about the DLP incident.
• Channel/Source—The enforcement point using Enterprise DLP through which the
incident occurred. This field always displays Endpoint DLP.
• Incident ID—Unique ID for the DLP incident.
• Report ID—Unique ID used to view additional Traffic log details regarding the DLP
incident.
• Action—The action Enterprise DLP took on the traffic that matched your DLP rule.
• Data Profile—Data profile that traffic matched against that generated the incident.
A data profile is displayed for Data in Motion Endpoint DLP policy rules only. For
Peripheral Control Endpoint DLP policy rules, Not Found is displayed.
• Assign To—Select an admin to review and manage the DLP incident.
• Status—Select the resolution status of the DLP incident.
• Priority—Specify the DLP incident priority. You can select P1, P2, P3, P4, or P5.
• Data
• Asset—Name of the file containing sensitive data that generated the incident. For non-
file inspection, the asset name is http-post-put.
• Type—File type for the file that generated the incident. For non-file inspection, the type
is non-file.
• Direction—Indicates whether the matched traffic was a Download or an Upload when
the incident occurred.
• Scan Date—Date and time the matched traffic was scanned and the DLP incident was
generated.
• User
User data requires integration with Cloud Identity Engine (CIE) to display. The User data
displayed correspond to Palo Alto Networks Attributes that correlate to specific directory
provider fields in CIE.
• User ID—ID of the user that generated the DLP incident.
The User-ID field does not require CIE integration. However, the corresponding Palo
Alto Networks Attribute is User Principal Name.
• Role—Role of the user who generated the DLP incident.
Corresponding Palo Alto Networks Attribute is Title.
• Organization—Organization the user who generated the DLP incident is associated with.
Corresponding Palo Alto Networks Attribute is Department.
• Location—Location of the user who generated the DLP incident.
Corresponding Palo Alto Networks Attribute is Location.


• Manager—Manager of the user who generated the DLP incident.
Corresponding Palo Alto Networks Attribute is Manager.
• Session
• Prisma Access Device SN—Serial number of the endpoint that generated the DLP
incident.
• Endpoint OS—Operating system and version running on the endpoint that generated the
DLP incident.
• App—App-ID for the target application.
• URL—Fully Qualified Domain Name (FQDN) of the target application or user.
• Peripheral Information—Details about the specific peripheral device connected to the
endpoint that generated the DLP incident.
This information includes the Peripheral Type, Name, Manufacturer, Model, Product ID,
Vendor ID, and Serial Number.
• Annotations
The Annotations section allows you to add notes and details regarding the DLP incident.
Save any annotations regarding the DLP incident so other administrators can view them.


STEP 7 | (Data in Motion only) Review the Matches within Data Profiles to review snippets of
matching traffic and the data patterns that matched the traffic to better understand what
data was detected.

For nested data profiles, Enterprise DLP displays the name of the nested data profile
and not the specific data profile containing the match criteria that matched inspected
traffic. For example, you create a DataProfile, with the nested profiles Profile1,
Profile2, and Profile3. Enterprise DLP inspects traffic that matches Profile2
and blocks it. In this scenario, the Matches within Data Profile displays
DataProfile.
Additionally, you can filter the Matches within Data Profile for a nested
data profile to display traffic matches against specific associated data profiles.


STEP 8 | Review the file log to learn about the traffic data for the DLP incident.
1. Select Incidents & Alerts > Log Viewer.
2. From the Firewall drop-down, select File.
3. Filter to view the file log for the DLP incident using the Report ID.
Report ID = <report-id>
4. Review the file log to learn more about the traffic data for the DLP incident.

STEP 9 | Manage Enterprise DLP Incidents.


Manage Enterprise DLP Incidents



Manage your Enterprise Data Loss Prevention (E-DLP) incidents to investigate and resolve
incidents when traffic matches your Enterprise DLP data profiles.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > DLP Incidents.

STEP 3 | View your Enterprise DLP incidents.

STEP 4 | (Optional) Add New Filter to filter the Enterprise DLP incidents.


STEP 5 | Select one or more Incidents and Assign To a team member.


You can search and assign an incident to an existing user or type a new name to Create User. If
you create a new user, the user must have access to Strata Cloud Manager.

STEP 6 | Change Resolution as your team works to resolve the incident that triggered Enterprise DLP
enforcement.
You can select one of the predefined incident resolution statuses or type a new resolution
status to Create Tag.

STEP 7 | For additional auditing and clarity for your team members, you can Edit Notes to provide
further details.
Save after you finish providing the additional information in your notes. The existing note is
overwritten if you save a new note.
Delete the note if no longer needed.


View Enterprise DLP Audit Logs



Review your Enterprise Data Loss Prevention (E-DLP) audit logs for a comprehensive history of
the changes that occurred across your Enterprise DLP security service. Enterprise DLP audit logs
maintain a history of when data patterns and data profiles are created, updated, or deleted.
For Endpoint DLP, you can view the audit logs to review the change history for your Endpoint
DLP configuration changes as you would for Enterprise DLP. Additionally, Push Logs reflect the
latest Endpoint DLP policy rule and setting changes that were pushed, and the Push Log
history lets you review when Endpoint DLP policy or rule configuration changes were
pushed, by whom, and a summary of all the changes included in the push.
• Strata Cloud Manager
• Email DLP
• Push Logs (Endpoint DLP)

View Enterprise DLP Audit Logs on Strata Cloud Manager


STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Audit Log.


STEP 3 | (Optional) Filter Enterprise DLP audit logs as needed.


• Enter an email in the search bar to filter the audit logs by user.
• Add New Filter to filter the Enterprise DLP audit logs based on:
• Time—Select a predefined time frame or specify a Custom time frame. For the predefined
time frame, you can select Past 60 Minutes, Past 24 Hours, Past 7 Days, Past 30 Days,
or All.
• Channel—Select the security enforcement point where the change occurred. You can
select Enterprise DLP, NGFW, Prisma Access, SaaS Security, and Strata Cloud Manager.
• Event—Select the type of audit log event to view. You can select Create, Update, and
Delete.

STEP 4 | Click View Details to see detailed information about a specific audit log.
You can view additional audit log details to better understand what changed in your Enterprise
DLP configuration. When you update an existing data pattern, data profile, or other Enterprise
DLP configuration object, Enterprise DLP highlights in red what the security admin deleted and
highlights in green what the security admin added or changed.
Some audit log data displayed when you View Details include:
• What was configured in a newly created data pattern or data profile.
• What was updated in an existing data pattern, data profile, or DLP Rule.
• When you create an advanced detection method like a custom document type and data
dictionary.
• When you add or update an Endpoint DLP peripheral device.
• When you add or update an Endpoint DLP policy rule.

View Enterprise DLP Audit Logs for Email DLP


STEP 1 | Log in to Strata Cloud Manager.


STEP 2 | Select Manage > Configuration > SaaS Security > Settings > Monitor Actions Taken by SaaS
Security.

STEP 3 | Filter the audit logs as needed.


• Enter an email in the search bar to filter the audit logs by user email.
• Specify the time frame Duration you want to investigate. You can select Past 24 Hours,
Past 7 Days, Past 30 Days, Past 90 Days, or Past 1 Year.
• Filter the Email DLP audit logs based on the Event you want to investigate. The common
Email DLP events are Create, Update, Delete, and Download.

STEP 4 | Review your Email DLP audit logs.


In the Resources column, SaaS Security prepends all Email DLP events with Email. For
example, Email Policy, Email Content, and Email Evidence Storage.

View Enterprise DLP Push Logs for Endpoint DLP


STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Audit Log > Push Logs.

STEP 3 | Review your Endpoint DLP Push Logs.


• Time—Date and time the Endpoint DLP policy push was performed. Timestamp is in MM/
DD/YY hh:mm format.
• User—Email of the administrator who performed the Endpoint DLP policy push.
• Request ID—ID of the policy push operation from Strata Cloud Manager to Prisma Access
Agent installed on endpoint devices. The Request ID is used for troubleshooting in the
event you push Endpoint DLP changes but the Prisma Access Agent doesn't take the
expected Endpoint DLP policy rule action.
• Event—Status of the Endpoint DLP policy rule and configuration push. For a successful
push, the Event column displays Endpoint DLP Policy/Configuration pushed successfully.
For a failed push, the Event column displays Endpoint DLP Policy/Configuration failed.
Click View Details to review detailed information about a specific Endpoint DLP policy rule
and configuration push.

STEP 4 | Review detailed information about a specific Endpoint DLP policy rule and configuration
push.
• Status—Status of the push operation; can be Success or Failure.
• Start Time—Date and time the push operation was initiated. Timestamp is in MM/DD/YY
hh:mm format.
• End Time—Date and time the push operation completed regardless of status. Timestamp is
in MM/DD/YY hh:mm format.
• Description—Description for the push operation added by the security administrator. This field is blank if no description was added when the push was initiated.
• Request ID—ID of the policy push operation from Strata Cloud Manager to the Prisma Access Agent installed on endpoint devices. Quote the Request ID when troubleshooting a case where you pushed Endpoint DLP changes but the Prisma Access Agent doesn't take the expected Endpoint DLP policy rule action.
• Policies—List of new or modified Endpoint DLP policy rules included in the push.
• Peripherals—List of peripheral devices added to Endpoint DLP.
• Peripheral Groups—List of newly created or modified peripheral groups.
• Settings—List of Endpoint DLP data filtering and snippet setting changes.


Reasons for Inspection Failure


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license. Review the Supported Platforms for details on the required license for each enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

In some cases, Enterprise Data Loss Prevention (E-DLP) is unable to inspect, and render a verdict on, file-based or non-file-based traffic that matches an Enterprise DLP data profile, and as a result no DLP incident is generated. A log entry is still generated whenever Enterprise DLP is unable to inspect matched traffic, and it records why.


• Strata Cloud Manager—View the File log (Incident & Alerts > Log Viewer)
Apply a Sub Type = dlp or Sub Type = dlp-non-file filter to narrow down the list of
file logs.
If the Reason for Data Filtering Action column isn’t displayed, expand the menu for any
displayed column to search for and check (enable) Reason for Data Filtering Action.

• Panorama™ management server—View the Data Filtering log (Monitor > Logs > Data
Filtering).
Apply a (subtype eq dlp) filter to narrow down the list of data filtering logs.
If the Reason for Action column isn’t displayed, expand the menu for any displayed column and
click Columns and check (enable) Reason for Action.

File logs display a Reason for Data Filtering Action and data filtering logs display a
Reason for Action column describing what data filtering action was taken by your security
endpoint. In this case, the reason why Enterprise DLP was unable to inspect the matched traffic is
described. Review the list of reasons why Enterprise DLP was unable to inspect matched traffic.


Reason for Action / Description

Scan Skipped: File Size > Limit
    Inspection skipped because the maximum file size limit was exceeded. To avoid this in the future, you can increase the Max File Size.

Scan Skipped: Latency > Limit
    Inspection skipped because the maximum latency limit was exceeded. To avoid this in the future, you can increase the Max Latency.

Scan Skipped: Rate > Limit
    Inspection skipped because Enterprise DLP received the maximum number of inspection requests.

Scan Skipped: Out of memory
    Inspection skipped because Enterprise DLP memory usage was exceeded.

Scan Skipped: Profile not found
    Inspection skipped because the NGFW or Prisma Access tenant couldn't find the matched data profile. Review your Security policy rules to ensure the associated data profile exists.

Scan Skipped: Scan req timeout
    Inspection was skipped because the inspection request timed out.

Scan ERR: Rule1 invalid action
    Inspected traffic matched the Primary rule in the data profile, but the Action is invalid. The Action must be either Block or Alert.

Scan ERR: Rule2 invalid action
    Inspected traffic matched the Secondary rule in the data profile, but the Action is invalid. The Action must be either Block or Alert.

FW Skipped: Data Length > Limit
    The NGFW or Prisma Access tenant did not forward traffic to Enterprise DLP because the non-file traffic exceeded the Max Data Size in the Non-File Based Settings. To avoid this, you can increase the Max Data Size for non-file traffic.

FW Skipped: Resource Limit
    Enterprise DLP was unable to inspect traffic due to an error when forwarding traffic. This can occur when the NGFW or Prisma Access tenant memory usage reaches 100%.

FW Skipped: Fail to Start
    The NGFW or Prisma Access tenant was unable to forward traffic to Enterprise DLP for inspection because the session between the NGFW or Prisma Access tenant and Enterprise DLP couldn't be initialized. This can occur when the NGFW or Prisma Access tenant memory usage reaches 80% or higher.

FW Skipped: Transmit Pkts
    The NGFW or Prisma Access tenant encountered an error when forwarding packets or finishing the forwarding operation to Enterprise DLP. This can occur when the firewall memory usage reaches 100%.

Internal Errors
    Generic error due to an internal error. Requires troubleshooting by Palo Alto Networks Support to understand the cause of the error that prevented traffic inspection by Enterprise DLP.
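As a worked example of what an operations team does with these reasons, the following Python script (added here as an illustration; it is not part of the Palo Alto Networks documentation or product) groups uninspected flows from a Data Filtering log export by reason and by who owns the fix, and raises an alert when the FW Skipped reasons, which the table ties to firewall memory pressure, recur. The export columns, the sample rows and the owner groupings are constructed for the example; the column names in particular are an assumption, so map them to the headers of your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Column names approximate a Data Filtering log export
# and are an assumption, not the exact schema of the product's CSV export.
SAMPLE_EXPORT = """receive_time,src_user,file_name,subtype,reason_for_action
2025/04/14 09:01:12,alice@example.com,q1_report.xlsx,dlp,Scan Skipped: File Size > Limit
2025/04/14 09:01:40,bob@example.com,payroll.csv,dlp,FW Skipped: Fail to Start
2025/04/14 09:02:05,bob@example.com,payroll.csv,dlp,FW Skipped: Transmit Pkts
2025/04/14 09:02:33,carol@example.com,-,dlp-non-file,FW Skipped: Data Length > Limit
2025/04/14 09:03:10,dave@example.com,contract.pdf,dlp,Scan ERR: Rule1 invalid action
2025/04/14 09:03:44,erin@example.com,notes.docx,dlp,FW Skipped: Resource Limit
2025/04/14 09:04:02,alice@example.com,customers.csv,dlp,Internal Errors
2025/04/14 09:04:50,frank@example.com,archive.zip,dlp,Scan Skipped: Scan req timeout
"""

# Map each reason from the table to who owns the fix. The grouping is an editorial
# reading of the table's remediation text, not a classification the product provides.
REASON_OWNER = {
    "Scan Skipped: File Size > Limit": "tuning",      # raise Max File Size
    "Scan Skipped: Latency > Limit": "tuning",        # raise Max Latency
    "FW Skipped: Data Length > Limit": "tuning",      # raise Max Data Size (non-file)
    "Scan Skipped: Rate > Limit": "capacity",         # cloud service request ceiling
    "Scan Skipped: Out of memory": "capacity",        # cloud service memory
    "Scan Skipped: Scan req timeout": "capacity",
    "FW Skipped: Resource Limit": "capacity",         # firewall memory at 100%
    "FW Skipped: Fail to Start": "capacity",          # firewall memory at 80% or higher
    "FW Skipped: Transmit Pkts": "capacity",          # firewall memory at 100%
    "Scan Skipped: Profile not found": "config",      # data profile missing from the rule
    "Scan ERR: Rule1 invalid action": "config",       # Primary rule action not Block/Alert
    "Scan ERR: Rule2 invalid action": "config",       # Secondary rule action not Block/Alert
    "Internal Errors": "support",                     # open a case with PAN Support
}

def triage(export_text, fw_skip_threshold=3):
    """Count uninspected flows by reason and by owner, and flag firewall capacity pressure.

    Returns per-reason counts, per-owner counts, the users whose traffic went
    uninspected (grouped by owner), any reason strings not in the table, and a
    flag set when the FW Skipped reasons reach fw_skip_threshold (a constructed
    threshold; those reasons point at the firewall, not the cloud service).
    """
    by_reason = Counter()
    by_owner = Counter()
    users = defaultdict(set)
    unknown = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reason = row["reason_for_action"].strip()
        owner = REASON_OWNER.get(reason)
        if owner is None:
            unknown.append(reason)
            continue
        by_reason[reason] += 1
        by_owner[owner] += 1
        users[owner].add(row["src_user"])
    fw_skips = sum(n for r, n in by_reason.items() if r.startswith("FW Skipped"))
    return {
        "by_reason": dict(by_reason),
        "by_owner": dict(by_owner),
        "users_by_owner": {k: sorted(v) for k, v in users.items()},
        "unknown_reasons": unknown,
        "fw_capacity_alert": fw_skips >= fw_skip_threshold,
    }

if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for owner, n in sorted(result["by_owner"].items()):
        print(f"{owner:9} {n:3}  users: {', '.join(result['users_by_owner'][owner])}")
    if result["fw_capacity_alert"]:
        print("ALERT: repeated FW Skipped reasons; check NGFW/Prisma Access memory usage")
```

The point of the owner split is that the three groups need different people: tuning findings go back to whoever owns the DLP settings, config findings mean a rule is silently not enforcing, and capacity findings mean traffic that should have been inspected was passed without a verdict, which is the case a SOC wants paged on rather than discovered in a monthly review.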


Save Evidence for Investigative Analysis with Enterprise DLP

Connect an AWS storage bucket, Azure storage account, or SFTP server to Enterprise Data Loss Prevention (E-DLP) to automatically store evidence of traffic scanned by Enterprise DLP that matches your Enterprise DLP data profiles. After evidence is successfully stored, you can download a file of the matched traffic for further investigation. Enterprise DLP supports connecting only one storage location at a time; you can't set up and connect multiple storage buckets to Enterprise DLP.
Enterprise DLP supports evidence storage for file-based traffic, non-file-based traffic, and Email DLP.
• Set Up SFTP Storage to Save Evidence
• Set Up Cloud Storage on AWS to Save Evidence
• Set Up Cloud Storage on Microsoft Azure to Save Evidence
• Download Files for Evidence Analysis


Set Up SFTP Storage to Save Evidence



To store your files scanned by the DLP cloud service, you must specify the SFTP server
connectivity information to successfully upload and write files to a target location on the SFTP
server. When the DLP cloud service uploads a file to your SFTP server, a reportId folder
is created by default. All files uploaded to your SFTP server by the DLP cloud service are
uploaded to the reportId folder within your folder path. Files uploaded to your SFTP server
are automatically named using the SFTP target folder location, default reportId folder, and
filename.
The following special characters in a file name are not supported and prevent Enterprise Data
Loss Prevention (E-DLP) from saving files to SFTP storage: '/ \ * ? <>'. If you have a file
name that includes one of these special characters, you must change the special character to an
underscore (_) so Enterprise DLP can save a copy of the file.
In case of connection issues to your SFTP server due to configuration error or change in settings
on the SFTP server, an email is automatically generated and sent to the admin that originally
connected Enterprise DLP to the SFTP server and to the user who last modified the storage
bucket connection settings. This email is sent out every 48 hours until the connection is restored.

Files that are scanned by the DLP cloud service while Enterprise DLP is disconnected from
your storage bucket can’t be stored and are lost. This means that all impacted files aren’t
available for download. However, all snippet data is preserved and can still be viewed on
Enterprise DLP on the hub.
File storage automatically resumes after the connection status is restored.


This procedure assumes you have already set up an SFTP server to save evidence for investigative
analysis.
STEP 1 | Review the setup prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.
• You must allow all IP addresses for Evidence Storage in the region where the SFTP server is deployed. This gives Enterprise DLP access to your network so it can write to your SFTP server.
• You must allow the IP address or FQDN of the SFTP server on your network. The SFTP server must be reachable from Enterprise DLP so it can write to your SFTP server.

STEP 2 | Log in to Strata Cloud Manager.

Access to evidence storage settings and files on Strata Cloud Manager is allowed only
for an account administrator or app administrator role with Enterprise DLP read and
write privileges. This is to ensure that only the appropriate users have access to report
data and evidence.

STEP 3 | Select Manage > Configuration > Data Loss Prevention > Settings > Sensitive Data and
select Configure Bucket > SFTP as the Public Cloud Storage Bucket.

STEP 4 | Review the Instructions - SFTP and click Next.

STEP 5 | Input Bucket Details to configure the SFTP server connection settings.
1. Enter the Username of the SFTP server user used for secure file uploads.
The user is required to have read and write access to the target location on the SFTP server. Because the matching private key is handed to the DLP cloud service, create a dedicated account and key pair for this integration rather than reusing an administrator's key.
2. Enter the Private Key for the SFTP server.
This is required to authenticate the SSH connection to the SFTP server. Paste the complete PEM-encoded key, including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY header and footer lines.
3. (Optional) Enter the public PGP Key used to encrypt files uploaded to the SFTP server.
Pretty Good Privacy (PGP) is an encryption program providing privacy and authentication for data communication, and used for signing, encrypting, and decrypting files. Paste the ASCII-armored public key block, including its BEGIN PGP PUBLIC KEY BLOCK and END PGP PUBLIC KEY BLOCK header and footer lines; do not paste a private key here. Only the holder of the matching private key can then read the stored evidence.

4. Enter the Hostname of the SFTP server.


The Hostname can be a Fully Qualified Domain Name (FQDN) or an IPv4 address. If you enter an FQDN, it must be publicly resolvable. If you enter an IPv4 address, it must be a public address. Enterprise DLP cannot connect to a private FQDN or IPv4 address.
5. (Optional) Enter the Folder Path for uploaded files to specify the target location where
files are uploaded to on the SFTP server.
If no Folder Path is specified, the DLP cloud service creates the default reportId folder
at the top-most folder the Username has read and write access to. The folder path for
uploaded files depends on whether a Folder Path is specified.
• Folder Path Specified—<folder path>/reportId/<file name>
• Folder Path Not Specified—/reportId/<file name>
6. Enter the Port number through which files are uploaded to the SFTP server.
Palo Alto Networks recommends using Port 22 for file uploads to your SFTP server.
For uncommon ports, Enterprise DLP needs to open the egress port for connection and
upload.

STEP 6 | Connect to the SFTP server.

As part of the setup process, a file called Palo_Alto_Networks_DLP_Connection_Test.txt is uploaded to the target Folder Path on your SFTP server. Connectivity between the DLP cloud service and your SFTP server is successful if the DLP cloud service successfully uploads the test file.
The Connection Status displays whether the initial connection test was successful. Continue to the next step when the bucket connected successfully.
Click Previous if the connection isn't successful to modify the SFTP server and connection settings as needed.

STEP 7 | Save the SFTP server connectivity settings.

STEP 8 | Enable Sensitive Files for your enforcement points.


You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint
DLP. Enable evidence storage when prompted to confirm.

STEP 9 | Download Files for Evidence Analysis.
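The following Python pre-flight check is added as an example and is not part of the product or its documentation. It applies the rules from the note on unsupported file-name characters and from Step 5 before you paste values into Strata Cloud Manager: it sanitizes a file name the way the note requires, computes the upload path shown in Step 5.5 for both the specified and unspecified Folder Path cases, rejects private, loopback and IPv6 hostnames, checks that the private key carries the required header and footer lines, and flags a non-default port. The key material and host names in it are constructed placeholders, the FQDN check is syntactic only (public resolvability has to be tested from outside your network), and the expectation that the PGP key is a standard ASCII-armored public key block is an assumption.

```python
import ipaddress
import re

# Characters the note above lists as unsupported in a file name; each is replaced by '_'.
UNSUPPORTED = set("/\\*?<>")

# Header and footer lines the Private Key field requires.
PRIVATE_KEY_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
PRIVATE_KEY_FOOTER = "-----END RSA PRIVATE KEY-----"
# Assumption: the optional PGP key is pasted as a standard ASCII-armored public key block.
PGP_PUBLIC_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
PGP_PUBLIC_FOOTER = "-----END PGP PUBLIC KEY BLOCK-----"

# Syntactic FQDN check only; public resolvability must be tested from outside your network.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed placeholders, not real keys: only the framing lines matter to the check.
SAMPLE_PRIVATE_KEY = "\n".join([PRIVATE_KEY_HEADER, "MIIEowIBAAKCAQEA...constructed...", PRIVATE_KEY_FOOTER])
SAMPLE_PGP_PUBLIC_KEY = "\n".join([PGP_PUBLIC_HEADER, "", "mQENBF...constructed...", PGP_PUBLIC_FOOTER])

def sanitize_file_name(name):
    """Replace every unsupported character with an underscore so the copy can be saved."""
    return "".join("_" if c in UNSUPPORTED else c for c in name)

def upload_path(file_name, folder_path=None):
    """Path the DLP cloud service writes to: <folder path>/reportId/<file name>, or /reportId/<file name>."""
    base = folder_path.strip().rstrip("/") if folder_path and folder_path.strip() else ""
    return f"{base}/reportId/{sanitize_file_name(file_name)}"

def check_hostname(host):
    """Accept a public IPv4 address or an FQDN; reject private, loopback, link-local and IPv6 addresses."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if FQDN_RE.match(host):
            return True, "FQDN; confirm it resolves from the public internet"
        return False, "neither an IPv4 address nor a valid FQDN"
    if addr.version != 4:
        return False, "only IPv4 addresses are accepted"
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return False, "not a public address; Enterprise DLP cannot reach it"
    return True, "public IPv4"

def preflight(username, private_key, hostname, port=22, folder_path=None, pgp_public_key=None):
    """Return {'errors': [...], 'warnings': [...]} for a proposed SFTP evidence-storage configuration."""
    errors, warnings = [], []
    if not username.strip():
        errors.append("username is empty")
    key = private_key.strip()
    if not (key.startswith(PRIVATE_KEY_HEADER) and key.endswith(PRIVATE_KEY_FOOTER)):
        errors.append("private key must include the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines")
    ok, why = check_hostname(hostname)
    if not ok:
        errors.append(f"hostname {hostname!r}: {why}")
    if not 1 <= port <= 65535:
        errors.append(f"port {port} is out of range")
    elif port != 22:
        warnings.append(f"port {port} is not the recommended 22; Enterprise DLP must open egress for it")
    if pgp_public_key is not None:
        pgp = pgp_public_key.strip()
        if "PRIVATE KEY" in pgp:
            errors.append("PGP field contains a private key; paste the public key block instead")
        elif not (pgp.startswith(PGP_PUBLIC_HEADER) and pgp.endswith(PGP_PUBLIC_FOOTER)):
            errors.append("PGP key is not an ASCII-armored public key block")
    return {"errors": errors, "warnings": warnings}

if __name__ == "__main__":
    print(upload_path("q1/report*v2?.xlsx", "/evidence/dlp/"))
    print(preflight("dlp-upload", SAMPLE_PRIVATE_KEY, "sftp.example.com", pgp_public_key=SAMPLE_PGP_PUBLIC_KEY))
    print(preflight("dlp-upload", "ssh-rsa AAAA...", "192.168.1.10", port=2222, pgp_public_key=SAMPLE_PRIVATE_KEY))
```

Run it against the values you intend to enter; the second sample call shows the failure modes the procedure warns about (a public key pasted where the private key belongs, a private address, a private key pasted into the PGP field, and a non-standard port).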


Set Up Cloud Storage on AWS to Save Evidence



Amazon Web Services (AWS) users can configure an S3 storage bucket to automatically upload all
files that match an Enterprise Data Loss Prevention (E-DLP) data profile for Enterprise DLP.
To store your files scanned by the DLP cloud service, you must create an S3 storage bucket and an Identity and Access Management (IAM) role that allows the DLP cloud service to store files in it. Palo Alto Networks provides the JSON documents (a trust relationship and an access policy) that define the permissions for the IAM role. Files uploaded to your S3 storage bucket are automatically named using a unique Report ID for each file. The Report ID is used to search for and download specific files for more in-depth investigation.
In case of connection issues to your S3 storage bucket due to configuration error or change in
settings on the bucket, an email is automatically generated and sent to the admin that originally
connected Enterprise DLP to the storage bucket and to the user who last modified the storage
bucket connection settings. This email is sent out every 48 hours until the connection is restored.

Files that are scanned by the DLP cloud service while Enterprise DLP is disconnected from
your storage bucket can't be stored and are lost. This means that all impacted files are not
available for download. However, all snippet data is preserved and can still be viewed.
File storage automatically resumes after the connection status is restored.

• Set up Evidence Storage on Strata Cloud Manager Using AWS
• Set up Evidence Storage on Strata Cloud Manager Using AWS KMS


Set up Evidence Storage on Strata Cloud Manager Using AWS

STEP 1 | Review the setup prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.

STEP 2 | Create an S3 storage bucket in your AWS account to store files scanned by the Enterprise DLP cloud service.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
Leave Block Public Access enabled. The bucket holds copies of sensitive data, and the DLP cloud service reaches it through the IAM role you create in Step 4, not through public access.
5. In the Default encryption section, select Amazon S3 managed keys (SSE-S3) as the Encryption key type. To encrypt the bucket with a key you control, follow the AWS KMS procedure instead.

6. Create bucket.
7. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.


STEP 3 | Locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Storage Bucket.
4. In Instructions - AWS, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.
The first JSON provided is the trust relationship and the second is the access policy. Each has a copy button that you will use later to create the IAM role for the S3 storage bucket.
Leave the Configure Bucket for Evidence Storage display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.


STEP 4 | Create the IAM role for the S3 storage bucket.


This role is required to allow the DLP cloud service to write to the S3 storage bucket.
1. Log in to the Amazon AWS console.
2. Select Services > Security, Identity, and Compliance > IAM > Access management >
Roles and Create role.
3. On the Select trusted entity page, locate the Trusted entity type options.
4. For the Trusted entity type, select Custom trust policy.
5. Return to Strata Cloud Manager and copy the trust relationship JSON.
6. In the Amazon AWS console, paste the trust relationship JSON into the Custom trust
policy to configure the trust policy.

7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to Strata Cloud Manager and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.


12. Click Next.


13. Enter a Policy name and Create policy.
14. Return to the browser window where you're creating the IAM role,
15. Search for and select the access policy you created.

16. Click Next.


17. Enter a descriptive Role name for the IAM role.
18. Review the IAM role trust relationship and access policy.
19. Create role.


STEP 5 | Configure the S3 storage bucket for evidence file storage.


1. Log in to Strata Cloud Manager.

Access to evidence storage settings and files on Strata Cloud Manager is allowed
only for an account administrator or app administrator role with Enterprise
DLP read and write privileges. This is to ensure that only the appropriate users
have access to report data and evidence.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data and select AWS as the Public Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter the S3 Bucket Name of the bucket you created.
The name you enter in the Strata Cloud Manager must match the name of the S3 storage
bucket on AWS.
5. Enter the Role ARN for the IAM role you created.
The IAM Role ARN can be found in the IAM role Permissions. The role ARN is displayed
in the Summary.
6. Select the AWS Region where the bucket is located.

7. Select Connect to verify the connection status of your S3 storage bucket.

The DLP cloud service uploads a Palo_Alto_Networks_DLP_Connection_Test.txt file to your storage bucket to verify connectivity. Select Save if Enterprise DLP connects to your bucket successfully.
If Enterprise DLP can't connect to your bucket, select Previous and edit the bucket connection settings.

STEP 6 | Enable Sensitive Files for your enforcement points.


You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint
DLP. Enable evidence storage when prompted to confirm.

STEP 7 | Download Files for Evidence Analysis.

Set up Evidence Storage on Strata Cloud Manager Using AWS KMS

STEP 1 | Review the setup prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.

STEP 2 | Create an S3 storage bucket in your AWS account to store files scanned by the Enterprise DLP cloud service.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
Leave Block Public Access enabled. The DLP cloud service reaches the bucket through the IAM role you create in Step 4, not through public access.
5. In the Default encryption section, select AWS Key Management Service (SSE-KMS) as the Encryption key type.
6. To specify the AWS KMS key, you can Choose from your AWS KMS keys or you can Enter AWS key ARN.
You can Create a KMS Key if one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key. Note the key ARN; the access policy you create in Step 4 must reference the same key.

7. Create bucket.
8. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.


STEP 3 | Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Storage Bucket.
4. Toggle KMS Enabled to enable an S3 storage bucket that uses AWS KMS.
5. In Instructions - AWS, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.
The first JSON provided is the trust relationship and the second is the access policy. Each has a copy button that you will use later to create the IAM role for the S3 storage bucket.
Leave the Configure Bucket for Evidence Storage display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.


STEP 4 | Create the IAM role for the S3 storage bucket.


This role is required to allow the DLP cloud service to write to the S3 storage bucket.
1. Log in to the Amazon AWS console.
2. Select Services > Security, Identity, and Compliance > IAM > Access management >
Roles and Create role.
3. On the Select trusted entity page, locate the Trusted entity type options.
4. For the Trusted entity type, select Custom trust policy.
5. Return to Strata Cloud Manager and copy the trust relationship JSON.
6. In the Amazon AWS console, paste the trust relationship JSON into the Custom trust
policy to configure the trust policy.

7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to Strata Cloud Manager and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.


12. Add the AWS KMS key ARN.


The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided
when you created the S3 storage bucket.

13. Click Next.


14. Enter a Policy name and Create policy.
15. Return to the browser window where you're creating the IAM role,
16. Search for and select the access policy you created.


17. Click Next.


18. Enter a descriptive Role name for the IAM role.
19. Review the IAM role trust relationship and access policy.
20. Create role.


STEP 5 | Configure the S3 storage bucket for evidence file storage.


1. Log in to Strata Cloud Manager.

Access to evidence storage settings and files on Strata Cloud Manager is allowed
only for an account administrator or app administrator role with Enterprise
DLP read and write privileges. This is to ensure that only the appropriate users
have access to report data and evidence.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data and select AWS as the Public Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter the S3 Bucket Name of the bucket you created.
The name you enter in Strata Cloud Manager must match the name of the S3 storage
bucket on AWS.
5. Enter the Role ARN for the IAM role you created.
The IAM Role ARN can be found in the IAM role Permissions. The role ARN is displayed
in the Summary.
6. Select the AWS Region where the bucket is located.

7. Select Connect to verify the connection status of your S3 storage bucket.

The DLP cloud service uploads a Palo_Alto_Networks_DLP_Connection_Test.txt file to your storage bucket to verify connectivity. Select Save if Enterprise DLP connects to your bucket successfully.
If Enterprise DLP can't connect to your bucket, select Previous and edit the bucket connection settings.

STEP 6 | Enable Sensitive Files for your enforcement points.


You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint
DLP. Enable evidence storage when prompted to confirm.

STEP 7 | Download Files for Evidence Analysis.
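Before attaching the policies in either the AWS or the AWS KMS procedure above, it is worth checking the JSON you pasted. The following Python checker is added as an example; it is not Palo Alto Networks code, and the sample template, account ID, bucket ARN and key ARN in it are constructed placeholders rather than the JSON the product provides. It verifies that every bucket_name_to_be_replaced placeholder was substituted with the bucket ARN (Step 4.11), that S3 resources are scoped to the evidence bucket and no wildcard actions slipped in, that an SSE-KMS bucket's policy also grants KMS actions on the same key ARN you chose when creating the bucket (Step 4.12 of the KMS procedure), and that the trust relationship is not open to any principal and carries a Condition such as sts:ExternalId. Whether the JSON Palo Alto Networks provides includes such a condition is not stated in this guide, so treat that last finding as a prompt to confirm against the provided JSON rather than as an error.

```python
import json

PLACEHOLDER = "bucket_name_to_be_replaced"

# Constructed placeholders for the example; use the ARNs from your own account.
BUCKET_ARN = "arn:aws:s3:::dlp-evidence-example"
KMS_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed stand-in for the access policy template. The real template comes from
# Strata Cloud Manager; the action list here is an assumption about what an evidence
# upload needs, not the product's policy.
SAMPLE_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": [PLACEHOLDER, PLACEHOLDER + "/*"],
    }],
}, indent=2)

# Constructed trust relationship with a placeholder partner account and an ExternalId.
SAMPLE_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}, indent=2)

def _as_list(value):
    """IAM fields such as Action and Resource may be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts

def fill_template(template_text, bucket_arn):
    """Step 4.11: replace every instance of the placeholder with the bucket ARN."""
    return template_text.replace(PLACEHOLDER, bucket_arn)

def check_access_policy(policy_text, bucket_arn, kms_key_arn=None):
    """Return a list of problems; an empty list means the policy is ready to attach.

    kms_key_arn is the key ARN chosen when the bucket was created with SSE-KMS,
    or None for an SSE-S3 bucket.
    """
    problems = []
    if PLACEHOLDER in policy_text:
        problems.append(f"'{PLACEHOLDER}' is still present; replace every instance with {bucket_arn}")
    kms_actions = []
    for stmt in _statements(json.loads(policy_text)):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        s3_actions = [a for a in actions if a == "*" or a.lower().startswith("s3:")]
        kms_actions += [a for a in actions if a.lower().startswith("kms:")]
        for a in s3_actions:
            if a.endswith("*"):
                problems.append(f"over-broad action {a!r}; allow only the S3 actions evidence upload needs")
        for res in _as_list(stmt.get("Resource")):
            if res == "*" and s3_actions:
                problems.append("S3 statement uses Resource '*'; scope it to the evidence bucket")
            elif res.startswith("arn:aws:s3:::") and res not in (bucket_arn, bucket_arn + "/*"):
                problems.append(f"S3 resource {res} is not the evidence bucket {bucket_arn}")
            elif res.startswith("arn:aws:kms:") and res != kms_key_arn:
                problems.append(f"KMS resource {res} does not match the bucket's key ({kms_key_arn})")
    if kms_key_arn and not kms_actions:
        problems.append("bucket uses SSE-KMS but the policy grants no kms: actions; uploads will fail")
    return problems

def check_trust_policy(trust_text):
    """Flag an AssumeRole trust that is open to any principal or carries no Condition."""
    problems = []
    for stmt in _statements(json.loads(trust_text)):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("trust policy lets any AWS principal assume the role")
        if "Condition" not in stmt:
            problems.append("AssumeRole statement has no Condition (such as sts:ExternalId); confirm "
                            "this matches the JSON provided in Strata Cloud Manager")
    return problems

def kms_policy(filled_policy_text, kms_key_arn):
    """Add the KMS statement an SSE-KMS bucket needs (Step 4.12 of the AWS KMS procedure)."""
    policy = json.loads(filled_policy_text)
    policy["Statement"] = _statements(policy) + [{
        "Effect": "Allow",
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],  # assumption: typical SSE-KMS write needs
        "Resource": kms_key_arn,
    }]
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    filled = fill_template(SAMPLE_TEMPLATE, BUCKET_ARN)
    print("unfilled template:", check_access_policy(SAMPLE_TEMPLATE, BUCKET_ARN))
    print("SSE-S3 bucket:", check_access_policy(filled, BUCKET_ARN))
    print("SSE-KMS bucket, no KMS grant:", check_access_policy(filled, BUCKET_ARN, KMS_KEY_ARN))
    print("SSE-KMS bucket, with grant:",
          check_access_policy(kms_policy(filled, KMS_KEY_ARN), BUCKET_ARN, KMS_KEY_ARN))
    print("trust:", check_trust_policy(SAMPLE_TRUST))
```

The mismatch the checker is most useful for is the KMS one: a bucket created with SSE-KMS and a role whose policy only grants S3 actions connects fine for the bucket listing but fails on the first object write, which surfaces as a failed Connect in Step 5 with no obvious cause.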

Set Up Cloud Storage on Microsoft Azure to Save Evidence



Microsoft Azure users can configure a Blob storage account to automatically upload all files that match an Enterprise Data Loss Prevention (E-DLP) data profile.
To store your files scanned by the DLP cloud service, you must create a storage account and grant the Palo Alto Networks Enterprise DLP application an access role on it so the DLP cloud service can store files automatically. Files uploaded to your storage account are automatically named using a unique Report ID for each file. The Report ID is used to search for and download specific files for more in-depth investigation.
In case of connection issues to your storage account due to a configuration error or a change in settings, an email is automatically generated and sent to the admin that originally connected Enterprise DLP to the storage account and to the user who last modified the storage account connection settings. This email is sent every 48 hours until the connection is restored.

Files scanned by the DLP cloud service while Enterprise DLP was disconnected from your storage account can't be stored and are lost. This means that all impacted files aren't available for download. However, all snippet data is preserved and can still be viewed in Enterprise DLP.
File storage automatically resumes after the connection is restored.

STEP 1 | Review the setup prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.

STEP 2 | Log in to the Microsoft Azure portal as an administrator.

Administrator level privileges are required to add the Enterprise DLP evidence storage application using Cloud Shell and to configure access to the storage account so the DLP cloud service can upload files for evidence analysis.

STEP 3 | (Optional) From the portal menu, select Resource groups and Create a new resource group. You can also search for resource groups.

A resource group is required to hold the storage account you create next for storing matched files.
Skip this step if you have an existing resource group that you want to associate with the storage account.

STEP 4 | From the portal menu, select Storage accounts and Create a new storage account.
You can also search for storage accounts.

Administration April 2025 367 ©2025 Palo Alto Networks, Inc.


Monitor Enterprise DLP

STEP 5 | Obtain the App ID, Tenant ID, and blob service endpoint URL.
This information is required to add the Palo Alto Networks Enterprise DLP application to your
Microsoft Azure tenant and to configure connectivity to the DLP cloud service.
• Palo Alto Networks Enterprise DLP App ID - 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
The App ID is also displayed in the DLP app on the hub (Settings > Sensitive Data > Configure
Bucket > Azure). Confirm the value there before you use it: the service principal you create
from this App ID is the identity you will authorize to write into your evidence store.
1. Obtain your Tenant ID.
1. From the portal menu, select Azure Active Directory (now Microsoft Entra ID).
You can also search for it.
2. In the Basic information section, copy the Tenant ID.
2. Obtain the blob service endpoint URL.
1. From the portal menu, select Storage accounts and select the storage account you
will use to save files for evidence analysis.
2. Select Settings > Endpoints and copy the Blob service endpoint URL.

STEP 6 | Add the Palo Alto Networks Enterprise DLP application.


1. Open Cloud Shell.
Click the Cloud Shell icon located in the top-right corner of the Microsoft Azure portal.
2. Add the Palo Alto Networks Enterprise DLP application.
Connect-AzureAD -TenantId <Your_Tenant_ID>
New-AzureADServicePrincipal -AppId 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
These cmdlets come from the legacy AzureAD PowerShell module, which Microsoft has deprecated;
if Cloud Shell no longer loads it, register the same App ID with the Microsoft Graph PowerShell
equivalents instead.
It might take a few minutes for Microsoft Azure to add the new application to your Azure
tenant.
3. Close the Cloud Shell.
4. Search for and select Enterprise applications.
5. For the Application type, select All applications.
6. Search for the Palo Alto Networks Enterprise DLP application name to verify
you successfully added the application.


STEP 7 | Configure permissions for the Palo Alto Networks Enterprise DLP application.
1. Select the Palo Alto Networks Enterprise DLP application name.
2. Select Security > Permissions and Grant Admin consent.
3. Select the administrator email in the Microsoft login prompt that is displayed.
4. Accept the permissions request to allow the Palo Alto Networks Enterprise DLP
application to view your Azure storage accounts.
It might take a few minutes for the permissions to be successfully granted to the Palo
Alto Networks Enterprise DLP application.
You still need to grant the Palo Alto Networks Enterprise DLP application permission to
write to a specific storage account.
5. Verify that the Azure Storage and Microsoft Graph API names are displayed in
the Admin consent section.

6. From the portal menu, select Storage accounts and select the storage account you want
to use to save files for evidence analysis.
7. Select Access Control (IAM) > Add > Add Role Assignment > Storage Blob Data Owner
and click Next.
8. Assign access to User, group, or service principal and Select members.
9. Search for and select the Palo Alto Networks Enterprise DLP application, then Select the
application.
10. Review + assign to allow the Palo Alto Networks Enterprise DLP application to write to
the storage account.
It can take up to 10 minutes for the write permissions to be successfully granted to the
Palo Alto Networks Enterprise DLP application.


STEP 8 | Configure the storage bucket for evidence file storage.


1. Log in to Strata Cloud Manager.

Access to evidence storage settings and files on Strata Cloud Manager is allowed
only for an account administrator or app administrator role with Enterprise
DLP read and write privileges. This is to ensure that only the appropriate users
have access to report data and evidence.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Sensitive Data and
select Azure as the Public Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter Microsoft Azure Tenant ID.
5. Enter the Storage Endpoint.
This is the blob service endpoint URL that you gathered for the storage account.
6. Connect the storage account and the DLP cloud service.

7. View the Connection Status to verify that the DLP cloud service successfully connected
to the storage account.
Select Save if Strata Cloud Manager can successfully connect your bucket. A
connectiontest file is uploaded to your storage account by the DLP cloud service to
verify connectivity.
If Strata Cloud Manager can’t successfully connect your bucket, select Previous and edit
the bucket connection settings.
8. In the Store Sensitive Files settings, enable storage of sensitive files for Strata Cloud
Manager.


STEP 9 | Enable Sensitive Files for your enforcement points.


You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint
DLP. Enable evidence storage when prompted to confirm.

STEP 10 | Download Files for Evidence Analysis.

Download Files for Evidence Analysis


On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog
Forwarding service IP addresses to improve performance and expand availability for these
services globally.
You must allow these new service IP addresses on your network to avoid disruptions for
these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?
• Panorama
• Strata Cloud Manager

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
• (SaaS Security only) SaaS Security license
• (Panorama) Device management license
• (Panorama) Support license
• (Strata Cloud Manager) Prisma Access license
• (Strata Cloud Manager) AIOps for NGFW Premium license
• (Strata Cloud Manager) AIOps for NGFW Free license

After you connect your AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise
Data Loss Prevention (E-DLP) to store evidence for traffic that matches your Enterprise DLP data
profiles, you can download to your local device the file that the DLP cloud service scanned
when it generated a DLP incident, for in-depth investigation.
Traffic scanned by the DLP cloud service while Enterprise DLP is disconnected from your cloud
storage bucket isn't stored in your cloud storage, so files from incidents generated during
that time aren't available for download. All snippet data is preserved, however, and can still
be viewed in Enterprise DLP.


The format of the stored evidence depends on the type of traffic that generated the DLP
incident.
• File Based—A copy of the file that generated the incident is saved in the same file format in
which it was inspected.
• Non-File—Non-file traffic is saved in .txt format.
If a file is shared in a non-file based app, for example Slack, the file is saved in the same
file format in which it was inspected.
• Email DLP—Outbound emails are saved in .eml format.
STEP 1 | Connect your AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP
if not already connected.
The files available to download are only files scanned by the DLP cloud service after you
successfully connected Enterprise DLP to your cloud storage bucket.

STEP 2 | (AWS and Azure only) Log in to the Amazon AWS console or Microsoft Azure portal and
access the cloud storage you connected to Strata Cloud Manager. Select Reports and enter a
Report ID to Search.
The object Name is the Report ID.

STEP 3 | Log in to Strata Cloud Manager.

STEP 4 | Select Manage > Configuration > Data Loss Prevention > DLP Incidents and search for the
Report ID.

STEP 5 | Review report summary and click the download button to download the file to your device.
Whether the stored file is downloaded directly to your local device is dependent on the
storage bucket you connected to Enterprise DLP.
• AWS and Azure—The file associated with the particular Report ID is downloaded locally to
your device.
• SFTP Server—Enterprise DLP displays the folder path of the location the file was uploaded
to on your SFTP server. You must access your SFTP server to download the file to your
local device.
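The following is an added example, not part of the guide or of the Palo Alto Networks product, for the Azure case of Steps 2 and 5 when you would rather pull evidence with a script than through the portal: it locates the object whose name is the Report ID, downloads it, records its SHA-256 so the hash can accompany the file in your case notes, and finally reports when evidence was last written, which lets you notice a silent storage disconnect (during which files are lost but snippets are kept) without waiting for the 48-hour email. It assumes the Az.Storage module, that the investigator has at least Storage Blob Data Reader on the account, and a container name that is a placeholder; confirm the real container in the portal view the guide describes.

```powershell
# Added example (not from the Enterprise DLP guide): download an evidence file
# from the Azure storage account by Report ID, hash it for chain of custody,
# and warn when no new evidence has been written recently.
# Assumptions: Az.Storage module; the caller holds Storage Blob Data Reader
# (or higher) on the account; $Container is a placeholder to confirm in the
# portal.

param(
    [Parameter(Mandatory)] [string] $StorageAccount,
    [Parameter(Mandatory)] [string] $ReportId,
    [string] $Container       = 'reports',            # placeholder
    [string] $Destination     = "$HOME/dlp-evidence",
    [int]    $StaleAfterHours = 24
)

# -UseConnectedAccount authenticates with your Entra ID identity rather than a
# shared account key, so the download is attributable to you and governed by
# the RBAC assignments on the account.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount

# 1. The object name is the Report ID, so a prefix search finds it.
$blobs = Get-AzStorageBlob -Container $Container -Prefix $ReportId -Context $ctx
if (-not $blobs) {
    # Either the Report ID is wrong, or the incident occurred while Enterprise
    # DLP was disconnected from the storage account and the file was never stored.
    throw "No evidence object found for Report ID '$ReportId' in container '$Container'."
}

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
foreach ($b in $blobs) {
    $local = Join-Path $Destination $b.Name
    Get-AzStorageBlobContent -Blob $b.Name -Container $Container `
        -Destination $local -Context $ctx -Force | Out-Null

    # 2. Hash immediately after download and keep the value with the case notes.
    $hash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    [pscustomobject]@{
        Report   = $b.Name
        Bytes    = $b.Length
        SHA256   = $hash
        Modified = $b.LastModified
        Path     = $local
    }
}

# 3. Freshness check: if nothing has been written for a while, Enterprise DLP
#    may be disconnected and new evidence files are being lost.
$latest = Get-AzStorageBlob -Container $Container -Context $ctx |
    Sort-Object LastModified -Descending | Select-Object -First 1
$cutoff = (Get-Date).ToUniversalTime().AddHours(-$StaleAfterHours)
if ($latest -and $latest.LastModified.UtcDateTime -lt $cutoff) {
    Write-Warning ("Newest evidence object was written at {0}; check the Connection Status " +
                   "under Settings > Sensitive Data in Strata Cloud Manager.") -f $latest.LastModified
}
```

Run it as `.\Get-DlpEvidence.ps1 -StorageAccount stdlpevidence001 -ReportId <Report_ID>` (the script name is an assumption). The freshness threshold is deliberately shorter than the 48-hour email cadence; pick a value that matches how often your enforcement points normally produce incidents.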


Data Risk

Where Can I Use This?
• NGFW (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license. Review the Supported Platforms for details on
the required license for each enforcement point.
• Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

Data Risk provides deep insights into the data security risk for your organization with contextual
recommendations to help improve your security posture.
• What Is Data Risk?
• Analyze the Data Risk Dashboard
• Configure Risk Score Ranges
• Configure Risk Factor Importance
• Configure Severity for Data Profiles
• Data Risk Recommendations

What Is Data Risk?





Data Risk provides quantifiable metrics to measure the overall data risk for your organization. It
provides administrators the ability to analyze and take preventative action to strengthen your data
risk security posture using the Data Risk Dashboard.
• Visibility—Provides administrators visibility to measure risk down to an individual data asset.
Additionally, it allows the administrator to group and filter risk at an aggregate level to identify
risk hotspots.
The Data Risk Dashboard offers a Risk Breakdown to identify risk across multiple clusters and
individual nodes, giving you visibility into the riskiest assets on your network. In addition to
the data asset and document level risk measurement, the Data Risk Dashboard also provides a
high-level summary of the Data Risk score across your deployment. This includes a risk trend
for the past 7, 30, or 90 days and visibility into the industry average to help you compare your
data risk security posture against your industry peers.
• Customization—Administrators can configure the Data Risk risk model weights and severity for
contextual risk analysis.
This allows you to tailor the Data Risk Dashboard to the data exposures you're interested in
preventing. Data Risk weighs three categories of risk factors: data, application, and users.
You can configure how each category contributes to the overall data risk score, and within
each category you can configure the individual risk factors.
• Remediation Recommendations—The Data Risk Dashboard provides administrators with
actionable recommendations to address risky hotspots and improve your security posture.
Enterprise DLP provides insights based on security gaps that most impact your overall Data
Risk score. This allows you to immediately take action to address the weakest security points
and strengthen your security posture.

How Is Data Risk Calculated?


The customized data security risk scoring framework draws inspiration from the NIST Cyber
Risk Scoring (CRS) model to create a flexible and transparent approach to evaluating your
organization's data security posture. Customized risk scoring offers a dynamic and adaptable
approach to assessing your data security risk, aligns it with your organization's unique needs,
and provides actionable recommendations for improving your data security posture.
Identification of Key Risk Factors—Data Risk begins by identifying critical attributes within three
main categories: application, data, and users. These attributes are carefully chosen by security
experts, incorporating their knowledge, threat intelligence, and industry insights.
Configurable Risk Factors—Administrators have the flexibility to configure the risk score ranges,
risk factor importance, and data profile severity settings to align with your organization's specific
business processes and technical requirements. Enterprise DLP uses these importance settings to
determine the weighting (multiplier) for each risk attribute.
Assessing the Likelihood of a Breach—The attributes help assess the likelihood of a data breach.
Data Risk considers factors like application configurations, user behavior, and data exposure. This
analysis helps in quantifying the potential threats an organization faces.
Evaluating the Impact of Data Breaches—Data Risk also factors in the potential impact of a data
breach by examining data sensitivity and data profiles. This enables a more nuanced evaluation of
the consequences of security incidents.
Aggregated Risk Score—Using these attributes and assessments, Data Risk calculates an
aggregated risk score for all discovered assets. This score provides a comprehensive overview of
the risk associated with sensitive data stored in SaaS applications.
Incorporation of SaaS App Compliance Data—Risk scoring attributes incorporate data related to
SaaS application compliance, ensuring that regulatory and industry standards are part of the risk
assessment.
Continuous Monitoring and Change Tracking—Use the Data Risk Dashboard for ongoing
monitoring. It continuously monitors changes in data asset properties and tracks the effectiveness
of implemented security and privacy controls. This ongoing monitoring provides insights into
shifts in your organization's overall risk posture.
Insights and Recommendations—Data Risk goes beyond just providing a risk score and offers
insights into the specific security and privacy controls that significantly influence the risk score.
It also provides actionable recommendations for improving the organization's security posture,
allowing for informed decision-making and risk mitigation.

Analyze the Data Risk Dashboard





Analyze the Data Risk Dashboard to understand your overall data risk score and get an
assessment of your overall security posture. It helps you identify data security hotspots where
data risk may be high and needs priority attention. The Data Risk Dashboard provides a granular
Risk Breakdown that allows you to explore potential data risks across your control points,
applications, and data profiles. By default, the Risk Breakdown displays the risks for what
Enterprise DLP has calculated to be your riskiest data asset exposures. However, you can modify
and change the Risk Breakdown as needed. The default Risk Breakdown display is restored when
the page is refreshed. The Data Risk Dashboard recalculates your data risk every 24 hours.
Additionally, actionable Recommendations are provided. These are contextual recommendations
made by Enterprise DLP based on your data risk model, sorted so that the changes with the
highest impact on your security posture appear first. The recommendations address
platform-wide changes to applications, data assets, or users rather than individual data
assets.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Data Risk.


STEP 3 | Review the high-level summary for your data risk exposure.
To begin, apply the time filter for which you want to review. You can select Past 7 Days
(default), Past 30 Days, or Past 90 Days.
• Risk Summary —Your overall data risk score out of 100 across all your data profiles,
instances, applications, and control points. Additionally, a widget displays whether your data
risk score has improved or gotten worse over the specified time period.
• Risk Trend—Line graph to show you how your data security posture has improved or gotten
worse over the specified period of time.
• Recommendations—Actionable security recommendations you can take to strengthen your
security posture. Each recommendation allows you to:
• View App Details to understand which applications are impacted by the
recommendation.
• View Assets to understand which files and file types are impacted by the
recommendation.

STEP 4 | Review the Risk Breakdown.


The Risk Breakdown provides in-depth details about each node in your data security
deployment. As each node is displayed, you can apply additional filters as needed, and you
can filter each node independently of the others to review the risk breakdown that matters
most to you.
• Data Profiles—Enterprise DLP data profiles with traffic matches.
• Instances—Application instances for applications onboarded to SaaS Security.
• Applications—Applications onboarded to SaaS Security that have seen activity such as data
profile matches, uploaded assets, or downloaded assets.
• Control Points—The security enforcement points where data security incidents have
occurred.


STEP 5 | Click a specific data risk node to view detailed information for assets matching that group.
• Total Risk—Average Data Risk for all assets matching that specific group.
• Total Assets—Total number of unique and sensitive data assets inspected.
• Users—Total number of unique users who have either owned, uploaded, or downloaded
assets with sensitive data.
• Publicly Shared Assets—Data asset on a SaaS application that is publicly accessible by
anybody with the public link.
• External Assets—Data asset created using your corporate domain that is shared with a
specific user outside of your corporate domain.
• Uploaded Assets—Files uploaded to a SaaS application.
• Downloaded Assets—Files downloaded from a SaaS application.
• Data Profile Matches—Number of Enterprise DLP data profiles that were matched.
• Applications—Total number of applications with inspected traffic that generated a data
security risk.
• Top 10 Risky Assets—List of data assets sorted by Data Risk. The Asset Name, Owner, and
Risk Score are displayed. Additionally, you can expand the Actions and View Asset or View
Related Incident.

STEP 6 | View Related Incident to view more details about the specific DLP Incident.


Configure Risk Score Ranges




Configure the overall risk score ranges for data risk. This helps you better visualize data risk across
different levels when you analyze Data Risk.
If you have already configured the overall risk score ranges to custom values, you can Reset to
Default to reapply the default risk score ranges.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Settings > Data Risk > Risk Score
Ranges.

STEP 3 | Configure the overall risk score ranges as needed.


The risk level From and To values specify the lower and upper ranges for each risk level. This
helps visualize assets or groups across different risk levels.

STEP 4 | Save Changes.


STEP 5 | Configure Risk Factor Importance.

Configure Risk Factor Importance




Data Risk is calculated based on multiple risk factors across data, application, and users for an
asset. Configure the overall risk factor importance to customize the risk factor weight for each risk
factor when calculating the overall data risk for a data security asset. You can apply the following
Importance Levels for each risk factor.
• Extremely Important
• Very Important
• Important
• Somewhat Important
• Of Little Importance
• Not Important
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Settings > Data Risk > Risk Factor
Importance.


STEP 3 | Configure the Data, Application, and User risk factor importance.
• Data
• Data Profile—Predefined and custom Enterprise Data Loss Prevention (E-DLP) data
profiles.
• Data Exposure—How widely a data asset is exposed, for example publicly or to users
outside your organization.

• Application
• Application Tag—Default SaaS Security Inline application tags categorize discovered
applications on SaaS Security so that you can monitor users of SaaS apps more efficiently.
Applications can be tagged as Sanctioned, Tolerated, Unsanctioned, Unknown, or with
custom tags.
• Sanctioned—Applications sanctioned by your organization and being used by
employees in your organization.
• Unsanctioned—Applications unsanctioned by your organization for use by employees
in your organization.
• Tolerated—Application that is not trusted like a sanctioned app, but that is allowed to
be used by employees until your organization is able to replace it with a more secure
app so as not to inhibit the productivity of your users.
• Unknown—Default for SaaS applications that are not tagged.
• Application Risk—SaaS Security Inline risk score assigned to a SaaS application.
• Application Tenant Type—Whether a particular instance of an application is
Managed, Not Managed, Personal, or Other.
• SSPM Posture—SaaS Security Posture Management (SSPM) application posture, used to
detect and address misconfigured settings in sanctioned SaaS applications.

• Users
• Owner Risk—Risk factor weight for the owner of a data asset, based on the User Risk
information collected from Cloud Identity Engine (CIE).
• Collaborator Risk—Risk factor weight based on the risk of all collaborators who have
access to a data asset.

STEP 4 | Save Changes.

STEP 5 | Configure Severity for Data Profiles.

Configure Severity for Data Profiles





Configure the severity for each data profile. Setting a higher severity increases the effect
that a match of a particular data profile has on the data risk for a data asset. If an asset
matches multiple data profiles, it is assigned the highest matching severity for the Data
Profile risk factor. The data profiles listed here include all Enterprise Data Loss Prevention
(E-DLP) predefined and custom data profiles. All custom data profiles are assigned a default
severity. You can apply the following severity levels:
• Critical
• High
• Medium
• Low
• Very Low
• None
If you have already configured the severity levels for different data profiles to custom values, you
can Reset to Default to reapply the default severities.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Settings > Data Risk > Data
Profile Severity.


STEP 3 | Configure the data profile risk levels as needed.

STEP 4 | Save Changes.

Data Risk Recommendations


Data Risk Recommendations are currently in Beta. Palo Alto Networks is continuing to expand
and add more granular recommendations.




Data Risk provides configuration change recommendations to help improve your data security
posture. These contextual recommendations are based on the current data risk model and data
assets inspected by Enterprise DLP. These recommendations are sorted based on those that will
have the highest impact on your organization's Data Risk score. Additionally, recommendations
are at a group or platform level and may include multiple data assets, applications, or users.
For example, Enterprise DLP has detected that a sensitive data asset was uploaded to an
Unsanctioned application and that this is a major contributor to your overall Data Risk
Summary score. In this scenario, the remediation may be to create or update a Security policy
rule that blocks access to the unsanctioned application. Conversely, if the application is
incorrectly tagged as Unsanctioned, the remediation may be to update the application tag.
STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Analyze the Data Risk Dashboard.


Analyze the data risk dashboard to identify data security hotspots where data risk may be high
and needs priority attention.
1. Review your Risk Summary to get an assessment of your overall security posture.
2. Review your Risk Breakdown and navigate through the Risk Breakdown tree to explore
potential data security risks across your control points, applications, and data profiles.
By default, the Risk Breakdown displays the path where data risk is highest.
3. View Related Incident or View Asset to view more details about the specific DLP
incident or data asset.
This allows you to review the individual incident or asset and take the necessary action.

STEP 3 | Take a recommended action.


1. View Asset to learn more about the data asset contributing to risky data security
behavior on your network.
2. View App Details to learn more about the application contributing to risky data security
behavior on your network.
3. Make configuration changes based on the app and asset details.
For example, you may need to create or update a Security policy for a specific
application to better control access or update the tag on an app to reduce your data risk.


End User Coaching



Where Can I Use This?
• NGFW (Managed by Strata Cloud Manager)
• Prisma Access (Managed by Strata Cloud Manager)

What Do I Need?
• GlobalProtect app version 6.2.7 or later
• Enterprise Data Loss Prevention (E-DLP) license
• Prisma Access Mobile Users License
• Prisma Access license
• Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license

End User Coaching allows you to display notifications to your users in the Access Experience User
Interface (UI) when they generate an Enterprise Data Loss Prevention (E-DLP) or Endpoint DLP
incident.
To determine what is considered sensitive data, you add one or more Inline DLP Rules or
Endpoint DLP Rules. These rules contain the traffic match criteria that define what is considered
sensitive data. For the Inline DLP Rules, the rule name is derived from the Enterprise DLP data
profile of the same name. For the Endpoint DLP Rules, it's based on the name you configured
when you created the policy rule. Additionally, you can configure custom messages for when an
Enterprise DLP or Endpoint DLP incident is generated. After an incident is generated, the user
who generated the incident can view the Data Security notification for more information about
the sensitive data uploaded, downloaded, or posted.
Access Experience User Interface displays only one notification per DLP incident in a 30-second
period regardless of how many times the user generates the same incident. For example, a user
attempts to upload a file containing sensitive data to the Box Web app and Enterprise DLP blocks
the upload. The user then immediately tries to upload the same file 5 more times but is blocked
each time. In this case only one Access Experience alert is generated even though the user was
blocked from uploading a file containing sensitive data to the Box Web app 6 total times.
• Set Up End User Coaching (Enterprise DLP)
• Set Up End User Coaching (Endpoint DLP)


Set Up End User Coaching for Enterprise DLP


STEP 1 | Contact your Palo Alto Networks representative to enable End User Coaching on your
tenant.

STEP 2 | Install the GlobalProtect app version 6.2.7 or later on Windows or macOS.

STEP 3 | Log in to Strata Cloud Manager.

STEP 4 | Enable Autonomous DEM.


On Strata Cloud Manager, select Workflows > Prisma Access Setup > GlobalProtect
> GlobalProtect App and Add App Settings. Configure the required settings to display
notifications to your users in the Access Experience UI when they generate a DLP incident.
• Enable Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
• DEM for Prisma Access (Windows and Mac Only)—Select Install and User Can’t Enable or
Disable DEM
• DEM for Prisma Access version 6.3 and above (Windows and Mac Only)—Select Install the
Agent

STEP 5 | (macOS only) In the Access Experience UI, select Settings > Notifications and enable Allow
notifications.
This setting must be enabled in the Access Experience UI for each user and is required to
display notifications when the user generates a DLP incident. Configure the rest of the Access
Experience notifications settings as needed.

STEP 6 | Configure Enterprise DLP.


1. Create a decryption profile and policy rule.
This is required for Enterprise DLP to decrypt and inspect traffic for sensitive data.
2. Create custom data patterns to define your match criteria.
Alternatively, you can use the predefined data patterns instead of creating custom data
patterns.
3. Create a data profile and add your data patterns.
Only custom data profiles are supported. By default, the Action for all predefined DLP Rules is
set to Alert. You must clone the predefined data profile to edit the DLP Rule Action.
4. Modify the DLP Rule.
• When modifying the DLP Rule, you must set the Action to Block. This is required to
generate alerts in the Access Experience UI. No alerts are displayed if the Action is
set to Alert.
• Add the DLP Rule to a Profile Group and attach the Profile Group to a Security
policy rule. This is required for Enterprise DLP to generate a DLP incident that then
generates a notification in the Access Experience UI.


STEP 7 | Select Manage > Configuration > NGFW and Prisma Access > Global Settings > User
Coaching Notification Template and create an End User Notification Template.
The end user notification template defines which DLP Rules generate a notification in the
Access Experience UI and the contents of the notification. You should only add DLP Rules
added to a Profile Group that is associated with a Security policy rule. This is required for
Enterprise DLP to generate a DLP incident that then generates a notification in the Access
Experience UI. A single DLP Rule can be added to multiple User Coaching Notification
Templates.
1. For the Product Name, select Inline Data Loss Prevention.
2. Check (enable) Enable Notification Template to enable the template after creation.
This setting is enabled by default.
3. Enter a Notification Template Name.
4. (Optional) Enter a Description.
5. (Optional) Check (enable) High Confidence Detections Only.
High confidence matches reflect how confident Enterprise DLP is when detecting
matched traffic. For regular expression (regex) patterns, this is based on the character
distance to the configured proximity keywords. For machine learning (ML) patterns, the
ML models calculate the confidence level.
6. Add one or more Applied Rules to the notification template.
You must add at least one DLP rule to the notification template. The end user
notification template defines which DLP Rules generate a notification in the Access
Experience UI and the contents of the notification. Only add DLP rules added to a Profile
Group that is associated with a Security policy rule. This is required for Enterprise DLP to
generate a DLP incident that then generates a notification in the Access Experience UI.
You can add a single DLP rule to multiple User Coaching Notification Templates.

You can View Details for each DLP rule or Endpoint DLP policy rule you add to review
the specific inspection details. This includes the traffic inspection Direction, applicable
File Type, Action, and whether the DLP Rule is inspecting for File Based Match Criteria,
Non-File Based Match Criteria, or both.

7. Define the Notification Message users receive when Enterprise DLP blocks sensitive
data that matches the data profiles associated with the DLP Rule.
The message templates are the Access Experience toast notifications users receive
when Enterprise DLP blocks sensitive data. You can use the following variables in your
message templates. You must include the brackets for each variable.
• [file name]—File name and extension containing sensitive data blocked by
Enterprise DLP.
• (File Based only) [direction]—Specifies whether Enterprise DLP blocked a file
upload or download.
• [app name]—Application user attempted to upload to, download from, or post non-
file based content.
• [action]—Action Enterprise DLP took when sensitive data was detected. This value
is always Blocked.
1. Define the Message Template for File based detections.
Skip this step if the DLP Rule isn't configured for file based detections.
2. Define the Message Template for Non-File based detections.
Skip this step if the DLP Rule isn't configured for non-file based detections.
3. Add a Support Link.
You can add links directly into the Access Experience toast notification that describe
your company policy for sharing or downloading sensitive data.


STEP 8 | Save.

STEP 9 | The user who generated the Enterprise DLP incident can view the Data Security notification
for more information about the sensitive data uploaded, downloaded, or posted.
A Data Security notification is displayed for 7 days. There is no limit to the number of
notifications displayed.
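The 30-second notification window and the bracketed message-template variables described above, modeled as an added Python example (not Palo Alto Networks code). The incident key, user and file names, and the variable allowlists for the two Endpoint DLP template kinds are assumptions built from the guide's text.

```python
import re
from typing import Dict, List, Tuple

# The guide states one notification per DLP incident per 30-second period.
DEDUP_WINDOW_SECONDS = 30

# Variables the guide lists for each template kind (allowlists constructed
# from the page text). [direction] is documented as File Based only.
ALLOWED_VARIABLES: Dict[Tuple[str, str], set] = {
    ("inline", "file"): {"file name", "direction", "app name", "action"},
    ("inline", "non-file"): {"file name", "app name", "action"},
    ("endpoint", "file"): {"File Name", "Transfer Method", "Peripheral Type",
                           "Peripheral Name", "Action", "Policy Name"},
    ("endpoint", "peripheral"): {"File Name", "Transfer Method", "Peripheral Type",
                                 "Peripheral Name", "Action", "Policy Name"},
}

_VAR = re.compile(r"\[([^\[\]]+)\]")


def find_invalid_variables(template: str, product: str, kind: str) -> List[str]:
    """Return bracketed variables that the guide does not list for this
    product/template kind (for example [direction] in a non-file template).
    An empty list means the template only uses documented variables."""
    allowed = ALLOWED_VARIABLES[(product, kind)]
    return [v for v in _VAR.findall(template) if v not in allowed]


def render_message(template: str, values: Dict[str, str]) -> str:
    """Substitute [variable] placeholders. Unknown variables are left in
    place so an operator notices the typo instead of showing a blank."""
    return _VAR.sub(lambda m: values.get(m.group(1), m.group(0)), template)


class CoachingNotifier:
    """Tracks, per user and incident, when a toast was last shown and
    suppresses repeats inside the 30-second window."""

    def __init__(self, window: int = DEDUP_WINDOW_SECONDS) -> None:
        self.window = window
        self._last_shown: Dict[Tuple[str, Tuple], float] = {}
        self.shown: List[str] = []

    def on_block(self, user: str, incident_key: Tuple, message: str, now: float) -> bool:
        """Return True if a notification is displayed, False if suppressed."""
        key = (user, incident_key)
        last = self._last_shown.get(key)
        if last is not None and now - last < self.window:
            return False
        self._last_shown[key] = now
        self.shown.append(message)
        return True


def simulate_box_uploads(timestamps: List[float]) -> int:
    """Replay the guide's scenario: the same blocked upload to the Box Web
    app repeated at the given timestamps (seconds). Returns how many toasts
    the user actually sees. All values are constructed sample data."""
    template = "[action]: [direction] of [file name] to [app name] contains sensitive data."
    assert not find_invalid_variables(template, "inline", "file")
    values = {"action": "Blocked", "direction": "upload",
              "file name": "q3-payroll.xlsx", "app name": "Box Web"}
    notifier = CoachingNotifier()
    # Assumed incident identity: same app, file and DLP rule -> same incident.
    incident = ("Box Web", "q3-payroll.xlsx", "PII-rule")
    for t in timestamps:
        notifier.on_block("alice", incident, render_message(template, values), t)
    return len(notifier.shown)


if __name__ == "__main__":
    # Six blocked attempts within a few seconds -> one toast.
    print(simulate_box_uploads([0, 1, 2, 3, 4, 5]))      # 1
    # Another attempt after the window has elapsed -> a second toast.
    print(simulate_box_uploads([0, 1, 2, 3, 4, 5, 40]))  # 2
```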

End User Coaching for Endpoint DLP


STEP 1 | Contact your Palo Alto Networks representative to enable End User Coaching on your
tenant.

STEP 2 | Install the GlobalProtect app version 6.2.7 or later on Windows or macOS.

STEP 3 | Log in to Strata Cloud Manager.

STEP 4 | Enable Autonomous DEM.


On Strata Cloud Manager, select Workflows > Prisma Access Setup > GlobalProtect >
GlobalProtect App and Add App Settings. You must configure these required settings to
display notifications to your users in the Access Experience UI when they generate a DLP
incident.
• Enable Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
• DEM for Prisma Access (Windows and Mac Only)—Select Install and User Cannot Enable
or Disable DEM
• DEM for Prisma Access version 6.3 and above (Windows and Mac Only)—Select Install the
Agent

STEP 5 | (macOS only) In the Access Experience UI, select Settings > Notifications and enable Allow
notifications.
This setting must be enabled in the Access Experience UI for each user and is required to
display notifications when the user generates a DLP incident. Configure the rest of the Access
Experience notifications settings as needed.


STEP 6 | Configure Enterprise DLP.


1. Create a decryption profile and policy rule.
This is required for Enterprise DLP to decrypt and inspect traffic for sensitive data.
2. Create custom data patterns to define your match criteria.
Alternatively, you can use the predefined data patterns instead of creating custom data
patterns.
3. Create a data profile and add your data patterns.
Only custom data profiles are supported. By default, the Action for all predefined DLP Rules is
set to Alert. You must clone the predefined data profile to edit the DLP Rule Action.
4. Set up Endpoint DLP.
1. Add a Peripheral.
2. Create a Peripheral Group.
3. Create an Endpoint DLP Policy Rule.

STEP 7 | Select Manage > Configuration > NGFW and Prisma Access > Global Settings > User
Coaching Notification Template and create an End User Notification Template.
The end user notification template defines which DLP Rules generate a notification in the
Access Experience UI and the contents of the notification. You should only add DLP Rules
added to a Profile Group that is associated with a Security policy rule. This is required for
Enterprise DLP to generate a DLP incident which then generates a notification in the Access
Experience UI. A single DLP Rule can be added to multiple User Coaching Notification
Templates.
1. For the Product Name, select Endpoint Data Loss Prevention.
2. Check (enable) Enable Notification Template to enable the template after creation.
This setting is enabled by default.
3. Enter a Notification Template Name.
4. (Optional) Check (enable) High Confidence Detections Only.
High confidence matches reflect how confident Enterprise DLP is when detecting
matched traffic. For regular expression (regex) patterns, this is based on the character
distance to the configured proximity keywords. For machine learning (ML) patterns, this
confidence level is calculated by the ML models.

5. Add one or more Applied Rules to the notification template.


You must add at least one Endpoint DLP policy rule to the notification template. The
end user notification template defines which Endpoint DLP policy rules generate a
notification in the Access Experience UI and the contents of the notification.
You can View Details for each DLP rule or Endpoint DLP policy rule you add to review
the specific inspection details. This includes the associated Data Profile, impacted users
and peripheral device types, Action, the Incident Assignee, and the Notification email
recipient when an Endpoint DLP incident is generated.
6. Define the Notification Message users receive when Enterprise DLP blocks sensitive
data that matches the data profiles associated with the DLP Rule.
The message templates are the Access Experience toast notifications users receive
when Enterprise DLP blocks sensitive data. You can use the following variables in your
message templates. You must include the brackets for each variable.
• [File Name]—File name and extension containing sensitive data blocked by
Enterprise DLP.
• [Transfer Method]—Application user attempted to upload to, download from, or
post non-file based content.
• [Peripheral Type]—Type of peripheral device associated with the Endpoint DLP
incident.
• [Peripheral Name]—Name of the peripheral device associated with the Endpoint
DLP incident.
• [Action]—Action Enterprise DLP took when sensitive data was detected. This value
is always Blocked.
• [Policy Name]—Name of the Endpoint DLP policy rule against which the Endpoint
DLP incident was generated.
1. Define the Message Template for File.
This is the message displayed when traffic matches a Data in Motion Endpoint DLP
policy rule.
2. Define the Message Template for Peripheral Control based detections.
This is the message displayed when traffic matches a Peripheral Control Endpoint
DLP policy rule.
3. Add a Support Link.
You can add links directly into the Access Experience toast notification that describe
your company policy for sharing or downloading sensitive data.

STEP 8 | Save.


STEP 9 | The user who generated the Endpoint DLP incident can view the Data Security notification
for more information about the sensitive data uploaded, downloaded, or posted.
A Data Security notification is displayed for 7 days. There is no limit to the number of
notifications displayed.


Data Asset Explorer



Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

The Data Asset Explorer eliminates the fragmented approach to data security that leaves
organizations vulnerable. It provides comprehensive visibility into all sensitive files, messages,
and non-file based traffic, referred to as assets, detected by Enterprise Data Loss Prevention
(E-DLP) across your data security enforcement channels. The Data Asset Explorer allows your
data security admins to perform cross-channel asset discovery and centralize your data security risk
assessments, and it provides enterprise-wide visibility into sensitive assets moving to and from apps
and peripherals, and across your network.
The core concept of Data Asset Explorer is to provide a single pane of glass for viewing and
managing sensitive data assets. It allows admins to:
• Discover and inventory sensitive assets across various platforms and channels
• Analyze data sensitivities, types, and distribution patterns
• Investigate asset metadata, activities, matched policy rules, and incidents
• Visualize data leak paths and potential vulnerabilities
By centralizing this information and functionality, Data Asset Explorer enables data security teams
to make informed decisions, optimize their Security policy rules, and enhance their overall data
protection strategies. It transforms fragmented data security management into a cohesive and
efficient process to strengthen your organization's security posture.
You can access the Data Asset Explorer on Strata Cloud Manager (Manage > Configuration >
Data Loss Prevention > Data Asset Explorer) only.


• Filters
The Data Asset Explorer allows you to apply filters to narrow down the scope of sensitive
assets the Data Asset Explorer displays. Apply these filters to more quickly identify the
sensitive assets you want to investigate. The Data Asset Explorer automatically applies any
filters to the Asset Aggregates widget and the Assets table.
• Time Filter—Specify the time frame to narrow down the list of sensitive assets. You can
select Past 1 Hour, Past 3 Hours, Past 24 Hours, Past 7 Days, Past 30 Days, or Past 90
Days.
• Region—Select the region where Enterprise DLP inspected sensitive assets. The default
Global displays all sensitive assets detected across all regions.
• GenAI Apps Only—Toggle this filter to display only the GenAI apps supported by Enterprise
DLP.
• Add Filter—Add additional filters to narrow down the scope of assets.
• Reset—Remove any of the additional filters added. This does not remove the time, region, or
GenAI apps only filters.

• Asset Aggregates
• Asset Aggregates Widget
The Asset Aggregates widget provides an interactive visualization to view aggregated asset
information detected by Enterprise DLP. Click on an asset characteristic to automatically
apply it as a filter and narrow down the number of assets displayed. Click on the same
characteristic again to remove the filter.
The characteristics described below display only if Enterprise DLP has matching data. For
example, you apply the Past 7 Days filter and Asset Type displays Data at Rest and
Data in Motion, but Asset Type displays only Data in Motion when you apply the Past 24 Hours
filter. This is because Enterprise DLP inspected traffic for both data at rest and data in motion at
some point in the last seven days, but detected only sensitive data in motion in the past 24 hours.
• Applications—App classification for inspected traffic.
Can be Sanctioned, Tolerated, or Unsanctioned.
• Data Type—Data asset file type, message, or non-file traffic inspected by Enterprise DLP.
The Data Asset Explorer lists the four data asset types with the largest number of assets
and displays Others to combine all other data asset types.
• Asset Type—Type of asset traffic inspected. Can be Data at Rest or Data in Motion.
• Policy Action—Action configured in the DLP rule (Strata Cloud Manager), data profile
(Panorama) or data asset policy rule (Data Security).
Can be Blocked, Alerted, Quarantined, or Deleted.
• Data Profiles—Data profiles containing the match criteria the asset inspected by
Enterprise DLP matched against. The Data Asset Explorer lists the four data profiles
with the largest number of traffic matches and displays Others to combine all other data
profiles.
• Channels—Data security channel where Enterprise DLP inspection and verdict rendering
occurred.
Can be NGFW, Prisma Access, Email DLP, Endpoint DLP, SaaS API, or PA
Browser.
• Users—Top users who uploaded, downloaded, sent messages, or generated non-file
based data assets forwarded to Enterprise DLP for inspection.
• Assets by Risk—Distribution of the assets across different Risk Scores as defined in the DLP
rule (Strata Cloud Manager) or data profile (Panorama).
• Top Users—Top 3 users who uploaded data assets containing sensitive data based on the
currently applied filters and the total number of data assets.
• Top Applications—Top 3 apps where users uploaded, downloaded, sent messages, or
generated non-file based data assets containing sensitive data and the total number of data
assets.

The Assets by Risk, Top Users, and Top Applications data are a summary of the total
assets based on the currently selected time filter. Click the asset value to automatically
apply the corresponding filters to the Asset Aggregates widget.
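An added Python example (not Palo Alto Networks code) that applies the Time, Region and GenAI Apps Only filters to a constructed asset list and builds the Asset Aggregates described above, including the four-largest-plus-Others bucketing for Data Type and the Top 3 users and applications. The asset records, their ages, regions and app names are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    """One row of the asset list (fields assumed from the guide's column names)."""
    age_seconds: int       # seconds since Enterprise DLP inspected the asset
    name: str
    channel: str
    data_type: str
    asset_type: str        # "Data at Rest" or "Data in Motion"
    region: str
    app: str
    user: str
    genai_app: bool


# Constructed sample data: the Data at Rest assets are deliberately older than
# 24 hours so Asset Type changes between the Past 24 Hours and Past 7 Days filters.
SAMPLE_ASSETS: List[Asset] = [
    Asset(600, "budget.xlsx", "NGFW", "Spreadsheet", "Data in Motion", "us", "Box", "alice", False),
    Asset(1800, "notes.txt", "Prisma Access", "Text", "Data in Motion", "us", "ChatGPT", "bob", True),
    Asset(7200, "contract.pdf", "NGFW", "PDF", "Data in Motion", "eu", "Box", "alice", False),
    Asset(50000, "prompt", "Prisma Access", "Non-file", "Data in Motion", "us", "ChatGPT", "alice", True),
    Asset(2 * 86400, "archive.zip", "SaaS API", "Archive", "Data at Rest", "us", "SharePoint", "carol", False),
    Asset(3 * 86400, "plan.docx", "SaaS API", "Document", "Data at Rest", "eu", "SharePoint", "bob", False),
    Asset(4 * 86400, "scan.png", "Endpoint DLP", "Image", "Data in Motion", "us", "USB", "dave", False),
    Asset(5 * 86400, "q2.xlsx", "NGFW", "Spreadsheet", "Data in Motion", "us", "Box", "alice", False),
]

# The six time frames the guide lists, as look-back horizons in seconds.
TIME_FILTERS: Dict[str, int] = {
    "Past 1 Hour": 3600, "Past 3 Hours": 3 * 3600, "Past 24 Hours": 86400,
    "Past 7 Days": 7 * 86400, "Past 30 Days": 30 * 86400, "Past 90 Days": 90 * 86400,
}


def apply_filters(assets: List[Asset], time_filter: str, region: str = "Global",
                  genai_only: bool = False) -> List[Asset]:
    """Time, Region and GenAI Apps Only filters; Global keeps every region."""
    horizon = TIME_FILTERS[time_filter]
    return [a for a in assets
            if a.age_seconds <= horizon
            and (region == "Global" or a.region == region)
            and (a.genai_app or not genai_only)]


def top_n_with_others(values: List[str], n: int) -> Dict[str, int]:
    """The n largest buckets; every remaining value is folded into Others."""
    counts = Counter(values)
    top = counts.most_common(n)
    result = dict(top)
    others = sum(counts.values()) - sum(c for _, c in top)
    if others:
        result["Others"] = others
    return result


def asset_aggregates(assets: List[Asset]) -> Dict[str, object]:
    """Characteristics shown in the widget; a characteristic lists only the
    values that actually occur in the filtered assets."""
    return {
        "Asset Type": sorted({a.asset_type for a in assets}),
        "Data Type": top_n_with_others([a.data_type for a in assets], 4),
        "Channels": sorted({a.channel for a in assets}),
        "Top Users": Counter(a.user for a in assets).most_common(3),
        "Top Applications": Counter(a.app for a in assets).most_common(3),
    }


def aggregates_for(time_filter: str, region: str = "Global",
                   genai_only: bool = False) -> Dict[str, object]:
    """Convenience wrapper: filter the sample assets, then aggregate."""
    return asset_aggregates(apply_filters(SAMPLE_ASSETS, time_filter, region, genai_only))


if __name__ == "__main__":
    print(aggregates_for("Past 7 Days")["Asset Type"])    # both asset types
    print(aggregates_for("Past 24 Hours")["Asset Type"])  # Data in Motion only
    print(aggregates_for("Past 7 Days")["Data Type"])     # four types plus Others
```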


• Asset List
List of all data assets inspected by Enterprise DLP. This list dynamically updates based on the
currently applied filters.
• Last Modified—Date and time Enterprise DLP inspected the asset, message, or non-file
based traffic.
• Name—Name of the asset inspected by Enterprise DLP. Click the asset Name to view the
asset details.
• Channel—Data security channel that forwarded the asset to Enterprise DLP for inspection.
Can be NGFW, Prisma Access, Email DLP, Endpoint DLP, SaaS API, or PA
Browser.
• Data Risk Score—A Data risk score assigned to the asset to measure the overall risk the
asset poses to your organization.
• Policy Action—Action configured in the DLP rule (Strata Cloud Manager), data profile
(Panorama) or data asset policy rule (Data Security)
• (Data Security only) Exposure—Exposure level describing the accessibility of the asset.
• Data Profiles—One or more Data profiles containing the match criteria the asset inspected
by Enterprise DLP matched against.
• Application Name—App-ID of the destination or source app.
• User—User who uploaded or downloaded the asset to the destination or source app. If you
enabled Cloud Identity Engine (CIE), the user identification displays here.
• File Format—File format of the asset inspected by Enterprise DLP.
• (Email File Format only) Actions—Expand the Actions menu to open the email inspected by
Enterprise DLP.


• Asset Details
The Asset Details provides detailed information about the asset inspected by Enterprise DLP.
• General Info—General information of the asset that includes information such as the asset
name, type, and the data security channel where Enterprise DLP detected the asset.
• Data—Information about the asset. This can include the data risk score, the size of the asset,
the data profiles containing the match criteria the asset matched against, and the data type
of the asset.
• User—Information about the users who own the asset or have uploaded or downloaded the
asset, sent a message, or generated non-file-based traffic.
• (SaaS API Channel only) Exposure—Data Security exposure level information.
• Application—Information about the specific source or destination app including the App-ID
and classification.
• Matches Within Data Profile—Displays snippets of the asset that matched the data pattern
match criteria within the data profile.
• Incidents—List of DLP incidents generated by the asset.
• Policies—Policy rules that match the selected asset.
• User Activities—Information about the users who uploaded, downloaded, sent messages, or
generated non-file based data assets.


Report a False Positive Detection



Where Can I Use This?
• NGFW (Managed by Panorama or Strata Cloud Manager)
• Prisma Access (Managed by Panorama or Strata Cloud Manager)

What Do I Need?
• Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
• Prisma Access CASB license
• Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
• Data Security license

In some instances, Enterprise Data Loss Prevention (E-DLP) might incorrectly detect and take
action on file or network traffic that it should not have. This is called a false positive
detection, and false positives can impact the productivity of individual employees and Enterprise
DLP administrators alike. False positive detections are commonly caused by the traffic match
criteria in predefined regular expression (regex) data patterns. Report false positive detections
to Palo Alto Networks to improve Enterprise DLP detection accuracy for yourself and other
Enterprise DLP users. You report a false positive detection against the DLP Incident where the
false positive detection occurred.
The DLP Incident must meet the following conditions to report a false positive detection:
• Traffic matched against a predefined regular expression (regex) data pattern
• The traffic match is high confidence
• There is a snippet available of the false positive detection to share with Palo Alto Networks
For predefined data patterns marked with Augmented with ML, Enterprise DLP uses AI and
advanced machine learning (ML) techniques to improve its detection engine when you report a
false positive detection. This enables Enterprise DLP to continuously learn from your feedback to
reduce false positive detections and increase detection accuracy for yourself and other Enterprise
DLP users. For Enterprise DLP to use AI and ML to learn from your false positive detections and
improve its detection engine:
• Files in inspected traffic must be 19 MB and smaller
• The number of traffic matches per data pattern in the data profile is 100 matches or less

All selected DLP incident snippets are shared with Palo Alto Networks when you submit
a false positive report. The selected snippets are stored and accessible by Palo Alto
Networks for up to 90 days to enable Palo Alto Networks to investigate and improve
Enterprise DLP detection accuracy.

Enterprise DLP does not support reporting false positive detections for incidents
generated from Email DLP or SaaS Security.

STEP 1 | Log in to Strata Cloud Manager.

STEP 2 | Review your data patterns, profiles, and Security policy rules to reduce false positive
detections.

STEP 3 | Select Manage > Configuration > Data Loss Prevention > DLP Incidents.

STEP 4 | In the Incidents list, click the File name of the false positive DLP incident you want to
report to Palo Alto Networks.

STEP 5 | In the Matches within Data Profile window, click Report False Positive.

STEP 6 | In the Falsely Detection Information, select one or more data patterns.
Enterprise DLP displays the list of available data patterns based on the data profile that
generated a false positive detection. Enterprise DLP only displays data patterns associated
with the data profile.

STEP 7 | Select one or more snippets of false positive detections.


You can select snippets from multiple data patterns associated with the data profile if selected.


STEP 8 | (Optional) Add a Comment to provide additional details to Palo Alto Networks.
This helps Palo Alto Networks understand how to improve the predefined data pattern match
criteria or how to train the ML models to improve detection accuracy.
Click Next.

STEP 9 | A notification displays to confirm submission of the false positive report and that the snippet
will be shared with Palo Alto Networks for investigative purposes.
Click Submit to report the false positive detection.
