Perform Initial AI Access Security Configuration
Perform the initial AI Access Security configuration to enable safe adoption of GenAI applications across your organization.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
One of the following:
  • AI Access Security license
  • CASB-PA license
  • CASB-X license
An initial configuration is required before you can begin using AI Access Security to safely adopt generative AI (GenAI) apps across your organization. This includes enabling role-based access, setting up and configuring Enterprise Data Loss Prevention (E-DLP) to prevent exfiltration of sensitive data, and creating a Vulnerability Protection profile to stop attempts to exploit system flaws or gain unauthorized access to systems.
This procedure assumes you already activated the AI Access Security license.
  1. Set up and configure Enterprise Data Loss Prevention (E-DLP).
    Enterprise DLP is the detection engine that prevents exfiltration of sensitive data to GenAI apps. Associate an Enterprise DLP data profile with a Security policy rule to define what is considered sensitive data and the action Enterprise DLP takes when sensitive data is detected.
    1. Set Up Enterprise DLP.
      • Panorama: Install the Enterprise DLP plugin.
      • Strata Cloud Manager: Enable Enterprise DLP.
    2. Edit the Enterprise DLP settings to define the Cloud Content, data filtering, and snippet settings.
    3. Review the supported advanced Detection Methods to use in your Enterprise DLP configuration.
      These are advanced traffic match detection techniques used to prevent exfiltration of sensitive data. They can be used alongside any combination of predefined, custom regex, or file property data patterns in an advanced data profile.
    4. Create data patterns and data profiles to define your sensitive data match criteria.
      Palo Alto Networks recommends creating advanced data profiles as they allow you to use advanced detection method techniques to strengthen your security posture.
    5. (Strata Cloud Manager only) Modify the DLP Rule to specify the impacted file types and file direction (upload or download) and the action Enterprise DLP takes when sensitive data is detected.
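To make the relationship between data patterns, data profiles, and the DLP rule concrete, here is a small, self-contained Python model of how those three layers combine. It is an added example, not Enterprise DLP code or its API: the regex patterns, the profile logic (any-of versus all-of with an occurrence threshold), the file-type and direction scoping, and the sample text are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DataPattern:
    """Custom regex data pattern (constructed; not a predefined Enterprise DLP pattern)."""
    name: str
    regex: str

    def count(self, text: str) -> int:
        return len(re.findall(self.regex, text, re.IGNORECASE))


@dataclass(frozen=True)
class DataProfile:
    """A profile matches when at least `min_patterns` of its patterns each occur
    at least `occurrences` times. min_patterns=1 is any-of; len(patterns) is all-of."""
    name: str
    patterns: Tuple[DataPattern, ...]
    occurrences: int = 1
    min_patterns: int = 1

    def hits(self, text: str) -> List[str]:
        return [p.name for p in self.patterns if p.count(text) >= self.occurrences]

    def matches(self, text: str) -> bool:
        return len(self.hits(text)) >= self.min_patterns


@dataclass(frozen=True)
class DlpRule:
    """Scope (file types + direction) and action, as in the Strata Cloud Manager DLP rule."""
    profile: DataProfile
    file_types: frozenset
    direction: str  # "upload" or "download"
    action: str     # "alert" or "block"


# Constructed patterns and profiles.
SSN_LIKE = DataPattern("ssn-like", r"\b\d{3}-\d{2}-\d{4}\b")
CARD_LIKE = DataPattern("card-like", r"\b(?:\d{4}[ -]?){3}\d{4}\b")
MARKER = DataPattern("confidential-marker", r"\bCONFIDENTIAL\b")
PROJECT = DataPattern("project-code", r"\bPRJ-\d{4}\b")

CUSTOMER_PII = DataProfile("customer-pii", (SSN_LIKE, CARD_LIKE))              # any-of
INTERNAL_DOCS = DataProfile("internal-docs", (MARKER, PROJECT), min_patterns=2)  # all-of

RULES = [
    DlpRule(CUSTOMER_PII, frozenset({"txt", "csv", "docx"}), "upload", "block"),
    DlpRule(INTERNAL_DOCS, frozenset({"txt", "docx"}), "upload", "alert"),
]


def inspect(rules: List[DlpRule], filename: str, direction: str, content: str):
    """Return (action, profile name, matched pattern names) for one file transfer.
    Out-of-scope transfers and non-matching content are allowed through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for rule in rules:
        if direction != rule.direction or ext not in rule.file_types:
            continue  # rule does not apply to this transfer at all
        if rule.profile.matches(content):
            return rule.action, rule.profile.name, rule.profile.hits(content)
    return "allow", None, []


if __name__ == "__main__":
    # Constructed sample prompt text pasted into a GenAI app as an upload.
    print(inspect(RULES, "prompt.txt", "upload", "customer ssn is 123-45-6789"))
    print(inspect(RULES, "notes.txt", "upload", "CONFIDENTIAL roadmap for PRJ-2041"))
```

The all-of profile shows why the order and threshold matter: a document carrying only the CONFIDENTIAL marker without a project code is not reported, and a download of the same content is ignored because the rule scope is upload-only.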
  2. Enable Role Based Access to define the access privileges for your security administrators.
    Configure access privileges for AI Access Security and Enterprise DLP, as well as for the management interface (Panorama™ management server or Strata Cloud Manager).
  3. Create a Vulnerability Protection profile.
    Vulnerability Protection profiles are associated with your Security policy rule and stop attempts to exploit system flaws or gain unauthorized access to systems.
  4. (NGFW only) Create an internal trust zone and an outbound untrusted zone.
    Zones are a logical way to group physical and virtual interfaces on the NGFW to control and log the traffic that traverses specific interfaces on your network. Policy rules on the NGFW use zones to identify where the traffic comes from and where it's going.
    The internal trust zone designates traffic originating from within your organization while the outbound untrusted zone designates traffic destined for the internet.
  5. Create application filters to dynamically group GenAI apps for which you want to apply the same Security policy requirements.
    AI Access Security includes dynamic predefined GenAI application filters based on the GenAI app use case.
  6. Create Custom Security policy rules to begin safely adopting GenAI apps in your organization.
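Steps 4 through 6 combine into a zone-based, first-match rulebase whose application criteria are dynamic filters rather than fixed app lists. The following Python model, added here as an illustration and not PAN-OS code or its configuration syntax, shows how interface-to-zone mapping, application filters, and rule order determine the verdict for a flow; the app catalog, zone names, filter attributes, rule names, and profile names are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class App:
    """App-ID-style metadata; values are constructed for the example."""
    name: str
    category: str
    use_case: str  # GenAI use case, e.g. "conversational"
    risk: int      # 1 (low) .. 5 (critical)


# Constructed catalog; names and attributes are illustrative only.
APP_CATALOG = {
    "chat-assistant-a": App("chat-assistant-a", "ai", "conversational", 3),
    "code-helper-b":    App("code-helper-b",    "ai", "code-assistant", 4),
    "image-gen-c":      App("image-gen-c",      "ai", "image-generation", 4),
    "web-mail":         App("web-mail",         "collaboration", "n/a", 2),
}

# Step 4: interfaces grouped into an internal trust zone and an outbound untrust zone.
ZONE_OF_INTERFACE = {"ethernet1/2": "trust", "ethernet1/1": "untrust"}


@dataclass(frozen=True)
class AppFilter:
    """Step 5: a dynamic group. An app is a member if it satisfies every set
    criterion, so newly catalogued apps join without any rule edits."""
    name: str
    category: Optional[str] = None
    use_case: Optional[str] = None
    min_risk: Optional[int] = None

    def matches(self, app: App) -> bool:
        return ((self.category is None or app.category == self.category)
                and (self.use_case is None or app.use_case == self.use_case)
                and (self.min_risk is None or app.risk >= self.min_risk))


@dataclass(frozen=True)
class Rule:
    """Step 6: a Security policy rule keyed on zones and an application filter."""
    name: str
    from_zone: str
    to_zone: str
    app_filter: Optional[AppFilter]  # None means any application
    action: str                      # "allow" or "deny"
    dlp_profile: Optional[str] = None
    vuln_profile: Optional[str] = None

    def matches(self, from_zone: str, to_zone: str, app: App) -> bool:
        return (self.from_zone == from_zone and self.to_zone == to_zone
                and (self.app_filter is None or self.app_filter.matches(app)))


HIGH_RISK_GENAI = AppFilter("high-risk-genai", category="ai", min_risk=4)
GENAI_CHAT = AppFilter("genai-conversational", category="ai", use_case="conversational")

# Evaluation order matters: first match wins, then an implicit deny.
RULEBASE = [
    Rule("block-high-risk-genai", "trust", "untrust", HIGH_RISK_GENAI, "deny"),
    Rule("allow-genai-chat", "trust", "untrust", GENAI_CHAT, "allow",
         dlp_profile="genai-sensitive-data", vuln_profile="strict"),
    Rule("allow-general-web", "trust", "untrust", None, "allow", vuln_profile="strict"),
]


def evaluate(rulebase: List[Rule], in_iface: str, out_iface: str,
             app_name: str, catalog=APP_CATALOG):
    """Return (rule name, action, DLP profile, Vulnerability Protection profile)."""
    app = catalog[app_name]
    src, dst = ZONE_OF_INTERFACE[in_iface], ZONE_OF_INTERFACE[out_iface]
    for rule in rulebase:
        if rule.matches(src, dst, app):
            return rule.name, rule.action, rule.dlp_profile, rule.vuln_profile
    return "implicit-deny", "deny", None, None


if __name__ == "__main__":
    for name in APP_CATALOG:
        print(name, evaluate(RULEBASE, "ethernet1/2", "ethernet1/1", name))
```

Two properties are worth checking against your own rulebase: an app added to the catalog with matching attributes is covered by the filter immediately, and moving the deny rule below the general allow silently reverses the verdict for high-risk apps.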
  7. Modify the Default Web Access Policies to allow Enterprise DLP to successfully inspect traffic for non-GenAI apps.
    Skip this step if you don't have an active Enterprise DLP license. An active Enterprise DLP, CASB-PA, or CASB-X license is required to forward traffic to Enterprise DLP for inspection and verdict rendering.
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > Policies > Web Security.
    2. Select your Configuration Scope.
    3. Navigate to the Default Web Access Policies.
    4. Select the Global Catch All Policy rule and Disable it.
    5. Select the Global Web Access policy rule to edit it.
    6. Remove all entries from the Global Web Access policy rule configuration.
      • Allowed Web Applications
      • Blocked URL Categories
      • Allowed URL Categories
    7. Save.
    8. Push Config and Push.