Install the Enterprise DLP Plugin

Install the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management server.
  1. Review the Compatibility Matrix to verify the Enterprise DLP plugin version is supported on the PAN-OS version running on Panorama.
  2. (Best Practices) Before you install the plugin and activate your Enterprise DLP license, select Assets > Devices to locate Panorama and your managed firewalls to verify that they all belong to the same CSP account.
    Panorama and any managed firewalls on which you want to use Enterprise DLP must belong to the same CSP account, which enables you to share data profiles and maintain consistent Security policy rule enforcement.
  3. Add your NGFW or Prisma Access tenants to a device group and template stack.
    Device groups and template stacks are required to manage your NGFW or Prisma Access tenant configurations and are required to push Enterprise DLP configuration changes.
    Skip this step if you already added your NGFW or Prisma Access tenants to a device group and template stack.
  4. Install the Device Certificate for Managed Firewalls.
    The device certificate is required for all managed firewalls using Enterprise DLP.
  5. Install the plugin on Panorama.
    1. Log in to the Panorama web interface.
    2. Select Panorama > Plugins and search for the latest version of the Enterprise DLP plugin.
    3. Download and Install the Enterprise DLP plugin on Panorama.
  6. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If other Panorama admins made additional configuration changes, they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If other Panorama admins made additional configuration changes, they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  7. Activate your Enterprise DLP license for your managed firewalls.
    Repeat this step for all managed firewalls using Enterprise DLP.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select Assets > Licenses & Subscriptions and locate the managed firewall for which you want to activate Enterprise DLP.
    3. In the Actions column, click Licenses & Subscriptions.
    4. Click Activate License at the bottom of the page.
    5. Select Activate License from the list of Activation Types.
    6. In the Activate Auth-Code field, enter the auth code provided by Palo Alto Networks.
    7. Agree and Submit.
  8. (Optional) Create a Palo Alto Networks Support ticket to enable your Enterprise DLP license to transfer between firewalls.
    Requesting that the Enterprise DLP license is transferable enables you to transfer your DLP license to other managed firewalls.
    In the support ticket, include the following information:
    • The request for a firewall transfer for the Enterprise DLP license.
    • Your CSP account ID and the email associated with your CSP account.
    • The managed firewall serial number. If you activated the Enterprise DLP license on multiple managed firewalls, include the serial numbers for all the managed firewalls in a single support ticket.
    • The auth codes used to activate the Enterprise DLP license on your managed firewalls.
    • Also provide the CSP account ID with which additional managed firewalls are associated if you have managed firewalls that belong to a different CSP account.
  9. Verify that you successfully activated Enterprise DLP.
    1. On Panorama, select Objects > DLP to confirm that the Data Filtering Patterns and Data Filtering Profiles automatically populate with the predefined data patterns and profiles.
    2. On the firewall web interface, select Device > Licenses and verify that Enterprise DLP successfully activated.
  10. After you successfully install the Enterprise DLP plugin on Panorama, you must create Security policy rules to enable your managed firewalls to leverage Enterprise DLP.
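
For teams that script the partial commit in step 6 instead of clicking through it, the following added example (not Palo Alto Networks code) builds the commit request so the __dlp administrator can never be left out, and lints existing commit commands for the same omission. It assumes the PAN-OS XML API partial-commit form (`type=commit`, `action=partial`, `<commit><partial><admin><member>`); this page documents only the web interface steps, the function names are hypothetical, and the push to devices is not covered.

```python
import xml.etree.ElementTree as ET

DLP_ADMIN = "__dlp"  # temporary administrator named in step 6 of this page


def build_partial_commit_cmd(admins):
    """Build the partial-commit XML for the given admins, always adding __dlp."""
    members = []
    for name in list(admins) + [DLP_ADMIN]:
        name = name.strip()
        if name and name not in members:  # drop blanks and duplicates
            members.append(name)
    commit = ET.Element("commit")
    admin = ET.SubElement(ET.SubElement(commit, "partial"), "admin")
    for name in members:
        ET.SubElement(admin, "member").text = name  # text is XML-escaped
    return ET.tostring(commit, encoding="unicode")


def partial_commit_params(admins):
    """Form parameters for the request (assumed XML API shape, see lead-in)."""
    return {
        "type": "commit",
        "action": "partial",
        "cmd": build_partial_commit_cmd(admins),
    }


def includes_dlp_admin(cmd_xml):
    """Lint an existing commit command: False if admin-scoped without __dlp."""
    root = ET.fromstring(cmd_xml)
    admin = root.find("./partial/admin")
    if admin is None:
        return True  # not scoped by admin, so nothing to check
    return DLP_ADMIN in [m.text for m in admin.findall("member")]


if __name__ == "__main__":
    # Constructed sample: a command taken from an older automation script.
    legacy = ("<commit><partial><admin><member>admin</member>"
              "</admin></partial></commit>")
    print("legacy command includes __dlp:", includes_dlp_admin(legacy))
    print("corrected command:", build_partial_commit_cmd(["admin"]))
```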