Set Up the EDM CLI App

Table of Contents

Configure EDM CLI App Connectivity to Enterprise DLP

Download the secure Exact Data Matching (EDM) CLI app on your local Windows or Linux device.

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.

You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?	What Do I Need?
NGFW (Managed by Panorama or Strata Cloud Manager) Prisma Access (Managed by Panorama or Strata Cloud Manager)	Enterprise Data Loss Prevention (E-DLP) license Review the Supported Platforms for details on the required license for each enforcement point. Or any of the following licenses that include the Enterprise DLP license Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license Data Security license

The Exact Data Matching (EDM) CLI app is a secure CLI tool used to upload hash encrypted EDM data sets to Enterprise Data Loss Prevention (E-DLP). The EDM CLI app accepts a source file in CSV or TSV format. The EDM CLI app then generates an encrypted hash EDM data set with AES-256 encryption of the source file and saves it as a zip file that you can upload to Enterprise DLP. The EDM CLI app applies a one-way hash to each field in the CSV or TSV file that is then encoded in Base64. After securing the file, the EDM CLI app generates a zip file containing the secured data set.

The EDM CLI app is supported on Microsoft Windows and Linux operating systems such as Ubuntu, Debian, and CentOS.

The EDM CLI app is downloaded from Strata Cloud Manager and includes the following:

README.TXT—Quick overview of the EDM CLI app functionality, including descriptions of data types and column values.
edm-secure-cli-<version>.jar—The executable Java app.
config.properties—Configuration file you can prepopulate to upload a file to Enterprise DLP.
upload_config.properties—Configuration file for the connectivity settings to connect to Enterprise DLP.
lib—Directory containing all the dependency libraries required by the EDM Secure CLI app.
log4j2.xml—Configuration files for debugging and logging.
sample_dataset.csv—Sample CSV file you can use as a template for upload to Enterprise DLP.
(Windows) edm-secure-cli.bat—Windows batch file used to create and upload an EDM data set to Enterprise DLP.
(Linux) edm-secure-cli.sh—Bash script used to create and upload an EDM data set to Enterprise DLP.

Review the setup prerequisites for Enterprise DLP before you set up the EDM CLI app.

Allow the required FQDNs and IP addresses listed here to successfully upload EDM data sets and forward traffic to Enterprise DLP for inspection.
Deploy the device you will use to upload EDM data sets to Enterprise DLP.

You can upload EDM data sets to Enterprise DLP using any physical or virtual device running a Windows or Linux operating system.

If you plan to deploy a dedicated virtual machine to upload EDM data sets to Enterprise DLP, Palo Alto Networks recommends you allocate a minimum of four CPUs and 8 GB memory to the virtual machine.
Log in to Strata Cloud Manager.
Enable Exact Data Matching (EDM).

It might take up to 24 hours for Palo Alto Networks to enable EDM functionality.
Continue to the next step after Palo Alto Networks enabled EDM. You can verify you enabled EDM when you have the ability to download the EDM CLI app to your local device.
Download the EDM CLI app.

The entire contents of the EDM CLI app are downloaded as a .zip file.
1. Select ManageConfigurationData Loss PreventionDetection MethodsExact Data Matching and expand the EDM Setup Guide
2. Click Download EDM Tool and Download the latest version of the EDM CLI app.
  Select Windows 64-bit if you’re installing the EDM CLI app on a Microsoft Windows device.
  Select Linux 64-bit if you're installing the EDM CLI app on a Linux device.
  Select and download the latest EDM CLI version available.
  Download version 3.5 or later to upload EDM data sets in an air-gapped environment.
  
  If you use an older unsupported version of the CLI, the CLI will display an error message: Please use the latest version of cli tool. Latest version: <latest-version>.
(Optional) Create a new folder for EDM on your local device.
The EDM CLI app generates secured versions of all EDM data sets uploaded to Enterprise DLP and logs for EDM CLI app activity. As a best practice, create a folder just for the EDM CLI app to contain all EDM-specific files to a single folder.
Refer to the documentation for Microsoft Windows or your specific Linux OS for more information on creating a new folder.
Extract the EDM zip file contents.
1. On your local device, navigate to the downloaded package-edm-secure-cli-<version>-<platform>.zip file.
2. Right-click the package-edm-secure-cli-<version>-<platform>.zip file and click Extract To.
3. Select a folder and Extract.
  (Best Practices) Select the folder you created for your EDM CLI app files.
Verify the extracted .zip file contains all the required EDM CLI app files.
Install Java on your local device.
The EDM CLI app requires a 64-bit Java version, such as JDK 64-Bit, to run.
1. Open the terminal and view the Java version currently installed.
  admin: java -version
2. Install the latest version of Java.
  
  Skip this step if you already have a 64-bit Java version, such as JDK 64-Bit, already installed. Refer to the Microsoft Windows or your Linux OS documentation for the command to install the latest version of Java.
(Linux only) Make the EDM CLI app script readable, writable, and executable.
1. Navigate to the directory where you extracted the EDM CLI app .zip contents.
  
  In this example, we extracted the package-edm-secure-cli-<version>-<platform>.zip contents to the EDM directory.
2. Make the EDM CLI app script readable, writable, and executable.
  admin: chmod 777 ./edm-secure-cli.sh
Configure EDM CLI App Connectivity to Enterprise DLP.