Create a Classic Data Profile
Focus
Focus
Enterprise DLP

Create a Classic Data Profile

Table of Contents

Create a Classic Data Profile

Create a classic Enterprise Data Loss Prevention (E-DLP) data profile that contains predefined, custom regular expression, or file property data patterns.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
After you create a data pattern, you need to create a data profile to add those data patterns and specify matches and confidence levels. All data profiles you create are shared across Panorama™ management server and Strata Cloud Manager deployments associated with the tenant. All classic data profiles created on Panorama or Strata Cloud Manager can be edited and copied as needed. Viewing a data profile created on the DLP on Panorama requires Panorama plugin for Enterprise DLP 1.0.4 or later release.
(Panorama only) A data profile configured for detection of non-file traffic allows you to configure URL and application exclusion lists. The URL and application exclusion lists allow you to select Shared URL and application traffic to exclude from inspection. For the application exclusion list, at least one application exclusion is required to create a data filtering profile for inspecting non-file traffic. The predefined DLP App Exclusion Filter is provided containing commonly used applications that can be safely excluded from inspection. When you create a data filtering profile using predefined data patterns, be sure to consider the detection type used by the predefined data patterns because the detection type determines how Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files. If you downgrade from PAN-OS 10.2.1 or later release and Enterprise DLP plugin 3.0.1 or late release to PAN-OS 10.1 and Enterprise DLP plugin 1.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.
When you create a data profile using predefined data patterns, be sure to consider the detection type used by the predefined data patterns because the detection type determines how Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files.
Updating a classic data profile to include an advanced detection method such as Exact Data Matching (EDM) and custom document types set isn’t supported.
You need to create an advanced data profile if you want to create a data profile that combines a predefined or custom data pattern and advanced detection methods, see

Strata Cloud Manager

Create an Enterprise Data Loss Prevention (E-DLP) data profile on Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Edit the data filtering settings on Strata Cloud Manager to configure the minimum and maximum data size limits and the actions the firewall takes when uploading files or to the DLP cloud service or when inspecting non-file based traffic.
  3. Select ManageConfigurationData Loss PreventionData Profiles and Add Data ProfileClassic Data Profile.
    You can also create a new data profile by copying an existing data profile. This allows you to quickly modify an existing data profile with additional match criteria while preserving the original data profile from which the new data profile was copied.
    Data profiles created by copying an existing data profile are appended with Copy - <name_of_original_data_profile>. This name can be edited as needed.
    Adding an EDM data set to a copied data profile is supported only if the original data profile had an EDM data set to begin with. Adding an EDM data set to a data profile that doesn’t already have an EDM data set isn’t supported.
  4. Configure the Primary Rule for the data profile.
    Data pattern match criteria for traffic that you want to allow must be added to the Primary Rule. Data pattern match criteria for traffic that you want to block can be added to either Primary Rule or Secondary Rule.
    1. Enter a descriptive Data Profile Name.
    2. Add Pattern Group and Add Data Pattern.
    3. Configure the match criteria.
      • Data Pattern—Select a custom or predefined data pattern.
        Predefined ML-based data patterns support only the Any occurrence condition with either High or Lowconfidence. You can't configure any other traffic match criteria other than the confidence level for Predefined ML-based data patterns.
      • Occurrence Condition—Specify the occurrences condition required to trigger a Security policy rule action.
        • Any—Security policy rule action triggered if Enterprise DLP detects at least one instance of matched traffic.
        • Less than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Count.
        • More than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with a minimum being the specified Count.
        • Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects any number of instances of matched traffic between the specific Count range.
      • Count—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
        For example, to match a pattern that appears three or more times in a file, select More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
      • Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
    4. (Optional) Add Data Pattern to add additional data pattern match criteria to the Primary rule.
    5. (Optional) Add Data Pattern Group to add additional data pattern conditions using AND or OR operators to the Primary Rule.
      Refer to the descriptions above to configure any additional data pattern conditions as needed.
    6. (Optional) Configure a Secondary Rule.
      Data pattern match criteria added to the Secondary Rule block all traffic that meets the match criteria for the data pattern conditions. If you want to allow traffic that matches a data pattern match criteria, add it to the Primary Rule.
    7. Review the Data Profile Preview to verify the data profile match criteria.
    8. Save the data profile.
  5. Test a Data Profile to verify it accurately detects the sensitive data you configured it to detect.
  6. Select ManageConfigurationSecurity ServicesData Loss Prevention and search for the data profile you created to verify it was successfully created.
  7. Attach the data profile to a Security policy rule.

File Based for Panorama

Create a data filtering profile for the Enterprise Data Loss Prevention (E-DLP) on the Panorama™ management server.
  1. Log in to the Panorama web interface.
  2. Edit the data filtering settings on Panorama to configure the minimum and maximum data size limits and the actions the firewall takes when uploading files to the DLP cloud service.
  3. Create one or more data patterns.
  4. Select ObjectsDLPData Filtering Profiles.
  5. Add a new data filtering profile.
  6. Enter a descriptive Name for the data profile.
  7. Verify the following settings are enabled.
    • File Based—New data profiles have Yes selected by default.
    • Shared—All Enterprise DLP data profiles must be Shared across all device groups. This setting is enabled by default and cannot be disabled.
  8. Define the match criteria.
    • If you select Basic, configure the following:
      • Primary PatternAdd one or more data patterns to specify as the match criteria.
        If you specify more than one data pattern, the managed firewall uses a boolean OR match in the match criteria.
      • Match—Select whether the pattern you specify should match (include) or not match (exclude) the specified criteria.
      • Operator—Select a boolean operator to use with the Threshold parameter. Specify Any to ignore the threshold.
        • Any—Security policy rule action triggered if Enterprise DLP detects at least one instance of matched traffic.
        • Less than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Threshold.
        • More than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with a minimum being the specified Threshold.
        • Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects any number of instances of matched traffic between the specific Threshold range.
      • Occurrence—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
        For example, to match a pattern that appears three or more times in a file, select more_than_or_equal_to as the Operator and specify 3 as the Threshold.
      • Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
    • If you select Advanced, you can create expressions by dragging and dropping data patterns, Confidence levels, Operators, and Occurrence values into the field in the center of the page.
      Specify the values in the order that they’re shown in the following example (data pattern, Confidence, and Operator or Occurrence).
  9. Select an Action (Alert or Block) to perform on the file.
    If the data profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
  10. Specify the file types the DLP cloud service takes action against.
    • DLP plugin 4.0.0 and earlier releases
      Select the File Type. By default, any is selected and inspects all supported file types.
    • DLP plugin 4.0.1 and later releases
    1. Select File Types.
    2. Select the Scan Type to create a file type include or exclude list.
      • Include—DLP cloud service inspects only the file types you add to the File Type Array.
      • Exclude—DLP cloud service inspects all supported file types except for those added to the File Type Array.
    3. Click Modify to add the file types to the File Type Array and click OK.
  11. Select traffic Direction you want to inspect.
    You can select Upload, Download, or Both.
  12. Set the Log Severity recorded for files that match this rule.
    You can select critical, high, medium, low, or informational. The default severity is informational.
  13. Click OK to save your changes.
  14. Attach the data filtering profile to a Security policy rule.
    1. Select PoliciesSecurity and specify the Device Group.
    2. Select the Security policy rule to which you want to add the data filtering profile.
    3. Select Actions and set the Profile Type to Profiles.
    4. Select the Data Filtering profile you created previously.
    5. Click OK.
  15. Commit and push the new configuration to your managed firewalls.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select CommitCommit to Panorama and Commit.
      2. Select CommitPush to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select CommitCommit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select CommitPush to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.

Non-File Based for Panorama

Create a data filtering profile for the Enterprise Data Loss Prevention (E-DLP) on the Panorama™ management server to inspect non-file traffic for sensitive data.
  1. Log in to the Panorama web interface.
  2. Edit the data filtering settings on Panorama to configure the minimum and maximum data size limits and the actions the firewall takes when uploading non-file data to the DLP cloud service.
    Palo Alto Networks recommends verifying you Enable Non File DLP after you install Panorama plugin for Enterprise DLP 3.0.1.
  3. Create one or more data patterns.
  4. (Optional) Create a custom application filter or application group to define predefined or custom application traffic you want to exclude from inspection.
    The application filter and application group must be Shared to be used in the data filtering profile application exclusion list. Data filtering profiles for non-file traffic inspection support either both custom application filters and application groups. You aren’t required to add both.
  5. (Optional) Create a custom URL category to define URL traffic you want to exclude from inspection.
    The URL category must be Shared to be used in the data filtering profile URL exclusion list.
    To include the custom URL category in the URL exclusion list of a data filtering profile, adding the custom URL category to a URL Filtering profile isn’t required.
  6. Select ObjectsDLPData Filtering Profiles.
  7. Add a new data filtering profile.
  8. (Optional) Configure the data filtering profile to scan File Based traffic.
    Data filtering profiles support scanning both file based and non-file based traffic. Select Yes to scan for both file based and non-file based traffic. Select No to only scan for non-file based traffic. Configuring the data filtering profile not to scan for file based traffic has no impact on scanning non-file based traffic.
  9. Configure the data filtering profile to scan Non-File Based traffic.
    Select Yes to scan for non-file based traffic.
  10. Verify that Shared is enabled.
    All Enterprise DLP data profiles must be Shared across all device groups. This setting is enabled by default and cannot be disabled.
  11. Define the match criteria.
    • If you select Basic, configure the following:
      • Primary PatternAdd one or more data patterns to specify as the match criteria.
        If you specify more than one data pattern, the managed firewall uses a boolean OR match in the match criteria.
      • Match—Select whether the pattern you specify should match (include) or not match (exclude) the specified criteria.
      • Operator—Select a boolean operator to use with the Threshold parameter. Specify Any to ignore the threshold.
        • Any—Security policy rule action triggered if Enterprise DLP detects at least one instance of matched traffic.
        • Less than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Threshold.
        • More than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with a minimum being the specified Threshold.
        • Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects any number of instances of matched traffic between the specific Threshold range.
      • Occurrence—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
        For example, to match a pattern that appears three or more times in a file, select more_than_or_equal_to as the Operator and specify 3 as the Threshold.
      • Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
    • If you select Advanced, you can create expressions by dragging and dropping data patterns, Confidence levels, Operators, and Occurrence values into the field in the center of the page.
      Specify the values in the order that they’re shown in the following screenshot (data pattern, Confidence, and Operator or Occurrence).
  12. Select an Action (Alert or Block) to perform on matching traffic.
    If the data profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
  13. (Optional) Configure the URL category list to exclude URL traffic from inspection.
    The URL category list can only be configured when Non-File Based traffic inspection is enabled.
    1. Select URL Category List Excluded From Non-File.
    2. Add a new URL category list.
    3. Select a predefined URL category, custom URL category or EDL.
  14. Configure the application exclusion list to exclude application traffic from inspection.
    The application list can only be configured when Non-File Based traffic inspection is enabled. At least one application list or application group is required to create a data filtering profile for inspecting non-file traffic.
    1. Select Application List Excluded From Non-File.
    2. Add an application filter or application group.
      If you didn’t create a custom application filter or application group, you must add the DLP App Exclusion Filter.
  15. For the Direction, only Upload is supported for inspection of non-file based traffic.
  16. Set the Log Severity recorded for files that match this rule.
    You can select critical, high, medium, low, or informational. The default severity is informational.
  17. Click OK to save your changes.
  18. Attach the data filtering profile to a Security policy rule.
    1. Select PoliciesSecurity and specify the Device Group.
    2. Select the Security policy rule to which you want to add the data filtering profile.
    3. Select Actions and set the Profile Type to Profiles.
    4. Select the Data Filtering profile you created previously.
    5. Click OK.
  19. Commit and push the new configuration to your managed firewalls.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select CommitCommit to Panorama and Commit.
      2. Select CommitPush to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select CommitCommit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select CommitPush to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.