Administration
  • Administration
  • Enterprise DLP Documentation
  • All Documentation
>
How Does Endpoint DLP Work?
Focus
Download PDF
Focus
  1. Home
  2. Enterprise DLP
  3. Configure Enterprise DLP
  4. Endpoint DLP
  5. How Does Endpoint DLP Work?
Download PDF
Enterprise DLP

How Does Endpoint DLP Work?

Table of Contents

How Does Endpoint DLP Work?

Learn more about how Endpoint DLP works to prevent exfiltration of sensitive data over peripheral devices.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)
  • Endpoint DLP license
  • Enterprise Data Loss Prevention (E-DLP) license
  • Autonomous DEM 5.3.4 or later
  • Prisma Access Agent
  • One of the following Prisma Access versions
    • 10.2Prisma Access 5.2
    • 11.2Prisma Access 5.1 or 5.2
Endpoint DLP enables your security administrators to control the use of peripheral devices by allowing you to allow or block their use. To prevent exfiltration of sensitive data to peripheral devices Endpoint DLP uses Enterprise Data Loss Prevention (E-DLP) advanced detection methods, as well as custom data profiles to define custom traffic match criteria or predefined ML-based and regex data profiles.
The Prisma Access Agent evaluates and enforces your Endpoint DLP policy rules when files are moved between the endpoint and peripheral device. The Prisma Access Agent detects when file movement between the endpoint and peripheral device occurs and evaluates the Endpoint DLP policy rulebase. When necessary, Prisma Access Agent forwards the traffic to Enterprise DLP for inspection and verdict rendering. Enterprise DLP then communicates the verdict to the Prisma Access Agent which then takes the action configured in the Endpoint DLP policy rule. Additionally, the Prisma Access Agent is also responsible for displaying the end user a notification when they generate a DLP incident.
The following is an example of the process Enterprise DLP uses to inspect endpoints. This process succeeds only if you installed the Prisma Access Agent and that you already configured your Endpoint DLP policy rules.
  1. A user in your organization connects a peripheral device to their laptop.
  2. The user moves a file from their endpoint to the connected peripheral device.
  3. The Prisma Access Agent registers that the user attempted to move a file from the endpoint to the peripheral device and evaluates your Endpoint DLP policy rules.
    • No Policy Rule Match—If there is no Endpoint DLP policy rule match identified, then the agent allows the peripheral device to connect and the endpoint has full read and write access privileges to the peripheral device.
    • Peripheral Control Policy Rule—If you created a peripheral control policy rule to control access, then the agent executes the allow or block action that you configured in the policy rule.
      For example, if the Endpoint DLP policy rule blocks the connection to the peripheral device, then the agent revokes write privileges to the peripheral device. In this case, the endpoint can't upload files to the peripheral device.
      Alternatively, if the Endpoint DLP policy rule allows the connection to the peripheral device, then the agent grants the endpoint write access privileges to the peripheral device. In this case, the endpoint can upload files to the peripheral device.
    • Data in Motion Policy Rule—The agent allows the connection to the peripheral device. When the Prisma Access Agent detects file movement from the endpoint to a peripheral device, it forwards the file to Enterprise DLP for inspection and verdict rendering. The agent also forwards important file metadata, such as the fileSHA, which Enterprise DLP uses to identify each forwarded file.
      Enterprise DLP then sends the verdict to the Prisma Access Agent. If Enterprise DLP detects sensitive data, the agent takes the Endpoint DLP policy rule action. When Enterprise DLP detects forwarded files that were already inspected based on the fileSHA, then Enterprise DLP returns the existing verdict to the agent. Enterprise DLP does not inspect the same file twice.
  4. The Prisma Access Agent executes the Endpoint DLP policy rule action that you configured in either the Peripheral Control or Data in Motion policy rules.
  5. Enterprise DLP generates a DLP incident when appropriate. Additionally, if you configured End User Coaching, the Prisma Access Agent displays a notification on the endpoint to alert the user.

What Operating Systems Does Endpoint DLP Support?

Endpoints running the following operating systems support Endpoint DLP.
Operating System
Version
Microsoft Windows
Windows 10 version 2004 or later release
macOS
12 (Monterey) or later release

What File Types Does Endpoint DLP Support?

Endpoint DLP supports the inspection and verdict rendering on the following file types.
File Characteristic
Support
File Type
Endpoint DLP supports inspection of all file types supported by Enterprise DLP
File Size
The maximum file size Endpoint DLP supports depends on the Endpoint DLP policy rule Action.
  • Alert— Up to 100 MB
  • Block—Up to 20 MB

Which Protocols Does Endpoint DLP Support for Network Shares?

Endpoint DLP supports the following network protocols for network share peripheral devices.
Operating System
Version
Microsoft Windows
Server Message Block (SMB)
macOS
These protocols are supported only if you mount the protocol as a network share
Server Message Block (SMB)
File Transfer Protocol (FTP)
Secure File Transfer Protocol (SFTP)
FTP Secure (FTPS)
Network File System (NFS)

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.