How Does Endpoint DLP Work?

Enterprise DLP


Learn how Endpoint DLP prevents exfiltration of sensitive data over peripheral devices and discovers sensitive data stored on managed endpoints.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Endpoint DLP license
  • Autonomous DEM 5.3.4 or later
  • Prisma Access Agent
  • Prisma Access 5.1 (Preferred or Innovation) or later
Endpoint DLP enables you to allow or block peripheral devices to prevent exfiltration of sensitive data. Endpoint DLP uses the advanced detection methods of Enterprise Data Loss Prevention (E-DLP), with either predefined ML-based and regex data profiles or custom data profiles that define your own traffic match criteria.
Endpoint DLP enforces data in motion policy rules at the point of file transfer between an endpoint and a peripheral device. When Prisma Access Agent detects file movement, it evaluates the Endpoint DLP policy rulebase and forwards the file to Enterprise DLP for inspection when necessary. Enterprise DLP renders a verdict and communicates it to Prisma Access Agent, which executes the action you configured in the policy rule. Prisma Access Agent also displays a notification to the end user when they generate a DLP incident.
The following example illustrates how Enterprise DLP inspects endpoints. This process requires Prisma Access Agent and your Endpoint DLP policy rules.
  1. A user connects a peripheral device to their endpoint.
  2. The user moves a file from the endpoint to the connected peripheral device.
  3. Prisma Access Agent registers that the user attempted to move a file from the endpoint to the peripheral device and evaluates your Endpoint DLP policy rules.
    • No Policy Rule Match—If no Endpoint DLP policy rule matches, the agent allows the peripheral device to connect and the endpoint retains full read and write access to the peripheral device.
    • Peripheral Control Policy Rule—If you created a peripheral control policy rule, the agent executes the allow or block action you configured.
      For example, if the policy rule blocks the connection, the agent revokes write privileges and the endpoint can't upload files to the peripheral device.
      If the policy rule allows the connection, the agent grants write access and the endpoint can upload files to the peripheral device.
    • Data in Motion Policy Rule—The agent allows the connection. When Prisma Access Agent detects file movement from the endpoint to a peripheral device, it forwards the file to Enterprise DLP for inspection and verdict rendering. The agent also forwards file metadata, such as the fileSHA, which Enterprise DLP uses to identify each forwarded file.
      Enterprise DLP sends the verdict to Prisma Access Agent. If Enterprise DLP detects sensitive data, the agent takes the Endpoint DLP policy rule action. If Enterprise DLP detects a forwarded file that was already inspected based on the fileSHA, Enterprise DLP returns the existing verdict without reinspecting the file.
  4. Prisma Access Agent executes the Endpoint DLP policy rule action that you configured in the Peripheral Control or Data in Motion policy rule.
  5. Enterprise DLP generates a DLP incident when appropriate. If you configured End User Coaching, Prisma Access Agent displays a notification on the endpoint to alert the user.
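The decision flow in steps 1 through 5, modelled as an added Python example (not Prisma Access Agent or Enterprise DLP code): an ordered rulebase is evaluated per device type, a peripheral control rule grants or revokes write access, a data in motion rule forwards the file and its SHA-256 digest to a stand-in inspection service, and a fileSHA that was already inspected returns the cached verdict without reinspection. The class names, the device-type strings, the first-match rule ordering, the absence of an incident on a peripheral control block (the page does not say either way) and the single SSN-shaped regex standing in for a data profile are assumptions made for this example.

```python
"""Model of the Endpoint DLP data in motion flow described on this page (an added
illustration, not Prisma Access Agent or Enterprise DLP code). The names PolicyRule,
EndpointAgent and CloudDlpService, the device-type strings, the first-match rule
ordering and the SSN-shaped regex standing in for a data profile are assumptions;
the flow follows the page: rulebase evaluation, peripheral control allow or block,
data in motion forwarding of the file plus its SHA, and a cached verdict for a fileSHA
that Enterprise DLP has already inspected.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class RuleType(Enum):
    PERIPHERAL_CONTROL = "peripheral_control"
    DATA_IN_MOTION = "data_in_motion"


class Action(Enum):
    ALLOW = "allow"
    ALERT = "alert"
    BLOCK = "block"


@dataclass(frozen=True)
class PolicyRule:
    name: str
    rule_type: RuleType
    device_types: FrozenSet[str]   # constructed device classes such as "usb" or "printer"
    action: Action


@dataclass
class Outcome:
    write_allowed: bool
    matched_rule: Optional[str]
    incident: bool
    user_notified: bool


class CloudDlpService:
    """Stand-in for Enterprise DLP: inspects content and caches each verdict by fileSHA."""
    _SSN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")   # constructed stand-in for a data profile

    def __init__(self) -> None:
        self._verdicts: Dict[str, bool] = {}
        self.inspections = 0   # full inspections only; cache hits are not counted

    def inspect(self, file_sha: str, content: bytes) -> bool:
        if file_sha in self._verdicts:   # already inspected: return the existing verdict
            return self._verdicts[file_sha]
        self.inspections += 1
        self._verdicts[file_sha] = self._SSN.search(content) is not None
        return self._verdicts[file_sha]


class EndpointAgent:
    """Stand-in for Prisma Access Agent on a managed endpoint."""
    def __init__(self, rules: List[PolicyRule], dlp: CloudDlpService, coaching: bool) -> None:
        self.rules = rules         # ordered rulebase; first match wins (assumption)
        self.dlp = dlp
        self.coaching = coaching   # whether End User Coaching is configured

    def on_file_transfer(self, device_type: str, content: bytes) -> Outcome:
        rule = next((r for r in self.rules if device_type in r.device_types), None)
        if rule is None:
            # No policy rule match: the device connects with full read and write access.
            return Outcome(True, None, incident=False, user_notified=False)
        if rule.rule_type is RuleType.PERIPHERAL_CONTROL:
            # Allow grants write access, block revokes it; no content is inspected.
            allowed = rule.action is Action.ALLOW
            return Outcome(allowed, rule.name, incident=False, user_notified=False)
        # Data in motion: connection allowed; the file and its fileSHA go to Enterprise DLP.
        file_sha = hashlib.sha256(content).hexdigest()
        if not self.dlp.inspect(file_sha, content):
            return Outcome(True, rule.name, incident=False, user_notified=False)
        # Sensitive data: apply the action, raise an incident, notify only if coaching is on.
        blocked = rule.action is Action.BLOCK
        return Outcome(not blocked, rule.name, incident=True, user_notified=self.coaching)


def demo() -> Tuple[Dict[str, Outcome], CloudDlpService]:
    rules = [
        PolicyRule("block-printers", RuleType.PERIPHERAL_CONTROL, frozenset({"printer"}), Action.BLOCK),
        PolicyRule("inspect-usb", RuleType.DATA_IN_MOTION, frozenset({"usb"}), Action.BLOCK),
    ]
    agent = EndpointAgent(rules, CloudDlpService(), coaching=True)
    payroll = b"name,ssn\nA. Example,123-45-6789\n"   # constructed sample content
    outcomes = {
        "printer": agent.on_file_transfer("printer", b"quarterly report"),
        "usb_first": agent.on_file_transfer("usb", payroll),
        "usb_repeat": agent.on_file_transfer("usb", payroll),   # same fileSHA: cached verdict
        "usb_clean": agent.on_file_transfer("usb", b"nothing sensitive here"),
        "share": agent.on_file_transfer("network_share", payroll),   # no rule matches
    }
    return outcomes, agent.dlp
```

Running demo() shows the second transfer of the same payroll file producing an incident without a second inspection (inspections stays at 2 across five transfers), the printer blocked by the peripheral control rule without any content leaving the endpoint, and the network share transfer passing untouched because no rule matches it.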

How Does Data at Rest Scanning Work?

Contact your Palo Alto Networks sales representative to enable this feature on your Enterprise DLP tenant.
Endpoint DLP data at rest scanning discovers sensitive data stored on managed endpoints. You can identify improperly stored or unsecured sensitive information, such as personal data, financial records, and intellectual property, that increases your risk of data breaches and regulatory noncompliance with GDPR, HIPAA, and PCI-DSS.
Data at rest scans run locally on the endpoint using the local detection engine on Prisma Access Agent, which minimizes latency and maintains protection even when the endpoint is offline. You create data at rest policy rules in Strata Cloud Manager to define which data profiles, file types, folder paths, and users the scan targets. The local detection engine uses predefined regular expression (regex) data patterns to identify sensitive data.
Prisma Access Agent uses delta scanning after the initial full scan, inspecting only files created or modified since the last scan. Prisma Access Agent crawls the folder paths you configured, discovers files, and ignores symbolic links. Prisma Access Agent also monitors file system events to track file creations, modifications, and deletions. Each scan verdict expires after 90 days, at which point Prisma Access Agent automatically rescans the file regardless of whether the content changed.
When a scan identifies sensitive data that matches your data profiles, Enterprise DLP generates a DLP incident that you can investigate and remediate through the centralized incident management workflow in Strata Cloud Manager. You can view scan results for all discovered assets in the Data Asset Explorer, including matched data profiles, scan policies, and last scan times for each asset. If the endpoint is offline during a scan, Prisma Access Agent queues incidents locally and sends them to Enterprise DLP when connectivity is restored.
Data at rest scanning uses the local detection engine, which supports regex-based data patterns only. Classifiers that require cloud infrastructure, such as ML, EDM, IDM, and trainable classifiers, aren't supported for data at rest scans.
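A model of the delta scan lifecycle described above, added here as an example and not Prisma Access Agent code. It walks the configured folder paths, skips symbolic links, rescans only files modified since their last verdict or whose verdict is 90 days old, matches regex-only patterns locally, and queues incidents while offline for delivery when connectivity returns. The scanner class, the two regex patterns, the pinned timestamps and the temporary folder are constructed for the demonstration; how the real agent handles an incident for an unchanged file after the 90-day rescan is not described on the page, so this model simply reports the match again.

```python
"""Model of the data at rest delta scan described above (an added illustration, not
Prisma Access Agent code). Behaviour taken from the page: crawl the configured folder
paths, ignore symbolic links, inspect only files created or modified since the last
scan, rescan once a verdict is 90 days old even if unchanged, match regex-only data
patterns locally, and queue incidents while offline for delivery when connectivity
returns. DataAtRestScanner, the two regexes and the sample files are constructed here.
"""
from __future__ import annotations

import os
import re
import tempfile
from typing import Callable, Dict, List, Tuple

VERDICT_TTL_SECONDS = 90 * 24 * 3600   # page: each scan verdict expires after 90 days
# Constructed regex data patterns; the local engine supports regex only (no ML/EDM/IDM).
DATA_PATTERNS = {
    "us_ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "payment_card": re.compile(rb"\b(?:\d[ -]?){15}\d\b"),
}


class DataAtRestScanner:
    def __init__(self, folder_paths: List[str], now: Callable[[], float]) -> None:
        self.folder_paths = folder_paths
        self.now = now                                       # injectable clock for the demo
        self.records: Dict[str, Tuple[float, float]] = {}    # path -> (mtime seen, scanned_at)
        self.online = True
        self.queue: List[Tuple[str, List[str]]] = []         # incidents held while offline
        self.delivered: List[Tuple[str, List[str]]] = []     # incidents sent to Enterprise DLP
        self.files_inspected = 0

    def _needs_scan(self, path: str, mtime: float, now: float) -> bool:
        rec = self.records.get(path)
        if rec is None:
            return True                     # never seen: part of the initial full scan
        if mtime > rec[0]:
            return True                     # delta scan: created or modified since last scan
        return now - rec[1] >= VERDICT_TTL_SECONDS   # verdict expired: rescan regardless

    def scan(self) -> List[Tuple[str, List[str]]]:
        now, found = self.now(), []
        for root in self.folder_paths:
            for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
                for name in filenames:
                    path = os.path.join(dirpath, name)
                    if os.path.islink(path):   # page: symbolic links are ignored
                        continue
                    mtime = os.stat(path).st_mtime
                    if not self._needs_scan(path, mtime, now):
                        continue
                    self.files_inspected += 1
                    with open(path, "rb") as f:
                        data = f.read()
                    hits = [n for n, rx in DATA_PATTERNS.items() if rx.search(data)]
                    self.records[path] = (mtime, now)
                    if hits:
                        found.append((path, hits))
        self.queue.extend(found)
        self.flush()
        return found

    def flush(self) -> None:
        if self.online:                      # connected: hand queued incidents to Enterprise DLP
            self.delivered.extend(self.queue)
            self.queue.clear()

    def set_online(self, online: bool) -> None:
        self.online = online
        self.flush()                         # connectivity restored: deliver the offline backlog


def demo() -> Dict[str, int]:
    base, clock = 1_700_000_000.0, [1_700_000_060.0]
    with tempfile.TemporaryDirectory() as root:
        payroll, notes = os.path.join(root, "payroll.csv"), os.path.join(root, "notes.txt")
        for path, body in ((payroll, b"name,ssn\nA. Example,123-45-6789\n"), (notes, b"plain notes\n")):
            with open(path, "wb") as f:
                f.write(body)                # constructed sample files
            os.utime(path, (base, base))     # pin mtimes so the delta logic is deterministic
        try:
            os.symlink(payroll, os.path.join(root, "link.csv"))   # must be skipped by the scan
        except OSError:
            pass                             # symlinks may be unavailable on some platforms
        s = DataAtRestScanner([root], now=lambda: clock[0])
        out = {"initial_incidents": len(s.scan()), "initial_inspected": s.files_inspected}
        out["noop_incidents"], out["noop_inspected"] = len(s.scan()), s.files_inspected
        with open(notes, "ab") as f:
            f.write(b"card 4111 1111 1111 1111\n")       # one file changes
        os.utime(notes, (base + 120, base + 120))
        clock[0] = base + 180
        out["delta_incidents"], out["delta_inspected"] = len(s.scan()), s.files_inspected
        clock[0] += VERDICT_TTL_SECONDS      # 90 days later, and the endpoint is offline
        s.set_online(False)
        out["expired_incidents"], out["queued_offline"] = len(s.scan()), len(s.queue)
        s.set_online(True)
        out["queued_after_reconnect"], out["delivered"] = len(s.queue), len(s.delivered)
    return out
```

demo() walks the four stages in order: the initial full scan inspects both regular files and skips the symlink, an immediate rescan inspects nothing, a modified file is the only one reinspected, and once the 90-day verdict lifetime has elapsed both files are rescanned while offline, with the two resulting incidents held in the queue until set_online(True) delivers them.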

What Operating Systems Does Endpoint DLP Support?

Endpoints running the following operating systems support Endpoint DLP.
Operating System     Version
Microsoft Windows    Windows 10 version 2004 or later release
macOS                12 (Monterey) or later release

What File Types Does Endpoint DLP Support?

Endpoint DLP supports inspection and verdict rendering for the following file types.
File Characteristic   Support
File Type             Endpoint DLP can inspect all file types supported by Enterprise DLP.
File Size             The maximum file size depends on the Endpoint DLP policy rule Action.
                        • Alert—Up to 100 MB
                        • Block—Up to 50 MB

Which Protocols Does Endpoint DLP Support for Network Shares?

Endpoint DLP supports the following network protocols for network share peripheral devices.
Operating System     Protocols
Microsoft Windows    Common Internet File System (CIFS)
                     Server Message Block (SMB)
macOS                These protocols are supported only if you mount the protocol as a network share.
                     Common Internet File System (CIFS)
                     File Transfer Protocol (FTP)
                     FTP Secure (FTPS)
                     Network File System (NFS)
                     Server Message Block (SMB)
                     Secure File Transfer Protocol (SFTP)

Which Languages Does Endpoint DLP Support for Printing?

Endpoint DLP supports the following printing languages for printer peripheral devices depending on the printer and driver combination in use.
Enterprise DLP performs a best-effort inspection on printing outputs if the printer and driver combination produces output in a language not explicitly supported by Enterprise DLP. Enterprise DLP might not detect sensitive data in these outputs.
Operating System     Language                          Printer Brands
Microsoft Windows    PostScript (PS)                   Canon
                     Printer Command Language (PCL)    Epson
                     XML Paper Specification (XPS)     Ricoh
                                                       Sharp
                                                       Xerox
macOS                Enterprise DLP inspection is language agnostic and supports all printing languages supported by macOS.
Contact Palo Alto Networks Support if a printer brand you use isn't listed here.