Strata Cloud Manager

1. Log into Strata Cloud Manager.
2. Enable Non-File Inspection.
3. Select ConfigurationNGFW and Prisma AccessSecurity ServicesDecryption and create the decryption profile and policy rule required to enable Enterprise DLP on Strata Cloud Manager.

   Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
4. (Optional) Create a data pattern.

   Create a custom regex data pattern to define your own match criteria. You can skip this step if you plan to use predefined or existing data patterns to define match criteria in your data filtering profile.
5. Create a data profile or use an existing data profile.
6. Select ConfigurationData Loss PreventionDLP Rules and in the Actions column, Edit the DLP rule.

   1. Enable Non-File Based Match Criteria.

      DLP rules configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can further modify the DLP rule to enforce your organization’s data security standards. The DLP rule has an identical name as the data profile from which it was automatically created.

      You can keep File Based Matched Criteria enabled or disable as needed. Enabling this setting has no impact on detection of egress traffic to ChatGPT as long as Non-File Based Match Criteria is enabled.

   2. Modify the Action and Log Severity.
   3. Modify the rest of the DLP rule as needed.
   4. Save.
7. Create a Shared Profile Group for the Enterprise DLP data filtering profile.

   1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesProfile Groups and Add Profile Group.
   2. Enter a descriptive Name for the Profile Group.
   3. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
   4. Add any other additional profiles as needed.
   5. Save the profile group.

8. Create a Security policy and attach the Profile Group.

   Alternatively, you can create or add ChatGPT to an Internet Access policy rule. You can skip this step if you create a Internet Access policy rule for ChatGPT.

   1. Select ConfigurationSecurity ServicesSecurity Policy and Add Rule.

      You can also update an existing Security policy to attach a Profile Group for Enterprise DLP filtering.
   2. In the Applications, Services, and URLs section, Add Applications to search for and select openai-chatgpt.

   3. Navigate to the Action and Advanced Inspection section, and select the Profile Group you created in the previous step.

   4. Configure the Security policy as needed.

      The Action you specify in the data profile determines whether egress traffic to ChatGPT is blocked. The Security policy rule Action does not impact whether matched traffic is blocked.

      For example, you configured the data filtering profile to Block matching egress traffic but configure the Security policy rule Action to Allow. In this scenario, the matching egress traffic to ChatGPT is blocked.
   5. Save the Security policy.
9. Push your Security policy rule.

   For the Admin Scope, select All Admins to ensure Enterprise DLP configuration changes propagate to all enforcement points.

   Enterprise DLP configuration changes don't display in Strata Cloud Manager config snapshots.

   1. Push Config and Push.
   2. Select (enable) Remote Networks and Mobile Users.
   3. Push.