Recommendations for Security Policy Rules

Table of Contents

Recommendations and tips for creating Security policy rules using Enterprise Data Loss Prevention (E-DLP) data profiles.

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.

You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?	What Do I Need?
NGFW (Managed by Panorama or Strata Cloud Manager) Prisma Access (Managed by Panorama or Strata Cloud Manager)	Enterprise Data Loss Prevention (E-DLP) license Review the Supported Platforms for details on the required license for each enforcement point. Or any of the following licenses that include the Enterprise DLP license Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license Data Security license

How you create your Security policy rules using Enterprise Data Loss Prevention (E-DLP) and how you order those Security policy rules within your rulebase has significant impact on your security outcomes. Review the recommendations and tips for creating a Security policy rule using Enterprise DLP to prevent exflitration of sensitive data and strengthen your overall security posture.

For both new and existing security administrators, review the Security Policy Best Practices.
Regardless of the Security product you use, Palo Alto Networks recommends you review and implement these best practices when creating or updating your Security policy rulebase. These best practices are designed to reduce your attack surface and help safeguard your network and business assets.
Before you associate a data profile with a Security policy rule, review the recommendations to reduce false positive detections.
False positive detections are commonly caused by traffic match criteria in your data patterns that are too generalized or may be instances where the Enterprise DLP machine learning (ML) models need to be manually trained. Create specific and narrow data pattern match criteria to add to your data profiles to help reduce the likelihood of false positive detections. This can help you triage and more easily implement changes when sensitive data isn't detected and blocked.
Consider the Security policy rule orderings in your policy rulebase.
Security action is taken based on the first Security rule the inspected traffic matches. If the first policy rule is too broad or overly permissive, it may result in sensitive data leaving your network.
- Order Security policy rules with more granular and specific data profiles, or for the more sensitive and business-critical applications, at the top of the policy rulebase.
  This lets you filter traffic for sanctioned applications based on the App-ID with the Enterprise DLP data profile for a specific set of users, traffic, or applications.
- Order Security policy rules with broad data profiles, or for the less risky applications and set of users, at the bottom of the policy rulebase.
  This lets you filter traffic based on the App-ID category and can use predefined data profiles for one or more less risky sets of users, traffic, or applications.
Consider the traffic direction and whether you want a different security action taken depending on whether the traffic is a download or an upload.
Review the supported apps to understand which applications support download inspection, upload inspection, or both. You can create specific data profiles if you want to take different security actions based on whether the traffic is a download or an upload.
- Panorama—Create a data profile for file-based or non-file based detections
- Strata Cloud Manager—Modify a DLP Rule on Strata Cloud Manager
Consider the scope of your Security policy rule.
- Match Criteria Source and Destination— Add specific addresses or users, and don't select Any.
  For granular Security policy rules, Palo Alto Networks recommends you select one or more specific users or a single user group. For broad Security policy rules, you can select multiple user groups.
- Application/Service—Select one or more of the supported Enterprise DLP supported apps.
  For a granular Security policy rules, Palo Alto Networks recommends adding only a single application. For broad Security policy rules, you can create an application group to which you want to apply the same security requirements.
- (Strata Cloud Manager) Profile Group—For granular and specific match criteria, add a custom data profile with the specific match criteria you went to inspect for and block to the Security Profile Group you want to associate with the Security policy rule.
  For broad match criteria, you can use the predefined best-practice Security Profile Group or create a new Security Profile Group with one of the predefined data profiles.
- (Panorama)Profile Settings - Profiles or Groups—For granular and specific match criteria, add a custom data profile or profile group with the specific match criteria you want to inspect for and block. For broad match criteria, you can use a predefined data profile.
Take advantage of External Dynamic Lists (EDL) to allow common services on your network.
EDLs are dynamic and allow you to make changes to endpoints you want to protect without requiring additional commits when a chance is made. Custom EDLs are useful because they can be hosted on a web server as a simple text file. Alternatively, you can use the Feed URLs provided by the EDL Hosting Service for supported apps.

Data Dictionaries

Enterprise DLP Migrator

Enterprise DLP Docs

Recommendations for Security Policy Rules

Enterprise DLP Docs

Recommendations for Security Policy Rules

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner

Technical Documentation

Company

Legal Notices