Set Up SFTP Storage to Save Evidence
Connect your SFTP server to store files that match your Enterprise Data Loss Prevention (E-DLP) data profiles.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
  Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
To store files scanned by the DLP cloud service, you must specify the SFTP server connectivity information that lets the service upload and write files to a target location on the SFTP server. When the DLP cloud service uploads a file to your SFTP server, it creates a reportId folder by default. All files the DLP cloud service uploads to your SFTP server are written to the reportId folder within your folder path. Uploaded files are named automatically from the SFTP target folder location, the default reportId folder, and the file name.
The following special characters in a file name are not supported and prevent Enterprise Data Loss Prevention (E-DLP) from saving files to SFTP storage: / \ * ? < >. If a file name includes one of these special characters, you must change the special character to an underscore (_) so Enterprise DLP can save a copy of the file.
If Enterprise DLP cannot connect to your SFTP server because of a configuration error or a change in settings on the SFTP server, an email is automatically generated and sent to the admin who originally connected Enterprise DLP to the SFTP server and to the user who last modified the storage bucket connection settings. This email is sent every 48 hours until the connection is restored.
Files that are scanned by the DLP cloud service while Enterprise DLP is disconnected from your storage bucket can’t be stored and are lost. This means that all impacted files aren’t available for download. However, all snippet data is preserved and can still be viewed on Enterprise DLP on the hub.
File storage automatically resumes after the connection status is restored.
This procedure assumes you have already set up an SFTP server to save evidence for investigative analysis.
  1. Review the setup prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.
    • You must allow all IP addresses for Evidence Storage in the region where the SFTP server is deployed. This gives Enterprise DLP access to your network so it can write to your SFTP server.
    • You must allow the IP address or FQDN of the SFTP server on your network. The SFTP server must be reachable from your network so Enterprise DLP can successfully write to it.
  2. Log in to Strata Cloud Manager.
    Access to evidence storage settings and files on Strata Cloud Manager is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.
  3. Select Manage > Configuration > Data Loss Prevention > Settings > Sensitive Data, then select Configure Bucket and choose SFTP as the Public Cloud Storage Bucket.
  4. Review the Instructions - SFTP and click Next.
  5. Input Bucket Details to configure the SFTP server connection settings.
    1. Enter the Username of the SFTP server user used for secure file uploads.
      The user is required to have read and write access to the SFTP server.
    2. Enter the Private Key for the SFTP server.
      This is required to authenticate the SSH connection to the SFTP server. The Private Key must include both the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines.
    3. (Optional) Enter the public PGP Key to sign and encrypt files uploaded to the SFTP server.
      Pretty Good Privacy (PGP) is an encryption program that provides privacy and authentication for data communication and is used for signing, encrypting, and decrypting files. The PGP Key must include both the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines.
    4. Enter the Hostname of the SFTP server.
      The Hostname can be a Fully Qualified Domain Name (FQDN) or an IPv4 address.
      If you enter an FQDN, the FQDN must be publicly resolvable. If you enter an IPv4 address, the IP address must be public. Enterprise DLP cannot connect to a private FQDN or IPv4 address.
    5. (Optional) Enter the Folder Path for uploaded files to specify the target location where files are uploaded to on the SFTP server.
      If no Folder Path is specified, the DLP cloud service creates the default reportId folder at the top-most folder the Username has read and write access to. The folder path for uploaded files depends on whether a Folder Path is specified.
      • Folder Path Specified: <folder path>/reportId/<file name>
      • Folder Path Not Specified: /reportId/<file name>
    6. Enter the Port number through which files are uploaded to the SFTP server.
      Palo Alto Networks recommends using Port 22 for file uploads to your SFTP server. For uncommon ports, Enterprise DLP needs to open the egress port for connection and upload.
  6. Connect to the SFTP server.
    As part of the setup process, a file called Palo_Alto_Networks_DLP_Connection_Test.txt is uploaded to the target Folder Path on your SFTP server. Connectivity between the DLP cloud service and your SFTP server is confirmed when the DLP cloud service successfully uploads the test file.
    The Connection Status displays whether the initial connection test was successful. Continue to the next step when the status shows that the bucket connected successfully.
    If the connection isn't successful, click Previous to modify the SFTP server and connection settings as needed.
  7. Save the SFTP server connectivity settings.
  8. Enable Sensitive Files for your enforcement points.
    You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint DLP. Enable evidence storage when prompted to confirm.
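The following is an added example, not Palo Alto Networks code, that turns the constraints in this procedure into an offline pre-flight check of the Bucket Details (private key markers, public FQDN or IPv4 hostname, port) before you click Connect, and also builds the upload path and file-name handling described at the top of the page. Function names and sample values are assumptions; the FQDN check is syntactic only, since public resolvability cannot be verified offline.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed constants that mirror this page; none of this is Palo Alto Networks code.
UNSUPPORTED_CHARS = set("/\\*?<>")  # characters the page says block SFTP saves
KEY_BEGIN, KEY_END = "-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"
# Syntactic FQDN check only; public resolvability cannot be verified offline.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def check_private_key(pem: str) -> Optional[str]:
    """The page requires both the BEGIN and END RSA PRIVATE KEY lines."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != KEY_BEGIN or lines[-1] != KEY_END:
        return "private key must start with the BEGIN and end with the END RSA PRIVATE KEY line"
    return None

def check_hostname(host: str) -> Optional[str]:
    """Hostname must be an FQDN or a public IPv4 address; private ranges are unreachable."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None if FQDN_RE.match(host) else f"not an FQDN or IPv4 address: {host!r}"
    if ip.version != 4:
        return f"only IPv4 addresses are supported: {host}"
    if not ip.is_global:
        return f"private or reserved IPv4 address is not reachable by Enterprise DLP: {host}"
    return None

def check_port(port: int) -> Optional[str]:
    """Port 22 is recommended; any other port needs the egress port opened for upload."""
    if not 1 <= port <= 65535:
        return f"port out of range: {port}"
    return None if port == 22 else f"port {port} is uncommon; the egress port must be opened"

def sanitize_file_name(name: str) -> str:
    """Replace each unsupported character with an underscore, as the page instructs."""
    return "".join("_" if ch in UNSUPPORTED_CHARS else ch for ch in name)

def upload_path(file_name: str, folder_path: str = "") -> str:
    """<folder path>/reportId/<file name>, or /reportId/<file name> without a Folder Path."""
    if any(ch in UNSUPPORTED_CHARS for ch in file_name):
        raise ValueError(f"unsupported character in file name: {file_name!r}")
    return f"{folder_path.rstrip('/')}/reportId/{file_name}"

def validate_bucket(username: str, private_key: str, hostname: str, port: int) -> List[str]:
    """Pre-flight check of the Bucket Details before clicking Connect; returns every problem found."""
    problems = [] if username.strip() else ["username is required"]
    checks = (check_private_key(private_key), check_hostname(hostname), check_port(port))
    return problems + [err for err in checks if err]
```

An empty list from validate_bucket means the details at least satisfy the page's stated requirements; the connection test in step 6 still has to succeed.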