Enterprise DLP Limitations
Focus
Focus
Enterprise DLP

Enterprise DLP Limitations

Table of Contents

Enterprise DLP Limitations

Review the Enterprise Data Loss Prevention (E-DLP) cloud service and plugin limitations.
The following are limitations associated with Enterprise Data Loss Prevention (E-DLP) cloud service, plugin, and Endpoint DLP.

Enterprise DLP Cloud Service and Plugin

Issue ID
Description
The following NGFW do not support Enterprise DLP.
  • PA-410
  • PA-415
  • PA-415-5G
When using Enterprise DLP on Hub 1.0, the DLP app on the hub supports only Superuser administrative privileges. Role based access control for Enterprise DLP is supported on Hub 2.0 only.
A custom block response page for matched traffic blocked by Enterprise DLP is not supported for NGFW and Prisma Access managed by Strata Cloud Manager or Panorama.
WIF-1127
For PA-3250 firewalls running PAN-OS 10.2.4 or PAN-OS 10.2.5, .zip file uploads to the Zendesk application cannot be successfully blocked by Enterprise DLP and do not generate a DLP Incident on Panorama or the NGFW (MonitorLogsData Filtering).
WIF-484
Detection of floating images is not supported when Optical Character Recognition on Panorama or Prisma Access (Managed by Strata Cloud Manager) is enabled.
WIF-215
On Panorama, the original connection to the Service URL FQDN is terminated before the connection to the new Service URL FQDN can be established after reconfiguring the Service URL Setting (DeviceSetupContent-ID).
PLUG-12944
After you upgrade Panorama and managed NGFW to PAN-OS 11.0.2, the Panorama plugin for Enterprise DLP 4.0.1 you downloaded on Panorama prior to upgrade does not automatically install.
Workaround: After you successfully upgrade Panorama to PAN-OS 11.0.2, manually install the downloaded Enterprise DLP plugin (PanoramaPlugins).
PLUG-12756
This limitation is addressed in Enterprise DLP version 3.0.4.
Predefined data filtering profile (ObjectsDLPData Filtering Profiles) File Direction displays Default instead of Upload.
PLUG-11837
On Panorama, downgrading from the following PAN-OS releases does not restore the default Upload File Direction for data filtering profiles (ObjectsDLPData Filtering Profiles).
  • Downgrading from PAN-OS 11.0.1 to PAN-OS 11.0.0.
  • Downgrading from PAN-OS 10.2.4 to PAN-OS 10.2.3 or earlier release.
PLUG-10323
After you downgrade Panorama and NGFW to PAN-OS 10.2.0 and Enterprise DLP plugin 3.0.0, the Non-File Based (ObjectsDLPData Filtering Profiles) setting for a data filtering profile configured for non-file traffic data inspection erroneously displays as enabled on the managed firewall CLI.
Workaround: Disable the Non-File Based setting on the data filtering profile before downgrading to PAN-OS 10.2.0 and Enterprise DLP plugin 3.0.0.
  1. Log in to the Panorama web interface.
  2. Select ObjectsDLPData Filtering Profiles.
  3. Configure the Non-File Based setting as No and click OK.
  4. Commit and push your configuration changes to your managed firewalls leveraging Enterprise DLP.
    1. Select CommitCommit to Panorama and Commit.
    2. Select CommitPush to Devices and Edit Selections.
    3. Select Device Groups and Include Device and Network Templates.
    4. Push your configuration changes to your managed firewalls leveraging Enterprise DLP.
PLUG-10252
Renaming an existing data profile on the DLP app on the hub creates an entirely new data filtering profile (ObjectsDLPData Filtering Profiles) on Panorama.
PLUG-10172
On Panorama, the commit fails if the same profile (ObjectsDLPData Filtering Profiles) is being edited on Panorama and the DLP app at the same time.
Workaround: If you experience a commit failure when editing the data filtering profile on Panorama, you must discard the edits, reset the Enterprise DLP plugin, and reconfigure the data filtering profile.
  1. Log in to the Panorama CLI.
  2. Reset the Enterprise DLP plugin.
    admin> request plugins dlp reset
  3. Log in to the Panorama web interface.
  4. Update the data filtering profile on Panorama.
PLUG-6159
On the Panorama, all Enterprise DLP data profiles (ObjectsDLPData Filtering Profiles) are not displayed if you Remove Config (PanoramaPlugins) for the Enterprise DLP plugin and install the Cloud Services plugin.
Workaround: After you successfully Enterprise DLP plugin configuration, log in to the Panorama CLI and reset the Enterprise DLP plugin to display the DLP data profiles.
admin> request plugins dlp reset
PLUG-6121
On Panorama, Enterprise DLP data patterns and profiles do not function as expected after you load or revert a firewall configuration.
Workaround: After you successfully load or revert a NGFW configuration, log in to the Panorama CLI and reset the Enterprise DLP plugin.
admin> request plugins dlp reset
PAN-205319
PA-410 firewalls are not supported.
PAN-215405
File uploads to the Box application exceeding 20MB create multiple sessions if the data filtering profile (Objects DLPData Filtering Profile Action is set to Block. This results in the Box application requiring multiple retries before the file upload is successfully attempted and blocked by the DLP cloud service.
PAN-211913
Enterprise DLP does not support maintaining a session connection to continue inspection if a file download is paused. The DLP cloud service inspection is terminated for the file if the download operation is paused.
PAN-206877
The Gmail file attachment operation may sometimes get stuck or fail after multiple attempts if the DLP cloud service already scanned and blocked the file.
PAN-142785
Enterprise DLP does not support custom response pages on Panorama and uses the default File Blocking Block Page response page (DeviceResponse Pages).
PAN-140057
Enterprise DLP and IoT logs share log severity levels and cannot be configured individually.
DIT-27539
(Enterprise DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering settings to 21 MB or greater is supported only from the Panorama CLI.
  1. Enter configuration mode.
    admin>configure
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  2. Set the max file size data filtering setting.
    admin#set template <template_name> config shared dlp-settings max-file-size <1 - 100>
    Code copied to clipboard
    Unable to copy due to lack of browser support.

Endpoint DLP

Issue ID
Description
For endpoint devices running macOS, the Prisma Access Agent inspects file movement within a USB peripheral device connected to the endpoint device due to a macOS limitation that prevents macOS from being able to determine the file operation source path.
For example, you move a file from the endpoint device to Folder A in the connected USB device and the Prisma Access Agent inspects the file for sensitive data. A few minutes later you move the same file from Folder A to Folder B. In this case, the Prisma Access Agent once again inspects the file for sensitive data.
PANG-5687
Multiple DLP Incidents (ManageConfigurationData Loss PreventionDLP Incidents) can be generated for a single file move operation from the endpoint and peripheral device. Some examples of when this may occur are:
  • Extracting the file contents of a compressed file from the endpoint to a peripheral device.
  • An application that generates any artifact files when writing to a peripheral device. For example, the Microsoft BITSAdmin tool generates multiple .tmp files when writing to a peripheral device.
To prevent exfiltration of sensitive data, Enterprise DLP inspects every file associated with the file move operation from the endpoint to the peripheral device. This ensures that all impacted files are captured in your logs and analyzed. However, this may result in creation of unnecessary DLP Incidents.
PANG-5530
Installing the Prisma Access Agent on an endpoint device with Cortex 8.3.0 or earlier installed generates an error titled cytray.exe - Bad Image and alerts the user that DLP is either not designed to run on Windows or it contains an error.
This error can be ignored. It has no impact on the Prisma Access Agent installation or Endpoint DLP policy rule enforcement. Click OK when prompted to Finish the Prisma Access Agent installation.
PANG-5122
The Prisma Access Agent is unable to enforce policy rules when the endpoint on which it is installed is in Safe Mode. As a result, the Prisma Access Agent is unable to inspect and block files moved between the endpoint and the peripheral device if the endpoint is in Safe Mode.
DSS-17434
For printer peripheral devices, a data profile (ManageConfigurationData Loss PreventionData Profile) that includes an IDM document type (ManageConfigurationData Loss PreventionDocument Types) with a high matching value results in Enterprise DLP being unable to render a match verdict for inspected traffic.
Workaround: In your data profile, configure a low matching value for IDM document types to increase the likelihood of successful match verdicts for printer peripheral devices.