Focus

PAN-OS ® New Features Guide

Enterprise Data Loss Prevention

Table of Contents

Enterprise Data Loss Prevention

Leverage Enterprise Data Loss Prevention (DLP) to protect sensitive information against unauthorized access, misuse, extraction, or sharing.

Enterprise Data Loss Prevention (DLP) is a subscription consisting of set of tools and processes that allow you to protect sensitive information against unauthorized access, misuse, extraction, or sharing. To leverage Enterprise DLP, you must install the Enterprise DLP plugin on the Panorama™ management server where you can centrally managed the data patterns and data filtering profiles that enforce your organization’s data security standards and prevent the loss of sensitive data across mobile users and remote networks for your managed firewalls. To leverage Enterprise DLP, Panorama and managed firewalls must have Internet connectivity.

Enterprise DLP is a cloud-based service that uses supervised machine learning algorithms to sort sensitive documents into Financial, Legal, Healthcare, and other categories for document classification to guard against exposures, data loss, and data exfiltration.These patterns can identify the sensitive information in traffic flowing through your network and protect them from exposure.

When you apply a data filtering profile to a Security policy rule, the managed firewall generates data filtering logs containing detailed information regarding the traffic that match one or more data pattern in the data filtering profile. The log details enables forensics by allowing you to verify whey an uploaded file generated an alert notification or was blocked.

You view the snippets in the Data Filtering logs. By default, managed firewalls use data masking to partially mask the snippets to prevent the sensitive data from being exposed. You can configure your managed firewalls to completely mask the sensitive information, unmask snippets, or disable snippet extraction and viewing.

Enterprise DLP is supported on all Panorama and firewall models, except for the CN-Series firewalls, running PAN-OS 10.0.2 and later releases.

Read about Enterprise DLP to learn more about supported applications and file types, as well as the predefined data filtering profiles.
Install the Enterprise DLP plugin on Panorama and your managed firewalls.
Enable Enterprise DLP by creating:
- A Service route to enable managed firewalls to connect to the Internet.
- A Decryption policy rule to remove ALPN headers for HTTP/2 files.
- A Security policy rule to disable the QUIC protocol to deny traffic on ports 80 and 443.
Create a data pattern to specify the match criteria and identify patterns, file properties, or keywords that represent sensitive information on your network.
Create a data filtering profile to add multiple data patterns and specify matches and confidence levels. Data filtering profiles are assigned to Security policy rules for enforcement.
Configure the Enterprise DLP file settings.
1. Edit the Cloud Content Settings to specify a DLP cloud service in your region if you have specific data residency requirements
2. Edit the Data Filtering Settings to configure the network settings for files scanned to the Enterprise DLP cloud service and specify the actions the firewall leveraging Enterprise DLP takes.
3. Edit the Enterprise DLP Snippet Settings to specify whether snippets of sensitive data that match your Enterprise DLP data patterns in the DLP cloud service and configure how to mask sensitive data if stored.
View the Enterprise DLP log details to view detailed log data for matched traffic such as the policy rule information, the source and destination of traffic, and the data filtering profile that the data pattern is associated with.

Enterprise Data Loss Prevention Features

SD-WAN Features