Enterprise DLP
Update a Data Profile
Table of Contents
Expand All
|
Collapse All
Enterprise DLP Docs
Update a Data Profile
Update and modify an existing Enterprise Data Loss Prevention (E-DLP) data profile.
Where Can I Use This? | What Do I Need? |
---|---|
|
Or any of the following licenses that include the Enterprise DLP license
|
You can edit and modify an existing custom Enterprise Data Loss Prevention (E-DLP) data profile at
any time. Enterprise DLP synchronizes any changes you make to an existing data
profile between Panorama and Strata Cloud Manager.
If you update a data profile to include a predefined data pattern, be sure to
consider the detection types used by the predefined
data patterns because the detection type determines how Enterprise DLP arrives
at a verdict for scanned files. For example, when you create a data profile that
includes three machine learning (ML)-based data patterns and seven regex-based data
patterns, Enterprise DLP will return verdicts based on the seven regex-based
patterns whenever the scanned file exceeds 1 MB.
Any changes to the data profile match criteria made on Strata Cloud Manager are
synchronized to Panorama but don’t display in the Panorama web
interface. Security policy rules using a data profile updated on Strata Cloud Manager inspect traffic using the new or modified match
criteria.
(Panorama only) Updating the data profile
Name is supported but you must manually update the
existing Security policy rules (PoliciesSecurity to reassociate the renamed data filtering profile. Commits on Panorama fail if you do not reassociate the renamed data filtering
profile with the Security policy rule after the updated data profile name is
synchronized to Panorama.
Strata Cloud Manager
Modify an existing Enterprise Data Loss Prevention (E-DLP) data profile on Strata Cloud Manager.
- Log in to Strata Cloud Manager.Select ManageConfigurationData Loss PreventionData Profiles and navigate to the data profile you want to modify.Edit (Modify the data profile as needed.
- See Create a Classic Data Profile for details on configuring configure a data profile that uses only predefined or custom data patterns.Modifying a classic data profile to include advanced detection methods isn’t supported.
- See Create an Advanced Data Profile for details on configuring a profile that uses any combination of predefined or custom data patterns and advanced detection methods.Modifying an advanced data profile to only include data patterns isn’t supported if the advanced data profile included both data patterns and advanced detection methods when it was initially created.Enterprise DLP includes predefined document templates that were converted from ML-based data patterns. Palo Alto Networks recommends modifying the match criteria in the event your existing data profile references the list ML-based data patterns that were converted.
- See Create a Nested Data Profile for details on configuring a single data profile that contains multiple data profiles.Adding an advanced data profile to an existing nested data profile if one wasn’t included when the nested data profile was originally created is supported.
Test a Data Profile to verify it accurately detects the sensitive data you configured it to detect.Save your changes.Panorama
Modify an existing Enterprise Data Loss Prevention (E-DLP) data filtering profile on the Panorama™ management server.- Log in to the Panorama web interface.Select ObjectsDLPData Filtering Profiles and specify the Device Group.Select a data filtering profile to edit.Edit the data filtering profile as needed.
- Modify the data filtering profile scan for File Based traffic, Non-File Based traffic, or both.Modify the Primary Pattern and Secondary Pattern match criteria.Modifying the data filtering profile match criteria on Panorama is supported only for Enterprise DLP data filtering profiles created on Panorama. See File Based for Panorama for details on configuring data pattern criteria using predefined or custom data patterns.(Data Filtering Profile for Non-File Traffic Inspection Only) Modify the URL Category Excluded List from Non-File and Application List Excluded from Non-File to configure which URL and application traffic is excluded from Enterprise DLP inspection.See Create a Classic Data Profile (Non-File Based for Panorama) for more information.Edit the data filtering profile settings.
- Select the data filtering profile Action (Alert or Block)If the data profile has both Primary and Secondary Patterns, changing the data filtering profile Action on Panorama deletes all Secondary Pattern match criteria.
- Specify a File Type.Leave the file type as any to match any of the supported file types.
- Set the Log Severity recorded for files that match this data filtering profile.
Click OK.Commit and push the new configuration to your managed firewalls.The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overheard of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.- Full configuration push from Panorama
- Select CommitCommit to Panorama and Commit.
- Select CommitPush to Devices and Edit Selections.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your managed firewalls that are using Enterprise DLP.
- Partial configuration push from PanoramaYou must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.For example, you have an admin Panorama admin user who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
- Select CommitCommit to Panorama.
- Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.Click OK to continue.
- Commit.
- Select CommitPush to Devices.
- Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins they can be selected here as well.Click OK to continue.
- Select Device Groups and Include Device and Network Templates.
- Click OK.
- Push your configuration changes to your managed firewalls that are using Enterprise DLP.