Troubleshoot Endpoint DLP
Investigate your configuration and logs to troubleshoot Endpoint DLP if incidents don't generate.
Where Can I Use This? / What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)
  • Endpoint DLP license
  • Enterprise Data Loss Prevention (E-DLP) license
  • Autonomous DEM 5.3.4 or later
  • Prisma Access Agent
  • One of the following Prisma Access versions:
    • 10.2: Prisma Access 5.2
    • 11.2: Prisma Access 5.1 or 5.2
Use the troubleshooting steps below to triage and understand why some or all of your endpoints are erroneously allowing file movement between the endpoint and a peripheral device when you have Endpoint DLP configured to prevent exfiltration of sensitive data.
  1. Log in to Strata Cloud Manager.
  2. Review your Endpoint DLP incidents to confirm whether impacted endpoints are generating DLP incidents as expected.
    Enterprise Data Loss Prevention (E-DLP) creates a DLP incident every time the DLP Cloud service detects sensitive data in forwarded traffic. Start by reviewing your Endpoint DLP incidents if you know a DLP incident should have been generated. If you expected a DLP incident to be generated, but none was, it might mean there is an issue with your Endpoint DLP policy rulebase or an issue with the Prisma Access Agent.
    For example, you have an Endpoint DLP policy rule configured to inspect for personally identifiable information (PII). You know a user moved a file containing PII data from a specific endpoint to a peripheral device. In this case, you expect Endpoint DLP to block the file move and generate an incident. If Enterprise DLP does not create a DLP incident, then it warrants further investigation to resolve.
    To narrow down the list of DLP incidents you need to review, select Add Filter > Policy Type and apply the Endpoint: Data in Motion and Endpoint: Peripheral Control filters to display only Endpoint DLP incidents. You can also use the User-ID search option if you know the User-ID of the endpoint you're troubleshooting.
  3. Review your Endpoint DLP policy rules.
    In some cases, your Endpoint DLP policy rulebase might have issues that unintentionally allow exfiltration of sensitive data or might not be configured correctly. Some things to look for when reviewing your Endpoint DLP policy rulebase are:
    • Is your Endpoint DLP policy rulebase ordered correctly? Traffic is evaluated against your policy rulebase in a top-down priority. If traffic matches a policy rule, the Prisma Access Agent takes the configured action and no further evaluation against any other policy rule occurs.
    • Are the correct Endpoint DLP policy rules enabled? The Prisma Access Agent only evaluates traffic against enabled policy rules.
    • Are your Endpoint DLP policy rules configured correctly? Are the correct users or user groups configured? Are the correct peripheral devices configured? Did you select the correct data profile?
    If you confirm that your Endpoint DLP policy rulebase is ordered and configured correctly, the problem may instead lie with the Prisma Access Agent.
  4. Check your Endpoint DLP audit and push logs to confirm the committed configuration changes pushed to endpoints.
    The audit logs record the history of all configuration changes made across your entire Enterprise DLP configuration. Push logs are specific to Endpoint DLP and track every push of configuration changes from Strata Cloud Manager to the Prisma Access Agents installed on protected endpoints.
    For example, you reviewed your audit logs and confirmed that your Endpoint DLP admin made configuration and policy rule changes. However, upon review of your push logs you discover that the operation to push these changes from Strata Cloud Manager to all endpoints failed with the message Endpoint DLP Policy/Configuration failed. This means that even though your Endpoint DLP admin made the appropriate configuration changes, they never made it down to the Prisma Access Agent.
    If you're consistently seeing Endpoint DLP Policy/Configuration failed in your push logs, it could mean there is an issue with one or more Prisma Access Agents that need further investigation.
  5. Select Manage > Prisma Access Agent and verify that the Prisma Access Agent installed on each impacted endpoint is connected.
    This is required to push Endpoint DLP configurations and policy rules from Strata Cloud Manager. If the Prisma Access Agent isn't connected then it can't receive Endpoint DLP configuration and policy rule changes or forward matched traffic to Enterprise DLP for inspection and verdict rendering. Review the Prisma Access Agent documentation for configuration details.
    Confirm the Enterprise DLP and Endpoint DLP connectivity status. If the status is Disabled then the Prisma Access Agent can't receive the Endpoint DLP configuration and policy rules required to prevent exfiltration of sensitive data to peripheral devices.
    • In the Device list, confirm that the Endpoint DLP Status is Enabled.
    • Click the Hostname of an impacted endpoint and, in the Endpoint DLP Information section, confirm that the DLP Status is Enabled.
    If you verify that the Prisma Access Agent on impacted endpoints is connected and the Prisma Access Agent configuration has no issues then you need to contact Palo Alto Networks for additional support.
  6. Generate Prisma Access Agent logs to submit to Palo Alto Networks Customer Support, and check the Prisma Access Agent Enterprise DLP logs.
    1. Select Manage > Prisma Access Agent and click one of the impacted endpoints.
    2. Select Actions > Generate Agent Logs. The logs download to your local device.
    3. Repeat this step for all impacted endpoints.
    4. Contact Palo Alto Networks Customer Support to submit a support ticket. Be sure to include the Prisma Access Agent logs you downloaded.
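The two checks in steps 3 and 4 (rule order and enabled state in a first-match rulebase, and which committed changes actually reached which endpoints) can be reasoned about with a small model. The following is an added example, not Palo Alto Networks code: it does not reproduce the Prisma Access Agent's real evaluation logic or the Strata Cloud Manager audit and push log formats. The rule fields, the record layouts, the `Success` status value and all sample data are assumptions constructed for the example; only the push log message `Endpoint DLP Policy/Configuration failed` comes from the page.

```python
"""Added triage helpers for steps 3 and 4. Not Palo Alto Networks code; rule
fields, record layouts and sample data are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                                      # "block" or "allow" (assumed)
    enabled: bool = True
    users: set = field(default_factory=set)          # empty = any user
    device_types: set = field(default_factory=set)   # empty = any peripheral type
    data_profiles: set = field(default_factory=set)  # empty = any data profile


@dataclass
class FileMove:
    user: str
    device_type: str
    detected_profiles: set   # data profiles the DLP service reported for the file


def rule_matches(rule, event):
    """A rule matches only when every configured criterion matches the event."""
    if rule.users and event.user not in rule.users:
        return False
    if rule.device_types and event.device_type not in rule.device_types:
        return False
    if rule.data_profiles and not (rule.data_profiles & event.detected_profiles):
        return False
    return True


def explain(rulebase, event, default_action="allow"):
    """Top-down evaluation; the first enabled matching rule decides.
    Returns (action, winning rule name or None, per-rule trace)."""
    trace = []
    for rule in rulebase:
        if not rule.enabled:
            trace.append((rule.name, "disabled, skipped"))
            continue
        if rule_matches(rule, event):
            trace.append((rule.name, "matched -> " + rule.action))
            return rule.action, rule.name, trace
        trace.append((rule.name, "no match"))
    return default_action, None, trace


def shadowed_rules(rulebase, events):
    """Enabled rules that would match an event but never fire because an
    earlier rule matched first. A block rule here signals a misordering."""
    shadowed = set()
    for event in events:
        _, winner, _ = explain(rulebase, event)
        for rule in rulebase:
            if rule.enabled and rule.name != winner and rule_matches(rule, event):
                shadowed.add(rule.name)
    return sorted(shadowed)


# Constructed sample: a file containing PII copied to USB storage.
PII_TO_USB = FileMove(user="alice", device_type="usb_storage", detected_profiles={"PII"})
BLOCK_PII = Rule("block-pii-to-usb", "block", device_types={"usb_storage"}, data_profiles={"PII"})
ALLOW_USB = Rule("allow-usb-for-all", "allow", device_types={"usb_storage"})
MISORDERED = [ALLOW_USB, BLOCK_PII]   # broad allow sits above the block and shadows it
CORRECTED = [BLOCK_PII, ALLOW_USB]

FAILED = "Endpoint DLP Policy/Configuration failed"   # push log message from step 4

# Constructed audit entries (one per committed change) and push attempts
# (one per change and endpoint). Layouts are assumptions, not the real export.
AUDIT_LOG = [{"change_id": "chg-101", "summary": "add rule block-pii-to-usb"},
             {"change_id": "chg-102", "summary": "move block-pii-to-usb to top"}]
PUSH_LOG = [{"change_id": "chg-101", "hostname": "laptop-01", "status": "Success"},
            {"change_id": "chg-101", "hostname": "laptop-02", "status": FAILED},
            {"change_id": "chg-102", "hostname": "laptop-01", "status": "Success"},
            {"change_id": "chg-102", "hostname": "laptop-02", "status": FAILED},
            {"change_id": "chg-102", "hostname": "laptop-03", "status": FAILED}]


def changes_not_applied(audit_log, push_log):
    """For each committed change, the endpoints with no successful push
    (a failed push or no push record at all)."""
    status = defaultdict(dict)   # change_id -> hostname -> status
    for p in push_log:
        status[p["change_id"]][p["hostname"]] = p["status"]
    hosts = {p["hostname"] for p in push_log}
    missing = {}
    for change in audit_log:
        cid = change["change_id"]
        bad = sorted(h for h in hosts if status[cid].get(h) != "Success")
        if bad:
            missing[cid] = bad
    return missing


def always_failing_endpoints(push_log):
    """Endpoints whose every push failed: points at the agent on that host
    rather than at a single change that failed to push everywhere."""
    attempts, failures = defaultdict(int), defaultdict(int)
    for p in push_log:
        attempts[p["hostname"]] += 1
        failures[p["hostname"]] += int(p["status"] == FAILED)
    return sorted(h for h in attempts if failures[h] == attempts[h])
```

With the misordered rulebase, `explain` returns `allow` from `allow-usb-for-all` and `shadowed_rules` lists `block-pii-to-usb`, which is exactly the symptom the page describes (no incident, file allowed); swapping the order yields `block`. On the log side, `changes_not_applied` shows which changes never reached `laptop-02` and `laptop-03`, and `always_failing_endpoints` separates hosts that fail every push (agent to investigate per step 5) from a change that failed everywhere.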