Limitations and features of DLP

With a “Threat Prevention” subscription you have access to the “Data Filtering” feature, part of Content-ID. It logs or blocks traffic based on the number of pattern matches, and is configured on a per-rule basis.

Data Filtering is not a high-accuracy “exact data match” type of DLP solution; it is a lighter form of DLP. You can configure a limited number of strings or regular expressions to match, and it also has built-in matching of credit card numbers (validated with the Luhn checksum) and Social Security numbers.
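To make the two ingredients above concrete, the following is an added illustration (not Palo Alto code, and not a reproduction of PAN-OS Data Filtering internals) of how a count-based “light DLP” filter works: built-in detectors for card numbers (candidates validated with the Luhn checksum so that look-alike digit runs are discarded) and SSN-shaped numbers, plus a custom regex pattern, with a per-pattern alert/block threshold compared against the match count. The SSN structural rules, the threshold values, the pattern names and the sample payloads are all assumptions constructed for the example.

```python
"""Toy model of a pattern-count based "light DLP" content filter.

Added illustration only: it is not Palo Alto code and does not reproduce the
exact PAN-OS Data Filtering semantics. It shows built-in number detectors
(card numbers validated with the Luhn checksum, SSN-shaped numbers) and a
custom regex pattern, with a verdict chosen by comparing each pattern's match
count against assumed alert/block thresholds.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the conventional AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def count_card_numbers(text: str) -> int:
    """Count substrings that look like card numbers AND pass Luhn."""
    hits = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits += 1
    return hits


def count_ssns(text: str) -> int:
    """Count SSN-shaped numbers, dropping structurally impossible ones.

    Structural rules used here are an assumption for the example, not the
    firewall's rule set: area 000/666/900-999, group 00 and serial 0000
    are never issued, so such matches are ignored to cut false positives.
    """
    hits = 0
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        hits += 1
    return hits


@dataclass(frozen=True)
class Pattern:
    name: str
    counter: Callable[[str], int]   # text -> number of matches
    alert_at: int                   # log when count >= alert_at
    block_at: int                   # block when count >= block_at


def regex_counter(expr: str) -> Callable[[str], int]:
    """Build a counter for a custom (user-defined) regular expression."""
    rx = re.compile(expr)
    return lambda text: len(rx.findall(text))


# A policy is an ordered list of patterns with (assumed) thresholds.
POLICY: List[Pattern] = [
    Pattern("credit-card", count_card_numbers, alert_at=1, block_at=2),
    Pattern("ssn", count_ssns, alert_at=1, block_at=3),
    Pattern("custom-keyword", regex_counter(r"CONFIDENTIAL"), alert_at=1, block_at=5),
]


def evaluate(text: str, policy: List[Pattern] = POLICY) -> Tuple[str, Dict[str, int]]:
    """Return (verdict, per-pattern counts); the most severe verdict wins."""
    counts = {p.name: p.counter(text) for p in policy}
    verdict = "allow"
    for p in policy:
        n = counts[p.name]
        if n >= p.block_at:
            return "block", counts
        if n >= p.alert_at:
            verdict = "alert"
    return verdict, counts


# Constructed sample payloads standing in for decrypted application data.
SAMPLE_PAYLOADS = {
    "invoice": "Invoice 2024-0042 total 1,299.00 ref 4111 1111 1111 1112",  # fails Luhn
    "card_dump": "cards: 4111111111111111, 5500000000000004, 340000000000009",
    "hr_export": "emp SSN 123-45-6789; rejected 987-65-4321 and 000-12-3456",
    "memo": "CONFIDENTIAL project notes, marked CONFIDENTIAL twice",
}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        verdict, counts = evaluate(payload)
        print(f"{name:10s} -> {verdict:5s} {counts}")
```

Running it shows why a checksum matters for precision: the invoice payload contains a 16-digit run that fails Luhn and is allowed, while the three checksum-valid test numbers in the second payload cross the block threshold. The thresholds are where the tuning happens in practice: a single stray match is usually only worth a log entry, whereas many matches in one session is the pattern of a bulk export.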

Palo Alto will look for these numbers and patterns on all ports and protocols matching any rule on which you configure a data filtering policy, including inside encrypted (TLSv1.0, TLSv1.1 and SSLv3) protocols where you have enabled SSL decryption. Looking inside SFTP is more difficult: SSH (SFTP) decryption enables the firewall to detect and restrict SSH and SFTP sessions, but it does not decrypt files transferred via SFTP, so it cannot apply DLP to file contents.

Personally, I am a proponent of using Symantec DLP for email and wherever you can do exact data matching. For customers with a “SPAN” or tap-based sniffer/DLP solution, there is a licensable Palo Alto feature called “Decrypt Mirror” which sends a copy of decrypted traffic to an outbound tap port.


DLP is usually just desired as a checkbox for compliance.
