How to troubleshoot commonly encountered DLP issues

The purpose of this document is to provide useful information (such as basic troubleshooting, information collection for opening support cases) on most commonly encountered DLP issues.  

• DLP
• Panorama
• Prisma Access/SaaS

Symptoms

1. Expected pattern matching did not generate incident(s)
2. Incident does not contain correct number of matching(s)
3. Unable to log into Enterprise DLP portal
4. Cannot view DLP data profiles in Panorama
5. Cannot locate DLP functions under data security in Prisma Access/SaaS
6. Problem with uploading EDM data set

Expected Pattern Matching Did Not Generate Incident(s)

Potential cause(s):

1. Data pattern needs update/modification
2. Data file was never forwarded to DLP cloud correctly
3. Potential configuration problem with nested data profiles

Incident does not contain correct number of matching(s)

Potential cause(s):

1. EDM data set may not meet requirements
2. Matches are under a different confidence level from expected

 Unable to log into Enterprise DLP portal

Potential cause(s):

1. Cloud platform is experiencing difficulties
2. Onboarding of DLP failed 
3. Account used to log into portal is not entitled

 Cannot locate DLP functions under data security in Prisma Access/SaaS

Potential cause(s):

1. Onboarding of DLP failed 
2. DLP entitlement may not be associated correctly with managing product

Cannot view DLP data profiles in Panorama

Potential cause(s):

1. Onboarding of DLP failed 
2. DLP entitlement may not be associated correctly with managing product

 Problem with uploading EDM data set

Potential cause(s):

1. EDM upload permission issue
2. DLP entitlement may not be associated correctly with managing product

Data Pattern Needs Update/Modification

How to troubleshoot:

• If this is a pre-defined data pattern, collect the necessary information and open a support case.
• If this is a custom data pattern:
  1. Include all variations of data formats (e.g. (xxx) xxx-xxxx, xxxxxxxxxx for phone numbers) and proximity keywords (telephone number, tel no., phone #, etc).  Keep in mind that without proximity keywords, 10 digits numbers can be identified with many things. 
  2. Use https://regex101.com to test your regex
  3. Perform a control test on the data pattern in question, use a data sample file with https://dlptest.com to trigger an incident.  This will test the data pattern as a whole (including effects of proximity keywords, score of weighted regex)
  4. If you still have problems, collect necessary information  and open a support case.

Data file was never forwarded to DLP cloud correctly

How to troubleshoot:

• This problem requires firewall log analysis, Generate tech support files on firewall(s), collect necessary information and open a support case.

Potential configuration problem with nested data profiles

How to troubleshoot:

• If there are any conflicting settings (between parent and child data profiles), the parent profile settings will always override.  
  • File based (yes/no)
  • Non-file based (yes/no)
  • Action (alert/block)
  • File type
  • Direction 
  • Log severity

EDM data set may not meet requirements

How to troubleshoot:

• Up to 120 million cells are supported with a maximum of 30 columns.  For example, you have one EDM data set containing 30 columns and 4 million rows and a second EDM data set containing 6 columns and 20 million rows. Both EDM data sets are supported because they each have 120 million cells in each data set.
• Up to 500 million cells are supported for a single user across all EDM datasets uploaded to the DLP cloud service.
• In order for EDM data set to work:
  • A Unique Column preferably such as SSN, Email, Phone, CCN, MRN, UID Bank Account Number, etc., Or a Column that may contain duplicate values but each duplicate count cannot exceed 12.
  • The Column must be a single-valued entry such as SSN, Email, Phone, CCN, MRN, UID Bank Account Number, etc. The Column cannot be multi-valued such as Address, Description
  • Definition of single-valued entry is bound to the Data Type we mention in the config file (along with the usage of space). 

Matches are under a different confidence level from expected

How to troubleshoot:

• Check confidence value for data filtering profile
• Different predefined data pattern may have different conditions for distinguishing confidence level, refer to corresponding details
• Generally:
  • A confidence level of Low means that the managed firewall will not use proximity keywords. 
  • A confidence level of High means that the managed firewall looks for the proximity keywords of the first 200 characters of the regular expressions in the pattern before it considers the data pattern in a file to be a match.
• Keep in mind that a 10 digit numbers can be matched by multiple patterns, and proximity keywords are very crucial to accurate matches.  While you cannot modify a predefined pattern, you can clone a predefined pattern and modify (add/remove/modify) the proximity keywords.

Cloud platform is experiencing difficulties

How to troubleshoot:

• Go to https://status.paloaltonetworks.com to double check current system statuses
• Check Live community customer advisory for any announcements 

Onboarding of DLP failed

How to troubleshoot:

• Go to common services -> tenant management -> licensed products on https://apps.paloaltonetworks.com, look for DLP enterprise and make sure the status says “completed”
• Collect necessary information and open a support case

Account used to log into portal is not entitled

How to troubleshoot:

• Assuming DLP had been onboarded (and other users e.g. admin can login), go to common services -> identify & access/access management on https://apps.paloaltonetworks.com, and verify that the user has proper permissions

DLP entitlement may not be associated correctly with managing product

How to troubleshoot:

• If there was a previous DLP entitlement (e.g. trial license), the new production DLP license can potentially be associated with the incorrect tenant ID and result in this problem
• Collect necessary information and open a support case

EDM upload permission issue

How to troubleshoot:

• EDM secure cli has two methods of authentication
  • If you are leveraging Enterprise DLP using the SASE Platform, you must add a service account that includes a Client ID and Client Secret . These are used to authenticate and connect the EDM CLI application to the DLP cloud service.
  • Otherise, you can create access token on Enterprise DLP on the hub
• When using user id/secret, in additional to setting the correct client_id and client_secret, be sure to set have_access_token_refresh_token=no.  All of these settings are inside upload_config.properties file
• Access token is generated on enterprise DLP app on the hub (enterprise DLP -> settings -> api token).  Note that you have to keep a copy of the token values when you create it.  Once you get past the creation screen there is no way to retrieve the token values.

What to collect for support case:

• DLP tenant ID (How to Find My DLP Tenant ID )
• CSP ID (see below)
• DLP product association (what product is using DLP?)
• Data profile name that includes the data pattern in question
• Data pattern name in question
• File that should trigger data pattern match (the actual file)
• Time of incident
• Serial number of NGFW

How to find my CSP ID

• Go to https://support.paloaltonetworks.com
• After logging in, at the top of the page there is a field named account selector, your CSP id is shown there.