File policy not blocking uploads to generative AI apps like ChatGPT or Gemini
Created On 05/28/25 01:31 AM - Last Modified 11/01/25 04:51 AM
Symptom
- There is a requirement to block file uploads to generative AI apps like ChatGPT and Google Gemini.
- The file policy is configured to block uploads and works well for other websites like dlptest.com but does not block file uploads to any AI apps.
- The traffic is decrypted correctly and is identified correctly as the corresponding AI app.
- The security group applied to the security policy has a Data profile as well, and the firewall in question has an Enterprise DLP license.
- Either no file logs are generated for file uploads to AI apps, or they are generated only intermittently for some files.
- Non-file DLP for AI apps is working as expected (i.e., the DLP policy correctly blocks non-file content in AI apps).
Environment
- Prisma Access
- Palo Alto Strata NGFW
- PAN-OS 11.2.3 or below
- Enterprise DLP license
Cause
- Enterprise DLP currently does not support file-based DLP for most of the common generative AI apps.
- The regular PAN-OS file policy created to block uploads to AI apps also does not work consistently, due to the way these apps handle file uploads, which the firewall does not detect correctly.
- Detecting these uploads requires enabling Brotli decoding, which is supported starting from PAN-OS 11.2.4.
Resolution
- Verify the minimum PAN-OS version required for your platform and upgrade to a release that supports Brotli decompression.
- If this is Prisma Access, reach out to your customer success rep or Palo Alto sales rep to request a dataplane upgrade to the Prisma Access 5.1 Innovation or 5.2 Innovation release or above.
- After the upgrade, enable Brotli encoding support using the command line interface.