https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/objects/objects-security-profiles-data-filtering

Data filtering enables the firewall to detect sensitive information—such as credit card or social security numbers or internal corporate documents—and prevent this data from leaving a secure network. Before you enable data filtering, select Objects > Custom Objects > Data Patterns to define the type of data you want to filter (such as social security numbers or document titles that contain the word “confidential”). You can add several data pattern objects to a single Data Filtering profile and, when attached to a Security policy rule, the firewall scans allowed traffic for each data pattern and blocks matching traffic based on the data filtering profile settings.

the key in this question is Security policy rule, the traffic will flow through the firewall within two rules, Nat rule policy+Security rule policy.

Predefined IP Address—A predefined IP address list is a type of IP address list that refers to the built-in, dynamic IP lists with fixed or “predefined” contents. These Built-In External Dynamic Lists—for bulletproof hosting providers, known malicious, and high-risk IP addresses—are automatically added to your firewall if you have an active Threat Prevention license. A predefined IP address list can also refer to an EDL that uses one of the built-in lists as a source. Because you can’t modify the contents of a predefined list, you can use a predefined list as a source for a different EDL if you want to add or exclude list entries.

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list

Palo Alto Networks Bulletproof IP Addresses—Contains IP addresses provided by bulletproof hosting providers. Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM0pCAG

Panorama can download only one update at a time for updates of the same type. If you schedule multiple updates of the same type to download during the same time Recurrence, only the first download succeeds.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama