Data pattern strange behavior

zanonibs — Fri, 15 Apr 2011 16:10:28 GMT

Hi,

I'm trying to enable some data patterns in order to block banking informations going out from the network.

Model PA-500 PANOS 4.0.2

The first task is to block Italian IBAN code starting from Checkpoint's DLP blade pattern. This is the regex extracted from a UTM-1 R75

IT\d{2}( )?[A-Z]\d{3}( )?\d{4}( )?\d{3}[0-9A-Za-z]( )?([0-9A-Za-z]{4}( )?){2}[0-9A-Za-z]{3}

As far as I know (Admin guide source) Palo Alto pattern recognition doesn't have some features like \d{2} and repetition {2} and I've changed the format into a new one according to PA's needs.

.*(IT[0-9][0-9]( )?[A-Z][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z])

The first problem is due to 7 bytes lenght: in this format always I received the error and only adding some other words i can continue with the commit. I added, for example, a simpe phrase:

.*(IBAN Italia).*(IT[0-9][0-9]( )?[A-Z][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z])

I' ve tried other format (without long IBAN code) still receiving 7 bytes error so might there is a bug somewhere in pattern recognition:

.*(IBAN).*((Italia)|(ITALIA)|(italia)

-> pattern -> IBAN-IT -> regex '.*(IBAN).*((Italia)|(ITALIA)|(italia))' is invalid. pattern must be at least 7 bytes

The second problem is an increbilbe increasing in commit time from 1 minute to 5-10 minute and often this is the result:

device: response from cfgpush.s1.dp0.comm.cfg: config push error
Commit failed

The only way to create this pattern match is creating a subset rule but commit long time still remains and the match is due the first two words not the real IBAN code.

.*(IBAN Italia).*(IT[0-9][0-9]( )?[A-Z][0-9][0-9][0-9])

If someone has an idea how to resolve this odd behavior please send me an update. If not I will open a support case.

Regards

Re: Data pattern strange behavior

zanonibs — Fri, 15 Apr 2011 16:38:28 GMT

Quick update: the long commit time is only for the first commit after the regex insertion. The others take the normal time, about one min, the coffee time

Re: Data pattern strange behavior

zanonibs — Fri, 17 Jun 2011 09:45:10 GMT

Update after 2 month from opening the case:

Problem still remains even with the new 4.0.3 due to limit in long regex pattern. There is a limit that you can't trespass that generates errors in commit operation like commit failure or commit thread not responding.

For now DLP has big limitations respect other vendors and I want to remark that having a strong DLP support is quite important in this kind of device.

Please verify the error in the future and improve this feature.

Now the case with the support is closed with the note: not solved. By the way thanks to the support team.

topic Re: Data pattern strange behavior in General Topics

Data pattern strange behavior

Re: Data pattern strange behavior

Re: Data pattern strange behavior