<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Data-Filtering ALLOW in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151471#M50156</link>
    <description>&lt;P&gt;Thank you all for the responses. I am coming to the sad conclusion that this is not possible with a straightforward configuration.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;By the way, my application is that I want to filter the port-53 traffic headed from the outside world to my DNS servers and scan the payload for our domain name. Any DNS lookup coming in from the outside that is NOT for our domain is necessarily bogus (by our definition) and probably a DoS attack and should be dropped. I realize that there are flood checks that we can use, and we do that already, but I’d really like to add this extra layer. All I think that it would take is in the “Objects/Security Profiles/Data Filtering” page, to have an “Allow Threshold” in addition to the “Block Threshold”. Then (theoretically) I could write a “Deny” rule and use the Data Filtering profile as an “Allow” exception to that. Oh well. I suppose that a flavor of DNSSEC might help too, but it would be nice to do this in the firewall.&lt;/P&gt;</description>
    <pubDate>Thu, 06 Apr 2017 14:27:07 GMT</pubDate>
    <dc:creator>JohnPa</dc:creator>
    <dc:date>2017-04-06T14:27:07Z</dc:date>
    <item>
      <title>Data-Filtering ALLOW</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151247#M50108</link>
      <description>&lt;P&gt;I am using PAN-OS 7.1.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have figured out how to use basic data-filtering to block traffic with certain patterns in the payload, but I want to do the opposite. I want to configure a rule that will only ALLOW packets with a certain pattern, and automatically drop everything else. Is there a way to do this?&lt;/P&gt;</description>
      <pubDate>Wed, 05 Apr 2017 16:46:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151247#M50108</guid>
      <dc:creator>JohnPa</dc:creator>
      <dc:date>2017-04-05T16:46:18Z</dc:date>
    </item>
    <item>
      <title>Re: Data-Filtering ALLOW</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151330#M50120</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Yes, you should be able to do this. Just put the rules you want to allow at the beginning of the policies and then either put a DENY ALL rule at the bottom or use the one built in. I prefer my own DENY ALL rule since it's easier to see in the logs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;</description>
      <pubDate>Wed, 05 Apr 2017 23:02:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151330#M50120</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2017-04-05T23:02:07Z</dc:date>
    </item>
    <item>
      <title>Re: Data-Filtering ALLOW</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151417#M50134</link>
      <description>&lt;P&gt;I'm not sure this is actually possible because you can't use the result of a data filtering profile as a factor of policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What may be possible is to create a custom app and to apply policy based on that. You would also have to allow a supporting policy/app (such as web-browsing and ssl) that would allow enough initial traffic through for App-ID to work, however.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The whole thing sounds a little ambitious to me though, to be frank. That has to be a very specific/curious use case.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Apr 2017 09:04:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151417#M50134</guid>
      <dc:creator>bradk14</dc:creator>
      <dc:date>2017-04-06T09:04:55Z</dc:date>
    </item>
    <item>
      <title>Re: Data-Filtering ALLOW</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151421#M50137</link>
      <description>&lt;P&gt;You could use a negate on your sources to block 'everything except these sources' (or destination, whatever is more convenient)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;[screenshot: negate.png, image not available]&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;::edit:: You'll need to figure out a way to make your pattern into a custom application or custom threat (I misread your initial post)&lt;/P&gt;
&lt;P&gt;Data filtering is one of the only exceptions to what I describe above, as it can only be configured to 'add' weight rather than subtract, and you'll need to allow traffic prior to being able to block because of the weight exceeding your limit, so purely on data filtering this is not possible.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Apr 2017 09:21:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151421#M50137</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2017-04-06T09:21:49Z</dc:date>
    </item>
    <item>
      <title>Re: Data-Filtering ALLOW</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151471#M50156</link>
      <description>&lt;P&gt;Thank you all for the responses. I am coming to the sad conclusion that this is not possible with a straightforward configuration.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;By the way, my application is that I want to filter the port-53 traffic headed from the outside world to my DNS servers and scan the payload for our domain name. Any DNS lookup coming in from the outside that is NOT for our domain is necessarily bogus (by our definition) and probably a DoS attack and should be dropped. I realize that there are flood checks that we can use, and we do that already, but I’d really like to add this extra layer. All I think that it would take is in the “Objects/Security Profiles/Data Filtering” page, to have an “Allow Threshold” in addition to the “Block Threshold”. Then (theoretically) I could write a “Deny” rule and use the Data Filtering profile as an “Allow” exception to that. Oh well. I suppose that a flavor of DNSSEC might help too, but it would be nice to do this in the firewall.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Apr 2017 14:27:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151471#M50156</guid>
      <dc:creator>JohnPa</dc:creator>
      <dc:date>2017-04-06T14:27:07Z</dc:date>
    </item>
    <item>
      <title>Re: Data-Filtering ALLOW</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151474#M50158</link>
      <description>&lt;P&gt;You could give a custom app a go, since you are hitting on a string.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Create a rule to allow your custom app, then a second rule to drop all DNS.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Apr 2017 14:31:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151474#M50158</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2017-04-06T14:31:25Z</dc:date>
    </item>
    <item>
      <title>Re: Data-Filtering ALLOW</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151478#M50160</link>
      <description>&lt;P&gt;That is an interesting use case. I'll take your word for it that action is necessary.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you opt to explore a custom app, you can look at dns-req-section; see page 19 of &lt;A href="https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Creating-Custom-Application-and-Threat-Signatures/ta-p/58569" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Creating-Custom-Application-and-Threat-Signatures/ta-p/58569&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I briefly had another idea involving a SIEM and an action that could result in blocking the IP, but I don't think you'll ever see the actual DNS request itself inside the logs.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Apr 2017 14:42:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/data-filtering-allow/m-p/151478#M50160</guid>
      <dc:creator>bradk14</dc:creator>
      <dc:date>2017-04-06T14:42:34Z</dc:date>
    </item>
  </channel>
</rss>
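Editor's added example, not code from the thread or from Palo Alto Networks. The thread converges on "match our domain name in the DNS request, allow that, drop all other DNS". The Python below implements that decision on raw DNS query packets so the pitfall of an unanchored pattern is visible: a check that only asks whether "example.com" appears in the queried name also accepts example.com.attacker.net and notexample.com, whereas a check anchored at a label boundary (the zone apex itself or a real subdomain of it) does not. The zone name example.com and all sample packets are constructed here for illustration; whichever engine does the matching in production (a custom App-ID signature on dns-req-section or anything else), the same anchoring requirement applies.

```python
"""
Allow-list check for inbound DNS queries: accept only questions for zones we
host, drop everything else.  Added example written for this page, not code from
the forum thread or from Palo Alto Networks.  Zone names and sample queries are
constructed for illustration.
"""
import struct

# Assumption: the zones the DNS servers behind the firewall are authoritative for.
AUTHORITATIVE_ZONES = ("example.com",)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (RFC 1035 wire format) as test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_qname(payload: bytes, offset: int) -> str:
    """Decode one uncompressed QNAME starting at offset; raise on malformed input."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[offset]
        offset += 1
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question")
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))  # UnicodeDecodeError is a ValueError
        offset += length


def query_qname(payload: bytes) -> str:
    """Return the QNAME of the first question of a DNS *query* packet."""
    if len(payload) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    return parse_qname(payload, 12)


def in_zone(qname: str, zone: str) -> bool:
    """True only at a label boundary: the zone apex itself or a subdomain of it."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def allow_query(payload: bytes, zones=AUTHORITATIVE_ZONES) -> bool:
    """Firewall-style verdict: allow only well-formed queries for our zones."""
    try:
        qname = query_qname(payload)
    except ValueError:
        return False  # malformed, truncated or not a query: fail closed
    return any(in_zone(qname, z) for z in zones)


def naive_pattern_match(payload: bytes, pattern: str = "example.com") -> bool:
    """What an unanchored 'our domain name appears in the request' rule accepts."""
    try:
        return pattern in query_qname(payload)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample queries; the third and fourth pass the naive pattern
    # although they are not for our zone.
    for name in ("www.example.com", "EXAMPLE.COM", "example.com.attacker.net",
                 "notexample.com", "google.com"):
        pkt = build_query(name)
        print(f"{name:28} anchored={allow_query(pkt)!s:5} naive={naive_pattern_match(pkt)}")
```

Two caveats a practitioner would want alongside this. First, the check fails closed: anything that is not a well-formed query (a response packet arriving on the inbound path, a truncated name, a compression pointer in the question) is dropped rather than guessed at. Second, as the original poster notes, this is an extra layer rather than a replacement for flood protection: a flood of well-formed queries for the hosted zone, spoofed or not, passes this filter by design.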

