PAN-OS 8.0 Support for Data Classification Tags

Created On 09/25/18 18:59 PM - Last Modified 07/19/22 23:09 PM


Resolution


This article highlights a new capability or feature introduced in PAN-OS 8.0. If you’d like to learn more about this topic or PAN-OS 8.0 in general, you’ll also want to check out our world-class Technical Documentation.

 

Have you been waiting for more options when working with Data Patterns? PAN-OS 8.0 adds robustness to this important data pattern matching capability.

 

Support for data classification tags expands on the existing Data Patterns functionality in a couple of ways:

  • Separates the Credit Card/SSN and the Regular Expression pattern matches into individual objects.
  • Adds the ability to scan files for specific tags and file properties.
  • Provides greater flexibility when configuring Data Filtering profiles.

 

Configuration workflow:

  1. Objects > Custom Objects > Data Patterns > Add
  2. Name the object, provide an optional description, and select one of the options:
    a. Predefined Pattern
    b. Regular Expression
    c. File Properties
  3. Add items to the Data Pattern object as needed.
  4. Objects > Security Profiles > Data Filtering > Add
  5. Add the Data Pattern object(s) previously configured.
  6. Apply the configured Data Filtering profile to one or more security policies.


Note: Property Values must be at least 2 bytes

 

File Type selection in the Data Filtering profile has also been improved.

 

Configuration Gotchas on Data Patterns in PAN-OS 8.0

 

If an attribute has a reference instead of a value pair, the firewall will log an entry explaining it.

  • Value pair: Titus GUID=Confidential
  • Reference: Titus GUID={byte 48678}
    The above byte value is some string or other data at that byte in the file in question.

The Data Filtering log will be populated with an informational log containing “Could not match file property Titus GUID={byte 48678}”.

This lets admins know that something was present in the document but that we were unable to match the referenced data.

 

When creating a Data Pattern object, the admin can optionally specify the file type. If this is done, any Data Filtering profile using that object must also specify the same file type.

For example, if an admin creates:

  • File Property object for PDF files.
  • Data Filtering profile referencing that object, but specifying MS Office Documents as the file type.

There will never be a match. This type of granularity is not present in PAN-OS 7.1 or older.
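The two checks above (the 2-byte minimum for Property Values and the file type that must agree between object and profile) can be run as a pre-commit review of planned objects. This is an added example, not Palo Alto Networks code: the data model, field names, object names and file type labels are hypothetical and are not PAN-OS configuration schema.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified, hypothetical model of the objects described above.
@dataclass
class FilePropertyPattern:
    name: str
    property_name: str                # e.g. "Titus GUID"
    property_value: str               # e.g. "Confidential"
    file_type: Optional[str] = None   # None: no file type set on the object

@dataclass
class ProfileRule:
    profile: str
    data_pattern: str                 # name of the referenced Data Pattern object
    file_types: list = field(default_factory=list)

def lint(patterns, rules):
    """Return (object_or_profile, problem) findings for the two gotchas."""
    findings = []
    by_name = {p.name: p for p in patterns}
    for p in patterns:
        # Property Values must be at least 2 bytes (assumption: UTF-8 length).
        if len(p.property_value.encode("utf-8")) < 2:
            findings.append((p.name, "property value shorter than 2 bytes"))
    for r in rules:
        p = by_name.get(r.data_pattern)
        if p is None:
            findings.append((r.profile, f"unknown data pattern {r.data_pattern!r}"))
        elif p.file_type is not None and p.file_type not in r.file_types:
            # Profile must list the object's file type or it never matches.
            findings.append((r.profile, f"file type mismatch: object {p.name!r} is "
                             f"{p.file_type!r}, profile lists {r.file_types}"))
    return findings

# Constructed sample mirroring the PDF / MS Office example above.
PATTERNS = [
    FilePropertyPattern("titus-pdf", "Titus GUID", "Confidential", "pdf"),
    FilePropertyPattern("short-val", "Titus GUID", "C"),
]
RULES = [
    ProfileRule("dlp-office", "titus-pdf", ["ms-office"]),
    ProfileRule("dlp-pdf", "titus-pdf", ["pdf"]),
]

if __name__ == "__main__":
    for subject, problem in lint(PATTERNS, RULES):
        print(f"{subject}: {problem}")
```
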

 

 

Client software (such as a browser) will often re-attempt or resume the download. Prevent this with:

 

# set deviceconfig setting ctd skip-block-http-range no

Or via the GUI:

Device > Setup > Content-ID tab > Content-ID Settings
