Data pattern strange behavior

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Data pattern strange behavior

Not applicable

Hi,

I'm trying to enable some data patterns in order to block banking informations going out from the network.

Model PA-500 PANOS 4.0.2

The first task is to block Italian IBAN code starting from Checkpoint's DLP blade pattern. This is the regex extracted from a UTM-1 R75

IT\d{2}( )?[A-Z]\d{3}( )?\d{4}( )?\d{3}[0-9A-Za-z]( )?([0-9A-Za-z]{4}( )?){2}[0-9A-Za-z]{3}

As far as I know (Admin guide source) Palo Alto pattern recognition doesn't have some features like \d{2} and repetition {2} and I've changed the format into a new one according to PA's needs.

.*(IT[0-9][0-9]( )?[A-Z][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z])

The first problem is due to 7 bytes lenght: in this format always I received the error and only adding some other words i can continue with the commit. I added, for example,  a simpe phrase:

.*(IBAN Italia).*(IT[0-9][0-9]( )?[A-Z][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z])

I' ve tried other format (without long IBAN code) still receiving 7 bytes error so might there is a bug somewhere in pattern recognition:

.*(IBAN).*((Italia)|(ITALIA)|(italia)

  • -> pattern -> IBAN-IT -> regex '.*(IBAN).*((Italia)|(ITALIA)|(italia))' is invalid. pattern must be at least 7 bytes

The second problem is an increbilbe increasing in commit time from 1 minute to 5-10 minute and often this is the result:

  • device: response from cfgpush.s1.dp0.comm.cfg: config push error
  • Commit failed

The only way to create this pattern match is creating a subset rule but commit long time still remains and the match is due the first two words not the real IBAN code.

.*(IBAN Italia).*(IT[0-9][0-9]( )?[A-Z][0-9][0-9][0-9])

If someone has an idea how to resolve this odd behavior please send me an update. If not I will open a support case.

Regards

2 REPLIES 2

Not applicable

Quick update: the long commit time is only for the first commit after the regex insertion. The others take the normal time, about one min, the coffee time Smiley Happy

Update after 2 month from opening the case:

Problem still remains even with the new 4.0.3 due to limit in long regex pattern. There is a limit that you can't trespass that generates errors in commit operation like commit failure or commit thread not responding.

For now DLP has big limitations respect other vendors and I want to remark that having a strong DLP support is quite important in this kind of device.

Please verify the error in the future and improve this feature.

Now the case with the support is closed with the note: not solved. By the way thanks to the support team.

  • 3587 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!