04-05-2017 09:46 AM
I am using PAN-OS 7.1.
I have figured out how to use basic data-filtering to block traffic with certain patterns in the payload, but I want to do the opposite. I want to configure a rule that will only ALLOW packets with a certain pattern, and automatically drop everything else. Is there a way to do this?
04-05-2017 04:02 PM
Hello,
Yes, you should be able to do this. Just put the rules you want to allow at the beginning of the policies and then either put a DENY ALL rule at the bottom or use the one built in. I prefer my own DENY ALL rule since it's easier to see in the logs.
Hope that helps.
04-06-2017 02:04 AM
I'm not sure this is actually possible because you can't use the result of a data filtering profile as a factor of policy.
What may be possible is to create a custom app and to apply policy based on that. You would have to also allow a supporting policy/app (such as web-browsing and ssl) that would allow enough initial traffic through for the App-ID to work, however.
The whole thing sounds a little ambitious to me though, to be frank. That has to be a very specific/curious use case.
04-06-2017 02:18 AM - edited 04-06-2017 02:21 AM
You could use a negate on your sources to block 'everything except these sources' (or destination, whatever is more convenient).
::edit:: You'll need to figure out a way to make your pattern into a custom application or custom threat (I misread your initial post).
Data filtering is one of the only exceptions to what I describe above, as it can only be configured to 'add' weight rather than subtract, and you'll need to allow traffic prior to being able to block because of the weight exceeding your limit, so purely on data filtering this is not possible.
04-06-2017 07:27 AM
Thank you all for the responses. I am coming to the sad conclusion that this is not possible with a straightforward configuration.
By the way, my application is that I want to filter the port-53 traffic headed from the outside world to my DNS servers and scan the payload for our domain name. Any DNS lookup coming in from the outside that is NOT for our domain is necessarily bogus (by our definition) and probably a DoS attack and should be dropped. I realize that there are flood checks that we can use, and we do that already, but I'd really like to add this extra layer. All I think that it would take is, in the "Objects/Security Profiles/Data Filtering" page, to have an "Allow Threshold" in addition to the "Block Threshold". Then (theoretically) I could write a "Deny" rule and use the Data Filtering profile as an "Allow" exception to that. Oh well. I suppose that a flavor of DNSSEC might help too, but it would be nice to do this in the firewall.
04-06-2017 07:31 AM
You could give a custom app a go, since you are hitting on a string.
Create a rule to allow your custom app, then a second rule to drop all DNS.
04-06-2017 07:42 AM
That is an interesting use case. I'll take your word for it that action is necessary.
If you opt to explore a custom app, you can look at dns-req-section; see page 19 of https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Creating-Custom-Application-and-Threat-Signa...
I briefly had another idea involving a SIEM and an action that could result in blocking the IP, but I don't think you'll ever see the actual DNS request itself inside the logs.
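A worked illustration of the allow-list logic the thread converges on (allow queries for the organisation's own zone, drop the rest), added here as an example and not taken from the original posts or from any PAN-OS documentation. It models in Python what a custom signature matching on the DNS request section would have to match: the QNAME travels in label-encoded wire format (`\x07example\x03com\x00`), not as the dotted string, so the byte pattern for "within our zone" is the encoded zone terminated by the zero-length root label. The zone name `example.com`, the sample queries and the transaction ID are constructed for the example; nothing here is the firewall's own configuration syntax.

```python
import struct

# Constructed for the example: the zones this DNS server is authoritative for.
ALLOWED_ZONES = ("example.com",)


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format: length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query (QR=0, RD=1, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Return the first question name as a lower-case dotted string; raise ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in a bare question name.
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)


def in_allowed_zone(qname: str, zones=ALLOWED_ZONES) -> bool:
    """True if qname equals one of our zones or is a subdomain of one (suffix match on labels)."""
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in zones)


def should_allow(packet: bytes) -> bool:
    """Default-deny decision: only well-formed queries for our own zones pass."""
    try:
        return in_allowed_zone(parse_qname(packet))
    except ValueError:
        return False


def zone_pattern_matches(packet: bytes, zone: str) -> bool:
    """Byte-pattern view of the same check: the label-encoded zone plus the terminating 0 byte
    must appear in the payload after the 12-byte header. The trailing 0 is what stops
    'example.com.evil.net' from matching, since its encoding continues with more labels."""
    return encode_name(zone) in packet[12:]


if __name__ == "__main__":
    for name in ("www.example.com", "example.com.evil.net", "evil.net"):
        pkt = build_query(name)
        print(name, "allow" if should_allow(pkt) else "drop",
              "pattern-hit" if zone_pattern_matches(pkt, "example.com") else "pattern-miss")
```

Two details matter in practice: a plain substring match on the dotted string would miss every real packet because the dots are length bytes on the wire, and a pattern without the terminating zero byte would also match attacker-chosen names that merely embed the zone (`example.com.evil.net`). Malformed or response-shaped packets fall through to the default deny rather than to the allow.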