Data-Filtering ALLOW

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Data-Filtering ALLOW

L1 Bithead

I am using PAN-OS 7.1.

 

I have figured out how to use basic data-filtering to block traffic with certain patterns in the payload, but I want to do the opposite. I want to configure a rule that will only ALLOW packets with a certain pattern, and automatically drop everything else. Is there a way to do this?

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello,

Yes you should be able to do this. Just put the rules you want to allow at the begining of the policies and then either put a DENY ALL rule at the bottom or use the one built in. I prefer my own DENY ALL rule since its easier to see in the logs.

 

Hope that helps.

I'm not sure this is actually possible because you can't use the result of a data filtering profile as a factor of policy.

 

what may be possible is to create a custom app and to apply policy based on that. you would have to also allow a supporting policy/app (such as web-browsing and ssl) that would allow enough initial traffic through for the AppID to work, however.

 

the whole thing sounds a little ambitious to me though to be frank. that has to be a very specific/curious use case.

--
CCNA Security, PCNSE7

Cyber Elite
Cyber Elite

you could use a negate on your sources to block 'everything except these sources' (or destination, whatever is more convenient)

 

negate.png

 

 

 

::edit:: you'll need to figure a way to make your pattern into a custom application or custom threat (i misread your initial post)

data filtering is one of the only exceptions to what i describe above as i can only be configured to 'add' weight rather than substract and you'll need to allow traffic prior to being able to block because of the weight exceeding your limit, so purely on datafiltering this is not possible

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L1 Bithead

Thank you all for the responses. I am coming to the sad conclusion that this is not possible with a straight-forward configuration.

 

By the way, my application is that I want to filter the port-53 traffic headed from the outside-world to my DNS-servers and scan the payload for our domain-name. Any DNS lookup coming in from the outside that is NOT for our domain is necessarily bogus (by our definition) and probably a DoS attack and should be dropped. I realize that there are flood-checks that we can use, and we do that already, but I’d really like to add this extra layer. All I think that it would take is in the “Objects/Security Profiles/Data Filtering” page, to have an “Allow Threshold” in addition to the “Block Threshold”. Then (theoretically) I could write a “Deny” rule and use the Data Filtering profile as an “Allow” exception to that. Oh well. I suppose that a flavor of DNSSec might help too, but it would be nice to do this in the firewall.

you could give custom app a go, since you are hitting on a string 

 

create a rule to allow your custom app, then a second rule to drop all dns

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

that is an interesting use case. I'll take your word for it that action is necessary.

 

if you opt to explore a custom app. you can look at dns-req-section, see page page 19 of https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Creating-Custom-Application-and-Threat-Signa...

 

I briefly had another idea involving a SIEM and an action that could result in blocking the IP, but I don't think you'll ever see the actual DNS request itself inside the logs.

--
CCNA Security, PCNSE7
  • 2991 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!