Data Filtering timers and inner workings


L2 Linker

Hello, Live Community!

 

I've been using Data Filtering profiles for a while now and they work really well, but it has come to my attention that I don't really know some of the inner workings of it, especially today when someone asked me about it, so...

 

  • Does DF work with timers? I mean, what's the time range for detecting a data pattern/regex/file property and for it to count towards the defined threshold? Is this configurable? If I set an alert threshold of 2 for a CC# and someone transfers one number now and then waits for a week until transferring another one, will the threshold be met?

 

  • To my understanding, DF counts any instance of the data pattern/regex/property towards meeting the threshold, but is this per IP/User identity? Is this configurable?

Looking forward to your replies. Many thanks!

1 REPLY

Community Team Member

Hi @CMachado ,

 

The Alert Threshold and Block Threshold fields specify how many instances of a data match, within a single session, that must be observed before the Palo Alto Networks device performs an alert or block action, respectively.

 

Source: HOW TO CONFIGURE A DATA FILTERING PROFILE TO ALERT BUT NOT BLOCK 

 

Cheers !

-Kiwi.
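
A small model of the per-session counting described in the reply above, applied to the scenario from the question. This is an added example, not Palo Alto Networks code or part of the original posts; the event tuples, session IDs, addresses, block threshold value and function names are constructed for illustration, and it assumes the block action takes precedence once its threshold is reached.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, session_id, source, pattern_matches).
# Sessions 101 and 102 are the question's scenario: one card number now,
# another a week later in a new session. Session 103 carries two matches.
EVENTS = [
    ("2024-01-01T10:00", 101, "10.0.0.5", 1),
    ("2024-01-08T10:00", 102, "10.0.0.5", 1),
    ("2024-01-08T11:00", 103, "10.0.0.9", 1),
    ("2024-01-08T11:05", 103, "10.0.0.9", 1),
]


def action_for(count, alert_threshold, block_threshold):
    """Map a match count to an action (assumption: block wins once reached)."""
    if count >= block_threshold:
        return "block"
    if count >= alert_threshold:
        return "alert"
    return "none"


def evaluate_per_session(events, alert_threshold, block_threshold):
    """Count matches per session only; timestamps and source are not used."""
    counts = defaultdict(int)
    for _timestamp, session_id, _source, matches in events:
        counts[session_id] += matches
    return {
        sid: action_for(n, alert_threshold, block_threshold)
        for sid, n in counts.items()
    }


def totals_per_source(events):
    """For contrast only: totals per source, which the threshold does not use."""
    totals = defaultdict(int)
    for _timestamp, _session_id, source, matches in events:
        totals[source] += matches
    return dict(totals)


if __name__ == "__main__":
    print("per-session actions:", evaluate_per_session(EVENTS, 2, 5))
    print("per-source totals:  ", totals_per_source(EVENTS))
```

With an alert threshold of 2, sessions 101 and 102 each stay below the threshold even though the same source has two matches in total, while session 103 reaches it.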
