04-15-2011 09:10 AM
Hi,
I'm trying to enable some data patterns in order to block banking information going out from the network.
Model PA-500 PANOS 4.0.2
The first task is to block Italian IBAN code starting from Checkpoint's DLP blade pattern. This is the regex extracted from a UTM-1 R75
IT\d{2}( )?[A-Z]\d{3}( )?\d{4}( )?\d{3}[0-9A-Za-z]( )?([0-9A-Za-z]{4}( )?){2}[0-9A-Za-z]{3}
As far as I know (Admin guide source) Palo Alto pattern recognition doesn't have some features like \d{2} and repetition {2} and I've changed the format into a new one according to PA's needs.
.*(IT[0-9][0-9]( )?[A-Z][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z])
The first problem is due to the 7 bytes length: with this format I always received the error, and only by adding some other words can I continue with the commit. I added, for example, a simple phrase:
.*(IBAN Italia).*(IT[0-9][0-9]( )?[A-Z][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9]( )?[0-9][0-9][0-9][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z][0-9A-Za-z]( )?[0-9A-Za-z][0-9A-Za-z][0-9A-Za-z])
I've tried other formats (without the long IBAN code) and still receive the 7 bytes error, so there might be a bug somewhere in pattern recognition:
.*(IBAN).*((Italia)|(ITALIA)|(italia)
The second problem is an incredible increase in commit time from 1 minute to 5-10 minutes, and often this is the result:
The only way to create this pattern match is by creating a subset rule, but the long commit time still remains and the match is due to the first two words, not the real IBAN code.
.*(IBAN Italia).*(IT[0-9][0-9]( )?[A-Z][0-9][0-9][0-9])
If someone has an idea how to resolve this odd behavior please send me an update. If not I will open a support case.
Regards
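The hand conversion described in the post above (replacing `\d` with `[0-9]` and unrolling `{n}` repetitions) can be done mechanically and checked for equivalence. This is an added example, not part of the original post and not Palo Alto or Check Point code; the helper names and the test strings are assumptions made for illustration.

```python
import re

# Check Point pattern quoted in the post (uses \d and {n}).
CHECKPOINT = (r"IT\d{2}( )?[A-Z]\d{3}( )?\d{4}( )?\d{3}[0-9A-Za-z]( )?"
              r"([0-9A-Za-z]{4}( )?){2}[0-9A-Za-z]{3}")

def atoms(p):
    """Split into top-level atoms. Handles only the constructs used above:
    \\x escapes, [...] classes, (...) groups, {n} counts, single characters."""
    out, i = [], 0
    while i < len(p):
        if p[i] == "\\":
            j = i + 2
        elif p[i] in "[{":
            j = p.index("]" if p[i] == "[" else "}", i) + 1
        elif p[i] == "(":
            depth, j = 1, i + 1
            while depth:                      # walk to the matching ")"
                depth += {"(": 1, ")": -1}.get(p[j], 0)
                j += 1
        else:
            j = i + 1
        out.append(p[i:j])
        i = j
    return out

def expand(p):
    """Rewrite \\d as [0-9] and unroll {n} into n copies of the previous atom."""
    out = []
    for a in atoms(p):
        if a == r"\d":
            out.append("[0-9]")
        elif a.startswith("{"):               # n-1 further copies of the last atom
            out.append(out[-1] * (int(a[1:-1]) - 1))
        elif a.startswith("("):               # recurse, keeping the group parentheses
            out.append("(" + expand(a[1:-1]) + ")")
        else:
            out.append(a)
    return "".join(out)

# Constructed test strings (not real accounts): two valid shapes, three invalid.
SAMPLES = ["IT00A" + "0" * 22, "IT00 A000 0000 000A BCD1 2345 678",
           "IT0A" + "0" * 22, "FR00A" + "0" * 22, "IT00a" + "0" * 22]

def verdicts(pattern):
    """Full-match result of a pattern against every constructed sample."""
    return [bool(re.fullmatch(pattern, s)) for s in SAMPLES]

if __name__ == "__main__":
    unrolled = expand(CHECKPOINT)
    print(unrolled)
    print(verdicts(CHECKPOINT) == verdicts(unrolled))
```

The unrolled output keeps the parentheses around the repeated group, so it is equivalent to, but not character-for-character the same as, the hand-written pattern in the post.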
06-17-2011 02:45 AM
Update after 2 months from opening the case:
The problem still remains even with the new 4.0.3 due to a limit on long regex patterns. There is a limit that you can't trespass that generates errors in the commit operation like commit failure or commit thread not responding.
For now DLP has big limitations with respect to other vendors and I want to remark that having strong DLP support is quite important in this kind of device.
Please verify the error in the future and improve this feature.
Now the case with the support is closed with the note: not solved. By the way thanks to the support team.