03-29-2011 01:10 PM
It seems obvious to me that you can't simply apply the built in CC and SS filters in a Security Profile with an "any any". In my testing it really fouls up general web surfing.
Why is there no detailed documentation (at least any I can find in KnowledgePoint or elsewhere) about how to craft an effective data filtering profile? Should it be applied to applications like hotmail or ftp or file types like .doc or .xls? Should it be on upload only since we are trying to prevent outbound data leakage? When I tried crafting regular expressions and saving them I was knocked out of the GUI and literally had to reboot Panorama - instead of just rejecting them with an error message.
I need better guidance on this important feature.
04-15-2011 11:05 AM
It seems obvious to me that you can't simply apply the built in CC and SS filters in a Security Profile with an "any any". In my testing it really fouls up general web surfing.
Correct, applying any filter to an "Any, Any....." rule is a bad idea!
Why is there no detailed documentation (at least any I can find in KnowledgePoint or elsewhere) about how to craft an effective data filtering profile? Should it be applied to applications like hotmail or ftp or file types like .doc or .xls? Should it be on upload only since we are trying to prevent outbound data leakage?
The greater majority of content on the KB is a result of a question or request; in most cases we are responding to threads. Though we have tried to be proactive, clearly we haven't covered every possible need. That said, we are forever working to improve our offering.
When I tried crafting regular expressions and saving them I was knocked out of the GUI and literally had to reboot Panorama - instead of just rejecting them with an error message.
There is nothing that should cause this. If you are able to reproduce it, please contact support immediately and provide details so that it can be fixed in a future version.
I need better guidance on this important feature.
Please see the attached document
04-15-2011 11:35 AM
Hi, the attached guidance is quite short and incomplete; I would prefer better documentation.
For example, Check Point has a quite long list of best practices, examples and data patterns implemented in the default configuration, and it would be interesting to see Palo Alto's thoughts and tips.
04-18-2011 01:36 PM
I have been testing data filtering functionality and meeting with mixed results. Using some of the (limited) documentation I've found here I have been able to get SSN and a custom credit card pattern to work, but blocking by file type is failing.
I've attached a file with the filter/policy w/ my results. Can anyone tell if I'm doing something wrong? I really need this to work. Thanks in advance!!!
06-21-2011 03:11 PM
Hi,
I'm doing the same tests using IBAN codes and your results are similar to mine. I've also had a case open for 2 months, but no real solution was found for DLP.
In my opinion DLP lacks some capabilities:
I've also tried the new 4.0.3, but nothing changed.
I hope for future improvement. Other vendors' DLP is better.
03-13-2012 10:15 AM
Just found this thread as I was considering turning on data filtering for SSNs and CCs and maybe a specific record number we use at my company.
Have you guys gotten any further? Still stuck?
03-13-2012 01:44 PM
To be honest, this feature is a bust in my opinion. We were primarily interested in applying it to web-based e-mail, both in the body and for attachments. Using documentation from this forum I created a custom regex pattern for credit cards, such as .*((Credit Card)|(VISA card)|(Visa card)|(Debit Card)).*([0-9][0-9][0-9][0-9].[0-9][0-9][0-9][0-9].[0-9][0-9][0-9][0-9].[0-9][0-9][0-9][0-9]) , then applied it to my rule that allowed web-based e-mail and it sort-of, kind-of worked. It worked for attachments for some applications but not others - I never got it to work for FTP at all.
Be warned: we have since completely removed the Custom Pattern above when it blew up our upgrade from 3.x to 4.x. The escalation engineer said it was crap and that we should not use a Custom Filter like that (remember, I found it in this forum.)
We never expected it to be DLP, but we were really counting on it for policing web-based e-mail - so we've had to block web-based e-mail for 99% of our employees.
Craig W
04-04-2013 07:54 AM
Searching around can get you the inside scoop on how these numbers are constructed which will help cut down on false positives. A couple of sample credit card regexes:
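A worked comparison, added here as an example and not code from this thread or from Palo Alto Networks: it runs the keyword-plus-digits pattern Craig posted above against constructed sample lines, next to a stricter shape-plus-Luhn check that captures the "how these numbers are constructed" point of the previous post. `CANDIDATE`, `luhn_ok`, `find_card_numbers` and the sample lines are my own assumptions, not anything from the product.

```python
import re

# Loose pattern from the thread, unchanged: a keyword somewhere before four
# groups of four digits separated by any single character.
LOOSE_CC = re.compile(
    r".*((Credit Card)|(VISA card)|(Visa card)|(Debit Card)).*"
    r"([0-9][0-9][0-9][0-9].[0-9][0-9][0-9][0-9]."
    r"[0-9][0-9][0-9][0-9].[0-9][0-9][0-9][0-9])"
)

# Candidate card numbers: 13 to 19 digits, optional single space or dash
# between digits, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which every major payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Digit strings in text that have card-number shape and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def loose_matches(text: str) -> bool:
    """True if the thread's keyword-plus-digits pattern fires on this text."""
    return LOOSE_CC.search(text) is not None


# Constructed sample lines (no real data). 4111 1111 1111 1111 is a widely
# published Visa test number and passes Luhn; the ticket id and the altered
# account number do not, so only the first line is a true hit.
SAMPLES = [
    "Please charge my Visa card 4111 1111 1111 1111 for the order.",
    "Credit Card dispute: see ticket 2012-0313-0144-0754 in the tracker.",
    "Account 4111111111111112 was declined.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(loose_matches(line), find_card_numbers(line), line)
```

The loose pattern fires on the ticket line (keyword plus sixteen separated digits) and misses the unlabelled account number, while the Luhn-backed check reports only the genuine card-shaped value regardless of surrounding keywords.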
04-09-2013 12:06 PM
If you're looking for DLP get Vontu.......DLP "lite" is what you have here, similar to Check Point......if you like being flooded with false positives, by all means.....
I do have a question though on file content....I am writing some Arcsight use cases and tracking which file names are transferred over which application protocol by user. I do not seem to be able to find a document which outlines the signature matches for the various documents (such as File microsoft MSOFFICE(52033) or a File Microsoft Office 2007 xls document 52024) etc etc.....
I built some nice use cases with FireEye to pick up on the .jar files coming in, but since this client doesn't have a DLP solution (yet) I do want to give an idea of what type of file names are leaving the perimeter to give them a little "boost" in acquiring DLP capability.
Thanks