07-28-2011 06:47 AM
We were at a demo yesterday and they demonstrated that you could see all the documents that leave your company through the Palo Alto device. Went back and tried to find it in the documentation and no such luck. Does anyone know how this works?
Thanks
07-28-2011 07:35 AM
Hello,
You configure Data Filtering profiles from the Security Profiles menu. There you can input what type of files to scan, what keywords you are looking for, and even say you want to capture/keep a copy of the file on the firewall itself if it matches.
regards
07-28-2011 01:36 PM
Thanks for the reply. Is there any documentation to show how to do this? I see you have to make a data pattern first, but it is not clear how to do that for checking all documents, not just keywords. Also, if you capture the data, how do you find it?
Thanks again!
07-28-2011 03:41 PM
The PAN-OS 4.0 Admin Guide combined with documents in KnowledgePoint will provide you with the information you need to configure Data Filtering profiles for use with your "allow" security policies. Just remember that "Weight" is basically a value by which a counter is incremented before an alert or block is triggered. Each instance of a data pattern increments the data pattern within the Data Filtering profile by its defined "weight".
Also, if a Data Filtering profile is triggered, and a data capture is performed, you can find the capture under the Data Filtering log. Look for a green arrow, pointing downward to the left of the Receive Time column. This icon indicates there is a data capture associated with the log entry.
Consider a Data Filtering profile that is set to Alert for ten 16-digit credit card numbers (i.e. the predefined Credit Card Number data pattern) and to Block for 20 credit card numbers. An MS-Word document containing ten 16-digit numbers would trigger an alert in the Data Filtering log. A data capture would be indicated in the Data Filtering log if this had been configured previously. A similar document with 20 credit card numbers would be blocked and generate another Data Filtering log entry. [When the weight of a credit card number (CC) equals 1, then CC_1 + CC_2 ... + CC_10 = Alert OR CC_1 + CC_2 ... + CC_20 = Block (for this example).]
The use of a predefined keyword can add additional "weight". For example, the keyword "confidential" could have a weight of 10. Thus, a document that contains the keyword "confidential" and 10 credit card numbers would be blocked and trigger a Data Filtering log entry [(keyword "confidential" = weight of 10) + (10 credit card numbers; each with weight of 1) = 20].
I hope that helps!
Jared
07-28-2011 03:52 PM
One last note: it's important for you to know what you need to filter for. Casting too wide of a net will result in false positives. Be sure that you define specific data patterns for specific scenarios. You'll find the supported regex information in the PAN-OS 4.0 Admin Guide. This link also provides a basic tutorial in the event you're not experienced with regex (http://www.regular-expressions.info/quickstart.html).
Best Regards,
Jared
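To make the weighted counting in Jared's two replies concrete, here is an added Python model (not code from the thread or from PAN-OS itself) of a Data Filtering profile: credit card numbers at weight 1, the keyword "confidential" at weight 10, Alert at 10 and Block at 20, plus a side-by-side of a narrow and an over-wide regex to show the false-positive point. The regexes, thresholds and sample documents are constructed for illustration and are not the firewall's predefined patterns.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DataPattern:
    """A data pattern as described in the thread: each match adds `weight`."""
    name: str
    regex: str
    weight: int

# Hypothetical patterns mirroring Jared's example (not PAN-OS's own regexes).
CC_NARROW = r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"   # 16-digit card number
CC_TOO_WIDE = r"\d+"                                      # "any number": too wide a net
PATTERNS = [
    DataPattern("credit-card-number", CC_NARROW, 1),
    DataPattern("keyword-confidential", r"\bconfidential\b", 10),
]
ALERT_THRESHOLD = 10
BLOCK_THRESHOLD = 20

def count_matches(regex, text):
    """Number of non-overlapping, case-insensitive matches of one pattern."""
    return len(re.findall(regex, text, flags=re.IGNORECASE))

def score_document(text, patterns=PATTERNS):
    """Sum weight * match count over all patterns; also return per-pattern counts."""
    counts = {p.name: count_matches(p.regex, text) for p in patterns}
    total = sum(counts[p.name] * p.weight for p in patterns)
    return total, counts

def evaluate(text, alert=ALERT_THRESHOLD, block=BLOCK_THRESHOLD):
    """Return ('allow' | 'alert' | 'block', total weight, per-pattern counts)."""
    total, counts = score_document(text)
    action = "block" if total >= block else "alert" if total >= alert else "allow"
    return action, total, counts

# Constructed sample documents (test card-style numbers, not real accounts).
TEN_CARDS = "\n".join(f"4111 1111 1111 {1000 + i:04d}" for i in range(10))
TWENTY_CARDS = "\n".join(f"4111 1111 1111 {2000 + i:04d}" for i in range(20))
CONFIDENTIAL_TEN = "CONFIDENTIAL - internal only\n" + TEN_CARDS
# A benign invoice: no card numbers, but plenty of digits for a wide regex to hit.
BENIGN_INVOICE = "Invoice 2011-07-28, PO 4471, 12 units at 3.50 each, total 42.00, ref 8813."

if __name__ == "__main__":
    for label, doc in [("ten cards", TEN_CARDS), ("twenty cards", TWENTY_CARDS),
                       ("confidential + ten cards", CONFIDENTIAL_TEN)]:
        print(label, "->", evaluate(doc)[:2])
    print("benign invoice, narrow regex:", count_matches(CC_NARROW, BENIGN_INVOICE))
    print("benign invoice, wide regex:  ", count_matches(CC_TOO_WIDE, BENIGN_INVOICE))
```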
07-29-2011 09:38 AM
Great, this sounds like everything we would be looking for. I appreciate your help.
Thanks again!!
08-01-2011 03:07 AM
But if you wanted to log the all the filenames of files exiting the company - rather than scan the content - what would you do?
Thanks
n.
08-02-2011 05:54 PM
Best idea in this situation would be to create an alert on all file types for a File Blocking profile. This will show all file types the PAN has signatures for (which can be viewed on the drop-down for file types).
Dominic
08-04-2011 01:32 AM
Thanks. We will give that a try.
05-31-2012 09:05 PM
I have a few data pattern filters in place and we are seeing what we expected to see. Just curious, how does the data filter matching take place for things that are going over https? We don't have https/ssl decoding enabled on the firewall.
Rgds
Junaid
05-31-2012 10:27 PM
You need to enable ssl-termination in order to be able to inspect the contents of ssl/https streams.