Palo Alto Networks Knowledgebase: Data Filtering Best Practices

Data Filtering Best Practices

9350
Created On 08/27/19 19:29 PM - Last Updated 08/27/19 19:34 PM
Data Filtering Policy 7.1 PAN-OS
Environment
  • PAN-OS 7.1
  • Data Filtering configured


Resolution

Two signatures exist for data filtering:

  • Credit Card: the device will look for 16 digit numbers and will run thru a hash algorithm. It must match the hash algorithm before detecting this as a Credit Card number. This method has less false positive.
  • Social Security Number: is detected as any 9 digit number, regardless of format. This is prone to false positive.

 

It is important to determine which types of documents in which to look for credit card and social security numbers.

Attached to this document are two PDF files that can be used to test the policy. One has fake social security numbers and the other fake credit card numbers.

 

Set up a profile to detect the two key words and trigger an alert. The second condition -- if the device sees any file that has 10 nine-digit numbers or 10 Credit Card numbers or a combination of both that total to 10.

  1. Set up the custom Data Patterns.
  2. Set up the data pattern profile.
  3. Set up the data pattern in the security profile.

 

The custom data pattern is set the following way:

  • Set the weight of the custom data pattern to 10.
  • Set the social security and credit card to 1 (see screenshot below).
    2016-09-20_12-34-46.jpg
  • Set the Data Filtering profile to trigger on 10 (see screenshot below).2016-09-20_12-35-37.jpg

 

  • Add this profile to the security rule. This rule will look for the data pattern and alert on the above condition.  This should prevent some of the false detection.2016-09-20_12-44-16.jpg

 

Monitor Data Filter Log

2016-09-20_12-39-21.jpg

 

The green arrow next to a log entry is a packet capture of the single packet that triggered the data filtering.

To protect the data contained in the packetcaptures, Dta Protection can be enabled which password protects all the packetcaptures. The password can be set from the Device > Setup > Content-ID > Manage Data Protection

2016-09-20_12-41-09.jpg

 

Note: Attached to this KB document are two test files that can be used to confirm that the policy is working.

 

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSSCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language