Policy Object: Custom Objects
Create custom data patterns, vulnerability and spyware signatures, and URL categories to use with security rules.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
What Do I Need?
Check for any license or role requirements for the products you're using.

Policy Object: Data Patterns

Data Patterns define the categories of sensitive information that you may want to filter.
You can create three types of data patterns to use when scanning for sensitive information:
  • Predefined—Use the predefined data patterns to scan files for social security and credit card numbers.
  • Regular Expression—Create custom data patterns using regular expressions.
  • File Properties—Scan files for specific file properties and values.

Custom Objects: Spyware/Vulnerability

Your configuration supports the ability to create custom spyware and vulnerability signatures using the threat engine. You can write custom regular expression patterns to identify spyware phone home communication or vulnerability exploits. The resulting spyware and vulnerability patterns become available for use in any custom vulnerability profiles. Your configuration looks for the custom-defined patterns in network traffic and takes the specified action for the vulnerability exploit.
Weekly content releases periodically include new decoders and contexts for which you can develop signatures.
You can optionally include a time attribute when defining custom signatures by specifying a threshold per interval for triggering possible actions in response to an attack. Action is taken only after the threshold is reached.

Policy Object: URL Category

Use the custom URL category page to create your custom list of URLs and use it in a URL Filtering profile or as match criteria in security rules. In a custom URL category, you can add URL entries individually or you can import a text file that contains a list of URLs.
URL entries added to custom categories are case insensitive.

Create Custom Objects

Cloud Managed

Create custom data patterns, vulnerability and spyware signatures, and URL categories to use with security rules.

Custom Objects: Data Patterns

Select Manage > Configuration > NGFW and Prisma Access > Security Services > Data Loss Prevention > Detection Methods > Data Patterns to define the categories of sensitive information that you may want to filter.
Also, be sure to learn about defining data filtering profiles.
Select Add Data Patterns > Custom and configure the settings in this table to add your custom data pattern:
Data Pattern Settings
Description
Name
Enter the data pattern name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter a description for the data pattern (up to 255 characters).
Pattern Type
Select the type of data pattern you want to create:
  • Predefined—Use the predefined data patterns to scan files for social security and credit card numbers.
  • Regular Expression—Create custom data patterns using regular expressions.
  • File Properties—Scan files for specific file properties and values.
Predefined Pattern
Palo Alto Networks provides predefined data patterns to scan for certain types of information in files, for example, for credit card numbers or social security numbers. To configure data filtering based on a predefined pattern, Add a pattern and select the following:
  • Name—Select a predefined pattern to use to filter for sensitive data. When you pick a predefined pattern, the Description populates automatically.
  • Select the File Type in which you want to detect the predefined pattern.
Regular Expression
Add a custom data pattern. Give the pattern a descriptive Name, set the File Type you want to scan for the data pattern, and enter the regular expression that defines the Data Pattern.
For regular expression data pattern syntax details and examples, see:
File Properties
Build a data pattern to scan for file properties and the associated values. For example, Add a data pattern to filter for Microsoft Word documents and PDFs where the document title includes the words “sensitive”, “internal”, or “confidential”.
  • Give the data pattern a descriptive Name.
  • Select the File Type that you want to scan.
  • Select the File Property that you want to scan for a specific value.
  • Enter the Property Value for which you want to scan.

Custom Objects: Spyware/Vulnerability

Use the Custom Spyware Signature page to define signatures for Anti-Spyware profiles: Manage > Configuration > NGFW and Prisma Access > Security Services > Anti-Spyware.
Use the Custom Vulnerability Signature page to define signatures for Vulnerability Protection profiles: Manage > Configuration > NGFW and Prisma Access > Security Services > URL Access Management.
Select the Custom Signatures tab, Add Custom Signature, and configure the settings in this table:
Custom Vulnerability and Spyware Signature Settings
Description
Configuration Tab
Threat ID
Enter a numeric identifier for the configuration (spyware signatures range is 15000-18000 and 6900001-7000000; vulnerability signatures range is 41000-45000 and 6800001-6900000).
Name
Specify the threat name.
Comment
Enter an optional comment.
Severity
Assign a level that indicates the seriousness of the threat.
Default Action
Assign the default action to take if the threat conditions are met. For a list of actions, see Actions in Security Profiles.
Direction
Indicate whether the threat is assessed from the client to server, server to client, or both.
Affected System
Indicate whether the threat involves the client, server, either, or both. Applies to vulnerability signatures, but not spyware signatures.
CVE
Specify the common vulnerability enumeration (CVE) as an external reference for additional background and analysis.
Vendor
Specify the vendor identifier for the vulnerability as an external reference for additional background and analysis.
Bugtraq
Specify the bugtraq (similar to CVE) as an external reference for additional background and analysis.
Reference
Add any links to additional analysis or background information. The information is shown when a user clicks on the threat from the ACC, logs, or vulnerability profile.
Signatures Tab
Standard Signature
Select Standard and then Add a new signature. Specify the following information:
  • Standard—Enter a name to identify the signature.
  • Comment—Enter an optional description.
  • Ordered Condition Match—Select if the order in which signature conditions are defined is important.
  • Scope—Select whether to apply this signature only to the current transaction or to the full user session.
Add a condition by clicking Add Or Condition or Add And Condition. To add a condition within a group, select the group and then click Add Condition. Add a condition to a signature so that the signature is generated for traffic when the parameters you define for the condition are true. Select an Operator from the drop-down. The operator defines the type of condition that must be true for the custom signature to match to traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match operators.
  • When choosing a Pattern Match operator, specify for the following to be true for the signature to match to traffic:
    • Context—Select from the available contexts.
    • Pattern—Specify a regular expression. See Pattern Rules Syntax for pattern rules for regular expressions.
    • Qualifier and Value—Optionally, add qualifier/value pairs.
    • Negate—Select Negate so that the custom signature matches to traffic only when the defined Pattern Match condition isn't true. This allows you to ensure that the custom signature isn't triggered under certain conditions.
      A custom signature can't be created with only Negate conditions; at least one positive condition must be included for a negate condition to be specified. Also, if the scope of the signature is set to session, a Negate condition can't be configured as the last condition to match to traffic.
      You can define exceptions for custom vulnerability or spyware signatures using the new option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can now also create an exception where the signature isn't generated for URLs that redirect to a trusted domain.
  • When choosing an Equal To, Less Than, or Greater Than operator, specify for the following to be true for the signature to match to traffic:
    • Context—Select from unknown requests and responses for TCP or UDP.
    • Position—Select between the first four or second four bytes in the payload.
    • Mask—Specify a 4-byte hex value, for example, 0xffffff00.
    • Value—Specify a 4-byte hex value, for example, 0xaabbccdd.
Combination Signature
Select Combination and specify the following information:
Select Combination Signatures to specify conditions that define signatures:
  • Add a condition by clicking Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
  • To move a condition within a group, select the condition and click Move Up or Move Down. To move a group, select the group and click Move Up or Move Down. You can't move conditions from one group to another.
Select Time Attribute to specify the following information:
  • Number of Hits—Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
  • Aggregation Criteria—Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.
  • To move a condition within a group, select the condition and click Move Up or Move Down. To move a group, select the group and click Move Up or Move Down. You can't move conditions from one group to another.

Custom Objects: URL Category

Go to Manage > Configuration > NGFW and Prisma Access > Security Services > URL Access Management, and Add Category to create your custom list of URLs and use it in a URL filtering profile or as match criteria in security rules. In a custom URL category, you can add URL entries individually or you can import a text file that contains a list of URLs.
URL entries added to custom categories are case insensitive.
Configure the settings in this table:
Custom URL Category Settings
Description
Name
Enter a name to identify the custom URL category (up to 31 characters). This name displays in the category list when defining URL filtering security rules and in the match criteria for URL categories in security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter a description for the URL category (up to 255 characters).
Type
Select the category type:
  • Category Match—Select Category Match to define a new custom category containing URLs matching all of the specified URL categories (a URL has to match all categories in the list). Specify between 2-4 categories.
  • URL List—Select URL List to add or import a list of URLs for the category. This category type also contains URLs added before PAN-OS 9.0.
Sites
Manage sites for the custom URL category (each URL added or imported can have a maximum of 255 characters).
  • Add—Add URLs, only one per row. Each URL can be in the format “www.example.com” or can include wildcards, such as “*.example.com”.
  • Import—Import and browse to select the text file that contains the list of URLs. Enter only one URL per row. Each URL can be in the format “www.example.com” or can include wildcards, such as “*.example.com”.
  • Export—Export custom URL entries included in the list (exported as a text file).
  • Delete—Delete an entry to remove the URL from the list.
To delete a custom category that you used in a URL Filtering profile, you must set the action to None before you can delete the custom category.

PAN-OS & Panorama

Create custom data patterns, vulnerability and spyware signatures, and URL categories to use with security rules.

Custom Objects: Data Patterns

Select Objects > Custom Objects > Data Patterns to define the categories of sensitive information that you may want to filter.
Also, be sure to learn about defining data filtering profiles.
Add your custom data pattern and configure the settings in this table:
Data Pattern Settings
Description
Name
Enter the data pattern name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter a description for the data pattern (up to 255 characters).
Shared
Select this option if you want the data pattern to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the data pattern will be available only to the Virtual System selected in the Objects tab.
  • Every device group on Panorama. If you clear this selection, the data pattern will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this data pattern object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Pattern Type
Select the type of data pattern you want to create:
  • Predefined—Use the predefined data patterns to scan files for social security and credit card numbers.
  • Regular Expression—Create custom data patterns using regular expressions.
  • File Properties—Scan files for specific file properties and values.
Predefined Pattern
Palo Alto Networks provides predefined data patterns to scan for certain types of information in files, for example, for credit card numbers or social security numbers. To configure data filtering based on a predefined pattern, Add a pattern and select the following:
  • Name—Select a predefined pattern to use to filter for sensitive data. When you pick a predefined pattern, the Description populates automatically.
  • Select the File Type in which you want to detect the predefined pattern.
Regular Expression
Add a custom data pattern. Give the pattern a descriptive Name, set the File Type you want to scan for the data pattern, and enter the regular expression that defines the Data Pattern.
For regular expression data pattern syntax details and examples, see:
File Properties
Build a data pattern to scan for file properties and the associated values. For example, Add a data pattern to filter for Microsoft Word documents and PDFs where the document title includes the words “sensitive”, “internal”, or “confidential”.
  • Give the data pattern a descriptive Name.
  • Select the File Type that you want to scan.
  • Select the File Property that you want to scan for a specific value.
  • Enter the Property Value for which you want to scan.
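The Regular Expression and File Properties pattern types described above (in both the Cloud Managed and the PAN-OS & Panorama sections) reduce to the same two checks: does the file type qualify, and does the regular expression or the property value match. The following Python model is an added example, not Palo Alto Networks documentation or product code. It assumes scanned files are represented as dictionaries with a file type, a Title property and a text body, uses Python re syntax in place of the firewall's pattern rules syntax, and treats a property value as matching when it appears anywhere in the property, case-insensitively. The EMP-##### badge identifier is a constructed format.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" standing in for scanned documents. Each carries the
# file type, a Title property, and the text body the regular expression is run over.
SAMPLE_FILES = [
    {"file_type": "docx", "title": "Q3 roadmap - INTERNAL", "text": "Budget figures attached."},
    {"file_type": "pdf", "title": "Holiday schedule", "text": "Badge ID: EMP-48213 (hypothetical format)"},
    {"file_type": "txt", "title": "Confidential memo", "text": "Badge ID: EMP-00077"},
]


@dataclass
class RegexDataPattern:
    """Pattern Type = Regular Expression: a Name, the File Types to scan, and a Data Pattern."""
    name: str
    file_types: frozenset
    regex: str  # Python re syntax here; the firewall uses its own pattern rules syntax

    def matches(self, doc) -> bool:
        if doc["file_type"] not in self.file_types:
            return False
        return re.search(self.regex, doc["text"]) is not None


@dataclass
class FilePropertyDataPattern:
    """Pattern Type = File Properties: a File Property and the Property Values to look for."""
    name: str
    file_types: frozenset
    file_property: str
    property_values: tuple

    def matches(self, doc) -> bool:
        if doc["file_type"] not in self.file_types:
            return False
        actual = doc.get(self.file_property, "").lower()
        # Assumption: a value matches when it appears anywhere in the property, case-insensitively.
        return any(v.lower() in actual for v in self.property_values)


def scan(docs, patterns):
    """Return {pattern name: [indices of docs that match]} so a profile could act on them."""
    hits = {p.name: [] for p in patterns}
    for i, doc in enumerate(docs):
        for p in patterns:
            if p.matches(doc):
                hits[p.name].append(i)
    return hits


# Two patterns modelled on the page's examples. EMP-##### is a constructed identifier format.
BADGE_ID = RegexDataPattern("badge-id", frozenset({"docx", "pdf", "txt"}), r"\bEMP-\d{5}\b")
SENSITIVE_TITLE = FilePropertyDataPattern(
    "sensitive-title", frozenset({"docx", "pdf"}), "title", ("sensitive", "internal", "confidential")
)


def demo():
    """Run both patterns over the sample files."""
    return scan(SAMPLE_FILES, [BADGE_ID, SENSITIVE_TITLE])


if __name__ == "__main__":
    print(demo())
```

The third sample file has "Confidential" in its title but is a .txt, which the File Properties pattern was not configured to scan, so it is not reported; the File Type selection is part of the match, not just a performance hint.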

Custom Objects: Spyware/Vulnerability

Use the Custom Spyware Signature page (Objects > Custom Objects > Spyware > Add) to define signatures for Anti-Spyware profiles.
Use the Custom Vulnerability Signature page (Objects > Custom Objects > Vulnerability > Add) to define signatures for Vulnerability Protection profiles.
Configure the settings in this table:
Custom Vulnerability and Spyware Signature Settings
Description
Configuration Tab
Threat ID
Enter a numeric identifier for the configuration (spyware signatures range is 15000-18000 and 6900001-7000000; vulnerability signatures range is 41000-45000 and 6800001-6900000).
Name
Specify the threat name.
Shared
Select this option if you want the custom signature to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the custom signature will be available only to the Virtual System selected in the Objects tab.
  • Every device group on Panorama. If you clear this selection, the custom signature will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this signature in device groups that inherit the signature. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the signature.
Comment
Enter an optional comment.
Severity
Assign a level that indicates the seriousness of the threat.
Default Action
Assign the default action to take if the threat conditions are met. For a list of actions, see Actions in Security Profiles.
Direction
Indicate whether the threat is assessed from the client to server, server to client, or both.
Affected System
Indicate whether the threat involves the client, server, either, or both. Applies to vulnerability signatures, but not spyware signatures.
CVE
Specify the common vulnerability enumeration (CVE) as an external reference for additional background and analysis.
Vendor
Specify the vendor identifier for the vulnerability as an external reference for additional background and analysis.
Bugtraq
Specify the bugtraq (similar to CVE) as an external reference for additional background and analysis.
Reference
Add any links to additional analysis or background information. The information is shown when a user clicks on the threat from the ACC, logs, or vulnerability profile.
Signatures Tab
Standard Signature
Select Standard and then Add a new signature. Specify the following information:
  • Standard—Enter a name to identify the signature.
  • Comment—Enter an optional description.
  • Ordered Condition Match—Select if the order in which signature conditions are defined is important.
  • Scope—Select whether to apply this signature only to the current transaction or to the full user session.
Add a condition by clicking Add Or Condition or Add And Condition. To add a condition within a group, select the group and then click Add Condition. Add a condition to a signature so that the signature is generated for traffic when the parameters you define for the condition are true. Select an Operator from the drop-down. The operator defines the type of condition that must be true for the custom signature to match to traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match operators.
  • When choosing a Pattern Match operator, specify for the following to be true for the signature to match to traffic:
    • Context—Select from the available contexts.
    • Pattern—Specify a regular expression. See Pattern Rules Syntax for pattern rules for regular expressions.
    • Qualifier and Value—Optionally, add qualifier/value pairs.
    • Negate—Select Negate so that the custom signature matches to traffic only when the defined Pattern Match condition isn't true. This allows you to ensure that the custom signature isn't triggered under certain conditions.
      A custom signature can't be created with only Negate conditions; at least one positive condition must be included for a negate condition to be specified. Also, if the scope of the signature is set to session, a Negate condition can't be configured as the last condition to match to traffic.
      You can define exceptions for custom vulnerability or spyware signatures using the new option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can now also create an exception where the signature isn't generated for URLs that redirect to a trusted domain.
  • When choosing an Equal To, Less Than, or Greater Than operator, specify for the following to be true for the signature to match to traffic:
    • Context—Select from unknown requests and responses for TCP or UDP.
    • Position—Select between the first four or second four bytes in the payload.
    • Mask—Specify a 4-byte hex value, for example, 0xffffff00.
    • Value—Specify a 4-byte hex value, for example, 0xaabbccdd.
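The Standard Signature conditions described above (in both the Cloud Managed and the PAN-OS & Panorama sections) combine two kinds of test, a Pattern Match that may be negated and a masked 4-byte comparison, inside OR groups of AND conditions, with two rules on Negate: at least one positive condition, and no trailing Negate under session scope. The Python model below is an added example, not Palo Alto Networks code, and does not reproduce the threat engine. It assumes the masked comparison reads the selected four bytes as a big-endian word, ANDs them with the Mask and compares the result with the Value; it uses Python re syntax rather than the pattern rules syntax; and it models the page's redirect-with-trusted-domain exception with constructed HTTP responses and the placeholder domain trusted.example.

```python
import re
from dataclasses import dataclass


@dataclass
class PatternMatch:
    """Pattern Match operator: regular expression over the selected context, optionally negated."""
    pattern: str  # Python re syntax stands in for the firewall's pattern rules syntax
    negate: bool = False

    def evaluate(self, payload: bytes) -> bool:
        hit = re.search(self.pattern.encode(), payload) is not None
        return not hit if self.negate else hit


@dataclass
class ByteCompare:
    """Equal To / Less Than / Greater Than operator on a masked 4-byte field of the payload."""
    operator: str  # "equal_to", "less_than" or "greater_than"
    position: str  # "first_4" or "second_4": which four bytes of the payload are examined
    mask: int      # 4-byte hex value, e.g. 0xffffff00
    value: int     # 4-byte hex value, e.g. 0xaabbccdd
    negate: bool = False  # the page offers Negate only for Pattern Match; kept False here

    def evaluate(self, payload: bytes) -> bool:
        offset = 0 if self.position == "first_4" else 4
        field = payload[offset:offset + 4]
        if len(field) < 4:
            return False  # payload too short to contain the selected field
        # Assumption: big-endian word, ANDed with the mask, then compared with the value.
        word = int.from_bytes(field, "big") & self.mask
        return {"equal_to": word == self.value,
                "less_than": word < self.value,
                "greater_than": word > self.value}[self.operator]


def validate(groups, scope):
    """Enforce the two Negate rules stated on the page; raise ValueError if violated."""
    conditions = [c for group in groups for c in group]
    if not conditions or all(c.negate for c in conditions):
        raise ValueError("at least one positive condition is required")
    if scope == "session" and conditions[-1].negate:
        raise ValueError("with session scope the last condition cannot be Negate")


def is_valid(groups, scope="transaction") -> bool:
    """True when the signature could be saved under the given Scope."""
    try:
        validate(groups, scope)
        return True
    except ValueError:
        return False


def signature_matches(groups, payload: bytes, scope="transaction") -> bool:
    """groups = OR-list of AND-groups, the Add Or Condition / Add And Condition structure."""
    validate(groups, scope)
    return any(all(c.evaluate(payload) for c in group) for group in groups)


# The page's example: fire on HTTP redirects, except those that go to a trusted domain.
# "trusted.example" is a constructed placeholder for an organisation's own domain.
REDIRECT_EXCEPT_TRUSTED = [[
    PatternMatch(r"^HTTP/1\.[01] 30[1237] "),
    PatternMatch(r"\r\nLocation: https?://([a-z0-9-]+\.)*trusted\.example(/|\r\n)", negate=True),
]]

# Constructed sample responses.
UNTRUSTED_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://unknown-host.example/x\r\n\r\n"
TRUSTED_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://sso.trusted.example/login\r\n\r\n"
PLAIN_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    for name, p in [("untrusted", UNTRUSTED_REDIRECT), ("trusted", TRUSTED_REDIRECT), ("ok", PLAIN_OK)]:
        print(name, signature_matches(REDIRECT_EXCEPT_TRUSTED, p))
```

Note that REDIRECT_EXCEPT_TRUSTED ends with its Negate condition, so it is accepted under transaction scope but rejected under session scope, which is exactly the second rule the page states; a session-scoped version would need the positive condition placed last.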
Combination Signature
Select Combination and specify the following information:
Select Combination Signatures to specify conditions that define signatures:
  • Add a condition by clicking Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
  • To move a condition within a group, select the condition and click Move Up or Move Down. To move a group, select the group and click Move Up or Move Down. You can't move conditions from one group to another.
Select Time Attribute to specify the following information:
  • Number of Hits—Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
  • Aggregation Criteria—Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.
  • To move a condition within a group, select the condition and click Move Up or Move Down. To move a group, select the group and click Move Up or Move Down. You can't move conditions from one group to another.
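The Time Attribute (described in the overview and in both Combination Signature sections above) turns a signature into a rate check: the action fires only once the Number of Hits is reached within the interval, and the Aggregation Criteria decides which hits are counted together. The following Python model is an added example, not Palo Alto Networks code. It assumes a sliding window in which hits older than the interval fall out before counting, that the check reports a hit every time the window holds at least the threshold, and it replays constructed hits with RFC 5737 documentation addresses so the effect of each aggregation choice can be compared.

```python
from collections import defaultdict, deque


class TimeAttribute:
    """Threshold of `hits` within `seconds`, tracked separately per aggregation key."""

    def __init__(self, hits: int, seconds: int, aggregation: str):
        if not 1 <= hits <= 1000:
            raise ValueError("Number of Hits must be 1-1000")
        if not 1 <= seconds <= 3600:
            raise ValueError("interval must be 1-3600 seconds")
        if aggregation not in ("source", "destination", "source-and-destination"):
            raise ValueError("unknown Aggregation Criteria")
        self.hits, self.seconds, self.aggregation = hits, seconds, aggregation
        self._windows = defaultdict(deque)  # key -> timestamps of recent hits

    def _key(self, src: str, dst: str):
        return {"source": src,
                "destination": dst,
                "source-and-destination": (src, dst)}[self.aggregation]

    def record(self, ts: float, src: str, dst: str) -> bool:
        """Register one signature hit; True when the threshold is reached within the window."""
        q = self._windows[self._key(src, dst)]
        q.append(ts)
        # Assumption: sliding window; hits older than `seconds` are dropped before counting.
        while q and q[0] <= ts - self.seconds:
            q.popleft()
        return len(q) >= self.hits


def triggered_at(events, hits, seconds, aggregation):
    """Replay (timestamp, src, dst) hits in order; return timestamps at which the action would fire."""
    ta = TimeAttribute(hits, seconds, aggregation)
    return [ts for ts, src, dst in events if ta.record(ts, src, dst)]


# Constructed hits (timestamp in seconds, source IP, destination IP).
EVENTS = [
    (0, "192.0.2.10", "198.51.100.5"),
    (1, "192.0.2.10", "198.51.100.6"),
    (2, "192.0.2.11", "198.51.100.5"),
    (3, "192.0.2.10", "198.51.100.5"),
    (4, "192.0.2.11", "198.51.100.5"),
]


if __name__ == "__main__":
    for agg in ("source", "destination", "source-and-destination"):
        print(agg, triggered_at(EVENTS, 3, 10, agg))
    print("source, 2-second window", triggered_at(EVENTS, 3, 2, "source"))
```

With 3 hits in 10 seconds, aggregating by source fires at t=3 (three hits from 192.0.2.10), aggregating by destination fires at t=3 and again at t=4 (198.51.100.5 is hit four times), and aggregating by the source/destination pair never fires because no pair reaches three hits; shortening the window to 2 seconds lets the early hits expire, so the source-based check never fires either.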

Custom Objects: URL Category

Go to Objects > Custom Objects > URL Category, and select Add to create your custom list of URLs and use it in a URL filtering profile or as match criteria in security rules. In a custom URL category, you can add URL entries individually or you can import a text file that contains a list of URLs.
URL entries added to custom categories are case insensitive.
Configure the settings in this table:
Custom URL Category Settings
Description
Name
Enter a name to identify the custom URL category (up to 31 characters). This name displays in the category list when defining URL filtering security rules and in the match criteria for URL categories in security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter a description for the URL category (up to 255 characters).
Type
Select the category type:
  • Category Match—Select Category Match to define a new custom category containing URLs matching all of the specified URL categories (a URL has to match all categories in the list). Specify between 2-4 categories.
  • URL List—Select URL List to add or import a list of URLs for the category. This category type also contains URLs added before PAN-OS 9.0.
Shared
Select this option if you want the URL category to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you disable (clear) this option, the URL category is available only to the Virtual System selected in the Objects tab.
  • Every device group on Panorama. If you disable (clear) this option, the URL category is available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this custom URL object in device groups that inherit the object. This selection is disabled by default, which means administrators can override the settings for any device group that inherits the object.
Sites
Manage sites for the custom URL category (each URL added or imported can have a maximum of 255 characters).
  • Add—Add URLs, only one per row. Each URL can be in the format “www.example.com” or can include wildcards, such as “*.example.com”.
  • Import—Import and browse to select the text file that contains the list of URLs. Enter only one URL per row. Each URL can be in the format “www.example.com” or can include wildcards, such as “*.example.com”.
  • Export—Export custom URL entries included in the list (exported as a text file).
  • Delete—Delete an entry to remove the URL from the list.
To delete a custom category that you used in a URL Filtering profile, you must set the action to None before you can delete the custom category.
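The URL List import format described above (in both the Cloud Managed and the PAN-OS & Panorama URL Category sections) is simple but has rules worth checking before an import: one URL per row, at most 255 characters per entry, case-insensitive matching, and wildcard entries such as *.example.com. The Python below is an added example, not Palo Alto Networks code, for validating such a file and checking which hosts a category would cover. It assumes a leading "*." matches one or more subdomain labels and not the bare domain, that a non-wildcard entry must equal the host exactly, and it ignores URL paths; the import text and hostnames are constructed.

```python
MAX_URL_LENGTH = 255  # per-entry limit stated on the page


def parse_url_list(text: str):
    """Parse the text-file format the Import button expects: one URL per row.

    Returns (entries, errors); entries are lower-cased because matching is case-insensitive,
    errors are (line number, reason) pairs for rows that would not be valid entries."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank rows carry nothing
        if len(line) > MAX_URL_LENGTH:
            errors.append((lineno, "entry exceeds 255 characters"))
        elif any(ch.isspace() for ch in line):
            errors.append((lineno, "more than one URL on a row"))
        else:
            entries.append(line.lower())
    return entries, errors


def host_matches(entry: str, host: str) -> bool:
    """Match a hostname against one category entry (assumed semantics, see lead-in)."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("*."):
        suffix = entry[1:]  # "*.example.com" -> ".example.com"
        # Assumption: the wildcard needs at least one label before the suffix.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def in_category(host: str, entries) -> bool:
    """True when any entry of the custom URL category covers the host."""
    return any(host_matches(e, host) for e in entries)


# Constructed import file: mixed case, a wildcard, a blank row, and two invalid rows.
IMPORT_TEXT = "\n".join([
    "WWW.Example.COM",
    "*.internal.example",
    "",
    "a.example b.example",
    "x" * 300 + ".example",
])


def demo():
    """Validate the import file and test a few hosts against the resulting category."""
    entries, errors = parse_url_list(IMPORT_TEXT)
    checks = {h: in_category(h, entries)
              for h in ("www.EXAMPLE.com", "mail.internal.example", "internal.example", "example.com")}
    return entries, errors, checks


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two rejected rows are reported with their line numbers so they can be fixed before the file is imported; the host checks show that case does not matter, that the wildcard entry covers subdomains of internal.example but not internal.example itself under the stated assumption, and that example.com is not covered by an entry for www.example.com.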
