Network Security
Policy Object: Custom Objects
Table of Contents
Expand All
|
Collapse All
Network Security Docs
Policy Object: Custom Objects
Create custom data patterns, vulnerability and spyware signatures, and URL categories to
use with security rules.
Create custom data patterns, vulnerability and spyware signatures, and URL
categories to use with security rules.
Policy Object: Data Patterns
Data Patterns define the categories of sensitive information that you may want to
filter.
You can create three types of data patterns to use when scanning for sensitive
information:
- Predefined—Use the predefined data patterns to scan files for social security and credit card numbers.
- Regular Expression—Create custom data patterns using regular expressions.
- File Properties—Scan files for specific file properties and values.
Custom Objects: Spyware/Vulnerability
Your configuration supports the ability to create custom spyware and vulnerability
signatures using the threat engine. You can write custom regular expression patterns
to identify spyware phone home communication or vulnerability exploits. The
resulting spyware and vulnerability patterns become available for use in any custom
vulnerability profiles. Your configuration looks for the custom-defined patterns in
network traffic and takes the specified action for the vulnerability exploit.
Weekly content releases periodically include new decoders and contexts for which
you can develop signatures.
You can optionally include a time attribute when defining custom signatures by
specifying a threshold per interval for triggering possible actions in response to
an attack. Action is taken only after the threshold is reached.
Policy Object: URL Category
Use the custom URL category page to create your custom list of URLs and use it in a
URL Filtering profile or as match criteria in security rules. In a custom URL
category, you can add URL entries individually or you can import a text file that
contains a list of URLs.
URL entries added to custom categories are case insensitive.
Create Custom Objects
Create Custom Objects (Strata Cloud Manager)
Create custom data patterns, vulnerability and spyware signatures, and URL categories
to use with security rules.
Create custom data patterns, vulnerability and spyware signatures, and
URL categories to use with security rules.
Custom Objects: Data Patterns
Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesData Loss PreventionDetection MethodsData Patterns to define the categories of sensitive information that you may
want to filter.
Also, be sure to learn about defining data filtering profiles
Select Add Data PatternsCustom and configure the settings in this table to add your custom data
pattern:
Data Pattern Settings
|
Description
|
---|---|
Name
|
Enter the data pattern name (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters,
numbers, spaces, hyphens, and underscores.
|
Description
|
Enter a description for the data pattern (up to 255
characters).
|
Pattern Type
|
Select the type of data pattern you want to create:
|
Predefined Pattern
|
Palo Alto Networks provides predefined data patterns to scan
for certain types of information in files, for example, for
credit card numbers or social security numbers. To configure
data filtering based on a predefined pattern,
Add a pattern and select the
following:
|
Regular Expression
| Add a custom data
pattern. Give the pattern a descriptive
Name, set the File
Type you want to scan for the data pattern,
and enter the regular expression that defines the
Data Pattern. For regular
expression data pattern syntax details and examples, see: |
File Properties
|
Build a data pattern to scan for file properties and the
associated values. For example, Add a
data pattern to filter for Microsoft Word documents and PDFs
where the document title includes the words “sensitive”,
“internal”, or “confidential”.
|
Custom Objects: Spyware/Vulnerability
Use the Custom Spyware Signature page to define signatures
for Anti-Spyware profiles. ManageConfigurationNGFW and Prisma AccessSecurity ServicesAnti-Spyware
Use the Custom Vulnerability Signature page to define
signatures for Vulnerability Protection
profiles. ManageConfigurationNGFW and Prisma AccessSecurity ServicesURL Access Management
Select the Custom Signatures tab, Add Custom
Signature, and Configure the settings in this table:
Custom Vulnerability and Spyware
Signature Settings
|
Description
|
---|---|
Configuration Tab
| |
Threat ID
|
Enter a numeric identifier for the configuration (spyware
signatures range is 15000-18000 and 6900001 - 7000000;
vulnerability signatures range is 41000-45000 and
6800001-6900000).
|
Name
|
Specify the threat name.
|
Comment
|
Enter an optional comment.
|
Severity
|
Assign a level that indicates the seriousness of the
threat.
|
Default Action
|
Assign the default action to take if the threat conditions
are met. For a list of actions, see Actions in
Security Profiles.
|
Direction
|
Indicate whether the threat is assessed from the client to
server, server to client, or both.
|
Affected System
|
Indicate whether the threat involves the client, server,
either, or both. Applies to vulnerability signatures, but
not spyware signatures.
|
CVE
|
Specify the common vulnerability enumeration (CVE) as an
external reference for additional background and
analysis.
|
Vendor
|
Specify the vendor identifier for the vulnerability as an
external reference for additional background and
analysis.
|
Bugtraq
|
Specify the bugtraq (similar to CVE) as an external reference
for additional background and analysis.
|
Reference
|
Add any links to additional analysis or background
information. The information is shown when a user clicks on
the threat from the ACC, logs, or vulnerability profile.
|
Signatures Tab
| |
Standard Signature
|
Select Standard and then
Add a new signature. Specify the
following information:
Add a condition by clicking Add Or
Condition or Add And
Condition. To add a condition within a
group, select the group and then click Add
Condition. Add a condition to a signature so
that the signature is generated for traffic when the
parameters you define for the condition are true. Select an
Operator from the drop-down. The
operator defines the type of condition that must be true for
the custom signature to match to traffic. Choose from
Less Than, Equal
To, Greater Than, or
Pattern Match operators.
|
| |
Combination Signature
|
Select Combination and specify the
following information:
Select Combination Signatures to
specify conditions that define signatures:
Select Time Attribute to specify the
following information:
|
Custom Objects: URL Category
Go to ManageConfigurationNGFW and Prisma AccessSecurity ServicesURL Access Management, and Add Category to create your custom
list of URLs and use it in a URL filtering profile or
as match criteria in security rules. In a custom URL category, you can add URL
entries individually or you can import a text file that contains a list of
URLs.
URL entries added to custom categories are case insensitive.
Configure the settings in this table:
Custom URL Category Settings
|
Description
|
---|---|
Name
|
Enter a name to identify the custom URL category (up to 31
characters). This name displays in the category list when
defining URL filtering security rules and in the match
criteria for URL categories in security rules. The name is
case-sensitive and must be unique. Use only letters,
numbers, spaces, hyphens, and underscores.
|
Description
|
Enter a description for the URL category (up to 255
characters).
|
Type
|
Select the category type:
|
Sites
|
Manage sites for the custom URL category (each URL added or
imported can have a maximum of 255 characters).
To delete a custom category that you used in a URL
Filtering profile , you must set the action to
None before you can delete
the custom category. |
Create Custom Objects (PAN-OS & Panorama)
Create custom data patterns, vulnerability and spyware signatures, and URL categories
to use with security rules.
Create custom data patterns, vulnerability and spyware signatures, and
URL categories to use with security rules.
Custom Objects: Data Patterns
Select ObjectsCustom ObjectsData Patterns to define the categories of sensitive information that you may
want to filter.
Also, be sure to learn about defining data filtering profiles
Add your custom data pattern and configure the settings in
this table:
Data Pattern Settings
|
Description
|
---|---|
Name
|
Enter the data pattern name (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters,
numbers, spaces, hyphens, and underscores.
|
Description
|
Enter a description for the data pattern (up to 255
characters).
|
Shared
|
Select this option if you want the data pattern to be
available to:
|
Disable override (Panorama only)
|
Select this option to prevent administrators from overriding
the settings of this data pattern object in device groups
that inherit the object. This selection is cleared by
default, which means administrators can override the
settings for any device group that inherits the object.
|
Pattern Type
|
Select the type of data pattern you want to create:
|
Predefined Pattern
|
Palo Alto Networks provides predefined data patterns to scan
for certain types of information in files, for example, for
credit card numbers or social security numbers. To configure
data filtering based on a predefined pattern,
Add a pattern and select the
following:
|
Regular Expression
| Add a custom data
pattern. Give the pattern a descriptive
Name, set the File
Type you want to scan for the data pattern,
and enter the regular expression that defines the
Data Pattern. For regular
expression data pattern syntax details and examples, see: |
File Properties
|
Build a data pattern to scan for file properties and the
associated values. For example, Add a
data pattern to filter for Microsoft Word documents and PDFs
where the document title includes the words “sensitive”,
“internal”, or “confidential”.
|
Custom Objects: Spyware/Vulnerability
Use the Custom Spyware Signature page to define signatures
for Anti-Spyware profiles. ObjectsCustom ObjectsSpywareAdd
Use the Custom Vulnerability Signature page to define
signatures for Vulnerability Protection
profiles. ObjectsCustom ObjectsVulnerabilityAdd
Configure the settings in this table:
Custom Vulnerability and Spyware
Signature Settings
|
Description
|
---|---|
Configuration Tab
| |
Threat ID
|
Enter a numeric identifier for the configuration (spyware
signatures range is 15000-18000 and 6900001 - 7000000;
vulnerability signatures range is 41000-45000 and
6800001-6900000).
|
Name
|
Specify the threat name.
|
Shared
|
Select this option if you want the custom signature to be
available to:
|
Disable override (Panorama only)
|
Select this option to prevent administrators from overriding
the settings of this signature in device groups that inherit
the signature. This selection is cleared by default, which
means administrators can override the settings for any
device group that inherits the signature.
|
Comment
|
Enter an optional comment.
|
Severity
|
Assign a level that indicates the seriousness of the
threat.
|
Default Action
|
Assign the default action to take if the threat conditions
are met. For a list of actions, see Actions in
Security Profiles.
|
Direction
|
Indicate whether the threat is assessed from the client to
server, server to client, or both.
|
Affected System
|
Indicate whether the threat involves the client, server,
either, or both. Applies to vulnerability signatures, but
not spyware signatures.
|
CVE
|
Specify the common vulnerability enumeration (CVE) as an
external reference for additional background and
analysis.
|
Vendor
|
Specify the vendor identifier for the vulnerability as an
external reference for additional background and
analysis.
|
Bugtraq
|
Specify the bugtraq (similar to CVE) as an external reference
for additional background and analysis.
|
Reference
|
Add any links to additional analysis or background
information. The information is shown when a user clicks on
the threat from the ACC, logs, or vulnerability profile.
|
Signatures Tab
| |
Standard Signature
|
Select Standard and then
Add a new signature. Specify the
following information:
Add a condition by clicking Add Or
Condition or Add And
Condition. To add a condition within a
group, select the group and then click Add
Condition. Add a condition to a signature so
that the signature is generated for traffic when the
parameters you define for the condition are true. Select an
Operator from the drop-down. The
operator defines the type of condition that must be true for
the custom signature to match to traffic. Choose from
Less Than, Equal
To, Greater Than, or
Pattern Match operators.
|
| |
Combination Signature
|
Select Combination and specify the
following information:
Select Combination Signatures to
specify conditions that define signatures:
Select Time Attribute to specify the
following information:
|
Custom Objects: URL Category
Go to ObjectsCustom ObjectsURL Category, and select Add to create your custom
list of URLs and use it in a URL filtering profile or
as match criteria in security rules. In a custom URL category, you can add URL
entries individually or you can import a text file that contains a list of
URLs.
URL entries added to custom categories are case insensitive.
Configure the settings in this table:
Custom URL Category Settings
|
Description
|
---|---|
Name
|
Enter a name to identify the custom URL category (up to 31
characters). This name displays in the category list when
defining URL filtering security rules and in the match
criteria for URL categories in security rules. The name is
case-sensitive and must be unique. Use only letters,
numbers, spaces, hyphens, and underscores.
|
Description
|
Enter a description for the URL category (up to 255
characters).
|
Type
|
Select the category type:
|
Shared
|
Select this option if you want the URL category to be
available to:
|
Disable override (Panorama only)
|
Select this option to prevent administrators from overriding
the settings of this custom URL object in device groups that
inherit the object. This selection is disabled by default,
which means administrators can override the settings for any
device group that inherits the object.
|
Sites
|
Manage sites for the custom URL category (each URL added or
imported can have a maximum of 255 characters).
To delete a custom category that you used in a URL
Filtering profile , you must set the action to
None before you can delete
the custom category. |