Create Custom Objects (Strata Cloud Manager)

Create custom data patterns, vulnerability and spyware signatures, and URL categories to use with security rules.

Custom Objects: Data Patterns

Select Manage > Configuration > NGFW and Prisma Access > Security Services > Data Loss Prevention > Detection Methods > Data Patterns to define the categories of sensitive information that you may want to filter.
Also, be sure to learn about defining data filtering profiles.
Select Add Data Patterns > Custom and configure the settings in this table to add your custom data pattern:
Data Pattern Settings
Description
Name
Enter the data pattern name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter a description for the data pattern (up to 255 characters).
Pattern Type
Select the type of data pattern you want to create:
  • Predefined—Use the predefined data patterns to scan files for social security and credit card numbers.
  • Regular Expression—Create custom data patterns using regular expressions.
  • File Properties—Scan files for specific file properties and values.
Predefined Pattern
Palo Alto Networks provides predefined data patterns to scan for certain types of information in files, for example, for credit card numbers or social security numbers. To configure data filtering based on a predefined pattern, Add a pattern and select the following:
  • Name—Select a predefined pattern to use to filter for sensitive data. When you pick a predefined pattern, the Description populates automatically.
  • Select the File Type in which you want to detect the predefined pattern.
Regular Expression
Add a custom data pattern. Give the pattern a descriptive Name, set the File Type you want to scan for the data pattern, and enter the regular expression that defines the Data Pattern.
For regular expression data pattern syntax details and examples, see:
File Properties
Build a data pattern to scan for file properties and the associated values. For example, Add a data pattern to filter for Microsoft Word documents and PDFs where the document title includes the words “sensitive”, “internal”, or “confidential”.
  • Give the data pattern a descriptive Name.
  • Select the File Type that you want to scan.
  • Select the File Property that you want to scan for a specific value.
  • Enter the Property Value for which you want to scan.

Custom Objects: Spyware/Vulnerability

Use the Custom Spyware Signature page to define signatures for Anti-Spyware profiles: Manage > Configuration > NGFW and Prisma Access > Security Services > Anti-Spyware.
Use the Custom Vulnerability Signature page to define signatures for Vulnerability Protection profiles: Manage > Configuration > NGFW and Prisma Access > Security Services > URL Access Management.
Select the Custom Signatures tab, Add Custom Signature, and configure the settings in this table:
Custom Vulnerability and Spyware Signature Settings
Description
Configuration Tab
Threat ID
Enter a numeric identifier for the configuration (the spyware signature ranges are 15000-18000 and 6900001-7000000; the vulnerability signature ranges are 41000-45000 and 6800001-6900000).
Name
Specify the threat name.
Comment
Enter an optional comment.
Severity
Assign a level that indicates the seriousness of the threat.
Default Action
Assign the default action to take if the threat conditions are met. For a list of actions, see Actions in Security Profiles.
Direction
Indicate whether the threat is assessed from the client to server, server to client, or both.
Affected System
Indicate whether the threat involves the client, server, either, or both. Applies to vulnerability signatures, but not spyware signatures.
CVE
Specify the common vulnerability enumeration (CVE) as an external reference for additional background and analysis.
Vendor
Specify the vendor identifier for the vulnerability as an external reference for additional background and analysis.
Bugtraq
Specify the Bugtraq (similar to CVE) as an external reference for additional background and analysis.
Reference
Add any links to additional analysis or background information. The information is shown when a user clicks on the threat from the ACC, logs, or vulnerability profile.
Signatures Tab
Standard Signature
Select Standard and then Add a new signature. Specify the following information:
  • Standard—Enter a name to identify the signature.
  • Comment—Enter an optional description.
  • Ordered Condition Match—Select if the order in which signature conditions are defined is important.
  • Scope—Select whether to apply this signature only to the current transaction or to the full user session.
Add a condition by clicking Add Or Condition or Add And Condition. To add a condition within a group, select the group and then click Add Condition. Add a condition to a signature so that the signature is generated for traffic when the parameters you define for the condition are true. Select an Operator from the drop-down. The operator defines the type of condition that must be true for the custom signature to match to traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match operators.
  • When you choose the Pattern Match operator, specify the following settings, which must be true for the signature to match traffic:
    • Context—Select from the available contexts.
    • Pattern—Specify a regular expression. See Pattern Rules Syntax for pattern rules for regular expressions.
    • Qualifier and Value—Optionally, add qualifier/value pairs.
    • Negate—Select Negate so that the custom signature matches to traffic only when the defined Pattern Match condition isn't true. This allows you to ensure that the custom signature isn't triggered under certain conditions.
      A custom signature can't be created with only Negate conditions; at least one positive condition must be included for a negate condition to be specified. Also, if the scope of the signature is set to session, a Negate condition can't be configured as the last condition to match to traffic.
      You can define exceptions for custom vulnerability or spyware signatures using the new option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can now also create an exception where the signature isn't generated for URLs that redirect to a trusted domain.
  • When you choose an Equal To, Less Than, or Greater Than operator, specify the following settings, which must be true for the signature to match traffic:
    • Context—Select from unknown requests and responses for TCP or UDP.
    • Position—Select between the first four or second four bytes in the payload.
    • Mask—Specify a 4-byte hex value, for example, 0xffffff00.
    • Value—Specify a 4-byte hex value, for example, 0xaabbccdd.
Combination Signature
Select Combination and specify the following information:
Select Combination Signatures to specify conditions that define signatures:
  • Add a condition by clicking Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
  • To move a condition within a group, select the condition and click Move Up or Move Down. To move a group, select the group and click Move Up or Move Down. You can't move conditions from one group to another.
Select Time Attribute to specify the following information:
  • Number of Hits—Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
  • Aggregation Criteria—Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.

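The limits in the table above (Threat ID ranges, the Negate rules, the Time Attribute bounds) can be checked before a signature is entered. The following Python check is an added example, not Palo Alto Networks code; the dictionary layout, key names and placeholder patterns are assumptions made for illustration.

```python
# Added example, not Palo Alto Networks code. The dict layout and key names are
# hypothetical; every limit checked here is taken from the settings table above.
ID_RANGES = {
    "spyware": [(15000, 18000), (6900001, 7000000)],
    "vulnerability": [(41000, 45000), (6800001, 6900000)],
}
AGGREGATION = {"source", "destination", "source-and-destination"}


def lint_signature(sig):
    """Return a list of problems in one signature definition (empty list = clean)."""
    problems = []
    kind, tid = sig["type"], sig["threat_id"]
    if not any(lo <= tid <= hi for lo, hi in ID_RANGES[kind]):
        problems.append(f"threat ID {tid} is outside the {kind} ranges")
    if kind == "spyware" and "affected_system" in sig:
        problems.append("Affected System applies to vulnerability signatures only")
    conds = sig.get("conditions", [])
    if conds and all(c.get("negate") for c in conds):
        problems.append("only Negate conditions: add at least one positive condition")
    if sig.get("scope") == "session" and conds and conds[-1].get("negate"):
        problems.append("session scope: a Negate condition can't be the last condition")
    timing = sig.get("time_attribute")
    if timing:
        if not 1 <= timing["hits"] <= 1000:
            problems.append("Number of Hits must be 1-1000")
        if not 1 <= timing["seconds"] <= 3600:
            problems.append("time window must be 1-3600 seconds")
        if timing["aggregation"] not in AGGREGATION:
            problems.append("unknown Aggregation Criteria")
    return problems


# Constructed samples: a redirect signature with a trusted-domain exception.
GOOD = {
    "type": "vulnerability", "threat_id": 41001, "scope": "transaction",
    "conditions": [
        {"pattern": "<redirect pattern>", "negate": False},
        {"pattern": "<trusted domain pattern>", "negate": True},
    ],
}
# Same definition with four mistakes: wrong ID range for the type, Affected System
# on a spyware signature, Negate last under session scope, hits above 1000.
BAD = dict(GOOD, type="spyware", scope="session", affected_system="client",
           time_attribute={"hits": 5000, "seconds": 60, "aggregation": "source"})

if __name__ == "__main__":
    for name, sig in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_signature(sig) or "clean")
```
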
Custom Objects: URL Category

Go to Manage > Configuration > NGFW and Prisma Access > Security Services > URL Access Management, and Add Category to create your custom list of URLs and use it in a URL filtering profile or as match criteria in security rules. In a custom URL category, you can add URL entries individually or you can import a text file that contains a list of URLs.
URL entries added to custom categories are case insensitive.
Configure the settings in this table:
Custom URL Category Settings
Description
Name
Enter a name to identify the custom URL category (up to 31 characters). This name displays in the category list when defining URL filtering security rules and in the match criteria for URL categories in security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter a description for the URL category (up to 255 characters).
Type
Select the category type:
  • Category Match—Select Category Match to define a new custom category containing URLs matching all of the specified URL categories (a URL has to match all categories in the list). Specify between 2-4 categories.
  • URL List—Select URL List to add or import a list of URLs for the category. This category type also contains URLs added before PAN-OS 9.0.
Sites
Manage sites for the custom URL category (each URL added or imported can have a maximum of 255 characters).
  • Add: Add URLs, only one per row. Each URL can be in the format “www.example.com” or can include wildcards, such as “*.example.com”.
  • Import: Import and browse to select the text file that contains the list of URLs. Enter only one URL per row. Each URL can be in the format “www.example.com” or can include wildcards, such as “*.example.com”.
  • Export: Export custom URL entries included in the list (exported as a text file).
  • Delete: Delete an entry to remove the URL from the list.
To delete a custom category that you used in a URL Filtering profile, you must set the action to None before you can delete the custom category.
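
A text file can be checked against the limits above before it is imported: one URL per row, at most 255 characters per entry, and no entries that differ only by case. The following Python check is an added example, not Palo Alto Networks code; the function names and sample list are assumptions, and the name check (which the page also states for data pattern names) assumes ASCII letters and digits.

```python
# Added example, not Palo Alto Networks code. Function names are hypothetical;
# the limits (31-char name, 255-char URL, one URL per row) come from the table above.
import re

# Assumption: "letters and numbers" means ASCII letters and digits.
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")


def valid_name(name):
    """Letters, numbers, spaces, hyphens and underscores only, up to 31 characters."""
    return NAME_RE.fullmatch(name) is not None


def lint_url_list(text):
    """Return (clean_entries, problems) for the text of an import file."""
    clean, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if len(entry.split()) > 1:
            problems.append((lineno, "more than one URL on the row"))
            continue
        if len(entry) > 255:
            problems.append((lineno, "entry longer than 255 characters"))
            continue
        key = entry.lower()  # entries are case insensitive, so compare lowercased
        if key in seen:
            problems.append((lineno, f"duplicate of an earlier entry: {entry}"))
            continue
        seen.add(key)
        clean.append(entry)
    return clean, problems


# Constructed sample list: two good rows, a case-only duplicate, a row holding
# two URLs, and an entry that is 262 characters long.
SAMPLE = ("www.example.com\n*.example.com\nWWW.Example.COM\n"
          "www.example.org www.example.net\n" + "a" * 250 + ".example.com\n")

if __name__ == "__main__":
    entries, issues = lint_url_list(SAMPLE)
    print(entries)
    for lineno, message in issues:
        print(f"row {lineno}: {message[:60]}")
```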