Use Data Filtering profiles to prevent sensitive,
confidential, and proprietary information—such as credit card or social security numbers
or internal corporate documents—from leaving your network. Predefined patterns, built-in
settings, and customizable options make it easy for you to protect files that contain
certain file properties (such as a document title or author), credit card numbers,
regulated information from different countries (like social security numbers), and
third-party data loss prevention (DLP) labels.
Predefined Data Filtering Patterns
Predefined data filtering patterns serve as predefined sets of rules
and signatures designed to identify and categorize various types of data based
on patterns, content, or metadata. These patterns encompass a wide range of
data, including personally identifiable information (PII), financial data,
healthcare records, intellectual property, and more. By applying these patterns,
your configuration can enforce specific security rules based on the
identified data categories.
You can leverage data filtering patterns to meet your unique compliance
requirements and organizational needs.
To comply with standards such as HIPAA, GDPR, and the Gramm-Leach-Bliley Act,
predefined data patterns are available. You can use these patterns to prevent
common types of sensitive information, like credit cards and social security
numbers, from leaving your network.
The following is a list of available data patterns:

| Pattern | Description |
|---|---|
| Credit Card Numbers | 16-digit credit card numbers |
| Social Security Numbers | 9-digit social security numbers with dashes |
| Social Security Numbers (without dash separator) | 9-digit social security numbers without dashes |
| ABA Routing Number | The American Banking Association Routing Number |
| AHV Identification Number | Swiss Alters- und Hinterlassenenversicherungsnummer |
| Codice Fiscale Identification Number | Italian Fiscal Tax Code Card Identification Number |
| CorporateNumber Identification Number | Japanese National Tax Agency Corporate Number |
| CUSIP Identification Number | Committee on Uniform Security Identification Procedures Identification Number |
| DEA Registration Number | U.S. Drug Enforcement Administration Registration Number |
| DNI Identification Number | Spanish Documento nacional de identidad Identification Number |
| HK Identification Number | Hong Kong Residents Identification Number |
| INSEE Identification Number | French National Institute of Statistics and Economic Studies Identification Number |
| IRD Identification Number | New Zealand Internal Revenue Department Identification Number |
| MyKad Identification Number | Malaysia MyKad Identity Card Identification Number |
| MyNumber Identification Number | Japanese Social Security and Tax Number System Identification Number |
| NHI Identification Number | New Zealand National Health Index Number |
| NIF Identification Number | Spanish Tax Identification Number |
| NIN Identification Number | Taiwan Identification Card Number |
| NRIC Identification Number | Singapore National Registration Identity Card Identification Number |
| Permanent Account Identification Number | India Permanent Account Number of Indian nationals |
| PRC Identification Number | People's Republic of China Resident Identification Number |
| PRN Identification Number | Republic of South Korea Resident Registration Number |
Predefined Data Filtering Patterns (PAN-OS & Panorama)
Use data filtering to prevent common types of sensitive information, like credit
cards and social security numbers, from leaving your network.
You can find predefined data patterns by selecting Objects > Custom Objects > Data
Patterns and clicking Add to add a new object. Then, set the Pattern
Type to Predefined Pattern and Add a new rule to the data
pattern object. Select a data pattern from the list that appears under
Name.
If the type of information you want to protect isn't covered in the list of
predefined patterns, you can use regular expressions to create custom
patterns.
The available predefined data patterns are the same as those listed in the table above.
Create a Data Filtering Profile
Use Data Filtering profiles to prevent
sensitive, confidential, and proprietary information from leaving your network.
Predefined patterns, built-in settings, and customizable options make it easy
for you to protect files that contain certain file properties (such as a
document title or author), credit card numbers, regulated information from
different countries (like social security numbers), and third-party data loss
prevention (DLP) labels.
Predefined Data Patterns—Easily filter common patterns, including
credit card numbers. Predefined data filtering patterns also identify
specific (regulated) information from different countries of the world,
such as social security numbers (United States), INSEE Identification
numbers (France), and New Zealand Internal Revenue Department
Identification Numbers. Many of the predefined data filtering patterns
enable compliance for standards such as HIPAA, GDPR, and the Gramm-Leach-Bliley
Act.
Built-In Support for Azure Information Protection and Titus Data
Classification—Predefined file properties allow you to filter
content based on Azure Information Protection
and Titus labels. Azure Information Protection labels are stored in
metadata, so make sure that you know the GUID of the Azure
Information Protection label that you want to filter.
Custom Data Patterns for Data Loss Prevention (DLP) Solutions—If
you’re using a third-party, endpoint DLP solution that populates file
properties to indicate sensitive content, you can create a custom data
pattern to identify the file properties and values tagged by your DLP
solution and then log or block the files that your Data Filtering
profile detects based on that pattern.
To get started, you’ll first create a data pattern that specifies the information
types and fields that you want your environment to filter. Then, you attach that
pattern to a data filtering profile, which specifies how you want to enforce the
content that gets filtered. Add the data filtering profile to a security rule to
start filtering traffic matching the rule.
Create a Data Filtering Profile (Strata Cloud Manager)
Create a Data Filtering profile that ensures confidential information stays in your
network.
After you create a data pattern on Cloud Management,
create a data profile to add multiple data patterns and specify match criteria and
confidence levels. All predefined and custom data profiles are available across all
device groups.
Select Manage > Configuration > NGFW and Prisma Access > Security Services > Data Loss Prevention > Data Profiles, then Add Data Profile > Classic Data Profile.
You can also create a new data profile by copying an existing data profile.
This allows you to quickly modify an existing data profile with additional
match criteria while preserving the original data profile from which the new
data profile was copied.
Data profiles created by copying an existing data profile are appended with
Copy - <name_of_original_data_profile>.
This name can be edited as needed.
Adding an EDM
data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a
data profile that doesn’t already have an EDM data set isn’t
supported.
Configure the Primary Rule for the data profile.
Data pattern match criteria for traffic that you want to allow must be
added to the Primary Rule. Data pattern match criteria for traffic that
you want to block can be added to either Primary Rule or Secondary
Rule.
Verify the data profile you created.
Select Manage > Configuration > NGFW and Prisma Access > Security Services > Data Loss Prevention and search for the data profile you created.
A Data Filtering profile is only active when it’s included in a profile
group that a Security policy rule references. Follow the steps to activate a Data Filtering profile (and any
Security profile).
Create a Data Filtering Profile (PAN-OS & Panorama)
Create a Data Filtering profile that ensures confidential information stays in your
network.
Define a new data pattern object to detect the information you want to
filter.
Select Objects > Custom Objects > Data Patterns and Add a new object.
Provide a descriptive Name for the new
object.
(Optional) Select Shared if you want
the data pattern to be available to:
Every virtual system (vsys) on a multi-vsys
firewall—If cleared (disabled), the data pattern is
available only to the Virtual System selected in the
Objects tab.
Every device group on Panorama—If cleared (disabled),
the data pattern is available only to the Device Group
selected in the Objects tab.
(Optional—Panorama only) Select Disable
override to prevent administrators from overriding the
settings of this data pattern object in device groups that inherit the
object. This selection is cleared by default, which means administrators
can override the settings for any device group that inherits the
object.
(Optional—Panorama only) Select Data
Capture to automatically collect the data that is
blocked by the filter.
Specify a password for Manage Data Protection on the Settings
page to view your captured data (Device > Setup > Content-ID > Manage Data Protection).
Set the Pattern Type to one of the
following:
Predefined Pattern—Filter for credit
card numbers, social security numbers, and personally identifiable
information covered by several compliance standards, including
HIPAA, GDPR, and the Gramm-Leach-Bliley Act.
Regular Expression—Filter for custom
data patterns.
File Properties—Filter based on file
properties and the associated values.
Add a new rule to the data pattern object.
Specify the data pattern according to the Pattern
Type you selected for this object:
Predefined—Select the Name and
choose the predefined data pattern on which to filter.
Regular Expression—Specify a descriptive
Name, select the File
Type (or types) you want to scan, and then
enter the specific Data Pattern you
want the firewall to detect.
File Properties—Specify a descriptive
Name, select the File
Type and File
Property you want to scan, and enter the
specific Property Value that you want
the firewall to detect.
To filter Titus classified documents: Select
one of the non-AIP protected file types, and set the
File Property to TITUS
GUID. Enter the Titus label GUID as the
Property Value.
For Azure Information Protection labeled
documents: Select any File
Type except Rich Text Format. For the
file type you choose, set the File
Property to Microsoft MIP Label, and
enter the Azure Information
Protection label GUID as the
Property Value.
Click OK to save the data pattern.
Add the data pattern object to a data filtering profile.
Select Objects > Security Profiles > Data Filtering and Add or modify a data filtering
profile.
Provide a descriptive Name for the new
profile.
Add a new profile rule and select the Data
Pattern you created in Step .
Specify Applications, File
Types, and what Direction of
traffic (upload or download) you want to filter based on the data
pattern.
The file type you select must be the same file type you defined
for the data pattern earlier, or it must be a file type that
includes the data pattern file type. For example, you could
define both the data pattern object and the data filtering
profile to scan all Microsoft Office documents. Or, you could
define the data pattern object to match to only Microsoft
PowerPoint Presentations while the data filtering profile scans
all Microsoft Office documents.
If a data pattern object is attached to a data filtering profile and
the configured file types don't align between the two, the profile
won't correctly filter documents matched to the data pattern
object.
Set the Alert Threshold to specify the number of
times the data pattern must be detected in a file to trigger an
alert.
Set the Block Threshold to block files that
contain at least this many instances of the data pattern.
Set the Log Severity recorded for files that
match this rule.
Click OK to save the data filtering
profile.
Apply the data filtering settings to traffic.
Select Policies > Security and Add or modify a security
rule.
Select Actions and set the Profile Type to
Profiles.
Attach the Data Filtering profile you created in Step 2 to the security
rule.
Click OK.
(Recommended) Prevent web browsers from resuming sessions that the
firewall has terminated.
This option ensures that when the firewall detects and then drops a
sensitive file, a web browser can't resume the session in an attempt to
retrieve the file.
Select Device > Setup > Content-ID and edit Content-ID Settings.
Clear the Allow HTTP partial response.
Click OK.
Monitor files that the firewall is filtering.
Select Monitor > Data Filtering to view the files that the firewall has detected and blocked
based on your data filtering settings.
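As an added example that is not Palo Alto Networks code, the Python sketch below models how a data filtering profile rule decides the action for a scanned file: the file type on the profile must equal or include the file type on the data pattern object, the matches are counted, and the count is compared with the Alert Threshold and Block Threshold. The regular expressions, the file-type hierarchy, the treatment of a threshold of 0 as "not set", and the sample file content are constructed stand-ins, not the firewall's own signatures or behaviour.

```python
import re
from dataclasses import dataclass

# Stand-in regular expressions for three predefined patterns. The page gives only
# their descriptions ("16-digit", "9-digit with/without dashes"), so these are
# constructed approximations, not the firewall's own signatures.
DATA_PATTERNS = {
    "Credit Card Numbers": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "Social Security Numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Social Security Numbers (without dash separator)": re.compile(r"\b\d{9}\b"),
}

# Hypothetical file-type hierarchy: the profile file type must equal the pattern's
# file type or include it, e.g. all Microsoft Office documents include PowerPoint.
FILE_TYPE_GROUPS = {
    "Microsoft Office": {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"},
}

@dataclass
class ProfileRule:
    pattern_name: str
    pattern_file_type: str   # File Type set on the data pattern object
    profile_file_type: str   # File Type set on the data filtering profile rule
    alert_threshold: int     # matches per file needed to raise an alert (0 = not set, assumed)
    block_threshold: int     # matches per file needed to block the file (0 = not set, assumed)

def file_types_align(rule: ProfileRule) -> bool:
    """True when the profile file type equals or includes the pattern file type."""
    if rule.profile_file_type == rule.pattern_file_type:
        return True
    return rule.pattern_file_type in FILE_TYPE_GROUPS.get(rule.profile_file_type, set())

def evaluate(rule: ProfileRule, content: str) -> tuple:
    """Return (action, match_count) with action 'block', 'alert' or 'allow'."""
    # Misaligned file types yield no matches, mirroring the page's warning that the
    # profile then won't correctly filter documents matched to the pattern object.
    if not file_types_align(rule):
        return "allow", 0
    count = len(DATA_PATTERNS[rule.pattern_name].findall(content))
    if rule.block_threshold and count >= rule.block_threshold:
        return "block", count
    if rule.alert_threshold and count >= rule.alert_threshold:
        return "alert", count
    return "allow", count

# Constructed sample file content with fictitious values for a stand-alone run.
SAMPLE_CONTENT = (
    "HR export\nAlice 123-45-6789\nBob 987-65-4321\nCarol 555-12-3456\n"
    "Corporate card 4111 1111 1111 1111\n"
)
```

Running `evaluate(ProfileRule("Social Security Numbers", "Microsoft Word", "Microsoft Office", 1, 3), SAMPLE_CONTENT)` returns `('block', 3)`, while the same rule with the profile narrowed to Microsoft PowerPoint returns `('allow', 0)` because the types no longer align.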