Set Up Data Filtering

Use the following workflow to configure a Data Filtering profile. This example shows a Data Filtering profile for detecting Social Security Numbers and a custom pattern in .doc and .docx documents.
  1. Create a Data Filtering security profile.
    1. Select Objects > Security Profiles > Data Filtering and click Add.
    2. Enter a Name and a Description for the profile. In this example the name is DF_Profile1 with the description Detect Social Security Numbers.
    3. (Optional) If you want to collect data that is blocked by the filter, select the Data Capture check box.
      You must set a password as described in the following step if you are using the data capture feature.
  2. (Optional) Secure access to the data filtering logs to prevent other administrators from viewing sensitive data.
    When you enable this option, you will be prompted for the password when you view logs in Monitor > Logs > Data Filtering.
    1. Select Device > Setup > Content-ID.
    2. Click Manage Data Protection in the Content-ID Features section.
    3. Set the password that will be required to view the data filtering logs.
  3. Define the data pattern that will be used in the Data Filtering Profile.
    In this example, we will use the keyword confidential and will set the option to search for SSN numbers with dashes (Example - 987-654-4320).
    It is helpful to set the appropriate thresholds and define keywords within documents to reduce false positives.
    1. From the Data Filtering Profile page click Add and select New from the Data Pattern drop-down. You can also configure data patterns from Objects > Custom Signatures > Data Patterns.
    2. For this example, name the Data Pattern signature Detect SS Numbers and add the description Data Pattern to detect Social Security numbers.
    3. In the Weight section for SSN# enter 3. See Weight and Threshold Values for more details.
    4. (Optional) You can also set Custom Patterns that will be subject to this profile. In this case, you specify a pattern in the custom patterns Regex field and set a weight. You can add multiple match expressions to the same data pattern profile. In this example, we will create a Custom Pattern named SSN_Custom with a custom pattern of confidential (the pattern is case sensitive) and use a weight of 20. We use the term confidential in this example because we know that our Word documents containing Social Security Numbers include this term, so we define it specifically.
  4. Specify which applications to filter and set the file types.
    1. Set Applications to Any.
      This will detect any supported application such as web-browsing, FTP, or SMTP. If you want to narrow down the application, you can select it from the list. For applications that use SSL, such as Microsoft Outlook Web App, you will need to enable decryption. Also make sure you understand the naming for each application. For example, Outlook Web App, which is the Microsoft name for this application, is identified as the application outlook-web in the PAN-OS list of applications. You can check the logs for a given application to identify the name defined in PAN-OS.
    2. Set File Types to doc and docx to only scan doc and docx files.
  5. Specify the direction of traffic to filter and the threshold values.
    1. Set the Direction to Both. Files that are uploaded or downloaded will be scanned.
    2. Set the Alert Threshold to 35.
      In this case, an alert will be triggered if 5 instances of Social Security Numbers exist and 1 instance of the term confidential exists. The formula is 5 SSN instances with a weight of 3 = 15 plus 1 instance of the term confidential with a weight of 20 = 35.
    3. Set the Block Threshold to 50. The file will be blocked when the weighted total of SSN instances and/or instances of the term confidential in the file reaches the threshold of 50. In this case, if the doc contains 1 instance of the word confidential with a weight of 20, that contributes 20 toward the threshold, and if the doc has 15 Social Security Numbers with a weight of 3, that contributes 45. Add 20 and 45 and you have 65, which will exceed the block threshold of 50.
  6. Attach the Data Filtering profile to the security rule.
    1. Select Policies > Security and select the security policy rule to which to apply the profile.
    2. Click the security policy rule to modify it and then click the Actions tab. In the Data Filtering drop-down, select the new data filtering profile you created and then click OK to save. In this example, the data filtering rule name is DF_Profile1.
  7. Commit the configuration.
  8. Test the data filtering configuration.
    If you have problems getting Data Filtering to work, you can check the Data Filtering log or the Traffic log to verify the application that you are testing with and make sure your test document has the appropriate number of unique Social Security Number instances. For example, an application such as Microsoft Outlook Web App may seem to be identified as web-browsing, but if you look at the logs, the application is outlook-web. Also increase the number of SSNs or instances of your custom pattern to make sure you are hitting the thresholds.
    When testing, you must use real Social Security Numbers and each number must be unique. Also, when defining Custom Patterns as we did in this example with the word confidential, the pattern is case sensitive. To keep your test simple, you may want to just test using a data pattern first, then test the SSNs.
    1. Access a client PC in the trust zone of the firewall and send an HTTP request to upload a .doc or .docx file that contains the exact information you defined for filtering.
    2. Create a Microsoft Word document with one instance of the term confidential and five Social Security numbers with dashes.
    3. Upload the file to a website. Use an HTTP site unless you have decryption configured, in which case you can use HTTPS.
    4. Select Monitor > Logs > Data Filtering logs.
    5. Locate the log that corresponds to the file you just uploaded. To help filter the logs, use the source of your client PC and the destination of the web server. The action column in the log will show reset-both. You can now increase the number of Social Security Numbers in the document to test the block threshold.
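
The weight and threshold arithmetic from steps 3 and 5 can be checked against the text of a test document before you upload it. The following Python sketch is an added example, not PAN-OS code: the 3-2-4 dashed SSN regex, the helper names, and counting every occurrence of the keyword are assumptions, and the firewall's own SSN matcher validates numbers, which this sketch does not.

```python
import re

# Values taken from the example profile on this page.
SSN_WEIGHT = 3
KEYWORD_WEIGHT = 20
ALERT_THRESHOLD = 35
BLOCK_THRESHOLD = 50

# Assumption: dashed numbers in the standard 3-2-4 layout, no validation.
SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")
# Custom pattern from the example; matching is case sensitive.
KEYWORD_RE = re.compile(r"confidential")


def score(text):
    """Return (unique_ssns, keyword_hits, weighted_total) for document text."""
    ssns = set(SSN_RE.findall(text))        # a repeated number counts once
    hits = len(KEYWORD_RE.findall(text))    # assumption: every occurrence counts
    total = len(ssns) * SSN_WEIGHT + hits * KEYWORD_WEIGHT
    return len(ssns), hits, total


def expected_action(text):
    """Map the weighted total to the outcome the two thresholds imply."""
    _, _, total = score(text)
    if total >= BLOCK_THRESHOLD:
        return "block"
    if total >= ALERT_THRESHOLD:
        return "alert"
    return "none"


def make_doc(n_ssns, keyword="confidential"):
    """Build constructed text with n unique, made-up dashed numbers."""
    numbers = [f"900-{i // 100:02d}-{1000 + i:04d}" for i in range(n_ssns)]
    return f"This file is {keyword}.\n" + "\n".join(numbers)


if __name__ == "__main__":
    cases = [(5, "confidential"), (15, "confidential"),
             (15, "Confidential"), (4, "confidential")]
    for n, kw in cases:
        doc = make_doc(n, kw)
        print(n, kw, score(doc), expected_action(doc))
```

The third case shows why a capitalized Confidential lowers the total: the keyword contributes nothing, so 15 numbers alone reach 45, which crosses the alert threshold but not the block threshold.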
