The following topics describe data patterns.
What do you want to know? See:
Define data patterns: Data Pattern Settings
Rules for adding data patterns: Syntax for Data Patterns
Custom data pattern examples: Data Patterns Examples
Data Pattern Settings
Select Objects > Custom Objects > Data Patterns to define the categories of sensitive information that you may want to filter using data filtering security policies. For information on defining data filtering profiles, refer to Objects > Security Profiles > Data Filtering.
The following table describes the data pattern settings.
Data Pattern Setting: Description
Name: Enter the data pattern name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description: Enter a description for the data pattern (up to 255 characters).
Shared: Select this option if you want the data pattern to be available to:
  Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the data pattern will be available only to the Virtual System selected in the Objects tab.
  Every device group on Panorama. If you clear this selection, the data pattern will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only): Select this option if you want to prevent administrators from creating local copies of the data pattern in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled.
Weight: Enter weights for pre-specified pattern types. The weight is a number between 1 and 255. Alert and Block thresholds specified in the Data Filtering Profile are a function of this weight.
  CC#: Specify a weight for the credit card field (range is 0-255).
  SSN#: Specify a weight for the social security number field, where the field includes dashes, such as 123-45-6789 (range is 0-255; 255 is highest weight).
  SSN# (without dash): Specify a weight for the social security number field, where the entry is made without dashes, such as 123456789 (range is 0-255; 255 is highest weight).
Custom Patterns: The pre-defined patterns include credit card number and social security number (with and without dashes). Click Add to add a new pattern. Specify a name for the pattern, enter the regular expression that defines the pattern, and enter a weight to assign to the pattern. Add additional patterns as needed. For more information, see Syntax for Data Patterns.
Syntax for Data Patterns
When adding a new pattern (regular expression), the following general requirements apply:
The pattern must have a string of at least 7 bytes to match. It can contain more than 7 bytes, but not fewer.
The string match may or may not be case-sensitive, depending on which decoder is being used. When case-sensitivity is required, you need to define patterns for all of the possible strings in order to match all variations of a term. For example, to match any documents designated as confidential, you would need to create a pattern for “confidential”, “Confidential”, and “CONFIDENTIAL”.
The regular expression syntax in PAN-OS is similar to traditional regular expression engines, but every engine is unique. The following table describes the syntax supported in PAN-OS.
Pattern Rules Syntax Description
. Match any single character.
? Match the preceding character or expression 0 or 1 time. The general expression MUST be inside a pair of parentheses. Example: (abc)?
* Match the preceding character or expression 0 or more times. The general expression MUST be inside a pair of parentheses. Example: (abc)*
+ Match the preceding character or regular expression one or more times. The general expression MUST be inside a pair of parentheses. Example: (abc)+
| Equivalent to “or”—alternative substrings must be in parentheses. Example: ((bif)|(scr)|(exe)) matches “bif”, “scr”, or “exe”.
- Used to create range expressions. Example: [c-z] matches any character between c and z, inclusive.
[ ] Match any. Example: [abz] matches any of the characters a, b, or z.
^ Match any except. Example: [^abz] matches any character except a, b, or z.
{ } Min/Max number of bytes. Example: {10-20} matches any string that is between 10 and 20 bytes. This must be directly in front of a fixed string, and only supports “-”.
\ To perform a literal match on any one of the special characters above, it MUST be escaped by preceding them with a ‘\’ (backslash).
& & is a special character, so to look for the “&” in a string you must use “&amp;” instead.
Data Patterns Examples
The following are examples of valid custom patterns:
.*((Confidential)|(CONFIDENTIAL))
  Looks for the word “Confidential” or “CONFIDENTIAL” anywhere.
  “.*” at the beginning specifies to look anywhere in the stream.
  Depending on the case-sensitivity requirements of the decoder, this may not match “confidential” (all lower case).
.*((Proprietary &amp; Confidential)|(Proprietary and Confidential))
  Looks for either “Proprietary & Confidential” or “Proprietary and Confidential”.
  More precise than looking for “Confidential”.
.*(Press Release).*((Draft)|(DRAFT)|(draft))
  Looks for “Press Release” followed by various forms of the word draft, which may indicate that the press release isn't ready to be sent outside the company.
.*(Trinidad)
  Looks for a project code name, such as “Trinidad”.
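The following Python pre-check is an added example, not part of the PAN-OS documentation. It applies the rules from the settings and syntax sections (name format, parenthesized alternation, a fixed string of at least 7 bytes, escaped ampersand) to a custom pattern before it is entered on the firewall, and builds the case-variant alternation described above. The function names, the finding labels, the use of `&amp;` as the escaped ampersand, and the reading of the 7-byte rule as "longest literal run" are assumptions of this example.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")  # name rule from the settings table
SPECIALS = set(".?*+|-[]^{}\\&()")             # specials listed in the syntax table

def literal_runs(pattern):
    """Fixed-string runs as bytes; runs inside optional groups like (abc)? still count."""
    runs, cur, i = [], "", 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("&amp;", i):          # assumed escape for one literal '&'
            cur, i = cur + "&", i + 5
        elif ch == "\\" and i + 1 < len(pattern):   # escaped special is a literal
            cur, i = cur + pattern[i + 1], i + 2
        elif ch in "[{":                            # skip the class or byte-range body
            close = pattern.find("]" if ch == "[" else "}", i + 1)
            runs.append(cur)
            cur, i = "", (len(pattern) if close == -1 else close + 1)
        else:
            if ch in SPECIALS:
                if ch in "?*" and cur:              # the preceding byte is optional
                    cur = cur[:-1]
                runs.append(cur)
                cur = ""
            else:
                cur += ch
            i += 1
    runs.append(cur)
    return [r.encode("utf-8") for r in runs if r]

def lint(name, pattern):
    """Return findings for one custom pattern; an empty list means none tripped."""
    issues = []
    if not NAME_RE.fullmatch(name):
        issues.append("name")
    if re.search(r"&(?!amp;)", pattern):
        issues.append("bare-ampersand")
    for m in re.finditer(r"(?<!\\)\|", pattern):    # every '|' must look like (a)|(b)
        if not (pattern[:m.start()].endswith(")") and pattern[m.end():].startswith("(")):
            issues.append("alternation-needs-parentheses")
            break
    if max((len(r) for r in literal_runs(pattern)), default=0) < 7:
        issues.append("fixed-string-under-7-bytes")
    return issues

def case_variants(term):
    """Alternation of lower / Capitalized / UPPER forms for case-sensitive decoders."""
    forms = dict.fromkeys([term.lower(), term.capitalize(), term.upper()])
    return ".*(" + "|".join(f"({f})" for f in forms) + ")"
```

For example, `lint("ext", "((bif)|(scr)|(exe))")` reports `fixed-string-under-7-bytes`: the alternation from the syntax table is well formed but too short to stand alone as a pattern.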
