Set Up Data Filtering
Use Data Filtering Profiles to prevent sensitive, confidential, and proprietary information from leaving your network. Predefined patterns, built-in settings, and options to customize make it easy for you to protect files that contain certain file properties (such as a document title or author), credit card numbers, regulated information from different countries (like social security numbers), and third-party data loss prevention (DLP) labels.
- Predefined Data Patterns—Easily filter on commonly used patterns, including credit card numbers. Predefined data filtering patterns also identify specific (regulated) information from different countries of the world, such as social security numbers (United States), INSEE Identification numbers (France), and New Zealand Internal Revenue Department Identification Numbers. Many of the predefined data filtering patterns enable compliance for standards such as HIPAA, GDPR, and the Gramm-Leach-Bliley Act.
- Built-In Support for Azure Information Protection and Titus Data Classification—Predefined file properties allow you to filter content based on Azure Information Protection and Titus labels. Azure Information Protection labels are stored in metadata, so make sure that you know the GUID of the Azure Information Protection label that you want the firewall to filter.
- Custom Data Patterns for Data Loss Prevention (DLP) Solutions—If you’re using a third-party, endpoint DLP solution that populates file properties to indicate sensitive content, you can create a custom data pattern to identify the file properties and values tagged by your DLP solution and then log or block the files that your Data Filtering profile detects based on that pattern.
To get started, you’ll first create a data pattern that specifies the information types and fields that you want the firewall to filter. Then, you can use a data filtering profile to specify how you want to enforce content the firewall filters. Add the data filtering profile to a security policy rule to start filtering traffic matching the rule.
- Define a new data pattern object to detect the information you want to filter.
- Select Objects > Custom Objects > Data Patterns and Add a new object.
- Provide a descriptive Name for the new object.
- (Optional) Select Shared if you want the data pattern to be available to:
- Every virtual system (vsys) on a multi-vsys firewall—If cleared (disabled), the data pattern is available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama—If cleared (disabled), the data pattern is available only to the Device Group selected in the Objects tab.
- (Optional—Panorama only) Select Disable override to prevent administrators from overriding the settings of this data pattern object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
- (Optional—Panorama only) Select Data Capture to automatically collect the data that is blocked by the filter. Specify a password for Manage Data Protection on the Settings page to view your captured data (Device > Setup > Content-ID > Manage Data Protection).
- Set the Pattern Type to one of the following:
- Predefined—Filter for credit card and social security numbers.
- Regular Expression—Filter for custom data patterns.
- File Properties—Filter based on file properties and the associated values.
- Add a new rule to the data pattern object.
- Specify the data pattern according to the Pattern Type you selected for this object:
- Predefined—Select the Name and choose the predefined data pattern on which to filter.
- Regular Expression—Specify a descriptive Name, select the File Type (or types) you want to scan, and then enter the specific Data Pattern you want the firewall to detect.
- File Properties—Specify a descriptive Name, select the File Type and File Property you want to scan, and enter the specific Property Value that you want the firewall to detect.
- To filter Titus classified documents: Select one of the non-AIP protected file types, and set the File Property to TITUS GUID. Enter the Titus label GUID as the Property Value.
- For Azure Information Protection labeled documents: Select any File Type except Rich Text Format. For the file type you choose, set the File Property to Microsoft MIP Label, and enter the Azure Information Protection label GUID as the Property Value.
- Click OK to save the data pattern.
- Add the data pattern object to a data filtering profile.
- Select Objects > Security Profiles > Data Filtering and Add or modify a data filtering profile.
- Add a new profile rule and select the Data Pattern you created in Step 1.
- Specify Applications, File Types, and what Direction of traffic (upload or download) you want to filter based on the data pattern. The file type you select must be the same file type you defined for the data pattern in Step 1, or it must be a file type that includes the data pattern file type. For example, you could define both the data pattern object and the data filtering profile to scan all Microsoft Office documents. Or, you could define the data pattern object to match only Microsoft PowerPoint Presentations while the data filtering profile scans all Microsoft Office documents. If a data pattern object is attached to a data filtering profile and the configured file types do not align between the two, the profile will not correctly filter documents matched to the data pattern object.
- Set the Alert Threshold to specify the number of times the data pattern must be detected in a file to trigger an alert.
- Set the Block Threshold to block files that contain at least this many instances of the data pattern.
- Set the Log Severity recorded for files that match this rule.
- Click OK to save the data filtering profile.
- Apply the data filtering settings to traffic.
- Select Policies > Security and Add or modify a security policy rule.
- Select Actions and set the Profile Type to Profiles.
- Attach the Data Filtering profile you created earlier to the security policy rule.
- Click OK.
- (Recommended) Prevent web browsers from resuming sessions that the firewall has terminated. This option ensures that when the firewall detects and then drops a sensitive file, a web browser cannot resume the session in an attempt to retrieve the file.
- Select Device > Setup > Content-ID and edit Content-ID Settings.
- Clear the Allow HTTP partial response option.
- Click OK.
- Monitor files that the firewall is filtering. Select Monitor > Data Filtering to view the files that the firewall has detected and blocked based on your data filtering settings.
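
The File Properties step above asks for the Azure Information Protection label GUID as the Property Value. The following is an added example, not part of the original documentation or any vendor code, that reads that GUID out of a labeled Office Open XML file so you can confirm the value before entering it. It assumes the label is written to `docProps/custom.xml` as custom properties named `MSIP_Label_<GUID>_<Field>`; the sample file and its GUID are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Office Open XML namespaces used by docProps/custom.xml.
NS = {"cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
      "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"}
# Assumption: sensitivity labels appear as properties named MSIP_Label_<GUID>_<Field>.
LABEL_PROP = re.compile(
    r"^MSIP_Label_([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})_(\w+)$")

def mip_labels(ooxml_bytes):
    """Return {label_guid: {field: value}} from an OOXML file's custom properties."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return labels  # unlabeled file, or label metadata stored elsewhere
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.findall("cp:property", NS):
        m = LABEL_PROP.match(prop.get("name", ""))
        if m:
            value = prop.find("vt:lpwstr", NS)
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = (
                value.text if value is not None else None)
    return labels

def build_sample(guid, name):
    """Constructed sample: a minimal zip carrying only docProps/custom.xml."""
    fields = {"Enabled": "true", "Name": name, "Method": "Standard"}
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="MSIP_Label_{guid}_{k}"><vt:lpwstr>{v}</vt:lpwstr></property>'
        for i, (k, v) in enumerate(fields.items(), start=2))
    xml = f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{props}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", xml)
    return buf.getvalue()

SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder

if __name__ == "__main__":
    sample = build_sample(SAMPLE_GUID, "Confidential")
    for guid, fields in mip_labels(sample).items():
        print(guid, fields.get("Name"), "enabled=" + str(fields.get("Enabled")))
```

Run `mip_labels()` over a document you have labeled yourself and compare the returned GUID with the Property Value in the data pattern; a mismatch means the firewall rule will never match that label.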