Create a Data Filtering Profile

Follow these steps to create a Data Filtering profile that ensures confidential information stays in your network.
Data Filtering profiles can keep sensitive information from leaving your network.
To get started, you’ll first create a data pattern that specifies the information types and fields that you want the firewall to filter. Then, you attach that pattern to a data filtering profile, which specifies how you want to enforce the content that the firewall filters. Add the data filtering profile to a security policy rule to start filtering traffic matching the rule.
  1. Define a new data pattern object to detect the information you want to filter.
    1. Select
      Objects
      Custom Objects
      Data Patterns
      and
      Add
      a new object.
    2. Provide a descriptive
      Name
      for the new object.
    3. (
      Optional
      ) Select
      Shared
      if you want the data pattern to be available to:
      • Every virtual system (vsys) on a multi-vsys firewall
        —If cleared (disabled), the data pattern is available only to the Virtual System selected in the
        Objects
        tab.
      • Every device group on Panorama
        —If cleared (disabled), the data pattern is available only to the Device Group selected in the
        Objects
        tab.
    4. (
      Optional—Panorama only
      ) Select
      Disable override
      to prevent administrators from overriding the settings of this data pattern object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
    5. (
      Optional—Panorama only
      ) Select
      Data Capture
      to automatically collect the data that is blocked by the filter.
      Specify a password for Manage Data Protection on the Settings page to view your captured data (
      Device
      Setup
      Content-ID
      Manage Data Protection
      ).
    6. Set the
      Pattern Type
      to one of the following:
      • Predefined Pattern
        —Filter for credit card, social security numbers, and personally identifiable information for several compliance standards including HIPAA, GDPR, Gramm-Leach-Bliley Act.
      • Regular Expression
        —Filter for custom data patterns.
      • File Properties
        —Filter based on file properties and the associated values.
    7. Add
      a new rule to the data pattern object.
    8. Specify the data pattern according to the
      Pattern Type
      you selected for this object:
      • Predefined
        —Select the
        Name
        and choose the predefined data pattern on which to filter.
      • Regular Expression
        —Specify a descriptive
        Name
        , select the
        File Type
        (or types) you want to scan, and then enter the specific
        Data Pattern
        you want the firewall to detect.
      • File Properties
        —Specify a descriptive
        Name
        , select the
        File Type
        and
        File Property
        you want to scan, and enter the specific
        Property Value
        that you want the firewall to detect.
        • To filter Titus classified documents
          : Select one of the non-AIP protected file types, and set the
          File Property
          to TITUS GUID. Enter the Titus label GUID as the
          Property Value
          .
        • For Azure Information Protection labeled documents
          : Select any
          File Type
          except Rich Text Format. For the file type you choose, set the
          File Property
          to Microsoft MIP Label, and enter the Azure Informatin Protect label GUID as the
          Property Value
          .
          data-filtering-aip-labels.png
    9. Click
      OK
      to save the data pattern.
  2. Add the data pattern object to a data filtering profile.
    1. Select
      Objects
      Security Profiles
      Data Filtering
      and
      Add
      or modify a data filtering profile.
    2. Provide a descriptive
      Name
      for the new profile.
    3. Add
      a new profile rule and select the Data Pattern you created in Step .
    4. Specify
      Applications
      ,
      File Types
      , and what
      Direction
      of traffic (upload or download) you want to filter based on the data pattern.
      The file type you select must be the same file type you defined for the data pattern earlier, or it must be a file type that includes the data pattern file type. For example, you could define both the data pattern object and the data filtering profile to scan all Microsoft Office documents. Or, you could define the data pattern object to match to only Microsoft PowerPoint Presentations while the data filtering profile scans all Microsoft Office documents.
      If a data pattern object is attached to a data filtering profile and the configured file types do not align between the two, the profile will not correctly filter documents matched to the data pattern object.
    5. Set the
      Alert Threshold
      to specify the number of times the data pattern must be detected in a file to trigger an alert.
    6. Set the
      Block Threshold
      to block files that contain at least this many instances of the data pattern.
    7. Set the
      Log Severity
      recorded for files that match this rule.
    8. Click
      OK
      to save the data filtering profile.
  3. Apply the data filtering settings to traffic.
    1. Select
      Policies
      Security
      and
      Add
      or modify a security policy rule.
    2. Select
      Actions
      and set the Profile Type to
      Profiles
      .
    3. Attach the Data Filtering profile you created in Step 2 to the security policy rule.
    4. Click
      OK
      .
  4. (
    Recommended
    ) Prevent web browsers from resuming sessions that the firewall has terminated.
    This option ensures that when the firewall detects and then drops a sensitive file, a web browser cannot resume the session in an attempt to retrieve the file.
    1. Select
      Device
      Setup
      Content-ID
      and edit Content-ID Settings.
    2. Clear the
      Allow HTTP partial response
      .
    3. Click
      OK
      .
  5. Monitor files that the firewall is filtering.
    Select
    Monitor
    Data Filtering
    to view the files that the firewall has detected and blocked based on your data filtering settings.

Related Documentation