So if you’re like me, you love poking around in your gear, seeing what you can make it do, and maybe even breaking things (just a little) to learn how they work. Today, I want to talk about something that’s both super useful and, honestly, kind of fun to mess with: data filtering in Palo Alto’s PAN-OS.
Now, if you’re new to the world of Palo Alto firewalls, PAN-OS is the operating system that runs on their devices. It’s got a ton of features, but one of the coolest (and sometimes overlooked) is data filtering. This isn’t just about blocking websites or stopping malware—this is about getting granular with the actual data that’s moving through your network.
So, let’s dive in. I’ll walk you through what data filtering is, why you might want to use it, and how to get started tinkering with it on your own Palo Alto box. You will need decryption enabled for this to work properly.
What the Heck is Data Filtering, Anyway?
Okay, so you’ve probably heard of URL filtering (blocking websites), and maybe even application filtering (blocking apps like BitTorrent or Skype). Data filtering is a little different. It’s all about looking at the actual content of the traffic—like files, credit card numbers, social security numbers, or even custom patterns you define—and deciding what to do with it.
Think of it like this: instead of just saying “no Facebook at work,” you can say “no one is allowed to send out files with sensitive info, even if they’re using email, Dropbox, or some weird file-sharing app I’ve never heard of.” Pretty neat, right?
Why Should You Care?
If you’re running a business, or even just a home lab with some important stuff on it, you probably don’t want sensitive data leaking out. Maybe you have compliance requirements (hello, PCI-DSS and HIPAA folks), or maybe you just don’t want your secret chili recipe getting out. Data filtering lets you set up rules to catch and stop that kind of thing.
Plus, it’s a great way to learn more about how traffic flows through your network. You’ll start to see all kinds of stuff you didn’t know was happening.
How Does Data Filtering Work in PAN-OS?
Palo Alto’s data filtering is part of their Data Filtering Profiles, which you can attach to security policies. Here’s the basic idea:
- Create a Data Filtering Profile: This is where you define what you’re looking for. PAN-OS comes with some built-in patterns (like credit card numbers), but you can also add your own custom patterns using regular expressions (regex).
- Attach the Profile to a Security Policy: This is how you tell the firewall to actually use your data filtering rules. You can apply it to inbound, outbound, or even internal traffic.
- Decide What to Do: When the firewall sees a match, you can have it alert you, block the file, or even quarantine it.
Let’s get our hands dirty and walk through a basic setup.
Protip: dlptest.com has some pretty sick templates you can use once everything is set up. I typically use their Name/SSN/DOB templates for testing.
Step-by-Step: Setting Up Data Filtering
- Log into the web interface
- Go to Objects > Security Profiles > Data Filtering
  - This is where the magic happens. You’ll see a list of existing profiles (if any). Click “Add” to create a new one.
- Name your profile
  - Give it a name you’ll remember, like “Block-CC-Numbers” or “Secret-Recipe-Protector.”
- Add Data Patterns
  - Predefined patterns: PAN-OS has a collection of built-in patterns for things like SSNs, DOB, and more.
  - Custom patterns: Click “Add” and enter a regex pattern. For example, if you want to catch files with the word “confidential,” you could use “confidential” as your pattern.
- Set the Action
  - Decide what you want to happen when a match is found. The options are:
    - Alert: Just log the event
    - Block: Stop the file from being transferred
    - Continue: Allow the user to proceed after a warning (good for less critical stuff)
- Attach the Profile to a Security Policy
  - Go to Policies > Security, find the rule that matches the traffic you want to filter, and edit it. Under the “Actions” tab, attach your new Data Filtering Profile.
- Commit your changes
Note: To avoid taking your network down, do not apply a Data Filtering Profile to your main internet egress rule if the filter is both broad (no source address/subnet) and restrictive. This totally didn’t happen to me the first time…
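To make the Data Patterns and Action steps concrete, here is an added simulation of how a profile with two predefined-style patterns and one custom pattern evaluates a Name/SSN/DOB-style record. It is my own illustration, not PAN-OS’s matching engine or its built-in patterns; the regexes, the Luhn check and the sample record are all assumptions.

```python
import re

# Constructed stand-in for a Data Filtering Profile: each entry is a named
# pattern (regex) plus the action taken on a hit, mirroring the Alert / Block /
# Continue choices in the profile UI. Assumed values, not PAN-OS built-ins.
PROFILE = [
    {"name": "ssn", "regex": r"\b\d{3}-\d{2}-\d{4}\b", "action": "block"},
    {"name": "credit-card", "regex": r"\b(?:\d[ -]?){13,16}\b", "action": "block"},
    {"name": "confidential", "regex": r"(?i)\bconfidential\b", "action": "alert"},
]

# Constructed record in the style of a Name/SSN/DOB test template; the card
# number is the well-known 4111... test value, not a real account.
SAMPLE = "Name: Jane Doe  SSN: 123-45-6789  DOB: 01/02/1980  Card: 4111 1111 1111 1111"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. A bare 13-16 digit regex also hits order numbers and
    timestamps; the check digit is what keeps that pattern from firing on
    every long number in a spreadsheet."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def matches(profile, text: str) -> list[tuple[str, str]]:
    """(pattern name, matched text) for every hit in the content."""
    hits = []
    for entry in profile:
        for m in re.finditer(entry["regex"], text):
            value = m.group(0)
            if entry["name"] == "credit-card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # looks like a card number but fails the checksum
            hits.append((entry["name"], value))
    return hits


def decide(profile, text: str) -> str:
    """Most severe configured action wins; no hits means the transfer is allowed."""
    rank = {"continue": 1, "alert": 2, "block": 3}
    action_of = {e["name"]: e["action"] for e in profile}
    hit_actions = [action_of[name] for name, _ in matches(profile, text)]
    return max(hit_actions, key=rank.__getitem__) if hit_actions else "allow"


if __name__ == "__main__":
    print(matches(PROFILE, SAMPLE), decide(PROFILE, SAMPLE))
```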
Final Thoughts & Rambling
I’ve found that Palo’s filtering is pretty good, but I imagine it can get pretty tedious to manage at scale due to the potential for filter circumvention using basic encryption techniques.
For example, an encrypted .zip file could be used to move a PDF file across the network if the engineer in charge didn’t realize that encrypted .zip files can be filtered altogether.
And an encrypted .zip would probably be the main weapon if someone were trying to exfiltrate data in a company with a restrictive common operating environment.
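The point about filtering encrypted .zip files altogether comes down to one header bit, and the check does not need the password or the contents. Here is an added example of that check (my own code, not how PAN-OS implements it); the sample archive is constructed inline, with the encryption flag set by hand because Python’s zipfile cannot write password-protected archives.

```python
import io
import zipfile

# Bit 0 of the ZIP general-purpose bit flag marks a member as encrypted
# (PKWARE APPNOTE section 4.4.4). The content itself is never needed.
ENCRYPTED_FLAG = 0x0001


def build_sample_zip(encrypt_member: bool) -> bytes:
    """Constructed sample archive with one member, 'report.pdf'.

    For the encrypted case the flag bit is set by hand in both the local file
    header (flag at offset 6) and the central directory entry (flag at
    offset 8), which is exactly the metadata an encrypted-zip check keys on.
    ZIP_STORED keeps the member bytes literal so the signature search is safe.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed document body")
    data = bytearray(buf.getvalue())
    if encrypt_member:
        local_hdr = data.find(b"PK\x03\x04")
        central_hdr = data.find(b"PK\x01\x02")
        data[local_hdr + 6] |= ENCRYPTED_FLAG
        data[central_hdr + 8] |= ENCRYPTED_FLAG
    return bytes(data)


def encrypted_members(data: bytes) -> list[str]:
    """Names of members whose header flag says they are encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


def verdict(data: bytes) -> str:
    """Profile-style decision: an archive with any encrypted member is blocked
    outright, since its contents can't be pattern-matched; anything else goes
    on to normal content inspection."""
    return "block" if encrypted_members(data) else "inspect"


if __name__ == "__main__":
    for encrypted in (False, True):
        sample = build_sample_zip(encrypted)
        print(encrypted, encrypted_members(sample), verdict(sample))
```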
Also, Palo’s documentation is pretty damn good. And the bar for me is set pretty high, as I grew up spending a lot of time reading OpenBSD’s manual, and eventually the Arch Wiki.
I’ll create another post soon that details my lab setup. Hope you enjoyed the read.
– S