Saturday, October 12, 2019

Palo Alto Networks Firewall File Blocking and Data Filtering

You configure File Blocking on a Palo Alto Networks (PAN) Firewall to protect your network and endpoints from malware-infected files (exe, PDF, etc.). It is also used as part of a Data Loss Prevention (DLP) strategy to keep the company's Intellectual Property (IP) and other sensitive files from leaving the network.

To create a File Blocking Security Profile, go to Objects > Security Profiles > File Blocking.

There are two File Blocking profiles configured by default: basic file blocking and strict file blocking.

Click on basic file blocking > Clone (at the bottom).


Leave the default Name selected > click OK.


Click basic file blocking-1 to edit.


Type a Name (FILE-BLOCK-1).


Under the File Types column > click on any file type > Add > type/search pdf.


Click OK.



To apply the File Blocking Security Profile, go to Policies > Security > Actions tab > Profile Setting > File Blocking > select FILE-BLOCK-1 created earlier > click OK.


Click Commit.


You'll need an SSL Decryption policy configured and the CA certificate imported on the client machine in order to enforce File Blocking for HTTPS traffic.

I tried to download an installer for TFTP server which is executable (.exe) file.


I got a File Transfer Blocked error. The PAN Firewall easily detected and blocked the executable file since it's HTTP traffic.


I tried to download a PDF file via HTTPS. The PDF file was blocked since the PAN Firewall performed deep packet inspection (SSL Decryption) and enforced the File Blocking policy.


To view File Blocking logs, go to Monitor > Logs > Data Filtering.


Click the magnifying glass icon to get a Detailed Log View. Notice the Decrypted flag under Flags, and under Details that the downloaded File Name cybersecurity-survival-guide-3rd-edition.pdf was detected.

Notice the Source Port is 80 (HTTP) and under Details the File Name Tftpd32-4.52-setup.exe was detected.


To configure a Data Filtering Security Profile, go to Objects > Security Profiles > Data Filtering > click Add (at the bottom).


Type a Name (DATA-FILTER-1) > under Data Pattern > click Add.


Click New > click on the double arrow icon > Data Pattern.


Type a Name (DATA-PATTERN-CCARD) > Pattern Type: Predefined Pattern.


Under Name > click Add > select Credit Card Numbers. Click OK.


Click OK.


Click OK.


For this lab, I modified the Alert Threshold and Block Threshold to a count of 1 > change Log Security to Critical > click OK.



To apply the Data Filtering Security Profile, go to Policies > Security > click Rule #1 (Allow-Inside-Out) > under Actions > Profile Setting > Data Filtering > select DATA-FILTER-1 created earlier > click OK.


Click Commit.


To test, I tried to download a list of credit card numbers (100 CC Records) from this site.


I got a Data Transfer Blocked error.


To monitor the Data Filtering log, go to Monitor > Logs > Data Filtering.


Click the magnifying glass icon to get a Detailed Log View.

Notice under Details > Context that it matched the DATA-PATTERN-CCARD rule, which is the Predefined Pattern for US Credit Card Numbers.
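To make the two enforcement decisions above concrete, here is an added example (my own illustrative model, not Palo Alto Networks code) of what File Blocking and Data Filtering evaluate: the file type is identified from the content's leading bytes rather than the extension, and credit card matches are counted with a Luhn check and compared against the Alert Threshold and Block Threshold of 1 used in this lab. The magic-byte table, the regex and the sample text are constructed for the example; the real predefined pattern's matching rules are PAN's and may differ.

```python
import re

# Constructed subset of content signatures. File Blocking keys on the
# identified file type, so renaming setup.exe to setup.txt does not evade it.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",  # Windows executable (exe/dll) header
}


def identify_file_type(data: bytes) -> str:
    """Return a file-type label from the leading bytes, ignoring the name."""
    for signature, label in MAGIC.items():
        if data.startswith(signature):
            return label
    return "unknown"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which weeds out random 13-16 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-16 digits, optionally separated by spaces or dashes (assumed pattern).
CC_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def count_credit_cards(text: str) -> int:
    """Count candidate card numbers that also pass the Luhn check."""
    return sum(
        1 for m in CC_RE.finditer(text)
        if luhn_ok(re.sub(r"[ -]", "", m.group()))
    )


def data_filter_action(count: int, alert_threshold: int, block_threshold: int) -> str:
    """Apply the profile thresholds the way the lab configured them (1 and 1)."""
    if count >= block_threshold:
        return "block"
    if count >= alert_threshold:
        return "alert"
    return "allow"


# Constructed sample: two well-known test card numbers plus an order id
# that looks like a card number but fails Luhn.
SAMPLE_TEXT = (
    "Card: 4111 1111 1111 1111\n"
    "Card: 5500-0000-0000-0004\n"
    "Order 1234567890123 shipped\n"
)
```

With the lab thresholds, a single valid match is enough to block, so `data_filter_action(count_credit_cards(SAMPLE_TEXT), 1, 1)` returns "block".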