Create Custom Objects (PAN-OS & Panorama)

Create custom data patterns, vulnerability and spyware signatures, and URL categories to use with security rules.

Custom Objects: Data Patterns

Select Objects > Custom Objects > Data Patterns to define the categories of sensitive information that you may want to filter.
Also, be sure to learn about defining data filtering profiles.
Add your custom data pattern and configure the settings in this table:
Data Pattern Settings
Description
Name
Enter the data pattern name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter a description for the data pattern (up to 255 characters).
Shared
Select this option if you want the data pattern to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the data pattern will be available only to the Virtual System selected in the Objects tab.
  • Every device group on Panorama. If you clear this selection, the data pattern will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this data pattern object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Pattern Type
Select the type of data pattern you want to create:
  • Predefined—Use the predefined data patterns to scan files for social security and credit card numbers.
  • Regular Expression—Create custom data patterns using regular expressions.
  • File Properties—Scan files for specific file properties and values.
Predefined Pattern
Palo Alto Networks provides predefined data patterns to scan for certain types of information in files, for example, for credit card numbers or social security numbers. To configure data filtering based on a predefined pattern, Add a pattern and select the following:
  • Name—Select a predefined pattern to use to filter for sensitive data. When you pick a predefined pattern, the Description populates automatically.
  • Select the File Type in which you want to detect the predefined pattern.
Regular Expression
Add a custom data pattern. Give the pattern a descriptive Name, set the File Type you want to scan for the data pattern, and enter the regular expression that defines the Data Pattern.
For regular expression data pattern syntax details and examples, see:
File Properties
Build a data pattern to scan for file properties and the associated values. For example, Add a data pattern to filter for Microsoft Word documents and PDFs where the document title includes the words “sensitive”, “internal”, or “confidential”.
  • Give the data pattern a descriptive Name.
  • Select the File Type that you want to scan.
  • Select the File Property that you want to scan for a specific value.
  • Enter the Property Value for which you want to scan.

Custom Objects: Spyware/Vulnerability

Use the Custom Spyware Signature page to define signatures for Anti-Spyware profiles: Objects > Custom Objects > Spyware > Add.
Use the Custom Vulnerability Signature page to define signatures for Vulnerability Protection profiles: Objects > Custom Objects > Vulnerability > Add.
Configure the settings in this table:
Custom Vulnerability and Spyware Signature Settings
Description
Configuration Tab
Threat ID
Enter a numeric identifier for the configuration (the spyware signature ranges are 15000-18000 and 6900001-7000000; the vulnerability signature ranges are 41000-45000 and 6800001-6900000).
Name
Specify the threat name.
Shared
Select this option if you want the custom signature to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the custom signature will be available only to the Virtual System selected in the Objects tab.
  • Every device group on Panorama. If you clear this selection, the custom signature will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this signature in device groups that inherit the signature. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the signature.
Comment
Enter an optional comment.
Severity
Assign a level that indicates the seriousness of the threat.
Default Action
Assign the default action to take if the threat conditions are met. For a list of actions, see Actions in Security Profiles.
Direction
Indicate whether the threat is assessed from the client to server, server to client, or both.
Affected System
Indicate whether the threat involves the client, server, either, or both. Applies to vulnerability signatures, but not spyware signatures.
CVE
Specify the Common Vulnerabilities and Exposures (CVE) identifier as an external reference for additional background and analysis.
Vendor
Specify the vendor identifier for the vulnerability as an external reference for additional background and analysis.
Bugtraq
Specify the Bugtraq ID (similar to a CVE identifier) as an external reference for additional background and analysis.
Reference
Add any links to additional analysis or background information. The information is shown when a user clicks on the threat from the ACC, logs, or vulnerability profile.
Signatures Tab
Standard Signature
Select Standard and then Add a new signature. Specify the following information:
  • Standard—Enter a name to identify the signature.
  • Comment—Enter an optional description.
  • Ordered Condition Match—Select if the order in which signature conditions are defined is important.
  • Scope—Select whether to apply this signature only to the current transaction or to the full user session.
Add a condition by clicking Add Or Condition or Add And Condition. To add a condition within a group, select the group and then click Add Condition. Add a condition to a signature so that the signature is generated for traffic when the parameters you define for the condition are true. Select an Operator from the drop-down. The operator defines the type of condition that must be true for the custom signature to match to traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match operators.
  • When choosing a Pattern Match operator, specify the following; all of it must be true for the signature to match traffic:
    • Context—Select from the available contexts.
    • Pattern—Specify a regular expression. See Pattern Rules Syntax for pattern rules for regular expressions.
    • Qualifier and Value—Optionally, add qualifier/value pairs.
    • Negate—Select Negate so that the custom signature matches to traffic only when the defined Pattern Match condition isn't true. This allows you to ensure that the custom signature isn't triggered under certain conditions.
      A custom signature can't be created with only Negate conditions; at least one positive condition must be included before a Negate condition can be specified. Also, if the scope of the signature is set to session, a Negate condition can't be configured as the last condition to match to traffic.
      You can define exceptions for custom vulnerability or spyware signatures using the new option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can now also create an exception where the signature isn't generated for URLs that redirect to a trusted domain.
  • When choosing an Equal To, Less Than, or Greater Than operator, specify the following; all of it must be true for the signature to match traffic:
    • Context—Select from unknown requests and responses for TCP or UDP.
    • Position—Select between the first four or second four bytes in the payload.
    • Mask—Specify a 4-byte hex value, for example, 0xffffff00.
    • Value—Specify a 4-byte hex value, for example, 0xaabbccdd.
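As an added example (not Palo Alto Networks code), the following Python models the two condition types described above: a Pattern Match condition (with the Negate exception from the redirect example) and a numeric condition that masks the first or second four bytes of the payload. The signature structure, field names and the HTTP sample payloads are assumptions made for illustration.

```python
# Added example, not Palo Alto Networks code: evaluates Standard Signature
# conditions against a constructed payload. Field names are assumptions.
import re

def numeric_condition(payload: bytes, position: int, mask: int, value: int, op: str) -> bool:
    """Equal To ("eq") / Less Than ("lt") / Greater Than ("gt") over the
    first (position 0) or second (position 1) four bytes of the payload."""
    start = position * 4
    chunk = payload[start:start + 4]
    if len(chunk) < 4:                       # payload too short for this position
        return False
    field = int.from_bytes(chunk, "big") & mask
    return {"eq": field == value, "lt": field < value, "gt": field > value}[op]

def pattern_condition(data: bytes, pattern: str, negate: bool = False) -> bool:
    """Pattern Match: a regular expression over the context; Negate inverts the result."""
    hit = re.search(pattern.encode(), data) is not None
    return not hit if negate else hit

def signature_matches(payload: bytes, conditions: list[dict]) -> bool:
    """AND-combination of conditions; at least one positive (non-Negate) condition is required."""
    if not any(c["type"] == "numeric" or not c.get("negate", False) for c in conditions):
        raise ValueError("a signature cannot consist only of Negate conditions")
    for c in conditions:
        if c["type"] == "numeric":
            ok = numeric_condition(payload, c["position"], c["mask"], c["value"], c["op"])
        else:
            ok = pattern_condition(payload, c["pattern"], c.get("negate", False))
        if not ok:
            return False
    return True

# Constructed signature for the redirect example in the text: match HTTP redirect
# responses, but exclude redirects to a trusted domain (the Negate exception).
# The first condition checks the first four bytes against "HTT" using a mask.
REDIRECT_SIG = [
    {"type": "numeric", "position": 0, "mask": 0xffffff00, "value": 0x48545400, "op": "eq"},
    {"type": "pattern", "pattern": r"^HTTP/1\.[01] 30[12378]"},
    {"type": "pattern", "pattern": r"Location: https?://[^/\r\n]*trusted\.example\b", "negate": True},
]
```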
Combination Signature
Select Combination and specify the following information:
Select Combination Signatures to specify conditions that define signatures:
  • Add a condition by clicking Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
  • To move a condition within a group, select the condition and click Move Up or Move Down. To move a group, select the group and click Move Up or Move Down. You can't move conditions from one group to another.
Select Time Attribute to specify the following information:
  • Number of Hits—Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
  • Aggregation Criteria—Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.

Custom Objects: URL Category

Go to Objects > Custom Objects > URL Category, and select Add to create your custom list of URLs and use it in a URL filtering profile or as match criteria in security rules. In a custom URL category, you can add URL entries individually or you can import a text file that contains a list of URLs.
URL entries added to custom categories are case insensitive.
Configure the settings in this table:
Custom URL Category Settings
Description
Name
Enter a name to identify the custom URL category (up to 31 characters). This name displays in the category list when defining URL filtering security rules and in the match criteria for URL categories in security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
Enter a description for the URL category (up to 255 characters).
Type
Select the category type:
  • Category Match—Select Category Match to define a new custom category containing URLs matching all of the specified URL categories (a URL has to match every category in the list). Specify 2 to 4 categories.
  • URL List—Select URL List to add or import a list of URLs for the category. This category type also contains URLs added before PAN-OS 9.0.
Shared
Select this option if you want the URL category to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you disable (clear) this option, the URL category is available only to the Virtual System selected in the Objects tab.
  • Every device group on Panorama. If you disable (clear) this option, the URL category is available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this custom URL object in device groups that inherit the object. This selection is disabled by default, which means administrators can override the settings for any device group that inherits the object.
Sites
Manage sites for the custom URL category (each URL added or imported can have a maximum of 255 characters).
  • Add—Add URLs, only one per row. Each URL can be in the format “www.example.com” or can include wildcards, such as “*.example.com”.
  • Import—Import and browse to select the text file that contains the list of URLs. Enter only one URL per row. Each URL can be in the format “www.example.com” or can include wildcards, such as “*.example.com”.
  • Export—Export the custom URL entries included in the list (exported as a text file).
  • Delete—Delete an entry to remove the URL from the list.
To delete a custom category that you used in a URL Filtering profile, you must set the action to None before you can delete the custom category.
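As an added example (not Palo Alto Networks code), the following Python reads a URL List import file in the format described above (one entry per row, at most 255 characters each) and matches hostnames against it case-insensitively. The wildcard handling is a simplifying assumption: a leading “*.” is taken to match one or more labels in front of the remaining domain; the firewall's actual wildcard token rules are not described on this page, and the sample file is constructed.

```python
# Added example, not Palo Alto Networks code: parse a URL List import file and
# match hosts against it. Wildcard semantics are a simplified assumption.
MAX_ENTRY_LEN = 255   # per-entry limit from the Sites description above

def load_url_list(text: str) -> list:
    """One entry per row; blank rows are ignored, over-long rows are rejected."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        if len(entry) > MAX_ENTRY_LEN:
            raise ValueError(f"row {lineno}: entry exceeds {MAX_ENTRY_LEN} characters")
        entries.append(entry.lower())          # entries are case insensitive
    return entries

def entry_matches(entry: str, host: str) -> bool:
    """Exact host match, or "*.domain" matching any host with labels before "domain"."""
    host = host.lower()
    if entry.startswith("*."):
        suffix = entry[1:]                     # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry

def category_matches(entries: list, url: str) -> bool:
    """Strip scheme, path and port from the URL, then test the host against every entry."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return any(entry_matches(e, host) for e in entries)

# Constructed sample import file (mixed case and a blank row on purpose).
SAMPLE_FILE = """www.Example.com
*.partner.example

intranet.example.net
"""
```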