
Configuring Data Filtering

The data filtering profile determines the types of applications and files to be filtered. You must reference keyword groups in the data filtering profile.

Context

Data filtering falls into file data filtering and application data filtering.

File data filtering filters the uploaded and downloaded files by keyword. Application data filtering filters application content by keyword.

The FW has a default data filtering profile named default. It references the default keyword group, and its action for the transfer of all file types in the upload direction is alert. You cannot modify or delete the default profile.

When you reference a profile in a security policy, the name of the default profile appears in the drop-down list. To view the configuration result, choose System > Configuration File Management. In Current Configuration, you can see that the security policy references the default profile, but the configuration information about the default profile itself is not displayed.

You can run the display profile type data-filter name default command on the CLI to view the configuration information about the default profile. If you use the CLI to reference the default profile in a security policy, you must enter the complete profile name (such as default). Otherwise, the profile fails to be referenced. To view the configuration result, run the display current-configuration command. The output shows that the security policy references the default profile, but the configuration information about the default profile itself is not displayed.

The FW supports user-defined profiles. You can create keyword groups to specify different actions for the upload and download directions of each application or file type.

Procedure

  1. Choose Object > Security Profiles > Data Filtering.
  2. Click Add.
  3. Set the name and description of the data filtering profile.

    Name: Name of the data filtering profile. The name must be unique. It is displayed in the Data Filtering column when you configure a security policy.

    Description: Description of the data filtering profile. A proper description helps you understand the function of each profile and facilitates profile selection, lookup, and maintenance. For example, set the description to "Blocks files containing keyword group 1 from uploading through FTP/SFTP".

  4. Configure a data filtering rule.
    1. In Data Filtering Profile List, click Add.
    2. Set the name of the data filtering rule.

      Name: Name of the data filtering rule. The name must be unique.

    3. Configure keyword groups in data filtering rules.

      If the traffic matches a data filtering rule, the device checks whether any keyword defined in the data filtering rule exists in the traffic content. If a keyword is identified, the device performs the specified action. If no keyword is identified, the device permits the traffic.

      Keyword Group: A keyword group is a set of keywords, including predefined keywords and user-defined keywords. Predefined keywords include bank card numbers, credit card numbers, social security numbers, ID card numbers, mobile phone numbers, and confidentiality keywords. User-defined keywords are those that you define for data filtering. For details on how to configure a keyword group, see Configuring a Keyword Group.

    4. Configure the matching conditions of the data filtering rule to determine the files and applications to be filtered.

      The device compares the traffic features with the conditions in the data filtering rule. If all conditions are matched, the traffic matches the data filtering rule. Otherwise, the next rule is compared. If no data filtering rule is matched, the device permits the traffic.

      Application: Specify the protocol or application whose transmitted files are subject to data filtering.

      File Type: Specify the file types to which data filtering applies.

      Word Boundary: Enable exact matching of search engine keywords.

      If the function is disabled, the device performs a fuzzy match between the keyword entered in the search engine and the keyword specified in the data filtering rule. For example, the search keyword mytest matches the keyword test in the data filtering rule, and the action of the rule (such as alert or block) is taken.

      If the function is enabled, the device performs an exact match between the keyword entered in the search engine and the keyword specified in the data filtering rule. The action of the rule (such as alert or block) is taken only when the search keyword exactly matches the keyword specified in the rule.

      NOTE:

      The function can be configured only when the Search Engine Keywords option is selected in File Type.

      Direction: Specify the file transfer direction to which data filtering applies.

      Upload refers to the direction in which a user sends data from a source address to a destination address, and download refers to the direction in which a user receives data from a destination address at the source address.

    5. Configure the action in the data filtering rule.

      • The device does not support blocking NFS. Therefore, when Application is set to NFS and Action is set to Block, or the accumulated weight is not less than the Blocking Threshold, the device takes the alert action instead.

      • When Application is set to IMAP or POP3 and Action is set to Block, or the accumulated weight is not less than the Blocking Threshold:

        • If the email attachment matches a keyword, the device deletes the body and attachment of the email.

        • If the email body matches a keyword, the device deletes the body and attachment of the email.

        • If the email subject matches a keyword, the device deletes the subject, body, and attachment of the email.

      Action: Action taken by the device when all conditions are matched and a keyword is identified.

      • Alert: The device permits the content and generates logs. This is the default action.

      • Block: The device blocks the content and generates logs.

      • By-Threshold: Each keyword has a weight. The weights of all keywords that appear in the detected content are accumulated, counting each occurrence.

        • If the sum of weights is less than the Alert Threshold, the device permits the content.
        • If the sum of weights is greater than or equal to the Alert Threshold and less than the Blocking Threshold, the device performs the alert action once.
        • If the sum of weights is greater than or equal to the Blocking Threshold, the device blocks the content.

      During data filtering, if the protocol carrying the blocked content supports it, the FW pushes a notification page while blocking the data. The Push Information shown on that page can be edited on the FW.

    6. Click OK.
    7. Repeat steps 1 to 6 to create multiple data filtering rules.
  5. Click OK to complete the configuration of the data filtering profile.
  6. Reference the data filtering profile in the security policy. For details on how to configure the security policy, see Configuring a Security Policy Using the Web UI.
  7. Click Commit on the upper right of the web page to commit the profile.

    The created or modified security profile does not take effect immediately. You need to click Commit on the upper right of the web page to activate the configuration. To save time, commit the configuration after you complete all operations on the security profile.
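The decision logic the procedure above describes (matching conditions, keyword check, Alert and Blocking thresholds, Word Boundary, and the NFS restriction), as an added Python model that is not Huawei's code or the FW's implementation; rule fields, weights, thresholds and sample content are constructed.

```python
# Added example (not Huawei's code): a model of the data filtering decision this
# page describes. Names, thresholds and sample content are constructed.
from dataclasses import dataclass

@dataclass
class Rule:
    applications: set            # matching condition: Application
    file_types: set              # matching condition: File Type
    direction: str               # "upload" or "download"
    keywords: dict               # keyword group: keyword -> weight
    action: str                  # "alert", "block" or "by-threshold"
    alert_threshold: int = 0     # By-Threshold only
    block_threshold: int = 0     # By-Threshold only
    word_boundary: bool = False  # exact match for search engine keywords

def keyword_hits(content, keyword, exact):
    # Exact: whole search keyword equals the rule keyword ("mytest" misses "test").
    if exact:
        return 1 if content == keyword else 0
    return content.count(keyword)        # fuzzy: count substring occurrences

def evaluate(rules, application, file_type, direction, content):
    # Returns "permit", "alert" or "block" for one transfer.
    for rule in rules:
        if (application not in rule.applications or file_type not in rule.file_types
                or direction != rule.direction):
            continue                     # conditions not all met: try next rule
        exact = rule.word_boundary and file_type == "Search Engine Keywords"
        counts = {kw: keyword_hits(content, kw, exact) for kw in rule.keywords}
        if not any(counts.values()):
            return "permit"              # rule matched but no keyword found
        if rule.action != "by-threshold":
            verdict = rule.action
        else:                            # weights accumulate by occurrence count
            total = sum(rule.keywords[kw] * n for kw, n in counts.items())
            if total < rule.alert_threshold:
                verdict = "permit"
            elif total < rule.block_threshold:
                verdict = "alert"
            else:
                verdict = "block"
        if verdict == "block" and application == "NFS":
            verdict = "alert"            # NFS cannot be blocked; device alerts
        return verdict
    return "permit"                      # no rule matched
RULES = [  # constructed sample profile with three rules
    Rule({"FTP", "SFTP"}, {"txt"}, "upload", {"confidential": 5, "secret": 2}, "by-threshold", 5, 10),
    Rule({"NFS"}, {"txt"}, "download", {"secret": 1}, "block"),
    Rule({"HTTP"}, {"Search Engine Keywords"}, "upload", {"test": 1}, "block", word_boundary=True),
]
```

With the sample profile, an FTP upload containing "secret secret confidential" accumulates 2+2+5 = 9 and is alerted, while two occurrences of "confidential" reach the Blocking Threshold of 10.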

Follow-up Procedure

Check or release the references between security policies and the profile.
  1. To check which security policies reference a profile, click View under References in the profile list.

  2. To release the reference between a security policy and the profile, select the security policy and click Release.

    Click Release All to release all the references.

Copyright © Huawei Technologies Co., Ltd.