SonicOS 7.0 Rules and Policies for Classic Mode
Creating a Regular Expression in a Match Object
Predefined regular expressions can be selected during configuration, or you can configure a custom regular expression. This use case describes how to create a Regex Match object for a credit card number, while illustrating some common errors.
For example, a user creates a Regex Match object for a credit card number, with the following inefficient and also slightly erroneous construction:
[1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}
Using this object, the user attempts to build a policy. After the user clicks OK, the appliance displays a “Please wait…” message, but the management session is unresponsive for a very long time and the regular expression might eventually be rejected.
This behavior occurs because, in custom object and file content match objects, regular expressions are implicitly prefixed with a dot asterisk (.*). A dot matches any of the 256 ASCII characters except ‘\n’. This fact, the match object type used, and the nature of the regular expression in combination cause the control plane to take a long time to compile the required data structures.
The fix for this is to prefix the regular expression with a '\D'. This means that the credit card number is preceded by a non-digit character, which actually makes the regular expression more accurate.
Additionally, the regular expression shown above does not accurately represent the intended credit card number. The regular expression in its current form can match several false positives, such as 1234 12341234 1234. A more accurate representation is the following:
\D[1-9][0-9]{3} [0-9]{4} [0-9]{4} [0-9]{4}
or
\D[1-9][0-9]{3}[0-9]{4}[0-9]{4}[0-9]{4}
which can be written more concisely as:
\D\z\d{3}( \d{4}){3}
or
\D\z\d{3}(\d{4}){3}
respectively.
These can be written as two regular expressions within one match object or can be further compressed into one regular expression such as:
\D\z\d{3}(( \d{4}){3}|(\d{12}))
You can also capture credit card numbers with digits separated by a '-' with the following regular expression:
\D\z\d{3}(( \d{4}){3}|(-\d{4}){3}|(\d{12}))
The preceding ‘\D’ should be included in all of these regular expressions.
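The following added example (not part of the SonicWall documentation) checks the original and the final pattern from this page against constructed sample strings using Python's re module, so the false positives and the effect of the leading \D can be seen before a pattern is placed in a match object. It assumes \z means a nonzero digit, as the equivalent forms above imply, and uses re.search to stand in for the implicit leading .*; it does not model the appliance's regex compiler or its compile time.

```python
import re

# Patterns copied from the page.
LOOSE = r"[1-9][0-9]{3} ?[0-9]{4} ?[0-9]{4} ?[0-9]{4}"
STRICT = r"\D\z\d{3}(( \d{4}){3}|(-\d{4}){3}|(\d{12}))"


def sonicos_to_python(pattern: str) -> str:
    # Assumption: \z is the SonicOS shorthand for [1-9]. Python's re has no
    # such class, so it is expanded before compiling.
    return pattern.replace(r"\z", "[1-9]")


def matches(pattern: str, payload: str) -> bool:
    # re.search lets the match begin at any offset, which models the
    # implicit ".*" prefix described on the page.
    return re.search(sonicos_to_python(pattern), payload) is not None


# Constructed sample payloads (4111... is a well-known test number).
SAMPLES = [
    "card: 4111 1111 1111 1111",   # space-separated groups
    "card=4111-1111-1111-1111",    # dash-separated groups
    "pan 4111111111111111",        # 16 contiguous digits
    "id 1234 12341234 1234",       # mixed separators: the page's false positive
    "4111 1111 1111 1111",         # number at offset 0, nothing before it
]


def compare(samples):
    """Return {sample: (loose_matches, strict_matches)}."""
    return {s: (matches(LOOSE, s), matches(STRICT, s)) for s in samples}


if __name__ == "__main__":
    for sample, (loose, strict) in compare(SAMPLES).items():
        print(f"{sample!r:32} loose={loose!s:5} strict={strict}")
```

In this model the last sample is not matched by the final pattern, because \D must consume one character before the first digit; a number at the very start of the inspected content has none.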