Understanding Match Objects

05/11/2020 5 People found this article helpful 90,125 Views

    Description

    Match objects represent the set of conditions which must be matched for actions to take place. This includes the object type, the match type (exact, partial, regex, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match. Match objects were referred to as application objects in previous releases.

    Hexadecimal input representation is used to match binary content such as executable files, while alphanumeric (text) input representation is used to match things like file or email content. You can also use hexadecimal input representation for binary content found in a graphic image. Text input representation could be used to match the same graphic if it contains a certain string in one of its properties’ fields. Regular expressions (regex) are used to match a pattern rather than a specific string or value and use alphanumeric input representation.

    The File Content match object type provides a way to match a pattern or keyword within a file. This type of match object can only be used with FTP Data Transfer, HTTP Server, or SMTP Client policies.

    Cause

    The following match object types are supported:

    | Object Type | Description | Match Types | Negative Matching | Extra Properties |
    |---|---|---|---|---|
    | ActiveX ClassID | Class ID of an Active-X component. For example, ClassID of Gator Active-X component is “c1fb8842-5281-45ce-a271-8fd5f117ba5f” | Exact | No | None |
    | Application Category List | Allows specification of application categories, such as Multimedia, P2P, or Social Networking | N/A | No | None |
    | Application List | Allows specification of individual applications within the application category that you select | N/A | No | None |
    | Application Signature List | Allows specification of individual signatures for the application and category that you select | N/A | No | None |
    | Custom Object | Allows specification of an IPS-style custom set of conditions | Exact | No | There are 4 additional, optional parameters that can be set: offset (describes from what byte in packet payload we should start matching the pattern – starts with 1; helps minimize false positives in matching), depth (describes at what byte in the packet payload we should stop matching the pattern – starts with 1), minimum payload size and maximum payload size. |
    | Email Body | Any content in the body of an email. | Partial | No | None |
    | Email CC (MIME Header) | Any content in the CC MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
    | Email From (MIME Header) | Any content in the From MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
    | Email Size | Allows specification of the maximum email size that can be sent. | N/A | No | None |
    | Email Subject (MIME Header) | Any content in the Subject MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
    | Email To (MIME Header) | Any content in the To MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
    | MIME Custom Header | Allows for creation of MIME custom headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
    | File Content | Allows specification of a pattern to match in the content of a file. The pattern will be matched even if the file is compressed. | Partial | No | ‘Disable attachment’ action should never be applied to this object. |
    | Filename | In cases of email, this is an attachment name. In cases of HTTP, this is a filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename of an uploaded or downloaded file. | Exact, Partial, Prefix, Suffix | Yes | None |
    | Filename Extension | In cases of email, this is an attachment filename extension. In cases of HTTP, this is a filename extension of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename extension of an uploaded or downloaded file. | Exact | Yes | None |
    | FTP Command | Allows selection of specific FTP commands. | N/A | No | None |
    | FTP Command + Value | Allows selection of specific FTP commands and their values. | Exact, Partial, Prefix, Suffix | Yes | None |
    | HTTP Cookie Header | Allows specification of a Cookie sent by a browser. | Exact, Partial, Prefix, Suffix | Yes | None |
    | HTTP Host Header | Content found inside of the HTTP Host header. Represents hostname of the destination server in the HTTP request, such as www.google.com. | Exact, Partial, Prefix, Suffix | Yes | None |
    | HTTP Referrer Header | Allows specification of content of a Referrer header sent by a browser – this can be useful to control or keep stats of which Web sites redirected a user to customer’s Web site. | Exact, Partial, Prefix, Suffix | Yes | None |
    | HTTP Request Custom Header | Allows handling of custom HTTP Request headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
    | HTTP Response Custom Header | Allows handling of custom HTTP Response headers. | Exact, Partial, Prefix, Suffix | Yes | None |
    | HTTP Set Cookie Header | Set-Cookie headers. Provides a way to disallow certain cookies to be set in a browser. | Exact, Partial, Prefix, Suffix | Yes | None |
    | HTTP URI Content | Any content found inside of the URI in the HTTP request. | Exact, Partial, Prefix, Suffix | No | None |
    | HTTP User-Agent Header | Any content inside of a User-Agent header. For example: User-Agent: Skype. | Exact, Partial, Prefix, Suffix | Yes | None |
    | Web Browser | Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari, Chrome). | N/A | Yes | None |
    | IPS Signature Category List | Allows selection of one or more IPS signature groups. Each group contains multiple pre-defined IPS signatures. | N/A | No | None |
    | IPS Signature List | Allows selection of one or more specific IPS signatures for enhanced granularity. | N/A | No | None |


    You can see the available match object types in the drop-down menu by navigating to Manage | Objects | Match objects, clicking Add, and then selecting Match object.

    You can use the LOAD FROM FILE button to import content from predefined text files that contain multiple entries for a match object to match. Each entry in the file must be on its own line. The Load From File feature allows you to easily move App Rules settings from one firewall to another.

    Multiple entries, either from a text file or entered manually, are displayed in the List area. List entries are matched using the logical OR, so if any item in the list is matched, the action for the policy is executed.

    A match object can include a total of no more than 8000 characters. If each element within a match object contains approximately 30 characters, then you can enter about 260 elements. The maximum element size is 8000 bytes.

    Regular Expressions:

    You can configure regular expressions in certain types of match objects for use in App Rules policies. The Match Object Settings options provide a way to configure custom regular expressions or to select from predefined regular expressions. The SonicWall implementation supports reassembly-free regular expression matching on network traffic. This means that no buffering of the input stream is required, and patterns are matched across packet boundaries.
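    To make the reassembly-free behaviour concrete, the following added example (not SonicWall code and not part of the original article) matches a pattern over a byte stream while keeping only the set of pattern positions reached so far, and compares that with inspecting each packet on its own. The pattern, the class and function names, and the sample packets are assumptions constructed for illustration.

```python
import re
import string

# Constructed pattern equivalent to \d{3}-\d{2}-\d{4}. It is an assumption for
# this example, not the predefined US SSN expression shipped with SonicOS.
DIGIT = set(string.digits.encode())
DASH = {ord("-")}
PATTERN = [DIGIT] * 3 + [DASH] + [DIGIT] * 2 + [DASH] + [DIGIT] * 4


class StreamMatcher:
    """Match a sequence of byte classes over a stream without buffering it.

    Only the set of pattern positions reached so far is kept between packets.
    """

    def __init__(self, pattern):
        self.pattern = pattern
        self.active = set()  # pattern indexes that partial matches have reached
        self.offset = 0      # bytes consumed so far across all packets
        self.matches = []    # stream offsets of the last byte of each match

    def feed(self, packet: bytes):
        for byte in packet:
            reached = set()
            # Extend every partial match and try to start a new one at index 0.
            for pos in self.active | {0}:
                if byte in self.pattern[pos]:
                    if pos + 1 == len(self.pattern):
                        self.matches.append(self.offset)
                    else:
                        reached.add(pos + 1)
            self.active = reached
            self.offset += 1


def per_packet_hits(packets):
    """Baseline: inspect each packet alone, as a non-streaming matcher would."""
    return sum(bool(re.search(rb"\d{3}-\d{2}-\d{4}", p)) for p in packets)


def stream_hits(packets):
    """Feed packets in order and return the stream offsets where matches end."""
    matcher = StreamMatcher(PATTERN)
    for packet in packets:
        matcher.feed(packet)
    return matcher.matches


# Constructed traffic: the sensitive value is split across two packets.
PACKETS = [b"POST /form ssn=000-1", b"2-3456&name=x"]

if __name__ == "__main__":
    print(per_packet_hits(PACKETS), stream_hits(PACKETS))
```

    The per-packet baseline misses the value because neither packet contains the whole pattern, while the streaming matcher reports it at the stream offset of its final byte.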

    SonicOS provides the following predefined regular expressions:

    | Name | Description |
    |---|---|
    | VISA CC | VISA Credit Card Number |
    | US SSN | United States Social Security Number |
    | CANADIAN SIN | Canadian Social Insurance Number |
    | ABA ROUTING NUMBER | American Bankers Association Routing Number |
    | AMEX CC | American Express Credit Card Number |
    | MASTERCARD CC | Mastercard Credit Card Number |
    | DISCOVER CC | Discover Credit Card Number |


    Predefined regular expressions can be selected during configuration, or you can configure a custom regular expression.

    NOTE: For more details on the regex syntax and custom regular expressions, see the SonicOS Admin guide for SonicOS Policies, available at SonicOS Technical Documentation.

    Negative Matching:

    Negative matching provides an alternate way to specify which content to block. You can enable negative matching in a match object when you want to block everything except the specified content. When you use the object in a policy, the policy will execute actions based on the absence of the content specified in the match object. Multiple list entries in a negative matching object are matched using the logical AND, meaning that the policy action is executed only when all specified negative matching entries are matched.

    Although all App Rules policies are DENY policies, you can simulate an ALLOW policy by using negative matching. For instance, you can allow email .txt attachments and block attachments of all other file types. Or you can allow a few types and block all others.

    Not all match object types can utilize negative matching. For those that can, you will see the Enable Negative Matching checkbox on the Add/Edit Match Object dialog.
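    The list logic (OR for ordinary lists, AND for negative matching) and the text versus hexadecimal input representations described above can be modelled in a few lines. This is an added example, not SonicWall code or part of the original article; the class, the sample objects and the case-sensitive comparison are assumptions made for illustration.

```python
from dataclasses import dataclass

# Match types from the table above; regex is omitted to keep the model small.
MATCHERS = {
    "exact": lambda value, entry: value == entry,
    "partial": lambda value, entry: entry in value,
    "prefix": lambda value, entry: value.startswith(entry),
    "suffix": lambda value, entry: value.endswith(entry),
}


@dataclass
class MatchObject:
    """Simplified model of a match object (assumed: case-sensitive compare)."""
    object_type: str
    match_type: str
    entries: list
    negative: bool = False   # models the Enable Negative Matching checkbox
    hex_input: bool = False  # hexadecimal instead of text input representation

    def _needle(self, entry: str) -> bytes:
        # Hex entries describe raw bytes; text entries are taken literally.
        return bytes.fromhex(entry) if self.hex_input else entry.encode()

    def triggers(self, value: bytes) -> bool:
        """Return True when the policy action would run for this value."""
        test = MATCHERS[self.match_type]
        hits = [test(value, self._needle(e)) for e in self.entries]
        if self.negative:
            # Logical AND over absence: no listed entry may be present.
            return not any(hits)
        # Logical OR: a single matching entry is enough.
        return any(hits)


# Constructed objects for illustration.
ALLOW_DOCS = MatchObject("Filename Extension", "exact", ["txt", "pdf"], negative=True)
CHAT_AGENTS = MatchObject("HTTP User-Agent Header", "prefix", ["Skype", "ExampleChat"])
MZ_BYTES = MatchObject("File Content", "partial", ["4D5A9000"], hex_input=True)


def blocked_extensions(extensions):
    """Extensions for which the DENY action fires under ALLOW_DOCS."""
    return [ext for ext in extensions if ALLOW_DOCS.triggers(ext.encode())]


if __name__ == "__main__":
    print(blocked_extensions(["txt", "exe", "pdf", "zip"]))
    print(CHAT_AGENTS.triggers(b"Skype/8.1"))
    print(MZ_BYTES.triggers(b"\x00\x01MZ\x90\x00\x03"))
```

    With negative matching enabled, the DENY action fires for exe and zip but not for txt or pdf, which is the simulated ALLOW policy the article describes.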

    NOTE: Match Objects are used in conjunction with Action Objects to create App Rules. See the linked article, Most common configurations for App rules, for how these Match Objects can be used in specific scenarios.

