Enhanced Pattern-Matching Engine for Custom Signatures
10.0 (EoL)
The new PAN-OS® pattern-matching engine lets you create and use a wider variety of signatures.

The PAN-OS® pattern-matching engine now supports a wider selection of regular expression (regex) syntax and a shorter minimum pattern length. The new regex syntax and pattern length requirements let you control application usage on your network more finely with custom application signatures, and detect more malicious traffic by increasing the number of possible custom threat signatures that you can create and ingest from third-party applications.

To maximize this new compatibility with third-party signatures, you can install the IPS Signature Converter for Panorama, which automates the conversion of Snort and Suricata signatures into custom Palo Alto Networks threat signatures.

If used incorrectly, a shorter minimum pattern length and a richer selection of syntax can degrade firewall performance. Consequences range from higher latency to dropped packets. To avoid performance degradation, you can check the performance impact of your signatures before you commit them.

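A pre-conversion triage for the Snort and Suricata rules mentioned above, added here as an illustration (it is not Palo Alto Networks code and not how the IPS Signature Converter works): it reports the longest fixed literal in each rule's content and pcre options and marks rules with only short literals for review before they are converted and committed. The 4-byte threshold, the function names and the sample rules are assumptions constructed for this example, and the regex literal count is a heuristic.

```python
import re

MIN_LITERAL_BYTES = 4  # assumed review threshold, not a documented PAN-OS limit

# Constructed sample rules in Snort syntax (not taken from any real ruleset).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"long literal"; content:"/admin/config.php"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"two-byte literal"; content:"|0d 0a|"; sid:1000002;)',
    'alert udp any any -> any 53 (msg:"regex only"; pcre:"/.*[a-z]+.*/i"; sid:1000003;)',
    'alert tcp any any -> any 21 (msg:"literal plus regex"; content:"USER "; pcre:"/USER\\s+root/"; sid:1000004;)',
]

OPTION_RE = re.compile(r'\b(content|pcre):\s*!?"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)')

def content_length(value):
    """Byte length of a content string; |..| sections hold hex byte pairs."""
    parts = value.split("|")
    text = sum(len(re.sub(r"\\(.)", r"\1", p)) for p in parts[0::2])
    return text + sum(len(bytes.fromhex(p)) for p in parts[1::2])

def longest_regex_literal(pcre):
    """Heuristic: longest run of fixed characters in a /regex/flags value."""
    body = pcre[1:pcre.rfind("/")]
    body = re.sub(r"\[(?:\\.|[^\]\\])*\]", "\0", body)  # drop character classes
    best = run = 0
    for tok in re.findall(r"\\.|.", body):
        # \. is a literal dot; \s, \d, \x.. and bare metacharacters are not fixed
        literal = not tok[1].isalnum() if len(tok) == 2 else tok not in "\0.*+?()[]{}|^$"
        if literal:
            run += 1
            continue
        # an atom followed by * ? or { may be absent, so it is not counted
        best = max(best, run - 1 if tok in "*?{" and run else run)
        run = 0
    return max(best, run)

def triage(rule):
    """Return (sid, longest fixed literal in bytes, verdict) for one rule."""
    sid = int(SID_RE.search(rule).group(1))
    sizes = [content_length(v) if k == "content" else longest_regex_literal(v)
             for k, v in OPTION_RE.findall(rule)]
    longest = max(sizes, default=0)
    return sid, longest, "ok" if longest >= MIN_LITERAL_BYTES else "review"

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(triage(rule))
```

A "review" verdict only picks out rules worth a closer look; the firewall's own performance check described above remains the measure of actual impact.
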
The new engine also allows you to create context-free signatures that can match anywhere after the TCP or UDP header. You can configure this whole-packet matching by selecting tcp-context-free or udp-context-free, depending on the kind of traffic for which you’re creating the signature.