Custom Signature Pattern Requirements


Review the requirements for creating custom signature patterns.
The pattern requirements and available syntax for custom signatures depend on your firewall version. Firewalls running PAN-OS 10.0 (or a later version) have more flexible pattern requirements and a wider selection of regular expression (regex) syntax.
Refer to Syntax for Regular Expression Data Patterns for more details about the differences in syntax and pattern requirements between pre-PAN-OS 10.0 releases and PAN-OS 10.0 (and later) releases. You can switch between documentation releases by using the version switcher located in the left navigation bar.
If you encounter any errors using your custom signatures, verify that they conform to the following requirements.
All versions
  • You can enter hex-based patterns by surrounding the bytes with ‘\x’.
  • Most signature patterns can contain a maximum of 127 characters.
    • If you need to use a pattern longer than 127 characters, create two separate conditions (one beginning where the other left off) and join them with ‘AND’. You can still use Ordered Condition Match to require the firewall to consider one condition before the other to ensure a closer match to the full string.
    • PA-220 and PA-800 appliances running PAN-OS 10.2 and later support a maximum pattern length of 64 characters for the following contexts: tcp-context-free and udp-context-free.
      Signature compilation processes can cause other signatures to support a maximum pattern length of 64 characters; however, this is a rare occurrence.
      As noted above, you can also create a pattern that is longer than the maximum size of 64 characters by creating two separate conditions.
  • Some application decoders may be case-sensitive for a given field, depending on the decoder the firewall uses. For this reason, you should define variations of the pattern. For example, \.CNN\.com and \.cnn\.com will ensure your signature functions properly regardless of case.
PAN-OS 9.1 and earlier versions
  • Every pattern you create must contain at least one 7-byte string with fixed values.
    • The 7 bytes cannot include a period (.), an asterisk (*), a plus sign (+), or [a-z] (ranges).
    • The 7-byte string can be anywhere in your pattern.
  • The curly braces (repetition operator) have some limitations.
    • Curly braces must be preceded by a ‘.’ (period).
    • You must have 7 static bytes after the braces.
  • If you have two strings that are both less than 7 bytes and that are separated by a regular expression wildcard element, you must increase the size of at least one of the strings to 7 or more bytes.
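
The following is an added example, not Palo Alto Networks code: a Python pre-flight check that applies the length limit and the PAN-OS 9.1-and-earlier rules listed above to a pattern string before you commit it. The name lint_pattern, its parameters, the reading of a \x..\x block as two hex digits per byte, and the choice to treat ?, | and parentheses as non-fixed are assumptions of this example.

```python
import re

# Tokenizer for a pattern string. Treating every operator below as "not fixed"
# is a conservative assumption; the page itself names . * + and ranges.
TOKEN = re.compile(r"""
    (?P<hex>\\x[0-9A-Fa-f]+\\x)  # \x..\x hex block (assumed: two digits per byte)
  | (?P<esc>\\.)                 # escaped character, e.g. \. = one fixed byte
  | (?P<cls>\[[^\]]*\])          # character class or range such as [a-z]
  | (?P<rep>\{[^}]*\})           # curly-brace repetition operator
  | (?P<meta>[.*+?|()])          # other regex operators
  | (?P<lit>.)                   # anything else = one fixed byte
""", re.X | re.S)

def lint_pattern(pattern, max_len=127, legacy=True):
    """Return a list of problems; legacy=True adds the PAN-OS 9.1-and-earlier rules."""
    problems = []
    if len(pattern) > max_len:
        problems.append(f"{len(pattern)} characters exceeds {max_len}; split into AND-ed conditions")
    if not legacy:
        return problems
    run, longest, prev, after_brace = 0, 0, "", False

    def close_run():
        # End the current run of fixed bytes and apply the after-braces rule.
        nonlocal run, longest, after_brace
        if after_brace and run < 7:
            problems.append("fewer than 7 static bytes after braces")
        longest, run, after_brace = max(longest, run), 0, False

    for m in TOKEN.finditer(pattern):
        kind, text = m.lastgroup, m.group()
        if kind in ("hex", "esc", "lit"):
            run += (len(text) - 4) // 2 if kind == "hex" else 1
        else:
            close_run()
            if kind == "rep":
                if prev != ".":
                    problems.append("braces not preceded by '.'")
                after_brace = True
        prev = text
    close_run()
    if longest < 7:
        problems.append("no 7-byte fixed string")
    return problems

if __name__ == "__main__":
    # Constructed sample patterns (only \.cnn\.com appears on the page).
    for p in [r"\.cnn\.com", r"abc.*def", r"user=[a-z]{4}password", r"login.{1,20}id="]:
        print(p, "->", lint_pattern(p) or "ok")
```

Pass max_len=64 for tcp-context-free and udp-context-free patterns on PA-220 and PA-800 appliances running PAN-OS 10.2 and later, and legacy=False for PAN-OS 10.0 and later, where this example applies only the length check.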