Syntax for Regular Expression Data Patterns
The general pattern requirements and syntax for creating data patterns depend on the pattern-matching engine that you enable: classic or enhanced (default).
Pattern Requirements | Classic | Enhanced |
---|---|---|
Pattern length | Requires 7 literal characters, which cannot include a period (.), an asterisk (*), a plus sign (+), or a range ([a-z]). | Requires two literal characters. |
Case-insensitivity | Requires you to define patterns for all possible strings to match all variations of a term. Example: To match any documents designated as confidential, you must create a pattern that includes “confidential,” “Confidential,” and “CONFIDENTIAL.” | Allows you to use the i option on a sub-pattern. Example: ((?i)\bconfidential\b) matches ConfiDential. |
The regular expression syntax in PAN-OS® is similar to traditional regular expression engines, but every engine is unique. The Classic Syntax and Enhanced Syntax tables describe the syntax supported in the PAN-OS pattern-matching engines.
Classic Syntax
Pattern Syntax | Description |
---|---|
. | Match any single character. |
? | Match the preceding character or expression 0 or one time. You must include the general expression inside parentheses. Example: (abc)? |
* | Match the preceding character or expression 0 or more times. You must include the general expression inside parentheses. Example: (abc)* |
+ | Match the preceding character or regular expression one or more times. You must include the general expression inside parentheses. Example: (abc)+ |
\| | Specify one “OR” another. You must include alternative substrings in parentheses. Example: ((bif)\|(scr)\|(exe)) matches bif, scr, or exe. |
- | Specify a range. Example: [c-z] matches any character between c and z inclusive. |
[ ] | Match any specified character. Example: [abz] matches any of the specified characters—a, b, or z. |
^ | Match any character except those specified. Example: [^abz] matches any character except the specified characters—a, b, or z. |
{ } | Match a string whose length is between a minimum and a maximum. Example: {10-20} matches any string that is between 10 and 20 bytes inclusive. You must specify this directly in front of a fixed string and you can use only a hyphen (-). |
\ | Perform a literal match on any character. You must precede the specified character with a backslash (\). |
& | The ampersand (&) is a special character so, to look for & in a string, you must use &amp;. |
Enhanced Syntax
The enhanced pattern-matching engine supports all of the Classic Syntax as
well as the following syntax:
Pattern Syntax | Description |
---|---|
Shorthand character classes: Symbols that stand for a character of a specific type, such as a digit or white space. You can negate any of these shorthand character classes by using uppercase characters. | |
\s | Match any whitespace character. Example: \s matches a space, tab, line break, or form feed. |
\d | Match a character that is a digit [0-9]. Example: \d matches 0. |
\w | Match an ASCII character [A-Za-z0-9_]. Example: \w\w\w matches PAN. |
\v | Match a vertical white space character, which includes all Unicode line break characters. Example: \v matches a vertical white space character. |
\h | Match horizontal white space, which includes the tab and all of the “space separator” Unicode characters. Example: \h matches a horizontal white space character. |
Bounded repeat quantifiers: Specify how many times to repeat the previous item. | |
{n} | Match exactly a number (n) of times. Example: a{2} matches aa. |
{n,m} | Match from n to m times. Example: a{2,4} matches aa, aaa, and aaaa. |
{n,} | Match at least n times. Example: a{2,} matches aaaaa in aaaaab. |
Anchor characters: Specify where to match an expression. | |
^ | Match at the beginning of a string. Also matches after every line break when multi-line mode (m) is enabled. Example: Given the string abc, ^a matches a, but ^b doesn’t match anything because b doesn’t occur at the start of the string. |
$ | Match at the end of a string or before a newline character at the end of a string. Also matches before every line break when multi-line mode (m) is enabled. Example: Given the string abc, c$ matches c, but a$ doesn’t match anything because a doesn’t occur at the end of the string. |
\A | Match at the beginning of a string. Doesn’t match after line breaks, even when multi-line mode (m) is enabled. |
\Z | Match at the end of a string and before the final line break. Doesn’t match before other line breaks even when multi-line mode (m) is enabled. |
\z | Match at the absolute end of a string. Doesn’t match before line breaks. |
Option modifiers: Change the behavior of a sub-pattern. Enter (?<option>) to enable or (?-<option>) to disable. | |
i | Enable case-insensitivity. Example: ((?i)\bconfidential\b) matches ConfiDential. |
m | Make ^ and $ match at the beginning and end of lines. |
s | Make . match anything, including line break characters. |
x | Ignore whitespace between regex tokens. |
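The case-insensitivity row of the requirements table and the i option modifier above describe two ways to catch a marking such as "confidential". The following added example (not part of the PAN-OS documentation) compares their coverage, using Python's re module as a stand-in for the PAN-OS engines. The function names and sample lines are constructed for illustration, and Python needs the scoped form (?i:...) where the page writes ((?i)...).

```python
import re

# Constructed sample lines standing in for scanned document content.
SAMPLE_LINES = [
    "This report is confidential.",
    "Confidential: do not forward",
    "CONFIDENTIAL - internal only",
    "Marked ConfiDential by the author",
    "Status: cOnFiDeNtIaL draft",
    "Nonconfidentially speaking, nothing here",
    "Public release notes",
]

def classic_pattern(term):
    """Classic style: one parenthesised alternative per enumerated spelling."""
    variants = [term.lower(), term.capitalize(), term.upper()]
    return "(" + "|".join("(" + re.escape(v) + ")" for v in variants) + ")"

def enhanced_pattern(term):
    """Enhanced style: case-insensitive sub-pattern with word boundaries.
    Assumption: (?i:...) is Python's spelling of the page's ((?i)...)."""
    return r"((?i:\b" + re.escape(term) + r"\b))"

def matching_lines(pattern, lines):
    """Return the lines in which the pattern matches anywhere."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]

def coverage_gap(term, lines):
    """Lines the enhanced pattern flags but the enumerated pattern misses."""
    classic = set(matching_lines(classic_pattern(term), lines))
    enhanced = matching_lines(enhanced_pattern(term), lines)
    return [line for line in enhanced if line not in classic]

def classic_only(term, lines):
    """Lines only the enumerated pattern flags (substring hits without \\b)."""
    enhanced = set(matching_lines(enhanced_pattern(term), lines))
    classic = matching_lines(classic_pattern(term), lines)
    return [line for line in classic if line not in enhanced]

if __name__ == "__main__":
    print("missed by enumeration:", coverage_gap("confidential", SAMPLE_LINES))
    print("substring-only hits:  ", classic_only("confidential", SAMPLE_LINES))
```

Mixed-case spellings that were never enumerated slip past the classic-style pattern, while the \b anchors in the enhanced-style pattern keep it from firing on "Nonconfidentially".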