Test a Custom Signature

Run tests to verify that your custom signature functions properly and make improvements, if necessary.
Custom signatures are particularly prone to false positives (traffic incorrectly identified as the application or threat) and false negatives (the application or threat not detected at all). Always test a custom signature after committing its configuration to verify that it behaves as expected. Poorly written or outdated custom signatures are often discovered, and improved, only through testing; left unexamined, they reduce the efficacy of the firewall.
For custom App-ID signatures, generate traffic for the application or application function from a client system that has the firewall between it and the application. Then check the Traffic logs to verify that the generated sessions were identified as your custom application. If any of the test sessions were identified as something else (for example, as web-browsing or unknown-tcp), your signature is incomplete. Capture those sessions with a packet capture tool such as Wireshark, identify patterns in the streams that are unique to the application and that your signature missed, and add them to the signature to improve its accuracy.
For custom threat signatures, send the exploit or attack traffic the signature is meant to catch against the protected system, for example as part of a penetration test. Then view the Threat logs to see whether the threat was detected and which action was taken. Investigate any false positives or false negatives: you may need to modify the signature's pattern, change its default action, or review the security profiles and policy rules that apply to the traffic.
  1. Validate that traffic matches your signature as expected.
    1. Generate the application traffic or run the penetration test.
    2. Navigate to Monitor > Logs > Traffic (for a custom application) or Monitor > Logs > Threat (for a custom threat). Verify that you see sessions matching the custom application or threat, and that they are handled according to your policy rule.
      For example, if you wrote an application signature for file upload on example.com, you would visit example.com and upload a file. In the Traffic logs, you would verify that the session's application changed from “web-browsing” to “uploading-example” after the file upload.
    3. Fine-tune your signature by adding patterns or conditions, if necessary.
    4. Repeat until every test session matches the signature and no unrelated traffic does.
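The log review in the procedure above is easier to do systematically than by eye, especially when you repeat it after each signature change. The following is an added example, not code from the PAN-OS documentation: it triages exported Traffic and Threat log records from a test run and reports matched sessions, missed sessions (and what App-ID saw instead, which tells you which stream to open in a packet capture), and hits outside the test path that suggest the signature is too broad. The CSV column names, the application name uploading-example, the threat name example-path-traversal, and the addresses are assumptions; the log lines are constructed sample data. Adjust the column names to match your own export.

```python
"""Triage exported PAN-OS style log records after testing a custom signature.

Added example; column names and all sample data below are assumptions and
constructed records, not an actual firewall export.
"""
import csv
import io
from collections import Counter

# Constructed Traffic log export. Test client 198.51.100.7 uploaded files to
# the test server 203.0.113.10; the last two rows are unrelated background
# traffic that should not match the custom application.
TRAFFIC_CSV = """\
Receive Time,Source address,Destination address,Destination Port,Application,Action,Rule
2024/05/01 10:00:01,198.51.100.7,203.0.113.10,443,uploading-example,allow,allow-example-upload
2024/05/01 10:00:09,198.51.100.7,203.0.113.10,443,uploading-example,allow,allow-example-upload
2024/05/01 10:00:15,198.51.100.7,203.0.113.10,443,web-browsing,allow,allow-web
2024/05/01 10:00:22,198.51.100.7,203.0.113.10,443,unknown-tcp,deny,default-deny
2024/05/01 10:01:03,198.51.100.20,192.0.2.55,443,uploading-example,allow,allow-example-upload
2024/05/01 10:01:40,198.51.100.20,192.0.2.60,80,web-browsing,allow,allow-web
"""

# Constructed Threat log export for a custom vulnerability signature test.
THREAT_CSV = """\
Receive Time,Source address,Destination address,Threat/Content Name,Severity,Action
2024/05/01 10:05:01,198.51.100.7,203.0.113.10,example-path-traversal,high,reset-both
2024/05/01 10:05:07,198.51.100.7,203.0.113.10,example-path-traversal,high,alert
2024/05/01 10:06:12,198.51.100.20,192.0.2.55,example-path-traversal,high,reset-both
"""


def parse_csv(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def on_test_path(row, test_client, test_server):
    """True if the record belongs to the traffic you generated for the test."""
    return (row["Source address"] == test_client
            and row["Destination address"] == test_server)


def evaluate_app_signature(rows, expected_app, test_client, test_server):
    """Classify Traffic log rows from a custom App-ID test run.

    Sessions on the test path must be identified as expected_app; anything
    off the test path identified as expected_app is a candidate false positive.
    """
    result = {"matched": 0, "missed": Counter(), "false_positive": [],
              "actions": Counter()}
    for r in rows:
        app = r["Application"]
        if on_test_path(r, test_client, test_server):
            if app == expected_app:
                result["matched"] += 1
                result["actions"][r["Action"]] += 1  # check policy handling too
            else:
                # What App-ID saw instead (web-browsing, unknown-tcp, ...)
                # points at the stream to inspect in a packet capture.
                result["missed"][app] += 1
        elif app == expected_app:
            result["false_positive"].append(
                (r["Source address"], r["Destination address"]))
    return result


def evaluate_threat_signature(rows, threat_name, expected_action,
                              test_client, test_server):
    """Classify Threat log rows from a custom threat signature test.

    Hits on the test path with the wrong action point at the signature's
    default action or the applied security profile; hits off the test path
    are candidate false positives.
    """
    hits = [r for r in rows if r["Threat/Content Name"] == threat_name]
    on_path = [r for r in hits if on_test_path(r, test_client, test_server)]
    off_path = [r for r in hits if not on_test_path(r, test_client, test_server)]
    return {
        "detected": len(on_path),
        "wrong_action": sum(1 for r in on_path if r["Action"] != expected_action),
        "false_positive": [(r["Source address"], r["Destination address"])
                           for r in off_path],
    }


if __name__ == "__main__":
    app = evaluate_app_signature(parse_csv(TRAFFIC_CSV), "uploading-example",
                                 "198.51.100.7", "203.0.113.10")
    print("App-ID:", app)
    thr = evaluate_threat_signature(parse_csv(THREAT_CSV), "example-path-traversal",
                                    "reset-both", "198.51.100.7", "203.0.113.10")
    print("Threat:", thr)
```

On the constructed data the App-ID check reports two matched sessions, one session left at web-browsing and one at unknown-tcp (both signatures to refine), and one off-path session identified as uploading-example that needs a closer look before the signature is trusted. The threat check reports two detections, one with the wrong action, and one off-path hit. Run it against a fresh export after every change to the signature until the missed and false-positive lists are empty.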