Run tests to verify that your custom signature functions
properly and make improvements, if necessary.
Custom signatures are particularly prone to false positives and false negatives:
traffic that is misidentified, or applications and threats that go undetected.
You should always test a custom signature after committing its configuration
to verify that it functions as expected. Problems with a poorly written or outdated
custom signature are often only found (and fixed) through testing.
If left unexamined, such signatures can reduce the efficacy of the
firewall.
For custom App-ID signatures, generate traffic matching
the application or application functions from a client system with
the firewall between it and the application. Then check the Traffic
logs to verify that the generated sessions are identified as the application
you defined. Your signature is incomplete if any session from your
test is classified as something else (for example as unknown-tcp or as a
more generic application such as ssl or web-browsing). Capture the
streams of sessions that do not match with a packet capture tool such as Wireshark,
identify unique patterns in those streams, and add them to your
signature to improve its accuracy.
For custom threat signatures, run penetration tests that exercise the
vulnerability or behavior the signature targets.
Then view the Threat logs to see the threat activity and the actions
taken. Investigate any false positives or negatives: you may need
to modify your signature, change its default action, or examine the
security profiles and policies that apply the signature to traffic.
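The two checks described above (test sessions that were not identified as the custom App-ID, and custom threat signature hits that are missing, unexpected, or took the wrong action) are easy to automate against an exported log. The script below is an added example, not part of the original page or Palo Alto Networks' own tooling. It works on constructed sample exports that use only a subset of the real Traffic and Threat log field names; the addresses, the application name my-custom-app, the signature ID 41000 and the expected hit count are all assumed test values.

```python
"""Check exported PAN-OS Traffic and Threat logs for custom-signature gaps.

Added example. The CSV text below is constructed sample data with a subset
of the real export columns; addresses, app name and threat ID are assumed.
"""
import csv
import io
from collections import Counter

# Constructed Traffic log export: the test client 10.1.1.50 made four sessions
# to the app server 192.168.10.20:8443. Two were identified as the custom app,
# one fell back to ssl and one aged out as unknown-tcp (both are gaps).
TRAFFIC_CSV = """Source address,Destination address,Destination Port,Application,Action,Session End Reason
10.1.1.50,192.168.10.20,8443,my-custom-app,allow,tcp-fin
10.1.1.50,192.168.10.20,8443,my-custom-app,allow,tcp-fin
10.1.1.50,192.168.10.20,8443,ssl,allow,tcp-fin
10.1.1.50,192.168.10.20,8443,unknown-tcp,allow,aged-out
10.1.1.77,192.168.10.20,8443,my-custom-app,allow,tcp-fin
10.1.1.50,192.168.10.30,443,web-browsing,allow,tcp-fin
"""

# Constructed Threat log export. 41000 is an assumed ID from the range PAN-OS
# reserves for custom vulnerability signatures (41000-45000). The pentest host
# 10.1.1.50 sent three attempts; only two were logged, and one hit came from
# 10.1.1.99, which was not part of the test.
THREAT_CSV = """Source address,Destination address,Threat/Content Name,Threat ID,Severity,Action
10.1.1.50,192.168.10.20,My Custom Exploit Check,41000,high,alert
10.1.1.50,192.168.10.20,My Custom Exploit Check,41000,high,alert
10.1.1.99,192.168.10.20,My Custom Exploit Check,41000,high,alert
"""


def parse_log(text):
    """Parse a CSV log export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def appid_coverage(rows, client, server, port, expected_app):
    """Split the test sessions (client -> server:port) into matched and missed.

    Missed rows are the sessions to pull into Wireshark for new patterns.
    """
    test_sessions = [
        r for r in rows
        if r["Source address"] == client
        and r["Destination address"] == server
        and r["Destination Port"] == port
    ]
    matched = [r for r in test_sessions if r["Application"] == expected_app]
    missed = [r for r in test_sessions if r["Application"] != expected_app]
    return matched, missed


def threat_check(rows, tester, target, threat_id, attempts_sent, expected_action):
    """Compare Threat log hits for one signature against what the pentest sent.

    Returns counts of hits from the tester, probable false negatives (attempts
    that produced no log entry), hits from other sources (probable false
    positives), and hits where the logged action differs from the expected one.
    """
    hits = [
        r for r in rows
        if r["Threat ID"] == threat_id and r["Destination address"] == target
    ]
    from_tester = [r for r in hits if r["Source address"] == tester]
    other_sources = [r for r in hits if r["Source address"] != tester]
    wrong_action = [r for r in from_tester if r["Action"] != expected_action]
    return {
        "hits_from_tester": len(from_tester),
        "false_negatives": max(attempts_sent - len(from_tester), 0),
        "suspect_false_positives": len(other_sources),
        "wrong_action": len(wrong_action),
    }


if __name__ == "__main__":
    matched, missed = appid_coverage(
        parse_log(TRAFFIC_CSV), "10.1.1.50", "192.168.10.20", "8443", "my-custom-app")
    print(f"App-ID: {len(matched)} matched, {len(missed)} missed")
    for app, n in Counter(r["Application"] for r in missed).items():
        print(f"  {n} session(s) classified as {app}: capture and inspect")
    result = threat_check(
        parse_log(THREAT_CSV), "10.1.1.50", "192.168.10.20", "41000", 3, "alert")
    print("Threat:", result)
```

A missed App-ID session that ended as unknown-tcp usually means none of the patterns matched at all, while one classified as ssl or web-browsing means the built-in signature won on the same stream; both are candidates for an additional pattern. A threat hit from a host that was not part of the test is the first thing to investigate as a false positive before the signature's action is raised from alert to a blocking action.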