Enhanced Pattern-Matching Engine for Custom Signatures

The new PAN-OS® pattern-matching engine lets you create and use a wider variety of signatures.

The PAN-OS® pattern-matching engine now supports a wider selection of regular expression (regex) syntax and a shorter minimum pattern length. The new regex syntax and pattern length requirements enable you to more finely control application usage on your network with custom application signatures and to detect more malicious traffic by increasing the number of custom threat signatures that you can create and ingest from third-party sources.
To maximize this new compatibility with third-party signatures, you can install the IPS Signature Converter for Panorama, which provides an automated solution to converting Snort and Suricata signatures into custom Palo Alto Networks threat signatures.
If used incorrectly, a shorter minimum pattern length and a richer selection of syntax can degrade firewall performance. Consequences range from higher latency to dropped packets. To avoid performance degradation, you can check the performance impact of your signatures before you commit them.
The new engine also allows you to create context-free signatures that can match anywhere after the TCP or UDP header. You can configure this whole-packet matching by selecting tcp-context-free or udp-context-free, depending on the kind of traffic for which you're creating the signature.
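The following added example (not Palo Alto Networks code, and not the PAN-OS engine itself) illustrates two points from the text above: checking a custom signature pattern for length and costly regex constructs before committing it, and what "context-free" matching means in practice, i.e. searching the bytes that follow the TCP or UDP header rather than a specific protocol field. The minimum length of 7, the list of flagged constructs and the sample packets are assumptions constructed for the demonstration; the page does not state PAN-OS's actual minimum length or its supported syntax, and the matcher here is Python's re module, not the firewall's engine.

```python
"""Added example: lint a custom signature pattern, then match it
context-free over the bytes after a TCP or UDP header.
Not Palo Alto Networks code; thresholds and packets are constructed."""
import re
import struct

# Assumption: illustrative minimum pattern length. PAN-OS enforces its own
# limit, which this example does not know.
MIN_PATTERN_LEN = 7

# Constructs that are cheap in a backtracking matcher only while inputs stay
# small. They are flagged so the pattern can be checked before commit.
RISKY_CONSTRUCTS = [
    (re.compile(r"\(\s*[^)]*[+*]\s*\)\s*[+*]"), "nested quantifier, e.g. (a+)+"),
    (re.compile(r"^\.\*"), "leading .* forces a scan of the whole payload"),
    (re.compile(r"\.\*.*\.\*"), "multiple unbounded .* in one pattern"),
]


def lint_pattern(pattern: str, min_len: int = MIN_PATTERN_LEN) -> list:
    """Return human-readable findings; an empty list means no concern."""
    findings = []
    # Heuristic: count characters left after stripping regex metacharacters,
    # so a pattern made mostly of wildcards is not mistaken for a long one.
    literal = re.sub(r"[.*+?^$|(){}\[\]\\]", "", pattern)
    if len(literal) < min_len:
        findings.append(f"only {len(literal)} literal bytes (< {min_len})")
    for rx, why in RISKY_CONSTRUCTS:
        if rx.search(pattern):
            findings.append(why)
    return findings


def payload_offset(packet: bytes, proto: str) -> int:
    """Offset of the first byte after the transport header.

    `packet` starts at the TCP or UDP header (no IP header in front).
    UDP headers are a fixed 8 bytes; TCP headers are 4 * Data Offset,
    where Data Offset is the upper nibble of header byte 12.
    """
    if proto == "udp":
        return 8
    if proto == "tcp":
        return (packet[12] >> 4) * 4
    raise ValueError("proto must be 'tcp' or 'udp'")


def match_context_free(pattern: str, packet: bytes, proto: str):
    """Search `pattern` anywhere after the transport header.

    Returns the (start, end) span relative to the packet, or None.
    """
    start = payload_offset(packet, proto)
    m = re.search(pattern.encode(), packet[start:], re.DOTALL)
    return (start + m.start(), start + m.end()) if m else None


# Constructed sample traffic: a 20-byte TCP header (Data Offset = 5) and an
# 8-byte UDP header, each followed by the same payload.
PAYLOAD = b"..noise..SAMPLE-BEACON-0042..tail"
SAMPLE_TCP = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 2000,
                         5 << 4, 0x18, 65535, 0, 0) + PAYLOAD
SAMPLE_UDP = struct.pack("!HHHH", 40000, 53, 8 + len(PAYLOAD), 0) + PAYLOAD

if __name__ == "__main__":
    sig = r"SAMPLE-BEACON-[0-9]{4}"   # constructed signature pattern
    print("lint:", lint_pattern(sig) or "ok")
    print("tcp:", match_context_free(sig, SAMPLE_TCP, "tcp"))
    print("udp:", match_context_free(sig, SAMPLE_UDP, "udp"))
    print("lint of a weak pattern:", lint_pattern(r".*(a+)+x"))
```

The linter is deliberately conservative: it reports a pattern that is short on literal bytes or that contains constructs known to inflate matching cost, which is the kind of review the text recommends before committing signatures that could raise latency or drop packets. The context-free matcher shows why that matters: once a pattern is allowed to match anywhere after the header, every byte of payload is a candidate position, so pattern cost is paid across the whole packet.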