Review the requirements for creating custom signature
The pattern requirements and available syntax for custom signatures
depends on your firewall version. Firewalls running PAN-OS 10.0 (or a later version) have
more flexible pattern requirements and a wider selection of regular
expression (regex) syntax.
If you encounter any errors using your custom signatures, verify
that they conform to the following requirements.
Custom Signature Pattern Requirements
You can enter hex-based patterns
by surrounding the bytes with ‘
The Pattern can contain a maximum of 127 characters.
you need to use a pattern longer than 127 characters, create two
separate conditions—one beginning where the other left off—and join
them with ‘
’. You can still use
to require the firewall to consider one condition
before the other to ensure a closer match to the full string.
Some application decoders may be case-sensitive for a given
field, depending on the decoder the firewall uses. For this reason,
you should define variations of the pattern. For example, \.CNN\.com
and \.cnn\.com will ensure your signature functions properly regardless
PAN-OS 9.1 and earlier versions
Every pattern you create must contain
at least one 7-byte string with fixed values.
7 bytes cannot include a period (
an asterisk (
), a plus sign (
The 7-byte string can be anywhere in your pattern.
The curly braces (repetition operator) has some limitations.
Curly braces must be preceded by a ‘
You must have 7 static bytes after the braces.
If you have two strings that are both less than 7 bytes and that
are separated by a regular expression wildcard element, you must
increase the size of at least one of the strings to 7 or more bytes.