Custom Signature Pattern Requirements

Review the requirements for creating custom signature patterns.
The pattern requirements and available syntax for custom signatures depends on your firewall version. Firewalls running PAN-OS 10.0 (or a later version) have more flexible pattern requirements and a wider selection of regular expression (regex) syntax.
Refer to Syntax for Regular Expression Data Patterns for more details about the differences in syntax and pattern requirements between pre-PAN-OS 10.0 releases and PAN-OS 10.0 (and later) releases.
If you encounter any errors using your custom signatures, verify that they conform to the following requirements.
Custom Signature Pattern Requirements
All versions
  • You can enter hex-based patterns by surrounding the bytes with ‘
    \x
    ’.
  • The Pattern can contain a maximum of 127 characters.
    • If you need to use a pattern longer than 127 characters, create two separate conditions—one beginning where the other left off—and join them with ‘
      AND
      ’. You can still use
      Ordered Condition Match
      to require the firewall to consider one condition before the other to ensure a closer match to the full string.
  • Some application decoders may be case-sensitive for a given field, depending on the decoder the firewall uses. For this reason, you should define variations of the pattern. For example, \.CNN\.com and \.cnn\.com will ensure your signature functions properly regardless of case.
PAN-OS 9.1 and earlier versions
  • Every pattern you create must contain at least one 7-byte string with fixed values.
    • The 7 bytes cannot include a period (
      .
      ), an asterisk (
      *
      ), a plus sign (
      +
      ), or
      [a-z]
      (ranges).
    • The 7-byte string can be anywhere in your pattern.
  • The curly braces (repetition operator) has some limitations.
    • Curly braces must be preceded by a ‘
      .’
      (period).
    • You must have 7 static bytes after the braces.
  • If you have two strings that are both less than 7 bytes and that are separated by a regular expression wildcard element, you must increase the size of at least one of the strings to 7 or more bytes.

Recommended For You