Run tests to verify that your custom signature functions
properly and make improvements, if necessary.
Custom signatures are particularly prone to false positives and
false negatives—traffic incorrectly identified as the application or
threat, or the application or threat not detected at all. You should
always test a custom signature after committing its configuration
to verify that it functions as expected. Poorly written or outdated
custom signatures may only be detected (and improved) through testing.
If left unexamined, your signatures can reduce the efficacy of the
For custom App-ID signatures, generate traffic matching
the application or application functions on a client system with
a firewall between it and the application. Then, check the Traffic
logs to verify that the generated sessions match the signatures
you wrote. Your signature is incomplete if any traffic from your
session does not match. Use a packet capture tool such as Wireshark
to examine the streams of the sessions that did not match your
signature. Identify unique patterns in those streams and add them
to the signature to improve its accuracy.
For custom threat signatures, run penetration tests to detect system vulnerabilities.
Then, view the Threat logs to see the threat activity and the actions
taken. Investigate any false positives or false negatives. You may need
to modify your signature, change its default action, or examine your
security profiles and policies.
Validate that traffic matches your signature as
Run application traffic/penetration testing.
Verify that you see traffic matching the custom application/threat
(and that it is being handled per your policy rule).
For example, if you wrote an application signature for file
uploads to example.com, you would visit example.com and upload
a file. In the Traffic logs, you would then verify that the session's
application changed from “web-browsing” to “uploading-example” after the file upload.
Fine-tune your signature by adding additional patterns
or conditions to the signature, if necessary.
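The Traffic log check described above, as an added example that is not part of the original page: it reads an exported Traffic log (the CSV column set and the sample rows are constructed assumptions, not real PAN-OS output) and flags test sessions that fell back to a generic application (false negatives), sessions from outside the test that matched the custom application (candidate false positives), and matched sessions that were not handled by the expected policy rule.

```python
import csv
import io

# Constructed sample of Traffic log rows exported as CSV. The column set is an
# assumption chosen for this example, not the real PAN-OS export format.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,app,rule,action
2024/01/01 10:00:01,10.1.1.5,203.0.113.10,uploading-example,allow-uploads,allow
2024/01/01 10:00:07,10.1.1.5,203.0.113.10,web-browsing,allow-web,allow
2024/01/01 10:00:12,10.1.1.6,203.0.113.10,uploading-example,allow-web,allow
2024/01/01 10:00:20,10.1.1.7,198.51.100.20,uploading-example,allow-uploads,allow
"""


def check_signature_sessions(log_text, custom_app, expected_rule,
                             expected_action, test_clients, app_servers):
    """Compare logged sessions against what the test run should have produced.

    Assumes every session from a test client to an application server
    performed the signed function (here: a file upload), so each such
    session should have been identified as custom_app.
    test_clients: IPs of the client systems that generated the test traffic.
    app_servers: IPs of the servers hosting the application being signed.
    """
    result = {"matched": 0, "false_negative": [],
              "false_positive": [], "policy_mismatch": []}
    for row in csv.DictReader(io.StringIO(log_text)):
        from_test = row["src"] in test_clients and row["dst"] in app_servers
        is_custom = row["app"] == custom_app
        if from_test and not is_custom:
            # A generated session stayed on a generic app: signature incomplete
            result["false_negative"].append(row)
        elif is_custom and not from_test:
            # Custom app matched traffic the test did not generate: investigate
            result["false_positive"].append(row)
        elif is_custom:
            result["matched"] += 1
            # Matching the app is not enough; the session must also hit the
            # policy rule and action written for it
            if row["rule"] != expected_rule or row["action"] != expected_action:
                result["policy_mismatch"].append(row)
    return result


if __name__ == "__main__":
    report = check_signature_sessions(
        SAMPLE_TRAFFIC_LOG, "uploading-example", "allow-uploads", "allow",
        {"10.1.1.5", "10.1.1.6"}, {"203.0.113.10"})
    for category, rows in report.items():
        print(category, rows if isinstance(rows, int) else [r["src"] for r in rows])
```

Each flagged row points at a stream to inspect with a packet capture tool, or at a policy rule to revisit, before tuning the signature.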