: Testing Pattern Performance Impact
Focus
Focus

Testing Pattern Performance Impact

Table of Contents

Testing Pattern Performance Impact

Test the performance impact of your custom signatures.
Firewalls running PAN-OS 10.0 or later have an enhanced pattern-matching engine that loosens pattern requirements and offers a richer selection of syntax. Used incorrectly, these features can have consequences that range from higher latency to dropped packets. To help you avoid performance degradation, the firewall enables you to check the performance impact of your signatures before you commit them.
The firewall scores the performance impact of a signature on a scale of 0 to 100%. A score of 0% means the signature severely affects firewall performance and a score of 100% means it minimally affects performance.
Use either of the following two commands to check the performance impact of a signature:
CommandDescription
test custom-signature-type pattern <pattern>
Calculates the performance impact of a signature without a context and determines whether the pattern is not valid, is valid but in only the new engine (lscan), or is valid in both the old and new engine (pscan/AHO).
Example:
admin@VM-FW-75-252> test custom-signature-type pattern aaaa.

*The pattern is lscan pattern
Performance score: 68%
test custom-signature-perf context <context> pattern <pattern>
Calculates the performance impact of a signature with a context and displays a warning if the performance score is below 55%.
Example:
admin@VM-FW-75-252> test custom-signature-perf context http-rsp-headers pattern aaaa.*
							
Performance score: 42%
This signature will have performance impact
When you test a custom signature without a context, the score is a function of the literal parts of the pattern. The literal parts are the characters in the string with fixed values, such as “pan” and “net” in pan.{4}net. The greater the number and length of the literal parts, the higher the score of the pattern.
When you test a pattern with a context, the firewall performs the above calculation and adjusts it based on the typical length and frequency of the context. The firewall then divides the typical context length by the shortest literal part of the pattern and multiplies the base score of the pattern by this value. Finally, the firewall lowers the score if the context appears frequently and raises the score if the context appears infrequently.