Test the performance impact of your custom signatures.
Firewalls running PAN-OS 10.0 or later have an enhanced
pattern-matching engine that loosens pattern requirements and offers
a richer selection of syntax. Used incorrectly, these features can
have consequences that range from higher latency to dropped packets.
To help you avoid performance degradation, the firewall enables
you to check the performance impact of your signatures before you
The firewall scores the performance impact of a signature on
a scale of 0 to 100%. A score of 0% means the signature severely
affects firewall performance and a score of 100% means it minimally
Use either of the following two commands to check the performance
impact of a signature:
test custom-signature-type pattern <pattern>
Calculates the performance impact of a signature without
a context and determines whether the pattern is invalid, is valid
only in the new engine (lscan), or is valid in both the old
and new engines (pscan/AHO).
admin@VM-FW-75-252> test custom-signature-type pattern aaaa.
*The pattern is lscan pattern
Performance score: 68%
test custom-signature-perf context <context> pattern <pattern>
Calculates the performance impact of a signature with
a context and displays a warning if the performance score is below
admin@VM-FW-75-252> test custom-signature-perf context http-rsp-headers pattern aaaa.*
Performance score: 42%
This signature will have performance impact
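When several candidate signatures are tested in one CLI session, the saved output can be checked mechanically before anything is committed. The following is an added example, not part of the original documentation or of any Palo Alto Networks tooling: it parses a transcript built from the two sample sessions above and lists the signatures that need rework. The function names and the min_score cut-off are assumptions chosen for illustration.

```python
import re

# Constructed transcript: the two sample sessions shown on this page, saved as text.
TRANSCRIPT = """\
admin@VM-FW-75-252> test custom-signature-type pattern aaaa.
*The pattern is lscan pattern
Performance score: 68%
admin@VM-FW-75-252> test custom-signature-perf context http-rsp-headers pattern aaaa.*
Performance score: 42%
This signature will have performance impact
"""

CMD = re.compile(r"> test custom-signature-(?:type|perf)\s+(?:context (\S+) )?pattern (.+)$")
ENGINE = re.compile(r"The pattern is (\S+) pattern")
SCORE = re.compile(r"Performance score:\s*(\d+)%")

def parse_results(text):
    """Return one dict per test command found in a saved CLI transcript."""
    results, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = CMD.search(line)
        if m:
            # A new command starts a new record; later lines fill it in.
            cur = {"context": m.group(1), "pattern": m.group(2),
                   "engine": None, "score": None, "warned": False}
            results.append(cur)
        elif cur is None:
            continue  # output that precedes any recognised command
        elif (m := ENGINE.search(line)):
            cur["engine"] = m.group(1)
        elif (m := SCORE.search(line)):
            cur["score"] = int(m.group(1))
        elif "will have performance impact" in line:
            cur["warned"] = True
    return results

def needs_rework(results, min_score=50):
    """Signatures the firewall warned about, that returned no score,
    or that scored under min_score (a reviewer-chosen assumption,
    not a PAN-OS value)."""
    return [r for r in results
            if r["warned"] or r["score"] is None or r["score"] < min_score]

if __name__ == "__main__":
    for r in needs_rework(parse_results(TRANSCRIPT)):
        print(f"rework: {r['pattern']!r} in {r['context']} (score {r['score']}%)")
```

A record with no score is treated as needing rework, so a pattern the firewall rejected outright is not silently skipped.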
When you test a custom signature without a context, the score
is a function of the literal parts of the pattern. The literal parts
are the characters in the string with fixed values, such as “pan” and
. The greater the number
and length of the literal parts, the higher the score of the pattern.
When you test a pattern with a context, the firewall performs
the above calculation and adjusts it based on the typical length
and frequency of the context. The firewall then divides the typical context
length by the shortest literal part of the pattern and multiplies
the base score of the pattern by this value. Finally, the firewall
lowers the score if the context appears frequently and raises the
score if the context appears infrequently.