Palo Alto Networks 7-byte Custom Signature Minimum Removed in Newer Versions and Why it Matters!

In the newer versions after 9.1, Palo Alto Networks no longer enforces the 7-byte minimum length limit for custom signatures. This is really useful, for example, for a signature that blocks traffic to a web page if the login parameter "user" is seen too many times in the query or body parameters of HTTP requests from a source IP address.

Previously, the "user" parameter would not be allowed because it was too small, below 7 bytes, so the web app needed to be changed to use something like "username" instead.

In this article, I will show how the match condition below, used with a combination match (it counts the number of times the signature is triggered before an action is taken), will trigger brute-force protection for a web login page.

[Image: screenshot of the match condition (nikoolayy1_0-1746792158016.png)]

This is also really useful for the Layer 3 and Layer 4 signatures that are supported in 11.x and newer, as TCP or UDP flags could be shorter than the previous limit!
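
The counting logic described above, modelled in Python as an added example (not code from the original article, and not PAN-OS configuration): a 4-byte match on the parameter name "user" is counted per source IP, and an action fires at a threshold. The regex, the threshold values (`hits`, `per_seconds`), the sliding window and the sample requests are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Stand-in for the child signature: the 4-byte name "user" at a parameter
# boundary, so "username=" and "superuser=" are not counted (assumption).
USER_PARAM = re.compile(r"(?:^|[?&])user=")

def has_user_param(query, body):
    """True if 'user' is a parameter in the query string or the request body."""
    return any(USER_PARAM.search(part) for part in (query, body))

def blocked_requests(requests, hits=5, per_seconds=60):
    """Return (timestamp, src_ip) for each request at or over the threshold.

    Models the combination step: count child matches per source IP and act
    once `hits` of them fall inside a sliding `per_seconds` window. The
    threshold values and the sliding window are assumptions of this example.
    """
    recent = defaultdict(deque)            # src_ip -> timestamps of matches
    blocked = []
    for ts, src_ip, query, body in sorted(requests):
        if not has_user_param(query, body):
            continue
        window = recent[src_ip]
        window.append(ts)
        while ts - window[0] >= per_seconds:
            window.popleft()               # forget matches outside the window
        if len(window) >= hits:
            blocked.append((ts, src_ip))
    return blocked

# Constructed sample traffic: (epoch seconds, source IP, query string, body).
SAMPLE = [(t, "203.0.113.10", "", "user=admin&pass=try%d" % t)
          for t in range(0, 12, 2)]                        # 6 rapid POSTs
SAMPLE += [
    (3, "198.51.100.7", "user=alice", ""),                 # one normal login
    (4, "198.51.100.7", "username=alice", ""),             # not the "user" name
    (90, "203.0.113.10", "page=1&user=admin", ""),         # window has expired
]

if __name__ == "__main__":
    for ts, ip in blocked_requests(SAMPLE):
        print(f"t={ts:>3}s block {ip}")
```

The single login from 198.51.100.7 never reaches the threshold, and the late request from 203.0.113.10 is counted afresh because the earlier matches have aged out of the window.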

 

Comments
Community Team Member

Hi @nikoolayy1,

Great use-case! Thanks for putting this together!

Community Team Member

Great post @nikoolayy1! The removal of the 7-byte minimum length requirement after PAN-OS 9.1 is a real game-changer for creating more precise signatures. Thanks for sharing this practical insight!

Community Manager

@nikoolayy1 - 3 great helpful technical articles in one month!  WOW!

Last Updated:
‎05-30-2025 10:28 AM