File Blocking process

What are the signatures based upon? 

The system is looking at the file header and MIME type which are determined at file creation.   This prevents the obfuscation of the the file by changing the extension to .txt.

Can someone please refer me to an official document (a technical one) by Palo Alto clearly explaining how the file types will be detected (signature in oppose to extension checks). Will greatly help when it comes to cutomers and references.

Binary files have signatures in the beginning of the file.

You can verify if you open file with HEX Editor.

Startingpoint might be here: https://en.wikipedia.org/wiki/List_of_file_signatures

I haven't seen a highly technical document that really dives into exactly how the file blocking engine works.  There's some mention of it in the official documentation.  I also found mention of it being based on the content/file type and not just on a file extention in this document:

 - https://www.paloaltonetworks.com/resources/techbriefs/content-id-tech-brief

It's easy to validate this functionality for yourself.  Configure a "file blocking" profile with action=alert for all applications and all file types.  Attach that to a security policy that permits a test machine to use FTP.  Take a pdf file and change the extension to .exe (or duplicate that file numerous times and also rename it to .bat, .jpg, .doc, .torrent, etc.).  Use FTP to transfer these files through the firewall.  Finally, look at the data filtering log to see the results.  

I took a copy of the PDF file linked above, duplicated it a few times, forged the extension on all but one of the samples, and then transferred it through the firewall using FTP.  The first snip is the directory with the duplicated/renamed files (all same date and file size).  The 2nd snip shows the firewall logging the forged filename while identifying the file type as actually being Adobe PDF.