I am not sure what your goal is, so there may be a much better way to accomplish what you are trying to accomplish. That being said, here is a link to the admin guide for 5.0: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/4118-102-7-19329/PA-5.0_Administrators_Guide.pdf

On pages 235 and 236 the "regex" rules are described. This is not full-blown regex as you are likely used to. It is a very cut-down version. Here are some "regex(s)" that I have come up with as an example. The rules state that your data pattern "regex" must be at least 7 bytes long. This is constrained to the string you are searching for and not anything between brackets (so no tricking the system with logic (and, or, etc.)). In these examples I am keying on HTML form post data - so, uploading a file via a web form. As you can see, the "string" here is "form-data":

Any IP:
.*(form\-data).*((([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

RFC 1918 (10/8) IP:
.*(form\-data).*((10)\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

RFC 1918 (172.16/12) IP:
.*(form\-data).*((172)\.((1[6-9])|(2[0-9])|(3[0-1]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

RFC 1918 (192.168/16) IP:
.*(form\-data).*((192)\.(168)\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

NOTE: For looking in email, you might use the string "subject" as a key word.
The "regex" would then look like this:

Any IP:
.*(subject).*((([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

!!!WARNING!!!: This will slow down your commit times, and if you use all of these at the same time, your commit may fail. This is because there is a limited memory space for compiling custom signatures. The more complex the signature, the more memory the compile takes. I tested these on a PA-200 and the commits failed for the most part. I was able to get the smaller ones to commit and work, but again, this is not recommended.

I hope this helps.

-chadd.
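Since each failed commit on a small box costs time, it is worth checking patterns of this shape offline first. The script below is an added example, not code from the post or from Palo Alto Networks: it builds the form-data plus IP patterns in the same style, checks that the octet alternation covers exactly 0-255, and shows that the unanchored `.*` means an address embedded in a longer digit string still fires. It assumes Python's re and the PAN-OS cut-down dialect agree on the constructs used (`.`, `*`, `|`, `[]`, `()`, `\`); the sample upload body is constructed.

```python
import re

# Octet alternation in the same bracket-heavy style as the data patterns,
# with the 200-255 range split so nothing in 0..255 is missed.
OCTET = r"(([0-9])|([0-9][0-9])|([1][0-9][0-9])|(2[0-4][0-9])|(25[0-5]))"
KEY = r".*(form\-data).*"   # the 9-byte literal that satisfies the 7-byte rule


def dotted(*parts):
    """Join octet sub-patterns with escaped dots."""
    return r"\.".join(parts)


PATTERNS = {
    "any_ip":      KEY + "(" + dotted(OCTET, OCTET, OCTET, OCTET) + ").*",
    "rfc1918_10":  KEY + r"((10)\." + dotted(OCTET, OCTET, OCTET) + ").*",
    "rfc1918_172": KEY + r"((172)\.((1[6-9])|(2[0-9])|(3[0-1]))\."
                   + dotted(OCTET, OCTET) + ").*",
    "rfc1918_192": KEY + r"((192)\.(168)\." + dotted(OCTET, OCTET) + ").*",
}
# Assumption: the firewall lets '.*' span line breaks, hence re.DOTALL here.
COMPILED = {name: re.compile(p, re.DOTALL) for name, p in PATTERNS.items()}


def matching_patterns(payload):
    """Names of the patterns that would fire on this payload."""
    return [name for name, rx in COMPILED.items() if rx.match(payload)]


def octet_coverage(octet_pattern):
    """How many of the values 0..255 the alternation matches as a whole octet."""
    rx = re.compile(octet_pattern)
    return sum(1 for n in range(256) if rx.fullmatch(str(n)))


# Constructed multipart upload body carrying an internal address.
SAMPLE_UPLOAD = (
    'Content-Disposition: form-data; name="notes"\r\n\r\n'
    "server at 10.20.30.40 is down\r\n"
)

if __name__ == "__main__":
    print(matching_patterns(SAMPLE_UPLOAD))          # ['any_ip', 'rfc1918_10']
    print(octet_coverage(OCTET))                     # 256
    # No anchoring: "1192.168.0.1" is not an address, but it still fires.
    print(matching_patterns("form-data 1192.168.0.1"))
```

Run the coverage check on any octet alternation you plan to commit; a narrower one such as `([2][0-5][0-5])` for the 200s silently drops values like 206 or 219.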