Commit error: Threat database handler failed, when using custom signatures

Created On 05/07/20 23:46 PM - Last Modified 06/11/24 02:33 AM


Symptom


  • A commit fails when a configuration containing a custom signature is pushed from Panorama to the firewall.
  • The custom signature contains a repeated pattern.
  • An error message similar to the following is displayed:
    Details:
    Error: Threat database handler failed
    (Module: device)
    Configuration is invalid


Environment


  • Any Panorama.
  • Any Palo Alto Firewall.
  • Custom signatures configured.
  • PAN-OS 9.1 or below.


Cause


  • Repeating patterns are not supported; this is working as designed.
  • Example: The pattern ".\x0d0a\x.\x0d0a\xHost: " failed compilation.
  • ".\x0d0a\xHost:" itself is fine. However, it appears that too many patterns share ".\x0d0a\xHost:". There is a limit of 8 for transition values with the same pattern, and multiple patterns can be combined into a single one.
The workaround is to avoid repeating patterns in the regular expression.


Resolution


  1. Avoid using repeating patterns in the regular expression used in the custom signature.
  2. In the example above, the first "\x0d0a" is not really necessary. Change the pattern to ".*\x0d0a\xHost: ".
  3. Commit again; the commit will now succeed.
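
A pre-push check for the rule above, as an added example (not Palo Alto Networks code): it flags a hex segment that repeats inside one custom signature pattern and counts how many patterns contain a given fragment, for comparison with the limit of 8 quoted in the Cause section. The function names, the signature names and the treatment of `\x...\x` as the hex delimiter form are assumptions taken from the patterns shown in this article; the check is a heuristic and does not reproduce the PAN-OS signature compiler.

```python
import re
from collections import Counter

# Hex bytes as written in the article's patterns: \x0d0a\x (assumed delimiter form).
HEX_SEGMENT = re.compile(r"\\x([0-9a-fA-F]+)\\x")
SHARED_LIMIT = 8  # limit quoted in the article; how PAN-OS counts it is not shown there

def hex_segments(pattern):
    """Return the hex runs of one pattern, lower-cased, in order of appearance."""
    return [m.group(1).lower() for m in HEX_SEGMENT.finditer(pattern)]

def repeated_segments(pattern):
    """Hex runs that occur more than once inside a single pattern."""
    counts = Counter(hex_segments(pattern))
    return sorted(seg for seg, n in counts.items() if n > 1)

def patterns_sharing(signatures, fragment):
    """Number of patterns containing `fragment` verbatim (compare with SHARED_LIMIT)."""
    return sum(1 for p in signatures.values() if fragment in p)

def lint(signatures, fragment=None):
    """Return (signature name, finding) tuples; heuristic, not the PAN-OS compiler."""
    findings = []
    for name, pattern in signatures.items():
        for seg in repeated_segments(pattern):
            findings.append((name, f"hex segment {seg} repeats within the pattern"))
    if fragment is not None:
        n = patterns_sharing(signatures, fragment)
        if n > SHARED_LIMIT:
            findings.append(("*", f"{n} patterns share {fragment!r}, above {SHARED_LIMIT}"))
    return findings

# Constructed sample: signature names are hypothetical; the two patterns are the
# article's failing pattern and its suggested replacement.
SAMPLE = {
    "custom-sig-before": r".\x0d0a\x.\x0d0a\xHost: ",
    "custom-sig-after": r".*\x0d0a\xHost: ",
}

if __name__ == "__main__":
    for name, finding in lint(SAMPLE, fragment=r"\x0d0a\xHost:"):
        print(f"{name}: {finding}")
```

Run it against the patterns exported from the Panorama configuration before pushing; an empty result means no pattern tripped either heuristic.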

 

