Advanced WildFire Powered by Precision AI™
Compressed and Encoded File Analysis
By default, the firewall decodes files that have been encoded or compressed up to 4 times,
including files that have been compressed using the ZIP format. The firewall then
inspects and enforces policy on the decoded file; if the file is unknown, the firewall
forwards the decoded file for WildFire analysis. While the firewall cannot forward
complete ZIP archive files for Advanced WildFire analysis, you can submit files directly
to the Advanced WildFire public cloud using the WildFire portal or the WildFire API.
RAR and 7-Zip archive files are not decoded by the firewall.
All processing of these files occurs in the Advanced WildFire public cloud.
The compressed file level inspection can be raised from the default level of 4 to a
maximum of 7 through the CLI. Each additional level of inspection can have a significant
performance impact on the NGFW. When enabling this setting, closely monitor NGFW
performance by checking the system logs for relevant alerts or messages, and follow the
WildFire Best Practices. Additionally, Palo Alto Networks recommends increasing the
compressed file level inspection incrementally, starting with the minimum value that meets
your security requirements for inspecting compressed files. For example, raise the value
to 5 and assess viability before moving to 6 or 7.
Compressed and Encoded File Analysis (PAN-OS & Panorama)
The compressed file level inspection can be adjusted only on PAN-OS 11.0 and later
releases.
- Access the firewall CLI.
- View the currently configured compressed file level inspection value:

      admin@PA-3260> show system setting ctd state

  The output displays various configuration settings related to the Content and Threat Detection (CTD) engine; search for the following entry:

      Max Decode filter levels : 4

- Update the compressed file level inspection value. In this example, the value is changed to 7. The following is a Configure mode command:

      admin@PA-3260# set deviceconfig setting ctd decode-filter-max-depth 7

- Commit Configuration Changes.
- View the updated compressed file level inspection value:

      admin@PA-3260> show system setting ctd state

  The value for Max Decode filter levels should reflect the value set in the previous step. In this example, the value was changed to 7:

      Max Decode filter levels : 7
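The procedure above can be wrapped in a small check that reads the current `Max Decode filter levels` entry and produces the configure-mode commands for an incremental increase. This is an added example, not Palo Alto Networks code: the sample CTD output is constructed (only the `Max Decode filter levels` line is taken from this page), and the lower bound of 1 on the depth is an assumption, since the page states only the default (4) and the maximum (7).

```python
import re
from typing import List, Optional

# Constructed sample of `show system setting ctd state` output. Only the
# "Max Decode filter levels" line comes from the page; the other lines are
# placeholders standing in for the remaining CTD settings the page does not show.
SAMPLE_CTD_STATE = """\
CTD settings
  Placeholder setting A    : enabled
  Max Decode filter levels : 4
  Placeholder setting B    : 0
"""

DEFAULT_DEPTH = 4  # firewall default decode depth (from the page)
MAX_DEPTH = 7      # maximum depth configurable via the CLI (from the page)
MIN_DEPTH = 1      # assumption: the page gives no minimum, only the default and maximum

_DEPTH_RE = re.compile(r"^\s*Max Decode filter levels\s*:\s*(\d+)\s*$", re.MULTILINE)


def parse_decode_depth(ctd_state_output: str) -> Optional[int]:
    """Extract the configured 'Max Decode filter levels' value, or None if the
    entry is missing from the output."""
    match = _DEPTH_RE.search(ctd_state_output)
    return int(match.group(1)) if match else None


def set_depth_command(depth: int) -> str:
    """Configure-mode command from the page that sets the decode depth."""
    if not MIN_DEPTH <= depth <= MAX_DEPTH:
        raise ValueError(f"decode depth must be between {MIN_DEPTH} and {MAX_DEPTH}, got {depth}")
    return f"set deviceconfig setting ctd decode-filter-max-depth {depth}"


def plan_increase(ctd_state_output: str, target: int) -> List[str]:
    """Return the configure-mode commands that raise the depth from its current
    value to `target` one level at a time, as the page recommends (4 -> 5 -> 6
    rather than jumping straight to 7). Each step is meant to be committed and
    monitored for performance impact before the next one is applied."""
    current = parse_decode_depth(ctd_state_output)
    if current is None:
        raise ValueError("'Max Decode filter levels' not found in CTD state output")
    if target <= current:
        return []  # already at or above the requested depth; nothing to change
    return [set_depth_command(d) for d in range(current + 1, target + 1)]


if __name__ == "__main__":
    print("current depth:", parse_decode_depth(SAMPLE_CTD_STATE))
    for cmd in plan_increase(SAMPLE_CTD_STATE, 6):
        print(cmd)
```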
Compressed and Encoded File Analysis (Cloud Management)
If you’re using Panorama to manage Prisma Access, toggle over to the PAN-OS tab and follow the guidance there. If you’re using Prisma Access Cloud Management, continue here.
Prisma Access does not have a user-accessible CLI from which to adjust the compressed and encoded file analysis values. To configure the compressed file level inspection, reach out to your Palo Alto Networks account team.