Compressed and Encoded File Analysis
Where Can I Use This?
  Prisma Access (Managed by Strata Cloud Manager)
  Prisma Access (Managed by Panorama)
  NGFW (Managed by Strata Cloud Manager)
  NGFW (Managed by PAN-OS or Panorama)
  VM-Series
  CN-Series

What Do I Need?
  Advanced WildFire License (for Prisma Access, this is usually included with your
  Prisma Access license)
By default, the firewall decodes files that have been encoded or compressed up to 4 times,
including files that have been compressed using the ZIP format. The firewall then
inspects and enforces policy on the decoded file; if the file is unknown, the firewall
forwards the decoded file for WildFire analysis. While the firewall cannot forward
complete ZIP archive files for Advanced WildFire analysis, you can submit files directly
to the Advanced WildFire public cloud using the WildFire portal or the WildFire API.
RAR and 7-Zip archive files are not decoded by the firewall.
All processing of these files occurs in the Advanced WildFire public cloud.
(PAN-OS 11.0 and later) The compressed file level inspection can be configured
from the default level of 4 to a maximum of 7 through the CLI. Every additional level of
inspection that the NGFW is configured for can have significant performance impact. When
enabling this setting, closely
monitor the NGFW performance by checking the
system logs for relevant alerts or messages, and follow the
WildFire Best Practices. Additionally, Palo
Alto Networks recommends incrementally increasing the compressed file level inspection,
starting with the minimum value that meets the security requirements for inspecting
compressed files. For example, consider increasing the value to 5 to assess viability
before using a value of 6 or 7.
1. View the currently configured compressed file level inspection value.

   admin@PA-3260> show system setting ctd state

   The output displays various configuration settings related to the Content and
   Threat Detection (CTD) engine; search for the following entry:

   Max Decode filter levels : 4

2. Update the compressed file level inspection value. In this example, the value is
   changed to 7. The following is a Configure mode command.

   admin@PA-3260# set deviceconfig setting ctd decode-filter-max-depth 7

3. View the updated compressed file level inspection value.

   admin@PA-3260> show system setting ctd state

   The value for Max Decode filter levels should reflect the updated value used in
   the previous step. In this example, the value was changed to 7.

   Max Decode filter levels : 7
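To make the decode-depth budget concrete, the following added Python example (not Palo Alto Networks code) builds a constructed sample nested six layers deep (one base64 layer inside five ZIP archives), runs a bounded decoder that stops after N layers the way the Max Decode filter levels setting does, and parses that value out of `show system setting ctd state` output. The payload, the nesting helper and the ZIP/base64-only decoder are illustrative assumptions; the firewall's real decoder is not modelled beyond the layer budget.

```python
import base64
import io
import zipfile

CONSTRUCTED_PAYLOAD = b"MZ constructed sample, not a real executable"

def nest_zip(payload: bytes, layers: int) -> bytes:
    """Wrap payload in `layers` nested ZIP archives (constructed test data)."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin", data)
        data = buf.getvalue()
    return data

def peel_one(data: bytes):
    """Strip one ZIP or base64 layer; return None if data is neither."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                return zf.read(names[0]) if len(names) == 1 else None
        except zipfile.BadZipFile:
            return None
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def bounded_decode(data: bytes, max_levels: int = 4):
    """Decode at most `max_levels` layers, like the firewall's 'Max Decode
    filter levels' budget. Returns (innermost data, levels used, fully_decoded)."""
    for level in range(max_levels):
        inner = peel_one(data)
        if inner is None:
            return data, level, True  # reached the real content
        data = inner
    # Budget spent: content is only fully inspected if nothing is left to peel
    return data, max_levels, peel_one(data) is None

def max_decode_levels(ctd_state_output: str) -> int:
    """Parse 'Max Decode filter levels : N' from `show system setting ctd state`."""
    for line in ctd_state_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Max Decode filter levels":
            return int(value)
    raise ValueError("Max Decode filter levels not found in output")

SAMPLE_6_LAYERS = nest_zip(base64.b64encode(CONSTRUCTED_PAYLOAD), 5)  # base64 + 5 ZIPs
```

With the default budget of 4, `bounded_decode(SAMPLE_6_LAYERS)` stops while a ZIP layer is still unopened, so the inner content is never inspected; raising the budget to 6 or 7 reaches it, which is the trade-off the performance caveat above refers to.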