Compressed and Encoded File Analysis
Advanced WildFire Powered by Precision AI™

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series

What Do I Need?
  • Advanced WildFire License
    For Prisma Access, this is usually included with your Prisma Access license.
By default, the firewall decodes files that have been encoded or compressed up to 4 times, including files that have been compressed using the ZIP format. The firewall then inspects and enforces policy on the decoded file; if the file is unknown, the firewall forwards the decoded file for WildFire analysis. While the firewall cannot forward complete ZIP archive files for Advanced WildFire analysis, you can submit files directly to the Advanced WildFire public cloud using the WildFire portal or the WildFire API.
RAR and 7-Zip archive files are not decoded by the firewall. All processing of these files occurs in the Advanced WildFire public cloud.
(PAN-OS 11.0 and later) The compressed file inspection level can be raised from the default of 4 to a maximum of 7 through the CLI. Every additional level of inspection that the NGFW is configured for can have a significant performance impact. When enabling this setting, closely monitor NGFW performance by checking the system logs for relevant alerts or messages, and follow the WildFire Best Practices. Additionally, Palo Alto Networks recommends increasing the compressed file inspection level incrementally, starting with the minimum value that meets your security requirements for inspecting compressed files. For example, consider increasing the value to 5 to assess viability before using a value of 6 or 7.
  1. View the currently configured compressed file level inspection value.
    admin@PA-3260> show system setting ctd state
    The output displays various configuration settings related to the Content and Threat Detection (CTD) engine; search for the following entry:
    Max Decode filter levels      : 4
  2. Update the compressed file level inspection value. In this example, the value is changed to 7.
    The following is a Configure mode command.
    admin@PA-3260# set deviceconfig setting ctd decode-filter-max-depth 7
  3. View the updated compressed file level inspection value.
    admin@PA-3260> show system setting ctd state
    The value for Max Decode filter levels should reflect the updated value used in the previous step. In this example, the value was changed to 7.
    Max Decode filter levels      : 7
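As an added example (not Palo Alto Networks code), the following triage script measures how deeply a sample nests ZIP archives and compares that with the decode depth configured above, so an analyst can tell whether the innermost content would fall outside inline inspection and should be submitted to WildFire directly. The depth-counting helpers, the size guard and the constructed test payload are this example's own assumptions; only ZIP nesting is counted, not the other encodings the firewall decodes.

```python
# Added example (not Palo Alto Networks code): report how deeply a sample nests
# ZIP archives and compare that with the firewall's decode-filter-max-depth
# (default 4, maximum 7 on PAN-OS 11.0 and later). Only ZIP nesting is
# counted here; other encodings the firewall decodes are out of scope.
import io
import zipfile

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate members declared larger than this


def zip_nesting_depth(data: bytes, limit: int = 16) -> int:
    """Return the deepest ZIP-in-ZIP nesting in `data`.

    A non-ZIP payload has depth 0, a ZIP holding only plain files has
    depth 1, a ZIP containing a ZIP has depth 2, and so on. `limit` caps the
    reported depth so a deliberately deep archive cannot recurse without end.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    if limit <= 1:
        return 1  # archive found, but do not descend any further
    deepest = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename}: declared size too large to inflate")
            deepest = max(deepest, zip_nesting_depth(zf.read(info), limit - 1))
    return 1 + deepest


def exceeds_decode_depth(data: bytes, max_depth: int = 4) -> bool:
    """True when the sample nests deeper than the configured decode depth,
    i.e. its innermost content would not be inspected inline."""
    return zip_nesting_depth(data) > max_depth


def build_nested_zip(levels: int, payload: bytes = b"constructed test payload") -> bytes:
    """Constructed test input: `payload` wrapped in `levels` ZIP archives."""
    blob = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{levels - i}.bin", blob)
        blob = buf.getvalue()
    return blob
```

Run `exceeds_decode_depth(sample)` with the value reported by `show system setting ctd state` as `max_depth` to match the check to the firewall's current configuration.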