Enable Hold Mode for Real-Time Signature Lookup
Focus
Focus
Advanced WildFire

Enable Hold Mode for Real-Time Signature Lookup

Table of Contents

Enable Hold Mode for Real-Time Signature Lookup

Hold mode enables you to hold file a sample transfer while the firewall queries the real-time signature cloud to perform a signature lookup.
Where Can I Use This?
What Do I Need?
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
  • Advanced WildFire License
You can configure the NGFW to hold the transfer of a sample while the real-time signature cloud performs a signature lookup. When the lookup is completed, the file is released to the requesting client (or blocked), based on your organization's security policy for specific WildFire verdicts, preventing the initial transfer of known malware. You can configure hold mode on a per antivirus profile basis and apply a global setting for the signature lookup timeout and the associated action.
This feature is available to all users with an active WildFire or Advanced WildFire license running PAN-OS 11.0.2 or later.
  1. To enable hold mode for WildFire real-time signature lookups, you must have either a WildFire or Advanced WildFire subscription service license. Make sure to activate the license on the firewall if you have not done so already. To verify subscriptions for which you have currently-active licenses, select
    Device
    Licenses
    and verify that the appropriate licenses display and are not expired. The example below shows the description for the standard WildFire license.
  2. Set the schedule for the firewall to retrieve WildFire signatures in real-time.
    Even when the firewall is configured to use real-time signatures, supplemental signature packages are still installed on a regular basis. This provides an up-to-date signature source when you experience connectivity issues, as well as a speed benefit, where signatures are available locally.
    1. Select
      Device
      Dynamic Updates
      .
    2. Select the
      Schedule
      for WildFire updates.
    3. Set the
      Recurrence
      (how often the firewall checks the Palo Alto Networks update server for new signatures) for
      Real-time
      updates.
    4. Click
      OK
      to save the WildFire update schedule and then
      Commit
      your changes.
  3. Configure the timeout setting and action when the request exceeds the timeout.
    You must enable hold mode globally before you enable hold mode for WildFire real-time signature lookups on a per-Antivirus profile basis.
    1. Select
      Device Setup
      ContentID
      Realtime Signature Lookup
    2. Enable
      Hold for WildFire Real Time Signature Look Up
      .
    3. Specify the
      WildFire Real Time Signature Lookup Timeout (ms)
      in milliseconds (the default value is 1000).
      Palo Alto Networks recommends using the default value of 1000ms unless you experience repeated timeouts during testing.
    4. Specify the
      Action On Real Time WildFire Signature Timeout
      . The default value is
      Allow
      , however, Palo Alto Networks recommends setting this to
      Reset-Both
      when hold mode is enabled. The options include the following:
      • Allow—The NGFW allows packets through when the hold timeout threshold is reached.
      • Reset Both—The NGFW resets the connection on both the client and server ends when the hold timeout threshold is reached.
    5. Select
      OK
      when finished.
  4. Update or create a new Antivirus Security profile to enable hold mode for WildFire real-time signature lookups.
    1. Select an existing antivirus security profile or
      Add
      a new one (
      Objects
      Security Profiles
      Antivirus
      ).
    2. Select your antivirus security profile and then go to
      Action
      .
    3. Select
      Hold for WildFire Real Time Signature Look Up
      .
    4. Repeat steps 4.1-4.3 for all active antivirus profiles for which you want to enable hold mode for WildFire real-time signature lookups.
  5. Commit
    your changes.
  6. (Optional) You can view a summary of your antivirus security profile settings, including hold mode enablement, on the antivirus summary view page.

Recommended For You