Transition WildFire Profiles Safely to Best Practices
Apply WildFire Analysis profiles to allow rules to protect
against unknown threats without risking application availability.
The following guidance helps define the initial configuration of WildFire Analysis
profiles.
Palo Alto Networks Next-Generation Firewalls include the basic WildFire service and don't require
an Advanced WildFire (or active legacy WildFire) subscription. The basic service enables
the firewall to forward PE files for analysis and retrieves Advanced WildFire signatures
only with an antivirus and/or Threat Prevention update every 24-48 hours. An
Advanced WildFire subscription (PAN-OS 10.0 or
later) or legacy WildFire subscription includes many more features, such as receiving
updates in real-time, support for more file types, and an API.
To identify and prevent threats, the firewall must have
visibility into application traffic.
Decrypt as much traffic
as local regulations, business considerations, privacy considerations,
and technical ability allow. If you don’t decrypt traffic, the firewall
can’t analyze encrypted headers and payload information.
WildFire signature generation is highly accurate and false positives are rare. Deploying the
default WildFire Analysis profile (which is the best practices profile) does not impact
network traffic. (However, WildFire Action settings in the
Antivirus profile might impact
traffic if the traffic generates a WildFire signature that results in a reset or drop
action.)
When you have the initial profiles in place, monitor the WildFire Submissions logs long enough to be confident you know whether any
business-critical applications trigger alerts or blocks because of the Antivirus profile
WildFire Action. Create exceptions (open a support ticket if necessary) in the Antivirus
profile as needed to remediate any confirmed false positives.
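The monitoring step above is easier if you summarize the WildFire Submissions logs per application and pull out the entries that involve applications the business depends on. The following script is an added example, not Palo Alto Networks code: it works on constructed sample rows with an assumed, simplified column layout (`app`, `filename`, `verdict`, `action`), not the exact PAN-OS WildFire Submissions log field order, and the application names and the list of "business-critical" apps are placeholders you would replace with your own exported log and your own list.

```python
"""
Triage constructed WildFire Submissions log rows to find business-critical
applications whose files drew a threat verdict, and whether the Antivirus
profile WildFire Action only alerted or actually interrupted the session.
Sample rows and column layout are constructed for this example (assumption:
not the real PAN-OS field order). Replace SAMPLE_LOG with a CSV export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; columns are an assumed simplified layout.
SAMPLE_LOG = """\
receive_time,app,src,dst,filename,verdict,action
2024/05/01 09:12:03,web-browsing,10.1.1.5,203.0.113.9,setup.exe,malicious,drop
2024/05/01 09:14:10,sharepoint-online,10.1.1.7,203.0.113.20,report.docx,benign,allow
2024/05/01 09:20:44,erp-client,10.1.2.9,198.51.100.4,patch_2024.exe,malicious,reset-both
2024/05/01 09:22:51,web-browsing,10.1.1.5,203.0.113.9,invoice.pdf,grayware,alert
2024/05/01 10:01:02,erp-client,10.1.2.11,198.51.100.4,patch_2024.exe,malicious,reset-both
2024/05/01 10:05:33,smtp,10.1.3.2,192.0.2.8,attach.zip,phishing,alert
2024/05/01 10:30:00,erp-client,10.1.2.9,198.51.100.4,update.msi,benign,allow
"""

# Actions that interrupt traffic (the Antivirus profile WildFire Action
# values that reset or drop). "alert" and "allow" leave the session alone.
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both"}
# Verdicts that mean a WildFire signature fired on the file.
THREAT_VERDICTS = {"malicious", "phishing", "grayware"}


def parse_submissions(text):
    """Parse a CSV export of WildFire Submissions rows into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_app(rows):
    """Per application: threat verdicts that were blocked vs only alerted,
    plus benign submissions, so you can see where a block would hurt."""
    summary = defaultdict(lambda: {"blocked": 0, "alerted": 0, "benign": 0})
    for row in rows:
        bucket = summary[row["app"]]
        if row["verdict"] not in THREAT_VERDICTS:
            bucket["benign"] += 1
        elif row["action"] in BLOCKING_ACTIONS:
            bucket["blocked"] += 1
        else:
            bucket["alerted"] += 1
    return dict(summary)


def review_candidates(rows, critical_apps):
    """Threat-verdict rows from business-critical apps, grouped by
    (app, filename). Each entry is a candidate for false-positive review;
    only confirmed false positives should become Antivirus profile exceptions."""
    candidates = {}
    for row in rows:
        if row["app"] in critical_apps and row["verdict"] in THREAT_VERDICTS:
            key = (row["app"], row["filename"])
            entry = candidates.setdefault(
                key, {"verdict": row["verdict"], "action": row["action"], "hits": 0}
            )
            entry["hits"] += 1
    return candidates


if __name__ == "__main__":
    rows = parse_submissions(SAMPLE_LOG)
    # Placeholder list of business-critical applications (assumption).
    critical = {"erp-client", "sharepoint-online"}
    for app, counts in sorted(summarize_by_app(rows).items()):
        print(f"{app:18} blocked={counts['blocked']} alerted={counts['alerted']} "
              f"benign={counts['benign']}")
    print("\nReview before creating exceptions:")
    for (app, fname), info in review_candidates(rows, critical).items():
        print(f"  {app}: {fname} verdict={info['verdict']} "
              f"action={info['action']} hits={info['hits']}")
```

Run it against a real CSV export by replacing `SAMPLE_LOG` and mapping the column names to your export's headers; the `blocked` column is the one to watch, since an `alert` action never interrupts the session.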