Transition WildFire Profiles Safely to Best Practices

Apply WildFire Analysis profiles to allow rules to protect against unknown threats without risking application availability.
Use the following guidance to help define the initial configuration of WildFire Analysis profiles.
PAN-OS includes basic WildFire service, which enables forwarding portable executable (PE) files for WildFire analysis and retrieving WildFire signatures with antivirus or Threat Prevention updates every 24-48 hours. A WildFire subscription includes many more features, such as receiving updates every five minutes, support for more file types, and an API.
  • WildFire signature generation is highly accurate and false positives are rare. Deploying the best practice WildFire Analysis profile from the start does not impact network traffic. However, WildFire Action settings in the Antivirus profile may impact traffic if the traffic generates a WildFire signature that results in a reset or drop action.
  • Exclude internal traffic such as software distribution applications if you deploy custom-built programs through these applications because WildFire may identify custom-built programs as malicious and generate a signature for them.
The default WildFire Analysis profile is the recommended best practice profile, including at the internet gateway and in the data center.
When you have the initial profiles in place, monitor the WildFire Submissions logs (MonitorLogsWildFire Submissions) for enough time to gain confidence you understand whether any business-critical applications cause alerts or blocks due to the Antivirus profile WildFire Action. Create exceptions (open a support ticket if necessary) in the Antivirus profile as needed to remediate any confirmed false positives.

Related Documentation