Subscription Options
Where Can I Use
This? | What Do I Need? |
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama) VM-Series CN-Series
|
Advanced WildFire License For Prisma Access, this is usually included with your
Prisma Access license.
|
The basic WildFire service is included as part of the Palo Alto
Networks next generation firewall and does not require an Advanced
WildFire or WildFire subscription. With the basic WildFire service,
the firewall can forward portable executable (PE) files for analysis,
and can retrieve Advanced WildFire signatures only with antivirus
and/or Threat Prevention updates which are made available every
24-48 hours.
Palo Alto Networks offers several subscription options:
WildFire—The WildFire subscription provides protection
from malware by forwarding samples to the Advanced WildFire cloud,
where a series of analysis environments are used to detect and prevent
unknown malware threats by generating protections that to block
further instances of the threat. As part of your subscription, you
get access to regular Advanced WildFire signature updates, advanced
file type forwarding, as well as the ability to upload files using
the WildFire API. If you are operating an environment that requires
an on-prem solution, the WildFire subscription can be used to forward
files to a local WildFire appliance.
Advanced WildFire—(PAN-OS 10.0 and later) The
Advanced WildFire subscription includes all of the features found
in the standard WildFire subscription, and improves upon it by providing
sample analysis through an advanced cloud-based detector. The advanced
detection system analyzes samples using intelligent real-time runtime
memory analysis, runtime DLL emulation, automated unpacking, family
classification, stealth observation, and other techniques to target
highly-evasive malware.
Standalone WildFire API—Palo Alto Networks customers
operating SOAR tools, custom security applications, and other threat
assessment software can access the advanced file analysis capabilities
of the WildFire cloud with a standalone subscription that provides API-only
access. This allows you to leverage WildFire-based analytics without
relying on the Palo Alto Networks firewall as a forwarding mechanism.
The WildFire Standalone API subscription allows you to make direct
queries to the WildFire cloud threat database for information about potentially
malicious content, and submit files for analysis using the advanced
threat analysis capabilities of WildFire, based on your organization’s
specific requirements. The enhanced access limits of the subscription
allow organizations of various sizes to customize their access limits according
to their usage - this includes scalable licenses that allow a specific
number of file/report queries, sample submissions (for Advanced WildFire
analysis), or a combination of the two. For more information, refer
to the
WildFire API Reference.
The standard WildFire subscription unlocks the following features:
Real-Time Updates—(PAN-OS 10.0 and later) The
firewall can retrieve Advanced WildFire signatures for newly-discovered
malware as soon as the Advanced WildFire public cloud can generate
them. Signatures that are downloaded during a sample check are saved
in the firewall cache, and are available for fast (local) look-ups.
In addition, to maximize coverage, the firewall also automatically downloads
a signature package on a regular basis when real-time signatures
is enabled. These supplemental signatures are added to the firewall cache
and remain available until they become stale and are refreshed or
are overwritten by new signatures. Using real-time Advanced WildFire updates
is a recommended best practice setting.
Five-Minute Updates—(All PAN-OS versions) The
Advanced WildFire public cloud can generate and distribute Advanced
WildFire signatures for newly-discovered malware every five minutes,
and you can set the firewall to retrieve and install these signatures
every minute (this allows the firewall to get the latest signatures
within a minute of availability).
If you are running
PAN-OS 10.0 or later, it is a best practice to use real-time Advanced
WildFire updates instead of scheduling recurring updates.
Advanced WildFire Inline ML—
(PAN-OS 10.0 and later) Prevent
malicious variants of portable executables, executable and linked
format (ELF) files, and PowerShell scripts from entering your network
in real-time using machine learning (ML) on the firewall dataplane.
By utilizing Advanced WildFire Cloud analysis technology on the
firewall,
Advanced WildFire Inline ML dynamically
detects malicious files of a specific type by evaluating various
file details, including decoder fields and patterns, to formulate
a high probability classification of a file. This protection extends
to currently unknown as well as future variants of threats that
match characteristics that Palo Alto Networks identified as malicious.
Advanced WildFire inline ML complements your existing Antivirus
profile protection configuration. Additionally, you can specify
file hash exceptions to exclude any false-positives that you encounter,
which enables you to create more granular rules in your profiles
to support your specific security needs.
File Type Support—In addition to PEs, forward advanced
file types for Advanced WildFire analysis, including APKs, Flash files,
PDFs, Microsoft Office files, Java Applets, Java files (.jar and
.class), and HTTP/HTTPS email links contained in SMTP and POP3 email messages.
(WildFire private cloud analysis does not support APK, Mac OS X,
Linux (ELF), archive (RAR/7-Zip), and script (JS, BAT, VBS, Shell Script,
PS1, and HTA) files).
Advanced WildFire API—Access to the
WildFire API, which
enables direct programmatic access to the Advanced WildFire public
cloud or a WildFire private cloud. Use the API to submit files for
analysis and to retrieve the subsequent Advanced WildFire analysis
reports. As part of the Advanced WildFire or WildFire subscription,
you can submit up to 150 sample submissions and up to 1,050 sample
queries a day. These daily sample submission limits can be extended,
based on your organization’s specific needs. Please contact your
Palo Alto Networks sales representative for more information.
WildFire Private and Hybrid Cloud Support—
Forward Files for Advanced WildFire Analysis. WildFire private
cloud and WildFire hybrid cloud deployments both require the firewall
to be able to submit samples to a WildFire appliance. Enabling a WildFire
appliance requires only a support license.
If you have purchased a Advanced WildFire subscription, you must
activate the license before
you can take advantage of the subscription-only WildFire features.
The Advanced WildFire subscription unlocks the following feature:
Intelligent Run-time Memory Analysis—Intelligent
Run-time Memory Analysis is a cloud-based, advanced analysis engine
that complements the static and dynamic analysis engines, to detect
and prevent evasive malware threats. These evasive techniques used
by advanced threats include, but are not limited to, malware using
cloaking strategies, displaying signs of bespoke design / ephemeral behaviors,
created using sophisticated tools, and exhibit fast-spreading qualities.
By leveraging a cloud-based detection infrastructure, introspective
analysis detectors operate a wide array of detection mechanisms
that are updated and deployed automatically without requiring the user
to download content update packages or run resource intensive, appliance-based
analyzers. The cloud-based detection engines are continuously monitored
and updated using based on ML-based datasets used to analyze Advanced
WildFire samples, with additional support from Palo Alto Networks
threat researchers, who provide human intervention for highly accurized
detection enhancements.
Intelligent Run-time Memory Analysis
relies on the existing WildFire analysis profile settings and does
not require any additional configuration; however, you must have
an active Advanced WildFire license. Samples that display or otherwise
indicate evasive and/or advanced malware qualities are automatically
forwarded to the appropriate analysis environments.