Enable Advanced WildFire Inline Cloud Analysis


Inline Cloud Analysis for Advanced WildFire provides real-time advanced malware protection by leveraging the analysis capabilities of the Advanced WildFire Cloud.
Where Can I Use This?
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series
What Do I Need?
  • Advanced WildFire License
Palo Alto Networks Advanced WildFire operates a series of cloud-based ML detection engines that provide inline analysis of PE (portable executable) files traversing your network to detect and prevent advanced malware in real-time. As with other malicious content that WildFire detects, threats detected by Advanced WildFire Inline Cloud Analysis generate a signature that is then disseminated to customers through an update package, providing a future defense for all Palo Alto Networks customers.
The cloud-based engines enable the detection of never-before-seen malware (e.g., a Palo Alto Networks zero-day - malware previously unseen in the wild or by Palo Alto Networks) and block it from entering your environment. Advanced WildFire Inline Cloud Analysis uses a lightweight forwarding mechanism on the firewall to minimize performance impact. The cloud-based ML models are updated seamlessly, to address the ever-changing threat landscape without requiring content updates or feature release support.
Advanced WildFire Inline Cloud Analysis is enabled and configured through the WildFire Analysis profile and requires PAN-OS 11.1 or later with an active Advanced WildFire license.
  1. This step is not necessary if you already installed the current version of the device certificate on your firewall.
  2. To enable Advanced WildFire Inline Cloud Analysis, you must have an active Advanced WildFire subscription. For more information, refer to: Licensing, Registration, and Activation.
    To verify subscriptions for which you have currently-active licenses, select Device > Licenses and verify that the appropriate licenses are available and have not expired.
    If your current WildFire license has expired and you are installing an Advanced WildFire license, you must first remove the WildFire license from the NGFW before installing the Advanced WildFire license.
  3. Update or create a new WildFire Analysis Security profile to enable Advanced WildFire Inline Cloud Analysis.
    1. Select an existing WildFire Analysis Profile or Add a new one (Objects > Security Profiles > WildFire Analysis).
    2. Select your WildFire analysis profile, go to Inline Cloud Analysis, and select Enable cloud inline analysis.
    3. Specify a rule defining an action to take when Advanced WildFire Inline Cloud Analysis detects advanced malware.
      • Name—Enter a descriptive Name for any rules you add to the profile (up to 31 characters).
      • Application—Add the application traffic that the rules defining the Inline Cloud ML actions match against.
      • File Type—Select a File Type to be analyzed at the defined analysis destination for the rule.
        Only PE (portable executable) files are supported at this time.
      • Direction—Apply the rule to traffic depending on the transmission Direction. You can apply the rule to download traffic.
      • Action—Configure the action to take when a threat is detected using Advanced WildFire Inline Cloud Analysis. You can allow the application traffic to continue to the destination or block traffic from either a source or a source-destination.
        Palo Alto Networks recommends setting the action to block for optimal security.
    4. Click OK to exit the WildFire Analysis Profile configuration dialog.
  4. Review the maximum file size that can be forwarded for analysis using Advanced WildFire Inline Cloud Analysis.
    Advanced WildFire Inline Cloud Analysis provides a fast WildFire verdict; however, a full report for a malicious sample is only available after the sample undergoes full dynamic analysis, which can take up to 30 minutes.
    1. Select Device > Setup > WildFire > Inline Cloud Analysis Settings and review the file size limits.
    2. Click OK to confirm your changes.
  5. Specify the network session information that the firewall forwards about a given sample. Palo Alto Networks uses session information to learn more about the context of the suspicious network event, indicators of compromise related to the malware, affected hosts and clients, and applications used to deliver the malware. These options are enabled by default.
    1. Select Device > Setup > WildFire > Inline Session Information Settings and select or clear the options as necessary.
      • Source IP—Forward the source IP address that sent the unknown file.
      • Source Port—Forward the source port that sent the unknown file.
      • Destination IP—Forward the destination IP address for the unknown file.
      • Destination Port—Forward the destination port for the unknown file.
      • Virtual System—Forward the virtual system that detected the unknown file.
      • Application—Forward the user application that transmitted the unknown file.
      • User—Forward the targeted user.
      • URL—Forward the URL associated with the unknown file.
      • Filename—Forward the name of the unknown file.
      • Email sender—Forward the sender of an unknown email link (the name of the email sender also appears in WildFire logs and reports).
      • Email recipient—Forward the recipient of an unknown email link (the name of the email recipient also appears in WildFire logs and reports).
      • Email subject—Forward the subject of an unknown email link (the email subject also appears in WildFire logs and reports).
    2. Click OK to confirm your changes.
  6. Configure the timeout latency and action to take when the request exceeds the max latency.
    1. Specify the action to take when latency limits are reached for Advanced WildFire Inline Cloud Analysis requests:
      • Max Latency (ms)—Specify the maximum acceptable processing time, in seconds, for Advanced WildFire Inline Cloud Analysis to return a result.
      • Allow on Max Latency—Enables the firewall to take the action of allow when the maximum latency is reached. De-selecting this option sets the firewall action to block.
      • Log Traffic Not Scanned—Enables the firewall to log Advanced WildFire Inline Cloud Analysis requests that exhibit the presence of advanced malware but have not been processed by the Advanced WildFire cloud.
    2. Click OK to confirm your changes.
  7. (Recommended) Configure the firewall to prevent a client from fetching part of a file and then starting a new session to fetch the remainder after the firewall terminates the original session due to detected malicious activity. This occurs when a web browser uses the HTTP Range header. While enabling Allow HTTP partial response provides maximum availability, it can also increase the risk of a successful cyberattack. Palo Alto Networks recommends disabling Allow HTTP partial response for maximum security.
    Allow HTTP partial response is a global setting and affects HTTP-based data transfers that use the RANGE header, which may cause service anomalies for certain applications. After you disable Allow HTTP partial response, validate the operation of your business-critical applications.
    1. Select Device > Setup > Content-ID > Content-ID Settings.
    2. De-select Allow HTTP partial response and click OK.
  8. Commit your changes.
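The settings in steps 3 through 7 are easy to leave at a permissive default (a rule set to allow, fail-open on max latency, HTTP partial response still enabled), so a configuration audit is worth automating. The following script is an added example, not code from Palo Alto Networks or from this page: it parses a PAN-OS-style configuration export and reports every deviation from the recommendations above. The XML element names used for the inline-analysis settings (`inline-cloud-analysis`, `allow-on-max-latency`, `log-traffic-not-scanned`, the per-rule `action`) are assumptions modelled on the GUI labels and should be checked against a real exported configuration; the sample configuration is constructed for the demonstration.

```python
"""Audit a PAN-OS-style configuration XML for the Advanced WildFire Inline
Cloud Analysis hardening settings described on this page.

ASSUMPTION: the element names under inline-cloud-analysis, the per-rule
<action> element and deviceconfig/setting/ctd/allow-http-range are modelled
on the GUI labels; they are placeholders, not a verified PAN-OS schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration (not a real export). One profile with a
# compliant block rule, one with an allow rule, and the global settings left
# in the permissive state that the page recommends changing.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><setting>
      <ctd><allow-http-range>yes</allow-http-range></ctd>
      <wildfire><inline-cloud-analysis>
        <max-latency>1000</max-latency>
        <allow-on-max-latency>yes</allow-on-max-latency>
        <log-traffic-not-scanned>no</log-traffic-not-scanned>
      </inline-cloud-analysis></wildfire>
    </setting></deviceconfig>
    <vsys><entry name="vsys1"><profiles><wildfire-analysis>
      <entry name="wf-strict">
        <inline-cloud-analysis><enable>yes</enable>
          <rules><entry name="pe-download">
            <application><member>any</member></application>
            <file-type><member>pe</member></file-type>
            <direction>download</direction>
            <action>block</action>
          </entry></rules>
        </inline-cloud-analysis>
      </entry>
      <entry name="wf-lenient">
        <inline-cloud-analysis><enable>yes</enable>
          <rules><entry name="pe-allow">
            <application><member>any</member></application>
            <file-type><member>pe</member></file-type>
            <direction>download</direction>
            <action>allow</action>
          </entry></rules>
        </inline-cloud-analysis>
      </entry>
    </wildfire-analysis></profiles></entry></vsys>
  </entry></devices>
</config>"""


def audit(config_xml: str) -> list:
    """Return a list of findings; empty when the config matches the page's recommendations."""
    root = ET.fromstring(config_xml)
    findings = []

    # Step 7: Allow HTTP partial response is a global Content-ID setting and
    # should be disabled so a client cannot resume a blocked download by Range.
    http_range = root.findtext(".//deviceconfig/setting/ctd/allow-http-range")
    if http_range != "no":
        findings.append("Allow HTTP partial response is enabled (ctd/allow-http-range != no)")

    # Step 6: Allow on Max Latency makes the firewall fail open on timeouts,
    # and Log Traffic Not Scanned is what tells you that it happened.
    inline = root.find(".//deviceconfig/setting/wildfire/inline-cloud-analysis")
    if inline is not None:
        if inline.findtext("allow-on-max-latency") == "yes":
            findings.append("Allow on Max Latency is set; requests that time out are allowed (fail-open)")
        if inline.findtext("log-traffic-not-scanned") != "yes":
            findings.append("Log Traffic Not Scanned is off; unscanned requests leave no record")

    # Step 3: every inline analysis rule in every profile should block.
    for prof in root.iterfind(".//profiles/wildfire-analysis/entry"):
        pname = prof.get("name")
        ica = prof.find("inline-cloud-analysis")
        if ica is None or ica.findtext("enable") != "yes":
            findings.append(f"profile {pname}: inline cloud analysis not enabled")
            continue
        rules = ica.findall("rules/entry")
        if not rules:
            findings.append(f"profile {pname}: inline analysis enabled but no rule defined")
        for rule in rules:
            if rule.findtext("action") != "block":
                findings.append(f"profile {pname}: rule {rule.get('name')} action is "
                                f"{rule.findtext('action')!r}, expected 'block'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample it reports four findings (the HTTP Range setting, the two latency settings, and the `wf-lenient` allow rule) and nothing for `wf-strict`. In practice you would feed it the XML returned by the firewall's configuration export rather than the inline sample, after confirming the element paths against that export.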
