Device Setup (Content-ID)
Learn about device setup Content-ID settings.
In Strata Cloud Manager, select Configuration > NGFW and Prisma Access and set the Configuration Scope to the folder or NGFW you wish to configure. From the scope of your folder or NGFW, select Device Settings > Device Setup > Content-ID.

Content-ID Settings

Extended Packet Capture Length (packets)
Set the number of packets to capture when the extended-capture option is enabled in Anti-Spyware and Vulnerability Protection profiles (range is 1 to 50; default is 5).
Forward Segments Exceeding TCP App-ID Inspection Queue
Enable this option to forward segments and classify an application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Use the following global counter to view the number of segments exceeding the queue limit, regardless of whether you enabled or disabled this option:
Forward Segments Exceeding TCP Content Inspection Queue
Enable this option to forward TCP segments and skip content inspection when the TCP content inspection queue is full. The NGFW can queue up to 64 segments while waiting for the content engine. When the NGFW forwards a segment and skips content inspection due to a full content inspection queue, it increments the following global counter:
Forward Datagrams Exceeding UDP Content Inspection Queue
Enable this option to forward UDP datagrams and skip content inspection when the UDP content inspection queue is full. The NGFW can queue up to 64 datagrams while waiting for a response from the content engine. When the NGFW forwards a datagram and skips content inspection due to a UDP content inspection queue overflow, it increments the following global counter:
Allow HTTP Partial Response
Enable this option to allow a client to fetch only part of a file. When an NGFW in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. Because the NGFW has no context from the initial session, the same signature does not trigger again, and the web browser can reassemble the file and deliver the malicious content. To prevent this, disable this option.
Use X-Forwarded-For Header
  • Disabled—When disabled, the NGFW does not read the IP addresses from X-Forwarded-For (XFF) header in client requests.
  • Enable for User-ID—Enable this option to specify that User-ID reads IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the NGFW is deployed between the internet and a proxy server that would otherwise hide client IP addresses. User-ID matches the IP addresses it reads with usernames that your policies reference so that those policies can control and log access for the associated users and groups. If the header has multiple IP addresses, User-ID uses the first entry from the left.
In some cases, the header value is a character string instead of an IP address. If the string matches a username that User-ID mapped to an IP address, the NGFW uses that username for group mapping references in policies. If no IP address-mapping exists for the string, the NGFW invokes the policy rules in which the source user is set to any or unknown.
URL Filtering logs display the matched usernames in the Source User field. If User-ID cannot perform the matching or is not enabled for the zone associated with the IP address, the Source User field displays the XFF IP address with the prefix x-fwd-for.
  • Enable for Security Policy—Enable this option to specify that the NGFW reads the IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when an upstream device, such as proxy server or load balancer, is deployed between the client and the NGFW. The proxy server or load balancer IP address replaces the client IP address as the request source IP. The NGFW can then use the IP addresses in the XFF header to enforce policy.
Strip X-Forwarded-For Header
Enable this option to remove the X-Forwarded-For (XFF) header, which contains the IP address of a client requesting a web service when the NGFW is deployed between the internet and a proxy server. The NGFW zeroes out the header value before forwarding the request: the forwarded packets don’t contain internal source IP information.
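The three XFF behaviours described above (read the leftmost entry, treat a non-IP string as a username candidate, tag unmatched addresses in the log, and zero out the header when stripping) can be modelled in a few lines. The following is an added example written for this page, not Palo Alto Networks code; the User-ID mapping table, the sample requests, the `x-fwd-for:<ip>` log spelling and the same-length zero fill used for "zeroes out" are all assumptions made for the demonstration.

```python
import ipaddress
from typing import Optional

# Constructed sample requests, as headers would arrive from an upstream proxy.
SAMPLE_REQUESTS = [
    {"X-Forwarded-For": "10.1.2.3, 203.0.113.7"},  # two proxy hops: leftmost is the client
    {"X-Forwarded-For": "jdoe"},                   # character string instead of an IP
    {"X-Forwarded-For": "198.51.100.4"},           # single address
    {},                                            # no XFF header at all
]

# Constructed User-ID IP-to-username mapping table (assumption for the demo).
USER_ID_MAP = {"10.1.2.3": "jdoe", "198.51.100.4": "asmith"}


def xff_first_entry(headers: dict) -> Optional[str]:
    """Leftmost XFF entry: the page says User-ID uses the first entry from the left."""
    raw = headers.get("X-Forwarded-For")
    if raw is None:
        return None
    first = raw.split(",")[0].strip()
    return first or None


def is_ip_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve_source_user(headers: dict, user_id_enabled_for_zone: bool = True) -> str:
    """Model of how the Source User field is filled when Enable for User-ID is on.

    Returns the matched username, the XFF address tagged with the x-fwd-for
    prefix when no match is possible, or "unknown" when policy falls back to
    rules whose source user is any/unknown. The "x-fwd-for:<ip>" spelling is
    an assumption about the log format.
    """
    entry = xff_first_entry(headers)
    if entry is None:
        return "unknown"
    if is_ip_address(entry):
        if user_id_enabled_for_zone and entry in USER_ID_MAP:
            return USER_ID_MAP[entry]
        return f"x-fwd-for:{entry}"
    # Not an IP: the string is used as a username only if User-ID has already
    # mapped that username to an IP; otherwise any/unknown rules apply.
    if entry in USER_ID_MAP.values():
        return entry
    return "unknown"


def strip_xff(headers: dict) -> dict:
    """Model of Strip X-Forwarded-For: the value is zeroed out before forwarding.

    Overwriting with zeros of the same length (an assumption about what
    "zeroes out" means) keeps the request size unchanged while removing the
    internal source IP from what the server sees.
    """
    forwarded = dict(headers)
    if "X-Forwarded-For" in forwarded:
        forwarded["X-Forwarded-For"] = "0" * len(forwarded["X-Forwarded-For"])
    return forwarded


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.get("X-Forwarded-For"), "->", resolve_source_user(req),
              "| forwarded:", strip_xff(req))
```

The leftmost entry is whatever the upstream proxy recorded, so the Enable for User-ID and Enable for Security Policy options only give trustworthy results when that proxy is the one inserting the header; the x-fwd-for prefix in URL Filtering logs is the quickest way to spot addresses that User-ID could not map.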

HTTP/2 Settings

Connection Logging
Enables the NGFW to log HTTP/2 connection sessions as tunnel inspection log entries.

Content Cloud Settings

Service URL
Various Palo Alto Networks cloud-based services operating on the NGFW use the specified FQDN to facilitate service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the nearest cloud services server. You can override the automatic server selection by specifying a regional content cloud server that best meets your data residency and performance requirements. Keep in mind that the content cloud FQDN is a globally used resource and affects how other services that rely on this connection send traffic payloads.

URL Inline Cloud Categorization

Max Latency (ms)
Specify the maximum acceptable processing time, in milliseconds, for Inline Cloud Categorization to return a result.
Allow on Max Latency
Enables the NGFW to allow the traffic when the maximum latency is reached. Deselecting this option sets the NGFW action to block.
Log Traffic Not Scanned
Enables the NGFW to log URL categorization requests that exhibit the presence of certain advanced webpage threats but have not been processed by Inline Cloud Categorization.

WildFire Inline Cloud Analysis

Max Latency (ms)
Specify the maximum acceptable processing time, in milliseconds, for Advanced WildFire Inline Cloud Analysis to return a result. The range is 1 to 240,000 ms; the default is 30,000 ms.
Allow on Max Latency
Enables the NGFW to allow the traffic when the maximum latency is reached. Deselecting this option sets the NGFW action to block.
Log Traffic Not Scanned
Enables the NGFW to log Advanced WildFire Inline Cloud Analysis requests that exhibit the appearance of malware but have not yet been processed.

Threat Prevention Inline Cloud Analysis

Max Latency (ms)
Specify the maximum processing time, in milliseconds, for Advanced Threat Prevention Inline Cloud Analysis to return a result.
Allow on Max Latency
Enables the NGFW to allow the traffic when the maximum latency is reached. Deselecting this option sets the NGFW action to block.
Log Traffic Not Scanned
Enables the NGFW to log traffic requests that exhibit anomalous traits indicating the presence of advanced and evasive command-and-control (C2) threats but have not been processed by Threat Prevention Inline Cloud analyzers.

Realtime Signature Lookup

Enable DNS Signature Lookup Health Monitor
You can enable the DNS Signature Lookup Health Monitor to monitor whether the DNS server is responding to client requests.
DNS Signature Lookup Timeout (ms)
Specify the duration of time, in milliseconds, for the NGFW to query the DNS Security service. If the cloud does not respond before the end of the specified period, the NGFW releases the associated DNS response to the requesting client (range is 0 to 60,000; default is 100).
Hold for WildFire Real-Time Signature Lookup
Enables the option to use WildFire real-time signature lookup hold mode on a per-Antivirus-profile basis.
WildFire Real-Time Signature Lookup Timeout (ms)
Specify the duration of time, in milliseconds, for the NGFW to query the real-time signature cloud for real-time signature lookups. If the real-time signature cloud does not respond before the end of the specified period, the NGFW applies the user-specified Action on Real-Time WildFire Signature Timeout to the requesting client (range is 1000 to 5000; default is 1000).
Action on Real-Time WildFire Signature Timeout
Specify the action to take when the signature lookup exceeds the configured WildFire Real Time Signature Lookup Timeout setting:
  • Allow—The packets are released and the file continues transmission to the client.
  • Reset Both—Resets the connection on both client and server ends.
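The inline cloud analysis sections (URL, WildFire and Threat Prevention) and the Realtime Signature Lookup settings above all follow one pattern: the NGFW waits a bounded time for a cloud verdict, and a setting decides what happens when the deadline passes. The following added example models that pattern in Python; it is written for this page and is not Palo Alto Networks code. The cloud services are replaced by constructed stand-in functions, and the verdict strings, the `Decision` fields and the choice of which argument is "suspicious" are assumptions made for the demonstration. The range checks use the ranges stated on the page.

```python
import concurrent.futures
import time
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    RESET_BOTH = "reset-both"


@dataclass
class Decision:
    action: Action
    scanned: bool             # a cloud verdict arrived before the deadline
    logged_not_scanned: bool  # Log Traffic Not Scanned produced a log entry


def _query_with_deadline(lookup, deadline_ms: int):
    """Run lookup() in a worker thread and wait at most deadline_ms for it.

    Returns (verdict, timed_out). The worker is deliberately not joined on
    timeout, so the caller is released the moment the deadline passes.
    """
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(lookup)
    try:
        return future.result(timeout=deadline_ms / 1000.0), False
    except concurrent.futures.TimeoutError:
        return None, True
    finally:
        pool.shutdown(wait=False)


def inline_cloud_decision(lookup, max_latency_ms: int, allow_on_max_latency: bool,
                          log_traffic_not_scanned: bool, suspicious: bool) -> Decision:
    """Max Latency / Allow on Max Latency / Log Traffic Not Scanned.

    `suspicious` models a request that shows the traits the analyzer looks for
    (the page's "exhibit the presence of ... threats"), which is what gets
    logged when no cloud verdict arrives in time.
    """
    verdict, timed_out = _query_with_deadline(lookup, max_latency_ms)
    if not timed_out:
        return Decision(Action.BLOCK if verdict == "malicious" else Action.ALLOW, True, False)
    action = Action.ALLOW if allow_on_max_latency else Action.BLOCK
    return Decision(action, False, log_traffic_not_scanned and suspicious)


def dns_signature_decision(lookup, timeout_ms: int = 100) -> Action:
    """DNS Signature Lookup Timeout: on timeout the DNS response is released."""
    if not 0 <= timeout_ms <= 60_000:
        raise ValueError("DNS signature lookup timeout must be 0 to 60,000 ms")
    verdict, timed_out = _query_with_deadline(lookup, timeout_ms)
    if timed_out:
        return Action.ALLOW
    return Action.BLOCK if verdict == "malicious" else Action.ALLOW


def wildfire_realtime_decision(lookup, timeout_ms: int = 1000,
                               action_on_timeout: Action = Action.RESET_BOTH) -> Action:
    """WildFire Real-Time Signature Lookup Timeout with Action on Timeout."""
    if not 1000 <= timeout_ms <= 5000:
        raise ValueError("WildFire real-time signature lookup timeout must be 1000 to 5000 ms")
    if action_on_timeout not in (Action.ALLOW, Action.RESET_BOTH):
        raise ValueError("action on timeout must be Allow or Reset Both")
    verdict, timed_out = _query_with_deadline(lookup, timeout_ms)
    if timed_out:
        return action_on_timeout
    return Action.BLOCK if verdict == "malicious" else Action.ALLOW


# Constructed stand-ins for the cloud services: instant verdicts and a slow one.
def fast_benign():
    return "benign"


def fast_malicious():
    return "malicious"


def slow_lookup(seconds: float):
    def run():
        time.sleep(seconds)
        return "malicious"
    return run


if __name__ == "__main__":
    print(inline_cloud_decision(slow_lookup(0.3), 50, True, True, True))
    print(dns_signature_decision(slow_lookup(0.3), 50))
    print(wildfire_realtime_decision(slow_lookup(1.2), 1000, Action.RESET_BOTH))
```

The point the model makes visible is that Allow on Max Latency is a fail-open choice: a slow cloud path lets traffic through unscanned, and Log Traffic Not Scanned is the only record that it happened. The DNS signature lookup is always fail-open by design (the response is released), whereas the WildFire real-time lookup lets you pick Reset Both for a fail-closed stance.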

Container Pages

Custom URL Content Types
Use these settings to specify the types of URLs that the NGFW tracks or logs based on content type, such as application/pdf, application/soap+xml, application/xhtml+, text/html, text/plain, and text/xml. Container pages are set per virtual system, which you select from the Location drop-down. If a virtual system does not have an explicit container page defined, the NGFW uses the default content types.
Add and enter a content type or select an existing content type.
Adding new content types for a virtual system overrides the default list of content types. If there are no content types associated with a virtual system, the default list of content types is used.
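The override rule above (a custom list for a virtual system replaces the default list rather than extending it, and an empty list falls back to the defaults) is easy to get wrong when reasoning about which responses will be tracked. The following added example, written for this page and not Palo Alto Networks code, applies that rule to constructed sample responses. The default list is taken from the page, except that the truncated "application/xhtml+" entry is left out rather than guessed; the per-virtual-system custom lists and the sample responses are constructed for the demonstration.

```python
# Default container-page content types listed on the page (the truncated
# "application/xhtml+" entry is omitted rather than completed by guesswork).
DEFAULT_CONTENT_TYPES = frozenset({
    "application/pdf", "application/soap+xml", "text/html", "text/plain", "text/xml",
})

# Constructed per-virtual-system custom lists. A non-empty entry replaces the
# default list for that vsys; a vsys with no entry or an empty set keeps the defaults.
CUSTOM_CONTENT_TYPES = {
    "vsys2": {"text/html", "application/json"},
    "vsys3": set(),
}


def media_type(content_type_header: str) -> str:
    """Media type only: parameters such as charset are dropped and case is folded,
    so "text/HTML; charset=UTF-8" and "text/html" compare equal."""
    return content_type_header.split(";", 1)[0].strip().lower()


def effective_content_types(vsys: str) -> frozenset:
    """The list the NGFW would use for this vsys under the page's override rule."""
    custom = CUSTOM_CONTENT_TYPES.get(vsys)
    return frozenset(custom) if custom else DEFAULT_CONTENT_TYPES


def is_container_page(vsys: str, content_type_header: str) -> bool:
    return media_type(content_type_header) in effective_content_types(vsys)


# Constructed sample responses: (virtual system, Content-Type header value).
SAMPLE_RESPONSES = [
    ("vsys1", "text/html; charset=UTF-8"),   # default list, tracked
    ("vsys1", "application/json"),           # default list, not tracked
    ("vsys2", "application/PDF"),            # custom list replaced defaults: not tracked
    ("vsys2", "application/json"),           # in custom list: tracked
    ("vsys3", "text/plain"),                 # empty custom list, defaults apply
]


def tracked_responses(responses=SAMPLE_RESPONSES):
    """Return the responses the NGFW would track as container pages."""
    return [(vsys, ct) for vsys, ct in responses if is_container_page(vsys, ct)]


if __name__ == "__main__":
    for vsys, ct in tracked_responses():
        print(f"{vsys}: {ct} -> tracked")
```

The vsys2 rows are the ones to look at: adding application/json to that virtual system silently dropped application/pdf from what it tracks, which is the behaviour the sentence about overriding the default list describes.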