Advanced WildFire Best Practices
Focus
Focus
Advanced WildFire

Advanced WildFire Best Practices

Table of Contents

Advanced WildFire Best Practices

Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series
  • Advanced WildFire License
    For
    Prisma Access
    , this is usually included with your
    Prisma Access
    license.
Prisma Access
users—Refer to the
Prisma Access
for product-specific information about the user-interface.
  • Follow the best practices to secure your network from Layer 4 and Layer 7 evasions to ensure reliable content identification and analysis. Specifically, make sure that you implement the best practices for TCP settings (
    Device
    Setup
    Session
    TCP Settings
    ) and Content-ID™ settings (
    Device
    Setup
    Content-ID
    Content-ID Settings
    ).
  • Also make sure that you have an active Threat Prevention subscription. Together, Advanced WildFire
    ®
    and Threat Prevention enable comprehensive threat detection and prevention.
  • Download and install content updates on a daily basis to receive the latest product updates and threat protections generated by Palo Alto Networks. Review the instructions for installing content and software updates for more information about what is included in the update packages.
  • If you are running PAN-OS 10.0 or later, configure your firewall to retrieve Advanced WildFire signatures in real-time. This provides access to newly-discovered malware signatures as soon as the Advanced WildFire public cloud can generate them, thereby preventing successful attacks by minimizing your exposure time to malicious activity.
  • If you configured your firewall to decrypt SSL traffic, then enable the firewall to Forward Decrypted SSL Traffic for WildFire Analysis. Only a superuser can enable this option.
  • Use the default WildFire Analysis profile to define the traffic that the firewall should forward for analysis (
    Objects
    Security Profiles
    WildFire Analysis
    ). The default WildFire Analysis profile ensures complete coverage for all traffic that your Security policy allows—it specifies that all supported file types across all applications are forwarded for Advanced WildFire analysis regardless whether the files are uploaded or downloaded.
    If you choose to create a custom WildFire Analysis profile, it is a best practice to still set the profile to forward
    any
    file type. This enables the firewall to automatically begin forwarding file types as they become supported for analysis.
    For details on applying a WildFire Analysis profile to firewall traffic, review how to Forward Files for Advanced WildFire Analysis.
    WildFire Action settings in the Antivirus profile may impact traffic if the traffic generates an Advanced WildFire signature that results in a reset or a drop action. You can exclude internal traffic, such as software distribution applications through which you deploy custom-built programs, to transition safely to best practicesbecause Advanced WildFire may identify custom-built programs as malicious and generate a signature for them. Check
    Monitor
    Logs
    WildFire Submissions
    to see if any internal custom-built programs trigger Advanced WildFire signatures.
  • While you are configuring the firewall to Forward Files for Advanced WildFire Analysis, review the file
    Size Limit
    for all supported file types. Set the
    Size Limit
    for all file types to the default limits. (Select
    Device
    Setup
    WildFire
    and edit the General Settings to adjust file size limits based on file type. You can view the Help information to find the default size limit for each file type).
    About the Default File Size Limits for WildFire Forwarding
    The default file size limits on the firewall are designed to include the majority of malware in the wild (which is smaller than the default size limits) and to exclude large files that are very unlikely to be malicious and that can impact WildFire file-forwarding capacity. Because the firewall has a specific capacity reserved to forward files for Advanced WildFire analysis, forwarding high numbers of large files can cause the firewall to skip forwarding of some files. This condition occurs when the maximum file size limits are configured for a file type that is traversing the firewall at a high rate. In this case, a potentially malicious file might not get forwarded for Advanced WildFire analysis. Consider this possible condition if you would like to increase the size limit for files other than PEs beyond their default size limit.
    The following graph is a representative illustration of the distribution of file sizes for malware as observed by the Palo Alto Networks threat research team. You can increase the firewall default file size settings to the maximum file size setting to gain a relatively small increase in the malware catch rate for each file type.
    Recommended File Size Limits to Catch Uncommonly Large Malicious Files
    If you are concerned specifically about uncommonly large malicious files, then you can increase file size limits beyond the default settings. In these cases, the following settings are recommended to catch rare, very large malicious files.
    Select
    Device
    Setup
    WildFire
    and edit General Settings to adjust the
    Size Limit
    for each file type:
    File Type
    PAN-OS 9.0 and later File-Forwarding Maximum Size Recommendations
    PAN-OS 8.1 File-Forwarding Maximum Size Recommendations
    pe
    16MB
    10MB
    apk
    10MB
    10MB
    pdf
    3,072KB
    1,000KB
    ms-office
    16,384KB
    2,000KB
    jar
    5MB
    5MB
    flash
    5MB
    5MB
    MacOSX
    10MB
    1MB
    archive
    50MB
    10MB
    linux
    50MB
    10MB
    script
    20KB
    20KB

Recommended For You