Hold Mode for WildFire Real-Time Signature Lookup
Hold file transfers from completing while the WildFire cloud scans the file for malicious
content.
PAN-OS 11.0.2 now supports the option to hold a file sample transfer while the firewall queries the real-time signature cloud to perform a signature lookup. When the lookup completes, the file is released to the requesting client based on your organization's security policy for the specific WildFire verdict. Because the file is not delivered before the verdict is known, this prevents the initial transfer of known malware and reduces the likelihood of a patient zero outbreak. You can configure hold mode on a per-antivirus-profile basis and apply a global setting for the signature lookup timeout and the associated timeout action. This feature is available to all users with an active WildFire or Advanced WildFire subscription.
To enable hold mode for WildFire real-time signature lookups, you must have either a WildFire or Advanced WildFire subscription service license. Make sure to activate the license on the firewall if you have not done so already. To verify the subscriptions for which you have currently active licenses, select and verify that the appropriate licenses display and are not expired. The example below shows the description for the standard WildFire license.
Configure the timeout setting and the action taken when the request exceeds the timeout.
You must enable hold mode for WildFire real-time signature lookups globally before you enable hold mode on a per-antivirus-profile basis.
  a. Enable Hold for WildFire Real Time Signature Look Up.
  b. Specify the WildFire Real Time Signature Lookup Timeout (ms) in milliseconds (the default value is 1000). Palo Alto Networks recommends using the default value of 1000 ms unless you experience repeated timeouts during testing.
  c. Specify the Action on Real Time WildFire Signature Timeout. The default value is Allow; however, Palo Alto Networks recommends setting this to Reset-Both when hold mode is enabled. The options include the following:
     Allow—Hold packets until the firewall completes a real-time signature lookup against the real-time signature cloud.
     Reset Both—Resets the connection on both the client and server ends.
Update or create an Antivirus Security profile to enable hold mode for WildFire real-time signature lookups.
  a. Select an existing antivirus security profile or Add a new one.
  b. Select your antivirus security profile and then go to Action.
  c. Select Hold for WildFire Real Time Signature Look Up.
Repeat steps 4a-4c for all active antivirus profiles for which you want to enable hold mode for WildFire real-time signature lookups.
(Optional) You can view a summary of your antivirus security profile settings,
including hold mode enablement, on the antivirus summary view page.
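The following Python model is an added illustration and is not Palo Alto Networks code; it shows the decision the procedure above configures: hold the transfer, wait for the real-time signature cloud verdict up to the configured timeout, then either apply the per-verdict policy or, on timeout, the global timeout action. The in-memory "cloud" table, the file contents, the verdict-to-outcome policy table and the action names are all constructed assumptions for the example; the point it makes is that the default Allow timeout action fails open (a slow lookup releases the file unscanned) while Reset-Both fails closed, which is why the page recommends Reset-Both once hold mode is on.

```python
"""Model of hold mode for WildFire real-time signature lookups (illustration only).

Not PAN-OS code. The cloud, the samples and the policy table below are constructed
so the model runs offline and shows the timeout behaviour the page describes.
"""
import concurrent.futures
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Timeout actions from the page (the string values are this model's own).
ACTION_ALLOW = "allow"            # fail open: the held file is released
ACTION_RESET_BOTH = "reset-both"  # fail closed: both connection ends are reset

# Constructed stand-in for the real-time signature cloud:
# sha256 hex digest -> (verdict, simulated lookup latency in seconds).
SAMPLE_CLOUD: Dict[str, Tuple[str, float]] = {}

def _register(content: bytes, verdict: str, latency_s: float) -> bytes:
    SAMPLE_CLOUD[hashlib.sha256(content).hexdigest()] = (verdict, latency_s)
    return content

BENIGN_FILE = _register(b"constructed benign document", "benign", 0.01)
MALWARE_FILE = _register(b"constructed known-malware sample", "malware", 0.01)
SLOW_FILE = _register(b"constructed sample whose lookup is slow", "malware", 0.5)

def cloud_lookup(digest: str) -> str:
    """Simulated cloud query: sleeps for the entry's latency, then returns its verdict."""
    verdict, latency_s = SAMPLE_CLOUD.get(digest, ("unknown", 0.01))
    time.sleep(latency_s)
    return verdict

@dataclass
class HoldResult:
    outcome: str            # "released", "blocked" or "reset"
    verdict: Optional[str]  # None when the lookup timed out
    timed_out: bool

# Example verdict policy; the page says this follows your organization's policy.
DEFAULT_VERDICT_POLICY: Dict[str, str] = {
    "benign": "released", "malware": "blocked", "grayware": "blocked", "phishing": "blocked",
}

def hold_for_lookup(content: bytes,
                    lookup: Callable[[str], str] = cloud_lookup,
                    timeout_ms: int = 1000,
                    action_on_timeout: str = ACTION_ALLOW,
                    verdict_policy: Dict[str, str] = DEFAULT_VERDICT_POLICY) -> HoldResult:
    """Hold the transfer until the lookup returns or timeout_ms (page default 1000) elapses."""
    digest = hashlib.sha256(content).hexdigest()
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(lookup, digest)
    try:
        verdict = future.result(timeout=timeout_ms / 1000.0)
    except concurrent.futures.TimeoutError:
        # The lookup exceeded the timeout: the global timeout action decides.
        pool.shutdown(wait=False)
        outcome = "released" if action_on_timeout == ACTION_ALLOW else "reset"
        return HoldResult(outcome, None, True)
    pool.shutdown(wait=False)
    # Verdicts the policy does not name are blocked (this model fails closed there).
    return HoldResult(verdict_policy.get(verdict, "blocked"), verdict, False)

def compare_timeout_actions(content: bytes, timeout_ms: int) -> Dict[str, str]:
    """Outcome of a slow lookup under each timeout action, for the same file and timeout."""
    return {
        action: hold_for_lookup(content, timeout_ms=timeout_ms, action_on_timeout=action).outcome
        for action in (ACTION_ALLOW, ACTION_RESET_BOTH)
    }

if __name__ == "__main__":
    print("benign  :", hold_for_lookup(BENIGN_FILE))
    print("malware :", hold_for_lookup(MALWARE_FILE))
    # A lookup slower than the timeout: Allow releases the file unscanned, Reset-Both does not.
    print("slow, per timeout action:", compare_timeout_actions(SLOW_FILE, timeout_ms=100))
```

The last line of the demo is the one to read: with a 100 ms timeout and the 500 ms simulated lookup, Allow reports "released" with no verdict while Reset-Both reports "reset". Raising the timeout so the lookup finishes turns the same file into "blocked", which is the trade-off the recommended 1000 ms default is balancing against repeated timeouts seen in testing.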