PAN-OS ® New Features Guide
    : Hold Mode for WildFire Real-Time Signature Lookup
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS ® New Features Guide
    4. WildFire Features
    5. Hold Mode for WildFire Real-Time Signature Lookup
    Download PDF

    PAN-OS ® New Features Guide

    Hold Mode for WildFire Real-Time Signature Lookup

    Table of Contents

    Hold Mode for WildFire Real-Time Signature Lookup

    Hold file transfers from completing while the WildFire cloud scans the file for malicious content.
    PAN-OS 11.0.2 now supports the option to hold file a sample transfer while the firewall queries the real-time signature cloud to perform a signature lookup. When the lookup is completed, the file is released to the requesting client, based on your organization's security policy for specific WildFire verdicts - this prevents the initial transfer of known malware; in other words, reduces the likelihood of a patient zero outbreak from occurring. You can configure the hold mode on a per antivirus profile basis and apply a global setting for the signature lookup timeout and the associated action. This feature is available to all users with an active WildFire or Advanced WildFire subscription.
    1. To enable hold mode for WildFire real-time signature lookups, you must have either a WildFire or Advanced WildFire subscription service license. Make sure to activate the license on the firewall if you have not done so already. To verify subscriptions for which you have currently-active licenses, select
      Device
      Licenses
       and verify that the appropriate licenses display and are not expired. The example below shows the description for the standard WildFire license.
    3. Configure the timeout setting and action when the request exceeds the timeout.
      You must enable hold mode for WildFire real-time signature lookups globally before you enable hold mode on a per-Antivirus profile basis.
      1. Select
        Device Setup
        ContentID
        Realtime Signature Lookup
      2. Enable
        Hold for WildFire Real Time Signature Look Up
        .
      3. Specify the
        WildFire Real Time Signature Lookup Timeout (ms)
         in milliseconds (the default value is 1000).
        Palo Alto Networks recommends using the default value of 1000ms unless you experience repeated timeouts during testing.
      4. Specify the
        Action on Real Time WildFire Signature Timeout
        . The default value is
        Allow
        , however, Palo Alto Networks recommends setting this to
        Reset-Both
         when hold mode is enabled. The options include the following:
        • Allow—Hold packets until the firewall completes a real-time signature lookup against the real-time signature cloud.
        • Reset Both—Resets the connection on both the client and server ends.
      5. Select
        OK
         when finished.
    4. Update or create a new Antivirus Security profile to enable hold mode for WildFire real-time signature lookups.
      1. Select an existing antivirus security profile or
        Add
         a new one (
        Objects
        Security Profiles
        Antivirus
        ).
      2. Select your antivirus security profile and then go to
        Action
        .
      3. Select
        Hold for WildFire Real Time Signature Look Up
        .
      4. Repeat steps 4a-4c for all active antivirus profiles for which you want to enable hold mode for WildFire real-time signature lookups.
    5. Commit
       your changes.
    6. (Optional) You can view a summary of your antivirus security profile settings, including hold mode enablement, on the antivirus summary view page.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.