Advanced File Handling for Explicit Proxy

Enable WildFire inline inspection of files downloaded through Explicit Proxy to block malware before it reaches user endpoints.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
If you'd like to use this feature in your Prisma Access environment, get in touch with your account team to learn more.
  • Prisma Access license
  • Mobile user license
The explicit proxy Advanced File Handling feature provides inline cloud analysis for the predefined file types and larger file sizes within explicit proxy traffic. This capability prevents advanced malware threats by addressing evasion techniques such as those used by AI-generated malware.
The system relies on several core components that interact to provide this protection:
  • Explicit Proxy SPN: Acts as the initial connection point for user traffic. It decrypts traffic and forwards raw HTTP, headers, and payload data to the Content Scanner service for deep inspection. The Explicit Proxy also receives analysis verdicts and enforces actions, such as resetting connections for malicious content or streaming benign files to the client.
  • PAN-OS: The Palo Alto Networks® operating system detects file downloads within the traffic stream. It identifies whether an inline WildFire® profile is configured for the security policy matching the traffic. PAN-OS communicates inspection requirements and designated profile actions (for example, block or alert) to Explicit Proxy.
  • WildFire/Cloud-Delivered Security Services (CDSS): Serves as the central threat intelligence platform. It provides hash verdicts for known files and performs static analysis (SA) for unknown or suspicious files.
Without inline file inspection, Prisma Access explicit proxy delivers files to user endpoints before WildFire® generates a security verdict, leaving users exposed to malware during the analysis window. Advanced File Handling enables inline inspection of files during download, holding content while WildFire evaluates it and blocking confirmed malware before delivery to user endpoints.
Inline inspection supports all file types that WildFire analyzes, including executables, scripts, PDF documents, Office files, and archives. To keep client connections alive during analysis, the inspection pipeline sends trickle bytes while a verdict is pending. Inline inspection applies to HTTP and HTTPS download traffic with a maximum supported file size of 100 MB.
Real-Time Inline Cloud Analysis
Security teams often face a gap between file download speeds and the time required for deep security inspection. Real-time inline cloud analysis addresses this by inspecting files as they traverse explicit proxy, ensuring that threats are blocked before they reach the endpoint.
When you enable this feature, explicit proxy works with WildFire® to analyze files:
  • Instant Identification: The service identifies the file and checks its status against known threats.
  • Deep Analysis: If a file is unknown, the service performs static analysis in the cloud to determine a verdict.
  • Automated Blocking: If WildFire® identifies a file as malicious, the explicit proxy resets the connection to prevent the download.
  • Session Stability: To prevent your session from timing out during deep analysis, the service uses a byte-trickling mechanism. This delivers a steady stream of data to the client to keep the connection active while the inspection completes.
Your traffic, specifically file contents, may transit different geographical regions for analysis by the WildFire CDSS service. However, analysis is expected to occur within the same region as Prisma Access to maintain data locality.
To enable Advanced File Handling, configure WildFire inline cloud analysis settings, create a WildFire and Antivirus profile with inline inspection rules, apply the profile to your security policy rules, and then enable the feature toggle.

Advanced File Handling for Explicit Proxy (Strata Cloud Manager)

Configure Advanced File Handling in Strata Cloud Manager to enable WildFire inline inspection of files downloaded through Explicit Proxy.
  1. Configure the maximum latency for your WildFire Profile.
    1. Create a WildFire profile.
    2. Go to Configuration > NGFW and Prisma Access, set the Configuration Scope to Prisma Access, then select Device > Device.
    3. Select the Device tab, then select Content-ID.
    4. In the WildFire Inline Cloud Analysis section, configure the following settings:
      • Max Latency (ms) — Enter the maximum time, in milliseconds, to wait for a WildFire verdict before applying the max latency action. Configure Max latency to 300 seconds or 30000 ms.
      • Allow on Max Latency — Enable to allow files through when a verdict is not received within the max latency period. Disable to block files when the verdict is not received in time (fail-closed).
      • Log Traffic Not Scanned — Enable to generate log entries for files that the inspection pipeline does not analyze.
    5. Select Save to save the configuration changes.
  2. Enable inline cloud analysis.
    1. With the Configuration Scope set to Explicit Proxy, go to Security Services > WildFire and Antivirus Profile, and select your WildFire profile.
    2. Add a new profile or edit an existing one.
    3. Enable Inline Cloud Analysis. This activates the feature's core functionality.
    4. Attach your WildFire Profile to a Profile Group. Profile groups apply security profiles consistently across multiple security policies.
    5. Attach your WildFire Profile to a Security Policy. This defines which traffic is subject to advanced file handling. For Agent proxies, select specific users to enable the feature.
    6. Save to apply the configuration changes.
  3. Enable Advanced File Handling.
    1. Go to Configuration > NGFW and Prisma Access, set the Configuration Scope to Explicit Proxy, and select Setup.
    2. On the Setup tab, select Set Up Advanced Security Settings.
    3. Select the Enable Advanced File Handling checkbox to enable extended malware analysis to improve zero-day prevention.
    4. Save and Push Config to deploy your changes.
  4. Check your threat logs in Strata Cloud Manager.
    1. Select Incidents & Alerts > Log Viewer.
    2. For Log Type, choose Threat.
    3. Review entries where the action is block and the threat category is wildfire-virus to confirm that inline inspection blocked malicious files before delivery.

Advanced File Handling for Explicit Proxy (Panorama)

Configure Advanced File Handling in Panorama to enable WildFire inline inspection of files downloaded through Explicit Proxy.
  1. Configure the maximum latency for your WildFire Profile.
    1. Create a WildFire profile.
    2. On Panorama, go to Templates > Device > Content-ID, and select the settings icon of WildFire Inline Cloud Analysis.
    3. In the WildFire Inline Cloud Analysis section, configure the following settings:
      • Max Latency (ms) — Enter the maximum time, in milliseconds, to wait for a WildFire verdict before applying the max latency action. Configure Max latency to 300 seconds or 30000 ms.
      • Allow on Max Latency — Enable to allow files through when a verdict is not received within the max latency period. Disable to block files when the verdict is not received in time (fail-closed).
      • Log Traffic Not Scanned — Enable to generate log entries for files that the inspection pipeline does not analyze.
    4. Select OK to save the configuration.
  2. Enable inline cloud analysis.
    1. Go to Objects > Security Profiles > WildFire Analysis with the Device Group set to Explicit_Proxy_Device_Group.
    2. Add a new profile or edit an existing one.
    3. Select your WildFire Profile, select the Inline Cloud Analysis tab, and Enable cloud inline analysis. This activates the feature's core functionality. Configure the inline WildFire profile and select OK.
    4. Attach your WildFire Profile to a Profile Group. Profile groups apply security profiles consistently across multiple security policies.
    5. Attach your WildFire Profile to a Security Policy. This defines which traffic is subject to advanced file handling. For Agent proxies, select specific users to enable the feature.
    6. Save to apply the configuration changes.
  3. Enable Advanced File Handling.
    1. On Panorama, go to Cloud Services > Configuration > Mobile Users - Explicit Proxy, and then select the settings icon.
    2. Enable Advanced File Handling.
    3. Select the Advanced tab to enable the feature for extended malware analysis.
    4. Select the Enable Advanced File Handling checkbox to enable extended malware analysis to improve zero-day prevention, and select OK.
    5. Commit and Push to Explicit_Proxy_Device_Group.
  4. Check your threat logs in Panorama. Review entries where the action is block and the threat category is wildfire-virus to confirm that inline inspection blocked malicious files before delivery.
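
How the Max Latency and Allow on Max Latency settings combine with the hash lookup, static analysis and the 100 MB limit can be seen in a decision model. The following Python model is an added example, not Palo Alto Networks code: the `Settings`, `Download`, `decide` and `exposure` names, the sample downloads and their analysis times are constructed for illustration, and how files over 100 MB are delivered is not stated on this page.

```python
from dataclasses import dataclass
from typing import Optional

MAX_INLINE_SIZE = 100 * 1024 * 1024  # 100 MB inline inspection limit from the page

@dataclass
class Settings:
    max_latency_ms: int          # "Max Latency (ms)"
    allow_on_max_latency: bool   # "Allow on Max Latency"; False means fail-closed
    log_not_scanned: bool        # "Log Traffic Not Scanned"

@dataclass
class Download:                  # constructed record, not a product log format
    name: str
    size: int
    hash_verdict: Optional[str]  # verdict for a known hash, None if unknown
    sa_verdict: str              # what static analysis concludes for the file
    sa_ms: int                   # time static analysis needs (constructed)

def decide(dl: Download, cfg: Settings) -> tuple:
    """Return (action, reason) for one download held by the proxy."""
    if dl.size > MAX_INLINE_SIZE:
        # The page does not state how oversized files are delivered; the model
        # records only that they are not analyzed and whether that is logged.
        return ("not-inspected", "logged" if cfg.log_not_scanned else "silent")
    verdict = dl.hash_verdict
    if verdict is None:                    # unknown hash: wait for static analysis
        if dl.sa_ms > cfg.max_latency_ms:  # verdict misses the latency window
            action = "allow" if cfg.allow_on_max_latency else "block"
            return (action, "max-latency")
        verdict = dl.sa_verdict
    # Malicious: connection is reset. Benign: file is streamed to the client.
    return ("block", "malicious") if verdict == "malicious" else ("allow", "benign")

def exposure(downloads, cfg: Settings) -> list:
    """Names of malicious files that this configuration would deliver."""
    return [d.name for d in downloads
            if d.sa_verdict == "malicious" and decide(d, cfg)[0] == "allow"]

SAMPLES = [  # constructed inputs
    Download("known-bad.exe", 2_000_000, "malicious", "malicious", 0),
    Download("slow-unknown.dll", 40_000_000, None, "malicious", 45_000),
    Download("fast-unknown.js", 10_000, None, "malicious", 800),
    Download("report.pdf", 500_000, None, "benign", 1_200),
    Download("image.iso", 300 * 1024 * 1024, None, "benign", 0),
]

if __name__ == "__main__":
    for allow in (True, False):
        cfg = Settings(30_000, allow, True)  # constructed latency value
        print("allow_on_max_latency =", allow, "->", exposure(SAMPLES, cfg))
```

With Allow on Max Latency enabled, the one malicious sample whose analysis outlasts the latency window is delivered; with it disabled, the same file is blocked for the reason `max-latency`.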