WildFire Best Practices
- Follow the best practices for securing your network against Layer 4 and Layer 7 evasions so that content identification and analysis are reliable. Specifically, implement the best practices for TCP settings (Device > Setup > Session > TCP Settings) and Content-ID settings (Device > Setup > Content-ID > Content-ID Settings).
- Make sure that you also have an active Threat Prevention subscription. Together, WildFire and Threat Prevention enable comprehensive threat detection and prevention.
- If the firewall is configured to decrypt SSL traffic, enable the firewall to Forward Decrypted SSL Traffic for WildFire Analysis. Only a superuser can enable this option.
- Use the default WildFire Analysis profile to define the traffic the firewall should forward for WildFire analysis (Objects > Security Profiles > WildFire Analysis). The default WildFire Analysis profile ensures complete WildFire coverage for all traffic your security policy allows: it specifies that all supported file types across all applications are forwarded for WildFire analysis, regardless of whether the files are uploaded or downloaded. If you choose to create a custom WildFire Analysis profile, it is still a best practice to set the profile to forward any file type, so that the firewall automatically begins forwarding new file types as they become supported for WildFire analysis. For details on applying a WildFire Analysis profile to firewall traffic, review how to Forward Files for WildFire Analysis.
- While you are configuring the firewall to forward files for WildFire analysis, review the file Size Limit for all supported file types. Set the Size Limit for portable executables (PEs) to the maximum supported file size limit: 10 MB. Leave the Size Limit for all other file types set to the default limit. (Select Device > Setup > WildFire and edit the General Settings to adjust file size limits by file type. Click the Help icon to find the default size limit for each file type.)
About the Default File Size Limits for WildFire Forwarding
The default file size limits on the firewall are designed to include the large majority of malware in the wild (which is smaller than the default size limits) and to exclude large files that are very unlikely to be malicious and that consume WildFire forwarding capacity. Because the firewall reserves a specific capacity for forwarding files to WildFire, forwarding high numbers of large files can cause the firewall to skip forwarding some files. This can occur when the maximum file size limit is configured for a file type that traverses the firewall at a high rate; in that case a potentially malicious file might not be forwarded for WildFire analysis. Weigh this possibility before you increase the size limit for any file type other than PEs beyond its default.
[Graph not reproduced: a representative illustration of the distribution of malware file sizes, as observed by the Palo Alto Networks threat research team.]
The firewall's default file size settings can be increased to the maximum file size setting to gain a relatively small increase in the malware catch rate for each file type. If you are specifically concerned about uncommonly large malicious files, you might want to increase the file size limits beyond the default settings. In these cases, the following settings are recommended to catch rare, very large malicious files. Select Device > Setup > WildFire and edit General Settings to adjust the Size Limit for each file type:
- pe—10 MB
- apk—30 MB
- pdf—1,000 KB
- ms-office—2,000 KB
- jar—5 MB
- flash—5 MB
- MacOSX—1 MB
- archive—10 MB
- linux—2 MB
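The list above mixes MB and KB, which makes it easy to misread a limit when you audit a firewall against it. The following script is an added example, not Palo Alto Networks code: it normalises both the recommended values and the values found in an exported configuration to kilobytes and reports each file type as ok, below the recommendation, or missing. The XML layout (a file-size-limit element holding one entry per file type with a size-limit child) and the sample configuration are constructed for this example; adapt the element path to the real exported config of your PAN-OS release before relying on it.

```python
"""Audit WildFire file-size limits against the recommended values listed above.

Added example, not from the Palo Alto Networks documentation. The XML layout
and SAMPLE_CONFIG below are constructed stand-ins for an exported firewall
configuration; the element path is an assumption, not a documented schema.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Recommended limits for rare, very large malicious files, copied from the list
# above exactly as the page states them (note the mixed MB / KB units).
RECOMMENDED = {
    "pe": "10 MB",
    "apk": "30 MB",
    "pdf": "1,000 KB",
    "ms-office": "2,000 KB",
    "jar": "5 MB",
    "flash": "5 MB",
    "MacOSX": "1 MB",
    "archive": "10 MB",
    "linux": "2 MB",
}

_KB_PER_UNIT = {"KB": 1, "MB": 1024}


def parse_size_kb(text: str) -> int:
    """Convert '1,000 KB' or '10 MB' to a kilobyte count so mixed units compare."""
    m = re.fullmatch(r"\s*([\d,]+)\s*(KB|MB)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1).replace(",", "")) * _KB_PER_UNIT[m.group(2).upper()]


# Constructed sample: a firewall whose PE and PDF limits were left too low and
# which has no explicit entry for MacOSX files at all.
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><setting><wildfire>
      <file-size-limit>
        <entry name="pe"><size-limit>2 MB</size-limit></entry>
        <entry name="apk"><size-limit>30 MB</size-limit></entry>
        <entry name="pdf"><size-limit>500 KB</size-limit></entry>
        <entry name="ms-office"><size-limit>2,000 KB</size-limit></entry>
        <entry name="jar"><size-limit>5 MB</size-limit></entry>
        <entry name="flash"><size-limit>5 MB</size-limit></entry>
        <entry name="archive"><size-limit>10 MB</size-limit></entry>
        <entry name="linux"><size-limit>2 MB</size-limit></entry>
      </file-size-limit>
    </wildfire></setting></deviceconfig>
  </entry></devices>
</config>
"""


def configured_limits(xml_text: str) -> dict[str, int]:
    """Read every file-size-limit entry from the (assumed) config layout, in KB."""
    root = ET.fromstring(xml_text)
    limits: dict[str, int] = {}
    for entry in root.findall(".//file-size-limit/entry"):
        size = entry.findtext("size-limit")
        if size is not None:
            limits[entry.get("name", "")] = parse_size_kb(size)
    return limits


def audit(config_kb: dict[str, int], recommended: dict[str, str] = RECOMMENDED) -> dict[str, str]:
    """Return 'ok', 'below' or 'missing' for each recommended file type."""
    report: dict[str, str] = {}
    for file_type, rec_text in recommended.items():
        if file_type not in config_kb:
            report[file_type] = "missing"
        elif config_kb[file_type] < parse_size_kb(rec_text):
            report[file_type] = "below"
        else:
            report[file_type] = "ok"
    return report


def findings(config_kb: dict[str, int]) -> list[str]:
    """Only the file types that need attention, sorted for stable output."""
    return sorted(t for t, status in audit(config_kb).items() if status != "ok")


if __name__ == "__main__":
    limits = configured_limits(SAMPLE_CONFIG)
    for file_type, status in audit(limits).items():
        print(f"{file_type:10} {status:8} configured={limits.get(file_type, '-')} KB  recommended={RECOMMENDED[file_type]}")
```

Run it against the sample and the report flags pe and pdf as below the recommended value and MacOSX as missing, while the remaining types pass. Before raising a non-PE limit on a busy firewall, remember the capacity caveat above: a high rate of large files of that type can cause other files to be skipped.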