1. Home
    2. WildFire
    3. WildFire® Administrator's Guide
    4. WildFire Deployment Best Practices
    5. WildFire Best Practices

    WildFire Best Practices

    • Follow the best practices to secure your network from Layer 4 and Layer 7 evasions to ensure reliable content identification and analysis. Specifically, make sure to implement the best practices for TCP settings (
      Device
      Setup
      Session
      TCP Settings
      ) and Content-ID™ settings (
      Device
      Setup
      Content-ID
      Content-ID Settings
      ).
    • Make sure that you also have an active Threat Prevention subscription. Together, WildFire® and Threat Prevention enable comprehensive threat detection and prevention.
    • Download and install content updates on a daily basis to receive the latest product updates and threat protections generated by Palo Alto Networks. Refer to Install Content and Software Updates for more information about what is included in the update packages.
    • If the firewall is configured to decrypt SSL traffic, enable the firewall to
      Forward Decrypted SSL Traffic for WildFire Analysis
       (PAN-OS 8.1, PAN-OS 9.0, PAN-OS 9.1). Only a superuser can enable this option.
    • Use the default WildFire Analysis profile to define the traffic that the firewall should forward for WildFire analysis (
      Objects
      Security Profiles
      WildFire Analysis
      ). The default WildFire Analysis profile ensures complete WildFire coverage for all traffic that your Security policy allows—it specifies that all supported file types across all applications are forwarded for WildFire analysis regardless whether the files are uploaded or downloaded.
      If you choose to create a custom WildFire Analysis profile, it is a best practice to still set the profile to forward
      any
       file type. This enables the firewall to automatically begin forwarding file types as they become supported for WildFire analysis.
      For details on applying a WildFire Analysis profile to firewall traffic, review how to
      Forward Files for WildFire Analysis
       (PAN-OS 8.1, PAN-OS 9.0, PAN-OS 9.1).
      WildFire Action settings in the Antivirus profile may impact traffic if the traffic generates a WildFire signature that results in a reset or a drop action. You can exclude internal traffic, such as software distribution applications through which you deploy custom-built programs, to transition safely to best practices because WildFire may identify custom-built programs as malicious and generate a signature for them. Check
      Monitor
      Logs
      WildFire Submissions
       to see if any internal custom-built programs trigger WildFire signatures.
    • While you are configuring the firewall to forward files for WildFire analysis (PAN-OS 8.1, PAN-OS 9.0, PAN-OS 9.1), review the file
      Size Limit
       for all supported file types. Set the
      Size Limit
       for all file types to the default limits. (Select
      Device
      Setup
      WildFire
       and edit the General Settings to adjust file size limits based on file type. You can view the Help information to find the default size limit for each file type).
      About the Default File Size Limits for WildFire Forwarding
      The default file size limits on the firewall are designed to include the large majority of malware in the wild (which is smaller than the default size limits) and to exclude large files that are very unlikely to be malicious and can impact WildFire file-forwarding capacity. Because the firewall has a specific capacity reserved to forward files for WildFire analysis, forwarding high numbers of large files might cause the firewall to skip forwarding some files. This condition can occur when the maximum file size limits are configured for a file type that is traversing the firewall at a high rate. In this case, a potentially malicious file might not be forwarded for WildFire analysis. Consider this possible condition if you would like to increase the size limit for files other than PEs beyond their default size limit.
      The following graph is a representative illustration of the distribution of file sizes for malware as observed by the Palo Alto Networks threat research team. The firewall default file size settings can be increased to the maximum file size setting to gain a relatively small increase in the malware catch rate for each file type.
      Recommended File Size Limits to Catch Uncommonly Large Malicious Files
      malware-count-versus-file-size.png
      If you are concerned specifically about uncommonly large malicious files, then you can increase file size limits beyond the default settings. In these cases, the following settings are recommended to catch rare, very large malicious files.
      Select
      Device
      Setup
      WildFire
       and edit General Settings to adjust the
      Size Limit
       for each file type:
      File Type
      PAN-OS 9.0/9.1 File-Forwarding Maximum Size Recommendations
      PAN-OS 8.1 File-Forwarding Maximum Size Recommendations
      PAN-OS 8.0 File-Forwarding Maximum Size Recommendations
      pe
      16MB
      10MB
      10MB
      apk
      10MB
      10MB
      10MB
      pdf
      3,072KB
      500KB
      500KB
      ms-office
      16,384KB
      500KB
      500KB
      jar
      5MB
      5MB
      5MB
      flash
      5MB
      5MB
      5MB
      MacOSX
      10MB
      1MB
      1MB
      archive
      50MB
      10MB
      10MB
      linux
      50MB
      10MB
      10MB
      script
      20KB
      20KB

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo