For Prisma Access, this is usually included with your Prisma Access license.
Prisma Access users—Refer to the Prisma Access for product-specific information about the user interface.
Follow the best practices to secure your network from Layer 4 and Layer 7 evasions to ensure reliable content identification and analysis. Specifically, make sure that you implement the best practices for TCP settings (Device > Setup > Session > TCP Settings) and Content-ID™ settings (Device > Setup > Content-ID > Content-ID Settings). Also make sure that you have an active Threat Prevention subscription. Together, Advanced WildFire® and Threat Prevention enable comprehensive threat detection and prevention.
Download and install content updates on a daily basis to receive the latest product updates and threat protections generated by Palo Alto Networks. Review the instructions for installing content and software updates for more information about what is included in the update packages.
If you are running PAN-OS 10.0 or later, configure your firewall to retrieve Advanced WildFire signatures in real time. This provides access to newly discovered malware signatures as soon as the Advanced WildFire public cloud can generate them, preventing successful attacks by minimizing your exposure time to malicious activity.
Use the default WildFire Analysis profile to define the traffic that the firewall should forward for analysis (Objects > Security Profiles > WildFire Analysis). The default WildFire Analysis profile ensures complete coverage for all traffic that your Security policy allows—it specifies that all supported file types across all applications are forwarded for Advanced WildFire analysis regardless of whether the files are uploaded or downloaded.
If you choose to create a custom WildFire Analysis profile, it is a best practice to still set the profile to forward any file type. This enables the firewall to automatically begin forwarding file types as they become supported for analysis.
WildFire Action settings in the Antivirus profile may impact traffic if the traffic generates an Advanced WildFire signature that results in a reset or a drop action. You can exclude internal traffic, such as software distribution applications through which you deploy custom-built programs, to transition safely to best practices, because Advanced WildFire may identify custom-built programs as malicious and generate a signature for them. Check Monitor > Logs > WildFire Submissions to see whether any internal custom-built programs trigger Advanced WildFire signatures.
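As an added example (not from the Palo Alto Networks documentation), the following Python script triages a constructed CSV export of the WildFire Submissions log for the case described above: non-benign verdicts on internal-to-internal software distribution traffic, which are the entries to review before a reset or drop action is enforced. The column names, App-ID names and address ranges are assumptions for the example; check them against your own export.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample export of Monitor > Logs > WildFire Submissions.
# Column names are assumed for this example, not taken from a real export.
SAMPLE_CSV = """receive_time,src,dst,app,filename,filetype,verdict,action
2024/01/05 10:01:02,10.20.30.5,10.20.40.7,ms-update,inventory-agent.exe,pe,malware,reset-both
2024/01/05 10:03:14,10.20.30.5,10.20.40.9,ms-update,inventory-agent.exe,pe,malware,reset-both
2024/01/05 10:05:41,203.0.113.10,10.20.40.7,web-browsing,invoice.pdf,pdf,malware,reset-both
2024/01/05 10:07:09,10.20.30.5,10.20.40.7,ms-update,patch-bundle.msi,pe,benign,allow
2024/01/05 10:09:55,10.20.40.9,198.51.100.8,ssl,report.docx,ms-office,grayware,alert
"""

# RFC 1918 ranges; widen to whatever your address plan actually uses.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# App-IDs that carry internally built software; assumed names for this example.
DISTRIBUTION_APPS = {"ms-update", "sccm"}
NON_BENIGN = {"malware", "grayware", "phishing"}


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_internal_hits(csv_text: str) -> dict:
    """Group non-benign verdicts on internal-to-internal distribution traffic by file name.

    Returns {filename: {"count": n, "verdict": v, "sources": set()}} so each
    candidate for an exclusion review appears once, with its hit count.
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["verdict"] not in NON_BENIGN:
            continue  # benign files need no review
        if row["app"] not in DISTRIBUTION_APPS:
            continue  # only software distribution apps are in scope here
        if not (is_internal(row["src"]) and is_internal(row["dst"])):
            continue  # internet-facing traffic must keep the enforced action
        entry = hits.setdefault(row["filename"], {"count": 0, "verdict": row["verdict"], "sources": set()})
        entry["count"] += 1
        entry["sources"].add(row["src"])
    return hits


if __name__ == "__main__":
    for name, info in find_internal_hits(SAMPLE_CSV).items():
        print(f"{name}: {info['verdict']} x{info['count']} from {sorted(info['sources'])}")
```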
While you are configuring the firewall to Forward Files for Advanced WildFire Analysis, review the file Size Limit for all supported file types. Set the Size Limit for all file types to the default limits. (Select Device > Setup > WildFire and edit the General Settings to adjust file size limits based on file type. You can view the Help information to find the default size limit for each file type.)
About the Default File Size Limits for WildFire Forwarding
The default file size limits on the firewall are designed to include the majority of malware in the wild (which is smaller than the default size limits) and to exclude large files that are very unlikely to be malicious and that can impact WildFire file-forwarding capacity. Because the firewall has a specific capacity reserved to forward files for Advanced WildFire analysis, forwarding high numbers of large files can cause the firewall to skip forwarding of some files. This condition occurs when the maximum file size limits are configured for a file type that is traversing the firewall at a high rate. In this case, a potentially malicious file might not get forwarded for Advanced WildFire analysis. Consider this possible condition if you would like to increase the size limit for files other than PEs beyond their default size limit.
The following graph is a representative illustration of the distribution of file sizes for malware as observed by the Palo Alto Networks threat research team. You can increase the firewall default file size settings to the maximum file size setting to gain a relatively small increase in the malware catch rate for each file type.
If you are concerned specifically about uncommonly large malicious files, then you can increase file size limits beyond the default settings. In these cases, the following settings are recommended to catch rare, very large malicious files.
Select Device > Setup > WildFire and edit General Settings to adjust the Size Limit for each file type:
File Type
PAN-OS 9.0 and later File-Forwarding Maximum Size Recommendations
PAN-OS 8.1 File-Forwarding Maximum Size Recommendations