Enable Advanced WildFire Inline Cloud Analysis
Focus
Focus
Advanced WildFire Powered by Precision AI™

Enable Advanced WildFire Inline Cloud Analysis

Table of Contents

Enable Advanced WildFire Inline Cloud Analysis

Inline Cloud Analysis for Advanced WildFire provides real-time advanced malware protection by leveraging the analysis capabilities of the Advanced WildFire Cloud.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
  • Advanced WildFire License
Palo Alto Networks Advanced WildFire operates a series of cloud-based ML detection engines that provide inline analysis of PE (portable executable) files traversing your network to detect and prevent advanced malware in real-time. As with other malicious content that WildFire detects, threats detected by Advanced WildFire Inline Cloud Analysis generate a signature that is then disseminated to customers through an update package, providing a future defense for all Palo Alto Networks customers.
The cloud-based engines enable the detection of never-before-seen malware (e.g., a Palo Alto Networks zero-day - malware previously unseen in the wild or by Palo Alto Networks) and block it from entering your environment. Advanced WildFire Inline Cloud Analysis uses a lightweight forwarding mechanism on the firewall to minimize performance impact. The cloud-based ML models are updated seamlessly, to address the ever-changing threat landscape without requiring content updates or feature release support.
Advanced WildFire Inline Cloud Analysis is enabled and configured through the WildFire Analysis profile and requires PAN-OS 11.1 or later with an active Advanced WildFire license.
  1. Install an updated firewall device certificate used to authenticate to the Advanced WildFire cloud analysis service. Repeat for all firewalls enabled for inline cloud analysis.
    This step is not necessary if you already installed the current version of the device certificate on your firewall.
  2. To enable Advanced WildFire Inline Cloud Analysis, you must have an active Advanced WildFire subscription. For more information, refer to: Licensing, Registration, and Activation.
    To verify subscriptions for which you have currently-active licenses, select DeviceLicenses and verify that the appropriate licenses are available and have not expired.
    If your current WildFire license has expired and you are installing an Advanced WildFire license, you must first remove the WildFire license from the NGFW before installing the Advanced WildFire license.
  3. Update or create a new WildFire Analysis Security profile to enable Advanced WildFire Inline Cloud Analysis.
    1. Select an existing WildFire Analysis Profile or Add a new one (ObjectsSecurity ProfilesWildFire Analysis).
    2. Select your WildFire analysis profile and then go to Inline Cloud Analysis and Enable cloud inline analysis.
    3. Specify a rule defining an action to take when Advanced WildFire Inline Cloud Analysis detects advanced malware.
      • Name—Enter a descriptive Name for any rules you add to the profile (up to 31 characters).
      • Application—Add application traffic to match against for which the rules defining the Inline Cloud ML actions are governed.
      • File Type—Select a File Type to be analyzed at the defined analysis destination for the rule.
        Only PE (portable executable) are supported at this time.
      • Direction—Apply the rule to traffic depending on the transmission Direction. You can apply the rule to download traffic.
      • Action—Configure the action to take when a threat is detected using Advanced WildFire Inline Cloud Analysis. You can allow the application traffic to continue to the destination or block traffic from either a source or a source-destination.
        Palo Alto Networks recommends setting the action to block for optimal security.
    4. Click OK to exit the WildFire Analysis Profile configuration dialog.
  4. Review the maximum file size that can be forwarded for analysis using Advanced WildFire Inline Cloud Analysis.
    Advanced WildFire Inline Cloud Analysis provides a fast WildFire verdict, however, a full report for a malicious sample is only available after the sample undergoes full dynamic analysis, which can take up to 30 minutes.
    1. Select DeviceSetupWildFireInline Cloud Analysis Settings and review the file size limits.
    2. Click OK to confirm your changes.
  5. Specify the network session information that the firewall forwards about a given sample. Palo Alto Networks uses session information to learn more about the context of the suspicious network event, indicators of compromise related to the malware, affected hosts and clients, and applications used to deliver the malware. These options are enabled by default.
    1. Select DeviceSetupWildFireInline Session Information Settings and select or clear the options as necessary.
      • Source IP—Forward the source IP address that sent the unknown file.
      • Source Port—Forward the source port that sent the unknown file.
      • Destination IP—Forward the destination IP address for the unknown file.
      • Destination Port—Forward the destination port for the unknown file.
      • Virtual System—Forward the virtual system that detected the unknown file.
      • Application—Forward the user application that transmitted the unknown file.
      • User—Forward the targeted user.
      • URL—Forward the URL associated with the unknown file.
      • Filename—Forward the name of the unknown file.
      • Email sender—Forward the sender of an unknown email link (the name of the email sender also appears in WildFire logs and reports).
      • Email recipient—Forward the recipient of an unknown email link (the name of the email recipient also appears in WildFire logs and reports).
      • Email subject—Forward the subject of an unknown email link (the email subject also appears in WildFire logs and reports).
    2. Click OK to confirm your changes.
  6. Configure the timeout latency and action to take when the request exceeds the max latency.
    1. Specify the action to take when latency limits are reached for Advanced WildFire Inline Cloud Analysis requests:
      • Max Latency (ms)—Specify the maximum acceptable processing time, in seconds, for Advanced WildFire Inline Cloud Analysis to return a result.
      • Allow on Max Latency—Enables the firewall to take the action of allow, when the maximum latency is reached. De-selecting this option sets the firewall action to block.
      • Log Traffic Not Scanned— Enables the firewall to log Advanced WildFire Inline Cloud Analysis requests that exhibit the presence of advanced malware, but have not been processed by the Advanced WildFire cloud.
    2. Click OK to confirm your changes.
  7. (Required when the firewall is deployed with an explicit proxy server) Configure the proxy server used to access the servers that facilitate requests generated by all configured inline cloud analysis features. A single proxy server can be specified and applies to all Palo Alto Networks update services, including all configured inline cloud and logging services.
    1. (PAN-OS 11.2.3 and later) Configure the proxy server through PAN-OS.
      1. Select Device Setup Services and edit the Services details.
      2. Specify the Proxy Server settings and Enable proxy for Inline Cloud Services. You can provide either an IP address or FQDN in the Server field.
        The proxy server password must contain a minimum of seven characters.
      3. Click OK.
    2. (PAN-OS 11.1.5 and later) Configure the proxy server through the firewall CLI.
      1. Configure the base proxy server settings using the following CLI commands:
        set deviceconfig system secure-proxy-server <FQDN_or_IP>
        set deviceconfig system secure-proxy-port <1-65535>
        set deviceconfig system secure-proxy-user <value>
        set deviceconfig system secure-proxy-password <value>
        The proxy server password must contain a minimum of seven characters.
      2. Enable the proxy server to send requests to the inline cloud service servers using the following CLI command:
        debug dataplane mica set inline-cloud-proxy enable
      3. View the current operational status of proxy support for inline cloud services using the following CLI command:
        debug dataplane mica show inline-cloud-proxy
        For example:
        debug dataplane mica show inline-cloud-proxy
        
        Proxy for Advanced Services is Disabled
  8. (Recommended) Configure the firewall to disable the client from fetching part of a file and subsequently starting a new session to fetch the rest of a file after the firewall terminates the original session due to detected malicious activity. This occurs when a web browser implements the HTTP Range option. While enabling Allow HTTP partial response provides maximum availability, it can also increase the risk of a successful cyberattack. Palo Alto Networks recommends disabling Allow HTTP partial response for maximum security.
    Allow HTTP partial response is a global setting and affects HTTP-based data transfers which use the RANGE header, which may cause service anomalies for certain applications. After you disable Allow HTTP partial response, validate the operation of your business-critical applications.
    1. Select DeviceSetupContent-IDContent-ID Settings.
    2. De-select Allow HTTP partial response and click OK.
  9. Commit your changes.