Device > Setup > Content-ID
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Device > Setup > Content-ID
Configure the Content-ID settings on your firewall.
Use the Content-ID™ tab to define
settings for URL filtering, data protection, and container pages.
Content-ID Settings | Description |
---|---|
URL Filtering | |
URL Continue Timeout | Specify the interval following a user's Continue action
before the user must press continue again for URLs in the same category
(range is 1 to 86,400 minutes; default is 15). |
URL Admin Override Timeout | Specify the interval after the user enters
the Admin Override password before the user
must re-enter that password for URLs in the same category (range
is 1 to 86,400 minutes; default is 15). |
Hold Client Request for Category Lookup | Enable this option to specify that when
the firewall cannot find category information for a URL in its local
cache, it holds the web request as it queries PAN-DB. This option is disabled by default. Enable it as part
of a best practice URL Filtering
profile. |
Append Trailing Slash | Enable the firewall to append a trailing
slash (/) to domain entries (for example, paloaltonetworks.com)
in custom URL categories and external dynamic lists of URL List
type that do not end in a trailing slash or asterisk wildcard
(*). The trailing slash limits the URLs that the firewall
considers a match to the entry and on which it can enforce URL filtering
policy rules.
URL Category Exceptions
describes the trailing slash in more detail and includes URL list
formatting guidelines. This option is enabled by default. |
Category Lookup Timeout (sec) | Specify the amount of time, in seconds,
that the firewall will try to look up the category for a URL before
determining that the category is not-resolved (range
is 1 to 60 seconds; default is 2). |
URL Admin Lockout Timeout | Specify the period of time that a user is
locked out from attempting to use the URL Admin Override password
after three unsuccessful attempts (range is 1 to 86,400 minutes;
default is 30). |
PAN-DB Server (Required for connecting
to a private PAN-DB server) | Specify the IPv4 address, IPv6 address,
or FQDN for the private PAN-DB servers on your network. You can
add up to 20 entries. The firewall connects to the public
PAN-DB cloud by default. The private PAN-DB solution is for enterprises
that do not allow firewalls to directly access the PAN-DB servers
in the public cloud. The firewalls access the servers included in
this PAN-DB server list for the URL database, URL updates, and URL
lookups for categorizing web pages. |
URL Admin Override | |
Settings for URL Admin Override | For each virtual system that you want to
configure for URL admin override, Add and
specify the settings that apply when a URL Filtering profile blocks
a page and the Override action is specified.
For details, see Objects
> Security Profiles > URL Filtering.
You can also Delete an
entry. |
HTTP/2 Settings | |
Connection Logging | Enables the firewall to log HTTP/2 connection
sessions as tunnel inspection log entries. |
Content Cloud Settings | |
Service URL | The Cloud-Delivered Security Services server
URL.
Various Palo Alto Networks cloud-based services operating on the NGFW
use the specified FQDN to facilitate service requests. The default
FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then
resolves to the nearest cloud services server. You can override the
automatic server selection by specifying a regional content cloud
server that best meets your data residency and performance
requirements. Keep in mind, the content cloud FQDN is a globally
used resource and affects how other services that rely on this
connection sends traffic payloads.
Refer to the documentation for specific products for more information
on available regional cloud content server options. |
URL Inline Cloud Categorization | |
Max Latency (sec) | Specify the maximum acceptable processing
time, in seconds, for Inline Cloud Categorization to return a result. |
Allow on Max Latency | Enables the firewall to take the action
of allow, when the maximum latency is reached. De-selecting this
option sets the firewall action to block. |
Log Traffic Not Scanned | Enables the firewall to log URL categorization
requests that exhibit the presence of certain advanced webpage threats,
but have not been processed by Inline Cloud Categorization. |
WildFire Inline Cloud Analysis
| |
Max Latency (ms)
|
Specify the maximum acceptable processing time, in milliseconds, for
Advanced WildFire Inline Cloud Analysis to return a result. The
range is 1 to 240,000 ms; the default is 30,000 ms.
|
Allow on Max Latency
|
Enables the firewall to take the action of allow, when the maximum
latency is reached. De-selecting this option sets the firewall
action to block.
|
Log Traffic Not Scanned
|
Enables the firewall to log Advanced WildFire Inline Cloud Analysis
requests that exhibit the appearance of malware, but have not yet
been processed.
|
Content-ID Settings | |
Allow Forwarding of Decrypted Content | Enable this option to configure the firewall
to forward decrypted content to an outside service when port mirroring
or sending WildFire® files for analysis. Enable
this option and send all unknown files in decrypted traffic to WildFire
for analysis. For a firewall with multiple virtual
system (multi-vsys) capability, you enable this option individually
for each virtual system. Select DeviceVirtual Systems and select
the virtual system on which you want to enable forwarding of decrypted
content. This option is available in the Virtual System dialog. |
Extended Packet Capture Length | Set the number of packets to capture when
the extended-capture option is enabled in Anti-Spyware and Vulnerability Protection
profiles (range is 1 to 50; default is 5). |
Forward Segments Exceeding TCP App-ID™ Inspection Queue | Enable this option to forward segments and
classify an application as unknown-tcp when
the App-ID queue exceeds the 64-segment limit. Use the following
global counter to view the number of segments exceeding the queue
limit, regardless of whether you enabled or disabled this option: appid_exceed_queue_limit Disable
this option to prevent the firewall from forwarding TCP segments
and skipping App-ID inspection when the App-ID inspection queue
is full. This option is disabled by
default and should remain disabled for maximum security. When
you disable this option, you may notice increased latency on streams
where more than 64 segments await App-ID processing. |
Forward Segments Exceeding TCP Content Inspection Queue | Enable this option to forward TCP segments
and skip content inspection when the TCP content inspection queue
is full. The firewall can queue up to 64 segments while waiting
for the content engine. When the firewall forwards a segment and
skips content inspection due to a full content inspection queue,
it increments the following global counter: ctd_exceed_queue_limit Disable
this option to prevent the firewall from forwarding TCP segments
and skipping content inspection when the content inspection queue
is full. When you disable this option, the firewall drops any segments
that exceed the queue limit and increments the following global
counter: ctd_exceed_queue_limit_drop This
pair of global counters applies to both TCP and UDP packets. If,
after viewing the global counters, you decide to change the setting,
you can modify it from within your CLI using the following command: set
deviceconfig setting ctd tcp-bypass-exceed-queue This option is enabled by default, but Palo
Alto Networks recommends that you disable this option for maximum
security. However, due to TCP retransmissions for dropped traffic,
disabling this option can result in performance degradation and loss
of functionality for some applications—particularly in high-volume traffic
environments. |
Forward Datagrams Exceeding UDP Content
Inspection Queue | Enable this option to forward UDP datagrams
and skip content inspection when the UDP content inspection queue
is full. The firewall can queue up to 64 datagrams while waiting
for a response from the content engine. When the firewall forwards
a datagram and skips content inspection due to a UDP content inspection
queue overflow, it increments the following global counter: ctd_exceed_queue_limit Disable
this option to prevent the firewall from forwarding datagrams and
skipping content inspection when the UDP content inspection queue
is full. With this option disabled, the firewall drops any datagrams
that exceed the queue limit and increments the following global
counter: ctd_exceed_queue_limit_drop This
pair of global counters applies to both TCP and UDP packets. If,
after viewing the global counters, you decide to change the setting,
you can modify it from within the CLI using the following command: set
deviceconfig setting ctd udp-bypass-exceed-queue This option is enabled by default, but Palo
Alto Networks recommends that you disable this option for maximum
security. However, due to dropped packets, disabling this option
can result in performance degradation and loss of functionality for
some applications—particularly in high-volume traffic environments. |
Allow HTTP partial response | Enable this HTTP partial response option
to enable a client to fetch only part of a file. When a next-generation
firewall in the path of a transfer identifies and drops a malicious
file, it terminates the TCP session with an RST packet. If the web
browser implements the HTTP Range option, it can start a new session
to fetch only the remaining part of the file. This prevents the
firewall from triggering the same signature again due to the lack
of context into the initial session while, at the same time, allows
the web browser to reassemble the file and deliver the malicious
content; to prevent this, make sure to disable this option. Allow HTTP partial response is
enabled on the firewall by default. This provides maximum availability
but increases the risk of a successful cyberattack. For maximum
security, disable this option to prevent the web browser from starting
a new session to fetch the rest of a file after the firewall terminates
the original session due to malicious activity. Disabling HTTP partial
response affects HTTP-based data transfers which use the RANGE header,
which may cause service anomalies for certain applications. After
you disable HTTP partial response, validate the operation of your
business-critical applications. If you experience HTTP data
transfer disruption on a business-critical application, you can
create an Application Override policy for that specific application.
Because Application Override bypasses App-ID (including threat and
content inspection), create an Application Override policy for only
the specific business-critical application, and specify sources
and destinations to limit the rule (principle of least privilege
access). Do not create Application Override policy unless you must.
For information about Application Override policies, refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0. |
Real-Time Signature Lookup | |
DNS Signature Lookup Timeout (ms) | Specify the duration of time, in milliseconds,
for the firewall to query the DNS Security service. If the cloud
does not respond before the end of the specified period, the firewall
releases the associated DNS response to the requesting client (range
is 0 to 60,000; default is 100). |
Hold for WildFire Real Time Signature Look Up
|
Enables the option to use WildFire real time signature lookup hold
mode on a per-antivirus profile basis.
This option alone does not enable WildFire
real time signature lookup hold mode; you must additionally enable
Hold for WildFire Real Time Signature Look
Up within a specific antivirus security
profile. |
WildFire Real Time Signature Lookup Timeout (ms) | Specify the duration of time, in milliseconds, for the firewall to query the real time signature
cloud for real time signature lookups. If the real time signature
cloud does not respond before the end of the specified period, the
firewall applies the user-specified Action On Real Time
WildFire Signature Timeout to the requesting client
(range is 1000 to 5000; default is 1000). |
Action On Real Time WildFire Signature Timeout | Specify the action to take when the signature lookup exceeds the configured WildFire
Real Time Signature Lookup Timeout setting:
|
X-Forwarded-For Headers | |
Use X-Forwarded-For Header | You cannot enable X-Forwarded-For
for User-ID and Security Policy at the same time.
|
Strip-X-Forwarded-For Header | Enable this option to remove the X-Forwarded-For
(XFF) header, which contains the IP address of a client requesting
a web service when the firewall is deployed between the internet
and a proxy server. The firewall zeroes out the header value before
forwarding the request: the forwarded packets don’t contain internal
source IP information. Enabling this option does not
disable the use of XFF headers for user attribution in policies;
the firewall zeroes out the XFF value only after using it for user
attribution. When you enable
the use of XFF headers in User-ID, also enable stripping the XFF
header before forwarding the packet to protect user privacy without
losing the ability to track users. Enabling both options allows
you to log and track original user IP addresses while at the same
time protecting user privacy by not forwarding their original IP
address. |
Content-ID Features | |
Manage Data Protection | Add additional protection for access to
logs that may contain sensitive information, such as credit card
or social security numbers. Click Manage Data Protection to perform
the following tasks:
|
Container Pages | Use these settings to specify the types
of URLs that the firewall tracks or logs based on content type,
such as application/pdf, application/soap+xml, application/xhtml+,
text/html, text/plain, and text/xml. Container pages are set per
virtual system, which you select from the Location drop-down.
If a virtual system does not have an explicit container page defined,
the firewall uses the default content types. Add and
enter a content type or select an existing content type. Adding
new content types for a virtual system overrides the default list
of content types. If there are no content types associated with
a virtual system, the default list of content types is used. |
Threat Prevention Inline Cloud
Analysis | |
Max Latency (ms) | Specify the maximum processing time, in milliseconds, for Advanced Threat Prevention Inline Cloud
Analysis to return a result. |
Allow on Max Latency | Enables the firewall to take the action
of allow, when the maximum latency is reached. De-selecting this
option sets the firewall action to block. |
Log Traffic Not Scanned | Enables the firewall to log traffic requests
that exhibit anomalous traits indicating the presence of advanced
and evasive command-and-control (C2) threats, but have not been
processed by Threat Prevention Inline Cloud analyzers. |
Advanced DNS Security
| |
Max Latency (ms)
|
Specify the maximum processing time, in milliseconds, for Advanced
DNS Security to return a result. The range is 0 to 15,000 ms; the
default is 100 ms.
If the Advanced DNS Security cloud does not respond before
the end of the specified period, the firewall releases the
associated DNS response to the requesting client. |