Hold Mode for WildFire Real-Time Signature Lookup
Hold mode enables you to hold a file transfer while the firewall queries the
real-time signature cloud to perform a signature lookup.
PAN-OS 11.0.2 now supports the option to hold a file transfer while the NGFW
queries the real-time signature cloud to perform a signature lookup. When the lookup
completes, the file is released to the requesting client based on your
organization's security policy for the specific WildFire verdict. This prevents the
initial transfer of known malware and so reduces the likelihood of a patient zero
outbreak. You can configure hold mode on a per-antivirus-profile basis and apply a
global setting for the signature lookup timeout and the action taken when that
timeout is exceeded. This feature is available to all users with an active
WildFire or Advanced WildFire subscription.
1. To enable hold mode for WildFire real-time signature lookups, you must have
   either a WildFire or Advanced WildFire subscription license. Activate the
   license on the NGFW if you have not done so already. To verify which
   subscriptions currently have active licenses, select Device > Licenses and
   confirm that the appropriate licenses are displayed and are not expired. The
   example below shows the description for the standard WildFire license.
2. Log in to the PAN-OS web interface.
3. Configure the timeout setting and the action taken when a request exceeds the
   timeout. You must enable hold mode for WildFire real-time signature lookups
   globally before you can enable it on a per-Antivirus profile basis.
   a. Select Device > Setup > Content-ID > Realtime Signature Lookup.
   b. Enable Hold for WildFire Real Time Signature Look Up.
   c. Specify the WildFire Real Time Signature Lookup Timeout (ms) in
      milliseconds (the default is 1000). Palo Alto Networks recommends keeping
      the default of 1000 ms unless you experience repeated timeouts during
      testing.
   d. Specify the Action On Real Time WildFire Signature Timeout. The default is
      Allow; however, Palo Alto Networks recommends setting this to Reset-Both
      when hold mode is enabled. The options are:
      - Allow—The NGFW allows the packets through when the hold timeout threshold is reached.
      - Reset-Both—The NGFW resets the connection on both the client and server ends when the hold timeout threshold is reached.
   e. Select OK when finished.
4. Update an existing Antivirus Security profile, or create a new one, to enable
   hold mode for WildFire real-time signature lookups.
   a. Select an existing antivirus security profile or Add a new one (Objects > Security Profiles > Antivirus).
   b. Select your antivirus security profile and then go to Action.
   c. Select Hold for WildFire Real Time Signature Look Up.
   d. Repeat steps 4a-4c for every active antivirus profile on which you want to enable hold mode for WildFire real-time signature lookups.
5. Commit your changes.
6. (Optional) View a summary of your antivirus security profile settings,
   including whether hold mode is enabled, on the antivirus summary view page.
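As an added illustration (not PAN-OS code and not taken from this page), the following Python models the decision that the settings above control: hold mode applies only when both the global switch and the profile switch are on, a lookup that completes within the timeout is handled according to the verdict, and a lookup that exceeds the timeout falls to the configured timeout action. The per-verdict policy, the sample transfers and their lookup latencies are constructed values.

```python
"""Constructed model of the hold-mode decision described above; not PAN-OS code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HoldConfig:
    global_hold: bool              # Device > Setup > Content-ID global switch
    profile_hold: bool             # Hold flag on the Antivirus profile
    timeout_ms: int = 1000         # global lookup timeout, default 1000 ms
    timeout_action: str = "allow"  # "allow" (default) or "reset-both" (recommended)


# Constructed stand-in for the organization's per-verdict security policy.
VERDICT_ACTION = {
    "benign": "allow",
    "grayware": "allow",
    "malicious": "reset-both",
    "phishing": "reset-both",
}


def decide(cfg: HoldConfig, verdict: str, lookup_ms: int) -> str:
    """Action for one transfer; verdict and lookup_ms are constructed inputs."""
    if not (cfg.global_hold and cfg.profile_hold):
        # Hold mode needs both switches. Otherwise the file is forwarded before
        # the verdict is known, so a known-malicious file reaches the client.
        return "allow"
    if lookup_ms > cfg.timeout_ms:
        # Lookup exceeded the global timeout: the timeout action applies.
        return cfg.timeout_action
    return VERDICT_ACTION[verdict]


def patient_zero_count(cfg: HoldConfig, transfers) -> int:
    """Number of known-bad transfers that still reach the client under cfg."""
    return sum(
        1 for verdict, ms in transfers
        if VERDICT_ACTION[verdict] == "reset-both" and decide(cfg, verdict, ms) == "allow"
    )


# Constructed transfers: (cloud verdict, lookup latency in ms).
SAMPLE_TRANSFERS = [("benign", 120), ("malicious", 300),
                    ("malicious", 1500), ("phishing", 800)]

if __name__ == "__main__":
    for label, cfg in [
        ("hold off", HoldConfig(global_hold=False, profile_hold=True)),
        ("hold on, timeout action allow", HoldConfig(True, True)),
        ("hold on, timeout action reset-both", HoldConfig(True, True, timeout_action="reset-both")),
    ]:
        print(f"{label}: {patient_zero_count(cfg, SAMPLE_TRANSFERS)} known-bad file(s) delivered")
```

The third configuration is the recommended one: with the timeout action left at Allow, a slow lookup on a known-malicious file still delivers it, which is why the page recommends Reset-Both when hold mode is enabled.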