Ensure a WildFire Analysis profile is enabled for all security policies

Details

Ensure that all files traversing the firewall are inspected by WildFire by setting a WildFire file blocking profile on all security policies.

Rationale:

Traffic matching security policies that do not include a WildFire file blocking profile will not utilize WildFire for file analysis. WildFire analysis is one of the key security measures available on this platform. Without WildFire analysis enabled, inbound malware can only be analyzed by signature, which industry-wide is roughly 40-60% effective. In a targeted attack, the success of signature-based-only analysis drops even further.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To Set File Blocking Profile:

Navigate to Objects > Security Profiles > WildFire Analysis Profile.

Create a WildFire profile that has ‘Application Any’, ‘File Types Any’, and ‘Direction Both’.

To Set WildFire Analysis Rules:

Navigate to Policies > Security.

For each Security Policy Rule where the action is ‘Allow’, navigate to Actions > Profile Setting > WildFire Analysis and set a WildFire Analysis profile.

Group Profiles can also be used. To take this approach:

Navigate to Objects > Security Profile Groups. Create a Security Profile Group, and ensure that (among other settings) the WildFire Analysis Profile is set to the created profile.

Navigate to Policies > Security. For each Security Policy Rule where the action is ‘Allow’, navigate to Actions > Profile Setting. Modify the Profile Type to Group, and set the Group Profile to the created Security Profile Group.
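
An offline check for the steps above, added here as an example (it is not from the benchmark or from Palo Alto Networks): it reads an exported configuration XML and lists ‘Allow’ rules that have no WildFire Analysis profile, either set directly or through a Security Profile Group. The sample configuration is constructed, and the element paths are assumed from the usual PAN-OS export layout; verify them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of an exported PAN-OS configuration.
# Element names and paths are assumptions; confirm them on your export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <profile-group>
    <entry name="pg-strict"><wildfire-analysis><member>wf-all</member></wildfire-analysis></entry>
    <entry name="pg-av-only"><virus><member>default</member></virus></entry>
  </profile-group>
  <rulebase><security><rules>
    <entry name="web-out"><action>allow</action>
      <profile-setting><profiles><wildfire-analysis><member>wf-all</member></wildfire-analysis></profiles></profile-setting></entry>
    <entry name="mail-in"><action>allow</action>
      <profile-setting><group><member>pg-strict</member></group></profile-setting></entry>
    <entry name="dns-out"><action>allow</action>
      <profile-setting><group><member>pg-av-only</member></group></profile-setting></entry>
    <entry name="legacy-any"><action>allow</action></entry>
    <entry name="block-bad"><action>deny</action></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def allow_rules_missing_wildfire(config_xml):
    """Return names of 'allow' rules with no WildFire Analysis profile,
    set either directly or through a Security Profile Group."""
    root = ET.fromstring(config_xml)
    # Profile groups that actually carry a WildFire Analysis profile.
    groups_with_wf = {
        entry.get("name")
        for pg in root.iter("profile-group")
        for entry in pg.findall("entry")
        if entry.findtext("wildfire-analysis/member")
    }
    missing = []
    for rule in root.findall(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # the control only covers 'Allow' rules
        direct = rule.findtext("profile-setting/profiles/wildfire-analysis/member")
        group = rule.findtext("profile-setting/group/member")
        # A group only counts if it includes a WildFire Analysis profile.
        if not direct and group not in groups_with_wf:
            missing.append(rule.get("name"))
    return missing

if __name__ == "__main__":
    for name in allow_rules_missing_wildfire(SAMPLE_CONFIG):
        print("non-compliant:", name)
```

The check confirms only that a profile is attached; whether that profile covers ‘Application Any’, ‘File Types Any’, and ‘Direction Both’ still has to be reviewed on the profile itself.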

Default Value:

Not Configured

References:

‘Wildfire Administrator’s Guide 9.0 (English)’ – https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin.html

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Palo_Alto.

Updated on July 16, 2022