How can I check if WildFire is being used to its full potential?

Created On 12/21/20 19:37 PM - Last Modified 02/05/25 22:05 PM


Question


How can I check if WildFire is being used to its full potential?



Environment


  • Palo Alto Networks firewall
  • Wildfire


Answer


  1. Have a valid WildFire license implemented in the firewall.

  2. Run PAN-OS 10.0 to take advantage of WildFire Inline ML and Real Time signatures.

  3. Select your WildFire Dynamic Updates to happen Real-Time. If not in 10.0 yet, set them to download-and-install every minute.

  4. Select all WildFire Actions to reset-both in the Antivirus profile.

  5. Select all Inline ML Actions to reset-both in the Antivirus profile.

  6. Enable the Inline ML module for the available Machine Learning models (currently there are a PE model and two PowerShell models).

  7. Make sure that SSL Decryption (Forward Proxy) and HTTP/2 inspection are implemented.

  8. Block the application 'quic' at the top of your security policy set.

  9. With Decryption enabled, make sure to Forward data from Decrypted Content (You can find this in Content-ID settings under Setup in the Device tab), otherwise files extracted from a decrypted session won't be forwarded to the WildFire Cloud.

  10. If you have an SMTP server, disable the STARTTLS extension in your mail server to prevent opportunistic TLS from bypassing detection with encryption, or extract the certificate and the private key from your mail server, import them into your firewall's certificate store, and then set up SSL Inbound Inspection on incoming SMTP traffic.

  11. The CTD inspection queue can be full at the moment inspection is required, which causes traffic to pass uninspected and detections to be skipped. To prevent this, the following options should be unchecked under Device > Setup > Content-ID > Content-ID Settings:

    1. Forward segments exceeding TCP content inspection queue (uncheck)

    2. Forward datagrams exceeding UDP content inspection queue (uncheck)

  12. Set the WildFire file sizes to recommended best practice values.
  13. Evaluate whether there are file types that should not be forwarded to the public cloud, and exclude them from forwarding in the WildFire Analysis Profile.
  14. Evaluate whether HTTP Range requests (download resumption) should be allowed; if not, disable them from Content-ID settings under Setup in the Device tab (although this can cause issues with http-video applications). The checkbox is called "Allow HTTP Partial Response". If a download that the firewall blocked is resumed at an offset, the client will complete the download undeterred. In general I advise against disabling it, as antivirus in the firewall should be considered a best-effort solution (and you may not want to impact http-video traffic).
  15. If the daily volume of malicious detections is manageable, consider configuring Log Forwarding to Email alerts for malicious WildFire detections. A similar option is sourcing alerts from the WildFire portal.
  16. Make sure that DSRI is not configured in the Security Policy.
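Several of the steps above can be verified against an exported PAN-OS configuration rather than by clicking through the GUI. The following auditor is an added example, not part of the article or a Palo Alto Networks tool: it parses a constructed sample config and reports violations of steps 4, 5, 9, 11 and 16. The element names (`ctd`, `allow-forward-decrypted-content`, `tcp-bypass-exceed-queue`, `wildfire-action`, `mlav-action`, `disable-server-response-inspection`) follow the PAN-OS config schema as I recall it and should be treated as assumptions to check against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS config export, not taken from the article.
# Element names follow the PAN-OS config schema as I recall it (e.g. mlav-action
# for the Inline ML action); treat them as assumptions and verify against your export.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><setting><ctd>
    <allow-forward-decrypted-content>yes</allow-forward-decrypted-content>
    <tcp-bypass-exceed-queue>yes</tcp-bypass-exceed-queue>
    <udp-bypass-exceed-queue>no</udp-bypass-exceed-queue>
  </ctd></setting></deviceconfig>
  <vsys><entry name="vsys1">
    <profiles><virus><entry name="strict-av"><decoder>
      <entry name="http"><wildfire-action>reset-both</wildfire-action><mlav-action>reset-both</mlav-action></entry>
      <entry name="smtp"><wildfire-action>alert</wildfire-action><mlav-action>reset-both</mlav-action></entry>
    </decoder></entry></virus></profiles>
    <rulebase><security><rules><entry name="allow-web">
      <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
    </entry></rules></security></rulebase>
  </entry></vsys>
</entry></devices></config>"""

def audit_wildfire_config(xml_text):
    """Return one finding string per checklist item the config violates."""
    root = ET.fromstring(xml_text)
    findings = []
    ctd = root.find("./devices/entry/deviceconfig/setting/ctd")

    def ctd_is(tag, want):
        el = ctd.find(tag) if ctd is not None else None
        return el is not None and (el.text or "").strip() == want

    # Step 9: decrypted content must be forwarded, or decrypted files never reach WildFire.
    if not ctd_is("allow-forward-decrypted-content", "yes"):
        findings.append("ctd: allow-forward-decrypted-content is not 'yes'")
    # Step 11: traffic exceeding the CTD queue must not be forwarded uninspected.
    for tag in ("tcp-bypass-exceed-queue", "udp-bypass-exceed-queue"):
        if ctd_is(tag, "yes"):
            findings.append(f"ctd: {tag} is 'yes' (should be unchecked)")
    # Steps 4 and 5: every decoder's WildFire and Inline ML action should be reset-both.
    for prof in root.iterfind("./devices/entry/vsys/entry/profiles/virus/entry"):
        for dec in prof.iterfind("./decoder/entry"):
            for tag in ("wildfire-action", "mlav-action"):
                if dec.findtext(tag) != "reset-both":
                    findings.append(f"av profile {prof.get('name')}/{dec.get('name')}: {tag} != reset-both")
    # Step 16: DSRI skips inspection of server-to-client data and must not be set on any rule.
    for rule in root.iterfind("./devices/entry/vsys/entry/rulebase/security/rules/entry"):
        if rule.findtext("./option/disable-server-response-inspection") == "yes":
            findings.append(f"rule {rule.get('name')}: DSRI enabled")
    return findings
```

Running `audit_wildfire_config(SAMPLE_CONFIG)` on the sample reports three findings: the TCP queue bypass, the SMTP decoder's WildFire action, and DSRI on the allow-web rule.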


Additional Information


For additional information, please see our WildFire Best Practices document.
