Can the WildFire engine detect and identify zero-day or known threats if the SSL decryption feature is off in a Palo Alto firewall?
WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic and can quickly generate signatures to identify and protect against future infections from the malware it discovers.
But how does it detect file types and malicious behaviour in SSL-encrypted traffic?
You need SSL Decryption to get the full benefit of WildFire for encrypted traffic, as you would expect. If you don't have visibility into the traffic, WildFire won't be able to identify the content being downloaded and therefore isn't able to fully protect your environment.
@BPry my organization doesn't want to turn SSL decryption on due to user privacy issues. What other benefits can I get from WF? How about email/FTP or any other traffic?
@PS007, please keep in mind that more and more applications and sites are being encrypted to be more secure.
So, if you are not decrypting SSL, then you are missing out on a big piece of the puzzle.
When you set up the decryption policy, you normally exclude Banking, Hospital/medical, and similar categories to respect personal privacy.
So if you don't decrypt traffic, WildFire is only able to act on what it can actually see crossing the firewall, which at that point would be any unencrypted traffic. So while FTP traffic would get inspected, SFTP would not; likewise HTTP downloads would be inspected but HTTPS downloads would not be. There is still a lot of benefit in catching the "low-hanging fruit" utilizing WildFire in a network while not utilizing SSL Decryption for external traffic. That being said, more and more traffic is switching to encrypted by default, so the effective percentage of your analyzed traffic would continue to go down as the percentage of your encrypted traffic goes up.
I would argue that with you falling under GDPR you actually have even more of a reason to gain insight into your traffic patterns, not less. As @jdelio mentioned, you can exclude any category or domain that you don't want decrypted with ease, but choosing to go without decryption altogether is relatively risky if your org actually gets breached and would have to report it. I.e.: the cost of being fined under GDPR because customer or employee information was potentially exported/accessed during a network breach would be rather massive; and unless you decrypt traffic hitting a public resource you host on your network (inbound decryption), you don't really have that big of a GDPR risk with the right retention policies in place.
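As an added example, not part of the thread above and not taken from Palo Alto Networks documentation, here is a minimal PAN-OS CLI decryption policy of the kind jdelio and BPry describe: a no-decrypt rule for privacy-sensitive URL categories placed above a catch-all SSL Forward Proxy decrypt rule, so WildFire sees the content of ordinary HTTPS downloads while banking and medical sessions stay opaque. The zone names trust and untrust, the rule names, and the decryption profile name are assumptions; financial-services and health-and-medicine are PAN-DB category names, but confirm them and the exact set-command syntax against your own PAN-OS version before committing. The lines starting with # are annotations, not CLI input.

```text
# Added example, not from the original post. Assumed: zones trust/untrust,
# rule names, and a decryption profile called Decryption-Profile-Default.
configure

# 1. Privacy exclusions come first: these categories are matched but never decrypted,
#    so WildFire (and everything else) only sees the TLS handshake, not the payload.
set rulebase decryption rules No-Decrypt-Privacy from trust to untrust source any destination any service any category [ financial-services health-and-medicine ] action no-decrypt description "Privacy exclusion for banking and medical sites"

# 2. Everything else leaving the trust zone over the web is decrypted with SSL Forward Proxy,
#    which is what lets the WildFire Analysis profile on the Security policy forward HTTPS downloads.
set rulebase decryption rules Decrypt-Outbound from trust to untrust source any destination any service any category any action decrypt type ssl-forward-proxy profile Decryption-Profile-Default

# Decryption rules are evaluated top-down and the first match wins, so the exclusion
# must sit above the catch-all; the move makes that explicit regardless of creation order.
move rulebase decryption rules No-Decrypt-Privacy before Decrypt-Outbound

commit
```

The check a practitioner wants after committing is the rule order itself: if Decrypt-Outbound ever ends up above No-Decrypt-Privacy, the privacy exclusion is dead and banking sessions are decrypted. Adding further no-decrypt rules (a custom URL category listing specific domains, for instance) follows the same pattern and goes above the catch-all as well.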