02-21-2023 08:21 AM - edited 03-14-2023 12:11 AM
ICAP is a popular way to send files to an external sandbox for scanning, but it slows down performance — a lot. What are the new Palo Alto 10.x/11.x options that achieve similar protection without the performance hit? We'll discuss real-time retrieval of WildFire signatures, WildFire Inline ML and Advanced WildFire, which are available for Palo Alto NGFW and Prisma Access SASE.
ICAP can hold the initial file download and make the user wait until the scan is finished and a verdict has been created. This inevitably introduces delay. WildFire, on the other hand, may let the first file through so as not to impact performance, which means the first copy of a new sample can reach the user before a verdict exists.
This is where real-time retrieval of WildFire signatures and WildFire Inline ML come into play, the new features added in 10.x that close that gap.
WildFire Inline ML is the option for the Palo Alto NGFW that uses ML-based models already downloaded to the firewall to scan files inline, even when the WildFire service has not yet returned a verdict on whether the file is benign or malicious. This feature is enabled under the Antivirus profile.
PAN-OS 10.0 and later support real-time retrieval of WildFire signatures. That means that when a new signature is created, the signature content is streamed down to the firewall within single-digit seconds. This gives the firewall access to signatures as soon as they are generated, greatly shrinking the window in which malware can infiltrate the network.
Advanced WildFire is a new subscription offering from Palo Alto Networks that provides access to Intelligent Run-time Memory Analysis, a cloud-based advanced analysis engine that complements existing static and dynamic analysis engines to detect and prevent evasive malware threats.
With these options you get protection comparable to ICAP blocking the first malicious file, without the performance and latency issues of ICAP.
For more information about the most recent features I suggest the Nebula 10.2 deep dive sessions.
I am really happy that people find this helpful 🙂