Advanced Wildfire as an ICAP Alternative

L6 Presenter

ICAP is a popular way to scan files on external sandbox systems, but it slows down performance a lot. What options in PAN-OS 10.x/11.x do something similar without the performance penalty? We'll discuss real-time retrieval of WildFire signatures, WildFire Inline ML and Advanced WildFire, which are available for the Palo Alto Networks NGFW and Prisma Access SASE.

ICAP can hold the initial file download and make the user wait until the scan has finished and a verdict has been produced. This inevitably adds delay. WildFire, on the other hand, may allow the first copy of a file through so as not to impact performance.

This is where real-time retrieval of WildFire signatures and WildFire Inline ML, the new features added in 10.x, come into play.

WildFire Inline ML is the option for the Palo Alto Networks NGFW: ML-based models already downloaded to the firewall scan files inline, even when the WildFire service has not yet returned a verdict on whether the file is good or bad. This feature is enabled under the Antivirus profile.

[Image: new-wildfire.PNG]

[Image: new-wildfire3.PNG]

PAN-OS 10.0 and later support real-time retrieval of WildFire signatures. That means that when a new signature is created, the signature content is streamed down to the firewall within single-digit seconds. This gives the firewall access to signatures as soon as they are generated, greatly minimizing the window in which malware can infiltrate the network.

[Image: new-wildfire2.PNG]

Advanced WildFire is a new subscription offering from Palo Alto Networks that provides access to Intelligent Run-time Memory Analysis, a cloud-based advanced analysis engine that complements existing static and dynamic analysis engines to detect and prevent evasive malware threats.

With these options you get protection similar to ICAP blocking the first bad file, without ICAP's performance and latency penalty.
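Because the firewall may let the first copy of a never-before-seen file through while WildFire is still analysing it, a SOC will want to check afterwards what verdict that file eventually received. The script below is an added example, not code from the article or from Palo Alto Networks: it hashes a file, queries the WildFire public API `get/verdict` endpoint (the URL, the `apikey`/`hash` form parameters and the numeric verdict codes are taken from the WildFire API documentation as I remember it, so verify them against the current reference), parses the XML response and flags hashes whose verdict means the earlier allow decision should be followed up. The sample response embedded at the bottom is constructed so the module runs offline.

```python
"""Retrospective WildFire verdict lookup for file hashes (added example)."""
import hashlib
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Endpoint and verdict codes as documented for the WildFire public API
# (assumption: check the current API reference before relying on them).
WILDFIRE_VERDICT_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/verdict"
VERDICT_LABELS = {
    0: "benign",
    1: "malware",
    2: "grayware",
    4: "phishing",
    5: "c2",
    -100: "pending",   # sample is still being analysed
    -101: "error",
    -102: "unknown",   # hash has never been submitted to WildFire
    -103: "invalid",   # hash is not a valid MD5/SHA-256
}
# Verdicts that mean a file the firewall already allowed needs follow-up.
BLOCK_VERDICTS = {"malware", "phishing", "c2"}


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest of file content, the key WildFire verdicts are indexed by."""
    return hashlib.sha256(data).hexdigest()


def parse_verdict(xml_text: str) -> dict:
    """Parse a get/verdict XML response into a dict with code and human label."""
    root = ET.fromstring(xml_text)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("no <get-verdict-info> element in response")
    code = int(info.findtext("verdict", default="-101"))
    return {
        "sha256": info.findtext("sha256", default=""),
        "md5": info.findtext("md5", default=""),
        "code": code,
        "label": VERDICT_LABELS.get(code, "unrecognised"),
    }


def needs_follow_up(verdict: dict) -> bool:
    """True when the verdict indicates the earlier allow decision should be reviewed."""
    return verdict["label"] in BLOCK_VERDICTS


def lookup_verdict(file_hash: str, api_key: str, opener=urllib.request.urlopen) -> dict:
    """POST the hash to WildFire and parse the verdict (network call; opener is injectable)."""
    body = urllib.parse.urlencode({"apikey": api_key, "hash": file_hash}).encode()
    req = urllib.request.Request(WILDFIRE_VERDICT_URL, data=body, method="POST")
    with opener(req) as resp:
        return parse_verdict(resp.read().decode("utf-8"))


# Constructed sample response (not real WildFire output) so the module runs offline.
SAMPLE_RESPONSE = """<wildfire>
  <get-verdict-info>
    <sha256>{sha}</sha256>
    <verdict>{code}</verdict>
    <md5>{md5}</md5>
  </get-verdict-info>
</wildfire>"""


def demo() -> dict:
    """Hash a constructed file and parse a constructed 'malware' verdict for it."""
    data = b"constructed sample file content"
    sha = sha256_of(data)
    return parse_verdict(SAMPLE_RESPONSE.format(sha=sha, code=1, md5="0" * 32))


if __name__ == "__main__":
    v = demo()
    print(v, "follow up:", needs_follow_up(v))
```

In practice you would feed `lookup_verdict` the hashes from the firewall's WildFire submission or data filtering logs for files that were allowed, and alert on anything where `needs_follow_up` is true; a `pending` verdict simply means the lookup should be retried later.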

For more information about the most recent features I suggest the Nebula 10.2 deep dive sessions.

Comments
Community Team Member

Thanks for sharing @nikoolayy1 !

Community Manager

Great info - thanks for sharing! @nikoolayy1 

Community Team Member

love it! @nikoolayy1 

L6 Presenter

I am really happy that people find this helpful 🙂

Last Updated: 03-14-2023 12:11 AM