08-01-2023 11:55 AM
We currently have the ability to use WildFire Inline ML via the Antivirus Profile settings on our PA-5220's. However, all models currently are set to ACTION = DISABLE. I do NOT know why other than either that is what it defaulted to on a previous upgrade or my predecessor had a reason to leave it off.
What is the best approach to activating this without potentially causing issues with false positives but NOT leaving us more vulnerable while we turn it up?
I assume setting the action to ALERT-ONLY (override more strict actions to alert) would be the option to choose but the I'm concerned by it overriding more strict options it is effectively going to turn OFF scanning/analysis that is already in effect.
I'd appreciate any insight from others with more experience.
Thank you.
08-02-2023 09:21 AM
Hi @TonyDeHart ,
The Advanced Wildfire Inline ML compliments your Threat Prevention License with basic Wildfire capabilities. Using the Wildfire Inline ML will not turn off scanning/analysis in security profiles that are attached to existing security policies.
Consider creating and placing your alert-only Wildfire Inline ML enhanced security policies below your existing security policies in select zones where you are able to test and monitor the new capability in your environment.
08-02-2023 09:21 AM
Hi @TonyDeHart ,
The Advanced Wildfire Inline ML compliments your Threat Prevention License with basic Wildfire capabilities. Using the Wildfire Inline ML will not turn off scanning/analysis in security profiles that are attached to existing security policies.
Consider creating and placing your alert-only Wildfire Inline ML enhanced security policies below your existing security policies in select zones where you are able to test and monitor the new capability in your environment.
08-02-2023 09:43 AM
Thanks for the suggestion. I'll see where they may be a place that is appropriate but I can't think off hand right now where there would be a place for it that traffic would ever reach since anything valid (outside of intrazone) would hit other rules above it. Perhaps I can also place a rule above somewhere with a very limited scope to see how it fairs before a wider application.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
