01-25-2023 09:06 PM
Hi,
PAN OS Version 10.2 support Advanced threat protection and its seems like , for any unknowns the metadata will be forwarded to cloud for deep learning mechanism (Correct me if i am wrong). My coroners are
Also regarding the wildfire inspection, if the verdict is unknown to the firewall, the data will be uploaded to cloud for further analysis, until the verdict is returned back to the firewall, how does the firewall will treat that particular flow ( block or hold or allow)?
01-31-2023 12:20 PM
By default the Palo Alto firewall will alow traffic while waiting for verdict as to not cause performance issues that ICAP causes. You can use dynamic tags to quarantine source ip/user when the verdict is returned https://www.youtube.com/watch?v=WgG6Hi0T73g or also enable the inline ML learning on the firewall that can block the attack even without verdict from the cloud as extra security https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-100/con... .
Also you have reports on the firewall https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004N9oCAE&lang=en_US%E2%80%A... and a GUI portal https://docs.paloaltonetworks.com/advanced-wildfire/administration/monitor-wildfire-activity/use-the... where you can see what happened.
I have forgoten this but if the connection to the cloud is impacted I think that the files will be allowed if not blocked by the other Antivirus, Spyware or Vunrability profiles.
01-31-2023 12:20 PM
By default the Palo Alto firewall will alow traffic while waiting for verdict as to not cause performance issues that ICAP causes. You can use dynamic tags to quarantine source ip/user when the verdict is returned https://www.youtube.com/watch?v=WgG6Hi0T73g or also enable the inline ML learning on the firewall that can block the attack even without verdict from the cloud as extra security https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-100/con... .
Also you have reports on the firewall https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004N9oCAE&lang=en_US%E2%80%A... and a GUI portal https://docs.paloaltonetworks.com/advanced-wildfire/administration/monitor-wildfire-activity/use-the... where you can see what happened.
I have forgoten this but if the connection to the cloud is impacted I think that the files will be allowed if not blocked by the other Antivirus, Spyware or Vunrability profiles.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
