5.4 Ensure all WildFire session information settings are enabled

Information

Enable all options under Session Information Settings for WildFire.

Rationale:

Permitting the firewall to send all of this information to WildFire creates more detailed reports, thereby making the process of tracking down potentially infected devices more efficient. This could prevent an infected system from further infecting the environment. Environments with security policies restricting sending this data to the WildFire cloud can instead utilize an on-premises WildFire appliance. In addition, risk can be analyzed in the context of the destination host and user account, either during analysis or during incident response.

Solution

Navigate to Device > Setup > WildFire > Session Information Settings.
Set every option to be enabled.

Default Value:

All Session Information Settings are enabled by default. These include:

Source IP

Source port

Destination IP

Destination port

Virtual System

Application

User

URL

File name

Email sender

Email recipient

Email subject

See Also

https://workbench.cisecurity.org/benchmarks/13792

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, CSCv7|6.2, CSCv7|8.6

Plugin: Palo_Alto

Control ID: e5e941e4d902d525e44e7f3e02f77d20682a2393a31030497f21bccbbb0876d8