5.4 Ensure forwarding of decrypted content to WildFire is enabled

Information

Allow the firewall to forward decrypted content to WildFire. Note that SSL Forward-Proxy must also be enabled and configured for this setting to take effect on inside-to-outside traffic flows.
Rationale:
As encrypted Internet traffic continues to proliferate, WildFire becomes less effective unless it is allowed to act on decrypted content. For example, if a user downloads a malicious pdf over SSL, WildFire can only provide analysis if 1) the session is decrypted by the firewall and 2) forwarding of decrypted content is enabled. In today's internet, roughly 70-80% of all user traffic is encrypted. If Wildfire is not configured to analyze encrypted content, the effectiveness of Wildfire is drastically reduced.

Solution

Navigate to Device > Setup > Content-ID > Content-ID Settings.
Set Allow forwarding of decrypted content to be checked.
or
Execute the following CLI command to set the ssl-decryption configuration:
username@hostname#configure
username@hostname#set setting ssl-decrypt allow-forward-decrypted-content yes
username@hostname#commit
Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4(10), CSCv6|12.5

Plugin: Palo_Alto

Control ID: e22d2f480fc976d90d88cbf349df708e8715c5bba7972fc6d144088ae809e7a6