5.5 Ensure all WildFire session information settings are enabled

Information

Enable all options under Session Information Settings for WildFire.
Rationale:
Permitting the firewall to send all of this information to WildFire creates more detailed reports, thereby making the process of tracking down potentially infected devices more efficient. This could prevent an infected system from further infecting the environment. Environments with security policies restricting sending this data to the WildFire cloud can instead utilize an on-premises WildFire appliance. In addition, risk can be analyzed in the context of the destination host and user account, either during analysis or during incident response.

Solution

Navigate to Device > Setup > WildFire > Session Information Settings.
Set every option to be enabled.
Default Value:
All Session Information Settings are enabled by default. These include: Source IP Source port Destination IP Destination port Virtual System Application User URL File name Email sender Email recipient Email subject

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AU-3, 800-53|AU-12, 800-53|SI-3, CSCv6|6.5, CSCv6|8.5, CSCv7|6.2, CSCv7|8

Plugin: Palo_Alto

Control ID: 9e7f9a7c9777ceb4711de23bd11535970d2dbbc4a26c8b2a8d3d3b5cdb17a8bb