Detections
Analytics

5.1 Ensure that WildFire file size upload limits are maximized

Information

Increase WildFire file size limits to the maximum file size supported by the environment. An organization with bandwidth constraints or heavy usage of unique files under a supported file type may require lower settings. The recommendations account for the CPU load on smaller platforms. If an organization consistently has CPU to spare, it's recommended to set some or all of these values to the maximum.
Rationale:
Increasing file size limits allows the devices to forward more files for WildFire analysis. This increases the chances of identifying, and later preventing, threats in larger files. The default values are configured for files small enough that the majority of files are not assessed by Wildfire.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Device > Setup > WildFire.
Click the General Settings edit icon.
Set the maximum size for each file type are larger than the defaults, to a size that is as large enough to account for "large" files, but not large enough to affect performance of the hardware. The maximum values (best case) and the Palo Alto recommendations that take performance into account are listed below:
pe (Portable Executable) - Range is 1 to 10MB; default is 2MB, Palo Alto recommends 10MB.
apk (Android Application)- Range is 1 to 50MB; default 10MB, Palo Alto recommends 30MB.
pdf (Portable Document Format) - Range is 100KB to 1,000KB; default is 200KB, Palo Alto recommends 1,000KB.
ms-office (Microsoft Office) Range is 200KB to 10,000KB; default is 500KB, Palo Alto recommends 2,000KB.
jar (Packaged Java class file) Range is 1 to 10MB; default is 1MB, Palo Alto recommends 5MB.
flash (Adobe Flash) Range is 1 to 10MB; default is 5MB, Palo Alto recommends 5MB.
MacOSX (DMG/MAC-APP/MACH-O PKG files) Range is 1 to 50MB; default is 1MB, Palo Alto recommends 1MB.
archive (RAR and 7z files) Range is 1 to 50MB; default is 1MB, Palo Alto recommends 10MB.
linux (ELF files) Range is 1 to 10MB; default is 2MB, Palo Alto recommends 2MB.
Impact:
With the default values known, an attacker has only to send an infected file slightly over the "maximum" size for that filetype to evade detection at the perimeter. Many of the values are significantly lower than is typical for each file size.
Default Value:
Default sizes are: pe 2MB (Portable Executable) apk 10MB pdf 200KB ms-office 500KB jar 1MB flash 5MB MacOSX 1MB

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, CSCv6|8.5, CSCv7|8

Plugin: Palo_Alto

Control ID: 88c762f3a7e62eb2e985ffdbacef84b42c7ac042a42d2cb421cf452f0cbe3587