PAN-OS: WildFire Supported File Types & Size Limits

Introduction: What WildFire Analyzes

The WildFire cloud analysis service is designed to inspect a wide variety of file types commonly used to deliver malware or conduct malicious activity. The firewall uses WildFire Analysis Profiles to determine which specific file types, seen traversing allowed sessions, should be forwarded for analysis if their verdict is unknown.

Furthermore, there are limits on the maximum size of files that can be submitted for analysis, both configurable on the firewall and inherent to the WildFire cloud/appliance infrastructure. Understanding these supported types and size limits is crucial for effective WildFire configuration.

WildFire supports analysis for a broad range of file types known to be vectors for threats. The specific list evolves, but key categories commonly configured for submission in WildFire Analysis Profiles ( Objects > Security Profiles > WildFire Analysis ) include:

File Type Category	Examples & Description	Common Threat Vector?
`PE`	Windows Portable Executables (.exe, .dll, .sys, .scr, etc.)	Very High (Primary malware delivery)
`PDF`	Adobe Portable Document Format (.pdf)	High (Can contain exploits, malicious scripts, phishing links)
`MS-Office`	Microsoft Office documents (.doc/x, .xls/x, .ppt/x, .rtf, etc.)	High (Commonly use macros or embedded exploits)
`APK`	Android Application Package (.apk)	High (Mobile malware delivery)
`Script`	Various script types (e.g., PowerShell .ps1, JavaScript .js, VBScript .vbs, HTML Application .hta)	High (Used for droppers, fileless malware, exploits)
`Archive`	Compressed files (.zip, .rar, .7z, .jar, etc.). WildFire attempts to analyze contents if not password-protected.	Medium/High (Often used to package malware)
`jar`	Java Archive (.jar). Subset of Archive, often listed separately.	Medium (Java exploits or malicious applets)
`Flash`	Adobe Flash files (.swf)	Medium (Historically high, decreasing as Flash is deprecated, but exploits still exist)
`MacOSX`	macOS specific executables and file types (.dmg, Mach-O files, etc.)	Medium (Increasing macOS malware)
`Linux`	ELF executables and potentially other Linux-specific formats.	Medium (Increasing Linux malware/IoT threats)
`Email Link`	Analyzes URLs found within email bodies (requires firewall visibility into email protocols like SMTP, IMAP, POP).	Very High (Primary phishing vector)
`any`	Forwards all unrecognized file types encountered.	Variable (Includes benign types. Generally NOT Recommended ).

This is not exhaustive and specific options may vary slightly by PAN-OS version. Always refer to the firewall GUI ( Objects > Security Profiles > WildFire Analysis > Add > Analysis Tab > File Types ) for the definitive list applicable to your version.

Configurable Limits on the Firewall

You can configure the maximum size for *each file type* that the firewall will attempt to forward to WildFire.

Location: Device > Setup > WildFire > General Settings (Edit the 'General Settings')
Mechanism: For each supported file type (PE, PDF, Office, etc.), there is a configurable `Size Limit (MB)` field.
Default Values: Palo Alto Networks sets default size limits for each file type. These defaults are designed to balance coverage (most malware is smaller than the defaults) with resource conservation (avoiding submission of excessively large, likely benign files).
Adjustment: You can increase or decrease these limits based on your specific needs and risk assessment, but be aware of the implications (see Best Practices and Caveats).

WildFire Cloud/Appliance Limits

The WildFire service itself (both public cloud and private appliance) has maximum file sizes it can accept and analyze. These limits may be higher than the firewall's default forwarding limits.

Public Cloud: Limits vary by file type and region but are generally quite large (e.g., potentially 100MB+ for PE files, lower for others like PDF/Office). Refer to the latest WildFire documentation for current cloud limits.
Private Appliance (WF-500/VM): Limits depend on the appliance model and configured resources. Generally lower than the public cloud limits. Refer to the WildFire Appliance documentation.

The effective maximum size for submission is the lower of the limit configured on the firewall and the limit supported by the WildFire destination (cloud or appliance).

Default vs. Recommended Maximums (Example based on provided text)

The provided text highlights that while defaults are generally good, increasing limits can catch uncommon, larger malware files, but at the cost of potentially higher bandwidth usage and forwarding load.

File Type	Typical Default Limit (Approx.)*	Example Recommended Max (PAN-OS 9.0+)*
pe	~10-16MB	16MB
apk	~10MB	10MB
pdf	~1-3MB	3MB (3,072KB)
ms-office	~2-16MB	16MB (16,384KB)
jar	~5MB	5MB
flash	~5MB	5MB
MacOSX	~1-10MB	10MB
archive	~10-50MB	50MB
linux	~10-50MB	50MB
script	~20KB	20KB

*Note: These values are illustrative based on the text provided and official documentation for specific PAN-OS versions should always be consulted for exact defaults and maximums. Default values can change between versions.

WildFire File Submission Limits

While you don't configure a specific "maximum number of files per day" limit directly on the firewall for automatic WildFire submissions, several factors effectively limit the volume:

Firewall Forwarding Capacity (Rate Limit):
- What it is: Each firewall model has a finite capacity for processing and forwarding unknown files to WildFire. This limit is based on the firewall's hardware resources (CPU, memory, internal queuing space). It's essentially a rate limit rather than a daily counter.
- Impact: If the firewall receives unknown files (matching the WildFire Analysis Profile) faster than it can forward them (due to high traffic volume, large file sizes, or network latency to WildFire), its internal queue may fill up.
- Result of Exceeding Capacity: When the forwarding queue is full, the firewall will start skipping the submission of subsequent unknown files until capacity becomes available. Skipped files will not be analyzed by WildFire unless encountered again later.
- Monitoring: You can monitor for skipped files using CLI commands (e.g., checking specific system counters or WildFire statistics) or potentially via SNMP, though direct "skipped count" visibility can vary by PAN-OS version. High skip counts indicate the firewall is potentially undersized for the submission load or that submission criteria (file types/sizes) are too broad.
Per-File Size Limits:
- What it is: As discussed previously, limits exist for the maximum size of individual files that can be forwarded. This is configured on the firewall ( Device > Setup > WildFire > General Settings ) and also limited by the WildFire cloud/appliance infrastructure.
- Impact: Files larger than the configured or supported limit for their type will not be submitted, regardless of daily volume.
Manual Portal Submission Limits:
- What it is: This applies when administrators or users manually upload files directly via the WildFire web portal ( wildfire.paloaltonetworks.com ).
- Limit: There *is* a defined daily limit per user account for manual submissions. For standard support accounts, this is typically 5 files per day . Premium WildFire subscriptions may offer higher manual submission limits.
- Impact: This limit restricts ad-hoc analysis via the portal but does *not* affect the automatic submissions from configured firewalls.
WildFire Subscription/Cloud Capacity:
- While not usually presented as a hard daily limit to the end-user firewall, the WildFire cloud infrastructure itself has enormous but ultimately finite processing capacity. In extremely widespread, high-volume submission events (like a massive global outbreak of a new variant), there could theoretically be processing delays, though the system is designed for high scale. Private WildFire appliances have capacity limits based on their model.

In summary: For automatic firewall submissions, the primary constraint is the firewall's forwarding rate capacity , not a fixed daily number. Monitor for skipped submissions if you suspect high volume is an issue. Manual portal submissions *do* have a defined daily limit per user account.

Best Practices

Prioritize High-Risk File Types: Ensure common malware vectors like PE, MS-Office, PDF, Scripts, APK, Archives are selected for forwarding in your WildFire Analysis Profile.
Avoid Forwarding `any` File Type: This generates excessive submissions of benign files (images, text, etc.), consumes bandwidth, impacts forwarding capacity, and increases privacy concerns. Be selective.
Start with Default Size Limits: The default firewall forwarding limits are generally a good starting point, designed to catch the vast majority of malware while conserving resources.
Increase Limits Cautiously: Only increase file size limits beyond the defaults if you have a specific concern about large malicious files for a particular type AND understand the potential impact on firewall forwarding capacity and bandwidth.
Align Firewall Limits with Cloud/Appliance Limits: There's no benefit to setting the firewall forwarding limit higher than what the destination WildFire service can actually accept.
Enable SSL Decryption: Crucial. The firewall cannot identify or forward files based on type if they are transferred within encrypted (SSL/TLS) sessions, unless decryption is enabled.

Caveats and Considerations

Forwarding Capacity: Firewalls have a limited capacity for how many files they can hold while waiting to forward them to WildFire. Forwarding too many large files or using `any` file type can exceed this capacity, causing some files to be skipped.
Bandwidth Consumption: Forwarding large files, even benign ones if `any` is selected or limits are high, consumes upload bandwidth.
Encrypted Traffic: File type identification and forwarding requires visibility. Files inside encrypted sessions are invisible without decryption.
Encrypted Archives: WildFire generally cannot analyze files inside password-protected archives.
Privacy: Forwarding `any` file type increases the chance of sending potentially sensitive but benign documents to the public cloud. Selecting specific types reduces this risk.

For the PCNSE exam, understand:

The purpose of selecting File Types in the WildFire Analysis Profile: To control which types of unknown files are submitted.
Common high-risk file types typically forwarded (PE, Office, PDF, Scripts, etc.).
The recommendation to avoid using `any` for File Types.
Where file size limits for forwarding are configured: Device > Setup > WildFire > General Settings .
The concept of default vs. maximum configurable size limits per file type.
The relationship between firewall limits and cloud/appliance limits (effective limit is the lower).
The impact of forwarding capacity and bandwidth on file submissions.
The absolute necessity of SSL Decryption for analyzing files transferred over HTTPS.

PAN-OS: WildFire Supported File Types & Size Limits

Introduction: What WildFire Analyzes

Supported File Types for WildFire Analysis

WildFire File Size Limits

Configurable Limits on the Firewall

WildFire Cloud/Appliance Limits

Default vs. Recommended Maximums (Example based on provided text)

WildFire File Submission Limits

Firewall Forwarding Capacity (Rate Limit):

Per-File Size Limits:

Manual Portal Submission Limits:

WildFire Subscription/Cloud Capacity:

Best Practices

Caveats and Considerations

PCNSE Exam Focus

WildFire File Types & Sizes Quiz