WildFire Configuration, Testing, and Monitoring
WildFire is a cloud-based service that integrates with the Palo Alto Firewall and provides detection and prevention of malware.
Pre PAN-OS 7.0
In PAN-OS versions 6.0 and 6.1, WildFire is configured as a File Blocking Profile.
PAN-OS 7.0 +
Starting with PAN-OS 7.0, WildFire is configured as a WildFire Analysis Profile and can then be applied to a security policy that matches the traffic that needs to be analysed.
In a security policy:
If the security policy is strict, verify that the application paloalto-wildfire-cloud is allowed outbound from the management interface to the internet. The application may need to be added to the existing policy that already permits paloalto-updates and similar services, or an additional Service Route needs to be configured to bind wildfire-cloud to the external interface.
WildFire can be set up as a File Blocking profile with the following Actions:
- Forward: The file is automatically sent to the WildFire cloud.
- Continue and Forward: The user is presented with a "continue" page before the download, and the file is forwarded to WildFire.
Since PAN-OS 7.0 the continue action can still be set in a File Blocking profile; the WildFire Analysis profile then simply specifies the destination: the public-cloud, or the private-cloud if a WF-500 appliance is available.
The file types selected in the WildFire configuration determine which files are matched for WildFire analysis.
Palo Alto Networks firewalls compute the hash of the file and first send only that hash to the WildFire cloud, where it is compared against the hashes of files already analysed. If there is no match, the file itself is uploaded and inspected, and the file details can be viewed on the WildFire portal (https://wildfire.paloaltonetworks.com/).
A file can also be manually uploaded to the WildFire portal for analysis.
In order to ensure the management port is able to communicate with the WildFire cloud, use the "test wildfire registration" command in the CLI:
> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)

Test wildfire
    wildfire registration:      successful
    download server list:       successful
    select the best server:     va-s1.wildfire.paloaltonetworks.com
The device will only register to the WildFire cloud if a valid WildFire license is present.
The commands below can also be used to verify WildFire operation:
> show wildfire status
Connection info:
  Signature verification:    enable
  Server selection:          enable
  File cache:                enable

WildFire Public Cloud:
  Server address:            wildfire.paloaltonetworks.com
  Status:                    Idle
  Best server:               eu-west-1.wildfire.paloaltonetworks.com
  Device registered:         yes
  Through a proxy:           no
  Valid wildfire license:    yes
  Service route IP address:

File size limit info:
  pe          2 MB
  apk         10 MB
  pdf         200 KB
  ms-office   500 KB
  jar         1 MB
  flash       5 MB
... cut for brevity
> show wildfire statistics
Packet based counters:
  Total msg rcvd:      1310
  Total bytes rcvd:    1424965
  Total msg read:      1310
  Total bytes read:    1393525
... cut for brevity
> show wildfire cloud-info
Public Cloud channel info:
  Cloud server type:     wildfire cloud
  Supported file types:  jar flash ms-office pe pdf apk email-link
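The three status commands above are what an operator reads by hand after "test wildfire registration". The following script is an added example, not part of the original article and not Palo Alto Networks code: it parses a constructed copy of the "show wildfire status" output (field names as printed above, values constructed for the sample) and reduces it to the checks that decide whether files can reach the cloud at all: device registered, valid license, a best server selected, and the per-type size limits that cap what is forwarded. The parsing assumes the two-column "key: value" layout shown above; the helper names are this example's own.

```python
"""Health check over the text of `show wildfire status` (added example)."""
import re

# Constructed sample, modelled on the article's `show wildfire status` output.
SAMPLE_STATUS = """\
Connection info:
  Signature verification:    enable
  Server selection:          enable
  File cache:                enable

WildFire Public Cloud:
  Server address:            wildfire.paloaltonetworks.com
  Status:                    Idle
  Best server:               eu-west-1.wildfire.paloaltonetworks.com
  Device registered:         yes
  Through a proxy:           no
  Valid wildfire license:    yes
  Service route IP address:

File size limit info:
  pe          2 MB
  apk         10 MB
  pdf         200 KB
  ms-office   500 KB
  jar         1 MB
  flash       5 MB
"""

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_wildfire_status(text):
    """Return (fields, limits): lower-cased key/value pairs and size limits in bytes."""
    fields, limits = {}, {}
    in_limits = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("File size limit info"):
            in_limits = True          # the table that follows has no colons
            continue
        if in_limits:
            m = re.match(r"^(\S+)\s+(\d+)\s+(B|KB|MB)$", line)
            if m:
                limits[m.group(1)] = int(m.group(2)) * _UNITS[m.group(3)]
                continue
            in_limits = False         # any other line ends the table
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields, limits


def wildfire_health(text):
    """List the conditions that would stop files from reaching the WildFire cloud."""
    fields, limits = parse_wildfire_status(text)
    problems = []
    if fields.get("device registered") != "yes":
        problems.append("device not registered with WildFire cloud")
    if fields.get("valid wildfire license") != "yes":
        problems.append("no valid WildFire license")
    if not fields.get("best server"):
        problems.append("no best server selected (server list not downloaded?)")
    if not limits:
        problems.append("no file size limits reported")
    return problems


def will_forward(limits, file_type, size_bytes):
    """True if a file of this type and size is within the forwarding limit."""
    return file_type in limits and size_bytes <= limits[file_type]


if __name__ == "__main__":
    fields, limits = parse_wildfire_status(SAMPLE_STATUS)
    print("problems:", wildfire_health(SAMPLE_STATUS) or "none")
    print("pdf of 300 KB forwarded?", will_forward(limits, "pdf", 300 * 1024))
```

The size-limit check is the one most often overlooked: a file type that is enabled in the profile but larger than its limit is never sent, so a clean WildFire log for such a file means "not inspected", not "benign".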
The WildFire Submissions logs provide details after a WildFire action:
- wildfire-upload-success: The file was successfully uploaded to the WildFire cloud.
- wildfire-upload-skip: The WildFire cloud has already seen the file, so it is not uploaded again. If the file is "Benign", no entry is seen on the WildFire portal.
Regardless of whether the file was uploaded or had already been analysed in the past and was therefore not uploaded, the log entry is populated with the WildFire report for its SHA256. If the file has only recently been uploaded, the WildFire analysis may not have completed yet, in which case the report is not yet available:
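Because a skipped upload still carries the cloud's existing report and a fresh upload may carry none yet, reading the Submissions log one line at a time misleads: the same SHA256 can appear several times with different states. The script below is an added example, not from the article or Palo Alto Networks; it works on a constructed list of submission records (the field names "seq", "sha256", "action" and "verdict" are this example's own, as is the "benign"/"malware" verdict wording, and a real deployment would map them from the firewall's log export) and reconciles the entries per hash so that each file has one current verdict, with the hashes whose report is still pending listed for a later re-query.

```python
"""Reconcile WildFire Submissions log entries per SHA256 (added example)."""

# Constructed sample entries; "seq" stands in for the log timestamp, and
# verdict None means the report was not available when the entry was written.
SAMPLE_SUBMISSIONS = [
    {"seq": 1, "sha256": "aa" * 32, "action": "wildfire-upload-success", "verdict": None},
    {"seq": 2, "sha256": "bb" * 32, "action": "wildfire-upload-skip", "verdict": "benign"},
    {"seq": 3, "sha256": "aa" * 32, "action": "wildfire-upload-skip", "verdict": "malware"},
    {"seq": 4, "sha256": "cc" * 32, "action": "wildfire-upload-success", "verdict": None},
    {"seq": 5, "sha256": "bb" * 32, "action": "wildfire-upload-skip", "verdict": "benign"},
]

# The two actions the article describes for the Submissions log.
VALID_ACTIONS = {"wildfire-upload-success", "wildfire-upload-skip"}


def triage_submissions(entries):
    """Collapse entries per sha256 into the latest known verdict.

    Returns {sha256: {"verdict", "uploads", "skips", "pending"}}. Entries are
    processed in log order so a later verdict supersedes an earlier "no report".
    """
    files = {}
    for e in sorted(entries, key=lambda e: e["seq"]):
        if e["action"] not in VALID_ACTIONS:
            raise ValueError(f"unexpected action {e['action']!r}")
        rec = files.setdefault(e["sha256"], {"verdict": None, "uploads": 0, "skips": 0})
        if e["action"] == "wildfire-upload-success":
            rec["uploads"] += 1
        else:
            rec["skips"] += 1          # cloud already knew the file; report reused
        if e["verdict"] is not None:
            rec["verdict"] = e["verdict"]
    for rec in files.values():
        rec["pending"] = rec["verdict"] is None   # analysis not finished yet
    return files


def pending_hashes(entries):
    """Hashes whose WildFire report has not been returned yet; re-query these later."""
    return sorted(h for h, r in triage_submissions(entries).items() if r["pending"])


def malware_hashes(entries):
    """Hashes whose current verdict is malware."""
    return sorted(h for h, r in triage_submissions(entries).items() if r["verdict"] == "malware")


if __name__ == "__main__":
    for sha, rec in triage_submissions(SAMPLE_SUBMISSIONS).items():
        print(sha[:12], rec)
    print("pending:", [h[:12] for h in pending_hashes(SAMPLE_SUBMISSIONS)])
    print("malware:", [h[:12] for h in malware_hashes(SAMPLE_SUBMISSIONS)])
```

The point of keying on the hash rather than on the log line is visible in the sample: the first entry for "aa…" is an upload with no report, and only the later skip entry for the same hash carries the malware verdict, so a per-line alert rule would have missed it.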