Palo Alto Networks Knowledgebase: Wildfire Configuration, Testing, and Monitoring

Wildfire Configuration, Testing, and Monitoring

Created On 08/05/19 19:57 PM - Last Updated 08/05/19 20:11 PM
WildFire
Resolution

WildFire is a cloud-based service that integrates with Palo Alto Networks firewalls: files that match policy are forwarded to the service for analysis, and the resulting verdicts are used to detect and prevent malware.

Pre PAN-OS 7.0

In PAN-OS versions 6.0 and 6.1, WildFire is configured through a File Blocking profile.


PAN-OS 7.0 +

Starting with PAN-OS 7.0, WildFire is configured as a WildFire Analysis profile, which is then attached to the security policy rule that matches the traffic to be analysed.



In a security policy:

Security Policy Rule with WildFire configured (screenshot: wildfire rule.png).

If the security policy is restrictive, verify that the application paloalto-wildfire-cloud is allowed outbound from the management interface to the internet. Either add it to the existing rule that already permits paloalto-updates and similar management services, or configure an additional Service Route so that WildFire traffic is sourced from a data-plane interface instead.



Before PAN-OS 7.0, WildFire is set up as a File Blocking profile with one of the following actions:

  1. forward: the file is allowed and a copy is automatically sent to the WildFire cloud.
  2. continue-and-forward: the user must click through a "continue" page before the download, and the file is then forwarded to the WildFire cloud.

From PAN-OS 7.0 onward, the continue action can still be set in a File Blocking profile, while the WildFire Analysis profile selects the destination: public-cloud, or private-cloud if a WF-500 appliance is available.


Only file types selected in the WildFire configuration are forwarded for analysis.

The firewall does not upload every matching file. It first computes the SHA-256 hash of the file and sends only that hash to the WildFire cloud, which checks whether it has already analysed a file with the same hash. If the hash is unknown, the firewall uploads the file, the cloud analyses it, and the file details can then be viewed on the WildFire portal (https://wildfire.paloaltonetworks.com/).

A file can also be manually uploaded to the WildFire portal for analysis.
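The hash-first forwarding decision described above, as an added example (this is not Palo Alto Networks code and does not claim to mirror PAN-OS internals): a Python simulation that classifies a file by its magic bytes, applies the per-type upload limits quoted from "show wildfire status" further down this page, and uploads only when the cloud does not already know the SHA-256. The names detect_type, WildFireCloudStub and the "not-forwarded" label are assumptions made for the example; the two upload actions reuse the names that appear in the WildFire Submissions log.

```python
import hashlib

# Per-type upload limits copied from the 'show wildfire status' output on this page.
# Assumption: they are applied as plain byte thresholds (KB = 1024, MB = 1024 * 1024).
SIZE_LIMITS = {
    "pe": 2 * 1024 * 1024,
    "apk": 10 * 1024 * 1024,
    "pdf": 200 * 1024,
    "ms-office": 500 * 1024,
    "jar": 1 * 1024 * 1024,
    "flash": 5 * 1024 * 1024,
}


def detect_type(data: bytes):
    """Minimal magic-byte classifier for the WildFire-supported file types.
    Assumption for the example: the real PAN-OS decoders are far more thorough."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith((b"FWS", b"CWS", b"ZWS")):
        return "flash"
    if data.startswith(b"PK\x03\x04"):
        # JAR, APK and OOXML Office documents are all ZIP containers;
        # tell them apart by a well-known member name.
        if b"AndroidManifest.xml" in data:
            return "apk"
        if b"[Content_Types].xml" in data:
            return "ms-office"
        return "jar"
    if data.startswith(b"\xD0\xCF\x11\xE0"):  # legacy OLE2 Office formats
        return "ms-office"
    return None


class WildFireCloudStub:
    """Constructed stand-in for the WildFire cloud: remembers SHA-256 -> verdict."""

    def __init__(self):
        self.verdicts = {}

    def lookup(self, sha256):
        # Hash-only query: returns a verdict if this hash was analysed before.
        return self.verdicts.get(sha256)

    def analyse(self, sha256, data):
        # Assumption: a verdict arrives later, so the report is 'pending' at first
        # (matching the article's note that a fresh upload may not have a report yet).
        self.verdicts[sha256] = "pending"
        return "pending"


def forward_file(cloud, data, profile_types=("pe", "pdf", "ms-office", "jar", "flash", "apk")):
    """Return (action, sha256, verdict) for one file seen by the firewall.

    'wildfire-upload-success' and 'wildfire-upload-skip' are the WildFire
    Submissions log actions; 'not-forwarded' is an assumed label for files
    that never reach the cloud because of their type or size."""
    ftype = detect_type(data)
    if ftype is None or ftype not in profile_types:
        return ("not-forwarded", None, None)  # type not selected in the profile
    if len(data) > SIZE_LIMITS[ftype]:
        return ("not-forwarded", None, None)  # exceeds the per-type upload limit
    sha256 = hashlib.sha256(data).hexdigest()
    verdict = cloud.lookup(sha256)
    if verdict is not None:
        return ("wildfire-upload-skip", sha256, verdict)  # cloud already has this hash
    verdict = cloud.analyse(sha256, data)
    return ("wildfire-upload-success", sha256, verdict)


if __name__ == "__main__":
    # Constructed sample files: a stub PE and an oversized PDF.
    cloud = WildFireCloudStub()
    stub_pe = b"MZ" + b"\x00" * 100
    print(forward_file(cloud, stub_pe))   # first sight: uploaded, verdict pending
    print(forward_file(cloud, stub_pe))   # second sight: hash known, upload skipped
    print(forward_file(cloud, b"%PDF-1.4" + b"\x00" * (200 * 1024)))  # over the PDF limit
```

Running the block twice on the same bytes shows why the second submission is logged as wildfire-upload-skip rather than wildfire-upload-success: the hash, not the file, is what the cloud is asked about first.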

 

WildFire Testing/Monitoring:

To confirm that the management port can reach the WildFire cloud, use the "test wildfire registration" command in the CLI:

> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
        wildfire registration:         successful
        download server list:          successful
        select the best server:        va-s1.wildfire.paloaltonetworks.com

The device will only register to the WildFire cloud if a valid WildFire license is present.

 

The commands below can also be used to verify WildFire operation: 

> show wildfire status 

Connection info: 
  Signature verification:        enable
  Server selection:              enable
  File cache:                    enable

WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Status:                        Idle
  Best server:                   eu-west-1.wildfire.paloaltonetworks.com
  Device registered:             yes
  Through a proxy:               no
  Valid wildfire license:        yes
  Service route IP address:     

File size limit info: 
  pe                                           2 MB
  apk                                         10 MB
  pdf                                        200 KB
  ms-office                                  500 KB
  jar                                          1 MB
  flash                                        5 MB

... cut for brevity
> show wildfire statistics

Packet based counters:
        Total msg rcvd:                           1310
        Total bytes rcvd:                      1424965
        Total msg read:                           1310
        Total bytes read:                      1393525

... cut for brevity
> show wildfire cloud-info

Public Cloud channel info: 
  Cloud server type:             wildfire cloud
  Supported file types:         
                                 jar
                                 flash
                                 ms-office
                                 pe
                                 pdf
                                 apk
                                 email-link
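To turn the output above into a monitoring check, here is an added example (not Palo Alto Networks code) that parses the text of "show wildfire status" as reproduced on this page and flags the conditions the article calls out: no valid license, device not registered, no best server selected. The sample string is a constructed copy of the output shown above; parse_wildfire_status and wildfire_health are names chosen for the example. In practice the text would be captured from an SSH session to the firewall, which is outside the scope of this snippet.

```python
import re

# Constructed sample: a copy of the 'show wildfire status' output reproduced on this page.
SAMPLE_STATUS = """\
Connection info: 
  Signature verification:        enable
  Server selection:              enable
  File cache:                    enable

WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Status:                        Idle
  Best server:                   eu-west-1.wildfire.paloaltonetworks.com
  Device registered:             yes
  Through a proxy:               no
  Valid wildfire license:        yes
  Service route IP address:     

File size limit info: 
  pe                                           2 MB
  apk                                         10 MB
  pdf                                        200 KB
  ms-office                                  500 KB
  jar                                          1 MB
  flash                                        5 MB
"""

_UNITS = {"KB": 1024, "MB": 1024 * 1024}


def parse_wildfire_status(text):
    """Parse the CLI text into {'settings': {key: value}, 'size_limits': {type: bytes}}.

    Unindented 'Name:' lines open a section; indented 'key: value' lines belong to
    it. Rows under 'File size limit info' have the form 'type  N UNIT' and are
    converted to bytes so they can be compared directly with file sizes."""
    settings, limits = {}, {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip().rstrip(":")
            continue
        if section == "File size limit info":
            m = re.match(r"\s*(\S+)\s+(\d+)\s+(KB|MB)\s*$", line)
            if m:
                limits[m.group(1)] = int(m.group(2)) * _UNITS[m.group(3)]
        else:
            key, _, value = line.strip().partition(":")
            settings[key.strip()] = value.strip()
    return {"settings": settings, "size_limits": limits}


def wildfire_health(parsed):
    """Return a list of problems an operator would alert on; an empty list is healthy.

    The checks follow the article: the device only registers with a valid license,
    and forwarding needs a selected best server."""
    s = parsed["settings"]
    problems = []
    if s.get("Valid wildfire license") != "yes":
        problems.append("no valid WildFire license")
    if s.get("Device registered") != "yes":
        problems.append("device not registered with WildFire cloud")
    if not s.get("Best server"):
        problems.append("no best server selected")
    if not parsed["size_limits"]:
        problems.append("no file size limits reported")
    return problems


if __name__ == "__main__":
    parsed = parse_wildfire_status(SAMPLE_STATUS)
    print(parsed["settings"]["Best server"], parsed["size_limits"])
    print("problems:", wildfire_health(parsed) or "none")
```

The size-limit table is worth keeping from this output: a file that never shows up in the WildFire Submissions log is often simply larger than the limit for its type, and comparing file sizes against the parsed byte values answers that before any cloud-side troubleshooting.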

 

The WildFire Submissions log records the outcome of each forwarding action:

  • wildfire-upload-success: the file was successfully uploaded to the WildFire cloud.
  • wildfire-upload-skip: the WildFire cloud has already seen the file, so it is not uploaded again. If the file is benign, no entry appears on the WildFire portal.

 wildfire log detail.png

 

 

Whether the file was uploaded or was skipped because it had already been analysed, the log entry is populated with the WildFire report for that SHA-256. If the file was only recently uploaded, the analysis may not have completed yet, in which case the report is not yet available:

 

2015-09-21_19-22-27.png                             

 

  

owner: tpiens

 



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaHCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail