Wildfire Configuration, Testing, and Monitoring
Symptom
WildFire is a cloud-based service that integrates with the Palo Alto Firewall and provides detection and prevention of malware.
Environment
- PANOS 8.1 and higher
- WildFire
Resolution
WildFire is a cloud-based service that integrates with the Palo Alto Firewall and provides detection and prevention of malware.
PAN-OS 7.0 +
Starting with PAN-OS 7.0, WildFire is configured as a WildFire Analysis Profile and can then be applied to a security policy that matches the traffic that needs to be analysed.
In a security policy:
Security Policy Rule with WildFire configured.
Please make sure if the security policy is more strict to verify if the application paloalto-wildfire-cloud will be allowed outbound from the management interface to the internet. The application may need to be added to the existing service policy containing paloalto-updates and such services, or an additional Service Route needs to be added to bind wildfire-cloud to the external interface
The WildFire Analysis can simply be set to send to the public-cloud, or if a WF-500 appliance is available, to the private-cloud
A file type determined in the WildFire configuration is matched by the WildFire cloud.
Palo Alto Networks firewalls compute the hash of the file and send only the computed hash to the WildFire cloud; in the cloud the hash is compared with the hash on the firewall. If the hash does not match it is uploaded and inspected and the file details can be viewed on the WildFire portal (https://wildfire.paloaltonetworks.com/). Please refer to the Administration Guide to find the URLs of the other regional clouds.
A file can also be manually uploaded to the WildFire portal for analysis.
WildFire Testing/Monitoring:
In order to ensure the management port is able to communicate with the WildFire we can use the "request wildfire registration" command in the CLI.
> request wildfire registration
WildFire registration for Public Cloud is triggered
WildFire registration for Private Cloud is triggered
The commands below can also be used to verify WildFire operation:
> show wildfire status Connection info: Signature verification: enable Server selection: enable File cache: enable WildFire Public Cloud: Server address: wildfire.paloaltonetworks.com Status: Idle Best server: eu-west-1.wildfire.paloaltonetworks.com Device registered: yes Through a proxy: no Valid wildfire license: yes Service route IP address: File size limit info: pe 2 MB apk 10 MB pdf 200 KB ms-office 500 KB jar 1 MB flash 5 MB ... cut for brevity > show wildfire statistics Packet based counters: Total msg rcvd: 1310 Total bytes rcvd: 1424965 Total msg read: 1310 Total bytes read: 1393525 ... cut for brevity > show wildfire cloud-info Public Cloud channel info: Cloud server type: wildfire cloud Supported file types: jar flash ms-office pe pdf apk email-link
The WildFire Submissions logs provide details post a WildFire action:
In case the file has recently been uploaded, the WildFire analysis may not have been completed yet in which case the report will not yet be available:
wildfire-upload.log shows details about the file submissions. The log can be monitored on the CLI as follows.
> grep mp-log wildfire-upload.log pattern wildfire-test-pe
2021-08-02 12:04:48 +0900: wildfire-test-pe-file.exe pe cancelled - by DP PUB 122 1 55296 0x4034 allow
2021-08-02 12:06:35 +0900: wildfire-test-pe-file.exe pe upload success PUB 125 2 55296 0x801c allow
2021-08-02 12:10:30 +0900: wildfire-test-pe-file.exe pe skipped - remote malware dup PUB 128 3 1428 0x1040 allow
> tail follow yes mp-log wildfire-upload.log
Data and Time filename file type action channel session_id transaction_id file_len flag traffic_action
2021-08-02 12:04:48 +0900: wildfire-test-pe-file.exe pe cancelled - by DP PUB 122 1 55296 0x4034 allow
2021-08-02 12:06:35 +0900: wildfire-test-pe-file.exe pe upload success PUB 125 2 55296 0x801c allow
2021-08-02 12:10:30 +0900: wildfire-test-pe-file.exe pe skipped - remote malware dup PUB 128 3 1428 0x1040 allow