How to Enable WildFire protection with signature sourcing from ... - Knowledge Base - Palo Alto Networks

How to Enable WildFire protection with signature sourcing from WildFire samples with malicious verdict

Created On 09/25/18 19:47 PM - Last Modified 04/20/20 23:58 PM


Resolution


Overview

This document describes how to configure WildFire protection so that signatures are sourced from WildFire samples with a malicious verdict.

 

Requirements:

Steps

  1. From the WebGUI, go to Objects > Security Profiles > Antivirus.
  2. Choose the appropriate profile (existing or new). Note: The "default" profile cannot be used for WildFire blocking.
  3. For each appropriate protocol, modify the action to "reset-both". Then, click OK. Note: Because of protocol limitations, POP3/IMAP are not appropriate to set to a reset-both/drop action.
  4. Go to Policies > Security. Select the appropriate security rule (edit an existing rule or create a new one), then apply the Antivirus profile from Step 2 (on the Actions tab, under Profile Setting).
  5. Commit.
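
To confirm the result of the steps above across a whole rulebase, the following added example (not part of the original article and not Palo Alto Networks code) audits an exported configuration for decoders whose WildFire action is not "reset-both" and for allow rules with no Antivirus profile attached. The XML element paths, the sample configuration, and the profile and rule names are assumptions constructed for illustration; check them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like a PAN-OS configuration export.
# Element paths are an assumption; verify them against a real export.
SAMPLE_CONFIG = """
<vsys><entry name="vsys1">
  <profiles><virus>
    <entry name="wf-block"><decoder>
      <entry name="http"><action>default</action><wildfire-action>reset-both</wildfire-action></entry>
      <entry name="smtp"><action>default</action><wildfire-action>reset-both</wildfire-action></entry>
      <entry name="ftp"><action>default</action><wildfire-action>alert</wildfire-action></entry>
      <entry name="imap"><action>default</action><wildfire-action>alert</wildfire-action></entry>
    </decoder></entry>
  </virus></profiles>
  <rulebase><security><rules>
    <entry name="outbound-web"><action>allow</action>
      <profile-setting><profiles><virus><member>wf-block</member></virus></profiles></profile-setting>
    </entry>
    <entry name="outbound-ftp"><action>allow</action></entry>
  </rules></security></rulebase>
</entry></vsys>
"""

MAIL_RETRIEVAL = {"pop3", "imap"}  # step 3 note: reset-both/drop is not appropriate here

def audit(xml_text):
    """Return (weak decoders, allow rules lacking an Antivirus profile)."""
    root = ET.fromstring(xml_text)
    weak = []  # (profile, decoder, wildfire-action) where the action is not reset-both
    for prof in root.iterfind(".//profiles/virus/entry"):
        for dec in prof.iterfind("decoder/entry"):
            action = dec.findtext("wildfire-action", default="default")
            if dec.get("name") not in MAIL_RETRIEVAL and action != "reset-both":
                weak.append((prof.get("name"), dec.get("name"), action))
    unprotected = []
    # Step 4 check. Profiles attached through a profile group are not resolved here.
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        attached = rule.findtext("profile-setting/profiles/virus/member")
        if rule.findtext("action") == "allow" and not attached:
            unprotected.append(rule.get("name"))
    return weak, unprotected

if __name__ == "__main__":
    weak, unprotected = audit(SAMPLE_CONFIG)
    for p, d, a in weak:
        print(f"profile {p}: decoder {d} wildfire-action is {a}, expected reset-both")
    for r in unprotected:
        print(f"rule {r}: allow rule without an Antivirus profile")
```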

 

Additional Notes

  • WildFire is not meant to be a complete replacement for Endpoint Antivirus, but rather a complementary function for day-1 malicious files.
  • Palo Alto Networks WildFire and Antivirus protection signatures may produce some false positives due to their architecture and design.
  • There will be NO signature generated for the WildFire test file, hence the WildFire test file will NEVER be blocked. For more information, please refer to this article.

See Also

owner: spiromruen


