Palo Alto Networks Knowledgebase: How to Check the Connectivity to Wildfire and Status of Upload Files

Created On 07/29/19 17:25 PM - Last Updated 07/29/19 17:52 PM
WildFire
Resolution

Overview

This document describes the CLI commands to verify connectivity to the Wildfire cloud and the status of files being uploaded to it.

Details

Once the basic configuration is complete, the following command reports whether the firewall registered with WildFire and which server was selected as the best server:

> test wildfire registration

This test may take a few minutes to finish. Do you want to continue? (y or n)

Test wildfire
wildfire registration: successful
download server list: successful
select the best server: va-s1.wildfire.paloaltonetworks.com

Note: Do not use ping to test connectivity to the server, because ping requests are disabled on the Wildfire server. The best practice is to test connectivity by opening a TCP connection to the server on port 443, for example with Telnet.

To verify whether any files have been forwarded to the server, enter the following command:

> show wildfire status

Connection info:
Wildfire cloud: default cloud
Status: Idle
Best server: va-s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 192.168.1.1
Signature verification: enable
Server selection: enable
Through a proxy: no

Forwarding info:
file size limit (MB): 2
file idle time out (second): 90
total file forwarded: 0
forwarding rate (per minute): 0
concurrent files: 0

The total file forwarded counter gives the number of files that have been forwarded to the server. Data Filtering logs can be used to check the status of each file. Three actions can appear there: forward, wildfire-upload-success and wildfire-upload-skip. An explanation of each follows.

  • Forward - The data plane detected a PE (Potentially Executable) file on a WildFire-enabled policy, and the file is buffered in the management plane.
  • If only forward is displayed for a specific file (no wildfire-upload-success or wildfire-upload-skip follows it), the file is either signed by a trusted file signer or is a benign sample that the cloud has already seen. In either case no further action is performed on the file and nothing further is sent to the cloud (not even session information is sent for previously seen benign files), so there will be no entry in the WildFire Web portal for these files.

To view how many PE files have been checked, found to be clean, or uploaded, issue the command:

> show wildfire statistics

wildfire-upload-success

This means that the file was not signed by a trusted signer and had not yet been seen by the cloud. In this case, the file (and its session information) was uploaded to the cloud for analysis.

wildfire-upload-skip

PAN-OS 5.0:

The wildfire-upload-skip message appears for every file that was identified and eligible to be sent to WildFire (i.e. it shows the forward action) but was not sent because the cloud has already seen it. This includes both benign and malware samples. You should see a 1-to-1 relationship between forward log entries and one of wildfire-upload-success or wildfire-upload-skip.

Either of the two actions above should result in a corresponding report in the WildFire Web portal.
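The checks described above, as an added Python example that is not part of this article: it parses the `show wildfire status` output for the fields a practitioner verifies first, then reconciles Data Filtering log actions per file into the three outcomes explained here. The status excerpt and log lines are constructed, and the time,action,filename layout is a simplification rather than the PAN-OS log export format.

```python
from collections import defaultdict

# Constructed excerpt of the 'show wildfire status' output printed in the article.
STATUS_OUTPUT = """\
Connection info:
Best server: va-s1.wildfire.paloaltonetworks.com
Device registered: yes
Forwarding info:
total file forwarded: 0
"""

def status_problems(text):
    """Parse 'key: value' lines and return the checks to raise before suspecting the cloud."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # section headers carry no value and are dropped
            fields[key.strip().lower()] = value.strip()
    problems = []
    if fields.get("device registered") != "yes":
        problems.append("device not registered")
    if not fields.get("best server"):
        problems.append("no best server selected")
    if fields.get("total file forwarded") == "0":
        problems.append("no files forwarded yet")
    return problems

# Constructed Data Filtering log lines in a simplified time,action,filename layout.
LOG_LINES = [
    "2019-07-29 17:25:01,forward,setup.exe",
    "2019-07-29 17:25:03,wildfire-upload-success,setup.exe",
    "2019-07-29 17:26:10,forward,update.exe",
    "2019-07-29 17:26:11,wildfire-upload-skip,update.exe",
    "2019-07-29 17:27:40,forward,signed_tool.exe",
]

def reconcile(lines):
    """Map each file to one outcome from the article's three log actions."""
    seen = defaultdict(set)
    for line in lines:
        _, action, name = line.split(",", 2)
        seen[name].add(action)
    outcome = {}
    for name, acts in seen.items():
        if "wildfire-upload-success" in acts:
            outcome[name] = "uploaded"
        elif "wildfire-upload-skip" in acts:
            outcome[name] = "skipped"  # already seen by the cloud, still gets a portal report
        else:
            outcome[name] = "forward-only"  # trusted signer or known benign, no portal entry
    return outcome
```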

See Also

Uploading Multiple Files to Wildfire

owner: mvenkatesan

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltZCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail