How to Check the Connectivity to WildFire and Status of Uploaded Files
This document describes the CLI commands to verify connectivity to the WildFire cloud and the status of files being uploaded to it.
Once the basic configuration is complete, the following command provides the details of the best server selected:
> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
wildfire registration: successful
download server list: successful
select the best server: va-s1.wildfire.paloaltonetworks.com
Note: Do not use ping to test connectivity to the server. Ping requests are disabled on the WildFire server. The best practice for testing connectivity is to Telnet to the server on port 443.
To verify whether any files have been forwarded to the server, enter the following command:
> show wildfire status
Wildfire cloud: default cloud
Best server: va-s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 192.168.1.1
Signature verification: enable
Server selection: enable
Through a proxy: no
file size limit (MB): 2
file idle time out (second): 90
total file forwarded: 0
forwarding rate (per minute): 0
concurrent files: 0
The total file forwarded counter shows the number of files forwarded to the server. Data filtering logs can be used to check the status of a file. Here are the three actions available:
- Forward with no wildfire-upload-success or wildfire-upload-skip means the file is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. Below is an explanation of the different status possibilities.
- Forward - Data plane detected a PE (Potentially Executable) file on a WildFire-enabled policy. The PE file is buffered in the management plane.
- If only forward is displayed for a specific file, it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent for previously seen benign files). There will not be an entry in the WildFire Web portal for these files.
To view the count of how many PE files have been checked, found to be clean or uploaded, issue the command:
> show wildfire statistics
The wildfire-upload-success message means that the file wasn't signed by a trusted signer and hasn't yet been seen by the cloud. In this case, the file (and session info) was uploaded to the cloud for analysis.
The wildfire-upload-skip message will appear for all files identified and eligible to be sent to WildFire (i.e. they show the forward action) that are not sent because they have already been seen. This includes both benign files and malware. You should see a 1-to-1 relationship between forward logs and one of: wildfire-upload-success or wildfire-upload-skip.
Either of the two WildFire actions above should result in a corresponding report in the WildFire Web portal.
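The relationship between forward logs and their wildfire-upload-success or wildfire-upload-skip outcome can be checked over an export of the data filtering logs. The following is an added example, not part of the original article or any vendor tooling; the CSV layout, column names and sample rows are constructed assumptions, not the real export schema.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: a simplified CSV export of data filtering logs.
# Column names and rows are assumptions for illustration only.
SAMPLE_LOG = """\
receive_time,session_id,filename,action
2024/01/10 09:00:01,1001,setup.exe,forward
2024/01/10 09:00:04,1001,setup.exe,wildfire-upload-success
2024/01/10 09:02:10,1002,updater.exe,forward
2024/01/10 09:02:11,1002,updater.exe,wildfire-upload-skip
2024/01/10 09:05:30,1003,signed_tool.exe,forward
2024/01/10 09:07:45,1004,orphan.dll,wildfire-upload-success
"""

OUTCOMES = ("wildfire-upload-success", "wildfire-upload-skip")


def reconcile(log_text):
    """Group rows per (session, file) and classify each file's WildFire outcome."""
    actions = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["session_id"], row["filename"])
        actions[key][row["action"].strip().lower()] += 1

    result = {}
    for key, seen in actions.items():
        forwards = seen["forward"]
        outcomes = sum(seen[a] for a in OUTCOMES)
        if forwards == 0:
            status = "outcome-without-forward"  # unexpected: check log completeness
        elif outcomes == 0:
            status = "forward-only"  # trusted signer or known benign, per the text
        elif forwards != outcomes:
            status = "count-mismatch"  # 1-to-1 relationship does not hold
        elif seen["wildfire-upload-success"]:
            status = "uploaded"  # a portal report is expected
        else:
            status = "skipped"  # already seen by the cloud
        result[key] = status
    return result


if __name__ == "__main__":
    for (session, name), status in sorted(reconcile(SAMPLE_LOG).items()):
        print(f"{session:>6}  {name:<18} {status}")
```

Files classified as count-mismatch or outcome-without-forward are the ones worth following up, since they indicate missing log entries rather than a WildFire verdict.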