How to Check the Connectivity to WildFire and Status of Upload Files
Environment
- Palo Alto Firewall.
- PAN-OS any.
Resolution
Overview
This document describes the methods to verify the connectivity to the WildFire cloud and the status of files being uploaded to it.
Details
Once the basic configuration is complete, the "show wildfire status" command shows the selected best server as well as the registration status.
admin@PA-VM> show wildfire status channel public

Connection info:
  Signature verification: enable
  Server selection: enable
  File cache: enable

WildFire Public Cloud:
  Server address: wildfire.paloaltonetworks.com
  Best server: panos.wildfire.paloaltonetworks.com
  Device registered: yes
  Through a proxy: no
  Valid wildfire license: yes
  Service route IP address: 10.137.102.77

Global status: Idle
Count of available workers: 10
Available worker indices: 0 1 2 3 4 5 6 7 8 9
Upload status
  Usage: 'I': Idle, 'U': Uploading, 'Q': Querying
  Upload worker index: 0 1 2 3 4 5 6 7 8 9
  Upload status: I I I I I I I I I I
  Status time (seconds): 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+

Forwarding info:
  file idle time out (second): 90
  total bytes of concurrent files: 0
  Public Cloud:
    total file fwded : 1
    total file failed: 0
    total session info. upload failed: 0
    total file skipped: 0
    total cloud queries: 0
    total cloud queries failed: 0
    file forwarded in last minute: 0
    bytes of concurrent files: 0
If the registration status is "no", then please refer to the following KB to fix the status.
Troubleshooting WildFire Registration Issues
The "total file fwded" counter should be incremented when a file is uploaded to the WildFire cloud.
See Also:
"Verify File Forwarding" section in the WildFire Administrator's Guide.
https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/submit-files-for-wildfire-analysis/verify-wildfire-submissions/verify-file-forwarding.html
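The registration and counter checks described above can be scripted against saved CLI output. The following is an added example, not part of the original article or a Palo Alto Networks tool: it assumes the text of "show wildfire status channel public" was captured before and after a test upload, and the names parse_status and check_forwarding are hypothetical.

```python
import re

# Constructed sample: trimmed "show wildfire status channel public" output,
# captured before a test upload.
BEFORE = """\
WildFire Public Cloud:
  Server address: wildfire.paloaltonetworks.com
  Best server: panos.wildfire.paloaltonetworks.com
  Device registered: yes
  Valid wildfire license: yes
Forwarding info:
  Public Cloud:
    total file fwded : 1
    total file failed: 0
    total session info. upload failed: 0
"""
# Constructed sample: the same output after one file was forwarded.
AFTER = BEFORE.replace("fwded : 1", "fwded : 2")

def parse_status(text):
    """Return {label: value} for each 'label: value' line; bare section headers are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def check_forwarding(before, after):
    """Compare two snapshots taken around a test upload and return a list of problems."""
    b, a = parse_status(before), parse_status(after)
    problems = []
    for key in ("Device registered", "Valid wildfire license"):
        if a.get(key) != "yes":
            problems.append(f"{key}: {a.get(key, 'missing')}")

    def delta(key):
        return int(a.get(key, 0)) - int(b.get(key, 0))

    # The article expects this counter to rise when a file reaches the cloud.
    if delta("total file fwded") <= 0:
        problems.append("total file fwded did not increase")
    for key in ("total file failed", "total session info. upload failed"):
        if delta(key) > 0:
            problems.append(f"{key} increased by {delta(key)}")
    return problems

if __name__ == "__main__":
    print(check_forwarding(BEFORE, AFTER) or "forwarding looks healthy")
```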
The "ping" command can be used to check whether name resolution is working. When DNS is working properly, an IP address is displayed.
admin@PA-VM> ping host wildfire.paloaltonetworks.com
PING wildfire.paloaltonetworks.com (34.84.44.247) 56(84) bytes of data.
64 bytes from 247.44.84.34.bc.googleusercontent.com (34.84.44.247): icmp_seq=1 ttl=110 time=7.66 ms
64 bytes from 247.44.84.34.bc.googleusercontent.com (34.84.44.247): icmp_seq=2 ttl=110 time=11.6 ms
^C
--- wildfire.paloaltonetworks.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 7.664/9.669/11.674/2.005 ms
Note: You may not see the ping response when it's disabled on the WildFire cloud side. That is not an issue.
To view detailed file forwarding statistics for each file type, issue the following command:
> show wildfire statistics
To view the history of the file uploads, check the wildfire-upload.log (or wildfire-upload.log.old):
admin@PA-VM> tail follow yes mp-log wildfire-upload.log
2022-02-28 12:08:40 +0900: wildfire-test-pe-file.exe pe upload success PUB 52126 465 55296 0x801c allow
2022-02-28 12:38:41 +0900: wildfire-test-pe-file.exe pe upload success PUB 52242 466 55296 0x801c allow
2022-02-28 13:08:41 +0900: wildfire-test-pe-file.exe pe upload success PUB 52340 467 55296 0x801c allow
Each entry shows the timestamp, file name, file type, upload status, etc. If the file is uploaded to the WildFire cloud, the log is generated with "upload success".
The "debug wildfire upload-log show" command can also be used.
admin@PA-VM> debug wildfire upload-log show
Upload Log disk log rotation size: 2.000 MB.
Public Cloud upload logs:
log: 0, filename: wildfire-test-pe-file.exe
  processed 423 seconds ago, action: upload success
  vsys_id: 1, session_id: 53281, transaction_id: 474
  file_len: 55296, flag: 0x801c, file type: pe
  threat id: 52020, user_id: 0, app_id: 109
  from 172.16.130.143/3111 to 34.84.44.247/80
  SHA256: 0857efa969c3696b7ff95f38e2582161efc6ad03e5367fd4ce65ac9d8014af1f
You should be able to find the corresponding reports on the WildFire portal. If you are using a regional WildFire cloud, please make sure to visit the WildFire cloud that you configured on the firewall.