Issue
What happens when the Palo Alto Networks firewall sends multiple files to the WildFire server at one time?
Resolution
In this case, firewall buffers those files and sends them sequentially. WildFire has a buffer, that derives it spaces from the traffic log storage partition on the firewall.
The following command can be used to check the number of buffered files.
Show wild fire disk-usage
Disk usage for wildfire:
Total disk usage: 9
Total temporary files: 13
Allow new files: yes
These are the storage limits on the device for buffering files on the MP before they make it to the cloud. This buffer starts to fill if the device encounters large numbers of unique files that must be uploaded, and/or when the device's connection to the cloud is too slow. WildfFre shares the same storage partition with the traffic logs. Currently, the WildFire buffer is not guaranteed to get that amount of space if the logs fill up the partition.
When buffered files fill the WildFire quota (or the disk is full), it favors old, so new files will not be buffered and sent to the cloud. As files get uploaded to the cloud, new files will be able to be buffered and sent to the cloud. Check whether the device is actually maxing out its device buffer by looking at these WildFire counters. If that happens, then some files that are supposed to be uploaded to the WildFire server won't be uploaded.
The "allow new files" will say "no" if the disk is currently full. Run show wildfire statistics and the counter "cancel_disk_io_fail" keeps track of how many WildFire samples failed to buffer due to a full disk partition. The counter shows up only if non-zero.
You can also manually upload files to the WildFire portal, but currently there is maximum upload limit of 5 files per day.
Currently only 32bit.exe files are supported, not 64-bit files.
See also
How to Check the Connectivity to Wildfire and Upload Status of Files
owner: sdurga