Palo Alto Networks Knowledgebase: How does WildFire handle links within emails?

Created On 09/26/18 19:13 PM - Last Updated 09/26/18 20:38 PM
Categories:  WildFire



After receiving email links from a firewall, WildFire visits each link to determine whether the corresponding web page is hosting malicious content (not just exploits). If WildFire determines that the page itself is benign, it will not generate a log.


However, if it detects malicious behavior on the page, it returns a malicious verdict and:

  • Generates a detailed analysis report and logs it to the WildFire Submissions log on the firewall that forwarded the links. This log now includes the session data: email header information—email sender, recipient, and subject—so that you can identify the message and delete it from the mail server and/or track down the recipient and mitigate the threat if the email has already been delivered and/or opened.
  • Adds the URL to PAN-DB and categorizes the URL as malware.

The firewall forwards email links in batches of 100 email links or every two minutes, whichever comes first. Each batch upload to WildFire counts as one upload toward the upload per-minute capacity for the given firewall platform.
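The following Python sketch is an added example, not Palo Alto Networks code. It models the batching rule above to estimate how many uploads a stream of email links consumes against the per-minute capacity. It assumes the two-minute timer starts when the first link enters an empty batch, which the article does not specify; all function and variable names are hypothetical.

```python
from dataclasses import dataclass

BATCH_MAX_LINKS = 100   # from the article: batches of 100 email links
BATCH_MAX_AGE_S = 120   # from the article: or every two minutes

@dataclass
class Batch:
    opened_at: int   # arrival time (s) of the first link in the batch
    sent_at: int     # time (s) the batch is uploaded
    links: int
    reason: str      # "full" or "timer"

def simulate_batches(arrivals):
    """Group link arrival times (seconds) into uploads.
    Assumption: the timer starts when a link enters an empty batch."""
    batches, opened_at, count = [], None, 0
    for t in sorted(arrivals):
        # The pending batch aged out before this link arrived: timer flush.
        if count and t - opened_at >= BATCH_MAX_AGE_S:
            batches.append(Batch(opened_at, opened_at + BATCH_MAX_AGE_S, count, "timer"))
            count = 0
        if count == 0:
            opened_at = t
        count += 1
        if count == BATCH_MAX_LINKS:   # size limit reached first
            batches.append(Batch(opened_at, t, count, "full"))
            count = 0
    if count:   # trailing partial batch goes out when its timer expires
        batches.append(Batch(opened_at, opened_at + BATCH_MAX_AGE_S, count, "timer"))
    return batches

def peak_uploads_per_minute(batches):
    """Largest number of batch uploads in any 60-second window.
    Each batch counts as one upload, regardless of how many links it holds."""
    sent = sorted(b.sent_at for b in batches)
    peak, lo = 0, 0
    for hi, t in enumerate(sent):
        while t - sent[lo] >= 60:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak

# Constructed sample: a 250-link burst at 10 links/s, then 5 links 10 s apart.
SAMPLE_ARRIVALS = [i // 10 for i in range(250)] + [300 + 10 * i for i in range(5)]

if __name__ == "__main__":
    result = simulate_batches(SAMPLE_ARRIVALS)
    for b in result:
        print(b)
    print("peak uploads/minute:", peak_uploads_per_minute(result))
```

Under this model, 255 links cost four uploads, and the burst peaks at two uploads in one minute.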


Does WildFire analyze the file downloaded from the email-link?

If the link corresponds to a file download, WildFire does not analyze the file. However, if the end user clicks the link to download the file, the firewall will forward it to WildFire for analysis, as long as the corresponding file type is enabled for forwarding.


How do I verify that the firewall is forwarding email links?

To determine if the firewall is forwarding email links, run the following command from the firewall that is configured to forward to WildFire.


admin@PA-200> show wildfire statistics


To view the file type, go to the email-link counter section under Counters for file forwarding.


When email links are forwarded, the following counters will increment:

  • FWD_CNT_APPENDED_BATCH: Indicates the number of email links added to a batch waiting for upload to WildFire.
  • FWD_CNT_LOCAL_FILE: Indicates the total number of email links uploaded to WildFire.


The firewalls themselves do not send images to WildFire. However, when a URL is delivered to WildFire, the actual webpage is analyzed dynamically. If opening the webpage triggers malicious content within its images, WildFire dynamically analyzes that content and derives a verdict from it.

