WildFire Submission Not Showing Up for File Upload
Created On 04/06/19 03:44 AM - Last Modified 04/16/19 22:09 PM
Symptom
The end user downloads a PDF file, but no WildFire submission log entry shows up even though PDF is a supported file type.
Cause
Check the WildFire upload log from CLI as this information is not available from the web interface.
admin@PA-VM> less mp-log wildfire-upload.log
Data and Time filename file type action channel session_id transaction_id file_len flag traffic_action
2019-04-06 10:46:28 +0800: testpdf.pdf pdf cancelled - file-size limit PUB 30697 9 511896 0x4034 allow
The action indicates "cancelled - file-size limit." This means that the file has not been forwarded because the file size of the PDF is over the configured value. The default limit for a PDF is 500KB. You can see the file size limits by going to Device > Setup > WildFire > General Settings > File Size Limits.
The "file_len" value in the above output is in bytes, and 511896 (511.896 KB) is not the size of the complete file: counting stops once the configured file size limit is hit.
Resolution
Upon checking the endpoint, we see the PDF file size is ~562 bytes, and the PDF file size limit allows a range from 100-1000KB in PAN-OS 8.1 and earlier. Since the default for PAN-OS 9.0 has been set to 1000KB, the range has increased to 100-51200.
Increase the value to 700 (or more) and commit the change. A future download of the file then gets forwarded to WildFire:
admin@PA-VM> tail lines 100 mp-log wildfire-upload.log
Data and Time filename file type action channel session_id transaction_id file_len flag traffic_action
2019-04-06 10:51:10 +0800: testpdf.pdf pdf upload success PUB 30699 10 562818 0x801c allow
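The following is an added example, not Palo Alto Networks code: a small Python parser for wildfire-upload.log text copied from the CLI, listing the files that were not forwarded because of the file-size limit. The field layout is inferred only from the two sample lines on this page, filenames are assumed to contain no spaces, and the function names are hypothetical.

```python
import re

# Constructed sample: the header row and the two entries shown on this page.
SAMPLE_LOG = """\
Data and Time filename file type action channel session_id transaction_id file_len flag traffic_action
2019-04-06 10:46:28 +0800: testpdf.pdf pdf cancelled - file-size limit PUB 30697 9 511896 0x4034 allow
2019-04-06 10:51:10 +0800: testpdf.pdf pdf upload success PUB 30699 10 562818 0x801c allow
"""

# Assumed layout (inferred from the sample lines only): timestamp, filename
# without spaces, file type, free-text action, then six fixed trailing fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}): "
    r"(?P<filename>\S+) (?P<file_type>\S+) (?P<action>.+?) "
    r"(?P<channel>\S+) (?P<session_id>\d+) (?P<transaction_id>\d+) "
    r"(?P<file_len>\d+) (?P<flag>0x[0-9a-fA-F]+) (?P<traffic_action>\S+)$"
)

def parse_upload_log(text):
    """Return one dict per log entry; the header and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["file_len"] = int(entry["file_len"])
            entries.append(entry)
    return entries

def size_limit_cancellations(entries):
    """Entries that were not forwarded because the file-size limit was hit."""
    return [e for e in entries if e["action"] == "cancelled - file-size limit"]

def report(text):
    """One line per skipped file; file_len stops at the limit, so it is a lower bound."""
    return [
        f"{e['ts']} {e['file_type']} {e['filename']} not forwarded, "
        f"file_len>={e['file_len']} bytes"
        for e in size_limit_cancellations(parse_upload_log(text))
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Because the action field contains spaces, the pattern anchors on the six trailing fields rather than splitting on whitespace.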
Additional Information
The default file size limits on the firewall are designed to forward the large majority of malware, which is smaller than the default size limits, to WildFire, and to exclude large files that are unlikely to be malicious and can impact WildFire forwarding capacity.
If you are specifically concerned about uncommonly large malicious files, you might want to increase file size limits beyond the default settings. Please refer to this document for more information:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-deployment-best-practices/wildfire-best-practices.html
For information about supported file types, please refer to this document:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-file-type-support.html