WildFire Submission Not Showing Up for File Upload

Created On 04/06/19 03:44 AM - Last Modified 04/16/19 22:09 PM


Symptom


The end user downloads a PDF file, but no entry appears in the WildFire submission log even though PDF is a supported file type.

 


Cause


Check the WildFire upload log from the CLI, as this information is not available from the web interface.
admin@PA-VM> less mp-log wildfire-upload.log
 
Data and Time    filename file type    action  channel session_id   transaction_id   file_len flag    traffic_action
2019-04-06 10:46:28 +0800:    testpdf.pdf  pdf cancelled - file-size limit   PUB 30697   9   511896  0x4034    allow

The action indicates "cancelled - file-size limit." This means that the file has not been forwarded because the file size of the PDF is over the configured value. The default limit for a PDF is 500KB. You can see the file size limits by going to Device > Setup > WildFire > General Settings > File Size Limits.

The "file_len" value in the above output is in bytes, and 511896 (511.896 KB) is not the size of the complete file. The firewall stops counting once it hits the configured file size limit.



Resolution


Upon checking the endpoint, we see the PDF file size is ~562 bytes. The PDF file size limit allows a range from 100-1000KB in PAN-OS 8.1 and earlier. Since the default for PAN-OS 9.0 has been set to 1000KB, the range has increased to 100-51200.


Increase the value to 700 (or more) and commit the change. A future download of the file gets forwarded to WildFire.

admin@PA-VM> tail lines 100 mp-log wildfire-upload.log
 
Data and Time    filename file type    action  channel session_id   transaction_id   file_len flag    traffic_action
 
2019-04-06 10:51:10 +0800:    testpdf.pdf  pdf upload success   PUB 30699   10  562818  0x801c  allow
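
The log check above can be scripted to find every file that was not forwarded because of the size limit. The following Python is an added example, not Palo Alto Networks code: it parses entries in the column layout shown in this article and lists those with the action "cancelled - file-size limit". The function names are hypothetical, and it assumes filenames contain no whitespace and that the log text has been copied off the firewall.

```python
import re
from collections import Counter

# The two entries shown in this article's CLI output, embedded as sample input.
SAMPLE_LOG = """\
Data and Time    filename file type    action  channel session_id   transaction_id   file_len flag    traffic_action
2019-04-06 10:46:28 +0800:    testpdf.pdf  pdf cancelled - file-size limit   PUB 30697   9   511896  0x4034    allow
2019-04-06 10:51:10 +0800:    testpdf.pdf  pdf upload success   PUB 30699   10  562818  0x801c  allow
"""

# Entry prefix, e.g. "2019-04-06 10:46:28 +0800:"
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}):\s+(.+)$")
SIZE_LIMIT = "cancelled - file-size limit"


def parse_entry(line):
    """Return one log entry as a dict, or None for headers and blank lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    tokens = m.group(2).split()
    # The action text contains spaces, so take the fixed fields from both
    # ends and treat the middle as the action.
    # Assumption: the filename itself contains no whitespace.
    if len(tokens) < 9:
        return None
    channel, session_id, txn_id, file_len, flag, traffic_action = tokens[-6:]
    if not (session_id.isdigit() and txn_id.isdigit() and file_len.isdigit()):
        return None
    return {
        "time": m.group(1), "filename": tokens[0], "file_type": tokens[1],
        "action": " ".join(tokens[2:-6]), "channel": channel,
        "session_id": int(session_id), "transaction_id": int(txn_id),
        # Bytes counted before the firewall stopped, not the full file size.
        "file_len": int(file_len), "flag": flag,
        "traffic_action": traffic_action,
    }


def size_limit_skips(log_text):
    """Entries that were not forwarded because of the file size limit."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["action"] == SIZE_LIMIT]


def skips_by_type(log_text):
    """Count size-limit cancellations per file type."""
    return Counter(e["file_type"] for e in size_limit_skips(log_text))
```

A per-type count from `skips_by_type` shows which file size limit is causing the most missed submissions before you change it.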



Additional Information


The default file size limits on the firewall are designed to include the large majority of malware in WildFire, which is smaller than the default size limits, and to exclude large files that are unlikely to be malicious and can impact WildFire forwarding capacity.

If you are specifically concerned about uncommonly large malicious files, you might want to increase file size limits beyond the default settings. Please refer to this document for more information:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-deployment-best-practices/wildfire-best-practices.html


For information about supported file types, please refer to this document:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-file-type-support.html

