How to Check if Email Link Forwarding is Happening in the Firewall
Created On 04/06/19 09:54 AM - Last Modified 10/22/24 12:37 PM
Objective
An email link that WildFire finds to be malicious or phishing is recorded on the firewall as a WildFire submission log entry. Logs will not be generated if the page is detected as benign even if Device > Setup > WildFire > General Settings > Report Benign Files is Enabled. This is the expected behavior.
How do we verify that the firewall is forwarding email links to WildFire for analysis?
Environment
Procedure
Step 1: Confirm that an email containing a link has passed through the firewall, then verify that email link forwarding is happening by running the following command from the CLI (this output is not available in the web interface):
admin@PA-VM> grep pattern email-link mp-log wildfire-upload.log
2019-04-06 17:27:57 +0800: https://www.paloaltonetworks.com/products/secure-the-cloud email-link upload success PUB 62 11 58 0x10001c allow
2019-04-06 17:27:57 +0800: https://en.wikipedia.org/wiki/cloud email-link upload success PUB 52 9 53 0x10001c allow
admin@PA-VM>
Step 2: The count next to FWD_CNT_LOCAL_FILE_PUB also increments with every email link forwarded:
admin@PA-VM> show wildfire statistics | match FWD_CNT_LOCAL_FILE
FWD_CNT_LOCAL_FILE_PUB 6
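Added example (not part of the original article and not Palo Alto Networks code): a Python script for checking saved copies of the two outputs above offline. It summarizes the email-link entries from Step 1 and computes the change in FWD_CNT_LOCAL_FILE_PUB between two Step 2 samples. The third log line and its "upload failed" status are constructed for illustration, and the fields after the cloud tag are kept as raw text because the article does not define them.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the two Step 1 lines from this page plus one made-up
# non-success line (its status text is an assumption, not PAN-OS output).
SAMPLE_LOG = """\
admin@PA-VM> grep pattern email-link mp-log wildfire-upload.log
2019-04-06 17:27:57 +0800: https://www.paloaltonetworks.com/products/secure-the-cloud email-link upload success PUB 62 11 58 0x10001c allow
2019-04-06 17:27:57 +0800: https://en.wikipedia.org/wiki/cloud email-link upload success PUB 52 9 53 0x10001c allow
2019-04-06 17:31:02 +0800: https://example.test/login email-link upload failed PUB 70 12 41 0x10001c allow
"""

# timestamp, URL, the literal type "email-link", then status text up to the
# cloud tag. Trailing fields are kept raw; the page does not define them.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}): "
    r"(?P<url>\S+) email-link (?P<status>.+?) (?P<cloud>[A-Z]+) (?P<rest>.*)$"
)

def parse_email_links(text):
    """Return one dict per email-link entry; prompts and other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(entries):
    """Count entries by status and list hosts whose links were forwarded."""
    by_status = Counter(e["status"] for e in entries)
    hosts = sorted({urlsplit(e["url"]).hostname for e in entries
                    if e["status"] == "upload success"})
    return by_status, hosts

def counter_value(cli_output, name="FWD_CNT_LOCAL_FILE_PUB"):
    """Read a counter from saved 'show wildfire statistics' output (Step 2)."""
    m = re.search(rf"^\s*{re.escape(name)}\s+(\d+)\s*$", cli_output, re.M)
    return int(m.group(1)) if m else None

def forwarded_between(before, after):
    """Counter delta between two saved outputs; None if either is unreadable.
    A negative delta means the counter restarted between the two samples."""
    a, b = counter_value(before), counter_value(after)
    return None if a is None or b is None else b - a

if __name__ == "__main__":
    print(summarize(parse_email_links(SAMPLE_LOG)))
    print(forwarded_between("FWD_CNT_LOCAL_FILE_PUB 4", "FWD_CNT_LOCAL_FILE_PUB 6"))
```

A delta of zero over a window in which emails with links are known to have crossed the firewall, together with no new email-link lines in the upload log, indicates that forwarding is not taking place.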
Additional Information
For additional information about the feature, please refer to the article below.
https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/email-link-analysis.html