How To Find The Hash Value Of A File Submitted To Wildfire
Objective
- To guide the customer on how they can find the SHA256 hash of the file submitted to Wildfire.
Environment
- Palo Alto Firewall
Procedure
You can find the SHA256 hash of the file submitted to Wildfire from the Firewall GUI or the Wildfire Portal.
From the Firewall:
- Go to the Monitor tab > Wildfire Submissions
- Hover over any title column to bring up a drop-down arrow (1), then select Columns (2) > Click the checkbox for File Digest (3).
- The File Digest column should now be visible in the log and will contain the hash of the submission.
Please Note: By default, the Wildfire Submissions log will only show submissions with the verdict of Malware or Phishing. If you also want to see Grayware and Benign submissions from the firewall, you will need to ensure the 'Report Benign Files' and 'Report Grayware Files' checkboxes are selected in Device tab > Setup > Wildfire tab > General Settings.
From the Wildfire Portal:
- Log into the Customer Support Portal.
- From the left side menu, select your Wildfire cloud to go to the Wildfire portal.
- Once in the Wildfire portal, click Reports to display the list of submissions.
- Filter this list by the verdict, source (firewall serial number, PAN product, or manual submissions), and/or name/SHA256 hash of the file.
Please Note: Currently when searching by hash or file name, the complete file name or SHA256 hash must be entered (a partial name or hash will not work).
- Find the desired submission from the filtered list and click on the Report View icon to bring up the Wildfire Analysis report of this submission.
- Under the File Information section, you should see the SHA256 of the submission displayed.
- Note: You can obtain the SHA256 hash of the file by running the below commands for any file:
To calculate the SHA256 hash of a file in Windows, use the PowerShell command:
Get-FileHash <FILENAME>
If you are using Linux or macOS, use either of the following commands in the terminal:
shasum -a 256 <FILENAME>
sha256sum <FILENAME>
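As an added example (not part of the original article or of any Palo Alto Networks tool), the script below checks whether a local file is the one that was submitted, by comparing its SHA256 with a hash copied from the File Digest column or the Wildfire Analysis report. The function names and the script name are hypothetical. It accepts the uppercase hash that Get-FileHash prints and rejects a partial hash rather than reporting a false mismatch.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of any Palo Alto tool.

# Print the lowercase SHA256 of a file with whichever tool is installed.
# Reading from stdin keeps the file name out of the tool's output.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        echo "no SHA256 tool found" >&2
        return 2
    fi
}

# Strip whitespace, lowercase, and require exactly 64 hex characters.
# Get-FileHash prints uppercase; sha256sum and shasum print lowercase.
normalize_digest() {
    d=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'ABCDEF' 'abcdef')
    case "$d" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#d}" -eq 64 ] || return 1
    printf '%s\n' "$d"
}

# Exit status: 0 = match, 1 = mismatch, 2 = unusable input.
matches_file_digest() {
    [ -r "$1" ] || { echo "cannot read file: $1" >&2; return 2; }
    want=$(normalize_digest "$2") || {
        echo "not a complete SHA256 hash: $2" >&2
        return 2
    }
    have=$(file_sha256 "$1") || return 2
    [ "$have" = "$want" ]
}

# Usage: sh check_digest.sh <FILENAME> <hash copied from File Digest>
if [ "$#" -eq 2 ]; then
    rc=0
    matches_file_digest "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "MATCH: $1 has the submitted file's hash" ;;
        1) echo "NO MATCH: $1 is a different file" ;;
    esac
    exit "$rc"
fi
```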
Additional Information
Use the WildFire Portal to Monitor Malware
WildFire PAN-OS Web Interface Reference
How to find the file submitted to WildFire?