Prisma Cloud Compute: WildFire errors in CI Image scans

Created On 03/10/22 23:04 PM - Last Modified 01/14/26 21:37 PM


Symptom


The following errors appear in either the console output of twistcli images scan or the Defender logs from registry scans:
  1. "failed to query wildfire for file /..: wildfire client exceeds the maximum pending capacity 20, dropped query"
  2. "failed to query wildfire for file /...: query expired"

These errors indicate, respectively, that:
  1. The image contains many custom-compiled binaries that are not associated with packages and are therefore sent to WildFire for analysis.
  2. A file sent to WildFire for analysis took longer than the 15-minute timeout to reach a verdict, so the query expired.


Environment


  • Prisma Cloud Compute (SaaS) 
  • Prisma Cloud Compute Edition (Self Hosted) 21.04 or later


Cause


  • The WildFire service limits the number of files that can be pending a verdict to 20. When this limit is exceeded, the query is dropped.
  • The WildFire service applies a 15-minute timeout while waiting for a verdict on a single file. After that, the query expires.
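
One way to tell the two causes apart in saved scan output, as an added example that is not part of the original article or of Prisma Cloud tooling. It matches only the two error strings quoted above; the function names, the sample file paths and the non-error log lines are assumptions.

```python
import re
import sys

# Message shapes come from the two errors quoted in this article.
PREFIX = r"failed to query wildfire for file (?P<path>.+?): "
PATTERNS = {
    "capacity_exceeded": re.compile(
        PREFIX + r"wildfire client exceeds the maximum pending capacity "
        r"(?P<cap>\d+), dropped query"),
    "query_expired": re.compile(PREFIX + r"query expired"),
}
# Cause text paraphrases the article's Cause section.
CAUSES = {
    "capacity_exceeded": "pending-verdict limit exceeded, query dropped",
    "query_expired": "no verdict within the 15-minute timeout",
}

# Constructed sample: file paths and the non-error lines are made up.
SAMPLE_LOG = """\
scan started
failed to query wildfire for file /opt/app/bin/worker: wildfire client exceeds the maximum pending capacity 20, dropped query
failed to query wildfire for file /opt/app/bin/my tool: wildfire client exceeds the maximum pending capacity 20, dropped query
failed to query wildfire for file /usr/local/bin/agent: query expired
scan finished
"""

def triage(lines):
    """Return {cause: [file paths]} for every WildFire query failure seen."""
    found = {cause: [] for cause in PATTERNS}
    for line in lines:
        for cause, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                found[cause].append(match.group("path"))
                break
    return found

def report(found):
    """One summary line per cause that occurred, with the affected files."""
    return [f"{cause}: {len(paths)} file(s) ({CAUSES[cause]}): {', '.join(paths)}"
            for cause, paths in found.items() if paths]

if __name__ == "__main__":
    # Pipe real scan output on stdin, or run with no input to see the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(triage(text.splitlines()))))
```

The per-cause file list shows which binaries in the image are not resolved to packages, which helps when choosing between the options under Resolution.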


Resolution


The following options are available:
  1. Disable "Upload files with unknown verdicts to WildFire" from Manage > System > WildFire under the Advanced Configuration section. With this setting disabled, no files are uploaded to WildFire for a verdict, while some of the benefit of instant verdicts for known files is retained.
  2. Disable "Enable CI compliance checks" under Manage > System > WildFire. This disables all WildFire scanning for CI images.


Additional Information


Documentation on WildFire

 


