What do the WildFire Submission Log severity fields "informational" or "high" mean?

Created On 01/19/21 07:38 AM - Last Modified 10/02/24 13:25 PM


Question


What do the WildFire Submission Log severity fields "informational" or "high" mean?

Environment


  • All PAN-OS
  • Threat Prevention License
  • (Optional) WildFire License


Answer


WildFire Submission Logs are after-the-fact reports coming back from the WildFire Cloud once the sandboxing of samples has been completed.

The severities reported in the WildFire Submission Logs for malicious samples are to be interpreted as follows:
  • Informational: The sample was blocked by a Threat Prevention feature while traversing the firewall.
  • High: The sample traversed the firewall undeterred. WildFire sandboxing later found it to be malicious, but at the time it made it through the firewall because either there were no Antivirus signatures for this sample on the firewall yet, no other Threat Prevention feature (such as File Blocking) was configured to block it, or the Antivirus profile was set to alert rather than block.
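As an added example (not from the article or from Palo Alto Networks), the triage logic this distinction implies: malicious verdicts with severity "high" reached the client and need endpoint follow-up, while "informational" ones were already blocked. The CSV layout, field names and sample records below are constructed for the example and are not the PAN-OS log schema.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample records in an assumed, simplified layout
# (severity, verdict, file name, internal client, firewall action).
# This is NOT the real PAN-OS WildFire Submission log field order.
SAMPLE_LOG = """\
severity,verdict,filename,client,action
high,malicious,invoice.exe,10.1.1.5,alert
informational,malicious,setup.msi,10.1.1.7,block
high,malicious,report.pdf,10.1.1.9,allow
informational,benign,notes.txt,10.1.1.5,alert
"""


@dataclass
class Submission:
    severity: str
    verdict: str
    filename: str
    client: str
    action: str


def parse_submissions(text: str) -> list[Submission]:
    """Parse the constructed CSV into Submission records."""
    return [Submission(**row) for row in csv.DictReader(StringIO(text))]


def triage(records: list[Submission]) -> tuple[list[Submission], list[Submission]]:
    """Split malicious verdicts by what the severity says about the firewall.

    'high'          -> the sample got through before the verdict came back.
    'informational' -> a Threat Prevention feature already blocked it.
    """
    escaped, blocked = [], []
    for r in records:
        if r.verdict != "malicious":
            continue  # benign/grayware verdicts need no containment
        if r.severity == "high":
            escaped.append(r)
        elif r.severity == "informational":
            blocked.append(r)
    return escaped, blocked


def hosts_to_investigate(records: list[Submission]) -> list[str]:
    """Internal clients that received a malicious sample undeterred."""
    escaped, _ = triage(records)
    return sorted({r.client for r in escaped})
```

Feeding real submission logs in would only require mapping the actual exported columns onto the Submission fields.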


Additional Information


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/threat-logs#id5cea1511-a153-4005-9d5f-ab2482e838ae
