DotW: Configuring WildFire

Created On 09/25/18 19:03 PM - Last Modified 07/19/22 23:10 PM


Resolution


When configuring WildFire, it is sometimes difficult to know which options to set, because WildFire offers an array of configurable options covering both the supported file types and the actions to take on those files.


User jprovine recently asked how to best configure WildFire in the discussion forum. Several community members responded, including our very own Solutions Engineer, Tom (reaper):

 

[Screenshot of the forum thread]
https://live.paloaltonetworks.com/t5/General-Topics/Wildfire/m-p/75058#U75058

 

The question about configuring WildFire can be confusing at times. I will try to break down the options to make sense of it all and let you make an informed decision about how to configure WildFire.

 

The main options in WildFire are:


Supported file types:

  • PE files (EXE, DLL, and others)
  • All Microsoft® Office® file types
  • Portable Document Format (PDF) files
  • Java® applets (JAR and CLASS)
  • Android® application packages (APK)
  • Adobe® Flash® applets (SWF and SWC)
  • Web pages

What to do with files:

  • alert
  • block
  • continue
  • forward
  • continue and forward

Steps

  1. All of this starts with a File Blocking policy, which is located in the WebGUI inside
    Objects > Security Profiles > File Blocking.
    Inside there, you need to have a profile to use. Most of the profiles there are read-only, so start with any profile and use the 'Clone' option.
    [Screenshot: cloning a file blocking profile]
  2. After you clone the file blocking profile, click on the name. For this example, we clicked on 'best-practice-1.'  You will see all the options for file blocking. Inside here, you will see the file blocking rules, where you can select certain file types, applications, direction and the action to take. This allows you to be very granular in the file blocking policy.

    Again, WildFire supports PE files, Microsoft® Office® file types, PDF files, JAR, CLASS, APK, SWF, SWC and web pages. You can choose to select one or all applications. If all is selected for the file type, only the supported file types will be uploaded to WildFire for analysis. 
    [Screenshot: file blocking rule options]
    The actions that you will have are:
    - alert
    - block
    - continue
    - forward
    - continue and forward

  3. The 'forward' option in file blocking is an 'allow and log' option in the file blocking portion and a forward option in the WildFire portion. The file is allowed to pass through; while it goes through the firewall, the firewall collects all the packets that make up the file and, once the file is complete, sends it off to WildFire for analysis. The file has to be uploaded to WildFire before it can be analyzed. If the uploaded file is found to be malicious, a new signature is created for that file and the firewall will receive updates the same day (paid subscription) or in a daily update (free version), in the form of an AV signature.

    When 'block' is selected as the action, file blocking will kick in and halt any file that matches the policy, but the file will no longer be forwarded to WildFire (as it has been blocked). If your company security policy states to block files of certain types, you will want to use this option.

    The other options that you have that usually are not chosen when dealing with WildFire are:
    • alert — An entry is added to the threat log. No other WildFire actions are performed.
    • continue — A message to the user indicates that a download has been requested and asks the user to confirm whether to continue. The purpose is to warn the user of a possible unknown download (also known as a drive-by-download) and to give the user the option of continuing or stopping the download.
    • continue-and-forward — A continue page is presented, and the file is sent to WildFire (combines the continue and forward actions). This action only works with web-based traffic, because a user must click continue before the file will be forwarded, and the continue response page option is only available with http/https.

    Note: When you create a file blocking profile with the action continue or continue-and-forward (used for WildFire forwarding), you can only choose the application web-browsing. If you choose any other application, traffic that matches the security policy will not flow through the firewall, because the users will not be prompted with a continue page.

  4. The last step is to ensure that this file blocking policy is used in a security policy, and commit to make this active.
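As an added example (not part of the original article or of PAN-OS itself), the small checker below models the rule semantics described in the steps above: which actions allow the file through, which ones upload it to WildFire, that 'any' file type still only uploads supported types, and that continue / continue-and-forward are only valid with the application web-browsing. The rule, application and file-type names are assumed for illustration.

```python
# Added example: sanity-check file blocking rules before committing them.
# Names of file types and applications are assumptions for this illustration.
from dataclasses import dataclass

# File types the article lists as supported by WildFire analysis.
WILDFIRE_FILE_TYPES = {"pe", "msoffice", "pdf", "jar", "class", "apk", "flash"}

# Actions that result in the matching file being uploaded to WildFire.
FORWARDING_ACTIONS = {"forward", "continue-and-forward"}
VALID_ACTIONS = {"alert", "block", "continue", "forward", "continue-and-forward"}


@dataclass
class FileBlockingRule:
    name: str
    applications: set  # {"any"} or explicit application names
    file_types: set    # {"any"} or explicit file type names
    action: str


def check_rule(rule):
    """Return a list of problems with the rule (empty list means OK)."""
    problems = []
    if rule.action not in VALID_ACTIONS:
        problems.append(f"{rule.name}: unknown action '{rule.action}'")
        return problems
    # The continue page only exists for HTTP/HTTPS, so continue and
    # continue-and-forward must be restricted to web-browsing.
    if rule.action.startswith("continue") and rule.applications != {"web-browsing"}:
        problems.append(f"{rule.name}: action '{rule.action}' requires "
                        "application web-browsing only")
    return problems


def wildfire_outcome(rule):
    """Return (file allowed through?, file forwarded to WildFire?)."""
    if rule.action == "block":
        return (False, False)  # blocked files are never uploaded
    return (True, rule.action in FORWARDING_ACTIONS)


def forwarded_file_types(rule):
    """File types that actually reach WildFire under this rule."""
    if rule.action not in FORWARDING_ACTIONS:
        return set()
    if rule.file_types == {"any"}:
        return set(WILDFIRE_FILE_TYPES)  # 'any' uploads only supported types
    return rule.file_types & WILDFIRE_FILE_TYPES
```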

 

It is up to you to determine what matches your company security policy the best, which files to forward, and which files you need to block.

 

I hope this explains more about file blocking and WildFire.

 

See also

 

For more information on WildFire, please see this Video Tutorial:
Video Tutorial: What is WildFire?

For more information on configuring file blocking:
Tips from the Field: File blocking profile

Stay secure,
Joe Delio

 


