How to Check the Connectivity to WildFire and Status of Upload Files

Created On 09/26/18 13:51 PM - Last Modified 02/28/22 08:24 AM


Environment


  • Palo Alto Firewall.
  • PAN-OS any.


Resolution


Overview

This document describes the methods to verify the connectivity to the WildFire cloud and the status of files being uploaded to it.

 

Details

Once the basic configuration is complete, the "show wildfire status" command shows the selected best server as well as the registration status.

admin@PA-VM> show wildfire status channel public

Connection info:
  Signature verification:        enable
  Server selection:              enable
  File cache:                    enable

WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Best server:                   panos.wildfire.paloaltonetworks.com
  Device registered:             yes
  Through a proxy:               no
  Valid wildfire license:        yes
  Service route IP address:      10.137.102.77
  Global status:                 Idle
  Count of available workers:    10
  Available worker indices:      0 1 2 3 4 5 6 7 8 9
  Upload status Usage: 'I': Idle, 'U': Uploading, 'Q': Querying
    Upload worker index:           0    1    2    3    4    5    6    7    8    9
    Upload status:                 I    I    I    I    I    I    I    I    I    I
    Status time (seconds):         999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+

Forwarding info:
  file idle time out (second):                          90
  total bytes of concurrent files:                       0
  Public Cloud:
    total file fwded :                                   1
    total file failed:                                   0
    total session info. upload failed:                   0
    total file skipped:                                  0
    total cloud queries:                                 0
    total cloud queries failed:                          0
    file forwarded in last minute:                       0
    bytes of concurrent files:                           0


If the registration status is "no", refer to the following KB article to fix it:
Troubleshooting WildFire Registration Issues


The "total file fwded" counter should be incremented when a file is uploaded to the WildFire cloud.

See Also:

"Verify File Forwarding" section in the WildFire Administrator's Guide.
https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/submit-files-for-wildfire-analysis/verify-wildfire-submissions/verify-file-forwarding.html
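
The registration and counter check described above, as an added example (not part of the original article and not Palo Alto Networks tooling): it parses two saved captures of the status output, taken before and after a test upload, and reports whether the device is registered and "total file fwded" increased. The sample text is constructed, the function names are hypothetical, and the "total file failed" check is an added assumption about that counter.

```python
import re

# Constructed sample in the layout of "show wildfire status channel public",
# trimmed to the fields read below (values are sample data).
SAMPLE = """\
WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Device registered:             {registered}
Forwarding info:
  Public Cloud:
    total file fwded :           {fwded}
    total file failed:           {failed}
"""
BEFORE = SAMPLE.format(registered="yes", fwded=1, failed=0)
AFTER = SAMPLE.format(registered="yes", fwded=2, failed=0)

def parse_status(text):
    """Map each 'name: value' line to a dict entry; section headers are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s+(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def counter(fields, name):
    """Read a numeric counter, treating a missing field as 0."""
    return int(fields.get(name, "0"))

def check_forwarding(before_text, after_text):
    """Return a list of problems found between two captures (empty = healthy)."""
    before, after = parse_status(before_text), parse_status(after_text)
    problems = []
    if after.get("Device registered") != "yes":
        problems.append("device not registered")
    if counter(after, "total file fwded") <= counter(before, "total file fwded"):
        problems.append("total file fwded did not increase")
    # Assumption (not stated in the article): a rise here means a failed upload.
    if counter(after, "total file failed") > counter(before, "total file failed"):
        problems.append("total file failed increased")
    return problems

if __name__ == "__main__":
    print(check_forwarding(BEFORE, AFTER) or "forwarding looks healthy")
```

The parser assumes a single-channel capture such as the "channel public" output shown above; if several clouds appear in one capture, repeated field names overwrite each other.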



The "ping" command can be used to check whether name resolution is working. When DNS is working properly, an IP address is displayed.

admin@PA-VM> ping host wildfire.paloaltonetworks.com
PING wildfire.paloaltonetworks.com (34.84.44.247) 56(84) bytes of data.
64 bytes from 247.44.84.34.bc.googleusercontent.com (34.84.44.247): icmp_seq=1 ttl=110 time=7.66 ms
64 bytes from 247.44.84.34.bc.googleusercontent.com (34.84.44.247): icmp_seq=2 ttl=110 time=11.6 ms
^C
--- wildfire.paloaltonetworks.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 7.664/9.669/11.674/2.005 ms

Note: You may not see a ping response if it is disabled on the WildFire cloud side. That is not an issue.
 

 

To view detailed file forwarding statistics for each file type, issue the following command:

> show wildfire statistics


 

To view the history of the file uploads, check the wildfire-upload.log (or wildfire-upload.log.old):

admin@PA-VM> tail follow yes mp-log wildfire-upload.log
2022-02-28 12:08:40 +0900:     wildfire-test-pe-file.exe    pe    upload success    PUB    52126    465    55296    0x801c    allow
2022-02-28 12:38:41 +0900:     wildfire-test-pe-file.exe    pe    upload success    PUB    52242    466    55296    0x801c    allow
2022-02-28 13:08:41 +0900:     wildfire-test-pe-file.exe    pe    upload success    PUB    52340    467    55296    0x801c    allow

Each entry shows the timestamp, file name, file type, upload status, etc. If the file is uploaded to the WildFire cloud, the entry is logged with "upload success".
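
A parser for the log layout above, as an added example (not part of the original article): it extracts the timestamp, file name, file type and upload status from each entry and lists the entries that are not "upload success". The second sample line and its status text are constructed placeholders, the function names are hypothetical, and the columns after the status are kept as raw values because the article does not name them.

```python
import re
from datetime import datetime

# First entry is copied from the log excerpt above; the second is constructed,
# with a placeholder status string, to exercise the non-success path.
SAMPLE_LOG = """\
admin@PA-VM> tail follow yes mp-log wildfire-upload.log
2022-02-28 12:08:40 +0900:     wildfire-test-pe-file.exe    pe    upload success    PUB    52126    465    55296    0x801c    allow
2022-02-28 12:38:41 +0900:     constructed-sample.exe    pe    placeholder non-success status    PUB    52242    466    55296    0x801c    allow
"""

# "<date> <time> <utc offset>:" followed by the column data.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}):\s+(.*)$")

def parse_upload_log(text):
    """Return one dict per log entry; prompt, banner and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Columns are separated by a tab or by two or more spaces, so a status
        # such as "upload success" (single space) stays in one column.
        cols = re.split(r"\s{2,}|\t", m.group(2).strip())
        if len(cols) < 3:
            continue  # truncated entry
        entries.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z"),
            "filename": cols[0],
            "file_type": cols[1],
            "status": cols[2],
            "extra": cols[3:],  # columns the article does not name
        })
    return entries

def not_uploaded(entries):
    """Entries whose status is anything other than 'upload success'."""
    return [e for e in entries if e["status"] != "upload success"]

if __name__ == "__main__":
    for e in not_uploaded(parse_upload_log(SAMPLE_LOG)):
        print(e["time"].isoformat(), e["filename"], e["status"])
```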


The "debug wildfire upload-log show" command can also be used.

admin@PA-VM> debug wildfire upload-log show

Upload Log disk log rotation size: 2.000 MB.
Public Cloud upload logs:

        log: 0, filename: wildfire-test-pe-file.exe
        processed 423 seconds ago, action: upload success
        vsys_id:  1, session_id: 53281, transaction_id: 474
        file_len:  55296, flag: 0x801c, file type: pe
        threat id: 52020, user_id: 0, app_id: 109
        from 172.16.130.143/3111 to 34.84.44.247/80
        SHA256: 0857efa969c3696b7ff95f38e2582161efc6ad03e5367fd4ce65ac9d8014af1f



You should be able to find the corresponding reports on the WildFire portal. If you are using a regional WildFire cloud, please make sure to visit the WildFire cloud that you configured on the firewall.