topic Re: WildFire and File blocking in General Topics

WildFire and File blocking

nsrini1991 — Thu, 31 Dec 2020 17:15:03 GMT

Hi Experts,

I'm new to Palo Alto and I've seen documents where File blocking is used in addition with the WildFire analysis. So, any files which is blocked won't be forwarded to WildFire and the action which is set to 'continue/alert' will be continue forwarding.

But in my organization I've seen file blocking isn't applied to any security policy while wildfire analysis is set to application and files 'any' to the public cloud and its attached to the security policy.

1. My question is, what would the Wildfire achieve with/without the file blocking profile?

2. How does the AV profile works with the WildFire policy?

Can someone please assist? Thank you.

Re: WildFire and File blocking

reaper — Mon, 04 Jan 2021 10:50:30 GMT

WildFire and file blocking are independent from eachother, so WildFire can function without a file blocking profile and vice versa.

The only caveat, as you mention, is that if you block a file WildFire won't be able to send it up for analysis.

Once WildFire finds a malicious file, a signature is immediately created for the WildFire dynamic updates. Every 24 hours the most prominent WildFire signatures are also rolled up into the daily AV update, so:

-all actions taken based on the outcome from a WildFire analysis are in fact performed by the AV/AS profiles

-the WildFire profile itself is only used for uploading, not prevention

- file blocking is an additional profile that simply decides which file types to allow or block (like opening/blocking a port or application)

hope this helps

Re: WildFire and File blocking

nsrini1991 — Mon, 04 Jan 2021 16:02:25 GMT

Hi Tom,

First of all, I'd like to thank you for your wonderful book 'Mastering the Palo Alto networks' which is very informative and helpful for the beginners like me to nourish our skills on Palo Alto.

Under Monitor -> Wild fire submissions, I see Malicious is being marked as 'blocked'. From the below, I believe AV is the one which is going to block the viruses and not the Wild Fire. Please correct me if I'm wrong.

1. Assuming no wildfire license in place and through AV updates, will it be automatically blocked in next 24hours?

2. Will it block only if it's set to 'reset-both' under AV/Wildfire action or it'll block automatically if the action is set to 'default or alert' in the AV profile?

3. In AV profile, I see only HTTP, FTP, SMB, SMTP and POP3. What if any files which are malicious are transferred through SFTP and so on, which isn't part of the AV decoders?

Re: WildFire and File blocking

OtakarKlier — Mon, 04 Jan 2021 19:17:23 GMT

Hello,

Let me try to explain. One thing to remember is that WildFire is the zero day file analysis. If you dont have a license, i would highly suggest you get one.

1. Assuming no wildfire license in place and through AV updates, will it be automatically blocked in next 24hours?

Correct, once WildFire flags it, it will eventually make its way into the AV definitions.

2. Will it block only if it's set to 'reset-both' under AV/Wildfire action or it'll block automatically if the action is set to 'default or alert' in the AV profile?

Make sure your profiles are set to reset-both, otherwise it will be allowed.

3. In AV profile, I see only HTTP, FTP, SMB, SMTP and POP3. What if any files which are malicious are transferred through SFTP and so on, which isn't part of the AV decoders?

So these are just protocols not file types.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZ5CAK

Hope that helps.

Re: WildFire and File blocking

nsrini1991 — Tue, 05 Jan 2021 14:22:29 GMT

Hi,

Thanks for taking your time to reply to this conversation. Final one and sorry if it's dumb.

What if any malicious files are traversing through SFTP protocol will it be blocked as only FTP, HTTP, HTTPS application/protocols are specified?

Re: WildFire and File blocking

OtakarKlier — Tue, 05 Jan 2021 15:14:14 GMT

Hello,

Not a bad question at all. Since in SFTP the traffic is encrypted, the PAN can only read the headers of the packet. So in this case, it is possible that the malicious file can be transferred past the PAN. However if you employ SSL decryption to the traffic, the PAN can see the whole file. If the file is password protected, you'll need to use another program at the OS layer to protect your environment.

Hope that helps.

Re: WildFire and File blocking

TomYoung — Tue, 17 Aug 2021 23:42:30 GMT

Great question. SFTP actually uses SSH for encryption. App-ID recognizes it as SSH. However, it is not FTP over SSH. The protocol is different. If PANW added the SFTP protocol to AV, it could be scanned if SSH Proxy were configured.

Re: WildFire and File blocking

ramakrishnan.v05 — Thu, 23 Nov 2023 14:06:51 GMT

So I can use file blocking profile without WF subscription?

Re: WildFire and File blocking

reaper — Wed, 29 Nov 2023 10:15:23 GMT

@ramakrishnan.v05 yes you can

Re: WildFire and File blocking

TomYoung — Wed, 29 Nov 2023 10:22:37 GMT

Thanks @reaper !

I thought I replied, but I guess I didn't.