topic Re: Why pdf file action is forward on wildfire? in General Topics

Why pdf file action is forward on wildfire?

KiCheon.Lee — Mon, 11 Nov 2013 07:33:37 GMT

Hello.

I am seeing data-filtering logs for wildfire and have found some logs.

It is pdf file log that action is forward.

Wildfire configuration is any application and action forward.

But PDF is not PE file.

I don't understand Why pdf file action is forward.

forward

Data plan detected a PE file on a WildFire-enabled policy. The PE file is buffered in management plane.

At this point, if you only see "forward" for a specific file, then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent for previously seen benign files). This means that you will not see an entry in the WildFire web portal for these files.

I think reason that the data plan detected any file on a wildfre-enabled policy and the any file is buffered in management plan because wildfire configuration is any file. Right?

I know only PE file was forward when wildfire configuration is any file.

Thanks.

Re: Why pdf file action is forward on wildfire?

kadak — Mon, 11 Nov 2013 18:59:31 GMT

Hello Cheon,

Yes, you are right. Since you have configured 'any' file type in file blocking profile you would get a data-filtering log as 'forward' for all file downloads - atleast. PE is just a file format category which includes file types with extensions exe,zip..etc

If an AV profile is not enabled on a firewall policy for an existing session, the file is streamed from dataplane to management plane for Wildfire processing. That file is then received by the end user and buffered by the management plane. If the file is signed by a trusted signer, the file download gets logged in the data-filtering logs with action set to 'forward' and no entry is logged in wildfire web portal. If the file is not signed by the trusted signer, then the management plane creates a hash of file to send it to the Wildfire cloud to run a check against existing signatures in the database. From there on, depending upon whether the hash match exists in the database or not, the corresponding data-filtering log gets marked as 'wildfire-upload-skip' or 'wildfire-upload-success'.

Hope that addresses your concern!

Thanks and regards,
Kunal Adak

Re: Why pdf file action is forward on wildfire?

KiCheon.Lee — Tue, 12 Nov 2013 12:33:43 GMT

Hello Adak,

Thanks for your answer.

I have a more detail question.

I use wildfire configuration that action for all files is forward.

Are all files(ppt , jpg etc..) forwarded from data-plane to management-plane?

If it is true, I think management-plane buffer allocated wildfire will be very hard.

If buffer will be overflow what value on 'show wildfire statistics' will be increased??

I read manual that if buffer will be overflow cancel_disk_io_fail on 'show wildfire statistics' will be increased.

But I have found it on this cli output.

Thanks.

Re: Why pdf file action is forward on wildfire?

kadak — Tue, 12 Nov 2013 15:05:35 GMT

Hello Cheon,

Are all files(ppt , jpg etc..) forwarded from data-plane to management-plane?

- If a file download session matches an AV profile enabled to the security rule, then file will be streamed to Content-ID engine for AV scanning. If not, only then the file is is streamed from the dataplane to the management plane for wildfire processing.

cancel_disk_io_fail counter:

Number of times the management plane failed to write temporary files to the disk before sending them to the WildFire cloud. This can occur with a general disk fault, and can also occur when the disk buffer is near quota.

I did read in an internal document that apparently the counter would only show up in wildfire statistics if it is non-zero.

Thanks and regards,

Kunal Adak