topic wildfire and security policy - problem in General Topics

wildfire and security policy - problem

_slv_ — Fri, 14 Dec 2012 15:41:19 GMT

I have enabled wilfdire protection on polisy for NAT (also antyvirus/antyspyware/Volnerability).

From time totime I get email with information that someone from my network downloaded some files infected ie. by malware.

Until now I think that this file was blocked by PAN.

Today I tryed (just for test) download file from link from that email (storagenl.info/v402/?affiliate_id=eb3)

and I downloaded file .... and I got a email.

File blocking profile is created with any any both forward settings. This profile is enabled in security policy.

Help me please

With regards

SLawek

Re: wildfire and security policy - problem

kbrazil — Mon, 17 Dec 2012 03:42:09 GMT

Hi SLV,

Unless you have the new Wildfire subscription (PAN-OS 5.0) enabled you may need to wait a couple days for the actual virus signature to be pushed down to your device through the normal AV signature process. With the Wildfire subscription you can get hourly updates.

Cheers,

Kelly

Re: wildfire and security policy - problem

mbutt — Mon, 17 Dec 2012 18:23:10 GMT

Hi SLV,

If you and file blocking profile with forward option. It will allow the files to be downloaded and the file will be sent to Wildfire for checking. This is default action it takes when the file blocking is set to forward.

Hopefully this helps.

Thank you

Numan

Re: wildfire and security policy - problem

_slv_ — Tue, 18 Dec 2012 13:36:47 GMT

I thought that "forward" mean that PA200 will forward every file to WildFire cloud and after that if status recieved from WildFire Cloud is "clean" will allow to download to client workstation.

Is it possible to get such confoguration?

Cheers

Slawek

Re: wildfire and security policy - problem

gwesson — Tue, 18 Dec 2012 17:15:43 GMT

Hi Slawek,

Something like that would create a delay too great for most clients. Part of what WildFire does is execute the file and observe the behavior along with normal signature and heuristic-based scans. If a client had to wait for that they would likely time out. You may want to reach out to your account team to suggest that feature in case it hasn't been submitted already.

To answer the question about the "forward" action, it:

- Delivers the file to the client

- Forwards it to WildFire for review

If you have 5.0 and the additional license, you can download updates as often as every hour that will contain results of scans. If a file you (or another customer) has forwarded is malware, you'll have the signature for it within hours. Of course, as Kelly indicated you can still use the standard WildFire configuration to get updates every day so you'll have that signature within a day or two normally as well.

Hope this helps!

Greg

Re: wildfire and security policy - problem

gafrol — Tue, 26 Feb 2013 07:19:43 GMT

Forward does not mean that the file has been forwarded to the wildfire cloud !

Forward: The Wildfire cloud has already seen the file, thus no further action is taken on the file and no entry is seen on the wildfire portal.

Wildfire-upload-success: The Wildfire cloud has not seen the file and the file is uploaded to the cloud for a verdict.

Wildfire-upload-skip: The Wildfire cloud has already seen the file and confirmed a verdict of "Malware" thus the file is skipped by the PA device, however a log is generated on the Wildfire portal

Cheers

Roland