https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74277#M41650 <P>After changing the file blocking profile to "file typ: any" it seems that .docx are now forwarded to the wildfire cloud...maybe a problem with identifying .docx files ?<BR /><BR /><BR /></P> Mon, 07 Mar 2016 15:34:03 GMT iweltag 2016-03-07T15:34:03Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74122#M41614 <P>Hi,</P> <P>&nbsp;</P> <P>i am testing wildfire at the moment for forwarding .doc, .docx and EXE Files to the wildfire cloud.</P> <P>&nbsp;</P> <P>This is my rule:</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2925i58294C4B6AB88C3E/image-size/original?v=mpbl-1&amp;px=-1" alt="WF Rule" title="WF Rule" border="0" /></P> <P>&nbsp;</P> <P>But it seems, that only .doc and .exe Files are forwared to the cloud (first Forward but then upload skip because the cloud have already seen this file - that´s ok)</P> <P>&nbsp;</P> <P>The .docx files are just in "alert" state and will not be forwarded to the cloud . Does anybody know why?</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2926i20D29AD998F66FE9/image-size/original?v=mpbl-1&amp;px=-1" alt="DF Log" title="DF Log" border="0" /></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 04 Mar 2016 09:57:11 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74122#M41614 iweltag 2016-03-04T09:57:11Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74145#M41620 <P>Hello,</P> <P>The most probable reason why it is just reporting 'Alert' is that the file has already been seen by wildfire at some point and it benign.</P> <P>&nbsp;</P> <P>Try creating a custom DOCX and see what happens.</P> <P>&nbsp;</P> <P>Regards,</P> Fri, 04 Mar 2016 14:18:30 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74145#M41620 OtakarKlier 2016-03-04T14:18:30Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74158#M41624 <P>Is the docx file downloaded inside a https connection? To upload decrypted to Wildfire there is an extra setting to enable this.</P> Fri, 04 Mar 2016 18:19:58 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74158#M41624 Anon1 2016-03-04T18:19:58Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74207#M41635 <P>Yes i have already configured "forwarding decrypted files". Decrypting policy is also configured. I will try this on monday with an own created docx file and see what happen.&nbsp;</P> <P>&nbsp;</P> Sat, 05 Mar 2016 12:11:41 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74207#M41635 iweltag 2016-03-05T12:11:41Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74269#M41648 <P>Hi,</P> <P>&nbsp;</P> <P>it does not work when i am using an own created .docx file. i can not see any upload in the logfile. just alert.</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2977i2771A35F21670715/image-size/original?v=mpbl-1&amp;px=-1" alt="docx" title="docx" border="0" /></P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2978iD46B4E827617D3D4/image-size/original?v=mpbl-1&amp;px=-1" alt="detail log" title="detail log" border="0" /></P> Mon, 07 Mar 2016 11:01:53 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74269#M41648 iweltag 2016-03-07T11:01:53Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74277#M41650 <P>After changing the file blocking profile to "file typ: any" it seems that .docx are now forwarded to the wildfire cloud...maybe a problem with identifying .docx files ?<BR /><BR /><BR /></P> Mon, 07 Mar 2016 15:34:03 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74277#M41650 iweltag 2016-03-07T15:34:03Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74395#M41679 <P>Hi Iweltag,</P> <P>&nbsp;</P> <P>I was going to respond to your message but than did not have firewall with lesser PAN-OS than 7.x to check if I am correct <span class="lia-unicode-emoji" title=":confused_face:">😕</span> sorry I didn't, I feel like coming late to the party now. Anyways:</P> <P>&nbsp;</P> <P>I think you could either add zip filetype or ms-office (not sure if that exists as such in 6.x) along with .doc filetype; fact is that there is a big difference in fileformats where .doc is closed file format and if I remember well should have magic number "D0C F11E" - doc file; while docx is actually an archive containing more files and you can open office xlsx or docx and such files with unarchiver app.</P> <P>&nbsp;</P> <P>I would try adding doc and zip filetypes to your file blocking profile to check if that will work, and if you have ms-office try that filetype as well instead of any. Otherwise, if docx was selectable but not working as expected I would open a case with TAC to check and to bring the issue to their attention.</P> <P>&nbsp;</P> <P>Best regards</P> <P><BR />Luciano</P> Tue, 08 Mar 2016 19:54:40 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74395#M41679 Lucky 2016-03-08T19:54:40Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74425#M41683 <P>hi,</P> <P>&nbsp;</P> <P>thanks for your respond. I will try that and give you a feedback :)...</P> Wed, 09 Mar 2016 08:25:15 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74425#M41683 iweltag 2016-03-09T08:25:15Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74444#M41690 <P>Hi,</P> <P>&nbsp;</P> <P>when i am using "microsoft-office" as the filetype to be forwarded to the cloud it seems to work fine with .docx files.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I also find this hint on PAN Help:</P> <P>&nbsp;</P> <P>[...]</P> <P>If you want the firewall to block/forward MS Office files, it is recommended that you select this “msoffice” group to ensure all supported MS Office file types will be identified instead of selecting each file type individually.</P> <P>[...]</P> <P>&nbsp;</P> <P>When i am using "docx, gzip, zip" file type in the data blocking policy the docx files will not be forwarded to the cloud.</P> Wed, 09 Mar 2016 13:00:50 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74444#M41690 iweltag 2016-03-09T13:00:50Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74468#M41701 <P>Hi Iweltag,</P> <P>&nbsp;</P> <P>I am glad advice still had some value <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>ok, so it will work with ms-office. I would think it should work with docx but "your mileage may wary" depending on the particular docx and perhaps of what it embeds, so I would still go for ms-office filetype. If this creates a problem for you (for example, you wanted exclusively docx forwarded but not the rest) you should still open the case with TAC.</P> <P>&nbsp;</P> <P>Best regards</P> <P><BR />Luciano</P> Wed, 09 Mar 2016 18:08:14 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/74468#M41701 Lucky 2016-03-09T18:08:14Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/124685#M46355 <P>I ran into this issue as well and found that we had an old file blocking profile that alerted on ZIP file downloads.&nbsp; This was making the Palo tag them as ZIP instead of MS-Office files.&nbsp; I removed that from the file blocking profile and now they get detected as MS-Office and now get submitted to Wild Fire.</P> Mon, 07 Nov 2016 16:46:40 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-docx/m-p/124685#M46355 Rich_G 2016-11-07T16:46:40Z