topic Re: Wildfire in General Topics

Wildfire

jdprovine — Tue, 22 Mar 2016 18:18:49 GMT

So currently I am using wildfire but only choosing to forward the file. Is anyone using the block option? If so are what are the pros and cons?

Re: Wildfire

Brandon_Wertz — Tue, 22 Mar 2016 18:24:31 GMT

Block?

Isn't that only an option for a "file blocking" policy?

I thought it was in version 7.0.X where the decoupled fileblocking with WF. So in 7.0.X on WF has it's own policy and the only options I see really are upload/download directionality and where the WF analysis would be.

Re: Wildfire

reaper — Wed, 23 Mar 2016 08:36:43 GMT

The forward option in fileblocking (i'm assuming you're on 6.1) is technically an 'allow and log' option in the fileblocking portion and a forward option in the WildFire portion: The file is allowed to pass through and while it goes through the firewall, it collects all the packets that make up the file and once complete sends it off to WildFire for analysis. (if it is found to be malicious a signature is created that is then send to the firewall in the form of an AV signature)

When 'block' is selected as action, the fileblocking will kick in and halt any file that matches the policy, but the file will no longer be forwarded to WildFire (as it has been blocked)

hope this helps

Re: Wildfire

jdprovine — Wed, 23 Mar 2016 12:43:20 GMT

Well its seems like you loose the longterm benefit of the information coming back to you in the threat prevention but get an immediate gain of it being blocked. Hard to decide which way to go

Re: Wildfire

jdprovine — Wed, 23 Mar 2016 12:44:01 GMT

Yup you can choose block instead of forward

Re: Wildfire

reaper — Wed, 23 Mar 2016 13:17:37 GMT

Both options have their merits

The block option will block all files of a certain type; filetypes that are unwanted in an organization can simply all be blocked, no matter what the content

The forward option allows for users to download files while you get the files scanned for nasties. Once a nasty has been identified further downloads will be blocked by AV and you will be informed about an infection

Re: Wildfire

jdprovine — Wed, 23 Mar 2016 14:28:37 GMT

Very hard to choose though the best practices from PA for os 6.1 suggest blocking for wildfire on the PE. I am using the "free" version of wild fire that only works for PE's

Re: Wildfire

reaper — Wed, 23 Mar 2016 14:37:38 GMT

the big question: are your users supposed to download executables (PE), which means they could be installing software on their computers

if no: block

if yes: all of them, or just the IT guys?

you can still create policy that blocks PE downloads for most users but allows, and forwards, it for the IT group for example

I'd personally prefer my userbase not to be downloading random software from the internet and provide them with the tools they need through my IT system, but that is not always an option (policy may contradict my wishes, or resource restrictions may prevent this mode of operation)