topic Re: Wildfire Signatures vs Threat Prevention Signatures in General Topics

Wildfire Signatures vs Threat Prevention Signatures

mike_lutgen — Sat, 22 Mar 2014 17:10:38 GMT

Hey Guys,

Looking for a little help here, trying to provide some proof to management of the value that the Wildfire subscription is providing to us vs just having the Threat Prevention subscription. I've looked in the Wildfire logs, but that only shows threats that were uploaded to the Wildfire cloud for investigation and were still allowed through the firewall (basically it's a log of all the stuff that got through and whether or not it was malware). That is helpful for the desktop team, because they can focus a PC cleaning on the machines that are listed in the logs, but I'd like to go to management with a list of threats that were blocked by Wildfire signatures to show all of the stuff that is being prevented from entering our network and therefore proving the value of the Wildfire subscription. The problem with that is, as far as I know, all threats blocked by Wildfire signatures still just go into the Threat log and are indistinguishable from threats blocked by Threat Prevention signatures. Does anyone know of a way to identify one vs the other?

Thanks!

Re: Wildfire Signatures vs Threat Prevention Signatures

HULK — Sat, 22 Mar 2014 18:38:29 GMT

Wildfire functionality: WildFire combines the abilities of a customer's on-premise firewalls with the scalability and accessibility of the cloud to ensure the best combination of visibility, analysis and enforcement. The next-generation firewall provides full inspection of all traffic across all ports, and can identify unknown files at a rate of up to 10Gbps. When an unknown file is encountered is copied and delivered over an encrypted connection to Palo Alto Networks malware analysis cloud. In the cloud, the suspect sample is executed in a virtual environment and observed for more than 100 malicious behaviors to determine if the file is a risk. If the file is determined to be a risk, WildFire automatically generates new protections, which are then delivered back to ALL customer firewalls worldwide. New malware infections as well as malware communications are blocked by the firewall, again at a rate of up to 10 Gbps.

Re: Wildfire Signatures vs Threat Prevention Signatures

mike_lutgen — Sat, 22 Mar 2014 23:11:31 GMT

I understand what the technology does, that is not what my question was. My question was about identifying which threats have been mitigated by the Wildfire signatures vs the Threat Prevention signatures.

Re: Wildfire Signatures vs Threat Prevention Signatures

Retired Member — Thu, 25 Dec 2014 11:03:14 GMT

Hello Mike,

You can identify them by the Threat ID. Check these two documents and let me know if that's what you are looking for:

Threat ID Ranges in the Palo Alto Networks Content Database

How to Create a Report on Panorama for WildFire Threats Sent to the Cloud

Regards,

Guillermo.

Re: Wildfire Signatures vs Threat Prevention Signatures

parmas — Fri, 26 Dec 2014 14:42:19 GMT

You can also log into your account and visit your Wildfire portal and get a report on the malware that has been detected in the traffic that was uploaded by your firewall.

Re: Wildfire Signatures vs Threat Prevention Signatures

jkim2 — Thu, 08 Jan 2015 15:38:13 GMT

have your SE run a WF coverage report its much more comprehenisve similar to what you can do with a AVR