https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8863#M6492 <HTML><HEAD></HEAD><BODY><P>Please take a look into PAN 5.0.10 fixes:</P><P>57763—When WildFire Action was configured as "default(Block)" in Antivirus profile, </P><P>block action didn't take effect as the default action was not configured internally. The </P><P>workaround is to configure WildFire Action as "Block" instead of "default(Block)". </P><P></P><P>Probalby your device didn't block any of the file...</P><P></P><P>Regards</P><P>SLawek</P></BODY></HTML> Thu, 02 Jan 2014 08:05:09 GMT _slv_ 2014-01-02T08:05:09Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8860#M6489 <HTML><HEAD></HEAD><BODY><P>Hopefully a quick question - is there any way to determine whether a executable has been blocked because it was a Wildfire derived signature (for paying customers).&nbsp; It may be obvious when it happens, but hard to know if it has etc.</P><P></P><P>Would like to be able to correlate the protection afforded by the service by providing a discrete count of executables blocked, and report them seperately from 'normal' AV blocks.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 31 Dec 2013 20:46:31 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8860#M6489 apackard 2013-12-31T20:46:31Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8861#M6490 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px;">Can you please try querying for (subtype eq wildfire) in the threat logs</SPAN></P></BODY></HTML> Tue, 31 Dec 2013 21:32:58 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8861#M6490 sraghunandan 2013-12-31T21:32:58Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8862#M6491 <HTML><HEAD></HEAD><BODY><P>Hi APackard,</P><P></P><P>Or you can go for an ID between 3 and 4 million in a report.&nbsp; Remembering that WildFire signatures will end up in the regular AV ID range (between 2 and 3 million - well 299999 to be precise) once processed for customers with a threat license.</P><P></P><P>Good Luck!</P></BODY></HTML> Wed, 01 Jan 2014 00:27:16 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8862#M6491 James 2014-01-01T00:27:16Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8863#M6492 <HTML><HEAD></HEAD><BODY><P>Please take a look into PAN 5.0.10 fixes:</P><P>57763—When WildFire Action was configured as "default(Block)" in Antivirus profile, </P><P>block action didn't take effect as the default action was not configured internally. The </P><P>workaround is to configure WildFire Action as "Block" instead of "default(Block)". </P><P></P><P>Probalby your device didn't block any of the file...</P><P></P><P>Regards</P><P>SLawek</P></BODY></HTML> Thu, 02 Jan 2014 08:05:09 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8863#M6492 _slv_ 2014-01-02T08:05:09Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8864#M6493 <HTML><HEAD></HEAD><BODY><P>Thanks all, I'll check these out once I've got enough historical data with a 'paid-for' WildFire service to validate the results.</P><P></P><P>One other related question - is there, or is there a plan, to annotate the WildFire report with an attribute (or similar) as to the resultant signature e.g. if I logon to my portal and check a report after a couple of hours it'll tell me which WildFire update will protect against a repeat download?</P><P></P><P>Thanks</P></BODY></HTML> Wed, 08 Jan 2014 16:37:52 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8864#M6493 apackard 2014-01-08T16:37:52Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8865#M6494 <HTML><HEAD></HEAD><BODY><P>Hello Apackard,</P><P></P><P>As soon as the threat is identified in wildfire with the subscription license in place on device and automatic scheduled updates are set ( lets say an hour ) then the firewall would get the new wildfire version in the next hour. Now any further attempt of such threat traffic on the device it is logged in Wildfire logs and Threat logs. A simple search for threats in the range ( 3 to 4 million ) would give the results of the new threats being controlled.</P><P>The same threat will be pushed in next day updates through Antivirus content for other users who do not have wildfire license. Now from here on no more of the wildfire threat logs would be seen as from now it would be filed as antivirus threat.</P><P></P><P>Hope this helps !</P><P>Thanks</P></BODY></HTML> Wed, 08 Jan 2014 17:25:02 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8865#M6494 Phoenix 2014-01-08T17:25:02Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8866#M6495 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"> <P>James@PANW wrote:</P> <P></P> <P>Hi APackard,</P> <P></P> <P>Or you can go for an ID between 3 and 4 million in a report.&nbsp; Remembering that WildFire signatures will end up in the regular AV ID range (between 2 and 3 million - well 299999 to be precise) once processed for customers with a threat license.</P> <P></P> <P>Good Luck!</P> </PRE><P></P><P>Just for clarification on my part.&nbsp; A threat ID'd by WildFire in the 3mil+ range is changed to a regular threat value after it's rolled into the standard 24-hour update?</P></BODY></HTML> Fri, 26 Sep 2014 16:45:38 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-signature-based-blocks/m-p/8866#M6495 mrsold 2014-09-26T16:45:38Z