Configuration Articles

Featured Article
Overview

This document describes how to set the maximum file sizes for WildFire.

On PAN-OS 6.1, WildFire supports the following file types and sizes:

    File Type     Size Range      Default Size
    pe            1-10 MB         10 MB
    apk           1-50 MB         10 MB
    pdf           100-1000 KB     500 KB
    ms-office     200-10000 KB    500 KB
    jar           1-10 MB         1 MB

On PAN-OS 7.1 and above, WildFire supports the following file types and sizes:

    File Type     Size Range      Default Size
    pe            1-10 MB         10 MB
    apk           1-50 MB         10 MB
    pdf           100-1000 KB     500 KB
    ms-office     200-10000 KB    500 KB
    jar           1-10 MB         1 MB
    flash         1-10 MB         5 MB
    MacOSX        1-50 MB         1 MB

Content version 741 added support for .7zip and .rar as 'archive' (PAN-OS 7.1 and above):

    File Type     Size Range      Default Size
    archive       1-50 MB         10 MB

Content version 745 added support for the 'linux' file type (PAN-OS 8.0 and above):

    File Type     Size Range      Default Size
    linux         1-10 MB         2 MB

Details

Go to Device > Setup > WildFire > General Settings and enter the values for each of the supported file types. (Screenshots for PAN-OS 6.1, PAN-OS 7.1 and PAN-OS 8.0 omitted; content version 745 added the 'Linux' file type to PAN-OS 8.0.)

Note: When a new content release changes a default size limit and the change increases the maximum size limit, perform the following steps so that the firewall's internal queue size reflects the change (details below):

1. Review and change the desired file size limits in the WildFire settings (Device > Setup > WildFire).
2. Commit the configuration.

Caveat: Before files are uploaded to the WildFire cloud, they are stored in an internal queue on the firewall. The capacity of this queue varies by firewall platform, and the number of files the firewall can store is calculated from the maximum size limit among all file types except APK. Take note of this and change the value with care when increasing a size limit.

1. Take note of the maximum size among all file types except APK.
2. Check the capacity by model: https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/submit-files-for-wildfire-analysis/firewall-file-forwarding-capacity-by-model
3. Calculate your queue usage: [capacity] / [max size]
4. Run the "show wildfire disk-usage" command and compare the File limit with the value from step 3.

For example, the capacity of the PA-200 platform is 100MB, and when the max size is 10MB, the File limit becomes 100 / 10 = 10.

admin@PA-200> show wildfire disk-usage

Disk usage for wildfire:
Total disk usage:                             0
Total temporary files:                        0
File limit:           10 (Global), 10 (Channel)

If the command shows a different value, follow the two steps in the Note above (review the limits and commit) so that the change takes effect.
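As an added example (not part of the original article), the following Python script applies the queue calculation described above: it takes the largest configured limit among all file types except APK, divides the platform capacity by it, and compares the result with the File limit reported by "show wildfire disk-usage". The per-type limits, the 100 MB PA-200 capacity and the CLI output are constructed from the article's own figures.

```python
import re

# Constructed per-file-type limits, as entered under Device > Setup > WildFire
# (all converted to KB so MB and KB limits compare on one scale).
CONFIGURED_LIMITS_KB = {
    "pe": 10 * 1024,
    "apk": 50 * 1024,   # excluded from the queue calculation by design
    "pdf": 500,
    "ms-office": 500,
    "jar": 1 * 1024,
    "flash": 5 * 1024,
    "MacOSX": 1 * 1024,
}

# Constructed CLI output modelled on the PA-200 example in the article.
SAMPLE_OUTPUT = """\
Disk usage for wildfire:
Total disk usage:                             0
Total temporary files:                        0
File limit:           10 (Global), 10 (Channel)
"""

FILE_LIMIT_RE = re.compile(r"File limit:\s*(\d+)\s*\(Global\),\s*(\d+)\s*\(Channel\)")


def max_size_excluding_apk(limits_kb):
    """Largest configured limit (KB) among all file types except APK."""
    return max(size for ftype, size in limits_kb.items() if ftype.lower() != "apk")


def expected_file_limit(capacity_mb, limits_kb):
    """Queue slots the firewall should report: [capacity] / [max size]."""
    return (capacity_mb * 1024) // max_size_excluding_apk(limits_kb)


def parse_file_limit(cli_output):
    """Extract (global, channel) limits from 'show wildfire disk-usage' output."""
    match = FILE_LIMIT_RE.search(cli_output)
    if match is None:
        raise ValueError("File limit line not found in CLI output")
    return int(match.group(1)), int(match.group(2))


def queue_needs_recommit(capacity_mb, limits_kb, cli_output):
    """True when the reported queue limit no longer matches the configured sizes,
    i.e. the review-and-commit steps from the Note are still outstanding."""
    global_limit, _ = parse_file_limit(cli_output)
    return global_limit != expected_file_limit(capacity_mb, limits_kb)


if __name__ == "__main__":
    PA200_CAPACITY_MB = 100  # capacity by model, per the linked documentation
    print(expected_file_limit(PA200_CAPACITY_MB, CONFIGURED_LIMITS_KB))  # 10
    print(queue_needs_recommit(PA200_CAPACITY_MB, CONFIGURED_LIMITS_KB, SAMPLE_OUTPUT))  # False
```

Raising the archive limit to 50 MB on the same PA-200 drops the expected File limit to 2, which is exactly the case where the reported value lags the configuration until a commit.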
rvanderveken ‎01-04-2018 02:16 AM
37,793 Views
5 Replies
2 Likes
Overview

WildFire allows users to submit files to the Palo Alto Networks secure, cloud-based, virtualized environment where they are automatically analyzed for malicious activity. Palo Alto Networks lets the file run in a vulnerable environment and watches for specific malicious behaviors and techniques, such as modifying system files, disabling security features, or using a variety of methods to evade detection. Zipped and compressed HTTP (GZIP) files are inspected and any internal EXE and DLL files can be submitted for analysis. The WildFire portal can be used to view the detailed analysis of the analyzed files to see which users were targeted, applications used, and malicious behavior observed. The WildFire portal can also be configured to send email notifications when results are available for review.

Topology (diagram omitted)

How to configure:

1. Go to Device > Setup > WildFire tab.
2. Choose the default-cloud, maximum file size of 2MB.
3. Specify the information to be forwarded to the WildFire server:
   Source IP—Source IP address that sent the suspected file.
   Source Port—Source port that sent the suspected file.
   Destination IP—Destination IP address for the suspected file.
   Destination Port—Destination port for the suspected file.
   Vsys—Firewall virtual system that identified the possible malware.
   Application—User application that was used to transmit the file.
   User—Targeted user.
   URL—URL associated with the suspected file.
   Filename—Name of the file that was sent.
   By default, all the options are selected but they are not required for WildFire to work. Deselect any information that shouldn't be sent to the WildFire cloud.
4. If a Decryption policy is used, WildFire can be enabled to upload the decrypted files. Go to Device > Setup > Content-ID > Enable "Allow Forwarding of Decrypted Content." By default, files that are decrypted will not be forwarded to the WildFire cloud, so adjusting this value in PAN-OS 6.0 will change the behavior.
5. Go to Objects > Security Profiles > File Blocking and add a rule:
   • Name—Enter a rule name (up to 31 characters).
   • Applications—Select any.
   • File Types—Select the file types exe, dll.
   • Direction—Select the direction of the file transfer (Upload, Download, or Both).
   • Action—Select the action taken when the selected file types are detected: forward (the file is automatically sent to WildFire).
6. Apply the File Blocking profile in Policies > Security to the rule on which WildFire protection should be applied. Click OK.
7. Commit the configuration.

WildFire CLI commands

After the basic configuration is complete, the following commands provide the details of the best server selected. To test the connectivity:

> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
        wildfire registration:        successful
        download server list:         successful
        select the best server:       va-s1.wildfire.paloaltonetworks.com

Initial registration can be done only on the active unit in an Active/Passive cluster.

Note: Do not use PING to test connectivity to the server. Ping requests are disabled on the WildFire server. The best practice for testing connectivity is to Telnet to the server on port 443.
To verify whether any files have been forwarded to the server, use the following command:

> show wildfire status
Connection info:
        Wildfire cloud:                default cloud
        Status:                        Idle
        Best server:                   va-s1.wildfire.paloaltonetworks.com
        Device registered:             yes
        Service route IP address:      10.30.24.52
        Signature verification:        enable
        Server selection:              enable
        Through a proxy:               no
Forwarding info:
        file size limit (MB):                  2
        file idle time out (second):           90
        total file forwarded:                  0
        forwarding rate (per minute):          0
        concurrent files:                      0

The "total file forwarded" counter gives the number of files forwarded to the server.

To view WildFire Logs

Go to the Monitor > Logs > Data Filtering page. Use the data filtering logs to check the status of the file. If you see only "forward" with no "wildfire-upload-success" or "wildfire-upload-skip," then the file is either signed by a trusted file signer, or a benign sample the cloud has already seen.

Below is an explanation of the possible actions:

forward
The data plane detected a Potentially Executable file on a WildFire-enabled policy. The file is buffered in the management plane. If only "forward" is displayed for a specific file, then the file is either signed by a trusted file signer, or a benign sample that the cloud has already seen. In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information for previously seen benign files). There will not be an entry in the WildFire Web portal for these files.

To view the count of how many PE files have been checked, found to be clean or uploaded, issue the command:

> show wildfire statistics
statistics for wildfire
DP receiver reset count:                 12
File caching reset cnt:                  12
FWD_ERR_CONN_FAIL                        1
data_buf_meter                           0%
msg_buf_meter                            0%
ctrl_msg_buf_meter                       0%
fbf_buf_meter                            0%

wildfire-upload-success
The file wasn't signed by a trusted signer, and the file hasn't yet been seen by the cloud. In this case, the file (and session info) was uploaded to the cloud for analysis.

wildfire-upload-skip
The file was already seen by the cloud. If the file had been previously determined to be malicious, then the report, previously generated when the verdict was made, appears on the WildFire server. If the file was not malicious and was determined to be benign, then the report is not shown on the WildFire server.

WildFire Portal

To access the WildFire portal, go to https://wildfire.paloaltonetworks.com and log in using your Palo Alto Networks support credentials or your WildFire account. The portal opens to display the dashboard, which lists summary report information for all of the firewalls associated with the specific WildFire account or support account, as well as any files that have been uploaded manually. The display includes the number of analyzed files and indicates how many are infected with malware, benign, or pending analysis.

Other useful commands are:
> show wildfire disk-usage
> debug wildfire dp-status

See Also
Not All Files Appear on the WildFire Portal When Logs Show the Wildfire-Upload-Skip Message

owner: rhirannaiah
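As an added example (not from the original article), here is a Python triage helper for the data filtering log actions explained above. It groups entries per file and session and states, for each file, why it will or will not appear on the WildFire portal; it also reproduces the "wildfire-upload-skip or wildfire-upload-success" filter that the custom report article further down this page uses. The key=value log layout is constructed for the example and is not the firewall's syslog format.

```python
from collections import defaultdict

# Constructed data filtering log entries in a simplified key=value layout
# (not the firewall's actual syslog format); one entry per line.
SAMPLE_LOG = """\
time=09:01:12 session=1001 file=setup.exe  action=forward
time=09:01:13 session=1001 file=setup.exe  action=wildfire-upload-success
time=09:02:40 session=1002 file=helper.dll action=forward
time=09:02:41 session=1002 file=helper.dll action=wildfire-upload-skip
time=09:05:02 session=1003 file=signed.exe action=forward
"""

REPORT_ACTIONS = ("wildfire-upload-skip", "wildfire-upload-success")


def parse_entry(line):
    """Split one constructed log line into a dict of its fields."""
    return dict(field.split("=", 1) for field in line.split())


def entries(log_text):
    return [parse_entry(line) for line in log_text.splitlines() if line.strip()]


def actions_per_file(log_text):
    """Map (session, file) -> actions logged for that file, in log order."""
    grouped = defaultdict(list)
    for entry in entries(log_text):
        grouped[(entry["session"], entry["file"])].append(entry["action"])
    return dict(grouped)


def classify(actions):
    """Explain a file's action sequence using the meanings given in the article."""
    if "wildfire-upload-success" in actions:
        return "uploaded: unsigned and new to the cloud, expect a portal report"
    if "wildfire-upload-skip" in actions:
        return "skipped: already known to the cloud, portal report only if malicious"
    if actions == ["forward"]:
        return "forward only: trusted-signed or known-benign, no portal entry"
    return "unexpected sequence: " + ", ".join(actions)


def triage(log_text):
    """(session, file) -> explanation, for every file seen in the log."""
    return {key: classify(acts) for key, acts in actions_per_file(log_text).items()}


def report_rows(log_text):
    """Entries matched by the custom-report query
    (action eq wildfire-upload-skip) or (action eq wildfire-upload-success)."""
    return [e for e in entries(log_text) if e["action"] in REPORT_ACTIONS]


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_LOG).items():
        print(key, "->", verdict)
    print(len(report_rows(SAMPLE_LOG)), "rows for the custom report")  # 2
```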
rhirannaiah ‎10-28-2015 12:24 AM
80,241 Views
18 Replies
1 Like
Overview

This document describes how to create a custom URL Content Type whenever the Wildfire Submission log entry detail does not display a value for User-Agent.

With the release of PAN-OS 6.1, HTTP header fields have been added to the logs to assist with forensics and troubleshooting tasks. The primary use cases are for threat analysis, such as the following:

• A user is alerted of malicious C2 traffic in the threat log from a client behind a web proxy and wants to identify the infected client. The XFF field in the threat log can be used to identify the infected client.
• A user may be actively investigating the traffic and URL logs of a compromised host. Reviewing the user-agent strings used by the client can help to identify illegitimate user agents or possibly data exfiltration (or data extrusion), the unauthorized transfer of data from a computer.
• Malware served by a malicious drive-by page is identified during the investigation of the traffic and URL log entries associated with a compromised host. What is needed, however, is the page performing the redirect, i.e. the referrer, in order to block the referrer, alert the referrer's owner, find other possibly compromised hosts, etc.
• There is a WildFire report for a malicious file, which makes it necessary to identify the infected host behind a web proxy. The X-Forward-For value in the WildFire report can identify the host.

The logging of these fields is visible in the Detailed Log view of a session in the URL Filtering, Threat, and Wildfire Submission logs. The Detailed Log view displays related logs at the bottom; selecting one of the related logs changes the contents of the view, which allows one to view the details of related logs without leaving the dialogue window. For example, a URL Filtering log entry reveals the URL from which a file was retrieved. The detail of this log may show the Wildfire Submission log associated with the forwarding of the retrieved file to Wildfire for analysis. The detail of the Wildfire Submission log can now display HTTP header information associated with this event.

Details

Logging HTTP Header Information

Before PAN-OS 6.1
Prior to the release of PAN-OS 6.1, users could choose to use the Source User column in the URL Filtering log to display the X-Forwarded-For value. This is enabled in Device > Setup > Content-ID: once the gear to edit the properties is selected, check the x-forwarded-for box to display the contents of this field in the Source User column. This setting is NOT a prerequisite for, nor is it associated with, the PAN-OS 6.1 HTTP Header logging feature and should be considered separately. In PAN-OS 6.1 and later, it may be considered a legacy setting.

PAN-OS 6.1 and Later
The URL Filtering log now has a separate column for the X-FORWARDED-FOR value from the HTTP header. Note: HTTP header logging is enabled on the Settings tab of a URL Filtering Profile. The HTTP Header logging is visible in the log detail of a Wildfire Submissions log entry.

In order for this detail to show up in the Wildfire log, remove the check in "Log container page only" in the URL Filtering security profile. When this box is checked, only the main page that matches a URL category is logged, not any subsequent pages that may be loaded within the main page. Unchecking this box will populate the log detail HTTP Header fields, but the amount of logging could overwhelm the firewall. Instead, it is recommended to create a custom URL Content Type.

Adding HTTP Header Columns to the URL Filtering Log
In Monitor > URL Filtering, add the new columns to the table by highlighting a column next to where the new ones will be placed. Select the downward triangle to expose the contextual menu, then slide over Columns to display the list of columns. The order of the column choices in the list will vary. It may be useful to have URL, X-Forwarded-For, Referrer, and/or User-Agent displayed as column headers.

Selecting the magnifying glass icon in the left-most column of the log table opens the detailed log view window, where there is a section for the HTTP headers. Not all of the fields in the HTTP Headers section will appear filled out with information; sometimes the application making the network connection is not known to PAN-OS.

Defining A Custom URL Content Type
If "Log Container Pages Only" is disabled, the amount of logging on the firewall increases, which can lead to undesirable effects. Alternatively, the HTTP Header Fields section can be populated in the detailed log view of a Wildfire URL Submission entry by creating a custom URL content type.

1. First, identify the content type. One good way to do this is to create a packet capture of the session. In the article's capture (screenshot omitted), the Content-Type associated with the GET of /public/api/test/pe is "application/octet-stream".
2. Go to Device > Setup > Content ID > Container Pages and click Add to create a new container page object. This opens the Custom URL Content Type window.
3. Select Add again to enter "application/octet-stream".
4. When creating a Custom URL Content Type object, include the predefined objects. Select Add multiple times to add them all. This results in the predefined objects in addition to the ones added.

Repeat this process whenever the Wildfire Submission log entry detail does not display a value for User-Agent.

owner: jjosephs
jjosephs ‎09-07-2015 05:42 AM
10,482 Views
1 Reply
2 Likes
For virus or malware infected files to be uploaded to Wildfire, the following needs to be in place:

• A file blocking policy set to forward or continue forward
• Direction set to both
• Application set to any
• File type at the discretion of the firewall administrator

owner: shasnain
npare ‎09-04-2015 05:01 AM
1,772 Views
0 Replies
Issue

By default, the WF-500 WildFire appliance uses the management interface IP address when creating the certificate used by the firewalls connecting to it. This can be an issue if a Fully Qualified Domain Name (FQDN) is desired instead of the IP address.

Resolution

To configure the FQDN and regenerate the certificate on a WF-500 WildFire appliance, enter the following commands:

> configure
# set deviceconfig system hostname your-wf-500-hostname
# set deviceconfig system domain example.com
# commit

Once the commit is finished, the certificate will be generated with both the FQDN specified (your-wf-500-hostname.example.com) and the IP address. Thus, a connection to either can be made successfully.

owner: pmak
pmak ‎09-04-2015 04:34 AM
2,932 Views
0 Replies
PAN-OS 6.0

Details

This document demonstrates how to configure the Palo Alto Networks firewall running PAN-OS 6.0 to send SNMPv2 traps for WildFire logs.

Steps

1. Configure an SNMP Trap Server Profile under Device > Server Profiles > SNMP Trap and click Add:
   Server - Specify a name for the SNMP trap destination (up to 31 characters)
   Manager - Specify the IP address of the trap destination
   Community - Specify the community string required to send traps to the specified destination (default public)
2. Configure the Physical Location and Email address under Device > Setup > Operations > SNMP Setup for version V2c:
   Physical Location - Specify the physical location of the firewall
   Contact - Enter the name or email address of the person responsible for maintaining the firewall
3. Configure the Log Forwarding Profile for WildFire Settings under Objects > Log Forwarding. Under the WildFire Settings, select the SNMP trap server profile created above for both Benign and Malicious verdicts.
4. Click OK and commit.

owner: kadak
kadak ‎08-21-2015 08:54 AM
4,046 Views
0 Replies
Overview

In custom reports, WildFire reports can be generated from the data filtering log and the device threat summary using the actions wildfire-upload-skip and wildfire-upload-success.

Steps

1. Go to Monitor > Manage Custom Reports and add a new report.
2. Select "Data filtering log" for the Database.
3. Select columns as desired. In the article's example (screenshot omitted), the selected column fields are Filename, Threat/Content Name, Action and Repeat Count.
4. Under Query Builder, configure the query as "(action eq wildfire-upload-skip) or (action eq wildfire-upload-success)".

Applying the above template produces a report listing the matching data filtering entries (example output omitted).

Note: This report can be exported in PDF, CSV and XML format.

owner: kadak
kadak ‎12-24-2013 06:16 PM
3,944 Views
0 Replies
If the action in the logs is Allow for a file that came through on a WildFire-enabled policy, it means that the Forward action was changed to Allow by the data plane because the App-ID was identified as an application that is exempted from sending files to the cloud, such as Microsoft updates.

owner: kprakash
kprakash ‎08-13-2012 07:01 PM
1,868 Views
0 Replies