Wildfire - is the full subscription worth it?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Wildfire - is the full subscription worth it?

L4 Transporter

Apologies for the somewhat blunt title but it really is as simple as that Smiley Happy

I've been using the bundled WildFire service for some time and did begin to wonder if it was working until it pinged on a couple of zero day Zeus trojans - seems our folks are just too well behaved by and large.

Anyway, I'm on the 30 day trial license and I wanted peoples views on whether they find the full subscription to be worthwhile?

On the Monitor/Wildfire tab it seems to take an age to update the logs and also it only shows malicious files - is there a way to show benign files as well like it does on the portal?

12 REPLIES 12

L7 Applicator

(Biased response, I work for Palo Alto Networks).  I think it's worth it.  The real interesting comparison is looking at the price of another vendor's malware analysis solution vs. the cost of a WildFire license.  It's usually night and day in favor of WildFire - and that's just the cost.  The functionality comparison is even better.

Yes, you can log benign files.  It's disabled by default, here's how to turn it on:

admin@pa0(active)# set deviceconfig setting wildfire report-benign-file yes

admin@pa0(active)# commit

Jared, thanks, appreciate the disclosure too Smiley Happy

Do you guys have a best practise document or guide on how to get the best out of WildFire?

I'm interested in are how to deal with SSL based downloads and how to deal with URL filtering.

We do SSL decryption already but of course there's a significant overhead the wider you case the net.

With URL filtering I guess the obvious option is to set block or continue on the "Unknown" category but I'm curious what Palo Alto would tell someone doing a POC to do to get the most out of the unit.

I should add we have a PA-500 so the solution may differ from if it was a 4050 Smiley Happy

Have you had a look at the new PAN-OS 6.0 WildFire administrator's guide?

- WildFire Administrator's Guide 6.0 (English)

By performing SSL decryption for unknown URL categories, you're already one step ahead in the "game".  From a best-practices standpoint, you should be doing as much SSL decryption as possible - whether it be search engines, social networking, web-based e-mail, etc.  What if someone hacks www.example.com (which may be categorized as business) and uses it to serve-up malware?

When I first started using WildFire, I looked for opportunities to get malware "hits".  It was cool to see reports, see what the malware does, etc.  But when it comes time to deploy in production, you don't need more alerts.  Look at the recent breach at a well-known retailer...  from what I've read they had malware analysis systems doing their job - and the alerts didn't help.  It seems like the case of the boy who cried wolf. 

That's when it clicked that your policy shouldn't be "send everything to WildFire".  Your policy should take more control about what content is permitted to traverse the firewall in the first place, and then send to WildFire only what you explicitly allow through.  Let me explain:

In the past you may have denied your users access to their personal Gmail accounts because of the potential risks involved.  Using SSL Decryption allows you to see what your users are doing inside of Gmail - so now you can use IPS, AntiSpyware, AntiVirus.  You can even use WildFire to scan files (such as executables) sent through Gmail.  My question is this: Should a user ever be downloading .exe files through their personal Gmail account?  No.  (at least not in my network).  What about through Facebook?  Nope, not that either.  So instead of permitting exe files through Gmail and sending them out to WildFire for analysis, why not just block them outright using a file blocking policy?  Lather, rinse, repeat for other applications that are permitted through your environment. 

Most environments can't block all risky files (pdfs|exe|apk|java|office).  There will be situations where you must permit them through.  That's where WildFire shines.  Now, when you receive a WildFire report with a malicious verdict, you can do something about it.  It means more because you're not sick of hearing "wolf!!!". 

From a security functionality standpoint, it doesn't matter whether it's a PA-200, a PA-7050 chassis, or the VM-Series firewalls in the datacenter - they all have these same features.  The main difference is just how it scales.  If your PA-500 isn't up to the task of doing more SSL decryption in your environment, then I would highly recommend an upgrade!  (repeat bias alert).

That all makes total sense Jared.  Where I'm struggling a little is with current best practises on what URL categories to decrypt.  For example yes, it makes sense to decrypt "Unknown", and maybe to even consider setting "Continue" as the URL Filtering action, but there seems to be articles on the KB here saying not to decrypt unknown like the PDF here Controlling SSL Decryption

Who is right i.e. what is a sensible decryption policy in terms of URL categories (lets ignore privacy for a moment and concentrate on not breaking any application)? Smiley Happy

Everyone's situation is different - but I'm happy to give my opinion.  Some environments may not require any SSL decryption at all (guest wireless with BYOD, for example).  Other environments should use it extensively.  Smiley Happy  For the sake of argument, let's ignore privacy AND breaking applications. 

I believe that you should decrypt anything and everything, even to the point of breaking applications.  Anything not decrypted becomes a liability/risk.  If you're unable to decrypt something because it breaks (ie: Dropbox which uses a hard-coded client certificate), then that becomes a business decision on whether to permit that application understanding the limitation, to block the application outright because of that limitation, or to find a different solution that can be decrypted. 

Thankfully, decryption policies can be done by user, IP address, URL category, zones, etc.  Start small and test it out, slowly spread the net, and roll with the punches. 

Again, just one person's opinion. 

L4 Transporter

Once you start seeing malicious Office documents getting into your network  via email or start looking at the source of some of your spyware (botnet traffic) and realize that the only files they pulled down were java you will understand the value of the wildfire subscription service under PAN OS 6.0.  We are waiting for 6.0.3 to come out before making the jump.  We will be getting the wildfire subscription service primarily for it's coverage of Office, PDF and java files. (we already block downloading of APK files).

Phil

PDF and Office Documents would be a challenge simply due to privacy concerns - nothing against Palo Alto here but a Word document is in a different league to an executable when it comes to being happy submitting it outside the company Smiley Happy

Java is interesting as we do have to install it for some business apps and we all know how fabulously secure and pleasant Java is.

Jared, that's a fair take on it and of course in an ideal world you'd just flick a switch and decrypt the lot.  Is there a current list of stuff (be it sites or applications) that does not work well with decryption?

Not applicable

Interesting question in deed. I just purchased the subscription and haven not fully enabled it yet. Please forgive me if this is not the correct place to ask some simple question. If not kindly point me in the right direction. I am new to using this type if forum. If I set wildfire to Block, does it block all the files or just the malicious files?

Block is just that.  It would block all of the specified file types.  Action = Forward is the action that would forward the file types to Wildfire.

Phil

There are 2 settings. There is a file blocking profile which can be setup to alert, continue, block, or forward to WildFire for sandboxing based on file type. There is another setting for WildFire signatures under the AV profile. This setting is used to decide what you would like to do with WildFire malware signatures. If you set WildFire signatures to block, it will block on malicious files based on the WildFire signatures. WildFire signatures are updated every 30 minutes based on malware detected from all devices sending files to WildFire.

Interesting - as I'm only trialling the subscription I hadn't dove in too deeply - I didn't realise you could set to block based just on Wildfire - thanks.

Thank you for the reply this was very helpful.

  • 4903 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!