WildFire is a cloud-based service that integrates with the Palo Alto Firewall and provides detection and prevention of malware.
Pre PAN-OS 7.0
In PAN-OS version 6.0 and 6.1, WildFire is configured as a File Blocking Profile
PAN-OS 7.0 +
Starting with PAN-OS 7.0, WildFire is configured as a WildFire Analysis Profile and can then be applied to a security policy that matches the traffic that needs to be analysed.
In a security policy (screenshot: Security Policy Rule with WildFire configured).
If the security policy is strict, verify that the application paloalto-wildfire-cloud is allowed outbound from the management interface to the internet. The application may need to be added to the existing service policy that already covers paloalto-updates and similar services, or an additional Service Route needs to be added to bind wildfire-cloud to the external interface.
WildFire can be set up as a File Blocking profile with the following Actions
Forward: The file is automatically sent to "WildFire" cloud.
Continue and Forward: The user gets a "continue" prompt before the download, and the file is forwarded to WildFire.
Since PAN-OS 7.0 the continue action can still be set in a File Blocking profile; the WildFire Analysis profile then only needs to specify whether files are sent to the public-cloud or, if a WF-500 appliance is available, to the private-cloud.
Only files of the types selected in the WildFire configuration are matched and handled by the WildFire cloud.
Palo Alto Networks firewalls compute the hash of the file and first send only that hash to the WildFire cloud, where it is compared against the hashes of files the cloud has already seen. If there is no match, the file itself is uploaded and inspected, and the file details can be viewed on the WildFire portal (https://wildfire.paloaltonetworks.com/).
A file can also be manually uploaded to the WildFire portal for analysis.
To confirm that the management port can communicate with the WildFire cloud, use the "test wildfire registration" command in the CLI.
> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
    wildfire registration:    successful
    download server list:     successful
    select the best server:   va-s1.wildfire.paloaltonetworks.com
The device will only register to the WildFire cloud if a valid WildFire license is present.
The commands below can also be used to verify WildFire operation:
> show wildfire status
Signature verification: enable
Server selection: enable
File cache: enable
WildFire Public Cloud:
Server address: wildfire.paloaltonetworks.com
Best server: eu-west-1.wildfire.paloaltonetworks.com
Device registered: yes
Through a proxy: no
Valid wildfire license: yes
Service route IP address:
File size limit info:
pe 2 MB
apk 10 MB
pdf 200 KB
ms-office 500 KB
jar 1 MB
flash 5 MB
... cut for brevity
> show wildfire statistics
Packet based counters:
Total msg rcvd: 1310
Total bytes rcvd: 1424965
Total msg read: 1310
Total bytes read: 1393525
... cut for brevity
> show wildfire cloud-info
Public Cloud channel info:
Cloud server type: wildfire cloud
Supported file types:
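The hash-first submission logic described above, the per-type size limits shown by "show wildfire status", and the two Submissions log actions below (wildfire-upload-success / wildfire-upload-skip) can be tied together in a small simulation. The following Python is an added example and is not code from the original article or from Palo Alto Networks: it parses a constructed copy of the "show wildfire status" text into a structure (registration, license, size limits) and then replays the forward-or-skip decision for a file. The set of "already seen" hashes standing in for the cloud lookup, the assumption that a file above its type's size limit or of an unconfigured type is not forwarded, and the "not-forwarded" reason strings are all assumptions made for the example.

```python
"""Added example: parse `show wildfire status` output and simulate the
forward-or-skip decision. Not from the original article; see the
assumptions noted in the comments."""
import hashlib
import re

# Constructed sample of `show wildfire status` output (same fields as the
# article's excerpt; values are illustrative).
SAMPLE_STATUS = """\
Signature verification: enable
Server selection: enable
File cache: enable
WildFire Public Cloud:
Server address: wildfire.paloaltonetworks.com
Best server: eu-west-1.wildfire.paloaltonetworks.com
Device registered: yes
Through a proxy: no
Valid wildfire license: yes
Service route IP address:
File size limit info:
pe 2 MB
apk 10 MB
pdf 200 KB
ms-office 500 KB
jar 1 MB
flash 5 MB
"""

UNITS = {"KB": 1024, "MB": 1024 * 1024}


def parse_status(text):
    """Return (registered, licensed, limits); limits maps file type -> bytes.

    Only the lines after "File size limit info:" are treated as size
    entries, so unrelated "key: value" lines are ignored.
    """
    registered = licensed = False
    limits = {}
    in_limits = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Device registered:"):
            registered = line.split(":", 1)[1].strip() == "yes"
        elif line.startswith("Valid wildfire license:"):
            licensed = line.split(":", 1)[1].strip() == "yes"
        elif line.startswith("File size limit info:"):
            in_limits = True
        elif in_limits:
            m = re.fullmatch(r"(\S+)\s+(\d+)\s+(KB|MB)", line)
            if m:
                limits[m.group(1)] = int(m.group(2)) * UNITS[m.group(3)]
    return registered, licensed, limits


def sha256_hex(data):
    """Hex SHA256 of the file content (the value the firewall sends first)."""
    return hashlib.sha256(data).hexdigest()


def decide(file_type, data, limits, known_hashes, registered=True, licensed=True):
    """Simulate the decision for one file; returns (action, sha256).

    Assumed model (not stated verbatim on the page): an unregistered or
    unlicensed device forwards nothing; a type without a configured limit
    or a file above its limit is not forwarded; a hash the cloud already
    knows yields wildfire-upload-skip, otherwise wildfire-upload-success.
    """
    digest = sha256_hex(data)
    if not (registered and licensed):
        return "not-forwarded: device not registered or unlicensed", digest
    if file_type not in limits:
        return "not-forwarded: file type not configured", digest
    if len(data) > limits[file_type]:
        return "not-forwarded: exceeds size limit", digest
    if digest in known_hashes:
        return "wildfire-upload-skip", digest
    return "wildfire-upload-success", digest


if __name__ == "__main__":
    reg, lic, lim = parse_status(SAMPLE_STATUS)
    print("registered:", reg, "licensed:", lic, "limits:", lim)
    # Constructed "already analysed" set standing in for the cloud lookup.
    seen = {sha256_hex(b"already-seen-sample")}
    for ftype, blob in [("pe", b"already-seen-sample"), ("pe", b"new-sample"),
                        ("pdf", b"x" * (200 * 1024 + 1)), ("zip", b"abc")]:
        print(ftype, decide(ftype, blob, lim, seen)[0])
```

Feeding the real output of "show wildfire status" (copied from the CLI) to parse_status gives a quick registration and license check that can be scripted into a health monitor; the decide function is only a model of the behaviour the article describes, not the firewall's code.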
The WildFire Submissions logs provide details after a WildFire action:
wildfire-upload-success: The file was successfully uploaded to the WildFire cloud.
wildfire-upload-skip: The WildFire cloud has already seen the file, thus the file is not uploaded to the WildFire cloud. If the file is "Benign", no entry is seen on the WildFire portal.
Regardless of whether the file was uploaded or had already been analysed earlier and was therefore not uploaded, the log entry is populated with the WildFire report for this SHA256. If the file was only recently uploaded, the WildFire analysis may not have completed yet, in which case the report is not yet available.