Wildfire Configuration, Testing, and Monitoring

WildFire is a cloud-based service that integrates with the Palo Alto Firewall and provides detection and prevention of malware.

Pre PAN-OS 7.0

In PAN-OS versions 6.0 and 6.1, WildFire is configured as a File Blocking Profile.

 

PAN-OS 7.0+

Starting with PAN-OS 7.0, WildFire is configured as a WildFire Analysis Profile and can then be applied to a security policy that matches the traffic that needs to be analysed.

 


In a security policy:

[Figure: Security Policy Rule with WildFire configured.]

If the security policy is restrictive, verify that the application paloalto-wildfire-cloud is allowed outbound from the management interface to the internet. The application may need to be added to the existing policy that already permits paloalto-updates and similar services, or an additional Service Route needs to be added to bind wildfire-cloud to the external interface.

 


WildFire can be set up as a File Blocking profile with the following actions:

  1. Forward: The file is automatically sent to "WildFire" cloud.
  2. Continue and Forward: The user will get a "continue" action before the download and the information will be forwarded to the WildFire.

Since PAN-OS 7.0 the continue action can still be set in a File Blocking profile, while the WildFire Analysis profile simply sends the file to the public-cloud or, if a WF-500 appliance is available, to the private-cloud.

 

Only the file types selected in the WildFire configuration are matched and forwarded to the WildFire cloud.

Palo Alto Networks firewalls compute the hash of the file and first send only the computed hash to the WildFire cloud; in the cloud the hash is compared against the files WildFire has already analysed. If there is no match, the file is uploaded and inspected, and the file details can be viewed on the WildFire portal (https://wildfire.paloaltonetworks.com/).

A file can also be manually uploaded to the WildFire portal for analysis.

 

WildFire Testing/Monitoring:

To verify that the management port is able to communicate with the WildFire cloud, use the "test wildfire registration" command in the CLI:

> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
        wildfire registration:         successful
        download server list:          successful
        select the best server:        va-s1.wildfire.paloaltonetworks.com

The device will only register to the WildFire cloud if a valid WildFire license is present.

 

The commands below can also be used to verify WildFire operation: 

> show wildfire status 

Connection info: 
  Signature verification:        enable
  Server selection:              enable
  File cache:                    enable

WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Status:                        Idle
  Best server:                   eu-west-1.wildfire.paloaltonetworks.com
  Device registered:             yes
  Through a proxy:               no
  Valid wildfire license:        yes
  Service route IP address:     

File size limit info: 
  pe                                           2 MB
  apk                                         10 MB
  pdf                                        200 KB
  ms-office                                  500 KB
  jar                                          1 MB
  flash                                        5 MB

... cut for brevity
> show wildfire statistics

Packet based counters:
        Total msg rcvd:                           1310
        Total bytes rcvd:                      1424965
        Total msg read:                           1310
        Total bytes read:                      1393525

... cut for brevity
> show wildfire cloud-info

Public Cloud channel info: 
  Cloud server type:             wildfire cloud
  Supported file types:         
                                 jar
                                 flash
                                 ms-office
                                 pe
                                 pdf
                                 apk
                                 email-link
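
As an added example (not from the article or from Palo Alto Networks), a small Python parser for the "show wildfire status" listing above that turns it into a registration/license health check and a per-type size check; the listing embedded in it is constructed to mirror the output shown above.

```python
import re

# Sample listing, constructed to mirror the "show wildfire status" output
# shown above (public cloud, registered, licensed, three size limits).
SAMPLE_STATUS = """\
WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Status:                        Idle
  Best server:                   eu-west-1.wildfire.paloaltonetworks.com
  Device registered:             yes
  Valid wildfire license:        yes
  Service route IP address:

File size limit info:
  pe                                           2 MB
  apk                                         10 MB
  pdf                                        200 KB
"""

UNITS = {"KB": 1024, "MB": 1024 ** 2}

def parse_status(text):
    """Return (fields, limits): indented 'key: value' lines as a dict (an
    empty value such as no service route becomes ''), limits in bytes."""
    fields, limits = {}, {}
    for line in text.splitlines():
        if not line.startswith(" "):
            continue  # section headers and blank lines carry no values
        kv = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if kv:
            fields[kv.group(1).strip()] = kv.group(2).strip()
            continue
        lim = re.match(r"\s*(\S+)\s+(\d+)\s+(KB|MB)\s*$", line)
        if lim:
            limits[lim.group(1)] = int(lim.group(2)) * UNITS[lim.group(3)]
    return fields, limits

def check_health(fields):
    """Return the conditions that, per the article, stop submissions."""
    problems = []
    if fields.get("Device registered") != "yes":
        problems.append("device is not registered with the WildFire cloud")
    if fields.get("Valid wildfire license") != "yes":
        problems.append("no valid WildFire license; registration needs one")
    return problems

def exceeds_limit(file_type, size_bytes, limits):
    """True if a file of this type is too large (or of an unlisted type)."""
    return file_type not in limits or size_bytes > limits[file_type]
```

Feed it the real listing (for example captured over SSH) in place of SAMPLE_STATUS to alert when a firewall drops out of registration.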

 

The WildFire Submissions logs provide details after a WildFire action:

  • wildfire-upload-success: The file was successfully uploaded to the WildFire cloud.
  • wildfire-upload-skip: The WildFire cloud has already seen the file, so the file is not uploaded again. If the file is "Benign", no entry is seen on the WildFire portal.

Regardless of whether the file is uploaded or was already analysed in the past and not uploaded, the log entry is populated with the WildFire report for this SHA256. If the file has only recently been uploaded, the WildFire analysis may not have completed yet, in which case the report is not yet available:

 

owner: tpiens

 

Comments

There is no clear explanation as to why there could be a forward message for a download only to be followed a few seconds later by a wildfire-upload-skip message for the same file.  The documentation is horrendous for explaining logging.  I have not been able to find a doc that clearly explains the logs anywhere.

wildfire-upload-skip is because the WildFire cloud knows this file, because the Palo Alto device created a signature like an MD5 signature and attempted to compare it on the WildFire cloud.

The upload doesn't have to happen if you have matched the signature on the cloud.

What if the forward action cannot take action (e.g. file type is set to any in the profile and action is set to forward; some file types are not supported by WildFire)? Will the action be "alert" in monitoring?

I have the same question:

What if the forward action cannot take action (e.g. file type is set to any in the profile and action is set to forward; some file types are not supported by WildFire)? Will the action be "alert" in monitoring?

Make sure "disable server response inspection" is unchecked on security policy when testing the fake malicious file.

If it is checked, it will not be inspected for file blocking.

Still no good explanation on how WildFire works.

We daily see several samples of the same file (same name, same SHA-256 and MD5 checksum) passing through the WildFire check, only to be uploaded and categorized as 'malicious'. Time after time.
This is not how WildFire should work; can anyone at PAN bring the one and only correct manual on WildFire?
the

We are close to stopping using WildFire....

We have the same problem. Same file is repeatedly marked as malicious and never blocked (we have WF action set to block, valid WF licence, updating every 15 minutes). Even after 2 days it's still not blocked. We opened the case.

Hey,

I have seen that these counters are increasing:

        Total msg lost by read:                1273038

        Total DROP_NO_MATCH_FILE  1273038

          CANCEL_FILE_DUP                          43112

We have a problem that we stopped getting WildFire Submissions logs for a month for some reason.

Does someone have an idea?

WildFire does not block files. It is a notification system. Your user downloaded a file. The firewall did an MD5 checksum and sent this to the WildFire cloud. The cloud then rated this checksum as "benign, malicious, or unknown". Unknown files will be uploaded to WildFire.

 

If a file is flagged as Malicious, signatures get created in the sandbox and downloaded to PAID users at 15 or 30 minute intervals. FREE users get the signatures in the next threat/av update (24-48 hours later). Make sure your firewall is checking for updates daily and installing the updates. You may also need to create a file blocking profile to take advantage of the new signatures. 

 

Wildfire is more like a global honeypot. PAN users all over the world and in all business sectors are contributing samples to the database for signature creation.

 

SK

This document should also include this URL for testing.

 

wildfire.paloaltonetworks.com/publicapi/test/pe

 

That URL is located in a separate document.

live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-WildFire-with-a-Fake-Malicious-File/ta-...

 

 

When I do the following:
test wildfire registration = WildFire is disabled

show wildfire status = Device registered: no

 

I guess it is a known issue with 7.0.8 and lower

Here is the fix from support:

>debug software restart process vardata-receiver

>request wildfire registration

>test wildfire registration

>show wildfire status

>show wildfire statistics

Hi All,

 

I have enabled WF public cloud on my firewall. However, files are not getting uploaded.

 

WF registration is successful.

Enabled Benign and Grayware files to be uploaded.

License looks good.

Enabled on a specific rule which allows mail, tried sending benign attachments. It's not uploading to the WF cloud.

 

Any suggestions?

 

Thanks in advance.

 

Regards,

Raghav

hi @RbadigerCY

 

Is your mail perhaps encrypted? Did you set the appropriate file types and application? Did you make sure the file is not larger than the maximum file size permitted by WildFire?

Yes my mails are encrypted. I created a decryption policy, created certificate on firewall, imported that to my end-point and checked.

 

My mail traffic is decrypted now, but still files are not getting uploaded to WF.

Bit of an old question, but I was browsing this KB and noticed no-one responded to you Rbadiger.

Beside the Decryption Policy, you also have to explicitly allow the sending of decrypted content to Wildfire. This is an additional layer to avoid unwanted upload of sensitive documents to the cloud.

This setting can be found on the firewall under Device/Setup/Content-ID/Content-ID Settings in the top checkbox.

If you are decrypting correctly and files that match your wildfire profile are now visible, checking this box will also send them to your preferred Wildfire cloud.

 

hope it helps,

 

R