Management Articles

Issue
In WF-500 version 7.1.x or earlier deployments, the Palo Alto Networks device first establishes a TCP port 443 connection to the WF-500. The WildFire appliance provides "<WF500-IP>:10443" as the server list, and the Palo Alto Networks firewall then connects to the WildFire appliance on TCP port 10443. TCP port 10443 is used to forward files and fetch reports. When the WildFire appliance is configured with a host name, it instead sends <WF_Hostname:10443> to the firewall. If the firewall's DNS cannot resolve this host name, registration fails and no files are forwarded to the WF-500 appliance.

Starting from PAN-OS 8.0, TCP 443 is used for all connections (10443 is no longer communicated as a 'go-to'). Firewalls still use 10443 to fetch signatures.

Resolution
Either configure the host name such that it is resolved by the firewall's DNS, or delete the host name by using the following CLI commands:

admin@WF-500# delete deviceconfig system hostname
admin@WF-500# commit

owner: ssharma
ssharma ‎07-13-2018 12:09 AM
When a WF-500 appliance is configured to submit reports to the cloud using either of the commands

> set deviceconfig setting wildfire cloud-intelligence submit-report yes
> set deviceconfig setting wildfire cloud-intelligence submit-sample yes

the WildFire portal will not show corresponding entries for the uploads. The submitted data is used only internally to contribute to WildFire statistics and threat intelligence.

On the WF-500, the "show wildfire local statistics day <1-31>" command can be used to verify the submissions:

> show wildfire local statistics day 7

General Stats
  Total Disk Usage: 66/1283(GB) (5%)

Sample Queue
  SUBMITTED  ANALYZED  PENDING
  236        236       0

Verdicts
  Malware  Grayware  Benign  Error
  2        0         234     0

Session and Upload Count
  Sessions  Uploads
  313       3

For a WF-500 running PAN-OS 7.1 or earlier, use the "show wildfire statistics" command to verify the submissions:

> show wildfire statistics
Last one hour statistics :
Total sessions submitted : 456
Samples submitted        : 10
  analyzed               : 10
  pending                : 0
  malicious              : 6
  benign                 : 4
  error                  : 0
  uploaded               : 1

See Also: How to Interpret the "show wildfire statistics" Command Output on WF-500
phrdlicka ‎05-09-2018 10:17 AM
Overview
This document describes how to configure WildFire to block files that are given the "malicious" verdict, as seen in the threat logs.

Requirements:
Valid WildFire subscription license
WildFire file submission and signature update enabled. Verify that they are functioning correctly.

Steps
1. From the WebGUI, go to Objects > Security Profiles > Antivirus.
2. Choose the appropriate profile (existing or new). Note: The "default" profile cannot be used for WildFire blocking.
3. For each appropriate protocol, modify the action to "reset-both" or "drop" as seen appropriate (for PAN-OS 6.1 and earlier, set the action to "block"). Then, click OK.
   Note: Due to protocol limitations, POP3/IMAP are not appropriate for the reset/drop/block action.
4. Go to Policies > Security. Select the appropriate security rule (edit existing or create new), then apply the Antivirus profile from Step 2 (go to the Actions tab and look for Profile Setting).
5. Commit.

Additional Notes
WildFire is not meant to be a complete replacement for Antivirus; rather, it complements it for day-1 attacks. WildFire may produce more false positives due to its architecture and design. Use extra care when you start blocking with WildFire.

See Also
WildFire Overview
Fundamentals Guide: Security Policies

owner: spiromruen
spiromruen ‎11-15-2017 12:28 PM
Details
During the deployment of WildFire or the WF-500, customers may want to test the download of malicious files. Since WildFire does not forward files that are known or signed by a trusted file signer, Palo Alto Networks provides a mechanism to easily test this setup.

Palo Alto Networks randomly generates a test file and provides it at the following URL:
http://wildfire.paloaltonetworks.com/publicapi/test/pe

The purpose of this test file is strictly to test file forwarding to the WildFire cloud (public and private WF-500). Note that no signature will be created for these test PE files, so the test file will never be blocked as virus or wildfire-virus even if an Antivirus Profile is configured for the policy.

owner: mdjeric
mdjeric ‎09-20-2017 06:25 AM
All communication between a WF-500 WildFire appliance and a Palo Alto Networks firewall is initiated by the firewall. The WF-500 listens for requests and sends the requested data to the firewall. When a Palo Alto Networks firewall sends files to the WF-500 for analysis, the firewall periodically checks the WF-500 for the status of the scan. When the file results are available, the firewall is given the results the next time it requests the status.

Here are the ports used and the direction in which the traffic flows:

Direction                   Ports Used - TCP
Firewall to WF-500          443 and 10443
Panorama to WF-500          443 and 10443
WF-500 to WildFire cloud    443
WF-500 to Content server    443

owner: pmak
pmak ‎07-17-2017 03:48 PM
The Palo Alto Networks network security platform requires access to a few specific services in order to perform Dynamic Updates and WildFire functions. When deployed behind existing firewalls or proxy servers, these external resources and services must be accessible from the management interface of the Palo Alto Networks platform. If the traffic flows traverse a Palo Alto Networks platform, the following applications may need to be included in the security rulebase: paloalto-updates, pan-db-cloud, paloalto-wildfire-cloud, and brightcloud.

Application, Threat and Anti-Virus database updates
updates.paloaltonetworks.com:443
staticupdates.paloaltonetworks.com:443

PAN-DB URL filtering seed updates and cloud lookups
*.urlcloud.paloaltonetworks.com:443

Brightcloud URL filtering database updates
database.brightcloud.com:80,443
service.brightcloud.com:80

WildFire
wildfire.paloaltonetworks.com:443
*.wildfire.paloaltonetworks.com:443
jp.wildfire.paloaltonetworks.com:443 (Japan)
*.jp.wildfire.paloaltonetworks.com:443 (Japan)
sg.wildfire.paloaltonetworks.com:443 (Singapore)
*.sg.wildfire.paloaltonetworks.com:443 (Singapore)
eu.wildfire.paloaltonetworks.com:443 (Europe)
*.eu.wildfire.paloaltonetworks.com:443 (Europe)

GlobalProtect database updates
c733.r33.cf1.rackcdn.com:80

Note: The updates.paloaltonetworks.com FQDN resolves to CDN-based IP addresses. If static IP addresses are required, staticupdates.paloaltonetworks.com may be used instead.

owner: rhagen
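When the platform sits behind a proxy or an upstream firewall, the practical first step is to confirm each endpoint above is reachable from the management network before debugging registration. The Python below is an added example, not Palo Alto Networks tooling: it parses the endpoint list above (wildcard names cannot be resolved, so they are reported as skipped rather than tested) and attempts a plain TCP connect to each, which is also what the later advice on this page recommends over ping for port 443. The five-second timeout and the "skipped" marker are this example's choices.

```python
"""Check TCP reachability of the update and WildFire endpoints listed above.

Added example; not Palo Alto Networks tooling. ENDPOINT_TEXT copies the
article's list; regional notes in parentheses are dropped during parsing.
"""
import socket

ENDPOINT_TEXT = """\
updates.paloaltonetworks.com:443
staticupdates.paloaltonetworks.com:443
*.urlcloud.paloaltonetworks.com:443
database.brightcloud.com:80,443
service.brightcloud.com:80
wildfire.paloaltonetworks.com:443
*.wildfire.paloaltonetworks.com:443
jp.wildfire.paloaltonetworks.com:443 (Japan)
*.jp.wildfire.paloaltonetworks.com:443 (Japan)
sg.wildfire.paloaltonetworks.com:443 (Singapore)
*.sg.wildfire.paloaltonetworks.com:443 (Singapore)
eu.wildfire.paloaltonetworks.com:443 (Europe)
*.eu.wildfire.paloaltonetworks.com:443 (Europe)
c733.r33.cf1.rackcdn.com:80
"""


def parse_endpoints(text):
    """Return (host, port, testable) tuples.

    'host:80,443' expands to one tuple per port; a trailing '(Region)' note
    is removed; wildcard hosts are kept for reporting but marked untestable.
    """
    endpoints = []
    for line in text.splitlines():
        line = line.split("(")[0].strip()
        if not line:
            continue
        host, ports = line.split(":")
        for port in ports.split(","):
            endpoints.append((host, int(port), not host.startswith("*")))
    return endpoints


def tcp_reachable(host, port, timeout=5.0):
    """True when a TCP handshake completes.

    A proxy-only egress path or a missing rule in the upstream firewall shows
    up here as a timeout or a refused connection (both raise OSError).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_all(text=ENDPOINT_TEXT):
    """Map (host, port) to True/False, or to a 'skipped' marker for wildcards."""
    results = {}
    for host, port, testable in parse_endpoints(text):
        results[(host, port)] = tcp_reachable(host, port) if testable else "skipped (wildcard)"
    return results


if __name__ == "__main__":
    # Run this from a host on the management network to mirror what the
    # firewall's management interface must be able to reach.
    for (host, port), status in check_all().items():
        print(f"{host}:{port} -> {status}")
```

A `False` for updates.paloaltonetworks.com with `True` for staticupdates.paloaltonetworks.com is the pattern to expect when an upstream filter only permits static addresses, which is the case the article's closing note addresses.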
rhagen ‎06-13-2017 03:35 PM
Overview
This document describes the file size limits for files forwarded by the WF-500 to the WildFire public cloud.

Details
Shown below are the 5 formats supported by WF-500 with their file size limits:

Format               Max File Size Limit    Default
JARs (MB)            1 - 10                 1
Executables (MB)     1 - 10                 2
PDFs (KB)            100 - 200              200
MS Office Docs (KB)  200 - 10000            500

owner: kadak
kadak ‎06-12-2017 09:46 AM
When Aperture analyzes a file, it first queries WildFire to check whether the file has been seen before. If not, it checks its WildFire policy to determine whether or not to forward the file to WildFire for malware analysis. When this happens, the WildFire cloud retention policies still apply. Note that forwarding files to WildFire is a policy decision in Aperture, not an "always on" function.

For data analysis, access, and exposure controls, Aperture examines files in memory only. This means that no customer files are copied to Aperture's storage. When the analysis queue is complete, the compute nodes that analyzed the files are destroyed and the memory is wiped in accordance with AWS data destruction terms and policies. Aperture retains metadata, that is, information about the files (file size, creator, modification date, etc.), but not the files themselves. Aperture does not currently offer any SLA on how long this metadata is retained, but currently it is not capped and is held for up to 90 days following termination of service in case service is resumed.
ntrubic ‎05-08-2017 05:25 AM
Symptoms
The firewall is not able to register to the WF-500. Checking the status shows "Disabled by cloud server":

admin@PA-VM> show wildfire status channel private
Connection info:
  Signature verification: enable
  Server selection: enable
  File cache: enable
WildFire Private Cloud:
  Server address: 1.2.3.4
  Status: Disabled by cloud server
  Best server:
  Device registered: no
  Through a proxy: no
  Valid wildfire license: yes
  Service route IP address: 1.2.3.3

Testing WF-500 registration immediately fails:

admin@PA-VM> test wildfire registration channel private
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
  Private Cloud
    WildFire is disabled

The following message is logged in varrcvr.log:

admin@PA-VM> less mp-log varrcvr.log
(...)
2016-10-25 16:50:42.260 +0200 Cloud determines that wildfire is not supported on this device

Diagnosis
The WF-500 checks the PAN-OS version of the connecting firewalls, and rejects the connection if a firewall is running a higher minor feature release than itself. For example, a WF-500 running PAN-OS 7.0 will reject connections from firewalls running PAN-OS 7.1.

Solution
Upgrade the WF-500 to the same minor feature release as the firewall, or higher. After the upgrade is completed, reset the WF-500 connection on the firewall:

admin@PA-VM> debug wildfire reset forwarding channel private
WildFire connection reset for Private Cloud is triggered
mkrstic ‎04-03-2017 09:46 AM
WildFire is a cloud-based service that integrates with the Palo Alto Networks firewall and provides detection and prevention of malware.

Pre PAN-OS 7.0
In PAN-OS versions 6.0 and 6.1, WildFire is configured as a File Blocking Profile.

PAN-OS 7.0+
Starting with PAN-OS 7.0, WildFire is configured as a WildFire Analysis Profile, which can then be applied to a security policy that matches the traffic that needs to be analysed.

In a security policy: a Security Policy Rule with WildFire configured. If the security policy is strict, make sure that the application paloalto-wildfire-cloud is allowed outbound from the management interface to the internet. The application may need to be added to the existing service policy containing paloalto-updates and similar services, or an additional Service Route needs to be added to bind wildfire-cloud to the external interface.

WildFire can be set up as a File Blocking profile with the following actions:
Forward: The file is automatically sent to the WildFire cloud.
Continue and Forward: The user gets a "continue" page before the download, and the file is forwarded to WildFire.
Since PAN-OS 7.0 the continue action can still be set in a File Blocking profile, while the WildFire Analysis profile can simply be set to send to the public-cloud or, if a WF-500 appliance is available, to the private-cloud.

A file matching a file type selected in the WildFire configuration is checked against the WildFire cloud: the Palo Alto Networks firewall computes the hash of the file and sends only the computed hash to the WildFire cloud, where it is compared with the hashes of files the cloud has already seen. If the hash does not match, the file is uploaded and inspected, and the file details can be viewed on the WildFire portal (https://wildfire.paloaltonetworks.com/). A file can also be manually uploaded to the WildFire portal for analysis.

WildFire Testing/Monitoring
To ensure the management port is able to communicate with WildFire, use the "test wildfire registration" command in the CLI:

> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
        wildfire registration:        successful
        download server list:         successful
        select the best server:       va-s1.wildfire.paloaltonetworks.com

The device will only register to the WildFire cloud if a valid WildFire license is present.

The commands below can also be used to verify WildFire operation:

> show wildfire status
Connection info:
  Signature verification: enable
  Server selection: enable
  File cache: enable
WildFire Public Cloud:
  Server address: wildfire.paloaltonetworks.com
  Status: Idle
  Best server: eu-west-1.wildfire.paloaltonetworks.com
  Device registered: yes
  Through a proxy: no
  Valid wildfire license: yes
  Service route IP address:
File size limit info:
  pe 2 MB
  apk 10 MB
  pdf 200 KB
  ms-office 500 KB
  jar 1 MB
  flash 5 MB
... cut for brevity

> show wildfire statistics
Packet based counters:
  Total msg rcvd: 1310
  Total bytes rcvd: 1424965
  Total msg read: 1310
  Total bytes read: 1393525
... cut for brevity

> show wildfire cloud-info
Public Cloud channel info:
  Cloud server type: wildfire cloud
  Supported file types: jar flash ms-office pe pdf apk email-link

The WildFire Submissions logs provide details after a WildFire action:
wildfire-upload-success: The file was successfully uploaded to the WildFire cloud.
wildfire-upload-skip: The WildFire cloud has already seen the file, so the file is not uploaded to the WildFire cloud. If the file is "Benign", no entry is seen on the WildFire portal.

Regardless of whether the file was uploaded or had already been analysed in the past and was not uploaded, the log entry will be populated with the WildFire report for this SHA-256.

In case the file has recently been uploaded, the WildFire analysis may not have been completed yet, in which case the report will not yet be available.

owner: tpiens
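The status output above, and the "Disabled by cloud server" output in the WF-500 registration article earlier on this page, can be checked mechanically rather than by eye. The Python below is an added example, not Palo Alto Networks code: it parses `show wildfire status` text as pasted from the CLI (the indentation is this example's assumption, since the pasted output on the page is flattened), flags a device that is unlicensed, unregistered, without a selected server, or disabled by the cloud server, and encodes the minor-feature-release rule the WF-500 article gives for that last case. The two embedded samples are the page's own outputs; 1.2.3.4 and 1.2.3.3 are the article's placeholders.

```python
"""Parse `show wildfire status` output and flag registration problems.

Added example for this page; not Palo Alto Networks code. The samples are
the articles' own outputs, re-indented here (indentation is an assumption).
"""
import re

# Healthy public-cloud registration (from the WildFire configuration article)
PUBLIC_OK = """\
Connection info:
  Signature verification: enable
  Server selection: enable
  File cache: enable
WildFire Public Cloud:
  Server address: wildfire.paloaltonetworks.com
  Status: Idle
  Best server: eu-west-1.wildfire.paloaltonetworks.com
  Device registered: yes
  Through a proxy: no
  Valid wildfire license: yes
  Service route IP address:
"""

# WF-500 rejecting the firewall (from the "Disabled by cloud server" article)
PRIVATE_DISABLED = """\
Connection info:
  Signature verification: enable
  Server selection: enable
  File cache: enable
WildFire Private Cloud:
  Server address: 1.2.3.4
  Status: Disabled by cloud server
  Best server:
  Device registered: no
  Through a proxy: no
  Valid wildfire license: yes
  Service route IP address: 1.2.3.3
"""

_KV = re.compile(r"^\s*([A-Za-z][^:]*?)\s*:\s*(.*?)\s*$")


def parse_status(text):
    """Return {section: {key: value}}.

    An unindented line with no value ("Connection info:", "WildFire Public
    Cloud:") opens a section; an indented line with an empty value
    ("  Best server:") is an ordinary key whose value is ''.
    """
    sections, current = {}, "global"
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value == "" and not line[0].isspace():
            current = key
            sections.setdefault(current, {})
        else:
            sections.setdefault(current, {})[key] = value
    return sections


def registration_findings(sections):
    """List the problems to act on; an empty list means the device is registered.

    PAN-OS 8.x output keeps the registration keys under a '... Cloud' section;
    older output (as in the later articles on this page) keeps them directly
    under 'Connection info', so fall back to that section.
    """
    cloud = next((v for k, v in sections.items() if k.endswith("Cloud")), None)
    cloud = cloud or sections.get("Connection info", {})
    problems = []
    if cloud.get("Valid wildfire license", "").lower() != "yes":
        problems.append("no valid WildFire license: registration will not happen")
    if cloud.get("Status", "").lower().startswith("disabled by cloud server"):
        problems.append("disabled by cloud server: the WF-500 runs an older minor "
                        "feature release than this firewall, upgrade the WF-500")
    if cloud.get("Device registered", "").lower() != "yes":
        problems.append("device not registered")
    if not cloud.get("Best server"):
        problems.append("no server selected: check that the server list entries resolve in DNS")
    return problems


def feature_release(version):
    """'7.1.3' -> (7, 1): only the minor feature release matters for the check."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def wf500_accepts(wf500_version, firewall_version):
    """A WF-500 rejects a firewall running a higher minor feature release than its own."""
    return feature_release(wf500_version) >= feature_release(firewall_version)


if __name__ == "__main__":
    for name, sample in (("public", PUBLIC_OK), ("private", PRIVATE_DISABLED)):
        print(name, registration_findings(parse_status(sample)) or ["OK"])
    print("WF-500 7.0 accepts a 7.1 firewall:", wf500_accepts("7.0.1", "7.1.3"))
```

Paste the output of `show wildfire status` (or `show wildfire status channel private`) into `parse_status` and act on the findings in the order returned: a missing license or a version mismatch explains the unregistered state, so fix that first before chasing the server selection.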
nagarkar ‎10-17-2016 02:13 PM
Even though the Palo Alto Networks firewall is not configured with the WildFire feature, it automatically performs WildFire public cloud registration when passive DNS monitoring is enabled in the Anti-Spyware profile.
rashobana ‎05-11-2016 04:30 AM
WildFire may occasionally produce incorrect verdicts, either false positives (a file deemed 'malware' when it is 'benign') or false negatives (a file deemed 'benign' when it is 'malware').

If the verdict needs to be reconsidered by Palo Alto Networks, users can report it via the WildFire portal or via the PAN-OS WebUI. This feature has been available since PAN-OS 6.0.

Reporting an incorrect verdict from the PAN-OS WebUI
This method assumes that your firewall has connectivity to the internet.
1. Go to the Monitor tab, then select 'WildFire Submissions' in the selection tree. Once the file has been found in the list, open the details by selecting the magnifying glass icon on the left.
2. The 'Detailed Log View' window opens. Click the VirusTotal link under 'Coverage Status'; this helps validate whether the file has been observed by third-party vendors and what verdict they gave for the very same file.
3. In our example, the file is not found in VirusTotal. In the previous window, select 'Download File' to obtain the sample file. We are going to submit the sample file to VirusTotal to find their verdict.
   The downloaded file is named [SHA-256].extension.samplenumber. Here is our example: 5a8207c2fcb904e1ef295fd61eb4c90c37e081acc6a18377a588b40079ce0553.exe.000. The .000 prevents the file from being executed by mistake. Do not rename the file to .exe and execute it. If the file is malicious, it will infect your computer.
4. On the VirusTotal page, select "Take me back to the main page". Choose the sample file and submit it to VirusTotal by selecting "Scan it!" VirusTotal shows the results of the scan. In this example, the file is a false positive: it was deemed malicious, though VirusTotal reports 0 of 57 AV vendors deeming it malicious.
5. Go back to the WildFire Analysis Report and click "report an incorrect verdict."
6. The "Report Incorrect Verdict" form opens. Enter your e-mail address and add details that explain why you believe the WildFire verdict to be incorrect. Substantiate your claim by adding the detection ratio obtained from VirusTotal. Click OK to complete your submission.

Reporting an incorrect verdict from the WildFire Portal
1. Browse to https://wildfire.paloaltonetworks.com/wildfire/dashboard and select the "Reports" tab.
2. Enter the SHA-256 in the search box.
3. Once the report is found, click the square icon on the left.
4. Click the VirusTotal link under 'Coverage Status'; this helps validate whether the file has been observed by third-party vendors and what verdict they gave for the very same file.
5. In our example, the file is not found in VirusTotal. In the previous window, select 'Download File' to obtain the sample file. We are going to submit the sample file to VirusTotal to find their verdict.
   The downloaded file is named [SHA-256].extension.samplenumber. Here is our example: 5a8207c2fcb904e1ef295fd61eb4c90c37e081acc6a18377a588b40079ce0553.exe.000. The .000 prevents the file from being executed by mistake. Do not rename the file to .exe and execute it. If the file is malicious, it will infect your computer.
6. On the VirusTotal page, select "Take me back to the main page." Choose the sample file and submit it to VirusTotal by selecting "Scan it!" VirusTotal shows the results of the scan. In this example, the file is a false positive: it was deemed malicious, though VirusTotal reports 0 of 57 AV vendors deeming it malicious.
7. Go back to the WildFire Analysis Report and click "report an incorrect verdict."
8. The "Report Incorrect Verdict" form opens. Enter your e-mail address and add details that explain why you believe the WildFire verdict to be incorrect. Substantiate your claim by adding the detection ratio obtained from VirusTotal. Click OK to complete your submission.

owner: mivaldi
mivaldi ‎12-10-2015 12:38 PM
Details
Use the following commands to check content updates on the WildFire Appliance:

1. Log in to the WildFire appliance CLI.
2. List the content packages on disk by running the command:
admin@WF-500> debug device content show
wpc-8457-2015-04-21T19-15-50.pkg
wpc-8464-2015-04-21T19-43-46.pkg
wpc-8465-2015-04-21T19-43-49.pkg
wpc-8466-2015-04-21T19-43-51.pkg
wpc-8467-2015-04-21T19-43-53.pkg
3. Remove all content files from disk by running the command:
admin@WF-500> debug device content delete-all
4. Create new content by running the command:
admin@WF-500> debug device content create

Use this command to view the supported VM images on the WildFire Appliance:

Log in to the WildFire appliance CLI.
admin@WF-500> show wildfire vm-images
Supported VM images:
vm-1  Windows XP, Adobe Reader 9.3.3, Flash 9, Office 2003. Support PE, PDF, Office 2003 and earlier
vm-2  Windows XP, Adobe Reader 9.4.0, Flash 10n, Office 2007. Support PE, PDF, Office 2007 and earlier
vm-3  Windows XP, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010 and earlier
vm-4  Windows 7 32bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010 and earlier
vm-5  Windows 7 64bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010 and earlier

owner: hlim
HLim ‎12-02-2015 12:40 PM
Overview
This document describes how to create a custom report on Panorama for WildFire threats that are sent to the cloud.
Note: The Device Threat Summary database referenced in the steps below is populated from logs collected from the Palo Alto Networks firewalls and is available in Panorama.

Steps
To identify the WildFire threats sent to the cloud:
1. Go to Monitor > Manage Custom Reports.
2. Add a new custom report and select Device Threat Summary for the Database.
3. Configure a filter under Query Builder for a Threat ID range from 3000000 to 4000000.
Note: A current WildFire subscription license is required to produce this report.

The example below shows a report with the name WildFire and the configuration described in the above steps. The following screenshot shows an example of a report:

owner: ssunku
Phoenix ‎09-09-2015 01:48 PM
PAN-OS 5.0, 6.0

Details
There may be occasions where WildFire was enabled on the Palo Alto Networks firewall but is no longer in use. After the WildFire subscription ends, the firewall still attempts to upgrade the WildFire package. From the firewall's perspective, the WildFire license is no longer valid; however, it still attempts to obtain a new package. This is evident in the system log entries below:

4/30/2014 3:14:00 PM Failed to upgrade Wildfire package to version <unknown version>
4/30/2014 3:14:00 PM Wildfire: No update is applied. No valid Wildfire license.

The WildFire update schedule can be disabled from the CLI. Run the following commands to disable the update schedule, thereby avoiding the system log entries being written:

> configure
# delete deviceconfig system update-schedule wildfire
# commit

Note: The WildFire update schedule is not accessible through the WebUI.

owner: jye
jye ‎09-08-2015 05:05 PM
Issue
When executing the show threat id CLI command, the output displays the following:

> show threat id 3002499
unknown wildfire

Resolution
The device may not have a WildFire license, or the license has expired.

To verify whether the licenses have expired, check the asset inventory on the Support Portal or execute this CLI command:

> request license info

The following is an example output showing a valid license:

> request license info
Current GMT Date: January 14, 2015

License entry:
Feature: WildFire License
Description: WildFire signature feed, integrated WildFire logs, WildFire API
Serial: 0000C000000
Issued: July 22, 2013
Expires: July 22, 2016
Expired?: no

owner: acamacho
acamacho ‎09-08-2015 06:22 AM
Symptom
A file cannot be manually uploaded to a WF-500 appliance.

Workaround
It is not possible to upload a file directly to the WF-500 manually through the web interface, but the WildFire API can be used to manually upload samples and download reports. For more information, see: Use the WildFire API on a WF-500 Appliance.

If the Palo Alto Networks firewall is configured to forward all types of files to WildFire, there should be no need to upload them manually through the web interface. To configure the Palo Alto Networks firewall to forward all files to the WF-500, specify the WF-500 IP address in the WildFire configuration: go to Device > Setup > WildFire and edit the WildFire Server from default-cloud to the WF-500 IP address, as shown in the example below. This configuration forwards the files to the WF-500 appliance instead of the WildFire cloud.

owner: ukhapre
ukhapre ‎08-31-2015 10:04 AM
Symptom
On the passive HA peer, testing WildFire registration with the test wildfire registration CLI command fails immediately with the following output:

> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
        wildfire registration:         failed

To view the vardata-receiver debug log, use the following CLI command:

> less mp-log varrcvr.log

This log will not show any debug entries concerning attempts to register. Any packet captures taken will show that the Palo Alto Networks firewall never attempts to connect to any WildFire server (no outbound TCP connection over port 443 to wildfire.paloaltonetworks.com).

Cause
This occurs because WildFire registration does not take place on a passive HA peer. Fail over the HA pair to make the system active and test registration again.

owner: nmassman
NoahMH ‎08-31-2015 08:48 AM
Details
PAN-OS 6.1 introduced the ability for WildFire to follow links seen in e-mails to proactively check for malicious content. WildFire users can now also manually submit links for inspection in the WildFire portal. Links can be submitted by navigating to Upload Sample > URL Upload and selecting the Webpage option.
Note: Reports will only be generated for malicious links. Benign sites will not generate any reports.
For more information on enabling the automatic inspection of links contained in e-mail, see: How to Enable Email Link Forwarding with WildFire.

owner: ggarrison
ggarrison ‎06-23-2015 08:34 PM
Overview
The Palo Alto Networks firewall can be configured to communicate only with specific IP addresses for various services, including WildFire. In the case of WildFire, the firewall can be configured to communicate only with a single WildFire server, with automatic server selection disabled.

Details
To disable automatic server selection, run the following command on the CLI:

PAN-OS 6.0 and below:
# set deviceconfig setting wildfire disable-server-select yes

PAN-OS 6.1 and above:
> debug wildfire server-selection disable

Go to the Device > Setup > Wildfire tab on the web UI and specify a WildFire Server, as shown below.

The configuration can be verified on the CLI with the following command:

> show wildfire status
Connection info:
        Wildfire cloud:                jp-s1.wildfire.paloaltonetworks.com
        Status:                        Idle
        Best server:                   jp-s1.wildfire.paloaltonetworks.com
        Device registered:             yes
        Valid wildfire license:        yes
        Service route IP address:      10.64.16.8
        Signature verification:        enable
        Server selection:              disable
        Through a proxy:               no

owner: apasupulati
apasupulati ‎10-03-2013 09:03 PM
Issue
WildFire registration fails even though the device has a valid license and is configured for WildFire. Running test wildfire registration from the CLI yields a failed result. Looking at the var receiver logs does not provide much information on the issue. The WildFire status (show wildfire status) indicates that the issue is with the configuration.

Resolution
Create a file blocking profile with the action set to "Forward" or "Continue-Forward" and apply it to a security policy. The registration should then succeed.

owner: sdarapuneni
zarina ‎03-04-2013 04:43 PM
Overview
This document describes the CLI commands to verify connectivity to the WildFire cloud and the status of files being uploaded to it.

Details
Once the basic configuration is complete, the following command provides the details of the best server selected:

> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
        wildfire registration:        successful
        download server list:         successful
        select the best server:       va-s1.wildfire.paloaltonetworks.com

Note: Do not use PING to test connectivity to the server. Ping requests are disabled on the WildFire server. The best practice to test connectivity is to Telnet to the server on port 443.

To verify whether any files have been forwarded to the server, enter the following command:

> show wildfire status
Connection info:
        Wildfire cloud:                default cloud
        Status:                        Idle
        Best server:                   va-s1.wildfire.paloaltonetworks.com
        Device registered:             yes
        Service route IP address:      192.168.1.1
        Signature verification:        enable
        Server selection:              enable
        Through a proxy:               no
Forwarding info:
        file size limit (MB):          2
        file idle time out (second):   90
        total file forwarded:          0
        forwarding rate (per minute):  0
        concurrent files:              0

The total file forwarded counter provides the number of files forwarded to the server.

Data filtering logs can be used to check the status of a file. There are three actions available: forward, wildfire-upload-success and wildfire-upload-skip. A forward entry with no corresponding wildfire-upload-success or wildfire-upload-skip means the file is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. Below is an explanation of the different status possibilities.

forward - The data plane detected a PE (Potentially Executable) file on a WildFire-enabled policy. The PE file is buffered in the management plane. If only forward is displayed for a specific file, it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent for previously seen benign files). There will not be an entry in the WildFire Web portal for these files. To view the count of how many PE files have been checked, found to be clean or uploaded, issue the command:

> show wildfire statistics

wildfire-upload-success - The file was not signed by a trusted signer, and the file has not yet been seen by the cloud. In this case, the file (and session info) was uploaded to the cloud for analysis.

wildfire-upload-skip - PAN-OS 5.0: The wildfire-upload-skip message appears for all files identified and eligible to be sent to WildFire (i.e. they show the forward action) which are not sent because they have already been seen. This includes both benign and malware.

You should see a 1-to-1 relationship between forward logs and one of wildfire-upload-success or wildfire-upload-skip. Either of these two WildFire actions should result in a corresponding report in the WildFire Web portal.

See Also
Uploading Multiple Files to Wildfire

owner: mvenkatesan
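The 1-to-1 relationship described above is easy to check over an exported log extract: group the entries by SHA-256 and see which of the three outcomes each file ended in. The Python below is an added example, not Palo Alto Networks code. Its log extract is constructed for the example and uses a simplified comma-separated layout (time, action, filename, sha256) with placeholder hashes, not the real PAN-OS log field order; the "orphan-upload" and "mismatch" outcomes are this example's names for cases the article says should not occur.

```python
"""Correlate WildFire data filtering log actions per file.

Each 'forward' should pair with exactly one 'wildfire-upload-success' or
'wildfire-upload-skip'; a forward with neither means a trusted-signer or
already-seen benign file, which never appears in the portal.

Added example; not Palo Alto Networks code. SAMPLE_LOG is constructed.
"""
import csv
from collections import OrderedDict
from io import StringIO

# Constructed extract: time, action, filename, sha256 (placeholder hash labels)
SAMPLE_LOG = """\
2012-03-09 03:10:01,forward,setup.exe,sha256-A
2012-03-09 03:10:03,wildfire-upload-success,setup.exe,sha256-A
2012-03-09 03:11:10,forward,tool.exe,sha256-B
2012-03-09 03:11:11,wildfire-upload-skip,tool.exe,sha256-B
2012-03-09 03:12:00,forward,vendor-signed.exe,sha256-C
2012-03-09 03:13:30,wildfire-upload-success,unknown.exe,sha256-D
"""

UPLOAD_ACTIONS = ("wildfire-upload-success", "wildfire-upload-skip")
FIELDS = ["time", "action", "filename", "sha256"]


def correlate(log_text):
    """Group rows by SHA-256 and record the forward count and upload actions seen."""
    files = OrderedDict()
    for row in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        entry = files.setdefault(row["sha256"],
                                 {"filename": row["filename"], "forward": 0, "uploads": []})
        if row["action"] == "forward":
            entry["forward"] += 1
        elif row["action"] in UPLOAD_ACTIONS:
            entry["uploads"].append(row["action"])
    return files


def classify(entry):
    """Map the actions seen for one file to the outcome the article describes."""
    if entry["forward"] and not entry["uploads"]:
        return "forward-only"      # trusted signer or benign already seen: no portal entry
    if not entry["forward"] and entry["uploads"]:
        return "orphan-upload"     # upload without a forward: check the log source
    if len(entry["uploads"]) != entry["forward"]:
        return "mismatch"          # not 1-to-1: check log forwarding / collection
    if entry["uploads"][0] == "wildfire-upload-success":
        return "uploaded"          # new sample sent to the cloud; a report will follow
    return "already-seen"          # wildfire-upload-skip: the cloud already has a report


def report(log_text):
    """Return {sha256: outcome} for every file in the extract."""
    return {sha: classify(entry) for sha, entry in correlate(log_text).items()}


if __name__ == "__main__":
    for sha, outcome in report(SAMPLE_LOG).items():
        print(f"{sha}: {outcome}")
```

Files that come back as "uploaded" or "already-seen" are the ones to look up in the WildFire portal by SHA-256; "forward-only" files will not be there, which is expected rather than a fault.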
mvenkatesan ‎03-09-2012 03:22 AM