After receiving an email link from a firewall, WildFire visits the links to determine if the corresponding web page is hosting malicious content (not just exploits). If WildFire determines that the page itself is benign, it will not generate a log.
However, if it detects malicious behavior on the page, it returns a malicious verdict and:
The firewall forwards email links in batches of 100 email links or every two minutes, whichever comes first. Each batch upload to WildFire counts as one upload toward the upload per-minute capacity for the given firewall platform.
If the link corresponds to a file download, WildFire does not analyze the file. However, if the end user clicks the link to download the file, the firewall forwards that file to WildFire for analysis, as long as the corresponding file type is enabled for forwarding.
To determine if the firewall is forwarding email links, run the following command from the firewall that is configured to forward to WildFire.
admin@PA-200> show wildfire statistics
To view the file type, go to the email-link counter section under Counters for file forwarding.
When email links are forwarded, the following counters will increment:
– FWD_CNT_APPENDED_BATCH: Indicates the number of email links added to a batch waiting for upload to WildFire.
– FWD_CNT_LOCAL_FILE: Indicates the total number of email links uploaded to WildFire.
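One way to turn the counter check above into a repeatable test is to save the command output twice and compare the email-link counters. This is an added example, not Palo Alto Networks code; the snapshot layout produced by make_snapshot is a constructed assumption, and the function names are hypothetical.

```python
import re

COUNTERS = ("FWD_CNT_APPENDED_BATCH", "FWD_CNT_LOCAL_FILE")

def make_snapshot(pe_files, appended, uploaded):
    """Constructed sample output; this layout is an assumption, not a device capture."""
    return (
        "Counters for file forwarding:\n"
        "  file type: pe\n"
        f"      FWD_CNT_LOCAL_FILE          {pe_files}\n"
        "  file type: email-link\n"
        f"      FWD_CNT_APPENDED_BATCH      {appended}\n"
        f"      FWD_CNT_LOCAL_FILE          {uploaded}\n"
    )

def email_link_counters(text):
    """Read the two counters from the email-link section only."""
    values = dict.fromkeys(COUNTERS, 0)
    in_section = False
    for line in text.splitlines():
        header = re.match(r"\s*file type:\s*(\S+)", line)
        if header:
            # The same counter names appear under other file types; skip those.
            in_section = header.group(1) == "email-link"
            continue
        counter = re.match(r"\s*(FWD_CNT_\w+)\s+(\d+)\s*$", line)
        if in_section and counter and counter.group(1) in values:
            values[counter.group(1)] = int(counter.group(2))
    return values

def forwarding_status(before, after):
    """Classify what happened between two snapshots of the command output."""
    old, new = email_link_counters(before), email_link_counters(after)
    delta = {name: new[name] - old[name] for name in COUNTERS}
    if min(delta.values()) < 0:
        return "counters-reset", delta   # a counter went backwards; take a new baseline
    if delta["FWD_CNT_LOCAL_FILE"] > 0:
        return "uploaded", delta         # links reached WildFire
    if delta["FWD_CNT_APPENDED_BATCH"] > 0:
        return "queued", delta           # added to a batch, upload still pending
    return "idle", delta                 # no email links seen in the interval

if __name__ == "__main__":
    t0 = make_snapshot(12, 40, 40)
    t1 = make_snapshot(15, 47, 40)       # seven links batched, none uploaded yet
    t2 = make_snapshot(15, 47, 47)       # the batch has been uploaded
    print(forwarding_status(t0, t1))
    print(forwarding_status(t1, t2))
```

A "queued" result is expected for up to two minutes after test mail arrives, since a batch is uploaded at 100 links or every two minutes, whichever comes first.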
The firewalls themselves do not send images to WildFire. However, when a URL is delivered to WildFire, the actual web page is analyzed dynamically. If opening the web page triggers malicious content within its images, WildFire dynamically analyzes that content and derives a verdict from it.