WildFire Counters Descriptions
22235
Created On 09/26/18 19:12 PM - Last Modified 08/05/19 19:48 PM
Resolution
Overview
This document describes the WildFire counters that are seen when running the commands, show wildfire statistics, and show wildfire status from the CLI.
Details
show wildfire statistics counter descriptions:
| Counter | Description |
|---|---|
| Total msg rcvd | Total number of packets received by the management plane from the data plane for the WildFire file forwarding function. |
| Total bytes rcvd | Total number of bytes received by the management plane from the data plane for the WildFire file forwarding function. |
| Total msg lost | Total number of packets received by the management plane from the data plane for the WildFire file forwarding function that have been dropped by the management plane due to full data buffers or an invalid packet header. |
| Total bytes lost | Total number of bytes received by the management plane from the data plane for the WildFire file forwarding function that have been dropped by the management plane due to full data buffers or an invalid packet header. |
| Total msg read | Total number of packets received from the data plane that have been processed by the management plane for the WildFire file forwarding function. |
| Total bytes read | Total number of bytes received from the data plane that have been processed by the management plane for the WildFire file forwarding function. |
| Total msg lost by read | Total number of packets received by the management plane from the data plane for the WildFire file forwarding function that experienced an error condition (such as incorrect packet header or data corruption) where the packet could not be processed. |
| DP receiver reset count | Number of times the WildFire file forwarding function of the data plane has been reset, either automatically (such as during device reset) or manually through the command line. |
| Total file count | Total number of files received by the management plane form the data plane for the WildFire file forwarding function. |
| CANCEL_BY_DP | Number of files being sent to the management plane by the data plane that were canceled by the data plane. This can happen if the file matches an AV signature and the action is to drop, or if any other policy in the firewall drops the session, or if the client or server cancels the transfer. |
| CANCEL_TIME_OUT | Number of files being sent to the management plane by the data plane that were canceled by the management plane due to a timeout in the data transfer. |
| CANCEL_OFFSET_NO_MATCH | Number of files being sent to the management plane by the data plane that were canceled by the management plane due to an unexpected packet (out-of-order or other error condition) in the file stream from the data plane. |
| CANCEL_NO_MEMORY | Number of files being sent to the management plane by the data plane that were canceled by the management plane due to an exhausted data buffer in the management plane. |
| CANCEL_FILE_DUP_EARLY | Number of files being sent to the management plane by the data plane that were canceled by the management plane due to a hit in the first cache level. This occurs when two file transfers occur nearly simultaneously, with one allowed to continue while the duplicates are canceled. |
| CANCEL_FILE_DUP | Number of files being sent to the management plane by the data plane that were canceled by the management plane due to a hit in the second cache level. This occurs when a file has been seen before on a device within a certain period of time. |
| CANCEL_FILESIZE_LIMIT | Number of files being sent to the management plane by the data plane that were canceled by the management plane due to the file growing past the user-defined maximum file size to be forwarded to the WildFire cloud. |
| CANCEL_FILENUM_LIMIT | Number of files being sent to the management plane by the data plane that were canceled by the management plane due to the number of concurrent file transfers exceeding a predefined maximum. |
| CANCEL_DISK_IO_FAIL | Number of times the management plane failed to write temporary files to the disk before sending them to the WildFire cloud. This can occur with a general disk fault, and can also occur when the disk buffer is near quota. |
| CANCEL_FWD_PIPE_FULL | Number of files being sent to the management plane by the data plane that were canceled by the management plane due to exhaustion of a buffer that maintains data on the files buffered on disk. |
| DROP_NO_MEMORY | Number of packets received by the management plane from the data plane for the WildFire file forwarding function that have been dropped by the management plane due to an exhausted data buffer in the management plane. |
| DROP_NO_MATCH_FILE | Number of packets received by the management plane from the data plane for the WildFire file forwarding function that have been dropped by the management plane because the packet does not appear to belong to a file that the management plane is currently buffering. |
| DROP_HASH_LIMIT_HIT | Number of packets received by the management plane from the data plane for the WildFire file forwarding function that have been dropped by the management plane due to the number of concurrent file transfers exceeding a predefined maximum. |
| DROP_DECODE_FAIL | Number of packets received by the management plane from the data plane for the WildFire file forwarding function that have been dropped by the management plane because the packet was malformed and could not be decoded successfully. |
| DROP_FWD_PIPE_FULL | Number of packets received by the management plane from the data plane for the WildFire file forwarding function that were dropped by the management plane due to exhaustion of a buffer that maintains data on the files buffered on disk. |
| DROP_CTLMSG_BUF_FULL | Number of file transfer cancellation messages to be sent from the management plane to the data plane that were dropped due to buffer exhaustion. |
| File caching reset cnt | Number of times the WildFire file hash cache has been reset, either automatically or manually through the command line. |
| FWD_CNT_LOCAL_FILE | Number of files received by the management plane for the WildFire file forwarding function that have been determined to be new based on the local device file hash cache. |
| FWD_CNT_LOCAL_DUP | Number of files received by the management plane for the WildFire file forwarding function that have been determined to be previously seen based on the local device file hash cache. |
| FWD_CNT_LOCAL_FILE_CLEAN | Number of files received by the management plane for the WildFire file forwarding function that have been determined to be benign based on local checks such as trusted file signer. |
| FWD_CNT_REMOTE_FILE | Number of files received by the management plane for the WildFire file forwarding function that have never been seen by the device, and have been determined to be new based on a query to the WildFire cloud. |
| FWD_CNT_REMOTE_DUP_CLEAN | Number of files received by the management plane for the WildFire file forwarding function that have never been seen by the device, and have been determined to be benign based on a query to the WildFire cloud. |
| FWD_CNT_REMOTE_DUP_TBD | Number of files received by the management plane for the WildFire file forwarding function that have never been seen by the device, and have not yet been assigned a verdict based on a query to the WildFire cloud. |
| FWD_CNT_REMOTE_DUP_MAL | Number of files received by the management plane for the WildFire file forwarding function that have never been seen by the device, and have been determined to be malware based on a query to the WildFire cloud. |
| FWD_CNT_CACHE_SYNC | Number of files received by the management plane for the WildFire file forwarding function that has been seen by the device, but the WildFire cloud has not seen the file. This can happen if a device caches a file hash but fails to send a file to the cloud because of lack of connectivity or other issues. When this occurs, the local cache entry is removed |
| LOG_CNT_CACHE_EXPIRED | Number of files received by the management plane for the WildFire file forwarding function that are in the device hash cache but the cache entry is expired and needs to be refreshed with a query to the WildFire cloud. Introduced in PAN-OS5.0. |
| LOG_CNT_DAILY_CAP_HIT | Number of times a file was received by the management plane to be sent to the WildFire cloud when the device was already over the daily upload limit for non-subscriber users of WildFire. The file is buffered while space is still available to be sent the following day. Introduced in PAN-OS 5.0. |
| FWD_ERR_UNKNOWN_QUERY_RESPONSE | Number of times the device queried the WildFire cloud for a verdict but received an unrecognized result. |
| FWD_ERR_CONN_FAIL | Number of times an attempt to establish an SSL tunnel between the device and the WildFire cloud has failed. A connection is either immediately retried or attempted at a 1 minute interval, depending on the function being performed. |
| FWD_ERR_CONN_TIMEOUT | Number of times a file has been dropped due to a timeout condition while attempting to upload the file to the WildFire cloud. |
| FWD_ERR_READ_FILE | Number of times a file has been dropped due to an unexpected corruption or deletion of the file in the on-disk file buffer. |
| FWD_ERR_SERVER_BUSY | Number of times a file has been queued because the upstream WildFire appliance is reaching it's queue low water mark. |
| LOG_ERR_REPORT_LOG_GEN_FAIL | Number of times a WildFire log entry failed to be created on the device due to a software communications error. Introduced in PAN-OS 5.0. |
| LOG_ERR_REPORT_CACHE_NOMATCH | Number of times the WildFire cloud provides report data for log events that have already been populated with report data from the cloud. This is not an error event. Introduced in PAN-OS 5.0. |
| CANCEL_NO_LICENSE | Number of advanced file types (APK, PDF, Microsoft Office, and Java Applet) not forwarded or the number of files not forwarded to WF500 due to no valid WF license. Introduced in PAN-OS 6.0. |
| CANCEL_CONCURRENT_LIMIT | Number of files that are cancelled due to reaching the concurrent limit which is the number of files saved on disk at any given moment, either in transition or complete. Introduced in PAN-OS 6.0. |
| Service connection reset cnt | Number of times the SSL tunnel between the device and the WildFire cloud has been reset, either automatically or manually through the command line. When the connection is reset, the disk buffer of files to be sent to the cloud is reset as well. |
| Log cache reset cnt | Number of times the WildFire log cache has been reset, either automatically or manually through the command line. Introduced in PAN-OS 5.0. |
| Report cache reset cnt | Number of times the WildFire report cache has been reset, either automatically or manually through the command line. Introduced in PAN-OS 5.0. |
| data_buf_meter | Percentage of utilization of memory buffer on the management plane used to collect packet payloads and reassemble files sent from the data plane for the WildFire file forwarding function. |
| msg_buf_meter | Percentage of utilization of memory buffer on the management plane used to collect packet headers and reassemble files sent from the data plane for the WildFire file forwarding function. |
| ctrl_msg_buf_meter | Percentage of utilization of memory buffer on the management plane used to buffer file cancellation messages to be sent from the management plane to the data plane. |
| fbf_buf_meter | Percentage of utilization of memory buffer on the management plane used to point to the buffered file locations on disk before the files are sent to the WildFire cloud. |
show wildfire status counter descriptions
| Counter | Description |
|---|---|
| Wildfire cloud: | Displays either "public cloud" or the ip address of the WF-500 |
| Status: | Displays "idle" when setup properly, or "Disabled due to configuration" if there is no file blocking profile with the action forward or continue-forward |
| Best server: | Displays the connected WildFire server or the ip address of the WF-500 |
| Device registered: | Displays "yes" when setup properly and registered with the WildFire cloud / WF-500, or "no" if the device has not been able to register with Wildfire |
| Valid wildfire license: | Displays if a valid Wildfire license is used |
| Service route IP address: | IP address used to initiate connection to WildFire |
| Signature verification | Displays signature verification info |
| Through a proxy | Displays if Wildfire connection is through a proxy |
| File size limit info | Describes the maximum file size upload limit |
| Forwarding info: | Describes idle timeout, total number of files forwarded, and the maximum number of files that can be uploaded per minute |
owner: sdarapuneni