Does WildFire work in "Tap" mode?


L4 Transporter

We have had WildFire turned on for almost a week.  In the Data Filtering logs, it has "forwarded" numerous "PE" files and only 1 "PE" file was logged as "wildfire-upload-success".  That 1 file happened to be coming through the interfaces that are set to Virtual Wire.  All of the other files that say "Forward" are coming through "Tap" mode.

1) Can Palo Alto send files to WildFire if it's seeing the file traverse the network via Tap mode?

2) What exactly is the difference between the actions "Forward" and "wildfire-upload-success"?

Accepted Solutions

L3 Networker

Yes, there is no difference in WildFire behavior in tap mode vs. inline, other than the fact that in tap, you can't later use signatures generated by WildFire to block future instances of the malware, because you're not inline.

The wildfire-upload-success means the file was actually uploaded to the cloud because the cloud had not seen the file before, and it wasn't signed by a trusted signer.  In this case, the file is uploaded to be analyzed.  A "forward" action simply means that the WildFire action was taken for the file, but didn't result in an actual file upload (because it was a trusted file, or WildFire has already seen the file).

3 REPLIES

Hello,

My Palo Alto is configured in two modes: Layer 3 and TAP.

I turn WildFire on.

The feature is working in Layer 3 mode (two net interfaces - one IN, the other OUT) but not in TAP mode (one dedicated net interface).

I use the same File blocking profile for the two policies.

Can you confirm WildFire is working the same way in Layer 3 and TAP mode?

Thanks for your answer.

Yes, WildFire works the same in L3 and tap mode. I'm not sure why your setup isn't working only in tap mode.
