File Uploads to Wildfire

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

File Uploads to Wildfire

L1 Bithead

I have seen another thread on this issue in the KnowledgePoint database; however, there was no resolution or answer to the question.  I have setup the Wildfire configuration on all of my PA500's per the documentation provided.  When matching the file blocking rule I can see it in the Monitor interface for the file with a "forward" action, but it doesn't appear to be uploading to the Wildfire servers, or at least not showing up on the Wildfire portal.

The configuration was put in place about an hour ago, and the previous KnowledgePoint article I reviewed said they started seeing files in 15 minutes. Any ideas?

4 REPLIES 4

L3 Networker

Hi Steven

I too had the same problem. I ended up disabiling the feature as I could not see any files being sent to the web site.

Hope you get this resolved as it would be nice to get it working.

Rod

Some good news on this issue. I have three PA500's located at different campuses.  The PA located at our main campus uploaded the first file about 2 hours after I configured the firewall. Since then it has uploaded about 6 files, which seems a bit small in number considering I have 900+ student on campus; however, better than nothing.  As of yet, I have not had any uploads from  either of the other campuses, after almost 24 hours.

I have configured the PA's per the documentation and have not "tweaked" the configuration in any way. If I see any changes in this, I will post back.

Just as a sanity check. I just got done configuring my wildfire.

Objects > File Blocking > Configured a "rule" for any app and any file time in both directs and the action is 'forward'.

Then I applied that to a Security Profile Group which is being called by many different security policies. I see in the Data Logs themsevles on the Dashboard that it is seeing various files. Should I then expect to see that info forwarded to my wildfire account at wildfire.paloaltonetworks.com?

Thanks.

Not applicable

You will not see every single downloaded file in the WildFire Dashboard reports. If that would be the cause it would require a huge amount of cloud space.

The WildFire Dash reports will be blank at all times, unless there has been downloaded a file unknown by the PA WildFire database.

Once having a Data Filter in place with <forward> action, every file will be send to WildFire for a data file checksum check, if the file is already known it will not be reported in the WildFire report and will let the user to download the file. If the File is unknown by the DB, it will be checked, by executing the file in the cloud, looking at the results of the file execution, looking at the damage it can cause to a operation system, creating a report on it and later decide what to do , to allow the user to download the file or not.

So if you don’t see any reports on WildFire this is not a bad thing and it does not mean that your configurations did not work.

So think of a WilfFire as of a virtual computer somewhere in the cloud that would take a unknown executable file or a virus and will intentionally install it on it, just to check if the executable file is safe or not. And after it checks as safe file it will pass the file to your computer, if it is unsafe the file will never touch your computer.


But if you need to check on the files downloaded you can always refer to the PA GUI interface, Monitor->Logs->Data Filtering.

Here is some info and some tips how to know if the WildFire is working or not:

https://live.paloaltonetworks.com/docs/DOC-2670

Configuration instructions:

https://live.paloaltonetworks.com/docs/DOC-2029

Hope this helps.

  • 3510 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!