Free wildfire

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Free wildfire

L4 Transporter

I thought there was a limited version of wildfire that you could use for PE files. But it isn't working, I do a test registration and it fails. Is there something that is missing in the instruction that I have

 

https://live.paloaltonetworks.com/t5/Articles/Wildfire-Configuration-Testing-and-Monitoring/ta-p/577...

52 REPLIES 52

Didn't you say you were using the limited version as well? Did you have to select the benign file setting?

Hi

 

The benign setting allows for more reporting as this will also generate logs for any files that were uploaded and diagnosed as benign, but is not a necessary setting to enable the unlicensed version of WildFire.

It may come in handy when setting up WildFire for the first time to generate reports sooner, as waiting around for a malicious file can take a while.

 

 

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I have it all configured and I opened the wildfire test file on a test pc and nothing is showing up in the PA wildfire submissions or data filtering logs so I don't know if its really working

Hi!

 

Did you make sure to enable ssl decryption, and is this reflected in the session details: 

2015-09-09_16-54-07.png

 

you may need to allow the management interface of your device access out to the internet or finetune any serviceroutes you have set to allow the management plane to upload files to the cloud

 

here's a couple of commands you can use to verify everything is functioning as expected:

 

 

show wildfire status
show wildfire statistics
show wildfire cloud-info

 

regards

Tom

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Doesn't it require a license to do decryption? Here are the results of running the commands you suggested-

 

Show wildfire status

 

Connection info:
  Wildfire cloud:                public cloud
  Status:                        Idle
  Best server:                   us-east-1.wildfire.paloaltonetworks.com
  Device registered:             yes
  Valid wildfire license:        no
  Service route IP address:      136.176.190.223
  Signature verification:        enable
  Server selection:              enable
  Through a proxy:               no

File size limit info:
  pe                                           2 MB
  apk                                         10 MB
  pdf                                        200 KB
  ms-office                                  500 KB
  jar                                          1 MB
  flash                                        5 MB

Forwarding info:
  file idle time out (second):                          90
  total file forwarded:                                  0
  file forwarded in last minute:                         0
  concurrent files:                                      0

 

show wildfire statistics

 

Packet based counters:

Total files received from DP: 0

Counters for file cancellation:

Counters for file forwarding:

        file type: apk

        file type: pdf

        file type: email-link

        file type: ms-office

        file type: pe

        file type: flash

        file type: jar

        file type: unknown

        file type: pdns

Error counters:

Reset counters:
        DP receiver reset cnt:                     113
        File cache reset cnt:                        5
        Service connection reset cnt:                7
        Log cache reset cnt:                         1
        Report cache reset cnt:                      1

Resource meters:
        data_buf_meter                               0%
        msg_buf_meter                                0%
        ctrl_msg_buf_meter                           0%

File forwarding queues:
        priority: 1,  size: 0
        priority: 2,  size: 0
        priority: 3,  size: 0

 

show wildfire cloud-info

 

Cloud info:
  Cloud server type:             wildfire cloud
  Supported file types:
                                 jar
                                 flash
                                 ms-office
                                 pe
                                 pdf
                                 apk
                                 email-link

 

 

 

 

 

SSL decryption and quic disabled for chrome browsers enabled our free version of wildfire to work as well, one note was that I couldn't see WildFire entries in the WildFire logs on PAN-OS 5 but I could see it in the web portal(https://wildfire.paloaltonetworks.com/wildfire/reportlist)..after I upgraded to PAN-OS 6 I was able to see the wildfire entries in the firewall log as well.

I am already on OS 6.1 but I do not have decryption enabled because I thought it required a license and I did not know it was necessary for the limited version of wildfire

SSL Decryption is not necessary for a wildfire (free or licensed). It is necessary to analyze files that were downloaded via SSL. To test free Wildfire only you should download a test file from http://wildfire.paloaltonetworks.com/publicapi/test/pe. File will be downloaded in clear text, therefore no SSL decryption is required and you will be able to confirm that your Wildfire configuration is correct.

Yes I downloaded the file and nothing happened. I have a ticket in with PA TAC but they just keep blowing me off.

Is wildfire-test-pe-file.exe visible in Data Filtering logs? You should see two entries in that log: Forward and wildfire-upload-success.

Capture.JPG

Nope not visible in the monitor\wildfire submission, data filtering or threat log. I have the rule set to continure and forward.

In that case I would say it is one of the following:

  • Your File Blocking profile is configured incorrectly
  • Your File Blocking profile is not applied to the correct security rule
  • You are using SSL

 Can you download testfile again via http and then paste details of the session from the traffic log?

This is the link I used so I am already using the non-encrypted with http

 

http://wildfire.paloaltonetworks.com/publicapi/tes​t/

 

I didnt see it posted and we dont have visibility into your settings, however was the 'File Blocking' profile you created for wildfire set to the security poicy you have for clients to browse the web?

 

I know its a silly question, but if its not added to the security policy the clients use to download files, it wont catch anything. Check the logs to see which policy is being hit when you download the testpe file and make sure that the file blocking profile is applied to it.

I understand that my clients need web access in order to download and run the file. I was able to download and run the file but nothing showed up in the data filter, wildfire submissions or the threat log.

Early on I had the TAC remote in and verify that my configuration was correct, just like the licensed version without the license.

  • 14900 Views
  • 52 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!