08-28-2015 01:15 PM
I thought there was a limited version of WildFire that you could use for PE files. But it isn't working; I do a test registration and it fails. Is there something that is missing in the instruction that I have?
09-09-2015 06:13 AM
Didn't you say you were using the limited version as well? Did you have to select the benign file setting?
09-09-2015 06:41 AM
Hi
The benign setting allows for more reporting as this will also generate logs for any files that were uploaded and diagnosed as benign, but is not a necessary setting to enable the unlicensed version of WildFire.
It may come in handy when setting up WildFire for the first time to generate reports sooner, as waiting around for a malicious file can take a while.
regards
Tom
09-09-2015 07:27 AM
I have it all configured and I opened the WildFire test file on a test PC and nothing is showing up in the PA WildFire submissions or data filtering logs, so I don't know if it's really working.
09-09-2015 08:00 AM
Hi!
Did you make sure to enable SSL decryption, and is this reflected in the session details:
You may need to allow the management interface of your device access out to the internet or fine-tune any service routes you have set to allow the management plane to upload files to the cloud.
Here's a couple of commands you can use to verify everything is functioning as expected:
show wildfire status
show wildfire statistics
show wildfire cloud-info
regards
Tom
09-09-2015 08:28 AM
Doesn't it require a license to do decryption? Here are the results of running the commands you suggested:
show wildfire status
Connection info:
Wildfire cloud: public cloud
Status: Idle
Best server: us-east-1.wildfire.paloaltonetworks.com
Device registered: yes
Valid wildfire license: no
Service route IP address: 136.176.190.223
Signature verification: enable
Server selection: enable
Through a proxy: no
File size limit info:
pe 2 MB
apk 10 MB
pdf 200 KB
ms-office 500 KB
jar 1 MB
flash 5 MB
Forwarding info:
file idle time out (second): 90
total file forwarded: 0
file forwarded in last minute: 0
concurrent files: 0
show wildfire statistics
Packet based counters:
Total files received from DP: 0
Counters for file cancellation:
Counters for file forwarding:
file type: apk
file type: pdf
file type: email-link
file type: ms-office
file type: pe
file type: flash
file type: jar
file type: unknown
file type: pdns
Error counters:
Reset counters:
DP receiver reset cnt: 113
File cache reset cnt: 5
Service connection reset cnt: 7
Log cache reset cnt: 1
Report cache reset cnt: 1
Resource meters:
data_buf_meter 0%
msg_buf_meter 0%
ctrl_msg_buf_meter 0%
File forwarding queues:
priority: 1, size: 0
priority: 2, size: 0
priority: 3, size: 0
show wildfire cloud-info
Cloud info:
Cloud server type: wildfire cloud
Supported file types:
jar
flash
ms-office
pe
pdf
apk
email-link
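A small triage of the output pasted in the post above, as an added example that is not part of the original thread or of any Palo Alto Networks tooling. The reading of the two counters (nothing received from the data plane points at policy/profile matching, received but not forwarded points at the upload path) is an assumption drawn from the replies in this thread, and `parse_fields` and `triage` are hypothetical names.

```python
import re

# Excerpts of the CLI output pasted in the post above, trimmed to the fields used.
STATUS = """\
Wildfire cloud: public cloud
Status: Idle
Device registered: yes
Valid wildfire license: no
total file forwarded: 0
"""
STATISTICS = """\
Total files received from DP: 0
DP receiver reset cnt: 113
"""

def parse_fields(text):
    """Turn 'key: value' lines into a dict with lower-cased keys.
    Section headers such as 'Connection info:' carry no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def triage(status_text, stats_text):
    """Return one finding naming the stage where a test file most likely stopped.
    The mapping from counters to stages is an assumption, not vendor guidance."""
    f = {**parse_fields(status_text), **parse_fields(stats_text)}
    received = int(f.get("total files received from dp", 0))
    forwarded = int(f.get("total file forwarded", 0))
    if f.get("device registered") != "yes":
        return "not-registered: device is not registered with the WildFire cloud"
    if received == 0:
        # The data plane never handed a file over: look at policy, not the cloud link.
        return ("no-file-from-dataplane: check that the file blocking profile "
                "is applied to the security policy the download actually hits")
    if forwarded == 0:
        # Files reached the management plane but none were uploaded.
        return ("upload-blocked: check management interface internet access "
                "and service routes to the cloud")
    return "forwarding-ok: %d file(s) forwarded" % forwarded

if __name__ == "__main__":
    print(triage(STATUS, STATISTICS))
```
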
09-09-2015 01:24 PM
SSL decryption and QUIC disabled for Chrome browsers enabled our free version of WildFire to work as well. One note was that I couldn't see WildFire entries in the WildFire logs on PAN-OS 5 but I could see it in the web portal (https://wildfire.paloaltonetworks.com/wildfire/reportlist). After I upgraded to PAN-OS 6 I was able to see the WildFire entries in the firewall log as well.
09-09-2015 02:16 PM
I am already on OS 6.1 but I do not have decryption enabled because I thought it required a license and I did not know it was necessary for the limited version of WildFire.
09-09-2015 11:21 PM
SSL Decryption is not necessary for WildFire (free or licensed). It is necessary to analyze files that were downloaded via SSL. To test free WildFire only, you should download a test file from http://wildfire.paloaltonetworks.com/publicapi/test/pe. The file will be downloaded in clear text, therefore no SSL decryption is required and you will be able to confirm that your WildFire configuration is correct.
09-10-2015 05:33 AM
Yes I downloaded the file and nothing happened. I have a ticket in with PA TAC but they just keep blowing me off.
09-10-2015 06:14 AM
Is wildfire-test-pe-file.exe visible in Data Filtering logs? You should see two entries in that log: Forward and wildfire-upload-success.
09-10-2015 08:26 AM
Nope, not visible in the monitor\wildfire submission, data filtering or threat log. I have the rule set to continue and forward.
09-10-2015 10:24 PM
In that case I would say it is one of the following:
Can you download testfile again via http and then paste details of the session from the traffic log?
09-11-2015 06:40 AM
This is the link I used so I am already using the non-encrypted with http
http://wildfire.paloaltonetworks.com/publicapi/test/
09-11-2015 06:51 AM
I didn't see it posted and we don't have visibility into your settings; however, was the 'File Blocking' profile you created for WildFire set to the security policy you have for clients to browse the web?
I know it's a silly question, but if it's not added to the security policy the clients use to download files, it won't catch anything. Check the logs to see which policy is being hit when you download the testpe file and make sure that the file blocking profile is applied to it.
09-11-2015 07:14 AM
I understand that my clients need web access in order to download and run the file. I was able to download and run the file but nothing showed up in the data filter, wildfire submissions or the threat log.
Early on I had the TAC remote in and verify that my configuration was correct, just like the licensed version without the license.