10-20-2024 03:52 PM
I am having some trouble understanding the different wildfire options. Hoping someone can lead me to being able to understand.
First of all - the wildfire profile itself:
We have two sections - rules, and Inline Cloud analysis.
What is the difference between these two sections?
According to documentation:
"The Advanced WildFire cloud operates a series of inline cloud ML-based detection engines to analyze PE (portable executable) samples traversing through your network to detect and prevent unknown malware in real-time. This allows the Advanced WildFire cloud service to detect never-before seen malware (that does not have an existing WildFire signature or is detectable through the local Advanced WildFire inline cloud ML detectors) and block it from infecting the client."
I am just not understanding - Doesn't the Wildfire Analysis profile do this naturally? If file has not been seen before - send to wildfire for analysis. Isn't this literally the same explanation as regular wildfire operation?
Additionally, wildfire options are also present in other profiles:
Antivirus has "Wildfire signature action" and "Wildfire inline ML action"
Anti-Spyware has "Inline cloud analysis"
Vulnerability has "Inline Cloud analysis"
URL filtering has "Inline categorization"
What do these offer us?
The way I am currently understanding the wildfire stuff in, for example, Antivirus:
Signature action = Regular signatures downloaded via Antivirus dynamic updates
Wildfire signature action = These are signatures that are created by the collective wildfire database. This would be Palo customers using Wildfire Analysis profiles to submit files and generate a verdict which then gets fed down to everyone subscribed to these updates.
Wildfire Inline ML = Uses an engine to scan files that currently have no regular signature and no wildfire signature.
Again - isn't Wildfire Inline ML doing exactly what regular Wildfire Analysis profile offers, and has offered us before? If it sees a file that has not been seen before, which I would assume has no signature yet, it gets sent out and eventually generates a verdict. So what is Wildfire Inline ML giving us that a normal Wildfire Analysis profile does not?
PLEASE help me!
Thanks everyone
10-20-2024 08:40 PM
After a few hours of research I have come to this understanding, please correct me if I am wrong.
Wildfire Analysis Profile:
Rules tab = traditional wildfire file submissions for verdict creation.
Inline cloud analysis = Applies only to PE as of 11.1 and is used for real-time analysis at line rate.
Antivirus profile:
Signature action applies to regular antivirus signatures via antivirus dynamic updates
Wildfire signature action applies to signatures that have been created by customers who submit files under a wildfire profile and then distributed to all other firewalls.
Wildfire Inline ML action applies to files (that have been turned on under the Wildfire Inline ML tab). These file types that do not have signatures will be scanned in real-time/line rate and can be acted upon immediately.
Basically, it seems the inline wildfire settings (URL/Antivirus) are real time and can PREVENT malicious files from entering the network, vs wildfire (aside from PE under inline cloud analysis in the wildfire profile) can only alert that a host has downloaded a malicious file after it has been submitted to wildfire and a verdict has been returned.
Additionally, the inline options under Vulnerability and Anti-Spyware profiles are tied to the ATP license, while URL and Antivirus are tied to Wildfire licensing.
10-22-2024 09:11 AM
This last part:
You're not wrong, in how WF has been marketed before, they touted their "cloud analysis" for files sent to WF.
Essentially Palo the past ~2 years has released "advanced" Threat, URL and WF subscriptions that, as I understand it, perform analysis in their cloud differently than the standard subscriptions. I assume they use different ML models than the original subscriptions and are potentially tied into additional data sets that the "base" subscriptions are. Essentially there are new ML models that are leveraged in these new subs.
At the end of the day even if you don't have this new license the threat sigs will eventually get to all customers, it's just how quickly do you want them in your company?