Using file blocking and wildfire profiles together

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using file blocking and wildfire profiles together

L3 Networker

Hi Guys,

 

Please can someone explain me why we would use the file blocking profile as well as the wildfire profile on the same security rule.

What i understand is that once the file is blocked then no need to send it for the wildfire analysis..Please correct me.

 

Now what will happen if the file is allowed,will it be sent for analysis and meanwhile what will happen,will the user recieve the file or it wait for the verdict and the required action is taken.

 

Thanks

15 REPLIES 15

Cyber Elite
Cyber Elite

I think you are confusing two different things, and not really aiming for a best practice here. 

1) File Blocking would generally be used if you want to block a type of file completely. No need for Wildfire to check a PE file if you are blocking PE files through file-blocking on that specific rule. 

2) Wildfire will analyze the files hash and perform a hash check with Wildfire. If the file is already known it will take the known action, if the hash isn't known then it will forward the file to be analyzed. 

 

If you are blocking the files that WildFire can perform analysis on, I'm not sure why you would include a WildFire policy on that. The files are already going to get blocked, why would you need WildFire at that point?

Where WildFire comes in handy is if you have a business need to allow a certain function, such as MS Office documents, you can block anything that is known bad. Even if it does make it to WildFire and the user gets the document, WildFire will provide you an alert and tell you that the file was allowed, who it was destined for, and what exactly it did. So you can quickly tell your helpdesk that such and such got installed, here's what it did, and here's how to get rid of it. 

Hi BPry,

 

Thanks a lot for your response,kindly can you please clarify further the below.

2) Wildfire will analyze the files hash and perform a hash check with Wildfire. If the file is already known it will take the known action, if the hash isn't known then it will forward the file to be analyzed. (What will happen to the unknown file while we wait for the results,will it be delivered to the user..?.)

 

So to understand and make it clear for myself is that its not recommended to have file blocking and wildfire profile at the sametime on security rule or it depends upon u r requirement.May they can be applied in a scenario where we want to block some files unsing FB profile and allow some files but only after WF analysis.

 

Thanks

 

Okay so this really depends on what your policy is actually going to look like. Say for instance I have a basic rule that looks like this. 

LTSB-Users {
  option {
    disable-server-response-inspection no;
  }
  from inside;
  to outside;
  source 10.191.0.0/16;
  destination any;
  source-user cn=ltsb-users,ou=groups,ou=ltsb,dc=wisleg,dc=root,dc=local;
  category any;
  application any;
  service [ quic service-http service-https];
  hip-profiles any;
  log-start yes;
  log-end yes;
  negate-source no;
  negate-destination no;
  action allow;
  disabled no;
  tag [ "User Focused" INSIDE];
  description "Allow Web browsing to anywhere";
  profile-setting {
    group LTSB-Profile;
  }
  log-setting Solarwinds-Email;

So that rule could potentially allow all any files to be download, what I might want to do is apply a file-blocking profile that says they can't download things like jar, apk, flash, and the like. However, I still need to allow these users to download ms-office, pdf, pe and the like. In this scenario I actually would have a file-blocking profile assigned for the files that I know I don't want them to download, but then I would assign a WildFire Analysis profile so that it can catch everything else that is still allowed to pass through that policy. 

Hi BPry,

 

Thanks for the response and i really appreciate your efforts.

So when and how the wildfire action will be taken as in new version the wildfire action has been removed from the file blocking profile.

 

Another question with regards to file blocking is how can we block files accessed to/from shared folders in windows.

Today i applied a file blocking profile to a server n client and blocked .xls,exe etc but the files were able to accessed,please can u guide me in this.

@mahmoodm,

Look in the AntiVirus profile, you'll find WildFire action there. 

 

Does your firewall actively see the traffic from your server to the client? 

WildFire 'action' in regards to files being uploaded works in tandem with file blocking profile: any filles that are blocked in the same security policy as the WildFire profile will not be uploaded. Uploads can only performed on extensions that are allowed to pass through the firewall

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,

I cans see sometimes n sometimes not,i am not sure y this is happening.

I think when i access the shared folder on the server n try to copy any file from my pc into the shared folder i am assuming that the FB rules should take action as defined but this is not happening not sure why.

 

Thanks

@mahmoodm,

It sounds like you may have interzone communication, the firewall will only take action on intrazone communication; in most scenarios interzone traffic never passes through your firewall. 

Hi,

No the traffic is between user zone and server zone,but still the file blocking doesnt work.

Please confrim can we block files transfer between the systems which are using SMB because i read today that SMB3 is encrypted hence PA is not able to identify the fiiles.

 

Thanks

With file blocking profile you can specify what files are permitted through the firewall.

It is also useful to look into "continue" option where response page is presented to the user (like captive portal) asking "do you really intended to download this file or it is drive by download by malicious website".

 

If file passes firewall then hash is taken and checked against wildfire cloud to check if this file has already been scanned.

If yes then decision is taken based on wildfire action configuration in antivirus security profile.

If file has not been checked then file is passed on to the user - yes user gets the file (Palo does not proxy traffic) and copy of the file is sent to wildfire sandbox to be analyzed.

 

Palo commits to give verdict in 5 minutes.

If file was malicious and it came in through email then there is good chanche that firewall gets protection before this file reaches out to internet to fetch additional malware content (Office documents usually contain macros that download malware payload when executed).

If this was web browsing then all other security profiles come into play. If firewall is well configured then URL filtering might block it if additional payload is downloaded from known malware site, vulnerability profile might block it when it sees known exploit or file blocking profile should block download of executables for standard users in organization.

If user gets infected then antispyware profile should catch command and control traffic also command and control URL category should be blocked.

 

So best practice is to use all capabilities Palo gives you to protect your network.

 

And with verdict wildfire gives you full report what malicious file did so if you can't reimage pc you can go and revert all changes in file system and registry.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,

Thanks for the response and really thankful to you guys for sharing your knowledge.

 

If file passes firewall then hash is taken and checked against wildfire cloud to check if this file has already been scanned.

If yes then decision is taken based on wildfire action configuration in antivirus security profile.(WHAT COULD BE THE AV ACTION PLAYS THE ROLE HERE,I MEAN WHY WOULD WE NEED AV ACTION HERE IF WE ARE GOING TO HAVE WF ACTION,MAY BE I AM CONFUSED OR NOT GETTING THE POINT,PLEASE CLARIFY.

 

Thanks

 

Antivirus database is updated once a day.

Wildfire database is updated all the time as files are scanned by wildfire cloud.

If you have wildfire subscription then you can configure your firewall to update wildfire database as often as every 1 minute so you if anyone in the world sees this zero day virus before you then your firewall already takes action based on wildfire verdict and will block this file passing firewall if configured so.

 

If you don't have wildfire subscription then you get those signatures next day with antivirus database updates.

 

So you should use both databases.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,

Thanks for the response.

 

So this means that the reason for having the wildfire action with AV action is take action if AV database missed this signature and wildfire categorized the file as malacious and based on the verdict the action is taken.

 

For the above to work do i need to have WF profile as well on the same security rule or AV profile will be enough as AV profile also has WF action.

 

Thanks

AV profile is to check files either against AV or wildfire virus database.

Wildfire profile is to send files to cloud or not.

 

I don't see a reason why not to use all profiles always.

Palo uses parallel processing of profiles so it does not affect performance if you have one profile or all assigned to policy.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 6632 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!