Why is the PDF file action forward on WildFire?



L4 Transporter

Hello.

I am seeing data-filtering logs for wildfire and have found some logs.

It is a PDF file log whose action is forward.

The WildFire configuration is any application, with action forward.

But PDF is not a PE file.

I don't understand why the PDF file action is forward.

forward

Data plane detected a PE file on a WildFire-enabled policy.  The PE file is buffered in management plane.

At this point, if you only see "forward" for a specific file, then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen.  In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent for previously seen benign files).  This means that you will not see an entry in the WildFire web portal for these files.

I think the reason is that the data plane detected any file on a WildFire-enabled policy and the file is buffered in the management plane because the WildFire configuration is any file. Right?

I know only PE files were forwarded when the WildFire configuration is any file.


Thanks.


L5 Sessionator

Hello Cheon,

Yes, you are right. Since you have configured 'any' file type in the file blocking profile, you would get a data-filtering log as 'forward' for all file downloads, at least. PE is just a file format category which includes file types with extensions exe, zip, etc.

If an AV profile is not enabled on a firewall policy for an existing session, the file is streamed from the dataplane to the management plane for WildFire processing. That file is then received by the end user and buffered by the management plane. If the file is signed by a trusted signer, the file download gets logged in the data-filtering logs with action set to 'forward' and no entry is logged in the WildFire web portal. If the file is not signed by a trusted signer, then the management plane creates a hash of the file to send to the WildFire cloud to run a check against existing signatures in the database. From there on, depending upon whether the hash match exists in the database or not, the corresponding data-filtering log gets marked as 'wildfire-upload-skip' or 'wildfire-upload-success'.

Hope that addresses your concern!

Thanks and regards,
Kunal Adak

Hello Adak,

Thanks for your answer.

I have a more detailed question.

I use a WildFire configuration where the action for all files is forward.

Are all files (ppt, jpg, etc.) forwarded from the data plane to the management plane?

If it is true, I think the management-plane buffer allocated to WildFire will be very hard.

If the buffer overflows, what value in 'show wildfire statistics' will be increased?

I read in the manual that if the buffer overflows, cancel_disk_io_fail in 'show wildfire statistics' will be increased.

But I have found it in this CLI output.

Thanks.

Hello Cheon,

Are all files (ppt, jpg, etc.) forwarded from the data plane to the management plane?

- If a file download session matches an AV profile enabled on the security rule, then the file will be streamed to the Content-ID engine for AV scanning. If not, only then is the file streamed from the dataplane to the management plane for WildFire processing.


cancel_disk_io_fail counter:

Number of times the management plane failed to write temporary files to the disk before sending them to the WildFire cloud.  This can occur with a general disk fault, and can also occur when the disk buffer is near quota.


I did read in an internal document that apparently the counter would only show up in wildfire statistics if it is non-zero.




Thanks and regards,

Kunal Adak
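The decision path laid out in the two replies above (AV profile on the rule, trusted signer, then hash lookup in the cloud), written out as an added example that is not PAN-OS or Palo Alto Networks code. The field names, the 'content-id-av' label for the AV-scanned path, and the sample downloads are all assumptions constructed for the illustration.

```python
# Added illustration, not PAN-OS or Palo Alto Networks code: the forwarding
# decision described in the two replies, as a function over one download.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Download:
    filename: str
    av_profile_on_rule: bool   # AV profile attached to the matching security rule
    trusted_signer: bool       # signed by a trusted file signer
    cloud_knows_hash: bool     # WildFire cloud already has a verdict for the hash


def wildfire_action(d: Download) -> str:
    """Expected data-filtering log action for one download. 'content-id-av'
    is an assumed label for the path where Content-ID scans the file and it
    never reaches the management plane for WildFire."""
    if d.av_profile_on_rule:
        return "content-id-av"
    if d.trusted_signer:
        # Buffered on the management plane; nothing goes to the cloud and no
        # WildFire portal entry is created. This is the PDF case asked about.
        return "forward"
    if d.cloud_knows_hash:
        return "wildfire-upload-skip"      # hash matched an existing verdict
    return "wildfire-upload-success"       # unknown hash, file uploaded


def action_counts(downloads: list) -> Counter:
    """Tally expected actions per file extension, to read against a
    data-filtering log export from an 'any' file type profile."""
    counts: Counter = Counter()
    for d in downloads:
        ext = d.filename.rsplit(".", 1)[-1].lower()
        counts[(ext, wildfire_action(d))] += 1
    return counts


# Constructed sample downloads, not real traffic.
SAMPLE = [
    Download("report.pdf", False, True, False),
    Download("setup.exe", False, False, False),
    Download("setup.exe", False, False, True),
    Download("slides.ppt", True, False, False),
]

if __name__ == "__main__":
    for (ext, action), n in sorted(action_counts(SAMPLE).items()):
        print(f"{ext:4} {action:24} {n}")
```

Running it shows the PDF landing on 'forward' purely because the profile matches any file type and the signer is trusted, with no upload involved.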




