Wildfire Activity?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Wildfire Activity?

L4 Transporter

Hi folks,

 

We have a Wildfire public cloud subscription, dynamic updates, and security profile configured.

I've been asked, "How do we know it's doing anything?".

 

When I look at Wildfire submissions, the last submissions are from January and end of last year.

I am looking at this article and our settings, I don't think our's looks correct.  Our File Blocking rule is empty and the Wildfile analysis does not look linked to the File blocking profile either.

 

So while we are enabled for Wildfire, I don't think it is doing anything because not configured right.

 

We should at least have a File Blocking rule in place for it to do anything right?

 

wildfire2.jpg

 

wildfire1.jpg

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

Check your wildfire config and see if its se to report greyware and benign files. When I fileted my logs to remove the benign files, there was not much shown.

 

Device tab -> Setup -> Wildfire

 

image.png

 

That could be why you dont see any activity in the Monitor Logs.

 

Hope that helps.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

Check your wildfire config and see if its se to report greyware and benign files. When I fileted my logs to remove the benign files, there was not much shown.

 

Device tab -> Setup -> Wildfire

 

image.png

 

That could be why you dont see any activity in the Monitor Logs.

 

Hope that helps.

Thank you!

 

Yep, your right.  I do not have those options checked, and I suppose that there must not be a lot of unknown file types downloaded in our environment.

 

Seems like File Blocking and Wildfire work separately?

Don't need File Blocking configured for Wildfire to be in use, correct?

 

Hello,

They work together kinda. You need the file blocking rule so WF can be applied to a polic. The Wildfire analysis is needed to actually grab the files and send them to the cloud.

 

Hope that makes sense.

 

Regards,

Thank you!

 

Ok, getting close, but still a little confused.  This text from my 7.0 training seems to indicate that they may operate and detect separately?  Meaning I could have no File Blocking rule (like my company has here) and just a Wildfire rule for PE and those files would be shipped off to Wildfire Cloud?

 

However, this Wildfire test PE URL: http://wildfire.paloaltonetworks.com/publicapi/test/pe does not show up as uploaded to Wildfire when I run command:  debug wildfire upload-log show.

 

I may need to call support to get all this cleared up.

 

 

wildfire3.jpg

  • 1 accepted solution
  • 2228 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!