Wildfire Activity?

L4 Transporter

Hi folks,

We have a Wildfire public cloud subscription, dynamic updates, and security profile configured.

I've been asked, "How do we know it's doing anything?".

When I look at Wildfire submissions, the last submissions are from January and end of last year.

I am looking at this article and our settings, and I don't think ours looks correct. Our File Blocking rule is empty and the Wildfire analysis does not look linked to the File Blocking profile either.

So while we are enabled for Wildfire, I don't think it is doing anything because it is not configured right.

We should at least have a File Blocking rule in place for it to do anything, right?

wildfire2.jpg

wildfire1.jpg


Accepted Solutions
Cyber Elite

Re: Wildfire Activity?

Hello,

Check your Wildfire config and see if it's set to report greyware and benign files. When I filtered my logs to remove the benign files, there was not much shown.

Device tab -> Setup -> Wildfire

image.png

That could be why you don't see any activity in the Monitor Logs.

Hope that helps.


All Replies
L4 Transporter

Re: Wildfire Activity?

Thank you!

Yep, you're right. I do not have those options checked, and I suppose that there must not be a lot of unknown file types downloaded in our environment.

Seems like File Blocking and Wildfire work separately?

Don't need File Blocking configured for Wildfire to be in use, correct?

Cyber Elite

Re: Wildfire Activity?

Hello,

They work together kinda. You need the file blocking rule so WF can be applied to a policy. The Wildfire analysis is needed to actually grab the files and send them to the cloud.

Hope that makes sense.

Regards,

L4 Transporter

Re: Wildfire Activity?

Thank you!

Ok, getting close, but still a little confused. This text from my 7.0 training seems to indicate that they may operate and detect separately? Meaning I could have no File Blocking rule (like my company has here) and just a Wildfire rule for PE and those files would be shipped off to Wildfire Cloud?

However, this Wildfire test PE URL: http://wildfire.paloaltonetworks.com/publicapi/test/pe does not show up as uploaded to Wildfire when I run the command: debug wildfire upload-log show.

I may need to call support to get all this cleared up.

wildfire3.jpg
