WildFire and File blocking

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

WildFire and File blocking

L2 Linker

Hi Experts,

 

I'm new to Palo Alto and I've seen documents where File blocking is used in addition with the WildFire analysis. So, any files which is blocked won't be forwarded to WildFire and the action which is set to 'continue/alert' will be continue forwarding.

 

But in my organization I've seen file blocking isn't applied to any security policy while wildfire analysis is set to application and files 'any' to the public cloud and its attached to the security policy.

 

1. My question is, what would the Wildfire achieve with/without the file blocking profile?

2. How does the AV profile works with the WildFire policy?

 

Can someone please assist? Thank you.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

WildFire and file blocking are independent from eachother, so WildFire can function without a file blocking profile and vice versa.

The only caveat, as you mention, is that if you block a file WildFire won't be able to send it up for analysis.

 

Once WildFire finds a malicious file, a signature is immediately created for the WildFire dynamic updates. Every 24 hours the most prominent WildFire signatures are also rolled up into the daily AV update, so:

 

-all actions taken based on the outcome from a WildFire analysis are in fact performed by the AV/AS profiles

-the WildFire profile itself is only used for uploading, not prevention

- file blocking is an additional profile that simply decides which file types to allow or block (like opening/blocking a port or application)

 

 

hope this helps

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

9 REPLIES 9

Cyber Elite
Cyber Elite

WildFire and file blocking are independent from eachother, so WildFire can function without a file blocking profile and vice versa.

The only caveat, as you mention, is that if you block a file WildFire won't be able to send it up for analysis.

 

Once WildFire finds a malicious file, a signature is immediately created for the WildFire dynamic updates. Every 24 hours the most prominent WildFire signatures are also rolled up into the daily AV update, so:

 

-all actions taken based on the outcome from a WildFire analysis are in fact performed by the AV/AS profiles

-the WildFire profile itself is only used for uploading, not prevention

- file blocking is an additional profile that simply decides which file types to allow or block (like opening/blocking a port or application)

 

 

hope this helps

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Tom,

 

First of all, I'd like to thank you for your wonderful book 'Mastering the Palo Alto networks' which is very informative and helpful for the beginners like me to nourish our skills on Palo Alto.

 

Under Monitor -> Wild fire submissions, I see Malicious is being marked as 'blocked'. From the below, I believe AV is the one which is going to block the viruses and not the Wild Fire. Please correct me if I'm wrong.

 

1. Assuming no wildfire license in place and through AV updates, will it be automatically blocked in next 24hours?

2. Will it block only if it's set to 'reset-both' under AV/Wildfire action or it'll block automatically if the action is set to 'default or alert' in the AV profile?

3. In AV profile, I see only HTTP, FTP, SMB, SMTP and POP3. What if any files which are malicious are transferred through SFTP and so on, which isn't part of the AV decoders?

 

 

 

Hello,

Let me try to explain. One thing to remember is that WildFire is the zero day file analysis. If you dont have a license, i would highly suggest you get one.

 

1. Assuming no wildfire license in place and through AV updates, will it be automatically blocked in next 24hours?

      Correct, once WildFire flags it, it will eventually make its way into the AV definitions.

2. Will it block only if it's set to 'reset-both' under AV/Wildfire action or it'll block automatically if the action is set to 'default or alert' in the AV profile?

     Make sure your profiles are set to reset-both, otherwise it will be allowed.

3. In AV profile, I see only HTTP, FTP, SMB, SMTP and POP3. What if any files which are malicious are transferred through SFTP and so on, which isn't part of the AV decoders?

     So these are just protocols not file types.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZ5CAK

 

Hope that helps.

Hi,

 

Thanks for taking your time to reply to this conversation. Final one and sorry if it's dumb.

 

What if any malicious files are traversing through SFTP protocol will it be blocked as only FTP, HTTP, HTTPS application/protocols are specified?

Hello,

Not a bad question at all. Since in SFTP the traffic is encrypted, the PAN can only read the headers of the packet. So in this case, it is possible that the malicious file can be transferred past the PAN. However if you employ SSL decryption to the traffic, the PAN can see the whole file. If the file is password protected, you'll need to use another program at the OS layer to protect your environment.

 

Hope that helps.

Great question.  SFTP actually uses SSH for encryption.  App-ID recognizes it as SSH.  However, it is not FTP over SSH.  The protocol is different.  If PANW added the SFTP protocol to AV, it could be scanned if SSH Proxy were configured.

Help the community: Like helpful comments and mark solutions.

So I can use file blocking profile without WF subscription?

Cyber Elite
Cyber Elite

@ramakrishnan.v05 yes you can

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

Thanks @reaper !

 

I thought I replied, but I guess I didn't.

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 6823 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!