12-31-2020 07:46 AM - edited 12-31-2020 09:15 AM
Hi Experts,
I'm new to Palo Alto and I've seen documents where File Blocking is used in addition to WildFire analysis. So, any file which is blocked won't be forwarded to WildFire, and files whose action is set to 'continue/alert' will continue to be forwarded.
But in my organization I've seen that file blocking isn't applied to any security policy, while WildFire analysis is set to applications and file types 'any', forwarding to the public cloud, and it's attached to the security policy.
1. My question is, what would WildFire achieve with/without the file blocking profile?
2. How does the AV profile work with the WildFire policy?
Can someone please assist? Thank you.
01-04-2021 02:50 AM
WildFire and file blocking are independent from each other, so WildFire can function without a file blocking profile and vice versa.
The only caveat, as you mention, is that if you block a file, WildFire won't be able to send it up for analysis.
Once WildFire finds a malicious file, a signature is immediately created for the WildFire dynamic updates. Every 24 hours the most prominent WildFire signatures are also rolled up into the daily AV update, so:
- all actions taken based on the outcome of a WildFire analysis are in fact performed by the AV/AS profiles
- the WildFire profile itself is only used for uploading, not prevention
- file blocking is an additional profile that simply decides which file types to allow or block (like opening/blocking a port or application)
Hope this helps.
01-04-2021 07:43 AM - edited 01-04-2021 08:02 AM
Hi Tom,
First of all, I'd like to thank you for your wonderful book 'Mastering Palo Alto Networks', which is very informative and helpful for beginners like me to nourish our skills on Palo Alto.
Under Monitor -> WildFire Submissions, I see Malicious is being marked as 'blocked'. From the below, I believe AV is the one which is going to block the viruses and not WildFire. Please correct me if I'm wrong.
1. Assuming no WildFire license in place and through AV updates, will it be automatically blocked in the next 24 hours?
2. Will it block only if it's set to 'reset-both' under the AV/WildFire action, or will it block automatically if the action is set to 'default' or 'alert' in the AV profile?
3. In the AV profile, I see only HTTP, FTP, SMB, SMTP and POP3. What if malicious files are transferred through SFTP and so on, which isn't part of the AV decoders?
01-04-2021 11:17 AM
Hello,
Let me try to explain. One thing to remember is that WildFire is the zero-day file analysis. If you don't have a license, I would highly suggest you get one.
1. Assuming no WildFire license in place and through AV updates, will it be automatically blocked in the next 24 hours?
Correct, once WildFire flags it, it will eventually make its way into the AV definitions.
2. Will it block only if it's set to 'reset-both' under the AV/WildFire action, or will it block automatically if the action is set to 'default' or 'alert' in the AV profile?
Make sure your profiles are set to reset-both, otherwise it will be allowed.
3. In the AV profile, I see only HTTP, FTP, SMB, SMTP and POP3. What if malicious files are transferred through SFTP and so on, which isn't part of the AV decoders?
So these are just protocols, not file types.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZ5CAK
Hope that helps.
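A small audit script, added here as an example and not part of the thread or any Palo Alto Networks tool, that walks constructed WildFire-submission style records and reports malicious verdicts the firewall did not actually block: either because the AV profile action was 'alert' (not reset-both) or because the file crossed a protocol with no AV decoder. The column names and sample rows are assumptions for illustration, not the exact PAN-OS log schema.

```python
import csv
from io import StringIO

# Constructed sample records (not real logs); column names are an assumption.
SAMPLE_LOG = """\
receive_time,app,filetype,verdict,action,decoder
2021/01/04 10:01:05,web-browsing,pe,malicious,block,http
2021/01/04 10:07:44,ftp,pdf,malicious,alert,ftp
2021/01/04 10:12:10,smtp,msoffice,benign,alert,smtp
2021/01/04 10:20:31,ssh,pe,malicious,alert,unknown
2021/01/04 10:33:02,ms-ds-smb,pe,grayware,alert,smb
"""

# Decoders the AV profile offers, as listed in the thread.
AV_DECODERS = {"http", "ftp", "smb", "smtp", "pop3"}
# Profile actions that actually stop the transfer; 'alert' and 'allow' do not.
BLOCKING_ACTIONS = {"block", "reset-both", "reset-client", "reset-server", "drop"}


def parse_records(text):
    """Parse the CSV-style records into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_gaps(records):
    """Return (time, app, filetype, reason) for malicious files that were let through."""
    gaps = []
    for r in records:
        if r["verdict"] != "malicious":
            continue  # only malicious verdicts matter for this audit
        if r["action"] in BLOCKING_ACTIONS:
            continue  # the profile stopped it; nothing to report
        if r["decoder"] not in AV_DECODERS:
            reason = "no AV decoder for this protocol (encrypted or unsupported)"
        else:
            reason = "profile action is '%s', not reset-both" % r["action"]
        gaps.append((r["receive_time"], r["app"], r["filetype"], reason))
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(parse_records(SAMPLE_LOG)):
        print("ALLOWED malicious file: %s app=%s type=%s (%s)" % gap)
```

On the constructed sample, the PE over SSH is reported because no AV decoder covers it, and the PDF over FTP is reported because the profile action was 'alert'.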
01-05-2021 06:22 AM
Hi,
Thanks for taking your time to reply to this conversation. Final one and sorry if it's dumb.
What if malicious files are traversing the SFTP protocol? Will they be blocked, as only the FTP, HTTP and HTTPS applications/protocols are specified?
01-05-2021 07:14 AM
Hello,
Not a bad question at all. Since in SFTP the traffic is encrypted, the PAN can only read the headers of the packet. So in this case, it is possible that the malicious file can be transferred past the PAN. However, if you employ SSL decryption on the traffic, the PAN can see the whole file. If the file is password protected, you'll need to use another program at the OS layer to protect your environment.
Hope that helps.
08-17-2021 04:42 PM
Great question. SFTP actually uses SSH for encryption. App-ID recognizes it as SSH. However, it is not FTP over SSH. The protocol is different. If PANW added the SFTP protocol to AV, it could be scanned if SSH Proxy were configured.
11-23-2023 06:06 AM
So I can use file blocking profile without WF subscription?
11-29-2023 02:15 AM
@ramakrishnan.v05 yes you can
11-29-2023 02:22 AM
Thanks @reaper !
I thought I replied, but I guess I didn't.