12-14-2012 07:41 AM
I have enabled WildFire protection on the policy for NAT (also antivirus/anti-spyware/vulnerability).
From time to time I get an email with information that someone from my network downloaded some files infected, i.e. by malware.
Until now I thought that this file was blocked by PAN.
Today I tried (just as a test) to download the file from the link in that email (storagenl.info/v402/?affiliate_id=eb3)
and I downloaded the file .... and I got an email.
The file blocking profile is created with any any both forward settings. This profile is enabled in the security policy.
Help me please
With regards
SLawek
12-16-2012 07:42 PM
Hi SLV,
Unless you have the new WildFire subscription (PAN-OS 5.0) enabled, you may need to wait a couple of days for the actual virus signature to be pushed down to your device through the normal AV signature process. With the WildFire subscription you can get hourly updates.
Cheers,
Kelly
12-17-2012 10:23 AM
Hi SLV,
If you add a file blocking profile with the forward option, it will allow the files to be downloaded and the file will be sent to WildFire for checking. This is the default action it takes when file blocking is set to forward.
Hopefully this helps.
Thank you
Numan
12-18-2012 05:36 AM
I thought that "forward" means that the PA200 will forward every file to the WildFire cloud and after that, if the status received from the WildFire cloud is "clean", will allow the download to the client workstation.
Is it possible to get such a configuration?
Cheers
Slawek
12-18-2012 09:15 AM
Hi Slawek,
Something like that would create a delay too great for most clients. Part of what WildFire does is execute the file and observe the behavior along with normal signature and heuristic-based scans. If a client had to wait for that they would likely time out. You may want to reach out to your account team to suggest that feature in case it hasn't been submitted already.
To answer the question about the "forward" action, it:
- Delivers the file to the client
- Forwards it to WildFire for review
If you have 5.0 and the additional license, you can download updates as often as every hour that will contain results of scans. If a file you (or another customer) has forwarded is malware, you'll have the signature for it within hours. Of course, as Kelly indicated, you can still use the standard WildFire configuration to get updates every day, so you'll have that signature within a day or two normally as well.
Hope this helps!
Greg
02-25-2013 11:19 PM
Forward does not mean that the file has been forwarded to the WildFire cloud!
Forward: The WildFire cloud has already seen the file, thus no further action is taken on the file and no entry is seen on the WildFire portal.
Wildfire-upload-success: The WildFire cloud has not seen the file and the file is uploaded to the cloud for a verdict.
Wildfire-upload-skip: The WildFire cloud has already seen the file and confirmed a verdict of "Malware", thus the file is skipped by the PA device; however, a log is generated on the WildFire portal.
Cheers
Roland