wildfire and security policy - problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

wildfire and security policy - problem

L4 Transporter

I have enabled wilfdire protection on polisy for NAT (also antyvirus/antyspyware/Volnerability).

From time totime I get email with information that someone from my network downloaded some files infected ie. by malware.

Until now I think that this file was blocked by PAN.

Today I tryed (just for test) download file from link from that email (storagenl.info/v402/?affiliate_id=eb3)

and I downloaded file .... and I got a email.

File blocking profile is created with any any both forward settings. This profile is enabled in security policy.

Help me please

With regards

SLawek

5 REPLIES 5

L4 Transporter

Hi SLV,

Unless you have the new Wildfire subscription (PAN-OS 5.0) enabled you may need to wait a couple days for the actual virus signature to be pushed down to your device through the normal AV signature process.  With the Wildfire subscription you can get hourly updates.

Cheers,

Kelly

Hi SLV,

If you and file blocking profile with forward option. It will allow the files to be downloaded and the file will be sent to Wildfire for checking. This is default action it takes when the file blocking is set to forward.

Hopefully this helps.

Thank you

Numan

I thought that "forward" mean that PA200 will forward every file to WildFire cloud and after that if status recieved from WildFire Cloud is "clean" will allow to download to client workstation.

Is it possible to get such confoguration?

Cheers

Slawek

Hi Slawek,

Something like that would create a delay too great for most clients. Part of what WildFire does is execute the file and observe the behavior along with normal signature and heuristic-based scans. If a client had to wait for that they would likely time out. You may want to reach out to your account team to suggest that feature in case it hasn't been submitted already.

To answer the question about the "forward" action, it:

- Delivers the file to the client

- Forwards it to WildFire for review

If you have 5.0 and the additional license, you can download updates as often as every hour that will contain results of scans. If a file you (or another customer) has forwarded is malware, you'll have the signature for it within hours. Of course, as Kelly indicated you can still use the standard WildFire configuration to get updates every day so you'll have that signature within a day or two normally as well.

Hope this helps!

Greg

Forward does not mean that the file has been forwarded to the wildfire cloud !

Forward: The Wildfire cloud has already seen the file, thus no further action is taken on the file and no entry is seen on the wildfire portal.

Wildfire-upload-success: The Wildfire cloud has not seen the file and the file is uploaded to the cloud for a verdict.

Wildfire-upload-skip:  The Wildfire cloud has already seen the file and confirmed a verdict of "Malware" thus the file is skipped by the PA device, however a log is generated on the Wildfire portal


Cheers

Roland

  • 5874 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!