06-19-2014 09:00 AM
I'm interested in 6.0 mainly for the Wildfire improvements as it can now process PDF and Office documents.
I've read the PDF on how Palo Alto handles file security; I guess I'm interested in people's "comfort levels" at submitting documents which are potentially confidential in nature to something like WildFire.
At some point it's basically a judgement call. I'd love to know which way you've called it and why.
06-19-2014 09:16 AM
Hello Networkadmin,
The PAN firewall will not send the actual file to the WildFire cloud; instead, it will calculate the MD5 hash of the file and send it to WildFire for analysis. Hence, there is no risk factor from a "confidentiality" point of view.
For more detailed info, please refer to the WildFire Administrator's Guide 6.0 (English), page 6 (How Does WildFire Work?).
Thanks
06-19-2014 09:22 AM
But surely as with executables if it hasn't been seen it will upload it to check?
06-19-2014 09:33 AM
Well it has to upload it to test it if the checksum returns unknown surely? That's how it works with executables so I'm assuming the process would be the same with Office docs and PDFs else how can it test stuff it hasn't seen?
06-19-2014 09:35 AM
This is not correct. The file will be uploaded to the WildFire service if the MD5/SHA256 hash has not been previously analyzed. The process is the same for all supported file types.
06-19-2014 09:35 AM
"Whenever a file is transferred over a session that matches the security rule, the firewall performs a file hash check with WildFire to see if the file has been previously analyzed. If the file is new, it is forwarded for analysis, even if it is contained within a ZIP file or over compressed HTTP."
From the WF Admin Guide. The file will be transferred to the WF cloud if it has not been seen before by WF.
06-19-2014 09:41 AM
The hash is used to determine whether or not the entire file needs to be sent for analysis. If the WildFire cloud already has a copy of the file - other firewalls don't need to send additional copies, consuming bandwidth and processing power. However, if the WildFire cloud has not yet seen the file, then your firewall (if configured) will forward the entire file to the cloud for full analysis/detonation.
For customers concerned with security/privacy, here are some of the options:
- Read Palo Alto Networks privacy and security statement concerning file retention & security measures taken in the WildFire Cloud
- Limit the files to be analyzed, i.e., internally generated PDF files going out to the Internet do not get analyzed, but any file coming from the Internet into the environment is sent to WildFire.
- Use the WF-500 as a "private WildFire cloud". If you have a WF-500, all of the analysis occurs in your own environment. Further, you have the option of sharing nothing with Palo Alto Networks, or only the files with a "malicious" verdict.
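The two posts above describe the decision the firewall makes for each file: look up the hash first, upload the whole file only if the cloud has never seen it, and (as a privacy control) only forward documents in the direction the policy allows. The following is an added example written for this thread, not code from Palo Alto Networks or from the WildFire product; the class and method names, the zone names "trust"/"untrust", and the file contents are all constructed for illustration. It models the hash-check-then-upload flow together with a direction-based forwarding rule of the kind described in the second bullet (executables forwarded either way, PDF/Office documents only when they arrive from an external zone), so you can see which files would actually leave the network.

```python
"""Added example (not from the original thread or Palo Alto Networks):
a simplified model of the WildFire-style hash check before full upload,
plus a direction/type forwarding policy that keeps internally generated
documents from being sent off-site. All names and data are constructed."""
import hashlib
from dataclasses import dataclass, field

# File types the hypothetical analysis service accepts.
SUPPORTED_TYPES = {"pe", "pdf", "office"}


@dataclass
class ForwardingPolicy:
    # Zones treated as "the Internet" (assumed names, not product config).
    external_zones: frozenset = field(default_factory=lambda: frozenset({"untrust"}))
    # Document types that are only forwarded when they come from an external zone.
    doc_types: frozenset = field(default_factory=lambda: frozenset({"pdf", "office"}))

    def allows(self, ftype: str, src_zone: str) -> bool:
        """Executables are forwarded regardless of direction; documents only inbound."""
        if ftype not in SUPPORTED_TYPES:
            return False
        if ftype in self.doc_types:
            return src_zone in self.external_zones
        return True


class AnalysisCloud:
    """Stand-in for the cloud service: remembers a verdict per SHA-256 digest."""

    def __init__(self) -> None:
        self.verdicts: dict[str, str] = {}
        self.uploads: list[str] = []  # digests for which the full file was received

    def lookup(self, digest: str):
        return self.verdicts.get(digest)

    def submit(self, digest: str, data: bytes) -> str:
        self.uploads.append(digest)
        # Constructed verdict rule for the demo: a marker string means "malicious".
        verdict = "malicious" if b"BAD-MARKER" in data else "benign"
        self.verdicts[digest] = verdict
        return verdict


@dataclass
class Firewall:
    cloud: AnalysisCloud
    policy: ForwardingPolicy = field(default_factory=ForwardingPolicy)

    def handle_file(self, data: bytes, ftype: str, src_zone: str):
        """Return (action, verdict) for one file seen on a matching session."""
        if not self.policy.allows(ftype, src_zone):
            return ("not-forwarded", None)          # nothing leaves the firewall
        digest = hashlib.sha256(data).hexdigest()
        verdict = self.cloud.lookup(digest)
        if verdict is not None:
            return ("hash-only", verdict)            # only the hash was sent
        return ("uploaded", self.cloud.submit(digest, data))  # full file sent


def demo():
    """Run four constructed files through the model and return the outcomes."""
    cloud = AnalysisCloud()
    fw = Firewall(cloud)
    inbound_pdf = b"%PDF-1.4 constructed download containing BAD-MARKER"
    outbound_pdf = b"%PDF-1.4 constructed internal report, confidential"
    exe = b"MZ constructed executable"
    results = [
        fw.handle_file(inbound_pdf, "pdf", "untrust"),  # new file: uploaded
        fw.handle_file(inbound_pdf, "pdf", "untrust"),  # seen before: hash only
        fw.handle_file(outbound_pdf, "pdf", "trust"),   # internal doc: never sent
        fw.handle_file(exe, "pe", "trust"),             # executable: uploaded
    ]
    return results, list(cloud.uploads)


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The point of the model is the middle branch: once any firewall has uploaded a given file, every later firewall that sees the same bytes sends only the digest, but the first sighting of a new document always means the document itself leaves the network unless the forwarding rule stops it. How the real product expresses that rule (per-zone, per-direction, per-file-type) is a matter of its own configuration; the policy class here is only an illustration of the shape of the control.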
06-19-2014 09:48 AM
Yes, I've certainly read that guide. It wasn't so much a black-and-white "What do Palo Alto do?" question; rather, I wanted to check people's comfort levels/paranoia about what is submitted.
06-19-2014 11:00 AM
I'm working in the National Cancer Institute, and we must, by law, prevent the transfer of any file with "protected health information" in it.
Since we can't know beforehand which file might possibly contain protected health information, we have to prohibit the transfer of any file to the WildFire cloud.
06-19-2014 03:17 PM
Being subject to restrictions in both PCI and PHI handling, we also are looking to test deploy of the internal WF-500.
Basic WildFire shipping of executables is no issue. But the document formats pose too much of a compliance risk to automatically ship off-site.
06-20-2014 06:14 AM
We would normally be more interested in the Office and PDF documents coming down from public web sites or being sent inbound via email. In both cases there should not be confidential info. We have secure file transfer technologies for the secure transmission of documents, so anyone sending confidential info inbound via standard email is in violation of policy. You could selectively not forward those potentially sensitive documents if the communication was internal (and crossing a firewall boundary). The other option is the WF-500 as mentioned above.
Phil