Wildfire .docx


L2 Linker

Hi,

 

I am testing WildFire at the moment for forwarding .doc, .docx and EXE files to the WildFire cloud.

 

This is my rule:

 

WF Rule

 

But it seems that only .doc and .exe files are forwarded to the cloud (first forward, but then upload skip because the cloud has already seen this file - that's ok).

 

The .docx files are just in "alert" state and will not be forwarded to the cloud. Does anybody know why?

 

DF Log

 

 


Cyber Elite

Hello,

The most probable reason why it is just reporting 'Alert' is that the file has already been seen by WildFire at some point and it is benign.

 

Try creating a custom DOCX and see what happens.

 

Regards,

Is the docx file downloaded inside an HTTPS connection? To upload decrypted files to WildFire there is an extra setting to enable this.

Yes, I have already configured "forwarding decrypted files". The decryption policy is also configured. I will try this on Monday with a self-created docx file and see what happens.

 

L2 Linker

Hi,

 

It does not work when I am using a self-created .docx file. I cannot see any upload in the log file, just alert.

 

docx

 

detail log

After changing the file blocking profile to "file type: any" it seems that .docx files are now forwarded to the WildFire cloud... maybe a problem with identifying .docx files?


Hi Iweltag,

 

I was going to respond to your message but then did not have a firewall with a PAN-OS version lower than 7.x to check if I am correct 😕 sorry I didn't, I feel like I am coming late to the party now. Anyway:

 

I think you could either add the zip file type or ms-office (not sure if that exists as such in 6.x) along with the .doc file type; the fact is that there is a big difference in file formats: .doc is a closed file format and, if I remember well, should have the magic number "D0C F11E" - doc file; while docx is actually an archive containing more files, and you can open Office xlsx or docx and such files with an unarchiver app.

 

I would try adding the doc and zip file types to your file blocking profile to check if that will work, and if you have ms-office, try that file type as well instead of any. Otherwise, if docx was selectable but not working as expected, I would open a case with TAC to check and to bring the issue to their attention.

 

Best regards


Luciano

hi,

 

Thanks for your response. I will try that and give you feedback :)...

Hi,

 

When I am using "microsoft-office" as the file type to be forwarded to the cloud, it seems to work fine with .docx files.

 

 

I also found this hint in the PAN help:

 

[...]

If you want the firewall to block/forward MS Office files, it is recommended that you select this “msoffice” group to ensure all supported MS Office file types will be identified instead of selecting each file type individually.

[...]

 

When I am using the "docx, gzip, zip" file types in the data blocking policy, the docx files will not be forwarded to the cloud.

Hi Iweltag,

 

I am glad the advice still had some value 🙂

OK, so it will work with ms-office. I would think it should work with docx, but "your mileage may vary" depending on the particular docx and perhaps on what it embeds, so I would still go for the ms-office file type. If this creates a problem for you (for example, you wanted exclusively docx forwarded but not the rest), you should still open the case with TAC.

 

Best regards


Luciano

I ran into this issue as well and found that we had an old file blocking profile that alerted on ZIP file downloads. This was making the Palo tag them as ZIP instead of MS-Office files. I removed that from the file blocking profile and now they get detected as MS-Office and now get submitted to WildFire.
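As an added illustration of the two points made above (that .doc and .docx are different formats under the hood, and that a ZIP match can shadow the Office classification), here is a small Python classifier that is not from the thread or from Palo Alto Networks; the "doc", "zip" and "msoffice" labels and the two sample-file builders are assumptions for the demo.

```python
# Added example (not from the thread): why a .docx can be matched as "zip".
# Legacy .doc is an OLE2 compound file (magic D0 CF 11 E0 A1 B1 1A E1);
# .docx/.xlsx/.pptx are OOXML: a ZIP container (magic 50 4B 03 04) holding
# [Content_Types].xml plus a word/, xl/ or ppt/ part. A check that stops at
# the ZIP magic reports only "zip", the misidentification the thread describes.
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

def classify_naive(data: bytes) -> str:
    """Magic bytes only: every ZIP container, OOXML included, is 'zip'."""
    if data.startswith(OLE_MAGIC):
        return "doc"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"

def classify(data: bytes) -> str:
    """Open the container and report OOXML documents as 'msoffice'."""
    if data.startswith(OLE_MAGIC):
        return "doc"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    if "[Content_Types].xml" in names and any(
        n.startswith(("word/", "xl/", "ppt/")) for n in names
    ):
        return "msoffice"
    return "zip"

def make_docx_like() -> bytes:
    """Constructed minimal OOXML-shaped ZIP (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

def make_plain_zip() -> bytes:
    """Constructed ordinary archive with no Office parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()
```

Running classify_naive(make_docx_like()) returns "zip" while classify(make_docx_like()) returns "msoffice", which is the difference between a profile that matches on zip and one that uses the msoffice group.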
