Wildfire .docx

Reply
Highlighted
L2 Linker

Wildfire .docx

Hi,

 

i am testing wildfire at the moment for forwarding .doc, .docx and EXE Files to the wildfire cloud.

 

This is my rule:

 

WF Rule

 

But it seems, that only .doc and .exe Files are forwared to the cloud (first Forward but then upload skip because the cloud have already seen this file - that´s ok)

 

The .docx files are just in "alert" state and will not be forwarded to the cloud . Does anybody know why?

 

DF Log

 

 

Highlighted
Cyber Elite

Hello,

The most probable reason why it is just reporting 'Alert' is that the file has already been seen by wildfire at some point and it benign.

 

Try creating a custom DOCX and see what happens.

 

Regards,

Highlighted
L4 Transporter

Is the docx file downloaded inside a https connection? To upload decrypted to Wildfire there is an extra setting to enable this.

Highlighted
L2 Linker

Yes i have already configured "forwarding decrypted files". Decrypting policy is also configured. I will try this on monday with an own created docx file and see what happen. 

 

Highlighted
L2 Linker

Hi,

 

it does not work when i am using an own created .docx file. i can not see any upload in the logfile. just alert.

 

docx

 

detail log

Highlighted
L2 Linker

After changing the file blocking profile to "file typ: any" it seems that .docx are now forwarded to the wildfire cloud...maybe a problem with identifying .docx files ?


Highlighted
L5 Sessionator

Hi Iweltag,

 

I was going to respond to your message but than did not have firewall with lesser PAN-OS than 7.x to check if I am correct :/ sorry I didn't, I feel like coming late to the party now. Anyways:

 

I think you could either add zip filetype or ms-office (not sure if that exists as such in 6.x) along with .doc filetype; fact is that there is a big difference in fileformats where .doc is closed file format and if I remember well should have magic number "D0C F11E" - doc file; while docx is actually an archive containing more files and you can open office xlsx or docx and such files with unarchiver app.

 

I would try adding doc and zip filetypes to your file blocking profile to check if that will work, and if you have ms-office try that filetype as well instead of any. Otherwise, if docx was selectable but not working as expected I would open a case with TAC to check and to bring the issue to their attention.

 

Best regards


Luciano

Highlighted
L2 Linker

hi,

 

thanks for your respond. I will try that and give you a feedback :)...

Highlighted
L2 Linker

Hi,

 

when i am using "microsoft-office" as the filetype to be forwarded to the cloud it seems to work fine with .docx files.

 

 

I also find this hint on PAN Help:

 

[...]

If you want the firewall to block/forward MS Office files, it is recommended that you select this “msoffice” group to ensure all supported MS Office file types will be identified instead of selecting each file type individually.

[...]

 

When i am using "docx, gzip, zip" file type in the data blocking policy the docx files will not be forwarded to the cloud.

Highlighted
L5 Sessionator

Hi Iweltag,

 

I am glad advice still had some value :)

ok, so it will work with ms-office. I would think it should work with docx but "your mileage may wary" depending on the particular docx and perhaps of what it embeds, so I would still go for ms-office filetype. If this creates a problem for you (for example, you wanted exclusively docx forwarded but not the rest) you should still open the case with TAC.

 

Best regards


Luciano

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!