03-04-2016 01:57 AM
Hi,
I am testing WildFire at the moment for forwarding .doc, .docx and EXE files to the WildFire cloud.
This is my rule:
But it seems that only .doc and .exe files are forwarded to the cloud (first forward, but then upload skip because the cloud has already seen this file - that's OK).
The .docx files are just in "alert" state and will not be forwarded to the cloud. Does anybody know why?
03-04-2016 06:18 AM
Hello,
The most probable reason why it is just reporting 'Alert' is that the file has already been seen by WildFire at some point and it is benign.
Try creating a custom DOCX and see what happens.
Regards,
03-04-2016 10:19 AM - edited 03-04-2016 10:19 AM
Is the docx file downloaded inside an HTTPS connection? To upload decrypted files to WildFire there is an extra setting to enable this.
03-05-2016 04:11 AM
Yes, I have already configured "forwarding decrypted files". A decryption policy is also configured. I will try this on Monday with a docx file I created myself and see what happens.
03-07-2016 07:33 AM - edited 03-07-2016 07:34 AM
After changing the file blocking profile to "file type: any" it seems that .docx files are now forwarded to the WildFire cloud... maybe a problem with identifying .docx files?
03-08-2016 11:54 AM
Hi Iweltag,
I was going to respond to your message but then did not have a firewall with a lesser PAN-OS than 7.x to check if I am correct 😕 sorry I didn't, I feel like I am coming late to the party now. Anyway:
I think you could either add the zip filetype or ms-office (not sure if that exists as such in 6.x) along with the .doc filetype. The fact is that there is a big difference in file formats: .doc is a closed file format and, if I remember well, should have the magic number "D0C F11E" (doc file), while docx is actually an archive containing more files, and you can open Office xlsx or docx and similar files with an unarchiver app.
I would try adding doc and zip filetypes to your file blocking profile to check if that will work, and if you have ms-office try that filetype as well instead of any. Otherwise, if docx was selectable but not working as expected I would open a case with TAC to check and to bring the issue to their attention.
Best regards
Luciano
03-09-2016 12:25 AM
Hi,
thanks for your response. I will try that and give you feedback :)...
03-09-2016 05:00 AM
Hi,
When I am using "microsoft-office" as the filetype to be forwarded to the cloud, it seems to work fine with .docx files.
I also found this hint on PAN Help:
[...]
If you want the firewall to block/forward MS Office files, it is recommended that you select this “msoffice” group to ensure all supported MS Office file types will be identified instead of selecting each file type individually.
[...]
When I am using the "docx, gzip, zip" file types in the data blocking policy, the docx files will not be forwarded to the cloud.
03-09-2016 10:08 AM
Hi Iweltag,
I am glad the advice still had some value 🙂
OK, so it will work with ms-office. I would think it should work with docx, but "your mileage may vary" depending on the particular docx and perhaps on what it embeds, so I would still go for the ms-office filetype. If this creates a problem for you (for example, you wanted exclusively docx forwarded but not the rest) you should still open the case with TAC.
Best regards
Luciano
11-07-2016 08:46 AM
I ran into this issue as well and found that we had an old file blocking profile that alerted on ZIP file downloads. This was making the Palo tag them as ZIP instead of MS-Office files. I removed that from the file blocking profile and now they get detected as MS-Office and now get submitted to WildFire.
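The format difference discussed in this thread (a .doc is an OLE2 compound file, while a .docx is a ZIP archive that a matcher can tag as plain ZIP), shown as an added example that is not from any poster or from Palo Alto Networks and does not represent how PAN-OS identifies files. The function names and sample files are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file: legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP local file header: .docx starts with this too

# Main document part that distinguishes each OOXML kind inside the archive
OOXML_PARTS = {
    "word/document.xml": "docx",
    "xl/workbook.xml": "xlsx",
    "ppt/presentation.xml": "pptx",
}

def classify(data: bytes) -> str:
    """Classify by content, not extension; a ZIP signature alone is not enough."""
    if data.startswith(OLE2_MAGIC):
        return "ms-office (OLE2)"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip (unreadable)"
    # OOXML packages always carry [Content_Types].xml plus a main part
    if "[Content_Types].xml" in names:
        for part, kind in OOXML_PARTS.items():
            if part in names:
                return f"ms-office ({kind})"
    return "zip"

def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample inputs (minimal skeletons, not real documents)
SAMPLES = {
    "report.docx": make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>"}),
    "backup.zip": make_zip({"notes.txt": "hello"}),
    "legacy.doc": OLE2_MAGIC + b"\x00" * 504,
    "tool.exe": b"MZ" + b"\x00" * 62,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} first bytes {blob[:4].hex()}  ->  {classify(blob)}")
```

Both `report.docx` and `backup.zip` begin with the same four bytes, which is why a profile entry that matches ZIP can claim a .docx before it is recognised as an Office file.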