- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Wildfire Email Link Analysis
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Re: Wildfire Email Link Analysis
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Wildfire Email Link Analysis
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-31-2014 04:21 AM
Hello,
I have a question regarding this new functionnality for PANOS 6.1.0 version.
One of my customer has tested, but he doesn't get an email when a suspicious link in an email is send/received by users.
So I tested on our lab, and I have the same behavior. I use the informations from WildFire Email Alerts: Subscribe or Add Additional Recipients
It seems to detect threat links as informational/low severity for smtp:
Even if the link I used for my test in the email, is known as malware by Wildfire:
And it's blocked when I use this link on my browser:
So, did anyone has successfully applied this functionality and received an email alert?
And which link do you use to test it? 
Regards,
Renan
- Labels:
-
Configuration
-
Content-ID
-
Troubleshooting
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-31-2014 09:15 AM
Hello Renan,
And also another point to note if we already have the signature in our Virus database firewall won't even forward to wildfire.
Regards,
Hari Yadavalli
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-31-2014 09:29 AM
Hello
my configuration is fine, other suspect files are send to WF, and on this specific function in the screnshot, you can see that "wildfire-upload-success" is the action.
For other questions:
> show wildfire status
Connection info:
Wildfire cloud: public cloud
Status: Idle
Best server: eu-s1.wildfire.paloaltonetworks.com
Device registered: yes
Valid wildfire license: yes
Service route IP address: 62.23.197.100
Signature verification: enable
Server selection: enable
Through a proxy: no
File size limit info:
pe 2 MB
apk 10 MB
pdf 400 KB
ms-office 500 KB
jar 1 MB
flash 5 MB
Forwarding info:
file idle time out (second): 90
total file forwarded: 647
file forwarded in last minute: 0
concurrent files: 0
> show wildfire statistics
Packet based counters:
Total msg rcvd: 269318
Total bytes rcvd: 224453980
Total msg read: 241801
Total bytes read: 197836829
Total msg lost by read: 27517
Total DROP_NO_MATCH_FILE 27517
Total files received from DP: 2155
Counters for file cancellation:
CANCEL_BY_DP 31
CANCEL_TIME_OUT 4
CANCEL_FILE_DUP_EARLY 32
CANCEL_FILE_DUP 647
CANCEL_FILESIZE_LIMIT 93
CANCEL_CONCURRENT_LIMIT 15
Counters for file forwarding:
file type: apk
FWD_CNT_LOCAL_FILE 1
FWD_CNT_REMOTE_DUP_CLEAN 1
file type: pdf
FWD_CNT_LOCAL_FILE 64
FWD_CNT_LOCAL_DUP 12
FWD_CNT_REMOTE_FILE 55
FWD_CNT_REMOTE_DUP_CLEAN 13
FWD_CNT_REMOTE_DUP_TBD 3
file type: email-link
FWD_CNT_LOCAL_FILE 48
FWD_CNT_APPENDED_BATCH 49
file type: ms-office
FWD_CNT_LOCAL_FILE 28
FWD_CNT_LOCAL_DUP 22
FWD_CNT_REMOTE_FILE 27
FWD_CNT_REMOTE_DUP_CLEAN 9
FWD_CNT_REMOTE_DUP_TBD 10
file type: pe
FWD_CNT_LOCAL_FILE 46
FWD_CNT_LOCAL_DUP 15
FWD_CNT_LOCAL_FILE_CLEAN 25
FWD_CNT_REMOTE_FILE 3
FWD_CNT_REMOTE_DUP_CLEAN 55
FWD_CNT_CACHE_SYNC 1
file type: flash
FWD_CNT_LOCAL_FILE 1120
FWD_CNT_LOCAL_DUP 598
FWD_CNT_REMOTE_FILE 519
FWD_CNT_REMOTE_DUP_CLEAN 907
FWD_CNT_REMOTE_DUP_TBD 39
FWD_CNT_REMOTE_DUP_MAL 9
FWD_CNT_CACHE_SYNC 4
file type: jar
file type: unknown
file type: pdns
Error counters:
FWD_ERR_CONN_FAIL 4
LOG_ERR_REPORT_CACHE_NOMATCH 198237
Reset counters:
DP receiver reset cnt: 1
File cache reset cnt: 1
Service connection reset cnt: 1
Log cache reset cnt: 1
Report cache reset cnt: 1
Resource meters:
data_buf_meter 0%
msg_buf_meter 0%
ctrl_msg_buf_meter 0%
File forwarding queues:
priority: 1, size: 0
priority: 2, size: 0
priority: 3, size: 0
@Hardik: The file blocking profile is set to "forward"
@Hari:that's an interesting point, so this is relevant only to unknown applications not seen by WildFire?
Because what I have understood, and also my customer, is for every suspect application, we will get an email alert from device with this.
Regards,
Renan
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-31-2014 09:44 AM
Hi Renan,
By defualt benign files are not logged. You have to enable it by following command. May be files are benign and not malicious.
> configure
# set deviceconfig setting wildfire report-benign-file yes
# commit
Regards,
Hardik Shah
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-31-2014 10:01 AM
Hello Renan,
My apologies, I stand corrected.
For any http or https links in an email body firewall does not check virus database because firewall cannot hash links and so it has to send any links to wildfire and should get a report.
Once the firewall receives a report then you will receive wildfire report via email.
Regards,
Hari Yadavalli
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-31-2014 01:34 PM
Hello Renan
Could you please run the below command and check for the "Wildfire logs written"
> debug log-receiver statistics
Now try to download an exe file . You can use the link " http://wildfire.paloaltonetworks.com/publicapi/test/pe"
Check if the counter increases. This will let us know if the counter will indicate if the wildfire logs are written.
Restart var-data receiver, management server and device server one at a time to see if it fixes the issue
> debug software restart vardata-receiver
>debug software restart management-server
> debug software restart device-server
If this does not resolve the issue please turn ON the debug for the the following daemon
> debug vardata-receiver on debug
> debug device-server on debug
>debug log-receiver on debug
Run the test again and turn off the above debugs. Then download a tech support file and contact TAC for further assistance.
Regards
Khan
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-31-2014 01:39 PM
Once test is over, disable the debugs.
> debug vardata-receiver on info
> debug device-server on info
>debug log-receiver on info
- Getting system alert-high for Wildfire update failure, failed to extract file in Panorama Discussions
- Modify Alerts Going to An Endpoint Group in Cortex XDR Discussions
- How most decisions are made by Cortex XDR ? in Cortex XDR Discussions
- Cortex XDR and windows Install folder in Cortex XDR Discussions
- Automatic deletion of files suspected/confirmed as malware in Cortex XDR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
