I have a question regarding this new functionnality for PANOS 6.1.0 version.
One of my customer has tested, but he doesn't get an email when a suspicious link in an email is send/received by users.
So I tested on our lab, and I have the same behavior. I use the informations from WildFire Email Alerts: Subscribe or Add Additional Recipients
It seems to detect threat links as informational/low severity for smtp:
Even if the link I used for my test in the email, is known as malware by Wildfire:
And it's blocked when I use this link on my browser:
So, did anyone has successfully applied this functionality and received an email alert?
And which link do you use to test it? :smileyhappy:
Did you verify your wildfire portal that, above mentioned serial number is "checked" for notification.
I have check and enable notifications from WF portal, and it works.
But from my understanding, when a suspicious link is present in an email, the device is supposed to send an alert message through smtp, right?
That is a different option to send SYSTEM log messages (for different severity) to an email account.
Reference DOC: How to Configure Email Alerts for System Logs?
Hope this helps.
Wildfire email link analysis is no different compared to other file types you have in file blocking profile.
If any email contains a http or https link then firewall will forward that link to wildfire and gets an analysis report.
If the link in email is benign or malware then firewall will send an email report.
Yes, I do not see the Wildfire submission in the WF logs, neither in the portal for this activity.
Other WF threats are correctly send.
Maybe a missconfiguration?
I have just followed the KB: WildFire Email Alerts: Subscribe or Add Additional Recipients
@Hulk: I have tried, but not receiving email.
Hari is right, firewall is supposed to get logs. After that it forwards it to Email.
Now first thing is why firewall is not generating wildfire logs. Did you configure file blocking profile with "forward" or "Continue-forward".
You may need to check your firewall configuration once more. :smileyhappy:
- Need to check the wildfire action, data-filtering profile, security rule where it should be apply.
A KB document for your reference: How to Configure WildFire
FYI: WildFire CLI commands
Once the basic configuration is complete, the following commands provide the details of the best server selected. To test the Connectivity, follow the steps below:
> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
wildfire registration: successful
download server list: successful
select the best server: va-s1.wildfire.paloaltonetworks.com
Initial registration can only be done on the active unit in an Active/Passive cluster.
Note: Do not use PING to test connectivity to the server. Ping requests are disabled on the WildFire server. Best practice to test connectivity is to Telnet to the server on port 443.
To verify, if any files have been forwarded to the server, use the following command:
> show wildfire status
Wildfire cloud: default cloud
Best server: va-s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 10.30.24.52
Signature verification: enable
Server selection: enable
Through a proxy: no
file size limit (MB): 2
file idle time out (second): 90
total file forwarded: 0
forwarding rate (per minute): 0
concurrent files: 0
The total file forwarded counter will provide the number of files being forwarded to the server.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!