Wildfire Email Link Analysis

Hello Hulk,

I have check and enable notifications from WF portal, and it works.

But from my understanding, when a suspicious link is present in an email, the device is supposed to send an alert message through smtp, right?

Regards,

Renan

Hello Renan,

That is a different option to send SYSTEM log messages (for different severity) to an email account.

Reference DOC: How to Configure Email Alerts for System Logs?

Hope this helps.

Thanks

Hello Renan,

Wildfire email link analysis is no different compared to other file types you have in file blocking profile.

If any email contains a http or https link then firewall will forward that link to wildfire and gets an analysis report.

If the link in email is benign or malware then firewall will send an email report.

Regards,

Hari Yadavalli

Hello Hari,

Yes, I do not see the Wildfire submission in the WF logs, neither in the portal for this activity.

Other WF threats are correctly send.

Maybe a missconfiguration?

I have just followed the KB: WildFire Email Alerts: Subscribe or Add Additional Recipients

@Hulk: I have tried, but not receiving email.

Regards,

Renan

Hi Renan,

Hari is right, firewall is supposed to get logs. After that it forwards it to Email.

Now first thing is why firewall is not generating wildfire logs. Did you configure file blocking profile with "forward" or "Continue-forward".

Regards,

Hardik Shah

Hello Renan,

You may need to check your firewall configuration once more.

- Need to check the wildfire action, data-filtering profile, security rule where it should be apply.

A KB document for your reference: How to Configure WildFire

FYI: WildFire CLI commands

Once the basic configuration is complete, the following commands provide the details of the best server selected. To test the Connectivity, follow the steps below:

> test wildfire registration

This test may take a few minutes to finish. Do you want to continue? (y or n)

Test wildfire

        wildfire registration:        successful

        download server list:        successful

        select the best server:      va-s1.wildfire.paloaltonetworks.com

Initial registration can only be done on the active unit in an Active/Passive cluster.

Note: Do not use PING to test connectivity to the server. Ping requests are disabled on the WildFire server. Best practice to test connectivity is to Telnet to the server on port 443.

To verify, if any files have been forwarded to the server, use the following command:

> show wildfire status

Connection info:

        Wildfire cloud:                default cloud

        Status:                        Idle

        Best server:                  va-s1.wildfire.paloaltonetworks.com

        Device registered:            yes

        Service route IP address:      10.30.24.52

        Signature verification:        enable

        Server selection:              enable

        Through a proxy:              no

Forwarding info:

        file size limit (MB):                  2

        file idle time out (second):            90

        total file forwarded:                  0

        forwarding rate (per minute):          0

        concurrent files:                      0

The total file forwarded counter will provide the number of files being forwarded to the server.

Thanks

Hello Renan,

Share the output of below command:

>show wildfire statistics

Regards,

Hari Yadavalli