02-14-2012 03:02 AM
I have configured a PA500 to use Wildfire but in the dashboard I don't see any files being examined.
While downloading an .exe I get the page to continue and I see in the Data Filtering Log, action Forward.
Inspecting the system log doesn't show any info on Wildfire.
On the Wildfire dashboard nothing happens even after a few days.
Today I tried a manual upload and that is working.
Anyone got this working on a PA500?
02-14-2012 04:18 AM
Today I started with the WildFire configuration. The first files were uploaded properly. But for about 2 hours now, nothing has happened. I only see the "forward" logs. But the files don't appear in the dashboard of the wildfire.paloaltonetworks.com server.
I'm not quite sure, but it seems my firewall is on a blacklist?
02-14-2012 07:33 PM
If you only see "forward" but no "wildfire-upload-success" or "wildfire-upload-skip", then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. Below is an explanation of the different status types to clarify:
forward
Data plane detected a PE file on a WildFire-enabled policy. The PE file is buffered in the management plane.
At this point, if you only see "forward" for a specific file, then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent for previously seen benign files). This means that you will not see an entry in the WildFire web portal for these files.
wildfire-upload-success
This means that the file wasn't signed by a trusted signer, and the file hasn't yet been seen by the cloud. In this case, the file (and session info) was uploaded to the cloud for analysis.
wildfire-upload-skip
This means that the file was already seen by the cloud, but the file was confirmed to be malware, so the device skips the file but still sends session info for logging purposes.
If you see either of the above two wildfire actions, then you should see a corresponding report in the WildFire web portal.
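The decision rules in the reply above (trusted signer, previously seen benign, previously seen malware, never seen) can be modelled as a small script, which also shows how to triage a Data Filtering export to see which files should be expected in the portal. This is an added example, not code from the thread or from Palo Alto Networks; the trusted-signer names, file hashes, log line format and log lines are all constructed for illustration and do not reproduce real PAN-OS output.

```python
"""Model of the WildFire forwarding decisions described in the reply above.

The rules come from the reply; the signer list, verdict cache and the
comma-separated log format below are constructed for this example.
"""
from collections import Counter

# Constructed stand-in for the device's limited trusted-signer list.
TRUSTED_SIGNERS = {"Example Vendor A", "Example Vendor B"}

# Constructed stand-in for what the cloud has already seen and its verdict.
CLOUD_VERDICTS = {
    "sha256:seen-benign-0001": "benign",
    "sha256:seen-malware-0002": "malware",
}


def wildfire_actions(signer, file_hash, cloud_verdicts=CLOUD_VERDICTS,
                     trusted_signers=TRUSTED_SIGNERS):
    """Return the sequence of Data Filtering actions the reply describes.

    'forward' is always logged first (PE file buffered on the management plane).
    A second entry follows only when the file is not trusted-signed and is
    either unseen (upload-success) or known malware (upload-skip). A
    previously seen benign file produces nothing beyond 'forward'.
    """
    actions = ["forward"]
    if signer in trusted_signers:
        return actions
    verdict = cloud_verdicts.get(file_hash)
    if verdict is None:
        actions.append("wildfire-upload-success")
    elif verdict == "malware":
        actions.append("wildfire-upload-skip")
    return actions


def expect_portal_report(actions):
    """Per the reply, a portal entry exists only after an upload action."""
    return any(a in ("wildfire-upload-success", "wildfire-upload-skip")
               for a in actions)


# Constructed log export: "time,src,dst,filename,action" (format is an assumption).
SAMPLE_LOG = """\
2012/02/14 03:02:11,10.0.0.5,203.0.113.7,setup.exe,forward
2012/02/14 03:02:11,10.0.0.5,203.0.113.7,setup.exe,wildfire-upload-success
2012/02/14 03:05:40,10.0.0.8,203.0.113.9,update.exe,forward
2012/02/14 03:09:02,10.0.0.9,203.0.113.10,tool.exe,forward
2012/02/14 03:09:02,10.0.0.9,203.0.113.10,tool.exe,wildfire-upload-skip
2012/02/14 03:12:15,10.0.0.5,203.0.113.11,client.exe,forward
"""


def summarize_log(text):
    """Group actions per (src, dst, filename) and say whether a portal entry is expected."""
    per_file = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, fname, action = line.split(",")
        per_file.setdefault((src, dst, fname), []).append(action.strip())
    return {key: expect_portal_report(acts) for key, acts in per_file.items()}


def action_counts(text):
    """Quick tally of actions, useful when a log shows nothing but 'forward'."""
    return Counter(line.split(",")[-1].strip()
                   for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for key, expected in summarize_log(SAMPLE_LOG).items():
        print(key, "portal entry expected" if expected else "forward only, no portal entry")
    print(action_counts(SAMPLE_LOG))
```

Running it over a real export (after adjusting the split to the actual column layout) answers the original question directly: every file that shows only "forward" is one the device decided not to upload, so its absence from the portal is the expected outcome rather than a failure.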
02-15-2012 02:13 AM
Why is "signed by a trusted file signer" considered to be a good file by default?
I mean, look at Stuxnet and several other cases which used stolen certificates to provide "signed by a trusted file signer" in order to bypass various antivirus functions.
02-15-2012 10:50 AM
I don't get it. Where would I see the mentioned WildFire actions on the firewall?
02-15-2012 10:52 AM
Ok in the Data Filtering logs...
02-15-2012 03:41 PM
Yes, supporting any trusted certs will always carry some risk. However, the trusted cert list on the devices for use by WildFire is extremely limited, and is only used to prevent the service from being inundated with every Microsoft patch, Google update, etc. that traverses the firewall. A compromised cert from one of the vendors on this limited list would be a truly exceptional event. In the event a cert is compromised, we are able to quickly respond with a content update to clear the stolen cert from customer devices, and reanalyze samples that used the cert in question.
02-16-2012 01:59 AM
I had another look in the Data Filtering log, but all are "forward" and so no files are uploaded. To be honest, I'm not very wild nor on fire about this new feature.
02-17-2012 02:44 AM
For me this feature works as expected and advertised.
"...At this point, if you only see "forward" for a specific file, then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen."