Wildfire not showing any files.

hoplahoi · ‎02-14-2012

I have configured a PA500 to use Wildfire but in the dashboard I don't see any files being examined.

While downloading an .exe I get the page to continue and I see in the Data Filtering Log, action Forward.

Inspecting the system log doesn't show any info on Wildfire.

On the Wildfire dashboard nothing happens even after a few days.

Today I tried a manual upload and that is working.

Anyone got this working on a PA500?

gzauner · ‎02-14-2012

Today I started with the wildfire configuration. The first files were uploaded properly. But since about 2 hours - nothing happens. I only see the logs "forward". But the files don't appear in the dashboard of the wildfire.paloaltoneworks.com server.

I'm not quite sure, but it seems my firewall is on a blacklist?

gafrol · ‎02-14-2012

Same here although I see traffic log entries from time to time nothing showing up in the WildFire portal.

tettema · ‎02-14-2012

If you only see "forward" but no "wildfire-upload-success" or "wildfire-upload-skip", then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. Below is an explanation of the different status types to clarify:

forward

Data plan detected a PE file on a WildFire-enabled policy. The PE file is buffered in management plane.

At this point, if you only see "forward" for a specific file, then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent for previously seen benign files). This means that you will not see an entry in the WildFire web portal for these files.

wildfire-upload-success

This means that the file wasn't signed by a trusted signer, and the file hasn't yet been seen by the cloud. In this case, the file (and session info) was uploaded to the cloud for analysis.

wildfire-upload-skip

This means that the file was already seen by the cloud, but the file was confirmed to be malware, so the device skips the file but still sends session info for logging purposes.

If you see either of the above two wildfire actions, then you should see a corresponding report in the WildFire web portal.

mikand · ‎02-15-2012

Why is "signed by a trusted file signer" considered to be a good file by default?

I mean look at stuxnet and several other cases which uses stolen certificates to provide "signed by a trusted file signer" in order to bypass various antivirus functons.

gafrol · ‎02-15-2012

I don't get it. Where would I see the mentioned wildfire actions on the firewall ?

gafrol · ‎02-15-2012

Ok in the Data Filtering logs...

tettema · ‎02-15-2012

Yes, supporting any trusted certs will always carry some risk. However, the trusted cert list on the devices for use by WildFire is extremely limited, and is only used to prevent the service from being inundated with every Microsoft patch, Google update, etc. that traverses the firewall. A compromised cert from one of the vendors on this limited list would be a truly exceptional event. In the event a cert is compromised, we are able to quickly respond with a content update to clear the stolen cert from customer devices, and reanalyze samples that used the cert in question.

hoplahoi · ‎02-16-2012

I had another look in the data filtering log but all are "forward" and so no files are uploaded. To be honoust I'm not very wild nor on fire about this new feature.

gafrol · ‎02-17-2012

For me this feature works as expected and advertised.

"...At this point, if you only see "forward" for a specific file, then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen."

Unlock your full community experience!

Wildfire not showing any files.

Wildfire not showing any files.

Show your appreciation!