Wildfire not showing any files.


I have configured a PA500 to use Wildfire but in the dashboard I don't see any files being examined.

While downloading an .exe I get the page to continue and I see in the Data Filtering Log, action Forward.

Inspecting the system log doesn't show any info on Wildfire.

On the Wildfire dashboard nothing happens even after a few days.

Today I tried a manual upload and that is working.

Anyone got this working on a PA500?

9 REPLIES

L0 Member

Today I started with the WildFire configuration. The first files were uploaded properly. But for about 2 hours now, nothing has happened. I only see the logs "forward". But the files don't appear in the dashboard of the wildfire.paloaltoneworks.com server.

I'm not quite sure, but it seems my firewall is on a blacklist?

L4 Transporter

Same here: although I see traffic log entries from time to time, nothing is showing up in the WildFire portal.


If you only see "forward" but no "wildfire-upload-success" or "wildfire-upload-skip", then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen.  Below is an explanation of the different status types to clarify:

forward

Data plane detected a PE file on a WildFire-enabled policy.  The PE file is buffered in the management plane.

At this point, if you only see "forward" for a specific file, then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen.  In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent for previously seen benign files).  This means that you will not see an entry in the WildFire web portal for these files.

wildfire-upload-success

This means that the file wasn't signed by a trusted signer, and the file hasn't yet been seen by the cloud.  In this case, the file (and session info) was uploaded to the cloud for analysis.

wildfire-upload-skip

This means that the file was already seen by the cloud, but the file was confirmed to be malware, so the device skips the file but still sends session info for logging purposes.

If you see either of the above two wildfire actions, then you should see a corresponding report in the WildFire web portal.
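A triage sketch for the status types explained above, added here as an example and not part of the original reply or any Palo Alto Networks code. The CSV column names and sample rows are constructed assumptions, not the PAN-OS export format; only the three action values come from the thread.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names are assumptions for this example,
# not the PAN-OS export format; only the action values come from the thread.
SAMPLE_LOG = """\
time,session_id,file_name,action
10:01:02,1001,vendor-update.exe,forward
10:05:40,1002,new-tool.exe,forward
10:05:43,1002,new-tool.exe,wildfire-upload-success
10:09:11,1003,known-bad.exe,forward
10:09:12,1003,known-bad.exe,wildfire-upload-skip
10:12:30,1004,report.pdf,alert
"""

# Actions that should produce a report in the WildFire web portal.
REPORT_ACTIONS = {"wildfire-upload-success", "wildfire-upload-skip"}


def triage(log_text):
    """Group rows per (session, file) and decide whether a portal report is expected."""
    actions = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        actions[(row["session_id"], row["file_name"])].add(row["action"])

    results = {}
    for key, seen in actions.items():
        if "forward" not in seen and not (seen & REPORT_ACTIONS):
            continue  # entry unrelated to WildFire forwarding
        if "wildfire-upload-success" in seen:
            results[key] = (True, "uploaded: not trusted-signed, new to the cloud")
        elif "wildfire-upload-skip" in seen:
            results[key] = (True, "known malware: file skipped, session info sent")
        else:
            results[key] = (False, "forward only: trusted signer or known benign")
    return results


def missing_from_portal(log_text):
    """File names that were forwarded but will never show up in the portal."""
    return sorted(f for (_, f), (expected, _) in triage(log_text).items() if not expected)


if __name__ == "__main__":
    for (sid, name), (expected, why) in triage(SAMPLE_LOG).items():
        print(f"session {sid} {name}: report expected={expected} ({why})")
```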

Why is "signed by a trusted file signer" considered to be a good file by default?

I mean look at Stuxnet and several other cases which use stolen certificates to provide "signed by a trusted file signer" in order to bypass various antivirus functions.

I don't get it. Where would I see the mentioned WildFire actions on the firewall?

Ok in the Data Filtering logs...

Yes, supporting any trusted certs will always carry some risk.  However, the trusted cert list on the devices for use by WildFire is extremely limited, and is only used to prevent the service from being inundated with every Microsoft patch, Google update, etc. that traverses the firewall.  A compromised cert from one of the vendors on this limited list would be a truly exceptional event.  In the event a cert is compromised, we are able to quickly respond with a content update to clear the stolen cert from customer devices, and reanalyze samples that used the cert in question.

I had another look in the data filtering log but all are "forward" and so no files are uploaded. To be honest I'm not very wild nor on fire about this new feature.

For me this feature works as expected and advertised.

"...At this point, if you only see "forward" for a specific file, then that means it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen."
