03-20-2019 09:24 AM
Hello Everyone,
I note that when I view the Monitor -> Wildfire Submissions activity on my Palo Alto PA-3020 8.1.6, all the detections with a verdict of "phishing" with a Severity of "high" are allowed.
However, the other verdict I can see, which is "malicious" with a severity of "Informational" is successfully blocked.
Is this the behaviour that others see, or have I not configured WildFire correctly?
Is there anything I can do to set the "phishing" emails to be blocked?
Thanks,
Steve
03-20-2019 01:11 PM
@Steve-Phillips wrote:Is the above a reasonable summary of the events as detailed above?
Yes, it is. Only one point: the might be a little delay between wildfire setting the verdict until every paloalto firewall receives the update
@Steve-Phillips wrote:Can I further conclude that if I have only seen WildFire phishing verdict as "allow", that all of our detected phishing emails are "first seen" phishing emails, otherwise I would have seen a blocked phishing email?
Exactly (or if another firewall already uploaded the url but wildfire was still processing it when your firewall received the email)
03-20-2019 11:30 AM - edited 03-20-2019 11:48 AM
From your description it sounds like already configured it correctly. These events that are allowed are normal because these links were not known as phishing links by wildfire. With that email the url was forwarded to wildfire and the verdict was received by the firewall afterwards. The firewall allows the url/attachment if it is unknown at that time and the reason is that the firewall only does flow-based checks and does not operate in store-and-forward mode like a mailgateway.
Hope this helps,
Remo
03-20-2019 12:14 PM - edited 03-20-2019 12:31 PM
Hi @Remo,
Many thanks for your reply.
Following on from what you have said, and so I and perhaps others can understand this a bit better, an example phishing email I have received is as follows:
Receive Time | 2019/03/18 14:44:58 |
WildFire Analysis Summary
Receive Time | 2019/03/18 14:48:21 |
Details:
Threat/Content Type | wildfire |
ID | 1238713750 |
Severity | high |
Repeat Count | 1 |
File Type | email-link |
Would this sequence of events demonstrate the following was true:
- Our Palo Alto firewall recieved the phishing email at 14:44:58 and sent the email to WildFire. As the email phishing URL was not currently known, the email was allowed.
- From the WildFire Analysis Summary, WildFire accepted the email for processing at 14:45:46, and our Palo Alto firewall was the first WildFire Palo Alto to see this particular phishing URL.
- After several minutes of processing, at 14:48:21, the email was determined to be a phishing email and set as such in WildFire.
- Any other Palo Alto firewall using WildFire would block that phishing email from that point in time onwards.
Is the above a reasonable summary of the events as detailed above?
Can I further conclude that if I have only seen WildFire phishing verdict as "allow", that all of our detected phishing emails are "first seen" phishing emails, otherwise I would have seen a blocked phishing email?
Thanks,
Steve
Reason for editing: Obsfucation of malicious URL's
03-20-2019 01:11 PM
@Steve-Phillips wrote:Is the above a reasonable summary of the events as detailed above?
Yes, it is. Only one point: the might be a little delay between wildfire setting the verdict until every paloalto firewall receives the update
@Steve-Phillips wrote:Can I further conclude that if I have only seen WildFire phishing verdict as "allow", that all of our detected phishing emails are "first seen" phishing emails, otherwise I would have seen a blocked phishing email?
Exactly (or if another firewall already uploaded the url but wildfire was still processing it when your firewall received the email)
03-20-2019 01:27 PM
Great, many thanks for that explanation, most useful in increasing my knowledge of the Palo Alto firewall.
Cheers,
Steve
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
