12-10-2018 06:28 AM
Hi All,
I recently started applying wildfire profiles for most of my traffic to public cloud on all applications. This includes some senitive information for eg: user trying to print out a document that has some sensitive details.
I know wildfire provides great benfits against zero day malware but I have few concerns/questions around it.
1.Are the files uploaded in their original readable format if no hashes are found on wildfire cloud?
2.How secure is the upload process to the cloud?
3.How can I make sure this sensitive info doesn't get leaked out?
4.what are the cpu implications if use public cloud on a busy firewall (45,000 sessions/sec an average)?
TIA.
12-11-2018 11:11 AM
1)
The Wildfire portal (https://wildfire.paloaltonetworks.com) can be used to download uploaded files. You simply click on the Analysis Report details and click the 'Download File' hyperlink on the report. This works for Grayware, Malware, and Phishing files for analysis purposes, beniegn files to the best of my knowledge are not kept.
2)
I believe that wildfire encryption is actually handled by a key on your firewall and the Wildfire cloud, and the fact that it's sent through SSL transmission obviously. Once the data is in the WildFire Cloud it's encrypted at rest passes SOC 2 Type 2 certification (SOC 3 is a thing, but it's actually worse than SOC 2).
3)
You can enable MFA for your Palo Alto Support account, which is used to grant access to the Wildfire portal. Simply go to the Support portal and click on your My-Profile > Security Settings > Enable 2 Factor Authentication. This will enable MFA across your entire PA account when accessing PA cloud services.
12-11-2018 10:40 AM
1) For the purpose of analysis the file is uploaded in a usable state, and can be redownloaded from the wildfire portal by authorized admins.
2) Upload process is encrypted end-to-end. I wouldn't be terribly worried about that, but if you have a need to comply with certain standards it's definately something to think about.
3) Limit who has access to the wildfire portal if you have multiple people under your account. Otherwise, you are just as subseptive to security breaches due to using the SaaS apps as you are as someone breaching your WildFire account.
4) That I'm actually not sure. I don't think it's a big resource hit, I've certaintly never seen any increase directly related to wildfire forwarding.
Really if you are worried about sensitive files or certain files couldn't be forwarded to the public cloud due to regulatory concerns, you would utilize a Wildfire hybrid cloud setup. This would require you to purhcase a WF-500 for private cloud analysis of sensitive files, and then your non-sensitive stuff could still go to the public cloud.
12-11-2018 10:50 AM - edited 12-11-2018 10:50 AM
@BPry thank you so much for your response.
however I do have few questions here.
1.what is the process to get the original file extracted from wildfire portal? and
2.when you say end-to-end encrytped, do you mean ssl encrypted?
3.is there a way palo offers MFA to login into wildfire portal?
12-11-2018 11:11 AM
1)
The Wildfire portal (https://wildfire.paloaltonetworks.com) can be used to download uploaded files. You simply click on the Analysis Report details and click the 'Download File' hyperlink on the report. This works for Grayware, Malware, and Phishing files for analysis purposes, beniegn files to the best of my knowledge are not kept.
2)
I believe that wildfire encryption is actually handled by a key on your firewall and the Wildfire cloud, and the fact that it's sent through SSL transmission obviously. Once the data is in the WildFire Cloud it's encrypted at rest passes SOC 2 Type 2 certification (SOC 3 is a thing, but it's actually worse than SOC 2).
3)
You can enable MFA for your Palo Alto Support account, which is used to grant access to the Wildfire portal. Simply go to the Support portal and click on your My-Profile > Security Settings > Enable 2 Factor Authentication. This will enable MFA across your entire PA account when accessing PA cloud services.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
