Wildfire Signatures vs Threat Prevention Signatures


Hey Guys,

Looking for a little help here, trying to provide some proof to management of the value that the Wildfire subscription is providing to us vs just having the Threat Prevention subscription.  I've looked in the Wildfire logs, but that only shows threats that were uploaded to the Wildfire cloud for investigation and were still allowed through the firewall (basically it's a log of all the stuff that got through and whether or not it was malware). That is helpful for the desktop team, because they can focus a PC cleaning on the machines that are listed in the logs, but I'd like to go to management with a list of threats that were blocked by Wildfire signatures to show all of the stuff that is being prevented from entering our network and therefore proving the value of the Wildfire subscription.  The problem with that is, as far as I know, all threats blocked by Wildfire signatures still just go into the Threat log and are indistinguishable from threats blocked by Threat Prevention signatures.  Does anyone know of a way to identify one vs the other?



L7 Applicator

Wildfire functionality: WildFire combines the abilities of a customer's on-premise firewalls with the scalability and accessibility of the cloud to ensure the best combination of visibility, analysis and enforcement. The next-generation firewall provides full inspection of all traffic across all ports, and can identify unknown files at a rate of up to 10 Gbps. When an unknown file is encountered, it is copied and delivered over an encrypted connection to the Palo Alto Networks malware analysis cloud. In the cloud, the suspect sample is executed in a virtual environment and observed for more than 100 malicious behaviors to determine if the file is a risk. If the file is determined to be a risk, WildFire automatically generates new protections, which are then delivered back to ALL customer firewalls worldwide. New malware infections as well as malware communications are blocked by the firewall, again at a rate of up to 10 Gbps.

I understand what the technology does; that is not what my question was. My question was about identifying which threats have been mitigated by the Wildfire signatures vs the Threat Prevention signatures.

L4 Transporter

Hello Mike,

You can identify them by the Threat ID. Check these two documents and let me know if that's what you are looking for:

Threat ID Ranges in the Palo Alto Networks Content Database

How to Create a Report on Panorama for WildFire Threats Sent to the Cloud



You can also log into your account and visit your Wildfire portal and get a report on the malware that has been detected in the traffic that was uploaded by your firewall.
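One way to act on the Threat ID suggestion above, as an added example that is not part of the original reply or any Palo Alto Networks tooling: a Python sketch that buckets blocked threat log rows by Threat ID range. The ranges, column names, sample rows and the set of actions treated as "blocked" are all constructed assumptions; take the real ranges from the Threat ID Ranges document linked above.

```python
import csv
import io
import re
from collections import Counter

# ASSUMPTION: placeholder ranges constructed for this example. Replace them with
# the values from "Threat ID Ranges in the Palo Alto Networks Content Database".
PLACEHOLDER_RANGES = [("threat-prevention", 1000, 1999), ("wildfire", 2000, 2999)]
# ASSUMPTION: which logged actions count as "blocked" in your report.
BLOCKING_ACTIONS = {"drop", "reset-both"}

# Constructed sample export; the column names are hypothetical.
SAMPLE_CSV = """receive_time,threat_id,action
2024-01-01 10:00:00,1001,reset-both
2024-01-01 10:05:00,Constructed.WF.Sample(2005),drop
2024-01-01 10:06:00,2010,alert
2024-01-01 10:09:00,2999,reset-both
2024-01-01 10:12:00,5000,drop
2024-01-01 10:15:00,n/a,drop
"""

def parse_threat_id(raw):
    """Accept a bare number or a 'name(id)' value; return None if neither."""
    match = re.fullmatch(r"(?:.*\((\d+)\)|(\d+))", raw.strip())
    if not match:
        return None
    return int(match.group(1) or match.group(2))

def classify(threat_id, ranges):
    """Return the label of the first range containing threat_id."""
    for label, low, high in ranges:
        if low <= threat_id <= high:
            return label
    return "unmapped"

def summarize_blocked(csv_text, ranges=PLACEHOLDER_RANGES, blocking=BLOCKING_ACTIONS):
    """Count blocked threat log rows per signature family."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] not in blocking:
            continue  # alert-only rows were not stopped by the firewall
        threat_id = parse_threat_id(row["threat_id"])
        counts["unparsed" if threat_id is None else classify(threat_id, ranges)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize_blocked(SAMPLE_CSV))
```

Rows that land in "unmapped" or "unparsed" are worth reviewing by hand before the totals go into a management report, since they mean the range table or the export format does not match the assumptions.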

L3 Networker

Have your SE run a WF coverage report; it's much more comprehensive, similar to what you can do with an AVR.
