Wildfire submission entries with Severity High showing Action Allow

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wildfire submission entries with Severity High showing Action Allow

L4 Transporter

Hi Guys,

 

I'm got one complain today that wildfire submissions with severity high are showing action as allow!

When I check the antivirus and antispyware, everything was configured as DROP and it was called in the Security Rule for incoming traffic - Outside to DMZ.

 

The client is using PANOS version 8 and I think it might be some kind of a bug.

 

Does anyone experienced the same behavior?

 

Regards,

Sharief

Regards,
Sharief
1 accepted solution

Accepted Solutions

Hi Sharief

 

I think you were looking at the wildfire submission log at first

This log is a representation of which files were processed by wildfire and uploaded to the wildfire cloud for analysis. For every file uploaded the verdict is only added afterward, when the analysis is complete. (files that are already known will not be uploaded and will be processes by your AntiVirus profile settings) After a file has reached a verdict of malicious, signatures are created and made available through the wildfire dynamic updates.

Once downloaded and installed, this infected file can now be blocked and a Treat log entry will be generated (not for the first time the file is seen, as there is no signature yet and the file is not blocked)

 

so if you see a malicious file via the wildfire log but nothing in threat, the file was only seen once

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

could you add some screenshots ?

 

are you seeing an allow on the traffic log? and is it a wildfire upload or awildfire signature match ?

 

if you click the magnification glass for log details (first collumn of the log line), can you see other logs listed at the bottom and what verdicts/actions do they list ?

 

a traffic log may list an allow where a threat log lists a block and several other valid scenarios

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @reaper,

 

When I check the magnification glass for most of them and vulnerability action is alert and severity is informational.

 

Below is a screenshot from WildFire submission logs:wildfire.png

 

 I'm confirming with client regarding sessions at traffic logs. Will keep you updated.

 

Regards,

Sharief

 

 

Regards,
Sharief

Hi @reaper,

 

The traffic log doesn't show what you said!

 

I checked the same session ID in traffic log and found the following:

 

5.JPG

 

Below are the rest of screenshots:

 

1.JPG

 

 

2.JPG

 

 

3.JPG

 

 

4.JPG

 

 

6.JPG

 

 

7.JPG

 

 

 

Regards,

Sharief

 

 

 

Regards,
Sharief

Hi Sharief

 

I think you were looking at the wildfire submission log at first

This log is a representation of which files were processed by wildfire and uploaded to the wildfire cloud for analysis. For every file uploaded the verdict is only added afterward, when the analysis is complete. (files that are already known will not be uploaded and will be processes by your AntiVirus profile settings) After a file has reached a verdict of malicious, signatures are created and made available through the wildfire dynamic updates.

Once downloaded and installed, this infected file can now be blocked and a Treat log entry will be generated (not for the first time the file is seen, as there is no signature yet and the file is not blocked)

 

so if you see a malicious file via the wildfire log but nothing in threat, the file was only seen once

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @reaper,

 

Thanks for your support. I've checked all the malicious files that were allowed and they were first seen at the same time of logs at wildfire submission.

 

But the new option of PANOS 8.0 "Action" is really misleading.

 

Regards,

Sharief

Regards,
Sharief

Hi All,

 

at least this is completely strange!?

 

If you review my WF submission, framed part definitely is not seen by WF cloud for the first time, right?

File has same name, same hash and it is marked as malicious?! 

Why this file with high severity, marked as malicious, repeatable allowed by PAN OS8.0?

 

p.s. Off course all my profiles, antivirus and antispyware were tuned with reset-both action...

 

WF.png

L1 Bithead

Dear All,
I am reaching out to seek clarification regarding an issue we are encountering with the WildFire analysis profile in our Palo Alto firewall.

We have noticed that in certain cases, files marked with a "malicious" verdict and an "informational" severity are being blocked, as shown in the attached screenshot. Specifically, one of the files with an informational severity triggered a "block" action, which seems inconsistent with our configuration and expected behavior.

Our expectation is that only files with "high" or "critical" severity should trigger a "block" action. Could you please advise on why the block action is being applied to informational severity files and how we can adjust our settings to ensure appropriate actions are taken based on the severity level?

Thank you in advance for your assistance. We look forward to your guidance on this matter.

Thank you.
  • 1 accepted solution
  • 8733 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!