Wildfire submission entries with Severity High showing Action Allow


L4 Transporter

Hi Guys,

 

I got one complaint today that wildfire submissions with severity high are showing action as allow!

When I check the antivirus and antispyware, everything was configured as DROP and it was called in the Security Rule for incoming traffic - Outside to DMZ.

 

The client is using PANOS version 8 and I think it might be some kind of a bug.

 

Has anyone experienced the same behavior?

 

Regards,

Sharief


7 REPLIES

Cyber Elite

could you add some screenshots ?

 

are you seeing an allow on the traffic log? and is it a wildfire upload or a wildfire signature match ?

 

if you click the magnifying glass for log details (first column of the log line), can you see other logs listed at the bottom and what verdicts/actions do they list ?

 

a traffic log may list an allow where a threat log lists a block and several other valid scenarios

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @reaper,

 

When I check the magnifying glass for most of them, the vulnerability action is alert and the severity is informational.

 

Below is a screenshot from WildFire submission logs: wildfire.png

 

 I'm confirming with client regarding sessions at traffic logs. Will keep you updated.

 

Regards,

Sharief

 

 


Hi @reaper,

 

The traffic log doesn't show what you said!

 

I checked the same session ID in traffic log and found the following:

 

5.JPG

Below are the rest of the screenshots:

1.JPG, 2.JPG, 3.JPG, 4.JPG, 6.JPG, 7.JPG

Regards,

Sharief


Hi Sharief

 

I think you were looking at the wildfire submission log at first

This log is a representation of which files were processed by wildfire and uploaded to the wildfire cloud for analysis. For every file uploaded the verdict is only added afterward, when the analysis is complete. (Files that are already known will not be uploaded and will be processed by your AntiVirus profile settings.) After a file has reached a verdict of malicious, signatures are created and made available through the wildfire dynamic updates.

Once downloaded and installed, this infected file can now be blocked and a Threat log entry will be generated (not for the first time the file is seen, as there is no signature yet and the file is not blocked).

 

so if you see a malicious file via the wildfire log but nothing in threat, the file was only seen once

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
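Tom's explanation above describes a manual check: open the log details of a WildFire submission entry and see whether a Threat log entry exists for the same session. The script below is an added example that automates that correlation over exported log rows; it is not part of this thread and not Palo Alto's own tooling. The CSV column names (`session_id`, `sha256`, `verdict`, `action`, `receive_time`) and the sample rows are constructed for the example and are assumptions, not the firewall's actual export headers, so map them to your export before use. It sorts each malicious "allow" submission into one of three buckets: a Threat log entry exists for the session (the file was blocked by signature, and the submission log's "allow" is not the effective action), the hash was never seen before (expected, no signature existed yet), or the hash was already seen earlier with no Threat log entry (the case worth investigating, for example whether the WildFire dynamic update carrying the signature has actually been installed).

```python
"""Correlate WildFire Submissions log rows with Threat log rows.

Added example, not Palo Alto code. Column names and sample rows are
constructed; real PAN-OS CSV exports use their own headers.
"""
import csv
import io

# Constructed sample export of the WildFire Submissions log (not real data).
WILDFIRE_CSV = """receive_time,session_id,file_name,sha256,verdict,severity,action
2024-01-01 10:00:00,1001,invoice.exe,aaa111,malicious,high,allow
2024-01-01 10:05:00,1002,report.pdf,bbb222,benign,informational,allow
2024-01-02 09:00:00,1003,invoice.exe,aaa111,malicious,high,allow
2024-01-02 09:30:00,1004,dropper.bin,ccc333,malicious,high,allow
2024-01-03 08:00:00,1005,dropper.bin,ccc333,malicious,high,allow
"""

# Constructed sample export of the Threat log: only session 1003 was
# stopped by an antivirus signature (reset-both, as the profile is set).
THREAT_CSV = """receive_time,session_id,sha256,threat_name,action
2024-01-02 09:00:01,1003,aaa111,Virus/Win32.WGeneric.example,reset-both
"""

FIRST_SIGHTING = "first_sighting"          # expected: no signature existed yet
BLOCKED_BY_THREAT_LOG = "blocked_by_threat_log"  # Threat log shows the real action
REPEAT_NO_THREAT_LOG = "repeat_no_threat_log"    # investigate: seen before, not blocked


def parse(csv_text):
    """Parse a CSV export into a list of dict rows (header row gives keys)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify_submissions(wildfire_rows, threat_rows):
    """Return {session_id: bucket} for every malicious submission logged as allow.

    Rows are processed in receive_time order so that "seen before" means an
    earlier submission of the same hash, mirroring how a signature can only
    exist for a hash WildFire has already analysed.
    """
    threat_sessions = {row["session_id"] for row in threat_rows}
    seen_hashes = set()
    buckets = {}
    for row in sorted(wildfire_rows, key=lambda r: r["receive_time"]):
        digest = row["sha256"]
        if row["verdict"] == "malicious" and row["action"] == "allow":
            if row["session_id"] in threat_sessions:
                buckets[row["session_id"]] = BLOCKED_BY_THREAT_LOG
            elif digest in seen_hashes:
                buckets[row["session_id"]] = REPEAT_NO_THREAT_LOG
            else:
                buckets[row["session_id"]] = FIRST_SIGHTING
        seen_hashes.add(digest)
    return buckets


def summarize(buckets):
    """Count sessions per bucket so the investigate list stands out."""
    counts = {FIRST_SIGHTING: 0, BLOCKED_BY_THREAT_LOG: 0, REPEAT_NO_THREAT_LOG: 0}
    for bucket in buckets.values():
        counts[bucket] += 1
    return counts


if __name__ == "__main__":
    result = classify_submissions(parse(WILDFIRE_CSV), parse(THREAT_CSV))
    for session_id, bucket in sorted(result.items()):
        print(f"session {session_id}: {bucket}")
    print("summary:", summarize(result))
```

Sessions in the `repeat_no_threat_log` bucket are the ones to raise with support or check against the installed WildFire dynamic update version; `first_sighting` entries match the behaviour Tom describes and need no action beyond confirming the verdict arrived.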

Hi @reaper,

 

Thanks for your support. I've checked all the malicious files that were allowed and they were first seen at the same time of logs at wildfire submission.

 

But the new option of PANOS 8.0 "Action" is really misleading.

 

Regards,

Sharief


Hi All,

 

at least this is completely strange!?

 

If you review my WF submission, framed part definitely is not seen by WF cloud for the first time, right?

File has same name, same hash and it is marked as malicious?! 

Why is this file with high severity, marked as malicious, repeatedly allowed by PAN-OS 8.0?

 

p.s. Of course all my profiles, antivirus and antispyware, were tuned with reset-both action...

 

WF.png

L1 Bithead

Dear All,
I am reaching out to seek clarification regarding an issue we are encountering with the WildFire analysis profile in our Palo Alto firewall.

We have noticed that in certain cases, files marked with a "malicious" verdict and an "informational" severity are being blocked, as shown in the attached screenshot. Specifically, one of the files with an informational severity triggered a "block" action, which seems inconsistent with our configuration and expected behavior.

Our expectation is that only files with "high" or "critical" severity should trigger a "block" action. Could you please advise on why the block action is being applied to informational severity files and how we can adjust our settings to ensure appropriate actions are taken based on the severity level?

Thank you in advance for your assistance. We look forward to your guidance on this matter.

Thank you.