Wildfire

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Wildfire

L3 Networker

Hi I've a couple of question re wildfire.

1. I've configured my device to inspect .exe and .dll files and selected the aciton continue and forward under the file blocking policy. When I try to download a .exe im promoted with the message that the file has been blocked due to a company policy. There is no continue option. I've uploaded the default block continue code from my box and it appears the script is missing from the code?

2. How long does it take before entries are logged onto the Wildfire portal as of yet I can't see the file activty of my tests appear on the web portal?

Thanks

Rod

1 accepted solution

Accepted Solutions

L3 Networker

Hi djrobd,

I had the same problem. I had to reset the file block repsonse pages to default and it started working again. Device > Response pages > Click on Restore to Default on all the profiles type of pages you are using. After commit  and a few tries it started working.

I dont know how long it takes for the files to show up on wildfire if it has been forwarded. Its not minutes from what I can see so far. I will let you know if I find out.

Regards,

Sunil

View solution in original post

5 REPLIES 5

L3 Networker

Hi djrobd,

I had the same problem. I had to reset the file block repsonse pages to default and it started working again. Device > Response pages > Click on Restore to Default on all the profiles type of pages you are using. After commit  and a few tries it started working.

I dont know how long it takes for the files to show up on wildfire if it has been forwarded. Its not minutes from what I can see so far. I will let you know if I find out.

Regards,

Sunil

Hi

Thanks for the tip - it worked a treat.

I've tried to export the message to change the wording. however when I export the file it's just the original txt file with no script funciton (for continue). Do you have any ideas on how I can change the default text for the warning screen !!!

Thanks

Rod

Hi ,

Just checked again , its been under 15 mintues sisnce I activated it. There are loads of files showing up on my wildfire portal.

Regards,

Sunil

Its been over 1 hour now and I still can't see any file activity on the wildfire portal. more research needed I think.

Not applicable

Hello djrodb,

I think I have the answer for your question No 2.

You have to know (if you do not know) that PA firewall does not upload all .exe or .dll files to

the wildfire cloud (because of that you do not see them on the wildfire portal). This is how it works:

When users download .exe or .dll files, PA computes the hash of the file and send only computed hash

to the wildfire cloud. Then in the cloud, this hash is compared with the hash base which is maintained

by palaltonetworks. If the hash matches, then the verdict is known and file is not uploaded to the cloud,

if hash do not match then the file is uploaded and inspected and you can see the file on the portal.

So if the files do not appear on the portal this is probably because computed hash matches hash that is

in their base. If you want to test what I said you can try to download some custom built application, probably

computed hash will not be in their base and you will see file on the portal. I tried this, it works fine, you can see the

files on the portal in a minute.

Let me know if this was correct,

Vladimir

  • 1 accepted solution
  • 4563 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!