Advanced Wildfire Allowing High Severity Verdicts but blocking Informational

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Advanced Wildfire Allowing High Severity Verdicts but blocking Informational

L4 Transporter

Hi

 

I have Advanced Wildfire in our Lab env and have noticed something very odd, when the firewall is submitting any files to Wildfire if they are returning "informational" they are blocked, if they are returning Malicious and "High" the action is allow, this has also been confirmed by the fact that the samples of Malware are being blocked by the Windows defender running on the test desktop.

 

I have configured decryption and allowed the forwarding of decrypted traffic ( I assume that the submissions would not show if this was not working correctly ) and have confirmed that the traffic is running across the defined rule and that rule has the Wildfire and Anti-virus profiles that are set to reset everything, this is very strange behavior and I am hoping that it is an omission in my configuration somewhere.

 

Additionally this does not seem to matter if the session is http or http2

 

Any help would be greatly received as this has me scratching my head at the moment.

 

Thank you in advance,  

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants
1 REPLY 1

L4 Transporter

Hello @laurence64 - are you in a position to share your profile and policy configurations?

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks
  • 926 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!