Not understanding "WildFire: Automatically Detect and Prevent Unknown Threats"

First of all, I'm very impressed with Palo Alto's firewall; I'm definitely a "fan". However, we purchased a WildFire subscription under this premise:

WildFire™ simplifies an organization's response to the most dangerous threats, automatically detecting unknown malware and quickly preventing threats before an enterprise is compromised. Unlike legacy security solutions, WildFire quickly identifies and stops these advanced attacks without requiring manual human intervention or costly Incident Response (IR) services after the fact.

However, WildFire doesn't actually do this; it seems to do the exact opposite when it encounters an unknown file. When WildFire encounters a new file, it sends it to the WildFire cloud for analysis as well as allowing it through the firewall. I understand that our little PA-200 can't hold every file, wait for the analysis to come back from WildFire on whether the file is benign or malware, and THEN release the file to the network if it's benign; however, the advertisement for WildFire would lead you to believe it does just that, or something similar, to "prevent unknown threats." If we receive an unknown malicious doc file via email (which we usually do almost every day), it will be delivered to the user's inbox, and a couple of hours later I'll get a report that it was malicious. By then our users will have already opened the file, or accused the firewall of not working because they received it; regardless of the complaint, it's now on the network.

I have verified our firewall configuration with Palo Alto support several times and am assured it's functioning as intended. Can someone explain how this "automatically detects unknown malware and quickly prevents threats without requiring manual human intervention," as the sales page implies? WildFire detects threats several hours after the malware has landed on the network and does nothing to stop a user from launching it thereafter.

Thank you for your time. I am really trying to get a complete understanding of WildFire and not trying to "criticize" it, but it doesn't seem to be functioning as advertised.

Luke
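To make the gap Luke describes concrete, the following is an added Python model, not code from the original post or from Palo Alto Networks, of the two inline policies in question: forward-and-allow, which is what the post observes (the unknown file is allowed through while a copy is submitted, and the verdict only affects later copies), and hold-until-verdict, which is what the marketing text suggests. The gateway class, the sample byte strings standing in for attachments, and the verdict timing are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files" (byte strings), not real malware or real captures.
UNKNOWN_DOC = b"constructed: never-before-seen .doc attachment with a macro"
KNOWN_GOOD = b"constructed: ordinary benign attachment"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class SandboxGateway:
    """Hypothetical model of an inline gateway that consults a cloud sandbox.

    hold_unknown=False: forward-and-allow, as described in the post (the file
    passes inline while a copy is submitted; the verdict arrives later).
    hold_unknown=True:  hold-until-verdict, the behaviour the post wishes for.
    This is an illustrative model, not WildFire's actual implementation.
    """
    hold_unknown: bool = False
    verdicts: dict = field(default_factory=dict)   # sha256 -> "benign" | "malicious"
    pending: set = field(default_factory=set)      # submitted, verdict not yet returned
    delivered: list = field(default_factory=list)  # sha256 of every file handed to a user
    held: list = field(default_factory=list)       # sha256 of files parked pending a verdict

    def inline_decision(self, data: bytes) -> str:
        """Decision taken at the moment the file crosses the firewall."""
        h = sha256(data)
        verdict = self.verdicts.get(h)
        if verdict == "malicious":
            return "block"                      # known-bad: blocked like a signature hit
        if verdict == "benign":
            self.delivered.append(h)
            return "allow"
        # Unknown: submit for analysis...
        self.pending.add(h)
        if self.hold_unknown:
            self.held.append(h)
            return "hold"                       # ...and park it until the verdict
        self.delivered.append(h)
        return "allow"                          # ...but let it through right now

    def sandbox_verdict(self, data: bytes, verdict: str) -> list:
        """Verdict arrives later (hours, in the post). Returns the hashes of
        copies that had already been delivered before the verdict existed."""
        h = sha256(data)
        self.verdicts[h] = verdict
        self.pending.discard(h)
        if verdict == "benign":
            self.delivered.extend(x for x in self.held if x == h)  # release held copies
        self.held = [x for x in self.held if x != h]
        if verdict == "malicious":
            return [x for x in self.delivered if x == h]
        return []


def run_scenario(hold_unknown: bool) -> dict:
    """The sequence from the post: unknown file arrives, verdict comes back
    later, then the same file arrives again."""
    gw = SandboxGateway(hold_unknown=hold_unknown)
    first = gw.inline_decision(UNKNOWN_DOC)                 # unknown, first sighting
    leaked = gw.sandbox_verdict(UNKNOWN_DOC, "malicious")   # verdict hours later
    second = gw.inline_decision(UNKNOWN_DOC)                # same file, second sighting
    benign = gw.inline_decision(KNOWN_GOOD)                 # another unknown, still pending
    return {"first": first, "second": second,
            "already_delivered": len(leaked), "other_unknown": benign}


def compare() -> dict:
    return {
        "forward_and_allow": run_scenario(hold_unknown=False),
        "hold_until_verdict": run_scenario(hold_unknown=True),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

In the forward-and-allow run the first copy is delivered and the malicious verdict can only report that one copy already reached a user; the block applies from the second sighting onward. In the hold-until-verdict run nothing is delivered before the verdict, at the cost of delaying every unknown file, which is the trade-off the post points at.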

