Most everything is handled locally, with the exception of malware verdicts. Instead of leveraging signature files, the agent will check with WildFire via a SHA-256 hash. If the file is known, it will respond accordingly. If it is unknown, local analysis will score the file and make a temporary verdict. At the same time the file is uploaded and detonated in WildFire. After analysis, the file is known. This logic is the same logic that applied in the on-premise ESM.
Do you have connectivity challenges or are you trying to limit internet traffic?