03-06-2018 08:23 AM
Hi,
I am playing in the lab with WildFire and I would like to drop file downloads that are analyzed by WildFire as having a malicious verdict.
I have configured the following WildFire submission profile.
I created a WildFire profile (a copy of the default):
admin@PA-220# show
wildfire {
  rules {
    default {
      application any;
      file-type any;
      direction both;
      analysis public-cloud;
    }
  }
}
I also created an antivirus profile with an action of reset-both for WildFire:
"Antivirus - WildFire" {
  decoder {
    http {
      action reset-both;
      wildfire-action reset-both;
    }
    smtp {
      action default;
      wildfire-action alert;
    }
    imap {
      action default;
      wildfire-action alert;
    }
    pop3 {
      action default;
      wildfire-action alert;
    }
    ftp {
      action reset-both;
      wildfire-action reset-both;
    }
    smb {
      action default;
      wildfire-action alert;
    }
  }
}
I have created a security policy with these security profiles attached, but the malware test file from Palo Alto over HTTP is still going through.
"OUTBOUND ACCESS POLICY" {
  to UNTRUST;
  from TRUST;
  source any;
  destination any;
  source-user any;
  category any;
  application any;
  service any;
  hip-profiles any;
  action allow;
  profile-setting {
    profiles {
      url-filtering home-filter;
      virus "Antivirus - WildFire";
      spyware strict;
      vulnerability strict;
      wildfire-analysis wildfire;
    }
  }
}
The verdict is malicious, but the action is allowed.
Can somebody tell me what is misconfigured on my end?
Kind regards,
Frederik.
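An added configuration-audit example (not code from the thread's author or from Palo Alto Networks): it parses the brace-style `show` output quoted above, lists the antivirus decoders whose wildfire-action only alerts instead of stopping the transfer, and confirms the security rule attaches both the antivirus profile and a WildFire analysis profile. The set of blocking actions is an assumption, and the sample config is constructed from the thread.

```python
import re
import shlex

# Constructed sample: the antivirus profile and security rule from this thread,
# in the brace-style output of the PAN-OS "show" command.
CONFIG = '''
"Antivirus - WildFire" {
  decoder {
    http { action reset-both; wildfire-action reset-both; }
    smtp { action default; wildfire-action alert; }
    imap { action default; wildfire-action alert; }
    pop3 { action default; wildfire-action alert; }
    ftp { action reset-both; wildfire-action reset-both; }
    smb { action default; wildfire-action alert; }
  }
}
"OUTBOUND ACCESS POLICY" {
  to UNTRUST; from TRUST; action allow;
  profile-setting { profiles { virus "Antivirus - WildFire"; wildfire-analysis wildfire; } }
}
'''
# Assumption: these are the antivirus-profile actions that terminate the transfer.
BLOCKING = {"drop", "reset-client", "reset-server", "reset-both"}

def parse_panos(text):
    """Parse brace-style config into nested dicts: 'k v;' -> {k: v}, 'n { }' -> {n: {}}."""
    tokens = shlex.split(re.sub(r"([{};])", r" \1 ", text))  # quotes keep names whole
    return _block(tokens, 0)[0]

def _block(tokens, i):
    node = {}
    while i < len(tokens) and tokens[i] != "}":
        key = tokens[i]
        if tokens[i + 1] == "{":                      # nested block
            node[key], i = _block(tokens, i + 2)
        else:                                         # leaf: key value ... ;
            end = tokens.index(";", i)
            node[key], i = " ".join(tokens[i + 1:end]), end + 1
    return node, i + 1

def nonblocking_decoders(config, profile):
    """Decoders whose wildfire-action lets a file with a malicious verdict through."""
    decoders = config[profile]["decoder"]
    return {d: s.get("wildfire-action", "default")
            for d, s in decoders.items() if s.get("wildfire-action") not in BLOCKING}

def policy_uses_profile(config, rule, profile):
    """True only if the rule attaches this AV profile and a WildFire analysis profile."""
    profiles = config[rule].get("profile-setting", {}).get("profiles", {})
    return profiles.get("virus") == profile and "wildfire-analysis" in profiles
```

On the sample above, `nonblocking_decoders(parse_panos(CONFIG), "Antivirus - WildFire")` reports smtp, imap, pop3 and smb as alert-only, while the rule check passes, so a malicious verdict would only be enforced on HTTP and FTP transfers.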
03-06-2018 09:41 AM - edited 03-06-2018 09:41 AM
There are a couple of things that are incorrect.
The first thing is, you are assuming that a Malicious verdict from WildFire on a file means instantaneous Antivirus coverage. Once WildFire determines a sample is malicious, it sends it to PAN-AV, which generates a signature for the sample. This signature is then stacked, and is released every 5 minutes. You have to actually fetch the WildFire-Virus database to the firewall through Dynamic Updates for it to have the signature to detect files matching its pattern.
The second thing is, you are assuming WildFire would create an AV signature for the WildFire PE file, and that's not true. The WildFire PE file is only meant to test the WildFire forwarding (uploading the sample to WildFire) and receiving back a report from WildFire, but it does not send the WildFire PE file to PAN-AV, so a signature is never generated for it.
03-06-2018 10:20 AM
Hi Mivaldi,
Thanks for the update, that explains a lot 🙂