Antivirus profile question, wildfire action?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Antivirus profile question, wildfire action?

Not applicable

Hello,

Have a question about how to configure an antivirus profile. When try to define Decoders and actions can see a tab for "Wildfire Action" and that's where my confusion appear. what's the purpose of this tab? that implies that if I select block, all the files were be blocked? ? As far as I know wildfire is an "on the cloud" scanning system but in the documentation of panOS 6.0 I can see this:

it's possible that wildifre have an internal database to check the files without the need to send it to the cloud?

Thanks in advance.

Regards.

6 REPLIES 6

L7 Applicator

Hello Sir,

You can define different actions for standard antivirus signatures (Action column) and signatures generated by the WildFire system (WildFire Action column). This is applicable if you have a valid Wildfire license on your PAN firewall. Some environments may have requirements for a longer soak time for antivirus signatures, so this option enables the ability to set different actions for the two antivirus signature types provided by Palo Alto Networks. For example, the standard antivirus signatures go through a longer soak period before being released (24 hours), versus WildFire signatures, which can be generated and released within 15 minutes after a threat is detected. Because of this, you may want to choose the alert action on WildFire signatures instead of blocking.

Hope this helps.

Thanks

L4 Transporter

Hi

Hulk, could You tell us how to check in thread log is a WildFire signatures triggered for any kind of thread?

Regards

Slawek

Wildfire logs will be available under Monitor > Logs > wildfire only. ( not under threat logs).

Thanks

L4 Transporter

Hi Hulk

I'm a bit confused.

In Monitor>Logs I have "WildFire Submissions" log with just two entries from april. I hope thats because my users are not downloading a lot of malwares from internet.

One of them has details:

2014-05-08_101820.png

In my opinion this is log which collecting data about files that are not known by WildFire cloud and passed my device.

I'm looking for files that was blocked by my device o based on wildfire updates (which I gets every 15 minuts)

Regards

Slawek

We are also looking for something that shows traffic being blocked because of a WildFire update.  Has anyone found a way to get this type of report?  Trying to find a way to justify the purchase to management.

From my understanding, there is no way to figure out that traffic was blocked by antivirus signature or wildfire signature from threat log (especially "type" field. this will be 'virus' in both case).

Though I think you can figure out by looking at threat ID.

Please refer to following KB: Threat ID Ranges in the Palo Alto Networks Content Database

For example, if you hit any virus with TID is between 2000000 - 3000000, then this might be hit to antivirus signature. But if it is between 3000000 - 3100000, then this might be wildfire signature.

Isn't it?

  • 5984 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!