Antivirus profile question, wildfire action?


Not applicable

Hello,

I have a question about how to configure an antivirus profile. When I try to define Decoders and actions, I can see a tab for "Wildfire Action", and that's where my confusion appears. What's the purpose of this tab? Does that imply that if I select block, all the files will be blocked? As far as I know WildFire is an "on the cloud" scanning system, but in the documentation of PAN-OS 6.0 I can see this:

Is it possible that WildFire has an internal database to check the files without the need to send them to the cloud?

Thanks in advance.

Regards.

6 REPLIES

L7 Applicator

Hello Sir,

You can define different actions for standard antivirus signatures (Action column) and signatures generated by the WildFire system (WildFire Action column). This is applicable if you have a valid Wildfire license on your PAN firewall. Some environments may have requirements for a longer soak time for antivirus signatures, so this option enables the ability to set different actions for the two antivirus signature types provided by Palo Alto Networks. For example, the standard antivirus signatures go through a longer soak period before being released (24 hours), versus WildFire signatures, which can be generated and released within 15 minutes after a threat is detected. Because of this, you may want to choose the alert action on WildFire signatures instead of blocking.

Hope this helps.

Thanks

L4 Transporter

Hi

Hulk, could you tell us how to check in the threat log whether a WildFire signature was triggered for any kind of threat?

Regards

Slawek

WildFire logs will be available under Monitor > Logs > WildFire only (not under threat logs).

Thanks

L4 Transporter

Hi Hulk

I'm a bit confused.

In Monitor > Logs I have a "WildFire Submissions" log with just two entries from April. I hope that's because my users are not downloading a lot of malware from the internet.

One of them has details:

(screenshot attachment: 2014-05-08_101820.png)

In my opinion this is the log which collects data about files that are not known by the WildFire cloud and passed through my device.

I'm looking for files that were blocked by my device based on WildFire updates (which I get every 15 minutes).

Regards

Slawek

We are also looking for something that shows traffic being blocked because of a WildFire update. Has anyone found a way to get this type of report? Trying to find a way to justify the purchase to management.

From my understanding, there is no way to figure out from the threat log whether traffic was blocked by an antivirus signature or a WildFire signature (especially from the "type" field; this will be 'virus' in both cases).

Though I think you can figure it out by looking at the threat ID.

Please refer to the following KB: Threat ID Ranges in the Palo Alto Networks Content Database

For example, if you hit any virus with a TID between 2000000 and 3000000, then this might be a hit on an antivirus signature. But if it is between 3000000 and 3100000, then this might be a WildFire signature.

Isn't it?
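The threat-ID split described in the reply above is enough to build the "blocked by a WildFire update" report the earlier posters asked for. The script below is an added example, not from the thread or from Palo Alto Networks: it uses the ID boundaries exactly as quoted in the reply (verify them against the KB article before relying on them) and a constructed, simplified CSV export, not real PAN-OS log output.

```python
"""Split virus-type threat log hits into antivirus vs WildFire signature hits.

Added example. ID boundaries are the ones quoted in the reply above
(assumed half-open); the CSV layout is constructed, not PAN-OS's real format.
"""
import csv
import io
from collections import Counter

# Ranges as quoted in the reply: 2000000-3000000 antivirus, 3000000-3100000 WildFire.
ANTIVIRUS_RANGE = range(2_000_000, 3_000_000)
WILDFIRE_RANGE = range(3_000_000, 3_100_000)

# Constructed sample export: receive_time,type,threat_id,action,file
SAMPLE_LOG = """\
receive_time,type,threat_id,action,file
2014/05/08 10:18:20,virus,2543210,drop,invoice.exe
2014/05/08 10:19:02,virus,3012345,alert,setup.exe
2014/05/08 10:21:47,virus,3098765,drop,report.pdf
2014/05/08 10:25:11,vulnerability,31337,alert,-
"""


def classify_threat_id(tid: int) -> str:
    """Map a numeric threat ID to a signature family using the quoted ranges."""
    if tid in ANTIVIRUS_RANGE:
        return "antivirus"
    if tid in WILDFIRE_RANGE:
        return "wildfire"
    return "other"


def summarize(log_text: str) -> dict:
    """Count actions per signature family for rows whose type is 'virus'.

    Only 'virus' rows are considered because, as the reply notes, the 'type'
    field reads 'virus' for both antivirus and WildFire signature hits.
    Returns {family: Counter({action: count})}.
    """
    summary = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["type"] != "virus":
            continue
        family = classify_threat_id(int(row["threat_id"]))
        summary.setdefault(family, Counter())[row["action"]] += 1
    return summary


if __name__ == "__main__":
    for family, actions in summarize(SAMPLE_LOG).items():
        print(family, dict(actions))
```

Feed it a real threat log export (after adjusting the column names) and the `wildfire` row with the `drop` count is the number of blocks attributable to WildFire signatures.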
