For Prisma Access, this is usually included
with your Prisma Access license.
The following example scenario summarizes the
full Advanced WildFire™ lifecycle. In this example, a sales representative
from Palo Alto Networks downloads a new software sales tool that
a sales partner uploaded to Dropbox. The sales partner unknowingly
uploaded an infected version of the sales tool install file and
the sales rep then downloads the infected file.
will demonstrate how a Palo Alto Networks firewall in conjunction
with Advanced WildFire can discover zero-day malware downloaded
by an end user, even if the traffic is SSL encrypted. After Advanced
WildFire identifies the malware a log is sent to the firewall and
the firewall alerts the administrator who then contacts the user
to eradicate the malware. Advanced WildFire then generates a new
signature for the malware, after which firewalls automatically download
the signature to protect against future exposure. Although some
file sharing web sites have an antivirus feature that checks files
as they are uploaded, they can only protect against known malware.
example uses a web site that uses SSL encryption. In this case,
the firewall has decryption enabled, including the
option to forward decrypted content for analysis.
The sales person from the partner company uploads
a sales tool file named sales-tool.exe to his Dropbox account and then
sends an email to the Palo Alto Networks sales person with a link
to the file.
The Palo Alto sales person receives the email from the
sales partner and clicks the download link, which takes her to the
Dropbox site. She then clicks
save the file to her desktop.
The firewall that is protecting the Palo Alto sales rep
has a WildFire Analysis profile rule attached to a security policy
rule that will look for files in any application that is used to
download or upload any of the supported file types. The firewall
can also be configured to forward the email-link file type, which
enables the firewall to extract HTTP/HTTPS links contained in SMTP
and POP3 email messages. As soon as the sales rep clicks download,
the firewall forwards the sales-toole.exe file to Advanced WildFire,
where the file is analyzed for zero-day malware. Even though the
sales rep is using Dropbox, which is SSL encrypted, the firewall
is configured to decrypt traffic, so all traffic can be inspected. The
following screen shots show the WildFire Analysis profile rule,
the security policy rule configured with the WildFire analysis profile
rule attached, and the option to allow forwarding of decrypted content
At this point, Advanced WildFire has received the file
and is analyzing it for more than 200 different malicious behaviors.
After Advanced WildFire has completed the file analysis,
it sends an Advanced WildFire log back to the firewall with the
analysis results. In this example, the log shows that the file is
The firewall is configured with a log forwarding profile
that will send alerts to the security administrator when malware
The security administrator identifies the user by name
(if User-ID is configured), or by IP address if User-ID is not enabled.
At this point, the administrator can shut down the network or VPN
connection that the sales representative is using and will then
contact the desktop support group to work with the user to check
and clean the system.
By using the Advanced WildFire detailed analysis report,
the desktop support person can determine if the user system is infected
with malware by looking at the files, processes, and registry information
detailed in the Advanced WildFire analysis report. If the user runs
the malware, the support person can attempt to clean the system
manually or re-image it.
Now that the administrator has identified the malware
and the user system is being checked, how do you protect from future exposure?
Answer: In this example, the administrator set a schedule on the
firewall to download and install Advanced WildFire signatures every 15
minutes and to download and install Antivirus updates once per day.
In less than an hour and a half after the sales rep downloaded the infected
file, Advanced WildFire identified the zero-day malware, generated
a signature, added it to the Advanced WildFire update signature database
provided by Palo Alto Networks, and the firewall downloaded and
installed the new signature. This firewall and any other Palo Alto Networks
firewall configured to download Advanced WildFire and antivirus
signatures is now protected against this newly discovered malware. The
following screenshot shows the Advanced WildFire update schedule:
of this occurs well before most antivirus vendors are even aware
of the zero-day malware. In this example, within a very short period
of time, the malware is no longer considered zero-day because Palo
Alto Networks has already discovered it and has provided protection
to customers to prevent future exposure.