The basic WildFire service is included with the Palo Alto Networks next-generation firewall and does not require an Advanced WildFire or WildFire subscription. With the basic service, the firewall can forward portable executable (PE) files for analysis, but it receives Advanced WildFire signatures only through the antivirus and/or Threat Prevention content updates, which are made available every 24-48 hours.
Palo Alto Networks offers several subscription options:
- WildFire—The WildFire subscription provides protection from malware by forwarding samples to the Advanced WildFire cloud, where a series of analysis environments detect unknown malware threats and generate protections that block further instances of the threat. As part of your subscription, you get access to regular Advanced WildFire signature updates, advanced file type forwarding, and the ability to upload files using the WildFire API. If you are operating an environment that requires an on-prem solution, the WildFire subscription can be used to forward files to a local WildFire appliance.
- Advanced WildFire—(PAN-OS 10.0 and later) The Advanced WildFire subscription includes all of the features found in the standard WildFire subscription, and improves upon it by providing sample analysis through an advanced cloud-based detector. The advanced detection system analyzes samples using intelligent real-time runtime memory analysis, runtime DLL emulation, automated unpacking, family classification, stealth observation, and other techniques to target highly evasive malware.
- Standalone WildFire API—Palo Alto Networks customers operating SOAR tools, custom security applications, and other threat assessment software can access the advanced file analysis capabilities of the WildFire cloud with a standalone subscription that provides API-only access. This allows you to leverage WildFire-based analytics without relying on the Palo Alto Networks firewall as a forwarding mechanism. The WildFire Standalone API subscription allows you to make direct queries to the WildFire cloud threat database for information about potentially malicious content, and submit files for analysis using the advanced threat analysis capabilities of WildFire, based on your organization’s specific requirements. The enhanced access limits of the subscription allow organizations of various sizes to customize their access limits according to their usage - this includes scalable licenses that allow a specific number of file/report queries, sample submissions (for Advanced WildFire analysis), or a combination of the two. For more information, refer to the WildFire API Reference.
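The standalone API described above is typically used to check a file hash against the WildFire verdict database before deciding whether to submit the file itself. The following is an added example, not Palo Alto Networks code: it hashes a file, queries the public `/publicapi/get/verdict` endpoint, parses the XML reply, and maps the verdict code to a policy action. The endpoint path, the `apikey`/`hash` form fields and the verdict codes are taken from the public WildFire API as I know it and should be checked against the current WildFire API Reference; the sample response embedded in the block is constructed so the parser can be exercised offline.

```python
"""Look up a WildFire verdict for a file hash and map it to a policy action.

Added example (not Palo Alto Networks code). Endpoint path, form fields and
verdict codes follow the public WildFire API as understood here; verify them
against the WildFire API Reference before relying on them.
"""
import hashlib
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Public cloud host; a WildFire appliance exposes the same API on its own hostname.
WILDFIRE_HOST = "https://wildfire.paloaltonetworks.com"

# Verdict codes returned by /publicapi/get/verdict (assumed from the API reference).
VERDICTS = {
    0: "benign",
    1: "malware",
    2: "grayware",
    4: "phishing",
    5: "c2",
    -100: "pending",      # sample known, analysis not finished: re-query later
    -101: "error",
    -102: "unknown",      # hash never seen by WildFire: candidate for file submission
    -103: "invalid hash",
}

# Constructed sample reply, in the shape the verdict endpoint returns.
SAMPLE_RESPONSE = """<wildfire>
  <get-verdict-info>
    <sha256>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</sha256>
    <verdict>1</verdict>
    <md5>d41d8cd98f00b204e9800998ecf8427e</md5>
  </get-verdict-info>
</wildfire>"""


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest, the identifier WildFire keys verdicts on."""
    return hashlib.sha256(data).hexdigest()


def parse_verdict(xml_text: str) -> dict:
    """Extract sha256, numeric verdict and a human label from a verdict reply."""
    root = ET.fromstring(xml_text)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("no <get-verdict-info> element in response")
    code = int(info.findtext("verdict", default="-101"))
    return {
        "sha256": info.findtext("sha256", default="").lower(),
        "code": code,
        "label": VERDICTS.get(code, f"unrecognised ({code})"),
    }


def policy_action(code: int) -> str:
    """Turn a verdict code into an action; never treat pending/unknown as benign."""
    if code in (1, 4, 5):       # malware, phishing, C2
        return "block"
    if code == 2:               # grayware: log and let policy decide
        return "alert"
    if code == 0:
        return "allow"
    if code == -100:
        return "hold"           # analysis in progress, re-query before releasing
    return "unknown"            # -102 unknown hash, -101 error, -103 bad hash, anything else


def query_verdict(api_key: str, sha256: str, host: str = WILDFIRE_HOST,
                  timeout: int = 10) -> dict:
    """POST the hash to the verdict endpoint and verify the reply is for that hash."""
    body = urllib.parse.urlencode({"apikey": api_key, "hash": sha256}).encode()
    req = urllib.request.Request(f"{host}/publicapi/get/verdict", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:   # network call, not run in tests
        result = parse_verdict(resp.read().decode("utf-8"))
    if result["sha256"] != sha256.lower():
        raise ValueError(f"verdict is for {result['sha256']}, asked for {sha256}")
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; swap in query_verdict()
    # with a real API key to hit the service.
    verdict = parse_verdict(SAMPLE_RESPONSE)
    print(verdict, "->", policy_action(verdict["code"]))
```

A verdict lookup costs a query against the hash database rather than a sample submission, so it is the cheap first step: only hashes that come back as unknown (-102) need the file itself sent to `/publicapi/submit/file`, which is the call that consumes submission quota. The hash-mismatch check in `query_verdict` guards against acting on a reply for the wrong sample.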
The standard WildFire subscription unlocks the following features:
- Real-Time Updates—(PAN-OS 10.0 and later) The firewall can retrieve Advanced WildFire signatures for newly discovered malware as soon as the Advanced WildFire public cloud generates them. Signatures downloaded during a sample check are saved in the firewall cache and are available for fast (local) look-ups. In addition, to maximize coverage, the firewall also automatically downloads a signature package on a regular basis when real-time signatures are enabled. These supplemental signatures are added to the firewall cache and remain available until they become stale and are refreshed, or are overwritten by new signatures. Using real-time Advanced WildFire updates is a recommended best practice. Select Device > Dynamic Updates and enable the firewall to get the latest Advanced WildFire signatures in real time.
- Five-Minute Updates—(All PAN-OS versions) The Advanced WildFire public cloud can generate and distribute Advanced WildFire signatures for newly discovered malware every five minutes, and you can set the firewall to retrieve and install these signatures every minute (so the firewall gets the latest signatures within a minute of availability). If you are running PAN-OS 10.0 or later, it is a best practice to use real-time Advanced WildFire updates instead of scheduling recurring updates. Select Device > Dynamic Updates to enable the firewall to get the latest Advanced WildFire signatures. Depending on your Advanced WildFire deployment, you can set up one or both of the following signature package updates:
- WildFire—Get the latest signatures from the WildFire public cloud.
- WF-Private—Get the latest signatures from a WildFire appliance that is configured to locally generate signatures and URL categories.
- Advanced WildFire Inline ML—(PAN-OS 10.0 and later) Prevent malicious variants of portable executables, executable and linkable format (ELF) files, and PowerShell scripts from entering your network in real time using machine learning (ML) on the firewall dataplane. By utilizing Advanced WildFire cloud analysis technology on the firewall, Advanced WildFire Inline ML dynamically detects malicious files of a specific type by evaluating various file details, including decoder fields and patterns, to formulate a high-probability classification of a file. This protection extends to currently unknown as well as future variants of threats that match characteristics Palo Alto Networks has identified as malicious. Advanced WildFire Inline ML complements your existing Antivirus profile configuration. Additionally, you can specify file hash exceptions to exclude any false positives you encounter, which lets you create more granular rules in your profiles to support your specific security needs.
- File Type Support—In addition to PEs, forward advanced file types for Advanced WildFire analysis, including APKs, Flash files, PDFs, Microsoft Office files, Java Applets, Java files (.jar and .class), and HTTP/HTTPS email links contained in SMTP and POP3 email messages. (WildFire private cloud analysis does not support APK, Mac OS X, Linux (ELF), archive (RAR/7-Zip), and script (JS, BAT, VBS, Shell Script, PS1, and HTA) files).
- Advanced WildFire API—Access to the
- WildFire Private and Hybrid Cloud Support—Forward Files for Advanced WildFire Analysis. WildFire private cloud and WildFire hybrid cloud deployments both require the firewall to be able to submit samples to a WildFire appliance. Enabling a WildFire appliance requires only a support license.
If you have purchased an Advanced WildFire subscription, you must activate the license before you can take advantage of the subscription-only WildFire features.
The Advanced WildFire subscription unlocks the following feature:
- Intelligent Run-time Memory Analysis—Intelligent Run-time Memory Analysis is a cloud-based, advanced analysis engine that complements the static and dynamic analysis engines to detect and prevent evasive malware threats. The evasive techniques used by advanced threats include, but are not limited to, cloaking strategies, signs of bespoke design or ephemeral behavior, construction with sophisticated tooling, and fast-spreading qualities. By leveraging a cloud-based detection infrastructure, introspective analysis detectors operate a wide array of detection mechanisms that are updated and deployed automatically, without requiring the user to download content update packages or run resource-intensive, appliance-based analyzers. The cloud-based detection engines are continuously monitored and updated based on ML datasets built from analyzed Advanced WildFire samples, with additional support from Palo Alto Networks threat researchers, who provide human review for high-accuracy detection enhancements. Intelligent Run-time Memory Analysis relies on the existing WildFire analysis profile settings and does not require any additional configuration; however, you must have an active Advanced WildFire license. Samples that display or otherwise indicate evasive and/or advanced malware qualities are automatically forwarded to the appropriate analysis environments.