Configure the VM Interface on the WildFire Appliance
Where Can I Use
This?
What Do I Need?
WildFire Appliance
WildFire License
This section describes the steps required to
configure the VM interface on the WildFire appliance using the Option
1 configuration detailed in the Virtual
Machine Interface Example. After configuring the VM interface
using this option, you must also configure an interface on a Palo
Alto Networks firewall through which traffic from the VM interface
is routed as described in Connect
the Firewall to the WildFire Appliance VM Interface.
By
default, the VM interface has the following settings:
IP
Address: 192.168.2.1
Netmask: 255.255.255.0
Default Gateway: 192.168.2.254
DNS: 192.168.2.254
If you plan on enabling
this interface, configure it with the appropriate settings for your
network. If you do not plan on using this interface, leave the default
settings. Note that this interface must have network values configured
or a commit failure will occur.
Set the IP information for the VM interface on
the WildFire appliance. The following IPv4
values are used in this example, but the appliance also supports
IPv6 addresses:
IP address - 10.16.0.20/22
Subnet Mask - 255.255.252.0
Default Gateway - 10.16.0.1
DNS Server - 10.0.0.246
The VM interface
cannot be on the same network as the management interface (MGT).
Enter configuration mode:
admin@WF-500>
configure
Set the IP information for the VM interface:
admin@WF-500#
set
deviceconfig system vm-interface ip-address 10.16.0.20 netmask 255.255.252.0
default-gateway 10.16.0.1 dns-server 10.0.0.246
You
can only configure one DNS server on the VM interface. As a best
practice, use the DNS server from your ISP or an open DNS service.
Enable the VM interface.
Enable the VM interface:
admin@WF-500#
set
deviceconfig setting wildfire vm-network-enable yes
Commit the configuration:
admin@WF-500#
commit
Test connectivity of the VM interface.
Ping a system and specify the VM interface as the source.
For example, if the VM interface IP address is 10.16.0.20, run the
following command where
ip-or-hostname
is the
IP or hostname of a server/network that has ping enabled:
admin@WF-500>
ping
source 10.16.0.20 host ip-or-hostname
For
example:
admin@WF-500>
ping
source 10.16.0.20 host 10.16.0.1
(
Optional
) Send any malicious traffic that the
malware generates to the Internet. The Tor network masks your public
facing IP address, so the owners of the malicious site cannot determine
the source of the traffic.
Enable the Tor network:
admin@WF-500#
set
deviceconfig setting wildfire vm-network-use-tor
Commit the configuration:
admin@WF-500#
commit
(
Optional
) Verify that the Tor network connection
is active and healthy.
Issue the following CLI commands to search
for Tor event IDs in the appliance logs. A properly configured and
operational WildFire appliance should not generate any event IDs:
admin@WF-500(active-controller)>showlog system direction equal backward | match anonymous-network-unhealthy—
The
Tor service is down or otherwise non-operational. Consider restarting
your Tor service and verify that it is operating properly.
admin@WF-500(active-controller)>show log systemdirection equal backward | match anonymous-network-unavailable—
The Tor
service is operating normally but the WildFire appliance VM interface
is unable to establish a connection. Verify your network connections
and settings and re-test.
