Connect the Firewall to the WildFire Appliance VM Interface
The following example workflow describes how
to connect the VM interface to a port on a Palo Alto Networks firewall.
Before connecting the VM interface to the firewall, the firewall
must already have an Untrust zone connected to the Internet. In
this example, you configure a new zone named wf-vm-zone that will
contain the interface used to connect the VM interface on the appliance
to the firewall. The policy associated with the wf-vm-zone will
only allow communication from the VM interface to the Untrust zone.
Configure the interface on the firewall that the
VM interface will connect to and set the virtual router.
The wf-vm-zone should contain only the interface
(ethernet1/3 in this example) used to connect the VM interface on
the appliance to the firewall. This prevents any traffic generated
by the malware from reaching other networks.
From the web interface on the firewall,
then select an interface, for example
tab, from the
drop-down box, select
In the Zone dialog
enter wf-vm-zone and click
To assign an IP address to the interface, select the
in the IP section, and enter the
IP address and network mask to assign to the interface, for example
10.16.0.0/22 (IPv4) or 2001:db8:123:1::1/64 (IPv6).
To save the interface configuration, click
Create a security policy on the firewall to allow access
from the VM interface to the Internet and block all incoming traffic.
In this example, the policy name is WildFire VM Interface. Because
you will not create a security policy from the Untrust zone to the
wf-vm-zone, all inbound traffic is blocked by default.
tab, enter a
tab, set the
tabs, leave the default as
tab, set the
, select the
at Session End
If there is a risk that someone might inadvertently
add other interfaces to the wf-vm-zone, clone the WildFire VM Interface
security policy and then in the
for the cloned rule, select
. Make sure
this new security policy is listed below the WildFire VM Interface policy.
This overrides the implicit intrazone allow rule, which permits
communication between interfaces in the same zone, and denies all
intrazone traffic.
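As an added example that is not part of the original page, the following Python check audits a trimmed, constructed excerpt in the shape of a PAN-OS running-config export for the isolation properties this workflow sets up: wf-vm-zone holds exactly one interface, no rule allows traffic from Untrust into it, and an explicit intrazone deny rule sits below the outbound allow rule. The XML layout, zone names and rule names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real device export): zone and security rulebase only.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<zone>
  <entry name="Untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  <entry name="wf-vm-zone"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
</zone>
<rulebase><security><rules>
  <entry name="WildFire VM Interface"><from><member>wf-vm-zone</member></from>
    <to><member>Untrust</member></to><action>allow</action></entry>
  <entry name="WildFire VM Interface-1"><from><member>wf-vm-zone</member></from>
    <to><member>wf-vm-zone</member></to><action>deny</action></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def audit_wf_vm_zone(config_xml, zone="wf-vm-zone", untrust="Untrust"):
    """Return a list of findings; an empty list means the isolation checks passed."""
    root = ET.fromstring(config_xml)
    findings = []
    vsys = root.find("./devices/entry/vsys/entry")

    # 1. The isolation zone must contain exactly one interface.
    zone_entry = vsys.find(f"./zone/entry[@name='{zone}']")
    members = [m.text for m in zone_entry.findall("./network//member")] if zone_entry is not None else []
    if len(members) != 1:
        findings.append(f"{zone} should hold exactly one interface, has {members}")

    # 2. Walk the rulebase in order: no inbound allow, and an intrazone deny below the outbound allow.
    rules = vsys.findall("./rulebase/security/rules/entry")
    allow_pos = deny_pos = None
    for pos, rule in enumerate(rules):
        srcs = [m.text for m in rule.findall("./from/member")]
        dsts = [m.text for m in rule.findall("./to/member")]
        action = rule.findtext("action")
        if (untrust in srcs or "any" in srcs) and (zone in dsts or "any" in dsts) and action == "allow":
            findings.append(f"rule '{rule.get('name')}' allows inbound traffic into {zone}")
        if zone in srcs and untrust in dsts and action == "allow" and allow_pos is None:
            allow_pos = pos
        if srcs == [zone] and dsts == [zone] and action == "deny" and deny_pos is None:
            deny_pos = pos
    if deny_pos is None:
        findings.append(f"no explicit intrazone deny for {zone}; implicit intrazone allow applies")
    elif allow_pos is not None and deny_pos < allow_pos:
        findings.append("intrazone deny rule is ordered above the outbound allow rule")
    return findings


if __name__ == "__main__":
    print(audit_wf_vm_zone(SAMPLE_CONFIG) or "isolation checks passed")
```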
Connect the cables.
Physically connect the VM interface on the WildFire appliance
to the port you configured on the firewall (ethernet1/3 in this
example) using a straight-through RJ-45 cable. The VM interface