settings on the WildFire appliance. You can configure forwarding
of malicious files, define the cloud server that receives malware-infected
files, and enable or disable the vm-interface.
Select the virtual machine environment that WildFire will use for
sample analysis. Each VM has a different configuration, such as
Windows XP, a specific version of Flash, Adobe Reader, etc. To
view which VM is selected, run the following command:
show wildfire status
and view the Selected VM field. To view the VM environment information,
run the following command:
show wildfire vm-images
— Hostname for the cloud server that
the appliance will forward malicious samples/reports to for re-analysis.
The default cloud server is wildfire-public-cloud. To configure
forwarding, use the following command:
set deviceconfig setting wildfire cloud-intelligence
— Configure a custom DNS name to
use in server certificates and the WildFire server list instead
of the default DNS name.
— Allocate the majority
of the resources to document analysis or to executable analysis,
depending on the type of samples most often analyzed in your environment.
The default allocation balances resources between document and executable
samples. For example, to allocate the majority of the analysis resources
to document analysis:
set deviceconfig setting wildfire preferred-analysis-environment Documents
— Enable or disable the vm-network.
When enabled, sample files running in the virtual machine sandbox
can access the Internet. This helps WildFire better analyze the
behavior of the malware and look for things like phone-home activity.
— Enable or disable the Tor network
for the vm-interface. When this option is enabled, any malicious
traffic coming from the sandbox systems on the WildFire appliance
during sample analysis is sent through the Tor network. The Tor
network masks your public-facing IP address, so the owners of
the malicious site cannot determine the source of the traffic.
— Configure the appliance to submit
WildFire diagnostics, reports or samples to the Palo Alto Networks
WildFire cloud, or to automatically query the public WildFire cloud
before performing local analysis to conserve WildFire appliance resources.
The submit-report option sends reports for malicious samples to
the cloud for statistical gathering. The submit-sample option sends
malicious samples to the cloud. If submit-sample is enabled, you don't
need to enable submit-report, because the cloud re-analyzes the sample
and a new report and signature are generated if the sample is malicious.
— Configure how long to save malicious
(malware and phishing) samples and non-malicious (grayware and benign)
samples. The default for malicious samples is indefinite (never
delete). The default for non-malicious samples is 14 days. For example,
to retain non-malicious samples for 30 days:
set deviceconfig setting wildfire file-retention non-malicious 30
— Enable the appliance to generate
signatures locally, eliminating the need to send any data to the
public cloud in order to block malicious content. The WildFire appliance
will analyze files forwarded to it from Palo Alto Networks firewalls
or from the WildFire API and generate antivirus and DNS signatures
that block both the malicious files as well as associated command
and control traffic. When the appliance detects a malicious URL,
it sends the URL to PAN-DB and PAN-DB assigns it the malware category.
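The settings above interact: vm-network without Tor exposes your public-facing IP to the sites the sandbox contacts, submit-report is redundant once submit-sample is on, and an appliance that neither submits to the cloud nor generates signatures locally produces no protection at all. The following audit script is an added example, not Palo Alto Networks code: it takes a snapshot of these settings and reports policy violations, emitting a remediation command only where the text above shows one. The field names on the dataclass and the policy thresholds (30-day non-malicious retention, indefinite malicious retention, an optional air-gapped mode) are assumptions chosen for the example, not the appliance's own CLI keywords or defaults.

```python
"""Audit a WildFire appliance settings snapshot against a local policy.

Added example; the field names below are hypothetical labels for the
settings described in the text, not the appliance's CLI keywords.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class WildFireSettings:
    vm_network_enabled: bool            # sandbox VMs may reach the Internet
    vm_network_use_tor: bool            # sandbox egress is routed via Tor
    submit_sample: bool                 # forward malicious samples to the cloud
    submit_report: bool                 # forward reports to the cloud
    non_malicious_retention_days: int   # grayware/benign retention (default 14)
    malicious_retention_indefinite: bool  # malware/phishing kept forever (default)
    signature_generation: bool          # generate AV/DNS signatures locally


@dataclass(frozen=True)
class Finding:
    severity: str                       # "high", "medium" or "info"
    message: str
    remediation: Optional[str] = None   # CLI command, only where the text gives one


def audit(s: WildFireSettings, *, non_malicious_days: int = 30,
          air_gapped: bool = False) -> List[Finding]:
    """Return policy findings for one settings snapshot.

    non_malicious_days: required retention for non-malicious samples (policy
    value chosen for this example). air_gapped: when True, no data may leave
    the appliance for the public WildFire cloud.
    """
    findings: List[Finding] = []

    # Internet-enabled sandbox without Tor: traffic to the malicious site is
    # sourced from the appliance's public-facing IP and can be attributed.
    if s.vm_network_enabled and not s.vm_network_use_tor:
        findings.append(Finding("high",
            "vm-network is enabled without Tor; sandbox traffic leaves from "
            "your public-facing IP and site owners can identify the source"))
    if not s.vm_network_enabled:
        findings.append(Finding("info",
            "vm-network is disabled; phone-home behaviour will not be observed"))

    # The cloud re-analyzes submitted samples and produces its own report,
    # so submit-report adds nothing once submit-sample is on.
    if s.submit_sample and s.submit_report:
        findings.append(Finding("info",
            "submit-report is redundant while submit-sample is enabled"))

    if air_gapped and (s.submit_sample or s.submit_report):
        findings.append(Finding("high",
            "policy forbids cloud submission but submit-sample or "
            "submit-report is enabled"))
    if air_gapped and not s.signature_generation:
        findings.append(Finding("high",
            "no cloud submission and no local signature generation; nothing "
            "will produce signatures that block malicious content"))

    # Retention: the text shows the command for the non-malicious class.
    if s.non_malicious_retention_days != non_malicious_days:
        findings.append(Finding("medium",
            f"non-malicious retention is {s.non_malicious_retention_days} "
            f"days; policy requires {non_malicious_days}",
            remediation="set deviceconfig setting wildfire file-retention "
                        f"non-malicious {non_malicious_days}"))
    if not s.malicious_retention_indefinite:
        findings.append(Finding("medium",
            "malicious samples are not retained indefinitely; evidence for "
            "later investigation may be lost"))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """Collect the CLI commands an operator would paste into configure mode."""
    return [f.remediation for f in findings if f.remediation]


if __name__ == "__main__":
    # Constructed snapshot: Internet-enabled sandbox, no Tor, both cloud
    # submissions on, factory 14-day non-malicious retention.
    snapshot = WildFireSettings(True, False, True, True, 14, True, False)
    for f in audit(snapshot):
        print(f"[{f.severity}] {f.message}")
    for cmd in remediation_commands(audit(snapshot)):
        print("  remediate:", cmd)
```

The air-gapped mode is the interesting corner: local signature generation is what lets an appliance block malicious content without sending anything to the public cloud, so an appliance with both cloud submission and signature generation off is a configuration gap rather than a hardening win.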
The following shows an example
output of the WildFire settings.