Forward Files for Advanced WildFire Analysis
Focus
Focus
Advanced WildFire

Forward Files for Advanced WildFire Analysis

Table of Contents

Forward Files for Advanced WildFire Analysis

Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series
  • Advanced WildFire License
    For
    Prisma Access
    , this is usually included with your
    Prisma Access
    license.
Configure Palo Alto Networks firewalls to forward unknown files or email links and blocked files that match existing antivirus signatures for analysis. Use the
WildFire Analysis
profile to define files to forward to one of the Advanced WildFire public cloud options and then attach the profile to a security rule to trigger inspection for zero-day malware.
Specify traffic to be forwarded for analysis based on the application in use, the file type detected, links contained in email messages, or the transmission direction of the sample (upload, download, or both). For example, you can set up the firewall to forward Portable Executables (PEs) or any files that users attempt to download during a web-browsing session. In addition to unknown samples, the firewall forwards blocked files that match existing antivirus signatures. This provides Palo Alto Networks a valuable source of threat intelligence based on malware variants that signatures successfully prevented but has not been seen before.
If you are using a WildFire appliance to host a WildFire private cloud, you can extend WildFire analysis resources to a WildFire hybrid cloud, by configuring the firewall to continue to forward sensitive files to your WildFire private cloud for local analysis, and forward less sensitive or unsupported file types to the WildFire public cloud. For more information about using and configuring the WildFire appliance, refer to the WildFire Appliance Administration.
Before you begin:
  • If a firewall resides between the firewall you are configuring to forward files and the Advanced WildFire cloud, make sure that the firewall in the middle allows the following ports:
    Port
    Usage
    443
    Registration, PCAP Downloads, Sample Downloads, Report Retrieval, File Submission, PDF Report Downloads
    10443
    Dynamic Updates

Cloud Management

If you’re using Panorama to manage
Prisma Access
:
Toggle over to the
PAN-OS
tab and follow the guidance there.
If you’re using
Prisma Access
Cloud Management, continue here.
  1. Specify the Advanced WildFire cloud to which you want to forward samples.
    Select
    Manage
    Configuration
    NGFW and
    Prisma Access
    Security Services
    WildFire and Antivirus
    General Settings
    and edit the General Settings based on your WildFire cloud deployment (public, government, private, or hybrid).
    The WildFire U.S. Government Cloud is only available to U.S. Federal agencies as an optional analysis environment.
    Add the
    WildFire Cloud
    URL for the cloud environment to forward samples to for analysis.
    Advanced WildFire Public Cloud options:
    1. Enter the
      WildFire Public Cloud
      URL:
      • United States:
        wildfire.paloaltonetworks.com
      • Europe:
        eu.wildfire.paloaltonetworks.com
      • Japan:
        jp.wildfire.paloaltonetworks.com
      • Singapore:
        sg.wildfire.paloaltonetworks.com
      • United Kingdom:
        uk.wildfire.paloaltonetworks.com
      • Canada:
        ca.wildfire.paloaltonetworks.com
      • Australia:
        au.wildfire.paloaltonetworks.com
      • Germany:
        de.wildfire.paloaltonetworks.com
      • India:
        in.wildfire.paloaltonetworks.com
      • Switzerland:
        ch.wildfire.paloaltonetworks.com
      • Poland:
        pl.wildfire.paloaltonetworks.com
      • Indonesia:
        id.wildfire.paloaltonetworks.com
      • Taiwan:
        tw.wildfire.paloaltonetworks.com
      • France:
        fr.wildfire.paloaltonetworks.com
      • Qatar:
        qatar.wildfire.paloaltonetworks.com
      • South Korea:
        kr.wildfire.paloaltonetworks.com
    2. Make sure the
      WildFire Private Cloud
      field is clear.
    WildFire U.S. Government Cloud:
    1. Enter the
      WildFire U.S. Government Cloud
      URL: wildfire.gov.paloaltonetworks.com
    2. Make sure the
      WildFire Private Cloud
      field is clear.
  2. Enable
    Prisma Access
    to forward decrypted SSL traffic for Advanced WildFire analysis by selecting
    Allow Forwarding of Decrypted Content
    . Decrypted traffic is evaluated against security policy rules; if it matches the WildFire analysis profile attached to the security rule, the decrypted traffic is forwarded for analysis before it is re-encrypted.
    Forwarding decrypted SSL traffic for analysis is an Advanced WildFire Best Practice.
  3. Define the size limits for samples the
    Prisma Access
    forwards for analysis.
    It is a Advanced WildFire Best Practice to set the file forwarding values to the default setting.
  4. Configure submission log settings.
    1. Select
      Report Benign Files
      to allow logging for files that receive a verdict of benign.
    2. Select
      Report Grayware Files
      to allow logging for files that receive a verdict of grayware.
  5. When finished,
    Save
    your changes.
  6. Define traffic to forward for analysis.
    1. Select
      Manage
      Configuration
      NGFW and
      Prisma Access
      Security Services
      WildFire and Antivirus
      , and then
      Add Profile
      . Provide a
      Name
      and
      Description
      for the profile.
    2. Add Rule
      to define traffic to be forwarded for analysis and give the rule a descriptive
      Name
      , such as local-PDF-analysis.
    3. Define the profile rule to match to unknown traffic and to forward samples for analysis based on:
      • Direction of Traffic
        —Forward files for analysis based the transmission direction of the file (
        Upload
        ,
        Download
        , or
        Upload and Download
        ). For example, select
        Upload and Download
        to forward all unknown PDFs for analysis, regardless of the transmission direction.
      • Applications
        —Forward files for analysis based on the application in use.
      • File Types
        —Forward files for analysis based on file types, including links contained in email messages. For example, select
        PDF
        to forward unknown PDFs detected by the firewall for analysis.
      • Select the destination for traffic to be forwarded for Analysis.
        • Select
          Public Cloud
          so that all traffic matched to the rule is forwarded to the Advanced WildFire public cloud for analysis.
        • Select
          Private Cloud
          so that all traffic matched to the rule is forwarded to the WildFire appliance for analysis.
        • Save
          the WildFire analysis forwarding rule when finished.
    4. Save
      the WildFire and Antivirus security profile.
  7. Traffic allowed by the security policy rule is evaluated against the attached WildFire analysis profile;
    Prisma Access
    forwards traffic matched to the profile for WildFire analysis.
  8. Choose what to do next...

PAN-OS & Panorama

  1. (
    PA-7000 Series Firewalls Only
    ) To enable a PA-7000 Series firewall to forward samples for analysis, you must first configure a data port on an NPC as a Log Card interface. If you have a PA-7000 series appliance equipped with an LFC (log forwarding card), you must configure a port used by the LFC. When configured, the log card port or the LFC interface takes precedence over the management port when forwarding samples.
  2. Specify the Advanced WildFire Deployments to which you want to forward samples.
    Select
    Device
    Setup
    WildFire
    and edit the General Settings based on your WildFire cloud deployment (public, government, private, or hybrid).
    The WildFire U.S. Government Cloud is only available to U.S. Federal agencies as an optional analysis environment.
    Advanced WildFire Public Cloud:
    1. Enter the
      WildFire Public Cloud
      URL:
      • United States:
        wildfire.paloaltonetworks.com
      • Europe:
        eu.wildfire.paloaltonetworks.com
      • Japan:
        jp.wildfire.paloaltonetworks.com
      • Singapore:
        sg.wildfire.paloaltonetworks.com
      • United Kingdom:
        uk.wildfire.paloaltonetworks.com
      • Canada:
        ca.wildfire.paloaltonetworks.com
      • Australia:
        au.wildfire.paloaltonetworks.com
      • Germany:
        de.wildfire.paloaltonetworks.com
      • India:
        in.wildfire.paloaltonetworks.com
      • Switzerland:
        ch.wildfire.paloaltonetworks.com
      • Poland:
        pl.wildfire.paloaltonetworks.com
      • Indonesia:
        id.wildfire.paloaltonetworks.com
      • Taiwan:
        tw.wildfire.paloaltonetworks.com
      • France:
        fr.wildfire.paloaltonetworks.com
      • Qatar:
        qatar.wildfire.paloaltonetworks.com
      • South Korea:
        kr.wildfire.paloaltonetworks.com
    2. Make sure the
      WildFire Private Cloud
      field is clear.
    WildFire U.S. Government Cloud:
    1. Enter the
      WildFire U.S. Government Cloud
      URL: wildfire.gov.paloaltonetworks.com
    2. Make sure the
      WildFire Private Cloud
      field is clear.
  3. Define the size limits for files the firewall forwards and configure logging and reporting settings.
    Continue editing General Settings (
    Device
    Setup
    WildFire
    ).
    • Review the
      File Size Limits
      for files forwarded from the firewall.
      It is a Advanced WildFire Best Practices to set the
      File Size
      for PEs to the maximum size limit of 10 MB, and to leave the
      File Size
      for all other file types set to the default value.
    • Select
      Report Benign Files
      to allow logging for files that receive a verdict of benign.
    • Select
      Report Grayware Files
      to allow logging for files that receive a verdict of grayware.
    • Define what session information is recorded in WildFire analysis reports by editing the Session Information Settings. By default, all session information is displayed in WildFire analysis reports. Clear the check boxes to remove the corresponding fields from WildFire analysis reports and click
      OK
      to save the settings.
  4. (
    Panorama Only
    ) Configure Panorama to gather additional information about samples collected from firewalls running a PAN-OS version prior to PAN-OS 7.0.
    Some WildFire Submissions log fields introduced in PAN-OS 7.0 are not populated for samples submitted by firewalls running earlier software versions. If you are using Panorama to manage firewalls running software versions earlier than PAN-OS 7.0, Panorama can communicate with WildFire to gather complete analysis information for samples submitted by those firewalls from the defined
    WildFire Server
    (the WildFire global cloud, by default) to complete the log details.
    Select
    Panorama
    Setup
    WildFire
    and enter a
    WildFire Server
    if you’d like to modify the default setting to instead allow Panorama to gather details from the specified WildFire cloud or from a WildFire appliance.
  5. Define traffic to forward for analysis.
    1. Select
      Objects
      Security Profiles
      WildFire Analysis
      ,
      Add
      a new WildFire analysis profile, and give the profile a descriptive
      Name
      .
    2. Add
      a profile rule to define traffic to be forwarded for analysis and give the rule a descriptive
      Name
      , such as local-PDF-analysis.
    3. Define the profile rule to match to unknown traffic and to forward samples for analysis based on:
      • Applications
        —Forward files for analysis based on the application in use.
      • File Types
        —Forward files for analysis based on file types, including links contained in email messages. For example, select
        PDF
        to forward unknown PDFs detected by the firewall for analysis.
      • Direction
        —Forward files for analysis based the transmission direction of the file (upload, download, or both). For example, select
        both
        to forward all unknown PDFs for analysis, regardless of the transmission direction.
    4. Click
      OK
      to save the WildFire analysis profile.
  6. Attach the WildFire Analysis profile to a security policy rule.
    Traffic allowed by the security policy rule is evaluated against the attached WildFire analysis profile; the firewalls forwards traffic matched to the profile for WildFire analysis.
    1. Select
      Policies
      Security
      and
      Add
      or modify a policy rule.
    2. Click the
      Actions
      tab within the policy rule.
    3. In the Profile Settings section, select
      Profiles
      as the
      Profile Type
      and select a
      WildFire Analysis
      profile to attach to the policy rule
  7. Review and implement Advanced WildFire Best Practices.
  8. Click
    Commit
    to apply the updated settings.
  9. (Optional)
    Install a Device Certificate to update to the latest version of the certificate used by the firewall to communicate with Palo Alto Networks cloud services.
  10. Choose what to do next...

Recommended For You