| Where Can I Use
This? | What Do I Need? |
|---|
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama) VM-Series CN-Series
|
Advanced WildFire License For Prisma Access, this is usually included with
your Prisma Access license.
|
Configure Palo Alto Networks firewalls to forward
unknown files or email links and blocked files that match existing
antivirus signatures for analysis. Use the WildFire Analysis profile
to define files to forward to one of the Advanced WildFire public
cloud options and then attach the profile to a security rule to
trigger inspection for zero-day malware.
Specify traffic to
be forwarded for analysis based on the application in use, the file
type detected, links contained in email messages, or the transmission
direction of the sample (upload, download, or both). For example,
you can set up the firewall to forward Portable Executables (PEs)
or any files that users attempt to download during a web-browsing
session. In addition to unknown samples, the firewall forwards blocked
files that match existing antivirus signatures. This provides Palo
Alto Networks a valuable source of threat intelligence based on
malware variants that signatures successfully prevented but has
not been seen before.
If you are using a WildFire appliance
to host a WildFire private cloud, you can extend WildFire analysis
resources to a
WildFire hybrid cloud,
by configuring the firewall to continue to forward sensitive files
to your WildFire private cloud for local analysis, and forward less
sensitive or unsupported file types to the WildFire public cloud.
For more information about using and configuring the WildFire appliance,
refer to the
WildFire Appliance Administration.
Before
you begin:
Forward Files for Advanced WildFire Analysis (Cloud Management)
If you’re using Panorama to manage Prisma Access:
Toggle over to the PAN-OS tab
and follow the guidance there.
If you’re using Prisma Access Cloud Management, continue here.
Review the Advanced WildFire cloud
to which you forward samples to.
Select and edit the General Settings based on your WildFire cloud
deployment (public, government, private, or hybrid).
The WildFire U.S. Government Cloud is only available to U.S. Federal
agencies as an optional analysis environment.
Add the WildFire Cloud URL for the cloud environment
to forward samples to for analysis.
Advanced WildFire Public Cloud options:
The regional WildFire cloud location for sample processing might differ
from their respective Prisma Access Compute location. For more details
on how the Prisma Access Compute locations maps to the WildFire public
cloud, refer to:
Prisma Access Privacy
Datasheet.
Enter the
WildFire Public Cloud URL:
United States:
wildfire.paloaltonetworks.com
Europe:
eu.wildfire.paloaltonetworks.com
Japan:
jp.wildfire.paloaltonetworks.com
Singapore:
sg.wildfire.paloaltonetworks.com
United Kingdom:
uk.wildfire.paloaltonetworks.com
Canada:
ca.wildfire.paloaltonetworks.com
Australia:
au.wildfire.paloaltonetworks.com
Germany:
de.wildfire.paloaltonetworks.com
India:
in.wildfire.paloaltonetworks.com
Switzerland:
ch.wildfire.paloaltonetworks.com
Poland:
pl.wildfire.paloaltonetworks.com
Indonesia:
id.wildfire.paloaltonetworks.com
Taiwan:
tw.wildfire.paloaltonetworks.com
France:
fr.wildfire.paloaltonetworks.com
Qatar:
qatar.wildfire.paloaltonetworks.com
South Korea:
kr.wildfire.paloaltonetworks.com
South Africa:
za.wildfire.paloaltonetworks.com
Israel:
il.wildfire.paloaltonetworks.com
Saudi Arabia:
sa.wildfire.paloaltonetworks.com
Italy:
it.wildfire.paloaltonetworks.com
Spain:
es.wildfire.paloaltonetworks.com
Brazil:
br.wildfire.paloaltonetworks.com
Make sure the
WildFire Private Cloud field is
clear.
WildFire FedRAMP Cloud options:
Enter the
WildFire FedRAMP Cloud URL:
U.S. Government Cloud:
wildfire.gov.paloaltonetworks.com
Advanced WildFire Government Cloud:
gov-cloud.wildfire.paloaltonetworks.com
Advanced WildFire Public Sector Cloud:
pubsec-cloud.wildfire.paloaltonetworks.com
Make sure the
WildFire Private Cloud field is
clear.
Enable
Prisma Access to forward decrypted SSL traffic for Advanced WildFire
analysis by selecting
Allow Forwarding of Decrypted
Content. Decrypted traffic is evaluated against security policy
rules; if it matches the WildFire analysis profile attached to the security
rule, the decrypted traffic is forwarded for analysis before it is
re-encrypted.
Forwarding decrypted SSL traffic for analysis is an Advanced WildFire
Best Practice.
Define the size limits for samples
that
Prisma Access forwards for analysis.
Configure submission log settings.
Select
Report Benign Files to
allow logging for files that receive a verdict of benign.
Select
Report Grayware Files to
allow logging for files that receive a verdict of grayware.
When finished,
Save your changes.
Define
traffic to forward for analysis.
Select , and then
Add Profile. Provide a
Name and
Description
for the profile.
Add Rule to define traffic
to be forwarded for analysis and give the rule a descriptive
Name,
such as local-PDF-analysis.
Define the profile rule to match to unknown traffic
and to forward samples for analysis based on:
Direction of Traffic—Forward
files for analysis based the transmission direction of the file
(Upload, Download,
or Upload and Download). For example, select Upload
and Download to forward all unknown PDFs for analysis,
regardless of the transmission direction.
Applications—Forward files for analysis
based on the application in use.
File Types—Forward files for analysis
based on file types, including links contained in email messages.
For example, select PDF to forward unknown
PDFs detected by the firewall for analysis.
Select the destination for traffic to be forwarded for Analysis.
Select Public Cloud so that all traffic
matched to the rule is forwarded to the Advanced WildFire public
cloud for analysis.
Select Private Cloud so that all traffic
matched to the rule is forwarded to the WildFire appliance for analysis.
Save the WildFire analysis forwarding
rule when finished.
Save the WildFire and Antivirus
security profile.
(
Optional) Enable MacOS (Dynamic Analysis) forwarding support. The
file size limits as well as any forwarding profile rules are inherited from the
file type
MacOSX.
Select .
Enable Mac OS file forwarding for Dynamic
Analysis and select the Preferred
Region, whereby suspicious MacOS samples are sent
for MacOS dynamic analysis.
MacOS dynamic analysis forwarding support is available only in
select WildFire cloud regions. If your configured WildFire
public cloud region does not support MacOS dynamic
analysis, the sample is temporarily sent to the region
designated for MacOS dynamic analysis, during which the file is
analyzed and subsequently deleted. The sample analysis results
are then sent to your configured WildFire public cloud region
for access.
The following WildFire public cloud regions are available:
United States (US)
European Union (EU)
Japan (JP)
Singapore (SG)
Apply Change to save the configuration.
Forward Files for Advanced WildFire Analysis (PAN-OS & Panorama)
(
PA-7000 Series Firewalls Only) To enable
a PA-7000 Series firewall to forward samples for analysis, you must
first
configure a data port on an NPC
as a Log Card interface. If you have a PA-7000 series appliance
equipped with an LFC (
log forwarding card),
you must
configure a port used by the
LFC. When configured, the log card port or the LFC interface
takes precedence over the management port when forwarding samples.
Specify
the
Advanced WildFire Deployments to which
you want to forward samples.
Select and edit the General
Settings based on your WildFire cloud deployment (public, government,
private, or hybrid).
The WildFire U.S. Government Cloud
is only available to U.S. Federal agencies as an optional analysis
environment.
Advanced WildFire
Public Cloud:
Enter the
WildFire Public Cloud URL:
United States: wildfire.paloaltonetworks.com
Europe: eu.wildfire.paloaltonetworks.com
Japan: jp.wildfire.paloaltonetworks.com
Singapore: sg.wildfire.paloaltonetworks.com
United Kingdom: uk.wildfire.paloaltonetworks.com
Canada: ca.wildfire.paloaltonetworks.com
Australia: au.wildfire.paloaltonetworks.com
Germany: de.wildfire.paloaltonetworks.com
India: in.wildfire.paloaltonetworks.com
Switzerland: ch.wildfire.paloaltonetworks.com
Poland: pl.wildfire.paloaltonetworks.com
Indonesia: id.wildfire.paloaltonetworks.com
Taiwan: tw.wildfire.paloaltonetworks.com
France:
fr.wildfire.paloaltonetworks.com
Qatar:
qatar.wildfire.paloaltonetworks.com
South Korea:
kr.wildfire.paloaltonetworks.com
South Africa:
za.wildfire.paloaltonetworks.com
Israel:
il.wildfire.paloaltonetworks.com
Saudi Arabia:
sa.wildfire.paloaltonetworks.com
Italy:
it.wildfire.paloaltonetworks.com
Spain:
es.wildfire.paloaltonetworks.com
Brazil:
br.wildfire.paloaltonetworks.com
Make sure the
WildFire Private Cloud field
is clear.
WildFire FedRAMP Cloud options:
Enter the
WildFire FedRAMP Cloud URL:
U.S. Government Cloud:
wildfire.gov.paloaltonetworks.com
Advanced WildFire Government Cloud:
gov-cloud.wildfire.paloaltonetworks.com
Advanced WildFire Public Sector Cloud:
pubsec-cloud.wildfire.paloaltonetworks.com
Make sure the
WildFire Private Cloud field
is clear.
Define
the size limits for files the firewall forwards and configure logging
and reporting settings.
Continue editing General Settings ().
- Review the File Size Limits for files
forwarded from the firewall.
It is a
Advanced WildFire Best Practices to set
the
File Size for PEs to the maximum size
limit of 10 MB, and to leave the
File Size for
all other file types set to the default value.
- Select Report Benign Files to allow logging
for files that receive a verdict of benign.
- Select Report Grayware Files to allow
logging for files that receive a verdict of grayware.
- Define what session information is recorded in WildFire analysis
reports by editing the Session Information Settings. By default,
all session information is displayed in WildFire analysis reports.
Clear the check boxes to remove the corresponding fields from WildFire
analysis reports and click OK to save the
settings.
Define
traffic to forward for analysis.
Select ,
Add a
new WildFire analysis profile, and give the profile a descriptive
Name.
Add a profile rule to define
traffic to be forwarded for analysis and give the rule a descriptive
Name,
such as local-PDF-analysis.
Define the profile rule to match to unknown traffic
and to forward samples for analysis based on:
Applications—Forward files
for analysis based on the application in use.
File Types—Forward files for analysis
based on file types, including links contained in email messages.
For example, select PDF to forward unknown
PDFs detected by the firewall for analysis.
Direction—Forward files for analysis
based the transmission direction of the file (upload, download,
or both). For example, select both to forward
all unknown PDFs for analysis, regardless of the transmission direction.
Click
OK to save the WildFire
analysis profile.
Attach
the WildFire Analysis profile to a security policy rule.
Traffic allowed by the security policy rule is evaluated
against the attached WildFire analysis profile; the firewalls forwards
traffic matched to the profile for WildFire analysis.
Select and
Add or
modify a policy rule.
Click the
Actions tab within
the policy rule.
In the Profile Settings section, select
Profiles as
the
Profile Type and select a
WildFire
Analysis profile to attach to the policy rule
-
