Configure the WildFire Appliance

1. Rack mount and cable the WildFire appliance.

   Refer to the WildFire Appliance Hardware Reference Guide for instructions.
2. Connect a computer to the appliance using the MGT or Console port and power on the appliance.

   1. Connect to the console port or the MGT port. Both are located on the back of the appliance.

      • Console Port—This is a 9-pin male serial connector. Use the following settings on the console application: 9600-8-N-1. Connect the provided cable to the serial port on the management computer or USB-To-Serial converter.
      • MGT Port—This is an Ethernet RJ-45 port. By default, the MGT port IP address is 192.168.1.1. The interface on your management computer must be on the same subnet as the MGT port. For example, set the IP address on the management computer to 192.168.1.5.
   2. Power on the appliance.

      The appliance will power on as soon as you connect power to the first power supply and a warning beep will sound until you connect the second power supply. If the appliance is already plugged in and is in the shutdown state, use the power button on the front of the appliance to power on.
3. Register the WildFire appliance.

   1. Obtain the serial number from the S/N tag on the appliance, or run the following command and refer to the serial field:

      admin@WF-500> show system info

   2. From a browser, navigate to the Palo Alto Networks Support Portal and log in.
   3. Register the device as follows:

      • If this is the first Palo Alto Networks device that you are registering and you do not have a login, click Register at the bottom of the page.
        To register, provide an email address and the serial number of the device. When prompted, set up a username and password for access to the Palo Alto Networks support community.
      • For existing accounts, log in and then click My Devices. Scroll down to the Register Device section at the bottom of the screen and enter the serial number of the device, the city and postal code, and then click Register Device.
   4. To confirm WildFire registration on the WildFire appliance, log in to the appliance with an SSH client or by using the Console port. Enter a username/password of admin/admin and enter the following command on the appliance:

      admin@WF-500> test wildfire registration

      The following output indicates that the appliance is registered with one of the Palo Alto Networks WildFire cloud servers.

      Test wildfire 
      wildfire registration: successful 
      download server list:  successful 
      select the best server: 
      cs-s1.wildfire.paloaltonetworks.com 

4. Reset the admin password.

   1. Set a new password by running the command:

      admin@WF-500> set password

   2. Type the old password, press enter and then enter and confirm the new password. Commit the configuration to ensure that the new password is saved in the event of a restart.

      Starting with PAN-OS 9.0.4, the predefined, default administrator password (admin/admin) must be changed on the first login on a device. The new password must be a minimum of eight characters and include a minimum of one lowercase and one uppercase character, as well as one number or special character.

      Be sure to use the best practices for password strength to ensure a strict password.
   3. Type exit to log out and then log back in to confirm that the new password is set.
5. Configure the management interface settings.

   This example uses the following IPv4 values, but the appliance also supports IPv6 addresses:

   • IPv4 address - 10.10.0.5/22
   • Subnet Mask - 255.255.252.0
   • Default Gateway - 10.10.0.1
   • Hostname - wildfire-corp1
   • DNS Server - 10.0.0.246

   1. Log in to the appliance with an SSH client or by using the Console port and enter configuration mode:

      admin@WF-500> configure

   2. Set the IP information:

      admin@WF-500# set deviceconfig system ip-address 10.10.0.5 netmask 255.255.252.0 default-gateway 10.10.0.1 dns-setting servers primary 10.0.0.246

      Configure a secondary DNS server by replacing primary with secondary in the above command, excluding the other IP parameters. For example:

      admin@WF-500# set deviceconfig system dns-setting servers secondary 10.0.0.247

   3. Set the hostname (wildfire-corp1 in this example):

      admin@WF-500# set deviceconfig system hostname wildfire-corp1

   4. Commit the configuration to activate the new management (MGT) port configuration:

      admin@WF-500# commit

   5. Connect the MGT interface port to a network switch.
   6. Put the management PC back on your corporate network, or whatever network is required to access the appliance on the management network.
   7. From your management computer, use an SSH client to connect to the new IP address or hostname assigned to the MGT port on the appliance. In this example, the IP address is 10.10.0.5.
6. Activate the appliance with the WildFire authorization code that you received from Palo Alto Networks.

   Though it will function without an auth-code, the WildFire appliance cannot retrieve software or content updates without a valid auth-code.

   1. Change to operational mode:

      admin@WF-500# exit

   2. Fetch and install the WildFire license:

      admin@WF-500> request license fetch auth-code <auth-code>

   3. Verify the license:

      admin@WF-500> request support check

      Information about the support site and the support contract date is displayed. Confirm that the date displayed is valid.
7. Set the WildFire appliance clock.

   There are two ways to do this. You can either manually set the date, time, and timezone or you can configure the WildFire appliance to synchronize its local clock with a Network Time Protocol (NTP) server.

   • To set the clock manually, enter the following commands:

     admin@WF-500> set clock date <YYYY/MM/DD> time <hh:mm:ss> 
     admin@WF-500> configure  
     admin@WF-500# set deviceconfig system timezone <timezone> 

     The time stamp that will appear on the WildFire detailed report will use the time zone set on the appliance. If administrators in various regions will view reports, consider setting the time zone to UTC.
   • To configure the WildFire appliance to synchronize with an NTP server, enter the following commands:

     admin@WF-500> configure 
     admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <NTP primary server IP address> 
     admin@WF-500# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <NTP secondary server IP address> 

     The WildFire appliance does not prioritize the primary or secondary NTP server; it synchronizes with either server.
8. (Optional for NTP configuration) Set up NTP authentication.

   • Disable NTP authentication:

     admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type none

   • Enable symmetric key exchange (shared secrets) to authenticate the NTP server time updates:

     admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type symmetric-key

     Continue to enter the key-ID (1 - 65534), choose the algorithm to use in NTP authentication (MD5 or SHA1), and then enter and confirm the authentication algorithm authentication-key.
   • Use autokey (public key cryptography) to authenticate the NTP server time updates:

     admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type autokey

9. Choose the virtual machine image for the appliance to use to analyze files.

   The image should be based on the attributes that most accurately represent the software installed on your end user computers. Each virtual image contains different versions of operating systems and software, such as Windows XP or Windows 7 32-bit or 64-bit and specific versions of Adobe Reader, and Flash. Although you configure the appliance to use one virtual machine image configuration, the appliance uses multiple instances of the image to improve performance.

   • To view a list of available virtual machines to determine which one best represents your environment:

     admin@WF-500> show wildfire vm-images

   • View the current virtual machine image by running the following command and refer to the Selected VM field:

     admin@WF-500> show wildfire status

   • Select the image that the appliance will use for analysis:

     admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>

     For example, to use vm-5:

     admin@WF-500# set deviceconfig setting wildfire active-vm vm-5

10. Enable the WildFire appliance to observe malicious behaviors where the file being analyzed seeks network access.

    Set Up the WildFire Appliance VM Interface.
11. forward-files-for-wildfire-appliance-analysis.html#id2a131bc8-6901-4569-a719-b71625fd799f_id6238a293-599d-4923-9d9c-fec8463cd3e4
12. (Optional) Enable the WildFire appliance to perform quick verdict lookups and synchronize verdicts with the WildFire public cloud.

    The following CLI command enables the WildFire appliance to perform verdict lookups and synchronize verdicts with the WildFire public cloud. This feature is disabled by default; set the command to yes to enable the feature.

    admin@WF-500# set deviceconfig setting wildfire cloud-intelligence cloud-query yes | no

13. (Optional) Enable the WildFire appliance to get daily Palo Alto Networks content updates to facilitate and improve malware analysis.

    Enable WildFire Appliance Analysis Features
14. (Optional) Enable the WildFire appliance to generate DNS and antivirus signatures and URL categories, and to distribute new signatures and URL categorizations to connected firewalls.

    Enable Local Signature and URL Category Generation
15. (Optional) Automatically submit malware the WildFire private cloud discovers to the WildFire public cloud, to support global protection against the malware.

    Submit Malware to the WildFire Public Cloud..
16. (Optional) If you do not want to forward malware samples outside of the WildFire private cloud, instead submit WildFire analysis reports to the WildFire public cloud.

    If you do not want to submit locally-discovered malware to the WildFire public cloud, it is a best practice to enable malware analysis report submissions to improve and refine WildFire threat intelligence.

    Submit Analysis Reports to the WildFire Public Cloud.
17. (Optional) Allow additional users to manage the WildFire appliance.

    You can assign two role types: superuser and superreader. Superuser is equivalent to the admin account, and superreader only has read access.

    In this example, you will create a superreader account for the user bsimpson:

    1. Enter configuration mode:

       admin@WF-500> configure

    2. Create the user account:

       admin@WF-500# set mgt-config users bsimpson <password>

    3. Enter and confirm a new password.
    4. Assign the superreader role:

       admin@WF-500# set mgt-config users bsimpson permissions role-based superreader yes

18. Configure RADIUS authentication for administrator access.

    1. Create a RADIUS profile using the following options:

       admin@WF-500# set shared server-profile radius <profile-name>

       (Configure the RADIUS server and other attributes.)
    2. Create an authentication profile:

       admin@WF-500# set shared authentication-profile <profile-name> method radius server-profile <server-profile-name>

    3. Assign the profile to a local admin account:

       admin@WF-500# set mgt-config users username authentication-profile <authentication-profile-name>