Advanced WildFire Powered by Precision AI™
set deviceconfig setting wildfire
Configure WildFire settings on the WildFire appliance. You can configure
forwarding of malicious files, define the cloud server that receives
malware-infected files, and enable or disable the vm-interface.
Hierarchy Location
set deviceconfig setting wildfire {
    active-vm {vm-1 | vm-2 | vm-3 | vm-4 | vm-5 | <value>};
    cloud-server <value>;
    custom-dns-name <value>;
    preferred-analysis-environment {Documents | Executables | default};
    vm-network-enable {no | yes};
    vm-network-use-tor {enable | disable};
    cloud-intelligence {
        cloud-query {no | yes};
        submit-diagnostics {no | yes};
        submit-report {no | yes};
        submit-sample {no | yes};
    }
    file-retention {
        malicious {indefinite | <1-2000>};
        non-malicious <1-90>;
    }
    signature-generation {
        av {no | yes};
        dns {no | yes};
        url {no | yes};
    }
}
active-vm — Select the virtual machine environment that WildFire will
use for sample analysis. Each VM has a different configuration, such as
Windows XP, specific versions of Flash, Adobe Reader, etc. To view
which VM is selected, run the following command: show wildfire status and
view the Selected VM field. To view the VM environment information,
run the following command: show wildfire vm-images.
cloud-server — Hostname of the cloud server to which the appliance
forwards malicious samples and reports for re-analysis.
The default cloud server is wildfire-public-cloud. To configure
forwarding, use the following command: set deviceconfig setting wildfire cloud-intelligence.
custom-dns-name — Configure a custom DNS name to
use in server certificates and the WildFire server list instead
of the default DNS name wfpc.service.<clustername>.<domain>.
preferred-analysis-environment — Allocate the majority
of the resources to document analysis or to executable analysis,
depending on the type of samples most often analyzed in your environment.
The default allocation balances resources between document and executable
samples. For example, to allocate the majority of the analysis resources
to documents: set deviceconfig setting wildfire preferred-analysis-environment Documents.
vm-network-enable — Enable or disable the vm-network.
When enabled, sample files running in the virtual machine sandbox
can access the Internet. This helps WildFire better analyze the
behavior of the malware to look for things like phone home activity.
vm-network-use-tor — Enable or disable the Tor network
for the vm-interface. When this option is enabled, any malicious
traffic coming from the sandbox systems on the WildFire appliance
during sample analysis is sent through the Tor network. The Tor
network will mask your public facing IP address, so the owners of
the malicious site cannot determine the source of the traffic.
cloud-intelligence — Configure the appliance to submit
WildFire diagnostics, reports or samples to the Palo Alto Networks
WildFire cloud, or to automatically query the public WildFire cloud
before performing local analysis to conserve WildFire appliance resources.
The submit-report option sends reports for malicious samples to
the cloud for statistical gathering. The submit-sample option sends
malicious samples to the cloud. If submit-sample is enabled, you don't
need to enable submit-report because the cloud re-analyzes the sample
and generates a new report and signature if the sample is malicious.
file-retention — Configure how long to save malicious
(malware and phishing) samples and non-malicious (grayware and benign)
samples. The default for malicious samples is indefinite (never
delete). The default for non-malicious samples is 14 days. For example,
to retain non-malicious samples for 30 days: set deviceconfig setting wildfire file-retention non-malicious 30.
signature-generation — Enable the appliance to generate
signatures locally, eliminating the need to send any data to the
public cloud in order to block malicious content. The WildFire appliance
will analyze files forwarded to it from Palo Alto Networks firewalls
or from the WildFire API and generate antivirus and DNS signatures
that block both the malicious files as well as associated command
and control traffic. When the appliance detects a malicious URL,
it sends the URL to PAN-DB and PAN-DB assigns it the malware category.
Sample Output
The following shows an example output of the WildFire settings.
admin@WF-500# show deviceconfig setting wildfire
wildfire {
    signature-generation {
        av yes;
        dns yes;
        url yes;
    }
    cloud-intelligence {
        submit-report no;
        submit-sample yes;
        submit-diagnostics yes;
        cloud-query yes;
    }
    file-retention {
        non-malicious 30;
        malicious 1000;
    }
    active-vm vm-5;
    cloud-server wildfire-public-cloud;
    vm-network-enable yes;
}
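
Added example (not part of the original reference and not Palo Alto Networks code): a Python audit of show deviceconfig setting wildfire output that applies the option descriptions above, reporting what leaves the appliance, the submit-report redundancy, sandbox Internet access without Tor, and retention values outside the documented ranges. The function names, the finding labels, and the treatment of an absent vm-network-use-tor as not enabled are assumptions of this example.

```python
import re

# Constructed input: values from the page's sample output, closing braces written out.
SAMPLE = """wildfire {
  signature-generation { av yes; dns yes; url yes; }
  cloud-intelligence { submit-report no; submit-sample yes;
                       submit-diagnostics yes; cloud-query yes; }
  file-retention { non-malicious 30; malicious 1000; }
  active-vm vm-5; cloud-server wildfire-public-cloud; vm-network-enable yes;
}"""

def parse(text):
    """Turn 'name { key value; ... }' config text into nested dicts."""
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                      # open a named block
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":                    # close the current block
            node = stack.pop()
        elif tok == ";":                    # end of a 'key value' leaf
            node[words[0]] = " ".join(words[1:])
            words = []
        else:
            words.append(tok)
    return root

def audit(cfg):
    """Return findings derived from the option descriptions on this page."""
    wf = cfg.get("wildfire", {})
    ci, ret = wf.get("cloud-intelligence", {}), wf.get("file-retention", {})
    out = []
    sent = [k for k in ("submit-sample", "submit-report", "submit-diagnostics") if ci.get(k) == "yes"]
    if sent:
        out.append("cloud-upload: " + ", ".join(sent))
    if ci.get("cloud-query") == "yes":
        out.append("cloud-query: public cloud is queried before local analysis")
    if ci.get("submit-sample") == "yes" and ci.get("submit-report") == "yes":
        out.append("redundant: submit-report is unnecessary with submit-sample")
    # Assumption: an absent vm-network-use-tor is treated as not enabled.
    if wf.get("vm-network-enable") == "yes" and wf.get("vm-network-use-tor") != "enable":
        out.append("sandbox-egress: vm-network-enable is yes without vm-network-use-tor enable")
    for key, default, high in (("malicious", "indefinite", 2000), ("non-malicious", "14", 90)):
        value = ret.get(key, default)       # defaults as documented on this page
        ok = (value.isdigit() and 1 <= int(value) <= high) or (key == "malicious" and value == "indefinite")
        if not ok:
            out.append(f"retention: {key} value {value} is outside the documented range")
    return out
```

Calling audit(parse(SAMPLE)) on the sample values yields three findings: the cloud uploads, the cloud query, and sandbox Internet access without Tor.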