Configure General Cluster Settings Locally
Where Can I Use This?
What Do I Need?
  • WildFire Appliance
  • WildFire License
Some general settings are optional and some general settings are pre-populated with default values. It’s best to at least check these settings to ensure that the cluster configuration matches your needs. General settings include:
  • Connecting to the WildFire public cloud and submitting samples to the public cloud.
  • Configuring data retention policies.
  • Configuring logging.
  • Setting the analysis environment (the VM image that best matches your environment) and customizing the analysis environment to best service the types of samples the firewalls submit to WildFire.
  • Setting IP addresses for the DNS server, NTP server, and more.
Configure WildFire settings using the CLI on the cluster’s primary controller node. The rest of the cluster nodes use the settings configured on the cluster controller.
  1. Configure the general settings for the WildFire cluster. This process is similar to Configuring the WildFire Appliance settings.
    1. Configure the management interface settings. Set WildFire appliance cluster node IP addresses and the default gateway. Each WildFire appliance cluster node must have a static IP address in the same subnet. Also set the DNS server IP addresses.
    2. Set the WildFire appliance clock. Set the clock either manually or by specifying NTP servers, and set NTP Server authentication.
    3. (Optional) Allow additional users to manage the WildFire appliance. Add administrator accounts and assign them roles to manage the cluster.
  2. (Optional) Connect the cluster to the WildFire public cloud and configure the cloud services the cluster will use.
    If business reasons don’t prevent you from connecting the WildFire appliance cluster to the public WildFire cloud, connecting the cluster to the cloud provides benefits such as:
    • Using the cloud’s resources to perform sample analysis in multiple environments, using different methods.
    • Automatically querying the cloud for verdicts before performing local analysis to offload work from the cluster. (Disabled by default.)
    • Benefiting from and contributing to the intelligence of the global WildFire community.
    The features described in this step are not cluster-specific. You can also configure them on standalone WildFire appliances.
    1. Benefit from the intelligence gathered from all connected WildFire appliances:
      admin@WF-500(active-controller)# set deviceconfig setting wildfire cloud-server <hostname-value>
      The default value for the WildFire public cloud server hostname is wildfire-public-cloud. You can Forward Files for WildFire Analysis to any public WildFire cloud.
    2. If you connect the cluster to a WildFire public cloud, configure whether to automatically query the public cloud for verdicts before performing local analysis. Querying the public cloud first reduces the load on the local WildFire cluster:
      admin@WF-500(active-controller)# set deviceconfig setting wildfire cloud-intelligence cloud-query (no | yes)
    3. If you connect the cluster to a WildFire public cloud, configure the types of information for which you want to Submit Locally-Discovered Malware or Reports to the WildFire Public Cloud (diagnostic data, XML reports about malware analysis, malware samples). If you send malware samples, the cluster doesn’t send reports.
      admin@WF-500(active-controller)# set deviceconfig setting wildfire cloud-intelligence submit-diagnostics (no | yes) submit-report (no | yes) submit-sample (no | yes)
  3. (Optional) Configure the controller node to publish the service status using the DNS protocol.
    admin@WF-500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
  4. (Optional) Configure data retention policies for malicious and benign or grayware samples.
    1. Select the amount of time to retain different types of data:
      admin@WF-500(active-controller)# set deviceconfig setting wildfire file-retention malicious <indefinite | 1-2000> non-malicious <1-90>
      The default for retaining malicious samples is indefinite (do not delete). The default for retaining non-malicious (benign and grayware) samples is 14 days.
  5. (Optional) Configure the preferred analysis environment.
    1. If your analysis environment analyzes mostly executable samples or mostly document samples, you can allocate the majority of the cluster resources to analyzing those sample types:
      admin@WF-500(active-controller)# set deviceconfig setting wildfire preferred-analysis-environment (Documents | Executables | default)
      For each WildFire appliance in the cluster:
      • The default option concurrently analyzes 16 documents, 10 portable executables (PE), and 2 email links.
      • The Documents option concurrently analyzes 25 documents, 1 PE, and 2 email links.
      • The Executables option concurrently analyzes 25 PEs, 1 document, and 2 email links.
      You can configure a different preferred analysis environment for each node in the cluster. (If you manage the cluster from Panorama, Panorama can set the analysis environment for the entire cluster.)
  6. Configure node analysis settings.
    1. (Optional) Set Up Content Updates to improve malware analysis.
    2. Set Up the VM Interface to enable the cluster to observe malicious behaviors where the sample being analyzed seeks network access.
    3. (Optional) Enable Local Signature and URL Category Generation to generate DNS and antivirus signatures and URL categories.