Configure WildFire for Cloud NGFW on AWS
Cloud NGFW can now detect and forward files, executables, and
malicious scripts (such as JScript and PowerShell) in your VPC traffic to the WildFire™
(WF) cloud service for analysis. WildFire then applies threat intelligence,
analytics, and correlations to these forwarded files (executables or scripts) and
delivers verdicts based on the analysis. If a threat is detected in them, WildFire
creates protections to block the malware and globally distributes these protections for
that threat in a few minutes.
WildFire goes beyond traditional sandboxing approaches and uses multiple techniques
to identify files with potential malicious behaviors. These techniques include:
- Dynamic analysis: observes files as they execute in a purpose-built, evasion-resistant virtual environment, enabling detection of previously unknown malware using hundreds of behavioral characteristics.
- Static analysis: complements dynamic analysis with effective detection of malware, providing instant identification of malware variants. Static analysis further leverages dynamic unpacking to analyze threats attempting to evade detection through the use of packing tool sets.
- Network traffic profiles: detect malicious traffic patterns based on malware variants such as backdoor creation, download of next-stage malware, access to low-reputation domains, and network reconnaissance.
- Machine learning: extracts thousands of unique features from each file, training a predictive machine learning model to identify new malware, which is not possible with static or dynamic analysis alone.
- A custom-built hypervisor: prevents attacker evasion techniques with a robust, proprietary hypervisor that does not depend on open source projects or proprietary software to which attackers have access.

To configure WildFire on your Cloud NGFW AWS resource, you will need to:
Configure a WildFire Profile
- Log in to Panorama and click Objects > WildFire Analysis. The WildFire Analysis Profile window appears.
- Select the device group from the drop-down menu where you want to create the profile.
- Click Add.
- Enter a Name for the WildFire profile and click Add.
- Enter a descriptive Name for any rules you add to the profile.
- In the application section, click Add to select the application from the list of applications that you wish to allow access through your WildFire profile.
- Click File Types to select the file types you wish to allow.
- Click Direction to allow download, upload, or both.
- Select the Destination for traffic to be forwarded for analysis:
  - Select public-cloud if you want all traffic matched to the rule to be forwarded to the WildFire public cloud for analysis.
  - Select private-cloud if you want all traffic matched to the rule to be forwarded to the WildFire appliance for analysis.
- Click OK.
Define Security Rules
- Log in to Panorama and click Policies.
- Choose the required Device Group and click the preconfigured security rule (Pre Rule or Post Rule) or create a new rule.
- Click Actions.
- In the profile setting, select Profiles under the profile type.
- Select the WildFire profile you want in the WildFire Analysis drop-down.
- Click OK.
Commit and push the device group to the Cloud NGFW resources.
For information, see Latest WildFire Cloud Features.
View WildFire Submission Logs
You can view WildFire submission logs in:
View Logs in AWS Destinations
If you have previously configured Amazon CloudWatch, Amazon S3, or Amazon Kinesis
as your log destination, you can review the logs there for malicious traffic
blocked by WildFire.


View Logs in Panorama
On Panorama, you can view the logs on the device group (DG) using Monitor > Threats.
View Logs in Cortex Data Lake
You can also view WildFire logs in your Cortex Data Lake (CDL) instance.
- Click Explore and select Firewall/Threat from the explore drop-down.
- Enter sub_type value = wildfire or wildfire-virus and filter for WildFire logs.
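The same sub_type filter can be applied to records exported from an AWS log destination. The following Python is an added example, not part of the Palo Alto Networks documentation; it assumes newline-delimited JSON records that carry a sub_type field, and the sample records and every other field name (log_type, src_ip, file_name, action) are constructed for illustration.

```python
import json
from collections import Counter

# sub_type values the page gives for WildFire entries in Cortex Data Lake.
WILDFIRE_SUBTYPES = {"wildfire", "wildfire-virus"}

# Constructed sample export (newline-delimited JSON). Every field name other
# than sub_type is an assumption; adjust to the schema your destination receives.
SAMPLE_LOGS = """\
{"log_type": "THREAT", "sub_type": "wildfire", "src_ip": "10.0.1.15", "file_name": "invoice.js", "action": "block"}
{"log_type": "THREAT", "sub_type": "vulnerability", "src_ip": "10.0.1.20", "action": "alert"}
{"log_type": "THREAT", "sub_type": "wildfire-virus", "src_ip": "10.0.2.7", "file_name": "setup.exe", "action": "block"}
not-json line from a truncated export
{"log_type": "TRAFFIC", "src_ip": "10.0.1.15", "action": "allow"}
{"log_type": "THREAT", "sub_type": "wildfire", "src_ip": "10.0.1.15", "file_name": "report.ps1", "action": "allow"}
"""

def wildfire_records(lines):
    """Yield parsed records whose sub_type marks them as WildFire entries."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(rec, dict):
            continue
        # Case is normalized defensively before comparing.
        if str(rec.get("sub_type", "")).lower() in WILDFIRE_SUBTYPES:
            yield rec

def summarize(lines):
    """Count WildFire records per (sub_type, action) and per source address."""
    by_kind, by_source = Counter(), Counter()
    for rec in wildfire_records(lines):
        by_kind[(str(rec["sub_type"]).lower(), rec.get("action", "unknown"))] += 1
        by_source[rec.get("src_ip", "unknown")] += 1
    return by_kind, by_source

if __name__ == "__main__":
    kinds, sources = summarize(SAMPLE_LOGS.splitlines())
    for (sub_type, action), n in sorted(kinds.items()):
        print(f"{sub_type:15} {action:6} {n}")
    print("top sources:", sources.most_common(3))
```

Sources that appear repeatedly in the summary, or WildFire records whose action is not a block, are the entries to review first against the security rule the profile is attached to.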
