Set Up a Private WildFire Cloud

For deployments with privacy and legal regulations that restrict the transfer of files outside your network, you can set up your ESM to integrate with a private WildFire cloud. To set up the private cloud, you must install an on-premise WF-500 appliance. This appliance supports up to 40,000 Traps agents.
When an unknown file attempts to run on your endpoints, the WF-500 appliance queries the WildFire public cloud to obtain the verdict and analyzes the executable file in the local private sandbox. By default, the WF-500 appliance does not send discovered malware outside your network. However, you can choose to automatically forward malware to the WildFire public cloud to generate and distribute signatures to all Palo Alto Networks firewalls with Threat Prevention and WildFire licenses. Otherwise, the WF-500 appliance forwards only the malware report (and not the sample itself) to the WildFire public cloud.
To enable the ESM Server to verify and trust the identity of the WF-500 appliance, you obtain the WF-500 Root CA certificate from Support and import it on each ESM Server.
To integrate a WF-500 appliance with your ESM deployment, use the following workflow:
  1. On each ESM Server, import the WF-500 Root CA certificate (Palo Alto Networks Root CA 1) into the Trusted Root Certification Authorities.
    1. Contact Support to obtain the WF-500 Root CA certificate and save it to a location you can access from the ESM Server.
    2. On the ESM Server, open the Microsoft Management Console (MMC.exe).
    3. Select File > Add/Remove Snap-In > Certificates and add the Certificates snap-in for the Computer account.
    4. Select Local Computer > Finish, and then click OK.
    5. Expand the Certificates (Local Computer) folder.
    6. Right-click Trusted Root Certification Authorities and then select All Tasks > Import > Next.
    7. Browse to the certificate you saved in the previous step and then click Next. The certificate import wizard displays details about the Trusted Root CA certificate.
    8. Click Finish.
  2. Configure WildFire Integration in the ESM Console.
    1. Get Your WF-500 Appliance API Key and copy it into memory.
    2. From the ESM Console, select Settings > ESM > WildFire.
    3. Select Use Private Cloud (Requires a WF-500 appliance).
    4. Enter the WildFire Address of the WF-500 appliance:
      • Hostname—If the WF-500 appliance has a set hostname, enter the hostname for the WildFire Address (for example: https://HostName/). You must also ensure there is a DNS record to map the hostname to the IP address of the WF-500 appliance.
      • Hostname and domain—If the WF-500 appliance has a set hostname and domain, use the FQDN for the WildFire Address (for example: https://HostName.DomainName/). You must also ensure there is a DNS record to map the FQDN to the IP address of the WF-500 appliance.
      • No hostname or domain—If the WF-500 appliance does not have a set hostname or domain name, use the IP address of the WF-500 appliance as the WildFire Address (for example: https://172.10.10.10/).
    5. Paste the WildFire API Key from memory.
    6. Save the WildFire configuration.
  3. To verify connectivity between the ESM Server and the local WF-500 appliance, recheck a hash verdict with WildFire.
    1. Select Policies > Hash Control.
    2. Select a record in the hash control table.
    3. Select Recheck Verdict. If the connection is successful, the WF-500 appliance returns a verdict. If the connection is not successful, the verdict is No Connection.
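
The certificate import in step 1 can also be scripted, with a check of the file before it becomes a machine-wide trust anchor and a TLS handshake against the appliance before you run Recheck Verdict. This is an added example, not part of the vendor procedure; the file path, thumbprint placeholder and host name are assumptions, and it assumes an elevated session on Windows Server 2012 or later, where `Import-Certificate` is available.

```powershell
# Added example. Assumed values: replace all three before running.
$CertPath           = 'C:\Temp\wf500-root-ca.cer'            # file obtained from Support (assumed path)
$ExpectedThumbprint = '<THUMBPRINT-CONFIRMED-WITH-SUPPORT>'  # placeholder, confirm out of band
$WildFireHost       = 'HostName.DomainName'                  # host part of the WildFire Address

# 1. Inspect the file before trusting it for the whole machine.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$now  = Get-Date
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root certificate: issuer is '$($cert.Issuer)'"
}
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. Import into Local Computer > Trusted Root Certification Authorities,
#    the same store the MMC steps use.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Handshake with the appliance and let Windows validate chain and name.
#    AuthenticateAsClient throws if the chain does not build to a trusted
#    root or the certificate does not match $WildFireHost.
$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient($WildFireHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($WildFireHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    "TLS OK: '$($leaf.Subject)' issued by '$($leaf.Issuer)' over $($ssl.SslProtocol)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Set `$WildFireHost` to the same hostname, FQDN or IP address that you enter as the WildFire Address, so the name check exercises the value the ESM Server will connect to.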