>
    Strata Copilot
    Enable Free WildFire Fowarding on Your NGFW
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Perform the Initial Setup and Configuration for NGFWs
    4. Enable Free WildFire Fowarding on Your NGFW
    Download PDF
    Next-Generation Firewall

    Enable Free WildFire Fowarding on Your NGFW

    Table of Contents

    Enable Free WildFire Fowarding on Your NGFW

    Enable free WildFire forwarding on your NGFW for sample analysis.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by PAN-OS)
    No prerequisites needed
    WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, phishing, grayware, or benign. With WildFire enabled, a Palo Alto Networks NGFW can forward unknown samples to WildFire for analysis. For newly-discovered malware, WildFire generates a signature to detect the malware, which is made available for retrieval in real-time for all NGFWs with an active WildFire subscription. This enables all Palo Alto next-generation NGFWs worldwide to detect and prevent malware found by a single NGFW. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the NGFW has never seen before. The Palo Alto Networks threat research team uses the threat intelligence gathered from malware variants to block malicious IP addresses, domains, and URLs.
    A basic WildFire service is included as part of the Palo Alto Networks next-generation NGFW and does not require a WildFire subscription. With the basic WildFire service, you can enable the NGFW to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription, but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24- 48 hours (as part of the Antivirus updates).
    Beyond the basic WildFire service, a WildFire subscription is required for the NGFW to:
    • Get the latest WildFire signatures in real-time.
    • Prevent malicious PE (portable executables), ELF and MS Office files, and PowerShell and shell scripts from entering your network in real-time using WildFire Inline ML.
    • Forward advanced file types and email links for analysis.
    • Use the WildFire API.
    • Use a WildFire appliance to host a WildFire private cloud or a WildFire hybrid cloud.
    If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:
    1. Confirm that your NGFW is registered and that you have a valid support account as well as any subscriptions you require.
      1. Log in to the Palo Alto Networks Customer Support Portal (CSP) and on the left-hand side navigation pane, select AssetsDevices.
      2. Verify that the NGFW is listed. If it is not listed, select Register New Device and continue to register the NGFW.
      3. (Optional) If you have a Threat Prevention subscription, be sure to Activate Subscription Licenses.
    2. Log in to the NGFW and configure WildFire forwarding settings.
      1. Select DeviceSetupWildFire and edit the General Settings.
      2. Set the WildFire Public Cloud field to forward files to the WildFire global cloud (U.S.) at: wildfire.paloaltonetworks.com.
        You can also forward files to a WildFire regional cloud or a private cloud based on your location and your organizational requirements.
      3. Review the File Size Limits for PEs the NGFW forwards for WildFire analysis. set the Size Limit for PEs that the NGFW can forward to the maximum available limit of 10 MB.
        As a WildFire best practice, set the Size Limit for PEs to the maximum available limit of 10 MB.
      4. Click OK to save your changes.
    3. Enable the NGFW to forward PEs for analysis.
      1. Select ObjectsSecurity ProfilesWildFire Analysis and Add a new profile rule.
      2. Name the new profile rule.
      3. Add a forwarding rule and enter a Name for it.
      4. In the File Types column, add pe files to the forwarding rule.
      5. In the Analysis column, select public-cloud to forward PEs to the WildFire public cloud.
      6. Click OK.
    4. Apply the new WildFire Analysis profile to traffic that the NGFW allows.
      1. Select PoliciesSecurity and either select an existing policy rule or create a new policy rule as described in Set Up a Basic Security Policy.
      2. Select Actions and in the Profile Settings section, set the Profile Type to Profiles.
      3. Select the WildFire Analysis profile you just created to apply that profile rule to all traffic this policy rule allows.
      4. Click OK.
    5. Enable the NGFW to forward decrypted SSL traffic for WildFire analysis.
    6. Review and implement WildFire best practices to ensure that you are getting the most of WildFire detection and prevention capabilities.
    7. Commit your configuration updates.
    8. Verify that the NGFW is forwarding PE files to the WildFire public cloud.
      Select MonitorLogsWildFire Submissions to view log entries for PEs the NGFW successfully submitted for WildFire analysis. The Verdict column displays whether WildFire found the PE to be malicious, grayware, or benign. (WildFire only assigns the phishing verdict to email links). The Action column indicates whether the NGFW allowed or blocked the sample. The severity column indicates how much of a threat a sample poses to an organization using the following values: critical, high, medium, low, information.
    9. (Threat Prevention subscription only) If you have a Threat Prevention subscription, but do not have a WildFire subscription, you can still receive WildFire signature updates every 24- 48 hours.
      1. Select DeviceDynamic Updates.
      2. Check that the NGFW is scheduled to download, and install Antivirus updates.

    © 2026 Palo Alto Networks, Inc. All rights reserved.