End-of-Life (EoL)

View Blocked Files

  1. Verify that your firewall can forward files to WildFire.
    If you have a WildFire license, verify that it is active on the firewall, and get started with WildFire.
    If you don’t have a WildFire subscription, you can forward unknown and blocked files in portable executable (PE) format for WildFire analysis.
  2. View blocked files and their WildFire analysis information.
    The firewall and the WildFire portal do not generate email alerts for blocked files.
    On the firewall, select
    Monitor
    Logs
    WildFire Submissions
    , and choose from the following options:
    • To check whether a file was allowed or blocked by the firewall, view the Action column.
    WildFire submissions prior to PAN-OS 8.0 display with the firewall action
    alert
    . Now, for files forwarded to WildFire after upgrading to PAN-OS 8.0, the action displayed is either
    allow
    or
    block
    . Log entries with the action
    allow
    are files that the firewall has allowed to pass through your network. They can be known files that are benign or files allowed by your security policies. Log entries with the action
    block
    are files that the firewall has blocked based on antivirus signatures.
    • To view only blocked files in the WildFire Submissions log, construct the filter
      (action eq block)
      and click Apply Filter. Refer to the complete workflow for filtering logs.
    • To view the WildFire file analysis details for a blocked file, click the spyglass ( ) next to the log entry and view the
      WildFire Analysis Report
      tab.
    Alternatively, view blocked files on the WildFire portal:
    1. Log in to the WildFire portal (https://wildfire.paloaltonetworks.com) with your support account credentials.
    2. On the dashboard, choose one of the following actions:
      • Select a
        Source
        to view a list of files uploaded to WildFire by a particular source.
      • Click
        Reports
        to view all files uploaded to WildFire.
    3. Click report icon to view the WildFire analysis report for a file.
    4. Under Session Information, view the file Status to check whether the file was
      allowed
      or
      blocked
      by the firewall.
      The file Status is not available for files uploaded manually to the WildFire portal or with the WildFire API.
  3. Continue investigating blocked files.
    • Use the SHA-256 hash (now provided for a blocked file that match antivirus signatures) to view artifacts associated with a blocked file in AutoFocus or VirusTotal.
    • Use Globally Unique Threat IDs, found in the log entry for a blocked file, to search Threat Vault for the name of the signature that blocked the file.

Recommended For You