View Blocked Files

  1. Verify that your firewall can forward files to WildFire.
    If you have a WildFire license, verify that it is active on the firewall, and get started with WildFire.
    If you don’t have a WildFire subscription, you can forward unknown and blocked files in portable executable (PE) format for WildFire analysis.
  2. View blocked files and their WildFire analysis information.
    The firewall and the WildFire portal do not generate email alerts for blocked files.
    On the firewall, select Monitor > Logs > WildFire Submissions, and choose from the following options:
    • To check whether a file was allowed or blocked by the firewall, view the Action column.
    WildFire submissions prior to PAN-OS 8.0 display with the firewall action alert. Now, for files forwarded to WildFire after upgrading to PAN-OS 8.0, the action displayed is either allow or block. Log entries with the action allow are files that the firewall has allowed to pass through your network. They can be known files that are benign or files allowed by your security policies. Log entries with the action block are files that the firewall has blocked based on antivirus signatures.
    • To view only blocked files in the WildFire Submissions log, construct the filter (action eq block) and click Apply Filter. Refer to the complete workflow for filtering logs.
    • To view the WildFire file analysis details for a blocked file, click the spyglass icon next to the log entry and view the WildFire Analysis Report tab.
    Alternatively, view blocked files on the WildFire portal:
    1. Log in to the WildFire portal (https://wildfire.paloaltonetworks.com) with your support account credentials.
    2. On the dashboard, choose one of the following actions:
      • Select a Source to view a list of files uploaded to WildFire by a particular source.
      • Click Reports to view all files uploaded to WildFire.
    3. Click the report icon to view the WildFire analysis report for a file.
    4. Under Session Information, view the file Status to check whether the file was allowed or blocked by the firewall.
      The file Status is not available for files uploaded manually to the WildFire portal or with the WildFire API.
  3. Continue investigating blocked files.
    • Use the SHA-256 hash (now provided for blocked files that match antivirus signatures) to view artifacts associated with a blocked file in AutoFocus or VirusTotal.
    • Use Globally Unique Threat IDs, found in the log entry for a blocked file, to search Threat Vault for the name of the signature that blocked the file.
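
Added example (not part of the original documentation or of any Palo Alto Networks tooling): a triage script for an exported copy of the WildFire Submissions log that collects the unique SHA-256 hashes of blocked files for follow-up and separately lists pre-PAN-OS 8.0 entries, whose action is alert and which the filter (action eq block) does not return. The column names and the sample rows are assumptions constructed for this example, not the firewall's export schema.

```python
import csv
import io
import re

# Constructed sample standing in for an exported WildFire Submissions log.
# Column names (receive_time, file_name, action, sha256) are hypothetical.
SAMPLE_CSV = """receive_time,file_name,action,sha256
2017/03/01 10:02:11,invoice.exe,block,{h1}
2017/03/01 10:05:40,setup.exe,allow,{h2}
2016/11/20 08:15:03,old_sample.exe,alert,{h3}
2017/03/02 14:21:57,invoice_copy.exe,BLOCK,{h1}
2017/03/02 15:00:00,truncated.exe,block,abc123
""".format(h1="a" * 64, h2="b" * 64, h3="c" * 64)  # placeholder hashes

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def triage(csv_text):
    """Split log rows by firewall action.

    blocked  - unique SHA-256 hashes of rows with action 'block'
    legacy   - file names of rows with action 'alert' (pre-8.0 entries that
               carry neither 'allow' nor 'block')
    rejected - file names of blocked rows whose hash is not a valid SHA-256
    """
    result = {"blocked": [], "legacy": [], "rejected": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["action"].strip().lower()
        digest = row["sha256"].strip().lower()
        if action == "alert":
            result["legacy"].append(row["file_name"])
        elif action == "block":
            if not SHA256_RE.fullmatch(digest):
                # Do not pass malformed values on to a hash lookup.
                result["rejected"].append(row["file_name"])
            elif digest not in seen:
                seen.add(digest)
                result["blocked"].append(digest)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_CSV)
    print("Hashes to look up:", report["blocked"])
    print("Pre-8.0 entries to review manually:", report["legacy"])
    print("Blocked rows with unusable hash:", report["rejected"])
```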
