1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. WildFire Features
    5. WildFire Phishing Verdict

    WildFire Phishing Verdict

    The new WildFire phishing verdict classifies credential phishing links found in emails separately from emailed links found to be exploits or malware. When the firewall detects a link in an email, it forwards the link to WildFire for analysis. WildFire classifies the link as phishing based on properties and behaviors the accompanying website displays and assigns the link the new phishing verdict. Phishing links are logged as WildFire Submissions to indicate that the firewall detected such a link in an email.
    Firewalls with an active WildFire license that are connected to the WildFire public cloud and are configured to forward email links for analysis will automatically start receiving phishing verdicts after the upgrade to PAN-OS 8.0. Firewalls with both a WildFire license and a PAN-DB URL Filtering license can block access to phishing sites within five minutes of initial discovery.
    For Firewalls in a WildFire Private Cloud Deployment:
    The WildFire appliance does not support the new Phishing verdict. However, firewalls connected to a WildFire appliance that also have an active PAN-DB URL Filtering license can still benefit from phishing protection. For these firewalls, continue to step 5 to block users from accessing newly-discovered phishing sites.
    1. Check that the firewall has an active WildFire license and is connected to WildFire.
      Blocking access to phishing sites requires a PAN-DB URL Filtering license, in addition to the WildFire license.
      1. Select
        Device
        Licenses
         to confirm that the WildFire License is active. If you are also planning to block access to phishing sites, confirm that the PAN-DB URL Filtering license is active.
      2. Select
        Device
        Setup
        WildFire
         and confirm that the
        WildFire Public Cloud
         is set to:
        wildfire.paloaltonetworks.com
      3. Alternatively, you can connect the firewall to a WildFire regional cloud in the European Union (EU) or in Japan.
    2. Verify that the firewall is enabled to forward email links for WildFire analysis.
      1. Select
        Objects
        Security Profiles
        WildFire Analysis
         and confirm that at least one profile is configured to forward
        email-link
         or
        any
         File Types for WildFire analysis.
      2. Select
        Policies
        Security
         to confirm that the WildFire Analysis profile is attached to a security policy rule:
        check-wf-profile.png
    3. Monitor phishing links.
      • View links the firewall forwarded that WildFire found to be phishing links:
        Select
        Monitor
        WildFire Submissions
        . The Verdict column displays Phishing for entries that record a phishing link. You can add the following filter to display only logs for phishing links:
        (verdict eq phishing)
      • View phishing activity on the firewall ACC:
        Select
        ACC
        Threat Activity
        , view WildFire Activity By Type and select
        phishing
        .
      • View all phishing links WildFire has identified:
        The WildFire portal displays the total number of WildFire submissions that were found to be phishing links in the last hour and the last 24 hours:
        portal-phishing.png
      Select
      Reports
      , filter by
      Verdict
      , and select
      Phishing
       to find the analysis reports for phishing links.
      If you are submitting links to a regional WildFire cloud for analysis, instead use the WildFire EU portal or the WildFire Japan portal.
    4. Forward phishing logs as SNMP traps, syslog messages, or email notifications.
      1. Select
        Objects
        Log Forwarding
         and
        Add
         or modify a log forwarding profile to define the logs you want to forward.
      2. Add
         a rule to the profile.
      3. Set the
        Log Type
         to wildfire.
      4. Add the
        Filter
        ( verdict eq phishing )
        .
      5. Continue to define or update the profile, and click
        OK
         to save the profile when you’re done.
      6. Apply the new or updated log forwarding settings to traffic:
        1. Select
          Policies
          Security
           and
          Add
           or modify a security policy rule.
        2. Select
          Actions
           and in the Log Setting section, attach the new or updated
          Log Forwarding
           profile to the security policy rule.
        3. Click
          OK
           to save the security policy rule.
    5. (
      Optional
      ) To prevent users from inadvertently leaking corporate credentials to attackers, block access to phishing sites and block users from submitting usernames and passwords to untrusted and unsanctioned sites.
      1. Select
        Objects
        URL Filtering
         and
        Add
         or modify a URL Filtering profile.
      2. Select
        Categories
         and filter the list of URL categories to find the phishing category.
      3. Set the
        Site Access
         for phishing websites to
        Block
         to prevent users from accessing sites that aim to steal usernames and passwords.
      4. Enable the new Credential Phishing Prevention feature to stop users from submitting credentials to untrusted sites, without blocking their access to these sites.
      5. Apply the new or updated URL Filtering profile to traffic:
        1. Select
          Policies
          Security
           and
          Add
           or modify a security policy rule.
        2. Select
          Actions
           and in the Profile Setting section, set the
          Profile Type
           to profiles.
        3. Attach the new or updated
          URL Filtering
           profile to the security policy rule.
        4. Click
          OK
           to save the security policy rule.

    Related Documentation

    WildFire Features

    WildFire Features PAN-OS 8.0.1 is the base image for WF-500 appliances (not PAN-OS 8.0.0). New WildFire Features Description WildFire Appliance Clusters In environments where you ...

    Get Started with WildFire

    Get Started with WildFire The following steps provide a quick workflow to get started with WildFire™. If you’d like to learn more about WildFire before ...

    Five-Minute Updates for PAN-DB Malware and Phishing URL Categories

    Five-Minute Updates for PAN-DB Malware and Phishing URL Categories The Malware and Phishing URL categories in the PAN-DB cloud are now updated every five minutes ...

    Email Link Analysis

    Email Link Analysis A Palo Alto Networks firewall can extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links for WildFire ...

    Credential Phishing Prevention

    Credential Phishing Prevention Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the user credentials that ...

    WildFire Submissions Logs

    WildFire Submissions Logs The firewall forwards samples (files and emails links) to the WildFire cloud for analysis based on WildFire Analysis profiles settings ( Objects ...

    WildFire Signatures

    WildFire Signatures WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic and can quickly generate signatures ...

    Enable Basic WildFire Forwarding

    Enable Basic WildFire Forwarding WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to ...

    Control Access to Web Content

    Control Access to Web Content URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize ...

    Create Best Practice Security Profiles for the Internet Gat...

    Use these File Blocking settings as a best practice at your internet gateway. ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo