End-of-Life (EoL)

Managed WildFire Cluster and Appliance Administration

Select Panorama > Managed WildFire Clusters and select a cluster to manage it, or select a WildFire appliance (Panorama > Managed WildFire Appliances) to manage a standalone appliance. The Panorama > Managed WildFire Cluster view lists cluster nodes (WildFire appliances that are members of the cluster) and standalone appliances so that you can add available appliances to a cluster. Because the cluster manages the nodes, selecting a cluster node provides only limited management capability.
Unless noted, the settings and descriptions in the following table apply to both WildFire clusters and WildFire standalone appliances. Information previously configured on the cluster or an appliance is pre-populated. Changes and additions to the information must be committed on Panorama and then pushed to the appliances.
Setting
Description
General Tab
Name
The cluster or appliance Name or the appliance serial number.
Enable DNS (WildFire clusters only)
Enable DNS service for the cluster.
Register Firewall To
The domain name to which you register firewalls. Format must be wfpc.service.<cluster-name>.<domain>. For example, the default domain name is wfpc.service.mycluster.paloaltonetworks.com.
Content Update Server
Enter the Content Update Server location or use the default wildfire.paloaltonetworks.com so that the cluster or appliance receives content updates from the closest server in the Content Delivery Network infrastructure. Connecting to the global cloud gives you the benefit of accessing signatures and updates based on threat analysis from all sources connected to the cloud, instead of relying only on the analysis of local threats.
Check Server Identity
Check Server Identity to confirm the identity of the update server by matching the common name (CN) in the certificate with the IP address or FQDN of the server.
WildFire Cloud Server
Enter the global WildFire Cloud Server location or use the default wildfire.paloaltonetworks.com so that the cluster or appliance can send information to the closest server. You can choose whether to send information and what types of information to send to the global cloud (WildFire Cloud Services).
Sample Analysis Image
Select the VM image the cluster or appliance uses for sample analysis. The default image is vm-5. You can Get a Malware Test File (WildFire API) to see the result of the sample analysis.
WildFire Cloud Services
If the cluster or appliance is connected to the global WildFire Cloud Server, you can choose whether to Send Analysis Data, Send Malicious Samples, and Send Diagnostics to the global cloud, and whether to perform a Verdict Lookup in the global cloud. Sending information to the global cloud benefits the entire community of WildFire appliance users because the shared information increases the ability of every appliance to identify malicious traffic and prevent it from traversing the network.
Sample Data Retention
The number of days to retain benign or grayware samples and malicious samples:
  • Benign/Grayware samples—Range is 1 to 90; default is 14.
  • Malicious samples—Minimum is 1 and there is no maximum (indefinite); default is indefinite.
Analysis Environment Services
Environment Networking enables virtual machines to communicate with the internet. You can select Anonymous Networking to make network communication anonymous, but you must select Environment Networking before you can enable Anonymous Networking.
Different network environments produce different types of analysis loads depending on whether more documents need to be analyzed or more executable files need to be analyzed. You can configure your Preferred Analysis Environment to allocate more resources to Executables or to Documents, depending on the needs of your environment. The Default allocation is balanced between Executables and Documents.
The amount of available resources depends on how many WildFire nodes are in the cluster.
Signature Generation
Select whether you want the cluster or appliance to generate signatures for AV, DNS, and URLs.
Appliance Tab
Hostname (Standalone WildFire appliance only)
Enter the hostname of the WildFire appliance.
Panorama Server
Enter the IP address or FQDN of the appliance or of the primary Panorama managing the cluster.
Panorama Server 2
Enter the IP address or FQDN of the appliance or of the backup Panorama managing the cluster.
Domain
Enter the domain name of the appliance cluster or appliance.
Primary DNS Server
Enter the IP address of the primary DNS Server.
Secondary DNS Server
Enter the IP address of the secondary DNS Server.
Timezone
Select the time zone to use for the cluster or appliance.
Latitude (Standalone WildFire appliance only)
Enter the latitude of the WildFire appliance.
Longitude (Standalone WildFire appliance only)
Enter the longitude of the WildFire appliance.
Primary NTP Server
Enter the IP address of the primary NTP Server and set the Authentication Type to None, Symmetric Key, or Autokey. The default is None.
Setting the Authentication Type to Symmetric Key reveals four more fields:
  • Key ID—Enter the authentication key ID.
  • Algorithm—Select the authentication algorithm, SHA1 or MD5.
  • Authentication Key—Enter the authentication key.
  • Confirm Authentication Key—Enter the authentication key again to confirm it.
Secondary NTP Server
Enter the IP address of the secondary NTP Server and set the Authentication Type to None, Symmetric Key, or Autokey. The default is None.
Setting the Authentication Type to Symmetric Key reveals four more fields:
  • Key ID—Enter the authentication key ID.
  • Algorithm—Select the authentication algorithm, SHA1 or MD5.
  • Authentication Key—Enter the authentication key.
  • Confirm Authentication Key—Enter the authentication key again to confirm it.
Login Banner
Enter a banner message that displays when users log in to the cluster or appliance.
Logging Tab (Includes System Tab and Configuration Tab)
Add
Add log forwarding profiles (Panorama > Managed WildFire Clusters > <cluster> > Logging > System or Panorama > Managed WildFire Clusters > <cluster> > Logging > Configuration) to forward:
  • system or configuration logs as SNMP traps to SNMP trap receivers.
  • syslog messages to syslog servers.
  • email notifications to email servers.
  • HTTP requests to HTTP servers.
No other log types are supported (see Device > Log Settings).
The log forwarding profiles specify which logs to forward and to which destination servers. For each profile, complete the following:
  • Name—A name that identifies the log settings (up to 31 characters) that consists of alphanumeric characters and underscores only—spaces and special characters are not allowed.
  • Filter—By default, the Panorama appliance forwards All Logs of the specified profile. To forward a subset of the logs, select a filter (severity eq critical, severity eq high, severity eq informational, severity eq low, or severity eq medium) or select Filter Builder to create a new filter.
  • Description—Enter a description (up to 1,023 characters) to explain the purpose of the profile.
Add > Filter > Filter Builder
Use Filter Builder to create new log filters. Select Create Filter to construct filters and, for each query in a new filter, specify the following settings and then Add the query:
  • Connector—Select the connector logic (and or or). Select Negate if you want to apply negation. For example, to avoid forwarding a subset of log descriptions, select Description as the Attribute, select contains as the Operator, and enter the description string as the Value to identify the description or descriptions that you don’t want to forward.
  • Attribute—Select a log attribute. The options vary by log type.
  • Operator—Select the criterion that determines how the attribute applies (such as contains). The options vary by log type.
  • Value—Specify the attribute value to match.
  • Add—Add the new filter.
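A negated contains query removes every entry whose description includes the string, whatever its severity, so it is worth checking an exclusion filter against representative logs before committing it. The following is an added example, not Palo Alto Networks code: it models Filter Builder queries as (connector, negate, attribute, operator, value) tuples, assumes queries combine left to right, and uses constructed log entries.

```python
# Operators named on this page; the product's full operator set varies by log type.
OPS = {
    "eq": lambda field, value: field == value,
    "contains": lambda field, value: value in field,
}


def matches(queries, entry):
    """Apply queries in order; each is (connector, negate, attribute, operator, value).

    The first query's connector is ignored. Left-to-right combination is an
    assumption of this example, not documented product behaviour.
    """
    result = None
    for connector, negate, attribute, op, value in queries:
        hit = OPS[op](entry.get(attribute, ""), value)
        if negate:
            hit = not hit
        if result is None:
            result = hit
        elif connector == "and":
            result = result and hit
        elif connector == "or":
            result = result or hit
        else:
            raise ValueError(f"unknown connector: {connector!r}")
    # No queries at all corresponds to the default, All Logs.
    return True if result is None else result


def suppressed(queries, entries, severities=("critical", "high")):
    """Entries at the given severities that the filter would NOT forward."""
    return [e for e in entries
            if e["severity"] in severities and not matches(queries, e)]


# Constructed system log entries (not real appliance output).
SAMPLE_LOGS = [
    {"severity": "critical", "description": "HA peer link down"},
    {"severity": "high", "description": "Login failed for user admin from 192.0.2.10"},
    {"severity": "informational", "description": "Login succeeded for user admin"},
    {"severity": "low", "description": "NTP sync completed"},
]

# Negate + contains, as in the page's example: drop descriptions containing "Login".
BROAD_EXCLUDE = [(None, True, "description", "contains", "Login")]
# Narrower exclusion that still forwards failed logins.
NARROW_EXCLUDE = [(None, True, "description", "contains", "Login succeeded")]
# Two queries joined with the "or" connector.
SEVERE_ONLY = [(None, False, "severity", "eq", "critical"),
               ("or", False, "severity", "eq", "high")]

if __name__ == "__main__":
    for name, flt in (("broad", BROAD_EXCLUDE), ("narrow", NARROW_EXCLUDE)):
        print(name, [e["description"] for e in suppressed(flt, SAMPLE_LOGS)])
```

With the broad exclusion, the high-severity failed login is never forwarded; the narrow one suppresses nothing at high or critical severity.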
To display or export logs that the filter matches, select View Filtered Logs.
  • To find matching log entries, you can add artifacts to the search field, such as an IP address or a time range.
  • Select the time period for which you want to see logs (Last 15 Minutes, Last Hour, Last 6 Hrs, Last 12 Hrs, Last 24 Hrs, Last 7 Days, or All). The default is All.
  • Use the options to the right of the time period drop-down to apply, clear, create, save, and load filters:
    • Apply filters—Display log entries that match the terms in the search field.
    • Clear filters—Clear the filter field.
    • Create a new filter—Define new search criteria (takes you to Add Log Filter, which is similar to create filters).
    • Save a filter—Enter a name for the filter and then click OK.
    • Use a saved filter—Add a saved filter to the filter field.
    • Export to CSV—Export logs to a CSV-formatted report and Download file downloads the report. By default, the report contains up to 2,000 lines of logs. To change the line limit for generated CSV reports, select Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting and enter a new Max Rows in CSV Export value.
You can change the number and order of entries displayed per page and you can use the paging controls at the bottom left of the page to navigate through the log list. Log entries are retrieved in blocks of 10 pages.
  • per page—Use the drop-down to change the number of log entries per page (20, 30, 40, 50, 75, or 100).
  • ASC or DESC—Select ASC to sort results in ascending order (oldest log entry first) or DESC to sort in descending order (newest log entry first). The default is DESC.
  • Resolve Hostname—Select to resolve external IP addresses to domain names.
  • Highlight Policy Actions—Specify an action and select to highlight log entries that match the action. The filtered logs are highlighted in the following colors:
    • Green—Allow
    • Yellow—Continue, or override
    • Red—Deny, drop, drop-icmp, rst-client, reset-server, reset-both, block-continue, block-override, block-url, drop-all, sinkhole
Delete
Select and then Delete the log forwarding settings you want to remove from the System or Configuration log list.
Authentication Tab
Remote Authentication
Select the Authentication Profile for access. The default is None. If there are no authentication profiles to choose from, you can Configure an Authentication Profile and Sequence.
Local Authentication
Configure local authentication for the administrator:
  • Administrator—This is always admin because there is only one admin-level user on a Panorama appliance.
  • Mode—Select the local authentication mode—either Password or Password Hash:
    • Password—Enter and confirm a user password.
    • Password Hash—Enter a hashed password string. For example, a hashed password is useful if you want to reuse the credentials for an existing Unix account but you don’t know the plain-text password and you remember the hashed password. The appliance accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. Any Minimum Password Complexity parameters you set for the firewall (Panorama > Setup > Management) do not apply to accounts that use a Password Hash.
Timeout Configuration
Configure cluster authentication timeouts:
  • Idle Timeout (min)—Set the idle timeout in minutes. When a user remains idle longer than the idle timeout specified, the system ends the user’s session. The default is None (no timeout).
  • Failed Attempts—Set the number of failed login attempts before the system locks a user out of the system. The default is 10 failed attempts.
  • Lockout Time (min)—Set the amount of time in minutes that a locked out user must wait before logging in. The default is 5 minutes.
Clustering Tab (Managed WildFire Clusters only) and Interface Tab (Managed WildFire Appliances only)
You must add appliances to Panorama to manage interfaces and add appliances to clusters to manage cluster node interfaces.
Appliance (Clustering Tab only)
Select a cluster node to access the Appliance and Interfaces tabs for that node. The Appliance tab node information is pre-populated and is not configurable except for the hostname. The Interfaces tab lists the node interfaces. Select an interface to manage it as described in Interface Name Management, Interface Name Analysis Environment Network, Interface Name Ethernet2, and Interface Name Ethernet3.
Interface Name Management
The management interface is Ethernet0. Configure or view management interface settings:
  • Speed and Duplex—Select from auto-negotiate, 10Mbps-half-duplex, 10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, and 1Gbps-full-duplex. The default is auto-negotiate.
  • IP Address—Enter the interface IP address.
  • Netmask—Enter the interface netmask.
  • Default Gateway—Enter the IP address of the default gateway.
  • MTU—Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
  • Management Services—Select the management services you want to support. You can support Ping, SSH, and SNMP services.
Configure proxy settings if you use a proxy server to connect to the Internet:
  • Server—IP address of the proxy server.
  • Port—Port number configured on the proxy server to listen for Panorama device requests.
  • User—Username configured on the proxy server for authentication.
  • Password and Confirm Password—Password configured on the proxy server for authentication.
  • Clustering Services (Clustering tab only)—Select the HA service:
    • HA—If there are two Controller nodes in the cluster, you can configure the management interface as an HA interface so that management information is available to both Controller nodes. If the cluster node you are configuring is the primary Controller node, mark it as the HA interface.
      Depending on how you use the WildFire appliance Ethernet interfaces, alternatively, you can configure Ethernet2 or Ethernet3 as the HA and HA Backup interfaces on the primary and backup Controller nodes, respectively. For example, you can use Ethernet2 as the HA and HA Backup interface. The HA and HA Backup interfaces must be the same interface (management, Ethernet2, or Ethernet3) on the primary and backup Controller nodes. You cannot use Ethernet1 as the HA/HA Backup interface.
    • HA Backup—If the cluster node you are configuring is the backup Controller node, mark it as the HA Backup interface.
Specify IP addresses that are permitted on the interface:
  • Search box—Enter search terms to filter the permitted IP address list. The search box indicates the number of IP addresses (items) in the list so you know how long the list is. After you enter search terms, apply the filter or clear the filter and enter a different set of terms.
  • Add a permitted IP address by specifying the IP address.
  • Delete—Select and Delete the IP address or addresses you want to remove from management interface access.
Interface Name Analysis Environment Network
Configure settings for the WildFire appliance cluster or standalone WildFire appliance analysis environment network interface (Ethernet1, also known as the VM interface):
  • Speed and Duplex—Select from auto-negotiate, 10Mbps-half-duplex, 10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, and 1Gbps-full-duplex. The default is auto-negotiate.
  • IP Address—Enter the interface IP address.
  • Netmask—Enter the interface netmask.
  • Default Gateway—Enter the IP address of the default gateway.
  • MTU—Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
  • DNS Server—Enter the DNS server IP address.
  • Link State—Set the interface link state to Up or Down.
  • Management Services—Select Ping if you want the interface to support ping services.
Specify IP addresses that are permitted on the interface:
  • Search box—Enter search terms to filter the permitted IP address list. The search box indicates the number of IP addresses (items) in the list so you know how long the list is. After you enter search terms, apply the filter or clear the filter and enter a different set of terms.
  • Add a permitted IP address by specifying the IP address.
  • Delete—Select the IP address or IP addresses you want to remove from management interface access and then Delete.
Interface Name Ethernet2
Interface Name Ethernet3
You can set the same parameters for the Ethernet2 and Ethernet3 interfaces:
  • Speed and Duplex—Select from auto-negotiate, 10Mbps-half-duplex, 10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, and 1Gbps-full-duplex. The default is auto-negotiate.
  • IP Address—Enter the interface IP address.
  • Netmask—Enter the interface netmask.
  • Default Gateway—Enter the IP address of the default gateway.
  • MTU—Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
  • Management Services—Select Ping if you want the interface to support ping services.
  • Clustering Services—Select cluster services:
    • HA—If there are two Controller nodes in the cluster, you can configure the Ethernet2 or the Ethernet3 interface as an HA interface so that management information is available to both Controller nodes. If the cluster node you are configuring is the primary Controller node, mark it as the HA interface.
      Depending on how you use the WildFire appliance Ethernet interfaces, alternatively, you can configure the management interface (Ethernet0) as the HA and HA Backup interfaces on the primary and backup Controller nodes, respectively. The HA and HA Backup interfaces must be the same interface (management, Ethernet2, or Ethernet3) on the primary and backup Controller nodes. You cannot use Ethernet1 as the HA/HA Backup interface.
    • HA Backup—If the cluster node you are configuring is the backup Controller node, mark it as the HA Backup interface.
    • Cluster Management—Configure the Ethernet2 or Ethernet3 interface as the interface used for cluster-wide management and communication.
Role (Clustering Tab only)
When a cluster has member appliances, the appliance roles can be Controller, Controller Backup, or Worker. Select Controller or Backup Controller to change the WildFire appliance used for each role from the appliances in the cluster. Changing the Controller results in data loss during the role change.
Browse (Clustering Tab only)
The Clustering tab lists the WildFire appliance nodes in the cluster. Browse to view and add standalone WildFire appliances that the Panorama device already manages:
  • Search box—Enter search terms to filter the node list. The search box indicates the number of appliances (items) in the list so you know how long the list is. After you enter search terms, apply the filter or clear the filter and enter a different set of terms.
  • Add Nodes—Add each node to the cluster using the icon next to the node in the list.
The first WildFire appliance you add to a cluster automatically becomes the Controller node. The second WildFire appliance you add automatically becomes the Controller Backup node.
You can add up to 20 WildFire appliances to a cluster. After adding the Controller and Controller Backup nodes, all subsequent added nodes are Worker nodes.
Delete (Clustering Tab only)
Select one or more appliances from the Appliance list and then Delete them from the cluster. You can remove a Controller node only if there are two Controller nodes in the cluster.
Manage Controller (Clustering Tab only)
Select Manage Controller to specify a Controller and a Controller Backup from the WildFire appliance nodes that belong to the cluster. The current Controller node and backup Controller node are selected by default. The backup Controller node can’t be the same node as the primary Controller node.
