Managed WildFire Cluster and Appliance Administration

Select Panorama > Managed WildFire Clusters and select a cluster to manage it, or select a WildFire appliance (Panorama > Managed WildFire Appliances) to manage a standalone appliance. The Panorama > Managed WildFire Clusters view lists cluster nodes (WildFire appliances that are members of the cluster) and standalone appliances so that you can add available appliances to a cluster. Because the cluster manages the nodes, selecting a cluster node provides only limited management capability.
Unless noted, the settings and descriptions in the following table apply to both WildFire clusters and WildFire standalone appliances. Information previously configured on the cluster or an appliance is pre-populated. Changes and additions to the information must be committed on Panorama and then pushed to the appliances.
Setting
Description
General Tab
Name
The cluster or appliance Name or the appliance serial number.
Enable DNS
(WildFire clusters only)
Enable DNS service for the cluster.
Register Firewall To
The domain name to which you register firewalls. Format must be wfpc.service.<cluster-name>.<domain>. For example, the default domain name is wfpc.service.mycluster.paloaltonetworks.com.
Content Update Server
Enter the Content Update Server location or use the default wildfire.paloaltonetworks.com so that the cluster or appliance receives content updates from the closest server in the Content Delivery Network infrastructure. Connecting to the global cloud gives you the benefit of accessing signatures and updates based on threat analysis from all sources connected to the cloud, instead of relying only on the analysis of local threats.
Check Server Identity
Check Server Identity to confirm the identity of the update server by matching the common name (CN) in the certificate with the IP address or FQDN of the server.
WildFire Cloud Server
Enter the global WildFire Cloud Server location or use the default wildfire.paloaltonetworks.com so that the cluster or appliance can send information to the closest server. You can choose whether to send information and what types of information to send to the global cloud (WildFire Cloud Services).
Sample Analysis Image
Select the VM image the cluster or appliance uses for sample analysis. The default image is vm-5. You can Get a Malware Test File (WildFire API) to see the result of the sample analysis.
WildFire Cloud Services
If the cluster or appliance is connected to the global WildFire Cloud Server, you can choose whether to Send Analysis Data, Send Malicious Samples, and Send Diagnostics to the global cloud, and whether to perform a Verdict Lookup in the global cloud. Sending information to the global cloud benefits the entire community of WildFire appliance users because the shared information increases the ability of every appliance to identify malicious traffic and prevent it from traversing the network.
Sample Data Retention
The number of days to retain benign or grayware samples and malicious samples:
  • Benign/Grayware samples—Range is 1 to 90; default is 14.
  • Malicious samples—Minimum is 1 and there is no maximum (indefinite); default is indefinite.
Analysis Environment Services
Environment Networking enables virtual machines to communicate with the internet. You can select Anonymous Networking to make network communication anonymous but you must select Environment Networking before you can enable Anonymous Networking.
Different network environments produce different types of analysis loads depending on whether more documents need to be analyzed or more executable files need to be analyzed. You can configure your Preferred Analysis Environment to allocate more resources to Executables or to Documents, depending on the needs of your environment. The Default allocation is balanced between Executables and Documents.
The amount of available resources depends on how many WildFire nodes are in the cluster.
Signature Generation
Select whether you want the cluster or appliance to generate signatures for AV, DNS, and URLs.
Appliance Tab
Hostname
(Standalone WildFire appliance only)
Enter the hostname of the WildFire appliance.
Panorama Server
Enter the IP address or FQDN of the appliance or of the primary Panorama managing the cluster.
Panorama Server 2
Enter the IP address or FQDN of the appliance or of the backup Panorama managing the cluster.
Domain
Enter the domain name of the appliance cluster or appliance.
Primary DNS Server
Enter the IP address of the primary DNS Server.
Secondary DNS Server
Enter the IP address of the secondary DNS Server.
Timezone
Select the time zone to use for the cluster or appliance.
Latitude
(Standalone WildFire appliance only)
Enter the latitude of the WildFire appliance.
Longitude
(Standalone WildFire appliance only)
Enter the longitude of the WildFire appliance.
Primary NTP Server
Enter the IP address of the primary NTP Server and set the Authentication Type to None, Symmetric Key, or Autokey. The default is None.
Setting the Authentication Type to Symmetric Key reveals four more fields:
  • Key ID—Enter the authentication key ID.
  • Algorithm—Select the authentication algorithm, SHA1 or MD5.
  • Authentication Key—Enter the authentication key.
  • Confirm Authentication Key—Enter the authentication key again to confirm it.
Secondary NTP Server
Enter the IP address of the secondary NTP Server and set the Authentication Type to None, Symmetric Key, or Autokey. The default is None.
Setting the Authentication Type to Symmetric Key reveals four more fields:
  • Key ID—Enter the authentication key ID.
  • Algorithm—Select the authentication algorithm, SHA1 or MD5.
  • Authentication Key—Enter the authentication key.
  • Confirm Authentication Key—Enter the authentication key again to confirm it.
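As an added example (not code from the Panorama documentation or the appliance), the following Python shows what the Key ID, Algorithm and Authentication Key fields feed into: the RFC 5905 symmetric-key MAC appended to every NTP packet, and the check a receiver performs before it trusts the time. The key ID, shared key and packet contents are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values standing in for the Key ID, Algorithm and Authentication
# Key fields of the NTP Server settings; not real appliance configuration.
KEY_ID = 5
ALGORITHM = "md5"                      # "md5" or "sha1", as offered on the tab
AUTH_KEY = b"constructed-shared-secret"

def ntp_mac(header: bytes, key_id: int, key: bytes, algorithm: str) -> bytes:
    """RFC 5905 symmetric-key MAC: 32-bit key ID followed by the digest of
    (shared key || 48-byte NTP header). Both peers must hold the same key ID
    and key, which is why the appliance asks for both."""
    if len(header) != 48:
        raise ValueError("NTP header must be exactly 48 bytes")
    digest = hashlib.new(algorithm)
    digest.update(key)
    digest.update(header)
    return struct.pack("!I", key_id) + digest.digest()

def build_client_request(key_id: int, key: bytes, algorithm: str) -> bytes:
    """Build an authenticated NTPv4 client request (LI=0, VN=4, Mode=3)
    with zeroed timestamps; constructed for the demonstration only."""
    header = bytes([0x23]) + bytes(47)
    return header + ntp_mac(header, key_id, key, algorithm)

def verify_ntp_packet(packet: bytes, keys: dict, algorithm: str) -> bool:
    """Accept a packet only if it carries a MAC under a known key ID whose
    digest matches. Unauthenticated (48-byte) packets, unknown key IDs and
    tampered headers are all rejected; this is the check that keeps a
    spoofed time source from steering the appliance clock."""
    if len(packet) < 48 + 4:
        return False
    header, mac = packet[:48], packet[48:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False
    expected = ntp_mac(header, key_id, keys[key_id], algorithm)
    return hmac.compare_digest(expected, mac)    # constant-time comparison

if __name__ == "__main__":
    request = build_client_request(KEY_ID, AUTH_KEY, ALGORITHM)
    print("valid:", verify_ntp_packet(request, {KEY_ID: AUTH_KEY}, ALGORITHM))
    forged = bytes([0x24]) + request[1:]       # flip a header bit, keep MAC
    print("forged:", verify_ntp_packet(forged, {KEY_ID: AUTH_KEY}, ALGORITHM))
```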
Login Banner
Enter a banner message that displays when users log in to the cluster or appliance.
Logging Tab (Includes System Tab and Configuration Tab)
Add
Add log forwarding profiles (Panorama > Managed WildFire Clusters > <cluster> > Logging > System or Panorama > Managed WildFire Clusters > <cluster> > Logging > Configuration) to forward:
  • system or configuration logs as SNMP traps to SNMP trap receivers.
  • syslog messages to syslog servers.
  • email notifications to email servers.
  • HTTP requests to HTTP servers.
No other log types are supported (see Device > Log Settings).
The log forwarding profiles specify which logs to forward and to which destination servers. For each profile, complete the following:
  • Name—A name that identifies the log settings (up to 31 characters) that consists of alphanumeric characters and underscores only—spaces and special characters are not allowed.
  • Filter—By default, the Panorama appliance forwards All Logs of the specified profile. To forward a subset of the logs, select a filter (severity eq critical, severity eq high, severity eq informational, severity eq low, or severity eq medium) or select Filter Builder to create a new filter.
  • Description—Enter a description (up to 1,023 characters) to explain the purpose of the profile.
Add > Filter > Filter Builder
Use Filter Builder to create new log filters. Select Create Filter to construct filters and, for each query in a new filter, specify the following settings and then Add the query:
  • Connector—Select the connector logic (and or or). Select Negate if you want to apply negation. For example, to avoid forwarding a subset of log descriptions, select Description as the Attribute, select contains as the Operator, and enter the description string as the Value to identify the description or descriptions that you don’t want to forward.
  • Attribute—Select a log attribute. The options vary by log type.
  • Operator—Select the criterion that determines how the attribute applies (such as contains). The options vary by log type.
  • Value—Specify the attribute value to match.
  • Add—Add the new filter.
To display or export logs that the filter matches, select View Filtered Logs.
  • To find matching log entries, you can add artifacts to the search field, such as an IP address or a time range.
  • Select the time period for which you want to see logs (Last 15 Minutes, Last Hour, Last 6 Hrs, Last 12 Hrs, Last 24 Hrs, Last 7 Days, or All). The default is All.
  • Use the options to the right of the time period drop-down to apply, clear, create, save, and load filters:
    • Apply filters—Display log entries that match the terms in the search field.
    • Clear filters—Clear the filter field.
    • Create a new filter—Define new search criteria (takes you to Add Log Filter, which is similar to Create Filter).
    • Save a filter—Enter a name for the filter and then click OK.
    • Use a saved filter—Add a saved filter to the filter field.
    • Export to CSV—Export logs to a CSV-formatted report; Download file downloads the report. By default, the report contains up to 2,000 lines of logs. To change the line limit for generated CSV reports, select Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting and enter a new Max Rows in CSV Export value.
You can change the number and order of entries displayed per page and you can use the paging controls at the bottom left of the page to navigate through the log list. Log entries are retrieved in blocks of 10 pages.
  • per page—Use the drop-down to change the number of log entries per page (20, 30, 40, 50, 75, or 100).
  • ASC or DESC—Select ASC to sort results in ascending order (oldest log entry first) or DESC to sort in descending order (newest log entry first). The default is DESC.
  • Resolve Hostname—Select to resolve external IP addresses to domain names.
  • Highlight Policy Actions—Specify an action and select to highlight log entries that match the action. The filtered logs are highlighted in the following colors:
    • Green—Allow
    • Yellow—Continue, or override
    • Red—Deny, drop, drop-icmp, rst-client, reset-server, reset-both, block-continue, block-override, block-url, drop-all, sinkhole
Delete
Select and then Delete the log forwarding settings you want to remove from the System or Configuration log list.
Authentication Tab
Remote Authentication
Select the Authentication Profile for access. The default is None. If there are no authentication profiles to choose from, you can Configure an Authentication Profile and Sequence.
Local Authentication
Configure local authentication for the administrator:
  • Administrator—This is always admin because there is only one admin-level user on a Panorama appliance.
  • Mode—Select the local authentication mode—either Password or Password Hash:
    • Password—Enter and confirm a user password.
    • Password Hash—Enter a hashed password string. For example, a hashed password is useful if you want to reuse the credentials for an existing Unix account but you don’t know the plain-text password and you remember the hashed password. The appliance accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. Any Minimum Password Complexity parameters you set for the firewall (Panorama > Setup > Management) do not apply to accounts that use a Password Hash.
Timeout Configuration
Configure cluster authentication timeouts:
  • Idle Timeout (min)—Set the idle timeout in minutes. When a user remains idle longer than the idle timeout specified, the system ends the user’s session. The default is None (no timeout).
  • Failed Attempts—Set the number of failed login attempts before the system locks a user out of the system. The default is 10 failed attempts.
  • Lockout Time (min)—Set the amount of time in minutes that a locked out user must wait before logging in. The default is 5 minutes.
Clustering Tab (Managed WildFire Clusters only) and Interface Tab (Managed WildFire Appliances only)
You must add appliances to Panorama to manage their interfaces, and add appliances to clusters to manage cluster node interfaces.
Appliance
(Clustering Tab only)
Select a cluster node to access the Appliance and Interfaces tabs for that node. The Appliance tab node information is pre-populated and is not configurable except for the hostname. The Interfaces tab lists the node interfaces. Select an interface to manage it as described in Interface Name Management, Interface Name Analysis Environment Network, Interface Name Ethernet2, and Interface Name Ethernet3.
Interface Name Management
The management interface is Ethernet0. Configure or view management interface settings:
  • Speed and Duplex—Select from auto-negotiate, 10Mbps-half-duplex, 10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, and 1Gbps-full-duplex. The default is auto-negotiate.
  • IP Address—Enter the interface IP address.
  • Netmask—Enter the interface netmask.
  • Default Gateway—Enter the IP address of the default gateway.
  • MTU—Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
  • Management Services—Select the management services you want to support. You can support Ping, SSH, and SNMP services.
Configure proxy settings if you use a proxy server to connect to the Internet:
  • Server—IP address of the proxy server.
  • Port—Port number configured on the proxy server to listen for Panorama device requests.
  • User—Username configured on the proxy server for authentication.
  • Password and Confirm Password—Password configured on the proxy server for authentication.
  • Clustering Services (Clustering tab only)—Select the HA service:
    • HA—If there are two Controller nodes in the cluster, you can configure the management interface as an HA interface so that management information is available to both Controller nodes. If the cluster node you are configuring is the primary Controller node, mark it as the HA interface.
      Alternatively, depending on how you use the WildFire appliance Ethernet interfaces, you can configure Ethernet2 or Ethernet3 as the HA and HA Backup interfaces on the primary and backup Controller nodes, respectively. For example, you can use Ethernet2 as the HA and HA Backup interface. The HA and HA Backup interfaces must be the same interface (management, Ethernet2, or Ethernet3) on the primary and backup Controller nodes. You cannot use Ethernet1 as the HA/HA Backup interface.
    • HA Backup—If the cluster node you are configuring is the backup Controller node, mark it as the HA Backup interface.
Specify IP addresses that are permitted on the interface:
  • Search box—Enter search terms to filter the permitted IP address list. The search box indicates the number of IP addresses (items) in the list so you know how long the list is. After you enter search terms, apply the filter, or clear the filter and enter a different set of terms.
  • Add—Add a permitted IP address by specifying the IP address.
  • Delete—Select and Delete the IP address or addresses you want to remove from management interface access.
Interface Name Analysis Environment Network
Configure settings for the WildFire appliance cluster or standalone WildFire appliance analysis environment network interface (Ethernet1, also known as the VM interface):
  • Speed and Duplex—Select from auto-negotiate, 10Mbps-half-duplex, 10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, and 1Gbps-full-duplex. The default is auto-negotiate.
  • IP Address—Enter the interface IP address.
  • Netmask—Enter the interface netmask.
  • Default Gateway—Enter the IP address of the default gateway.
  • MTU—Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
  • DNS Server—Enter the DNS server IP address.
  • Link State—Set the interface link state to Up or Down.
  • Management Services—Select Ping if you want the interface to support ping services.
Specify IP addresses that are permitted on the interface:
  • Search box—Enter search terms to filter the permitted IP address list. The search box indicates the number of IP addresses (items) in the list so you know how long the list is. After you enter search terms, apply the filter, or clear the filter and enter a different set of terms.
  • Add—Add a permitted IP address by specifying the IP address.
  • Delete—Select the IP address or IP addresses you want to remove from management interface access and then Delete.
Interface Name Ethernet2
Interface Name Ethernet3
You can set the same parameters for the Ethernet2 and Ethernet3 interfaces:
  • Speed and Duplex—Select from auto-negotiate, 10Mbps-half-duplex, 10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, and 1Gbps-full-duplex. The default is auto-negotiate.
  • IP Address—Enter the interface IP address.
  • Netmask—Enter the interface netmask.
  • Default Gateway—Enter the IP address of the default gateway.
  • MTU—Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
  • Management Services—Select Ping if you want the interface to support ping services.
  • Clustering Services—Select cluster services:
    • HA—If there are two Controller nodes in the cluster, you can configure the Ethernet2 or the Ethernet3 interface as an HA interface so that management information is available to both Controller nodes. If the cluster node you are configuring is the primary Controller node, mark it as the HA interface.
      Alternatively, depending on how you use the WildFire appliance Ethernet interfaces, you can configure the management interface (Ethernet0) as the HA and HA Backup interface on the primary and backup Controller nodes, respectively. The HA and HA Backup interfaces must be the same interface (management, Ethernet2, or Ethernet3) on the primary and backup Controller nodes. You cannot use Ethernet1 (the analysis environment network interface) as the HA/HA Backup interface.
    • HA Backup—If the cluster node you are configuring is the backup Controller node, mark it as the HA Backup interface.
    • Cluster Management—Configure the Ethernet2 or Ethernet3 interface as the interface used for cluster-wide management and communication.
Role
(Clustering Tab only)
When a cluster has member appliances, the appliance roles can be Controller, Controller Backup, or Worker. Select Controller or Backup Controller to change the WildFire appliance used for each role from the appliances in the cluster. Changing the Controller results in data loss during the role change.
Browse
(Clustering Tab only)
The Clustering tab lists the WildFire appliance nodes in the cluster. Browse to view and add standalone WildFire appliances that the Panorama device already manages:
  • Search box—Enter search terms to filter the node list. The search box indicates the number of appliances (items) in the list so you know how long the list is. After you enter search terms, apply the filter, or clear the filter and enter a different set of terms.
  • Add Nodes—Add each node to the cluster using the add icon next to the node in the list.
The first WildFire appliance you add to a cluster automatically becomes the Controller node. The second WildFire appliance you add automatically becomes the Controller Backup node.
You can add up to 20 WildFire appliances to a cluster. After adding the Controller and Controller Backup nodes, all subsequent added nodes are Worker nodes.
Delete
(Clustering Tab only)
Select one or more appliances from the Appliance list and then Delete them from the cluster. You can remove a Controller node only if there are two Controller nodes in the cluster.
Manage Controller
(Clustering Tab only)
Select Manage Controller to specify a Controller and a Controller Backup from the WildFire appliance nodes that belong to the cluster. The current Controller node and backup Controller node are selected by default. The backup Controller node can’t be the same node as the primary Controller node.