Enable Free WildFire Forwarding

WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, phishing, grayware, or benign. With WildFire enabled, a Palo Alto Networks firewall can forward unknown samples to WildFire for analysis. For newly-discovered malware, WildFire generates a signature to detect the malware and distributes it to all firewalls with active WildFire subscription within minutes. This enables all Palo Alto next-generation firewalls worldwide to detect and prevent malware found by a single firewall. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the firewall has never seen before. The Palo Alto Networks threat research team uses the threat intelligence gathered from malware variants to block malicious IP addresses, domains, and URLs.

A basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription, but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24- 48 hours (as part of the Antivirus updates).

Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:

Get the latest WildFire signatures within a minute of availability—new signatures are released every five minutes.

Forward advanced file types and email links for analysis.

Use the WildFire API.

Use a WildFire appliance to host a WildFire private cloud or a WildFire hybrid cloud.

If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:

Confirm that your firewall is registered and that you have a valid support account as well as any subscriptions you require.

Assets

Devices

Verify that the firewall is listed. If it is not listed, select

and continue to Register the Firewall.

(Optional) If you have a Threat Prevention subscription, be sure to Activate Subscription Licenses.

Select

Device

Setup

WildFire

and edit the General Settings.

Set the

WildFire Public Cloud

field to forward files to the WildFire global cloud at:

wildfire.paloaltonetworks.com

You can also forward files to a regional cloud or a private cloud based on your location and your organizational requirements.

Review the

File Size Limits

for PEs the firewall forwards for WildFire analysis. set the

Size Limit

for PEs that the firewall can forward to the maximum available limit of 10 MB.

As a WildFire best practice, set the

Size Limit

for PEs to the maximum available limit of 10 MB.

Click

to save your changes.

Enable the firewall to forward PEs for analysis.

Select

Objects

Security Profiles

WildFire Analysis

and

Add

a new profile rule.

Name

the new profile rule.

Add

a forwarding rule and enter a

Name

for it.

In the

File Types

column, add

files to the forwarding rule.

In the

Analysis

column, select

public-cloud

to forward PEs to the WildFire public cloud.

Click

Apply the new WildFire Analysis profile to traffic that the firewall allows.

Select

Policies

Security

and either select an existing policy rule or create a new policy rule as described in Set Up a Basic Security Policy.

Select

Actions

and in the Profile Settings section, set the

Profile Type

Profiles

Select the

WildFire Analysis

profile you just created to apply that profile rule to all traffic this policy rule allows.

Click

Enable the firewall to forward decrypted SSL traffic for WildFire analysis.

Review and implement WildFire best practices to ensure that you are getting the most of WildFire detection and prevention capabilities.

Commit

your configuration updates.

Verify that the firewall is forwarding PE files to the WildFire public cloud.

Select

Monitor

Logs

WildFire Submissions

to view log entries for PEs the firewall successfully submitted for WildFire analysis. The Verdict column displays whether WildFire found the PE to be malicious, grayware, or benign. (WildFire only assigns the phishing verdict to email links). The Action column indicates whether the firewall allowed or blocked the sample. The Severity column indicates how much of a threat a sample poses to an organization using the following values: critical, high, medium, low, information.

(Threat Prevention subscription only) If you have a Threat Prevention subscription, but do not have a WildFire subscription, you can still receive WildFire signature updates every 24- 48 hours.

Select

Device

Dynamic Updates

Check that the firewall is scheduled to download, and install Antivirus updates.

Document:PAN-OS® Administrator’s Guide

Enable Free WildFire Forwarding

Enable Free WildFire Forwarding

Related Documentation

Document:PAN-OS® Administrator’s Guide

Enable Free WildFire Forwarding

Enable Free WildFire Forwarding

Related Documentation

Get Started with WildFire

Get Started with WildFire

WildFire Subscription

WildFire Subscription

Forward Files for WildFire Analysis

WildFire Signatures

WildFire Signatures

Review WildFire Logs

Transition WildFire Profiles Safely to Best Practices

About the WildFire Appliance