WildFire

The Traps agent is designed to block attacks before any malicious code can run on the endpoint. While this approach ensures the safety of data and infrastructure, it enables the collection of forensic evidence only at the moment of prevention. And while Traps can prevent the attack, Traps alone cannot fully reveal the purpose of the attack or its entire flow.
To provide more insight into malware activity, the Endpoint Security Manager supports WildFire integration. This enables the Endpoint Security Manager to send any unknown executable files to WildFire, a malware analysis environment that turns unknown threats into preventable incidents.
You can integrate WildFire with your Endpoint Security Manager using either of the following two options:
  • WildFire public cloud—The WildFire Virtual Environment analyzes and identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls and Palo Alto Networks Endpoint Security Managers can use to detect and block the malware. When Traps detects an unknown sample (an executable file or macro), the Endpoint Security Manager can automatically forward the sample for WildFire analysis.
  • WildFire private cloud—A WildFire private cloud enables you to analyze unknown executable files discovered on Windows endpoints in a local sandbox. To deploy a WildFire private cloud, you must install a local WF-500 appliance.
    The local WF-500 appliance is ideal for deployments subject to privacy and legal regulations that restrict the transfer of files outside your network. The WF-500 appliance first queries the WildFire public cloud for an existing verdict and, if the sample is unknown, analyzes the executable file in the local sandbox. By default, the WF-500 appliance does not send discovered malware outside your network; however, you can choose to automatically forward malware to the WildFire public cloud so that it can generate and distribute signatures to all Palo Alto Networks firewalls with Threat Prevention and WildFire licenses. Otherwise, the WF-500 appliance forwards only the malware report (and not the sample itself) to the WildFire public cloud.
If WildFire integration is enabled in the ESM Console, the Status page of the Traps Console displays an active icon next to Forensic Data Collection. If WildFire is not enabled, the Traps Console displays an inactive icon next to Forensic Data Collection.
