Set Up a Private WildFire Cloud
For deployments with privacy and legal regulations that restrict the transfer of files outside your network, you can set up your ESM to integrate with a private WildFire cloud. To set up the private cloud, you must install an on-premise WF-500 appliance. This appliance supports up to 40,000 Traps agents.
When an unknown file attempts to run on your endpoints, the WF-500 appliance queries the WildFire public cloud to obtain the verdict and analyzes the executable file in the local private sandbox. By default, the WF-500 appliance does not send discovered malware outside your network; however, you can choose to automatically forward malware to the WildFire public cloud to generate and distribute signatures to all Palo Alto Networks firewalls with Threat Prevention and WildFire licenses. Otherwise, the WF-500 appliance only forwards the malware report (and not the sample itself) to the WildFire public cloud.
To enable the ESM Server to verify and trust the identity of the WF-500 appliance, you obtain the WF-500 Root CA certificate from Support and import it on each ESM Server.
To integrate a WF-500 appliance with your ESM deployment, use the following workflow:
- On each ESM Server, import the WF-500 Root CA certificate (Palo Alto Networks Root CA 1) into the Trusted Root Certification Authorities.
  - Contact Support to obtain the WF-500 Root CA certificate and save it to a location you can access from the ESM Server.
  - On the ESM Server, open the Microsoft Management Console (MMC.exe).
  - Select File > Add/Remove Snap-In > Certificates and add the Certificates snap-in for the Computer account.
  - Select Local Computer, and then click Finish and then OK.
  - Expand the Certificates (Local Computer) folder.
  - Right-click Trusted Root Certification Authorities and then select All Tasks > Import > Next.
  - Browse to the certificate you saved in the previous step and then click Next. The certificate import wizard displays details about the Trusted Root CA certificate.
- Configure WildFire Integration in the ESM Console.
  - Get Your WF-500 Appliance API Key and copy it into memory.
  - From the ESM Console, select Settings > ESM > WildFire.
  - Select Use Private Cloud (Requires a WF-500 appliance).
  - Enter the WildFire Address of the WF-500 appliance:
    - Hostname—If the WF-500 appliance has a set hostname, enter the hostname for the WildFire Address (for example: https://HostName/). You must also ensure there is a DNS record to map the hostname to the IP address of the WF-500 appliance.
    - Hostname and domain—If the WF-500 appliance has a set hostname and domain, use the FQDN for the WildFire Address (for example: https://HostName.DomainName/). You must also ensure there is a DNS record to map the FQDN to the IP address of the WF-500 appliance.
    - No hostname or domain—If the WF-500 appliance does not have a set hostname or domain name, use the IP address of the WF-500 appliance as the WildFire Address (for example: https://188.8.131.52/).
  - Paste the WildFire API Key from memory.
  - Save the WildFire configuration.
- To verify connectivity between the ESM Server and the local WF-500 appliance, recheck a hash verdict with WildFire.
  - Select Policies > Hash Control.
  - Select a record in the hash control table.
  - Select Recheck Verdict. If the connection is successful, the WF-500 appliance returns a verdict. If the connection is not successful, the verdict is No Connection.
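A scripted equivalent of the certificate import in the first step, followed by a DNS and TLS trust check against the WildFire Address, as an added example that is not part of the original documentation. The certificate path and appliance hostname are placeholders; the script assumes an elevated PowerShell session on the ESM Server with the PKI module (`Import-Certificate`) available.

```powershell
# Added example. $CertPath and $WildFireHost are placeholders, not values from the page.
param(
    [string]$CertPath     = 'C:\Temp\wf500-root-ca.cer',  # where you saved the certificate from Support
    [string]$WildFireHost = 'wf500.example.internal',     # hostname, FQDN or IP used as WildFire Address
    [int]$Port            = 443                           # default port for an https:// address
)
$ErrorActionPreference = 'Stop'

# 1. Inspect the file before trusting it machine-wide.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Output "Subject   : $($cert.Subject)"
Write-Output "Thumbprint: $($cert.Thumbprint)"
Write-Output "Expires   : $($cert.NotAfter)"
if ($cert.Subject -ne $cert.Issuer) { throw 'Not self-signed: this is not a root CA certificate.' }
if ($cert.NotAfter -lt (Get-Date))  { throw 'Certificate has expired.' }
if ($cert.Subject -notlike '*Palo Alto Networks Root CA 1*') {
    Write-Warning 'Subject does not contain the expected name "Palo Alto Networks Root CA 1".'
}

# 2. Import into Local Computer > Trusted Root Certification Authorities (idempotent).
$store = 'Cert:\LocalMachine\Root'
if (-not (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $store | Out-Null
    Write-Output 'Imported into Trusted Root Certification Authorities.'
}

# 3. Confirm the address resolves (a DNS record is required for a hostname or FQDN).
[System.Net.Dns]::GetHostAddresses($WildFireHost) | ForEach-Object { Write-Output "Resolves to: $_" }

# 4. TLS handshake using the machine trust store; default validation rejects an
#    untrusted chain or a certificate that does not match $WildFireHost.
$tcp = New-Object System.Net.Sockets.TcpClient($WildFireHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($WildFireHost)
    Write-Output "TLS trust OK. Server certificate: $($ssl.RemoteCertificate.Subject)"
}
catch {
    Write-Warning "TLS validation failed: $($_.Exception.Message)"
}
finally { $tcp.Close() }
```

Record the printed thumbprint and compare it with a value obtained through a separate channel before relying on the import. A warning in step 4 points to a trust or naming problem at the OS level, independent of the API key check that Recheck Verdict exercises.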