Set Up a Private WildFire Cloud

For deployments with privacy and legal regulations that restrict the transfer of files outside your network, you can set up your ESM to integrate with a private WildFire cloud. To set up the private cloud, you must install an on-premise WF-500 appliance. This appliance supports up to 40,000 Traps agents.
When an unknown file attempts to run on your endpoints, the WF-500 appliance queries the WildFire public cloud to obtain the verdict and analyzes the executable file in the local private sandbox. By default, the WF-500 appliance does not send discovered malware outside your network; however, you can choose to automatically forward malware to the WildFire public cloud to generate and distribute signatures to all Palo Alto Networks firewalls with Threat Prevention and WildFire licenses. Otherwise, the WF-500 appliance only forwards the malware report (and not the sample itself) to the WildFire public cloud.
To enable the ESM Server to verify and trust the identity of the WF-500 appliance, you obtain the WF-500 Root CA certificate from Support and import it on each ESM Server.
To integrate a WF-500 appliance with your ESM deployment, use the following workflow:
  1. On each ESM Server, import the WF-500 Root CA certificate (Palo Alto Networks Root CA 1) into the Trusted Root Certification Authorities.
    1. Contact Support to obtain the WF-500 Root CA certificate and save it to a location you can access from the ESM Server.
    2. On the ESM Server, open the Microsoft Management Console (MMC.exe).
    3. Select File > Add/Remove Snap-In > Certificates and add the Certificates snap-in for the Computer account.
    4. Select Local Computer > Finish, and then click OK.
    5. Expand the Certificates (Local Computer) folder.
    6. Right-click Trusted Root Certification Authorities and then select All Tasks > Import > Next.
    7. Browse to the certificate you saved in the previous step and then click Next. The certificate import wizard displays details about the Trusted Root CA certificate.
    8. Click Finish.
  2. Configure WildFire Integration in the ESM Console.
    1. Get Your WF-500 Appliance API Key and copy it into memory.
    2. From the ESM Console, select Settings > ESM > WildFire.
    3. Select Use Private Cloud (Requires a WF-500 appliance).
    4. Enter the WildFire Address of the WF-500 appliance:
      • Hostname—If the WF-500 appliance has a set hostname, enter the hostname for the WildFire Address (for example: https://HostName/). You must also ensure there is a DNS record to map the hostname to the IP address of the WF-500 appliance.
      • Hostname and domain—If the WF-500 appliance has a set hostname and domain, use the FQDN for the WildFire Address (for example: https://HostName.DomainName/). You must also ensure there is a DNS record to map the FQDN to the IP address of the WF-500 appliance.
      • No hostname or domain—If the WF-500 appliance does not have a set hostname or domain name, use the IP address of the WF-500 appliance as the WildFire Address (for example: https://172.10.10.10/).
    5. Paste the WildFire API Key from memory.
    6. Save the WildFire configuration.
  3. To verify connectivity between the ESM Server and the local WF-500 appliance, recheck a hash verdict with WildFire.
    1. Select Policies > Hash Control.
    2. Select a record in the hash control table.
    3. Select Recheck Verdict. If the connection is successful, the WF-500 appliance returns a verdict. If the connection is not successful, the verdict is No Connection.
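
The certificate import in step 1 can also be scripted and checked before the Recheck Verdict test. The following PowerShell is an added example, not Palo Alto Networks code: it inspects the root CA file, imports it into the Computer account's Trusted Root Certification Authorities store, and performs a TLS handshake against the WildFire Address. The file path, the address, and the optional `$ExpectedSha256` fingerprint (assumed to be confirmed with Support) are placeholders; the handshake complements the console check and does not replace it.

```powershell
# Added example. Run elevated on the ESM Server (Import-Certificate is part of
# the PKI module, Windows Server 2012 / PowerShell 3 or later).
param(
    [string]$CertPath        = 'C:\Temp\wf500-root-ca.cer',    # placeholder path
    [string]$WildFireAddress = 'https://HostName.DomainName/', # placeholder, as entered in the ESM Console
    [string]$ExpectedSha256  = ''                              # assumption: fingerprint confirmed with Support
)
$ErrorActionPreference = 'Stop'

# 1. Inspect the file before trusting it machine-wide.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$sha  = [System.Security.Cryptography.SHA256]::Create()
$fp   = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$bc   = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $fp"
if ($cert.Subject -ne $cert.Issuer) { throw 'Not self-signed: this is not a root CA certificate.' }
if (-not ($bc -and $bc.CertificateAuthority)) {
    Write-Warning 'Basic Constraints does not mark this certificate as a CA.'
}
if ($ExpectedSha256 -and ($fp -ne ($ExpectedSha256 -replace '[:\s]', '').ToUpper())) {
    throw 'Fingerprint does not match the expected value.'
}

# 2. Import into Trusted Root Certification Authorities (Computer account) if absent.
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 3. Handshake using the same host string as the WildFire Address.
#    Default SslStream validation uses the Windows trust store and throws on failure.
$uri = [Uri]$WildFireAddress
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($uri.Host)
    "TLS OK  : $($ssl.RemoteCertificate.Subject) issued by $($ssl.RemoteCertificate.Issuer)"
} catch {
    "TLS FAIL: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Close()
}
```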
