The Traps agent is designed to block attacks before
any malicious code can run on the endpoint. While this approach
ensures the safety of data and infrastructure, it enables the collection
of forensic evidence only at the moment of prevention. And while
Traps can prevent the attack, Traps alone cannot fully reveal the
purpose of the attack or its entire flow.
To provide more insight into malware activity, the Endpoint Security
Manager supports WildFire integration. This enables the Endpoint
Security Manager to send any unknown executable files to WildFire,
a malware analysis environment that turns unknown threats into preventable
You can integrate WildFire with your Endpoint Security Manager
using either of the following two options:
WildFire public cloud—The WildFire Virtual Environment
analyzes and identifies previously unknown malware and generates
signatures that Palo Alto Networks firewalls and Palo Alto Networks
Endpoint Security Managers can use to detect and block the malware.
When Traps detects an unknown sample (an executable file or macro),
the Endpoint Security Manager can automatically forward the sample
for WildFire analysis.
WildFire private cloud—A WildFire private cloud enables
you to analyze unknown executable files discovered on Windows endpoints
in a local sandbox. To deploy a WildFire private cloud, you must
install a local WF-500 appliance.
A local WF-500 appliance is ideal for deployments with privacy and
legal regulations that restrict the transfer of files outside your
network. The WildFire-500 appliance queries the WildFire public
cloud to obtain the verdict and, if unknown, analyzes the executable
file in the local sandbox. By default, the WF-500 appliance does
not send discovered malware outside your network; however, you can
choose to automatically forward malware to the WildFire public cloud
to generate and distribute signatures to all Palo Alto Networks
firewalls with Threat Prevention and WildFire licenses. Otherwise,
the WF-500 appliance only forwards the malware report (and not the
sample itself) to the WildFire public cloud.
If WildFire integration is enabled in the ESM Console, the
of the Traps Console displays a
. If WildFire is not enabled, the Traps
Console displays an