on the back of the
appliance) is used by WildFire to improve malware detection capabilities.
The interface allows a sample running on the WildFire virtual machines
to communicate with the Internet so that the WildFire appliance
can better analyze the behavior of the sample file to determine
if it exhibits characteristics of malware.
Enabling the VM interface is recommended, but it is very important that you do not
connect it to a network that allows access to any of your servers/hosts:
malware that runs in the WildFire virtual machines could use this interface
to propagate itself. The connection can be a dedicated DSL line or a network
connection that only allows direct access from the VM interface to the Internet
and restricts any access to internal servers/clients.

The VM interface on WildFire appliances operating in FIPS/CC mode is disabled.
The following illustration shows two options for connecting the
VM interface to the network.
Option 1 (recommended): Connect the VM interface to an interface in a dedicated
zone on a firewall whose policy allows that zone to reach only the Internet
and denies (and logs) everything else. This is important because malware
that runs in the WildFire virtual machines can potentially use this interface
to propagate itself. It is the recommended option because the firewall logs
provide visibility into any traffic that the VM interface generates, including
attempts to reach internal hosts that the policy blocks.

Option 2: Use a dedicated Internet provider connection, such as a DSL line, to
connect the VM interface to the Internet. Ensure that there is no access from
this connection to internal servers/hosts. Although this is a simple solution,
traffic that malware generates out the VM interface will not be logged unless
you place a firewall or a traffic monitoring tool between the WildFire appliance
and the DSL connection.
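Whichever option you choose, the check a practitioner wants is proof that the VM interface can reach nothing but the Internet. The following script is an added example, not part of the WildFire documentation and not Palo Alto Networks code: it reads a CSV export of firewall traffic logs, keeps only sessions sourced from the zone that holds the VM interface, and flags every session whose destination is internal address space or a zone other than the Internet zone. The zone names (wildfire-vm, untrust), the CSV field layout, the placeholder site prefixes and the sample log rows are all assumptions constructed for the example.

```python
"""Audit firewall traffic logs for the zone that holds the WildFire VM interface.

Added example, not from the WildFire documentation or Palo Alto Networks. It checks
that the only traffic leaving the VM interface zone goes to the Internet and flags
any session, allowed or merely attempted, toward internal address space.
Zone names, the log field layout and the sample rows are assumptions.
"""
import csv
import io
import ipaddress

VM_ZONE = "wildfire-vm"     # assumed name of the dedicated zone for the VM interface
INTERNET_ZONE = "untrust"   # assumed name of the Internet-facing zone

# Address space the VM interface must never reach. ipaddress's is_private already
# covers RFC 1918, loopback, link-local and the documentation ranges; the extra
# prefix covers shared address space (RFC 6598). SITE_NETS is an assumed placeholder
# for public prefixes the site owns (a public-IP DMZ, for instance).
EXTRA_INTERNAL_NETS = [ipaddress.ip_network("100.64.0.0/10")]
SITE_NETS = []  # e.g. [ipaddress.ip_network("198.51.100.0/24")]


def is_internal_destination(ip_str):
    """True if ip_str lies in address space that internal servers/hosts occupy."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_private or any(ip in net for net in EXTRA_INTERNAL_NETS + SITE_NETS)


def audit_vm_interface_log(log_text):
    """Return a finding for every session from VM_ZONE that did not go to the Internet.

    CRITICAL: the firewall allowed the session, so the policy has a gap.
    WARNING:  the firewall denied it; the policy held, but a sample tried to reach inside.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src_zone"] != VM_ZONE:
            continue
        if is_internal_destination(row["dst_ip"]):
            reason = "destination in internal address space"
        elif row["dst_zone"] != INTERNET_ZONE:
            reason = f"destination zone {row['dst_zone']} is not the Internet zone"
        else:
            continue  # VM interface to Internet: exactly what the policy should permit
        findings.append({
            "time": row["receive_time"],
            "dst_ip": row["dst_ip"],
            "dst_port": row["dst_port"],
            "app": row["app"],
            "action": row["action"],
            "severity": "CRITICAL" if row["action"] == "allow" else "WARNING",
            "reason": reason,
        })
    return findings


# Constructed sample log (simplified CSV export; not real WildFire or firewall output).
# 192.0.2.50 stands in for the VM interface address on its dedicated subnet.
SAMPLE_LOG = """receive_time,src_zone,dst_zone,src_ip,dst_ip,dst_port,app,action
2024/01/10 10:01:02,wildfire-vm,untrust,192.0.2.50,1.1.1.1,53,dns,allow
2024/01/10 10:01:05,wildfire-vm,untrust,192.0.2.50,93.184.216.34,443,ssl,allow
2024/01/10 10:01:09,wildfire-vm,trust,192.0.2.50,10.20.30.40,445,ms-ds-smb,deny
2024/01/10 10:01:11,wildfire-vm,trust,192.0.2.50,10.20.30.41,445,ms-ds-smb,allow
2024/01/10 10:01:15,trust,untrust,10.1.1.7,93.184.216.34,443,ssl,allow
"""

if __name__ == "__main__":
    for f in audit_vm_interface_log(SAMPLE_LOG):
        print(f"{f['severity']} {f['time']} {f['dst_ip']}:{f['dst_port']} "
              f"{f['app']} action={f['action']} ({f['reason']})")
```

Run it against a periodic log export from the firewall in front of the VM interface (Option 1) or from whatever firewall or monitoring tool you insert on the DSL path (Option 2). A CRITICAL finding means the policy currently lets the VM interface reach an internal host and needs fixing immediately; a WARNING means the policy held but a sample tried to spread inward, which is useful detonation evidence in its own right. If the deny rule does not log, the WARNING cases never appear in the export, which is why the policy should log what it blocks as well as what it allows.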