Get Started with WildFire

Get your WildFire Subscription. If you do not have a WildFire subscription, you can still forward PEs for WildFire analysis (PAN-OS 9.1, 10.0, 10.1, 10.2).
Decide which of the WildFire Deployments works for you:
WildFire Public Cloud—Forward samples to a Palo Alto Networks-hosted WildFire public cloud.
WildFire U.S. Government cloud—Forward samples to a Palo Alto Networks-hosted WildFire U.S. Government cloud.
WildFire Private Cloud—(
Requires a WildFire appliance
) Forward samples to a local WildFire appliance that resides on your network.
WildFire Hybrid Cloud—(
Requires a WildFire appliance
) Forward some samples to the WildFire public cloud and some samples to a WildFire private cloud.
(
WildFire private and hybrid cloud only
) Set up and manage a WildFire appliance (PAN-OS 9.1, 10.0, 10.1, 10.2), including upgrading the WildFire appliance (PAN-OS 9.1, 10.0, 10.1, 10.2) to the latest release version. Firewalls connected to the appliance must be running the same release version.
Confirm your WildFire license is active on the firewall.
Log in to the firewall.
Select
Device
Licenses
and check that the WildFire License is active.
If the WildFire License is not displayed, select one of the License Management options to activate the license.
Connect the firewall to WildFire and configure WildFire settings.
Select
Device
Setup
WildFire
and edit General Settings.
Use the
WildFire Private Cloud
and
WildFire Public Cloud
fields to specify the WildFire deployments to which you want to forward samples (PAN-OS 9.1, 10.0, 10.1, 10.2).
Define the size limits for files the firewall forwards and configure WildFire logging and reporting settings (PAN-OS 9.1, 10.0, 10.1, 10.2).
It is a recommended WildFire best practice to set the
File Size
for PEs to the maximum size limit of 10 MB, and to leave the
File Size
for all other file types set to the default value.
Click
OK
to save the WildFire General Settings.
Enable the firewall to forward decrypted SSL traffic for WildFire analysis (PAN-OS 9.1, 10.0, 10.1, 10.2).
This is a recommended WildFire best practice.
Start submitting samples for WildFire analysis.
Define traffic to forward for WildFire analysis (PAN-OS 9.1, 10.0, 10.1, 10.2). (Select
Objects
Security Profiles
WildFire Analysis
and modify or
Add
a WildFire Analysis profile).
As a best practice, use the WildFire Analysis default profile to ensure complete WildFire coverage for traffic the firewall allows. If you still decide to create a custom WildFire Analysis profile, set the profile to forward
Any
file type—this enables the firewall to automatically start forwarding newly-supported file types for analysis.
For each profile rule, set the WildFire Deployments
Destination
to which you want the firewall to forward samples for analysis—
public-cloud
or the
private-cloud
.
Attach the WildFire analysis profile to a security policy rule (PAN-OS 9.1, 10.0, 10.1, 10.2). Traffic matched to the policy rule is forwarded for WildFire analysis (
Policies
Security
and
Add
or modify a security policy rule).
Enable the firewall to get the latest WildFire signatures.
New WildFire signatures are retrieved in real-time to detect and identify malware. If you are operating PAN-OS 9.1 or earlier, you can receive new signatures every five minutes.
PAN-OS 9.1 and earlier
Select
Device
Dynamic Updates
:
(
WildFire public and hybrid cloud
) Check that
WildFire
updates are displayed.
(
WildFire private and hybrid cloud
) Check that
WF-Private
updates are displayed. For the firewall to receive signatures from a WildFire appliance, you must enable the WildFire appliance to locally generate signature and URL categories (PAN-OS 9.1, 10.0, 10.1, 10.2).
Select
Check Now
to retrieve the latest signature update packages.
Set the
Schedule
to download and install the latest WildFire signatures.
Use the
Recurrence
field to set the frequency at which the firewall checks for new updates to
Every Minute
.
As new WildFire signatures are available every five minutes, this setting ensures the firewall retrieves these signatures within a minute of availability.
Enable the firewall to
Download and Install
these updates as the firewall retrieves them.
Click
OK
.
PAN-OS 10.0 and later
Select
Device
Dynamic Updates
:
Check that the
WildFire
updates are displayed.
Select Schedule to configure the update frequency and then use the
Recurrence
field to configure the firewall to retrieve WildFire signatures in
Real-time
.
Click
OK
.
Start scanning traffic for threats (PAN-OS 9.1, 10.0, 10.1, 10.2), including malware that WildFire identifies.
Attach the
default
Antivirus profile to a security policy rule to scan traffic the rules allows based on WildFire antivirus signatures (select
Policies
Security
and add or a modify the defined
Actions
for a rule).
Control site access to web sites where WildFire has identified the associated link as malicious or phishing.
This option requires a PAN-DB URL Filtering license. Learn more about URL Filtering (PAN-OS 9.1, 10.0, 10.1, 10.2) and how it enables you to control web site access and corporate credential submissions (to prevent phishing attempts) based on URL category.
To configure URL Filtering (PAN-OS 9.1, 10.0, 10.1, 10.2):
Select
Objects
Security Profiles
URL Filtering
and
Add
or modify a URL Filtering profile.
Select
Categories
and define
Site Access
for the phishing and malicious URL categories.
Block
users from accessing sites in these categories altogether, or instead, allow access but generate an
Alert
when users access sites in these categories, to ensure you have visibility into such events.
Enable credential phishing prevention (PAN-OS 9.1, 10.0, 10.1, 10.2) to stop users from submitting credentials to untrusted sites, without blocking their access to these sites.
Apply the new or updated URL Filtering profile, and attach it to a security policy rule to apply the profile settings to allowed traffic:
Select
Policies
Security
and
Add
or modify a security policy rule.
Select
Actions
and in the Profile Setting section, set the
Profile Type
to profiles.
Attach the new or updated
URL Filtering
profile to the security policy rule.
Click
OK
to save the security policy rule.
Confirm that the firewall is successfully forwarding samples.
If you enabled logging of benign files, select
Monitor
WildFire Submissions
and check that entries are being logged for benign files submitted to WildFire. (If you’d like to disable logging of benign files after confirming that the firewall is connected to WildFire, select
Device
Setup
WildFire
and clear
Report Benign Files
).
Other options to allow you to confirm that the firewall forwarded a specific sample, view samples the firewall forwards according to file type, and to view the total number of samples the firewall forwards.
Test a sample malware file (PAN-OS 9.1, 10.0, 10.1, 10.2) to test your complete WildFire configuration.
Investigate WildFire analysis results.
Find WildFire analysis results:
Use the firewall to monitor malware (PAN-OS 9.1, 10.0, 10.1, 10.2) and view WildFire analysis reports for a sample.
View reports on the WildFire portal (PAN-OS 9.1, 10.0, 10.1, 10.2) for all samples submitted to the WildFire public cloud, including samples that you manually submitted to the WildFire public cloud.
Use the WildFire API to retrieve sample verdicts and reports from a WildFire appliance.
Assess the risk of malware you find on your network with the AutoFocus threat intelligence portal. AutoFocus layers data from global WildFire submissions with statistics to identify pervasive and targeted malware, both on your network, within our industry, and globally.
Next step:
Review and implement WildFire Best Practices.