The WF-500 appliance provides an on-premises WildFire private cloud, enabling you to analyze suspicious files in a sandbox environment without requiring the firewall to sends files out of network. To use the WF-500 appliance to host a WildFire private cloud, configure the firewall to submit samples to the WF-500 appliance for analysis. The WF-500 appliance sandboxes all files locally and analyzes them for malicious behaviors using the same engine the WildFire public cloud uses. Within minutes, the private cloud returns analysis results to the firewall WildFire Submissions logs.
You can continue to enable a WF-500 appliance to:
Locally generate antivirus and DNS signatures for discovered malware, and to assign a URL category to malicious links. You can then enable connected firewalls to retrieve the latest signatures and URL categories every five minutes. Submit malware to the WildFire public cloud. The WildFire public cloud re-analyzes the sample and generates a signature to detect the malware—this signature can be made available within minutes to protect global users Submit locally-generated malware reports (without sending the raw sample content) to the WildFire public cloud, to contribute to malware statistics and threat intelligence.
You can configure up to 100 Palo Alto Networks firewalls, each with valid WildFire subscriptions, to forward to a single WF-500 appliance. Beyond the WildFire firewall subscriptions, no additional WildFire subscription is required to enable a WildFire private cloud deployment.
WF-500 Appliance Interfaces
The WF-500 appliance has two interfaces:
MGT—Receives all files forwarded from the firewalls and returns logs detailing the results back to the firewalls. See Configure the WF-500 Appliance. Virtual Machine Interface (VM interface) —Provides network access for the WildFire sandbox systems to enable sample files to communicate with the Internet, which allows WildFire to better analyze the behavior of the sample. When the VM interface is configured, WildFire can observe malicious behaviors that the malware would not normally perform without network access, such as phone-home activity. However, to prevent malware from entering your network from the sandbox, configure the VM interface on an isolated network with an Internet connection. You can also enable the Tor option to hide the public IP address used by your company from malicious sites that are accessed by the sample. For more information on the VM interface, see Set Up the WF-500 Appliance VM Interface.
Obtain the information required to configure network connectivity on the MGT port and the VM interface from your network administrator (IP address, subnet mask, gateway, hostname, DNS server). All communication between the firewalls and the appliance occurs over the MGT port, including file submissions, WildFire log delivery, and appliance administration. Therefore, ensure that the firewalls have connectivity to the MGT port on the appliance. In addition, the appliance must be able to connect to updates.paloaltonetworks.com to retrieve its operating system software updates.

Related Documentation