Connect a computer to the appliance using the MGT or Console port and power on the appliance.
Connect to the console port or the MGT port. Both are located on the back of the appliance.
Console port—This is a 9-pin male serial connector. Use the following settings on the console application: 9600-8-N-1. Connect the provided cable to the serial port on the management computer or to a USB-to-serial converter.
MGT port—This is an Ethernet RJ-45 port. By default, the MGT port IP address is 192.168.1.1. The interface on your management computer must be on the same subnet as the MGT port. For example, set the IP address on the management computer to 192.168.1.5.
Power on the appliance.
The appliance will power on as soon as you connect power to the first power supply, and a warning beep will sound until you connect the second power supply. If the appliance is already plugged in and is in the shutdown state, use the power button on the front of the appliance to power it on.
Register the WF-500 appliance.
Obtain the serial number from the S/N tag on the appliance, or run the following command and refer to the
admin@WF-500> show system info
From a browser, navigate to the Palo Alto Networks Support Portal and log in.
Register the device as follows:
If this is the first Palo Alto Networks device that you are registering and you do not have a login, click Register at the bottom of the page.
To register, provide an email address and the serial number of the device. When prompted, set up a username and password for access to the Palo Alto Networks support community.
For existing accounts, log in and then click
. Scroll down to the
section at the bottom of the screen and enter the serial number of the device, the city and postal code, and then click
To confirm WildFire registration on the WF-500 appliance, log in to the appliance with an SSH client or by using the Console port. Enter a username/password of admin/admin and enter the following command on the appliance:
admin@WF-500> test wildfire registration
The following output indicates that the appliance is registered with one of the Palo Alto Networks WildFire cloud servers.
wildfire registration: successful
download server list: successful
select the best server:cs-s1.wildfire.paloaltonetworks.com
Reset the admin password.
Set a new password by running the command:
admin@WF-500> set password
Type the old password, press Enter, and then enter and confirm the new password. Commit the configuration to ensure that the new password is saved in the event of a restart.
Log out and then log back in to confirm that the new password is set.
Configure the management interface settings.
This example uses the following values:
IPv4 address - 10.10.0.5/22
Subnet Mask - 255.255.252.0
Default Gateway - 10.10.0.1
Hostname - wildfire-corp1
DNS Server - 10.0.0.246
Log in to the appliance with an SSH client or by using the Console port and enter configuration mode:
Set the IP information:
admin@WF-500# set deviceconfig system ip-address 10.10.0.5 netmask 255.255.252.0 default-gateway 10.10.0.1 dns-setting servers primary 10.0.0.246
Configure a secondary DNS server by replacing primary with secondary in the above command, excluding the other IP parameters. For example:
admin@WF-500# set deviceconfig system dns-setting servers secondary 10.0.0.247
Set the hostname (wildfire-corp1 in this example):
admin@WF-500# set deviceconfig system hostname wildfire-corp1
Commit the configuration to activate the new management (MGT) port configuration:
Connect the MGT interface port to a network switch.
Put the management PC back on your corporate network, or whatever network is required to access the appliance on the management network.
From your management computer, use an SSH client to connect to the new IP address or hostname assigned to the MGT port on the appliance. In this example, the IP address is 10.10.0.5.
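A sanity check to run on the management values before committing them, added here as an example (not Palo Alto Networks code; the function names are hypothetical). It confirms that the /22 prefix and the dotted netmask agree and that the gateway is a usable address on the MGT subnet, then renders the set command in the form shown above.

```python
import ipaddress

def check_mgmt_settings(cidr, netmask, gateway):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    iface = ipaddress.ip_interface(cidr)          # e.g. 10.10.0.5/22
    net = iface.network
    reserved = (net.network_address, net.broadcast_address)

    # The prefix length and the dotted netmask are written down separately
    # and can drift apart; a wrong mask can cut off remote management.
    if ipaddress.ip_address(netmask) != net.netmask:
        problems.append(f"netmask {netmask} does not match /{net.prefixlen} "
                        f"({net.netmask})")
    if iface.ip in reserved:
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw in reserved or gw == iface.ip:
        problems.append(f"gateway {gw} is not a usable next hop on {net}")
    return problems

def render_set_command(cidr, gateway, primary_dns):
    """Build the configuration-mode command in the form used in this procedure."""
    iface = ipaddress.ip_interface(cidr)
    return (f"set deviceconfig system ip-address {iface.ip} "
            f"netmask {iface.netmask} default-gateway {gateway} "
            f"dns-setting servers primary {primary_dns}")

if __name__ == "__main__":
    # Values from this example.
    issues = check_mgmt_settings("10.10.0.5/22", "255.255.252.0", "10.10.0.1")
    if issues:
        print("\n".join(issues))
    else:
        print(render_set_command("10.10.0.5/22", "10.10.0.1", "10.0.0.246"))
```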
Activate the appliance with the WildFire authorization code that you received from Palo Alto Networks.
Though it will function without an auth-code, the WF-500 appliance cannot retrieve software or content updates without a valid auth-code.
Change to operational mode:
Fetch and install the WildFire license:
admin@WF-500> request license fetch auth-code <auth-code>
Verify the license:
admin@WF-500> request support check
Information about the support site and the support contract date is displayed. Confirm that the date displayed is valid.
Set the WF-500 clock.
There are two ways to do this. You can either manually set the date, time, and timezone or you can configure the WF-500 appliance to synchronize its local clock with a Network Time Protocol (NTP) server.
To set the clock manually, enter the following commands:
admin@WF-500> set clock date <YY/MM/DD> time <hh:mm:ss>
admin@WF-500# set deviceconfig system timezone <timezone>
The time stamp that will appear on the WildFire detailed report will use the time zone set on the appliance. If administrators in various regions will view reports, consider setting the time zone to UTC.
To configure the WF-500 to synchronize with an NTP server, enter the following commands:
admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <NTP primary server IP address>
admin@WF-500# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <NTP secondary server IP address>
The WF-500 appliance does not prioritize the primary or secondary NTP server; it synchronizes with either server.
(Optional for NTP configuration) Set up NTP authentication.
Disable NTP authentication:
admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type none
Enable symmetric key exchange (shared secrets) to authenticate the NTP server time updates:
admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type symmetric-key
Continue to enter the key-ID (1 - 65534), choose the algorithm to use in NTP authentication (MD5 or SHA1), and then enter and confirm the authentication-key for the chosen algorithm.
Use autokey (public key cryptography) to authenticate the NTP server time updates:
admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type autokey
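Because the appliance synchronizes with either NTP server, an unauthenticated secondary weakens the clock as much as an unauthenticated primary. The audit below is an added example (not Palo Alto Networks code): it reads set commands in the form shown above and reports every configured server whose authentication-type is none or was never set. The function name, sample lines and server addresses are constructed for illustration.

```python
import re

# Matches the two ntp-servers settings shown in this procedure; search() is
# used so a leading "admin@WF-500# " prompt is tolerated.
NTP_RE = re.compile(
    r"set deviceconfig system ntp-servers (primary|secondary)-ntp-server "
    r"(ntp-server-address|authentication-type) (\S+)")

# Constructed sample input (addresses are placeholders).
SAMPLE = """\
admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 10.0.0.10
admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type autokey
admin@WF-500# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address 10.0.0.11
admin@WF-500# set deviceconfig system ntp-servers secondary-ntp-server authentication-type none
"""

def audit_ntp(lines):
    """Return (role, address, reason) for each NTP server lacking authentication."""
    servers = {}
    for line in lines:
        m = NTP_RE.search(line)
        if m:
            role, key, value = m.groups()
            servers.setdefault(role, {})[key] = value   # a later line overrides
    findings = []
    for role in ("primary", "secondary"):
        cfg = servers.get(role, {})
        address = cfg.get("ntp-server-address")
        if address is None:
            continue                    # server not configured, nothing to audit
        auth = cfg.get("authentication-type")
        if auth is None:
            findings.append((role, address, "no authentication-type line"))
        elif auth == "none":
            findings.append((role, address, "authentication-type none"))
    return findings

if __name__ == "__main__":
    for role, address, reason in audit_ntp(SAMPLE.splitlines()):
        print(f"{role} NTP server {address}: {reason}")
```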
Choose the virtual machine image for the appliance to use to analyze files.
The image should be based on the attributes that most accurately represent the software installed on your end user computers. Each virtual image contains different versions of operating systems and software, such as Windows XP or Windows 7 32-bit or 64-bit, and specific versions of Adobe Reader and Flash. Although you configure the appliance to use one virtual machine image configuration, the appliance uses multiple instances of the image to improve performance.
To view a list of available virtual machines to determine which one best represents your environment:
admin@WF-500> show wildfire vm-images
View the current virtual machine image by running the following command and refer to the
admin@WF-500> show wildfire status
Select the image that the appliance will use for analysis:
admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
For example, to use vm-1:
admin@WF-500# set deviceconfig setting wildfire active-vm vm-1
Enable the WF-500 appliance to observe malicious behaviors where the file being analyzed seeks network access.
(Optional) If you do not want to forward malware samples outside of the WildFire private cloud, instead submit WildFire analysis reports to the WildFire public cloud.
If you do not want to submit locally-discovered malware to the WildFire public cloud, it is a best practice to enable malware analysis report submissions to improve and refine WildFire threat intelligence.
(Optional) Allow additional users to manage the WF-500 appliance.
You can assign two role types: superuser and superreader. Superuser is equivalent to the admin account, and superreader only has read access.
In this example, you will create a superreader account for the user bsimpson:
Enter configuration mode:
Create the user account:
admin@WF-500# set mgt-config users bsimpson <password>
Enter and confirm a new password.
Assign the superreader role:
admin@WF-500# set mgt-config users bsimpson permissions role-based superreader yes
Configure RADIUS authentication for administrator access.
Create a RADIUS profile using the following options:
admin@WF-500# set shared server-profile radius <profile-name>
(Configure the RADIUS server and other attributes.)
Create an authentication profile:
admin@WF-500# set shared authentication-profile <profile-name> method radius server-profile <server-profile-name>
Assign the profile to a local admin account:
admin@WF-500# set mgt-config users <username> authentication-profile <authentication-profile-name>