The WF-500 appliance can generate signatures locally based on the samples received from connected firewalls and the WildFire API, as an alternative to sending malware to the public cloud for signature generation. The appliance can generate the following types of signatures for the firewalls to use to block malware and any associated command and control traffic:
—Detect and block malicious files. WildFire adds these signatures to WildFire and Antivirus content updates.
—Detect and block callback domains for command and control traffic associated with malware. WildFire adds these signatures to WildFire and Antivirus content updates.
—Categorizes callback domains as malware and updates the URL category in PAN-DB.
Configure the firewalls to retrieve the signatures generated by the WF-500 appliance as frequently as every five minutes. You can also send the malware sample to the WildFire public cloud so that the signature can be distributed globally through Palo Alto Networks content releases.
This allows the WF-500 appliance to receive the latest threat intelligence from Palo Alto Networks.
Enable signature and URL category generation.
Log in to the appliance and type
to enter configuration mode.
Enable all threat prevention options:
admin@WF-500# set deviceconfig setting wildfire signature-generation av yes dns yes url yes
Commit the configuration:
Set the schedule for connected firewalls to retrieve the signatures and URL categories the WF-500 appliance generates.
It is a best practice to configure your firewalls to retrieve content updates from both the WildFire public cloud and WF-500 appliance. This ensures that your firewalls receive signatures based on threats detected worldwide, in addition to the signatures generated by the local appliance.
For multiple firewalls managed by Panorama:
Launch Panorama and select
Panorama > Device Deployment > Dynamic Updates, click
scheduled content updates for managed devices.
For details on using Panorama to set up managed firewalls to receive signatures and URL categories from a WF-500 appliance, see Schedule Content Updates to Devices Using Panorama.
For a single firewall:
Log in to the firewall web interface and select Device > Dynamic Updates.
For firewalls configured to forward files to a WF-500 appliance (in either a WildFire private cloud or hybrid cloud deployment), the WF-Private section is displayed.
for the firewall to download and install content updates
from the WF-500 appliance.