The VM interface (labeled 1 on the back of the appliance) is used by WildFire to improve malware detection capabilities. The interface allows a sample running on the WildFire virtual machines to communicate with the Internet so that the WF-500 appliance can better analyze the behavior of the sample file to determine if it exhibits characteristics of malware.
While it is recommended that you enable the VM interface, it is very important that you do not connect the interface to a network that allows access to any of your servers/hosts because malware that runs in the WildFire virtual machines could potentially use this interface to propagate itself. This connection can be a dedicated DSL line or a network connection that only allows direct access from the VM interface to the Internet and restricts any access to internal servers/client hosts.
The following illustration shows two options for connecting the VM interface to the network.
Virtual Machine Interface Example
Option-1 (recommended): Connect the VM interface to an interface in a dedicated zone on a firewall that has a policy that only allows access to the Internet. This is important because malware that runs in the WildFire virtual machines can potentially use this interface to propagate itself. This is the recommended option because the firewall logs will provide visibility into any traffic that is generated by the VM interface.

Option-2: Use a dedicated Internet provider connection, such as a DSL line, to connect the VM interface to the Internet. Ensure that there is no access from this connection to internal servers/hosts. Although this is a simple solution, traffic that the malware sends out of the VM interface will not be logged unless you place a firewall or a traffic monitoring tool between the WF-500 appliance and the DSL connection.
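The log visibility that Option-1 provides can be turned into a routine check. The following Python is an added example, not Palo Alto Networks code: it reads a constructed CSV export and lists every flow from the VM interface zone that reached, or tried to reach, anything other than the Internet. The column names, the zone names `wf-vm` and `untrust`, and the use of the RFC 1918 ranges as the internal address space are assumptions.

```python
import csv
import io
import ipaddress

# Assumed names for this example; substitute the zone names from your firewall.
VM_ZONE = "wf-vm"          # dedicated zone holding the WF-500 VM interface
INTERNET_ZONE = "untrust"  # zone that faces the Internet
# Assumption: internal servers/hosts live in RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (not real firewall log output); columns are assumed.
SAMPLE_LOG = """\
time,from_zone,to_zone,src,dst,dport,action
2024-01-01T10:00:01,wf-vm,untrust,192.0.2.10,203.0.113.5,443,allow
2024-01-01T10:00:02,wf-vm,trust,192.0.2.10,10.1.20.15,445,allow
2024-01-01T10:00:03,wf-vm,dmz,192.0.2.10,172.16.4.8,22,deny
2024-01-01T10:00:04,trust,untrust,10.1.20.30,198.51.100.7,80,allow
2024-01-01T10:00:05,wf-vm,untrust,192.0.2.10,10.9.9.9,3389,allow
"""

def review_vm_traffic(log_text):
    """Return (violations, blocked) for non-Internet flows from the VM zone.

    violations: allowed flows, meaning the policy or routing is too permissive.
    blocked:    denied flows, meaning a sample attempted to reach internal hosts.
    """
    violations, blocked = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["from_zone"] != VM_ZONE:
            continue  # only traffic sourced from the VM interface zone matters
        dst = ipaddress.ip_address(row["dst"])
        # A flow is suspect if it leaves toward a non-Internet zone, or if it
        # targets an internal address even though the zone says Internet.
        off_internet = (row["to_zone"] != INTERNET_ZONE
                        or any(dst in net for net in INTERNAL_NETS))
        if off_internet:
            (violations if row["action"] == "allow" else blocked).append(row)
    return violations, blocked

if __name__ == "__main__":
    allowed, denied = review_vm_traffic(SAMPLE_LOG)
    for r in allowed:
        print("POLICY GAP :", r["time"], r["to_zone"], r["dst"], r["dport"])
    for r in denied:
        print("BLOCKED TRY:", r["time"], r["to_zone"], r["dst"], r["dport"])
```

Any entry in the first list means the VM interface zone can reach internal hosts and the policy or routing should be corrected; entries in the second list show that the policy blocked an attempt.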
