Configure a Firewall to Forward Files and Email Links to WildFire
Step 1. Specify the WildFire Deployments to which you want to forward samples.

Select Device > Setup > WildFire and edit the General Settings based on your WildFire cloud deployment (public, private, or hybrid).

WildFire Public Cloud:
  Enter the WildFire Public Cloud URL for your region:
    United States: wildfire.paloaltonetworks.com
    Europe: eu.wildfire.paloaltonetworks.com
    Japan: jp.wildfire.paloaltonetworks.com
    Singapore: sg.wildfire.paloaltonetworks.com
  Make sure the WildFire Private Cloud field is clear.

WildFire Private Cloud:
  Enter the IP address or FQDN of the WF-500 appliance in the WildFire Private Cloud field.
  Clear the WildFire Public Cloud field.

WildFire Hybrid Cloud:
  Enter the WildFire Public Cloud URL for your region (the same regional URLs listed above).
  Enter the IP address or FQDN of the WF-500 appliance in the WildFire Private Cloud field.
Step 2. Define the size limits for files the firewall forwards and configure WildFire logging and reporting settings.

Continue editing the WildFire General Settings (Device > Setup > WildFire).

Review the File Size Limits for files forwarded from the firewall. It is a recommended WildFire best practice to set the File Size for PEs to the maximum size limit of 10 MB, and to leave the File Size for all other file types set to the default value.

Select Report Benign Files to allow logging for files that receive a WildFire verdict of benign.

Select Report Grayware Files to allow logging for files that receive a WildFire verdict of grayware.

Define what session information is recorded in WildFire analysis reports by editing the Session Information Settings. By default, all session information is displayed in WildFire analysis reports. Clear the check boxes to remove the corresponding fields from WildFire analysis reports, and click OK to save the settings.
Step 3. (Panorama Only) Configure Panorama to gather additional information about samples collected from firewalls running a PAN-OS version earlier than PAN-OS 7.0.

Some WildFire Submissions log fields introduced in PAN-OS 7.0 are not populated for samples submitted by firewalls running earlier software versions. If you use Panorama to manage firewalls running software versions earlier than PAN-OS 7.0, Panorama can communicate with the defined WildFire Server (the WildFire global cloud, by default) to gather complete analysis information for samples submitted by those firewalls and fill in the log details.

Select Panorama > Setup > WildFire and enter a WildFire Server if you want to change the default setting so that Panorama instead gathers details from the WildFire cloud hosted in Japan or from a WF-500 appliance.
Step 4. Define traffic to forward for WildFire analysis.

If you have a WF-500 appliance set up, you can use both the private cloud and the public cloud in a hybrid cloud deployment: analyze sensitive files locally on your network, while sending all other unknown files to the WildFire public cloud for comprehensive analysis and prompt verdict returns.

Select Objects > Security Profiles > WildFire Analysis, Add a new WildFire analysis profile, and give the profile a descriptive Name.

Add a profile rule to define the traffic to be forwarded for analysis and give the rule a descriptive Name, such as local-PDF-analysis.

Define the profile rule so that it matches unknown traffic and forwards samples for analysis based on:
  Applications: forward files for analysis based on the application in use.
  File Types: forward files for analysis based on file type, including links contained in email messages. For example, select PDF to forward unknown PDFs detected by the firewall for analysis.
  Direction: forward files for analysis based on the transmission direction of the file (upload, download, or both). For example, select both to forward all unknown PDFs for analysis, regardless of the transmission direction.

Set the Analysis location to which the firewall forwards files matched to the rule:
  Select public-cloud to forward matching samples to the WildFire public cloud for analysis.
  Select private-cloud to forward matching samples to a WildFire private cloud for analysis.
For example, to analyze PDFs that could contain sensitive or proprietary information without sending these documents out of your network, set the Analysis location for the rule local-PDF-analysis to private-cloud.

Different rules can forward matched samples to different analysis locations, depending on your needs. The example above shows a rule that forwards sensitive file types for local analysis in a WildFire private cloud. You could create another rule to forward less sensitive file types, such as PEs, to the WildFire public cloud. This flexibility is supported with a WildFire Hybrid Cloud deployment.

In a hybrid cloud deployment, files that match both private-cloud and public-cloud rules are forwarded only to the private cloud as a cautionary measure.

(Optional) Continue to add rules to the WildFire analysis profile as needed. For example, you could add a second rule to the profile to forward Android application package (APK), Portable Executable (PE), and Flash files to the WildFire public cloud for analysis.

Click OK to save the WildFire analysis profile.
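To make the matching and precedence behaviour of a WildFire Analysis profile concrete, the following is an added Python model of how the rules above decide where an unknown file is forwarded. It is not Palo Alto Networks code and not a firewall API; it does not talk to a device. The three match criteria, the private-cloud precedence in a hybrid deployment, and the 10 MB PE limit follow the text; the other size limits, the rule names other than local-PDF-analysis, and the application names are constructed for the example. The find_public_leaks check enumerates the application, file type and direction combinations for which a file type you consider sensitive would still reach the public cloud, which is the question to settle before relying on a hybrid deployment to keep documents on your network.

```python
from dataclasses import dataclass

# Per-file-type forwarding size limits in MB. The 10 MB value for PEs is the
# recommended maximum from the steps above; the other entries are constructed
# placeholders for this model, not the firewall's actual defaults.
ASSUMED_SIZE_LIMITS_MB = {"pe": 10, "pdf": 3, "apk": 10, "flash": 5}


@dataclass(frozen=True)
class Rule:
    """One rule of a WildFire Analysis profile, as described on the page."""
    name: str
    applications: frozenset  # {"any"} or a set of application names
    file_types: frozenset    # {"any"} or a set of file types
    direction: str           # "upload", "download" or "both"
    analysis: str            # "public-cloud" or "private-cloud"


@dataclass(frozen=True)
class Sample:
    """An unknown file the firewall has seen in a session."""
    application: str
    file_type: str
    direction: str           # "upload" or "download"
    size_mb: float


def rule_matches(rule: Rule, sample: Sample) -> bool:
    """True when the sample satisfies all three match criteria of the rule."""
    app_ok = "any" in rule.applications or sample.application in rule.applications
    type_ok = "any" in rule.file_types or sample.file_type in rule.file_types
    dir_ok = rule.direction in ("both", sample.direction)
    return app_ok and type_ok and dir_ok


def forwarding_destination(profile, sample, size_limits=ASSUMED_SIZE_LIMITS_MB):
    """Return "private-cloud", "public-cloud", or None when the file is not forwarded."""
    limit = size_limits.get(sample.file_type)
    if limit is not None and sample.size_mb > limit:
        return None  # over the File Size limit for this type: not forwarded
    destinations = {rule.analysis for rule in profile if rule_matches(rule, sample)}
    if not destinations:
        return None  # no rule matched
    # Hybrid precedence from the page: a file matched by both kinds of rule
    # goes only to the private cloud.
    return "private-cloud" if "private-cloud" in destinations else "public-cloud"


def find_public_leaks(profile, sensitive_types, applications,
                      directions=("upload", "download")):
    """Enumerate (application, file_type, direction) combinations for which a
    sensitive file type would leave the network for the public cloud."""
    leaks = []
    for app in applications:
        for file_type in sensitive_types:
            for direction in directions:
                probe = Sample(app, file_type, direction, size_mb=0.1)
                if forwarding_destination(profile, probe) == "public-cloud":
                    leaks.append((app, file_type, direction))
    return leaks


# Constructed profile mirroring the page's example: sensitive PDFs stay local,
# executables and similar file types go to the public cloud.
EXAMPLE_PROFILE = (
    Rule("local-PDF-analysis", frozenset({"any"}), frozenset({"pdf"}), "both", "private-cloud"),
    Rule("public-exe-analysis", frozenset({"any"}), frozenset({"pe", "apk", "flash"}), "both", "public-cloud"),
    Rule("browser-downloads", frozenset({"web-browsing"}), frozenset({"any"}), "download", "public-cloud"),
)

# A constructed misconfiguration: the private rule covers downloads only, so an
# uploaded PDF is caught only by the catch-all public rule.
LEAKY_PROFILE = (
    Rule("local-PDF-download-only", frozenset({"any"}), frozenset({"pdf"}), "download", "private-cloud"),
    Rule("catch-all-public", frozenset({"any"}), frozenset({"any"}), "both", "public-cloud"),
)

if __name__ == "__main__":
    print(forwarding_destination(EXAMPLE_PROFILE, Sample("web-browsing", "pdf", "download", 1.0)))
    print(find_public_leaks(LEAKY_PROFILE, ["pdf"], ["web-browsing", "smtp"]))
```

Running the model against LEAKY_PROFILE reports the uploaded-PDF case for every application probed, while EXAMPLE_PROFILE reports none, because its private-cloud rule covers both directions and therefore wins over the browser-downloads rule whenever both match.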
Step 5. Attach the WildFire Analysis profile to a security policy rule.

Traffic allowed by the security policy rule is evaluated against the attached WildFire analysis profile; the firewall forwards traffic matched to the profile for WildFire analysis.

Select Policies > Security and Add or modify a policy rule.

Click the Actions tab within the policy rule.

In the Profile Settings section, select Profiles as the Profile Type and select a WildFire Analysis profile to attach to the policy rule.
Step 6. Make sure to also enable the firewall to Forward Decrypted SSL Traffic for WildFire Analysis. This is a recommended WildFire best practice.
Step 7. Review and implement WildFire Best Practices.
Step 8. Click Commit to apply the WildFire settings.
Choose what to do next:

Verify WildFire Submissions to confirm that the firewall is successfully forwarding files for WildFire analysis.

(WildFire Private Cloud Only) Submit Malware or Reports from the WF-500 Appliance. Enable this feature to automatically forward malware identified in your WildFire private cloud to the WildFire public cloud. The WildFire public cloud re-analyzes the sample and generates a signature if the sample is malware. The signature is distributed to global users through WildFire signature updates.

Monitor WildFire Activity to assess alerts and details reported for malware.