Configure Palo Alto Networks firewalls to forward unknown files or email links for analysis. Use a WildFire Analysis profile to define which files to forward to the WildFire cloud (the public cloud, a private cloud hosted on a WF-500 appliance, or both), then attach the profile to a security policy rule so that traffic allowed by that rule is inspected for zero-day malware. Only traffic the security rule matches is evaluated against the profile; files that arrive over sessions no rule with the profile allows are never forwarded.
Specify the traffic to forward for analysis based on the application in use, the file type detected, links contained in email messages, or the transmission direction of the sample (upload, download, or both). For example, you can set up the firewall to forward Portable Executables (PEs), or any file type, that users download during a web-browsing session.
If you are using a WF-500 appliance to host a WildFire private cloud, you can extend your analysis capacity with a WildFire Hybrid Cloud: configure the firewall to keep forwarding sensitive files to the WildFire private cloud for local analysis, and forward less sensitive or locally unsupported file types to the WildFire public cloud.
Before you begin:
- If another firewall sits between the firewall you are configuring and the WildFire cloud or WF-500 appliance, make sure that intermediate firewall allows the following ports:
  - WildFire public cloud: port 443 for both registration and file submissions.
  - WF-500 appliance: port 443 for registration and port 10443 for file submissions.
  These connections originate from the forwarding firewall's management interface unless you have configured a service route for WildFire, so permit them from that source address.
- (PA-7000 Series Firewalls Only) To enable a PA-7000 Series firewall to forward files and email links for WildFire analysis, you must first configure a data port on an NPC as a Log Card interface.
Configure a Firewall to Forward Files and Email Links to WildFire
Specify the WildFire deployment to which you want to forward samples. Select Device > Setup > WildFire and edit the General Settings according to your WildFire cloud deployment (public, private, or hybrid).
- WildFire Public Cloud: enter the WildFire Public Cloud URL for your region and leave the WildFire Private Cloud field clear.
  - United States: wildfire.paloaltonetworks.com
  - Europe: eu.wildfire.paloaltonetworks.com
  - Japan: wildfire.paloaltonetworks.jp
  - Singapore: sg.wildfire.paloaltonetworks.com
- WildFire Private Cloud: enter the IP address or FQDN of the WF-500 appliance in the WildFire Private Cloud field and clear the WildFire Public Cloud field.
- WildFire Hybrid Cloud: enter both the WildFire Public Cloud URL for your region (from the list above) and the IP address or FQDN of the WF-500 appliance in the WildFire Private Cloud field.
Define the size limits for files the firewall forwards and configure WildFire logging and reporting settings. Continue editing the WildFire General Settings (Device > Setup > WildFire).
- Review the File Size Limits for files forwarded from the firewall. The recommended WildFire best practice is to set the File Size for PEs to the maximum of 10 MB and to leave the File Size for all other file types at the default value. Files larger than the limit for their type are not forwarded.
- Select Report Benign Files to log files that receive a WildFire verdict of benign.
- Select Report Grayware Files to log files that receive a WildFire verdict of grayware.
- Define what session information is recorded in WildFire analysis reports by editing the Session Information Settings. By default, all session information is included in WildFire analysis reports; clear the check boxes for any fields you do not want included.
- Click OK to save the settings.
(Panorama Only) Configure Panorama to gather additional information about samples collected from firewalls running a PAN-OS version earlier than PAN-OS 7.0. Some WildFire Submissions log fields introduced in PAN-OS 7.0 are not populated for samples submitted by firewalls running earlier software versions. If Panorama manages such firewalls, it can query the WildFire Server you define (the WildFire global public cloud by default) to retrieve the complete analysis information for those samples and fill in the missing log details. Select Panorama > Setup > WildFire and change the WildFire Server only if you want Panorama to retrieve details from the WildFire cloud hosted in Japan or from a WF-500 appliance instead.
Define the traffic to forward for WildFire analysis. If you have a WF-500 appliance set up, you can use both the private cloud and the public cloud in a hybrid cloud deployment: analyze sensitive files locally on your network while sending all other unknown files to the WildFire public cloud for comprehensive analysis and prompt verdict returns.
- Select Objects > Security Profiles > WildFire Analysis, Add a new WildFire Analysis profile, and give the profile a descriptive Name.
- Add a profile rule to define the traffic to forward for analysis and give the rule a descriptive Name, such as local-PDF-analysis.
- Configure the rule to match unknown traffic and forward samples for analysis based on:
  - Applications: forward files based on the application in use.
  - File Types: forward files based on file type, including links contained in email messages. For example, select PDF to forward unknown PDFs detected by the firewall.
  - Direction: forward files based on the transmission direction of the file (upload, download, or both). For example, select both to forward all unknown PDFs regardless of transmission direction.
- Set the Analysis location to which the firewall forwards files that match the rule. Select public-cloud to forward matching samples to the WildFire public cloud, or private-cloud to forward them to a WildFire private cloud. For example, to analyze PDFs that could contain sensitive or proprietary information without sending those documents out of your network, set the Analysis location for the rule local-PDF-analysis to private-cloud.
Different rules in the same profile can forward matched samples to different analysis locations. The example above forwards a sensitive file type for local analysis in a WildFire private cloud; another rule could forward less sensitive file types, such as PEs, to the WildFire public cloud. This split requires a WildFire Hybrid Cloud deployment. In a hybrid cloud deployment, a file that matches both a private-cloud rule and a public-cloud rule is forwarded only to the private cloud, so a broad public-cloud rule cannot override a narrower rule that keeps sensitive files on-site; check rule overlap when you add catch-all rules.
- (Optional) Continue to add rules to the WildFire Analysis profile as needed. For example, add a second rule to forward Android application package (APK), Portable Executable (PE), and Flash files to the WildFire public cloud for analysis.
- Click OK to save the WildFire Analysis profile.
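The forwarding decision the profile rules above express, written out as an added Python model for this page (it is not PAN-OS code; the Rule and Sample classes, the rule names, the web-downloads catch-all rule, and the non-PE size limits are assumed for the example). It shows the three match criteria, the size-limit check, and the hybrid-cloud tie-break in which a private-cloud match wins over a public-cloud match:

```python
"""Model of the forwarding decision a WildFire Analysis profile makes.

Added illustration for this page, not PAN-OS code: the firewall's actual
implementation is not public, and the Rule/Sample classes, the
HYBRID_PROFILE rules and the size limits below are constructed for the
example. The behaviour modelled is the one the page describes: a rule
matches on application, file type and direction; only unknown samples are
forwarded; samples over the configured size limit for their file type are
not forwarded; and in a hybrid deployment a sample matching both a
private-cloud rule and a public-cloud rule goes only to the private cloud.
"""
from dataclasses import dataclass

PUBLIC = "public-cloud"
PRIVATE = "private-cloud"


@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset   # {"any"} matches every application
    file_types: frozenset     # {"any"} matches every file type
    direction: str            # "upload", "download" or "both"
    analysis: str             # PUBLIC or PRIVATE


@dataclass(frozen=True)
class Sample:
    application: str
    file_type: str
    direction: str            # "upload" or "download"
    size_bytes: int
    known: bool = False       # True when the firewall already has a verdict


# Assumed per-file-type limits in MB. The page recommends raising PE to the
# 10 MB maximum and leaving the others at their defaults; the non-PE values
# here are placeholders for the example, not the firewall defaults.
SIZE_LIMITS_MB = {"pe": 10, "apk": 10, "pdf": 2, "flash": 5}

# The profile built in the steps above, plus an assumed broad catch-all:
# sensitive PDFs stay on the WF-500, binaries and web downloads go public.
HYBRID_PROFILE = [
    Rule("local-PDF-analysis", frozenset({"any"}), frozenset({"pdf"}), "both", PRIVATE),
    Rule("public-binaries", frozenset({"any"}), frozenset({"apk", "pe", "flash"}), "both", PUBLIC),
    Rule("web-downloads", frozenset({"web-browsing"}), frozenset({"any"}), "download", PUBLIC),
]


def rule_matches(rule: Rule, sample: Sample) -> bool:
    """A rule matches only when all three of its criteria match."""
    if "any" not in rule.applications and sample.application not in rule.applications:
        return False
    if "any" not in rule.file_types and sample.file_type not in rule.file_types:
        return False
    return rule.direction in ("both", sample.direction)


def analysis_location(rules, sample, size_limits_mb=SIZE_LIMITS_MB):
    """Return (location, reason); location is PRIVATE, PUBLIC or None."""
    if sample.known:
        return None, "verdict already known, nothing to forward"
    limit = size_limits_mb.get(sample.file_type)
    if limit is not None and sample.size_bytes > limit * 1024 * 1024:
        return None, f"{sample.file_type} exceeds the {limit} MB limit"
    matched = [r for r in rules if rule_matches(r, sample)]
    if not matched:
        return None, "no profile rule matched"
    # Hybrid-cloud tie-break: any private-cloud match wins over public-cloud
    # matches, so a broad public rule can never push a sensitive file off-site.
    private = [r.name for r in matched if r.analysis == PRIVATE]
    if private:
        return PRIVATE, "matched " + ", ".join(private)
    return PUBLIC, "matched " + ", ".join(r.name for r in matched)


if __name__ == "__main__":
    for s in (
        Sample("web-browsing", "pdf", "download", 400_000),    # private and public rules match
        Sample("web-browsing", "pe", "download", 3_000_000),   # public rules only
        Sample("smtp", "pe", "upload", 12 * 1024 * 1024),       # over the PE limit
        Sample("ftp", "zip", "upload", 50_000),                 # no rule for this file type
    ):
        print(s.application, s.file_type, s.direction, "->", analysis_location(HYBRID_PROFILE, s))
```

Run it as a script to print the decision for each constructed sample; the PDF downloaded over web-browsing is the interesting case, since it matches both local-PDF-analysis and the public web-downloads rule and still stays on the private cloud.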
Attach the WildFire Analysis profile to a security policy rule. Traffic allowed by the security policy rule is evaluated against the attached WildFire Analysis profile, and the firewall forwards any traffic that matches the profile for WildFire analysis.
- Select Policies > Security and Add or modify a policy rule.
- Click the Actions tab within the policy rule.
- In the Profile Settings section, select Profiles as the Profile Type and select the WildFire Analysis profile to attach to the policy rule.
Make sure to also enable the firewall to Forward Decrypted SSL Traffic for WildFire Analysis. This is a recommended WildFire best practice: without decryption, files carried inside TLS sessions are invisible to the profile and are never forwarded.
Review and implement WildFire Best Practices.
Click Commit to apply the WildFire settings.
Choose what to do next:
- Verify WildFire Submissions to confirm that the firewall is successfully forwarding files for WildFire analysis.
- (WildFire Private Cloud Only) Submit Malware or Reports from the WF-500 Appliance. Enable this feature to automatically forward malware identified in your WildFire private cloud to the WildFire public cloud. The WildFire public cloud re-analyzes the sample and generates a signature if the sample is malware; the signature is then distributed to all users through WildFire signature updates.
- Monitor WildFire Activity to assess the alerts and details reported for malware.