Document: WildFire® Administrator’s Guide
WildFire Concepts
Last Updated: Wed May 06 13:22:31 PDT 2020
Samples are all file types and email links the firewall forwards for WildFire analysis. See Email Link Analysis for details on the file types and links that a firewall can submit for WildFire analysis.
The firewall forwards unknown samples for WildFire analysis based on the configured WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). In addition to detecting links included in emails, files that are attached to emails, and browser-based file downloads, the firewall leverages the Palo Alto Networks App-ID feature to detect file transfers within applications. For each sample that the firewall detects, it checks the sample hash against WildFire signatures to determine whether WildFire has previously analyzed the sample. If the sample is identified as malware, it is blocked. If the sample remains unknown after comparing it against existing WildFire signatures, the firewall forwards the sample for WildFire analysis.
In addition to forwarding unknown samples for analysis, the firewall also forwards information about the unknown sample’s network session. Palo Alto Networks uses session information to learn more about the context of the suspicious network event, indicators of compromise related to the malware, affected hosts and clients, and applications used to deliver the malware.
The firewall is enabled to forward session information by default; however, you can adjust the default settings and choose what type of session information the firewall forwards to WildFire. On the firewall, select Device > Setup > WildFire and select or clear the following Session Information Settings:
Multiple virtual machines run in the WildFire public cloud to represent a variety of operating systems and applications. WildFire executes samples in a virtual environment and observes sample behavior for signs of malicious activity, such as changes to browser security settings, injection of code into other processes, modification of files in the Windows system folder, or attempts by the sample to access malicious domains. The WildFire public cloud also analyzes files across application versions in order to identify malware intended to uniquely target specific versions of client applications (the WildFire private cloud does not support multi-version analysis and does not analyze application-specific files across several versions of the application). For links that the firewall extracts from email messages and forwards to WildFire, WildFire visits the links to determine whether the corresponding web page hosts any exploits. When WildFire completes analysis, it generates a detailed forensics report that summarizes sample behaviors and assigns a verdict of malware, benign, or grayware to the sample.
A Palo Alto Networks firewall configured with a WildFire analysis profile forwards samples for WildFire analysis based on file type (including email links). Additionally, the firewall decodes files that have been encoded or compressed up to four times (such as files in ZIP format); if the decoded file matches WildFire Analysis profile criteria, the firewall forwards the decoded file for WildFire analysis.
While the firewall can forward all the file types listed below, WildFire analysis support can vary depending on the WildFire cloud to which you are submitting samples. Review WildFire File Type Support to learn more.
A Palo Alto Networks firewall can extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links for WildFire analysis. The firewall only extracts links and associated session information (sender, recipient, and subject) from email messages; it does not receive, store, forward, or view the email message.
The firewall forwards email links in batches of 100 email links or every two minutes (depending on which limit is hit first). Each batch upload to WildFire counts as one upload toward the per-minute upload capacity for the given firewall platform (Firewall File Forwarding Capacity by Platform).
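The batching rule above (flush at 100 links or after two minutes, whichever comes first, with each flush counting as one upload), modelled as an added example; this is not Palo Alto Networks code, and the class name, the injectable clock and the `simulate` helper are constructed for illustration:

```python
import time
from typing import Callable, List

BATCH_MAX_LINKS = 100        # the page: batches of 100 email links ...
BATCH_MAX_AGE_SECONDS = 120  # ... or every two minutes, whichever limit is hit first


class EmailLinkBatcher:
    """Constructed model of how extracted email links are batched before upload."""
    def __init__(self, uploader: Callable[[List[dict]], None],
                 clock: Callable[[], float] = time.monotonic):
        self._uploader = uploader   # one call == one upload against platform capacity
        self._clock = clock         # injectable so the age limit can be exercised offline
        self._pending: List[dict] = []
        self._opened_at = 0.0
        self.uploads = 0

    def add_link(self, url: str, sender: str, recipient: str, subject: str) -> None:
        # Only the link and its session metadata are retained; the message body is not.
        if not self._pending:
            self._opened_at = self._clock()
        self._pending.append({"url": url, "sender": sender,
                              "recipient": recipient, "subject": subject})
        if len(self._pending) >= BATCH_MAX_LINKS:
            self.flush()

    def tick(self) -> None:
        """Call on a timer: flushes a partial batch once it is two minutes old."""
        if self._pending and self._clock() - self._opened_at >= BATCH_MAX_AGE_SECONDS:
            self.flush()

    def pending_count(self) -> int:
        return len(self._pending)

    def flush(self) -> None:
        if not self._pending:
            return
        self._uploader(self._pending)
        self.uploads += 1
        self._pending = []


def simulate(n_links: int, idle_seconds: float):
    """Feed n_links at t=0, wait idle_seconds, then return (uploads, links still pending)."""
    now = [0.0]
    batches: List[List[dict]] = []
    b = EmailLinkBatcher(batches.append, clock=lambda: now[0])
    for i in range(n_links):  # constructed sample links and session metadata
        b.add_link(f"http://example.invalid/{i}", "a@example.invalid", "b@example.invalid", "subj")
    now[0] = idle_seconds
    b.tick()
    return b.uploads, b.pending_count()
```

With 250 links the first two batches upload immediately on reaching 100 links each, while the remaining 50 wait until the two-minute timer flushes them as a third upload.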
To enable the firewall to forward links included in emails for WildFire analysis, see Forward Files for WildFire Analysis.
By default, the firewall decodes files that have been encoded or compressed up to four times, including files that have been compressed using the ZIP format. The firewall then inspects and enforces policy on the decoded file; if the file is unknown, the firewall forwards the decoded file for WildFire analysis.
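The nested-decoding behaviour described here and in the file-type paragraph above (unpack up to four levels, then forward only decoded content that matches the WildFire Analysis profile), as an added example that is not Palo Alto Networks code; the magic-byte sniffer, the profile set `PROFILE_FILE_TYPES` and the `nest_zip` helper are constructed stand-ins for the firewall's own file-type and profile logic:

```python
import io
import zipfile

MAX_DECODE_DEPTH = 4  # the page: the firewall decodes a sample up to four times
# Constructed stand-in for the WildFire Analysis profile: file types to forward.
PROFILE_FILE_TYPES = {"pe", "pdf"}

def detect_file_type(data: bytes) -> str:
    """Minimal magic-byte sniffing (constructed; not the firewall's file-type engine)."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"

def decode_for_forwarding(data: bytes, name: str = "sample", depth: int = 0, out=None):
    """Return [(path, file_type)] for every decoded member that matches the profile.

    ZIP members are unpacked in memory; once `depth` reaches MAX_DECODE_DEPTH a
    nested archive is no longer opened, so content buried deeper is never inspected.
    """
    if out is None:
        out = []
    ftype = detect_file_type(data)
    if ftype == "zip" and depth < MAX_DECODE_DEPTH:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if not member.is_dir():
                    decode_for_forwarding(zf.read(member), f"{name}/{member.filename}",
                                          depth + 1, out)
    elif ftype in PROFILE_FILE_TYPES:
        out.append((name, ftype))
    return out

def nest_zip(payload: bytes, levels: int) -> bytes:
    """Constructed helper: wrap `payload` inside `levels` nested ZIP archives."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.exe" if i == 0 else f"level{i}.zip", data)
        data = buf.getvalue()
    return data

if __name__ == "__main__":
    print(decode_for_forwarding(nest_zip(b"MZ\x90\x00constructed", 4)))  # reached
    print(decode_for_forwarding(nest_zip(b"MZ\x90\x00constructed", 5)))  # [] (too deep)
```

A PE wrapped four times is unpacked and queued for forwarding; wrapped five times, the innermost archive sits beyond the decode limit and nothing matching the profile is found, which is the gap the page's four-level figure implies.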
WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic, and can quickly generate signatures to identify and protect against future infections from the malware it discovers. WildFire automatically generates a signature based on the malware payload of the sample and tests it for accuracy and safety. Because malware evolves rapidly, the signatures that WildFire generates address multiple variants of the malware. WildFire generates and makes new signatures available every five minutes. Firewalls with an active WildFire license can retrieve the latest signatures every five minutes. If you do not have a WildFire subscription, signatures are made available within 24-48 hours as part of the antivirus update for firewalls with an active Threat Prevention license.