The firewall forwards unknown samples for WildFire analysis based on the configured WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). In addition to detecting links included in emails, files that are attached to emails, and browser-based file downloads, the firewall leverages a Palo Alto Networks feature to detect file transfers within applications. For samples that the firewall detects, the firewall checks the sample hash against WildFire signatures to determine if WildFire has previously analyzed the sample. If the sample is identified as malware, it is blocked. If the sample remains unknown after comparing it against existing WildFire signatures, the firewall forwards the sample for WildFire analysis.
In addition to forwarding unknown samples for analysis, the firewall also forwards information about the unknown sample’s network session. Palo Alto Networks uses session information to learn more about the context of the suspicious network event, indicators of compromise related to the malware, affected hosts and clients, and applications used to deliver the malware.
The firewall is enabled to forward session information by default; however, you can adjust the default settings and choose what type of session information the firewall forwards to WildFire. On the firewall, select Device > Setup > WildFire and select or clear the following Session Information Settings:
Multiple virtual machines run in the WildFire public cloud to represent a variety of operating systems and applications. WildFire executes samples in a virtual environment and observes sample behavior for signs of malicious activity, such as changes to browser security settings, injection of code into other processes, modification of files in the Windows system folder, or attempts by the sample to access malicious domains. The WildFire public cloud also analyzes files across application versions in order to identify malware intended to uniquely target specific versions of client applications (the WildFire private cloud does not support multi-version analysis and does not analyze application-specific files across several versions of the application). For links that the firewall extracts from email messages and forwards to WildFire, WildFire visits the links to determine if the corresponding web page hosts any exploits. When WildFire completes analysis, it generates a detailed forensics report that summarizes sample behaviors and assigns a verdict of malware, benign, or grayware to the sample.
A Palo Alto Networks firewall configured with a WildFire analysis profile forwards samples for WildFire analysis based on file type (including email links). Additionally, the firewall decodes files that have been encoded or compressed up to four times (such as files in ZIP format); if the decoded file matches WildFire Analysis profile criteria, the firewall forwards the decoded file for WildFire analysis.
A Palo Alto Networks firewall can extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links for WildFire analysis. The firewall only extracts links and associated session information (sender, recipient, and subject) from email messages; it does not receive, store, forward, or view the email message.
The firewall forwards email links in batches of 100 email links or every two minutes (depending on which limit is hit first). Each batch upload to WildFire counts as one upload toward the per-minute upload capacity for the given firewall platform (Firewall File Forwarding Capacity by Platform).
To enable the firewall to forward links included in emails for WildFire analysis, see Forward Files for WildFire Analysis.
By default, the firewall decodes files that have been encoded or compressed up to four times, including files that have been compressed using the ZIP format. The firewall then inspects and enforces policy on the decoded file; if the file is unknown, the firewall forwards the decoded file for WildFire analysis.
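As an added illustration (not Palo Alto Networks code and not the firewall's actual implementation), the following Python simulates the flow described above: peel off up to four layers of compression, hash the decoded file, look the hash up in a local signature set, and block, allow, or forward the sample accordingly. The ZIP-only unwrapping, the use of SHA-256, and the constructed verdict table are assumptions made for the example.

```python
import hashlib
import io
import zipfile

MAX_DECODE_DEPTH = 4  # the firewall decodes up to four layers of encoding/compression

# Constructed stand-in for the locally held WildFire signature set: SHA-256 -> verdict.
KNOWN_VERDICTS = {
    hashlib.sha256(b"constructed malware payload").hexdigest(): "malware",
    hashlib.sha256(b"harmless constructed document").hexdigest(): "benign",
}

def unwrap(data: bytes, max_depth: int = MAX_DECODE_DEPTH):
    """Peel single-member ZIP layers off `data`, at most `max_depth` times.
    Returns (innermost bytes reached, number of layers removed)."""
    depth = 0
    while depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:      # assumption: only single-member archives are unwrapped
                break
            data = zf.read(names[0])
        depth += 1
    return data, depth

def decide(sample: bytes, verdicts=KNOWN_VERDICTS):
    """Decode, hash, look up the hash, then choose block / allow / forward."""
    inner, layers = unwrap(sample)
    digest = hashlib.sha256(inner).hexdigest()
    verdict = verdicts.get(digest)
    if verdict == "malware":
        action = "block"
    elif verdict is None:
        action = "forward"  # still unknown: forward the decoded file for WildFire analysis
    else:
        action = "allow"    # benign or grayware with a known verdict
    return {"action": action, "verdict": verdict, "layers_decoded": layers, "sha256": digest}

def wrap(data: bytes, layers: int) -> bytes:
    """Constructed helper: nest `data` inside `layers` single-member ZIP archives."""
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin", data)
        data = buf.getvalue()
    return data

if __name__ == "__main__":
    for label, payload, n in [("known malware, 3 layers", b"constructed malware payload", 3),
                              ("unknown, 1 layer", b"never seen before", 1),
                              ("known benign, 5 layers", b"harmless constructed document", 5)]:
        print(label, "->", decide(wrap(payload, n)))
```

The five-layer case shows the limit in action: after four layers the sample is still an archive, so its hash never matches the known benign file and it is treated as unknown.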
WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic, and can quickly generate signatures to identify and protect against future infections from the malware it discovers. WildFire automatically generates a signature based on the malware payload of the sample and tests it for accuracy and safety. Because malware evolves rapidly, the signatures that WildFire generates address multiple variants of the malware. WildFire generates and makes new signatures available every five minutes. Firewalls with an active WildFire license can retrieve the latest signatures every five minutes. If you do not have a WildFire subscription, signatures are made available within 24-48 hours as part of the antivirus update for firewalls with an active Threat Prevention license.