You can set up a Palo Alto Networks firewall to submit unknown samples to the Palo Alto Networks-hosted WildFire global cloud, to a locally-hosted WildFire private cloud, or you can enable the firewall to forward certain samples to a WildFire global cloud and certain samples to a WildFire private cloud:
A Palo Alto Networks firewall with can forward unknown files and email links to the WildFire global cloud or to one of three WildFire regional clouds that Palo Alto Networks owns and maintains. Choose the WildFire cloud to which you want to submit samples for analysis based on your location and your organization’s needs:
Each WildFire cloud—global and regional—analyzes samples and generates malware signatures independently of the other WildFire clouds. WildFire signatures are then shared globally, enabling WildFire users worldwide to benefit from malware coverage regardless of the location the malware was first detected. Review
WildFire File Type Support
to learn more about the file types that each cloud analyzes. If you have a WF-500 appliance, you can enable a
WildFire Hybrid Cloud
deployment, where the firewall can forward certain files to a WildFire public cloud, and other files to a WildFire private cloud for local analysis.
In a Palo Alto Networks private cloud deployment, Palo Alto Networks firewalls forward files to a WF-500 appliance on your corporate network that is being used to host a private cloud analysis location. A WildFire private cloud can receive and analyze files from up to 100 Palo Alto Networks firewalls.
Because the WildFire private cloud is a local sandbox, benign and grayware files it analyzes never leave your network. By default, the private cloud also does not send discovered malware outside of your network; however, you can choose to automatically forward malware to the WildFire public cloud for signature generation and distribution. In this case, The WildFire public cloud re-analyzes the sample, generates a signature to identify the sample, and distributes the signature to all Palo Alto Networks firewalls with Threat Prevention and WildFire licenses.
You can also
Enable Local Signature and URL Category Generation
on the WF-500 appliance. Signatures the WF-500 appliance generates are distributed to connected firewalls so that the firewalls can effectively block the malware the next time it is detected.
A firewall in a WildFire hybrid cloud deployment can forward certain samples to the Palo Alto Networks-hosted WildFire global cloud and other samples to a WildFire private cloud hosted by a WF-500 appliance. A WildFire hybrid cloud deployment allows the flexibility to analyze private documents locally and inside your network, while the WildFire public cloud analyzes files from the Internet. For example, forward Payment Card Industry (PCI) and Protected Health Information (PHI) data exclusively to the WildFire private cloud for analysis, while forwarding Portable Executables (PEs) to the WildFire public cloud for analysis. In a WildFire hybrid cloud deployment, offloading files to the public cloud for analysis allows you benefit from a prompt verdict for files that have been previously processed in the WildFire public cloud, and also frees up the WF-500 appliance capacity to process sensitive content. Additionally, you can forward certain file types to the WildFire public cloud that are not currently supported for WF-500 appliance analysis, such as Android Application Package (APK) files.
To set up hybrid cloud forwarding, see
Forward Files for WildFire Analysis.