Forward Files for WildFire Analysis

Configure Palo Alto Networks firewalls to forward unknown files or email links and blocked files that match existing antivirus signatures for analysis. Use the WildFire Analysis profile to define files to forward to the WildFire cloud (use the public cloud or a private cloud), and then attach the profile to a security rule to trigger inspection for zero-day malware.
Specify traffic to be forwarded for analysis based on the application in use, the file type detected, links contained in email messages, or the transmission direction of the sample (upload, download, or both). For example, you can set up the firewall to forward Portable Executables (PEs) or any files that users attempt to download during a web-browsing session. In addition to unknown samples, the firewall forwards blocked files that match existing antivirus signatures. This provides Palo Alto Networks a valuable source of threat intelligence based on malware variants that signatures successfully prevented but neither WildFire nor the firewall has seen before.
If you are using a WildFire appliance to host a WildFire private cloud, you can extend WildFire analysis resources to a WildFire Hybrid Cloud by configuring the firewall to continue to forward sensitive files to your WildFire private cloud for local analysis, and to forward less sensitive or unsupported file types to the WildFire public cloud.
Additionally, you can dedicate WildFire appliance resources to analyze specific file types: either documents (Microsoft Office files and PDFs) or PEs. For example, if you deploy a WildFire hybrid cloud to analyze documents locally and PEs in the WildFire global cloud, you can dedicate all analysis environments to documents. This offloads analysis of PEs to the public cloud so that you can allocate additional WildFire appliance resources to process sensitive documents.
Before you begin:
  • If another firewall resides between the firewall you are configuring to forward files and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle allows the following ports:
    Port     Usage
    443      Registration, PCAP Downloads, Sample Downloads, Report Retrieval, File Submission, PDF Report Downloads
    10443    Dynamic Updates
  • (PA-7000 Series Firewalls Only) To enable a PA-7000 Series firewall to forward files and email links for WildFire analysis, you must first configure a data port on an NPC as a Log Card interface.
  1. Specify the WildFire Deployments to which you want to forward samples.
    Select Device > Setup > WildFire and edit the General Settings based on your WildFire cloud deployment (public, private, or hybrid).
    WildFire Public Cloud:
    1. Enter the WildFire Public Cloud URL:
      • United States: wildfire.paloaltonetworks.com
      • Europe: eu.wildfire.paloaltonetworks.com
      • Japan: jp.wildfire.paloaltonetworks.com
      • Singapore: sg.wildfire.paloaltonetworks.com
    2. Make sure the WildFire Private Cloud field is clear.
    WildFire Private Cloud:
    1. Enter the IP address or FQDN of the WildFire appliance in the WildFire Private Cloud field.
    2. Clear the WildFire Public Cloud field.
    WildFire Hybrid Cloud:
    1. Enter the WildFire Public Cloud URL:
      • United States: wildfire.paloaltonetworks.com
      • Europe: eu.wildfire.paloaltonetworks.com
      • Japan: jp.wildfire.paloaltonetworks.com
      • Singapore: sg.wildfire.paloaltonetworks.com
    2. Enter the IP address or FQDN of the WildFire appliance in the WildFire Private Cloud field.
  2. Define the size limits for files the firewall forwards and configure WildFire logging and reporting settings.
    Continue editing WildFire General Settings (Device > Setup > WildFire).
    • Review the File Size Limits for files forwarded from the firewall.
      It is a recommended WildFire best practice to set the File Size for PEs to the maximum size limit of 10 MB, and to leave the File Size for all other file types set to the default value.
    • Select Report Benign Files to allow logging for files that receive a WildFire verdict of benign.
    • Select Report Grayware Files to allow logging for files that receive a WildFire verdict of grayware.
    • Define what session information is recorded in WildFire analysis reports by editing the Session Information Settings. By default, all session information is displayed in WildFire analysis reports. Clear the check boxes to remove the corresponding fields from WildFire analysis reports and click OK to save the settings.
  3. (Panorama Only) Configure Panorama to gather additional information about samples collected from firewalls running a PAN-OS version prior to PAN-OS 7.0.
    Some WildFire Submissions log fields introduced in PAN-OS 7.0 are not populated for samples submitted by firewalls running earlier software versions. If you are using Panorama to manage firewalls running software versions earlier than PAN-OS 7.0, Panorama can communicate with WildFire to gather complete analysis information for samples submitted by those firewalls from the defined WildFire Server (the WildFire global cloud, by default) to complete the log details.
    Select Panorama > Setup > WildFire and enter a WildFire Server if you’d like to modify the default setting to instead allow Panorama to gather details from the specified WildFire cloud or from a WildFire appliance.
  4. Define traffic to forward for WildFire analysis.
    If you have a WildFire appliance set up, you can use both the private cloud and the public cloud in a hybrid cloud deployment. Analyze sensitive files locally on your network, while sending all other unknown files to the WildFire public cloud for comprehensive analysis and prompt verdict returns.
    1. Select Objects > Security Profiles > WildFire Analysis, Add a new WildFire analysis profile, and give the profile a descriptive Name.
    2. Add a profile rule to define traffic to be forwarded for analysis and give the rule a descriptive Name, such as local-PDF-analysis.
    3. Define the profile rule to match unknown traffic and to forward samples for analysis based on:
      • Applications: Forward files for analysis based on the application in use.
      • File Types: Forward files for analysis based on file types, including links contained in email messages. For example, select PDF to forward unknown PDFs detected by the firewall for analysis.
      • Direction: Forward files for analysis based on the transmission direction of the file (upload, download, or both). For example, select both to forward all unknown PDFs for analysis, regardless of the transmission direction.
    4. Set the Analysis location to which the firewall forwards files matched to the rule.
      • Select public-cloud to forward matching samples to the WildFire public cloud for analysis.
      • Select private-cloud to forward matching samples to a WildFire private cloud for analysis.
        For example, to analyze PDFs that could contain sensitive or proprietary information without sending these documents out of your network, set the Analysis location for the rule local-PDF-analysis to private-cloud.
      Different rules can forward matched samples to different analysis locations, depending on your needs. The example above shows a rule that forwards sensitive file types for local analysis in a WildFire private cloud. You could create another rule to forward less sensitive file types, such as PEs, to the WildFire public cloud. This flexibility is supported with a WildFire Hybrid Cloud deployment.
      In a hybrid cloud deployment, files that match to both private-cloud and public-cloud rules are forwarded only to the private cloud as a cautionary measure.
    5. (Optional) Continue to add rules to the WildFire analysis profile as needed. For example, you could add a second rule to the profile to forward Android application package (APK), Portable Executable (PE), and Flash files to the WildFire public cloud for analysis.
    6. Click OK to save the WildFire analysis profile.
  5. (Optional) Allocate WildFire appliance resources to analyze either documents or executables.
    If you are deploying a hybrid cloud to analyze specific file types locally and in the WildFire global cloud, you can dedicate analysis environments to process a file type. This allows you to better allocate resources according to your analysis environment configuration. If you do not dedicate resources for an analysis environment, resources are allocated using default settings.
    Use the following CLI command:
    admin@WF-500# set deviceconfig setting wildfire preferred-analysis-environment documents | executables | default
    and choose from one of the following options:
    • documents: Dedicate analysis resources to concurrently analyze 25 documents, 1 PE, and 2 email links.
    • executables: Dedicate analysis resources to concurrently analyze 25 PEs, 1 document, and 2 email links.
    • default: The appliance concurrently analyzes 16 documents, 10 portable executables (PE), and 2 email links.
    Confirm that all WildFire appliance processes are running by running the following command:
    admin@WF-500> show system software status
  6. Attach the WildFire Analysis profile to a security policy rule.
    Traffic allowed by the security policy rule is evaluated against the attached WildFire analysis profile; the firewall forwards traffic matched to the profile for WildFire analysis.
    1. Select Policies > Security and Add or modify a policy rule.
    2. Click the Actions tab within the policy rule.
    3. In the Profile Settings section, select Profiles as the Profile Type and select a WildFire Analysis profile to attach to the policy rule.
  7. Review and implement WildFire Best Practices.
  8. Click Commit to apply the WildFire settings.
  9. Choose what to do next...
    • Verify WildFire Submissions to confirm that the firewall is successfully forwarding files for WildFire analysis.
    • (WildFire Private Cloud Only) Submit Malware or Reports from the WildFire Appliance. Enable this feature to automatically forward malware identified in your WildFire private cloud to the WildFire public cloud. The WildFire public cloud re-analyzes the sample and generates a signature if the sample is malware. The signature is distributed to global users through WildFire signature updates.
    • Monitor WildFire Activity to assess alerts and details reported for malware.
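
Added example (not Palo Alto Networks code): a simplified Python model of the profile rule matching from step 4 and the hybrid cloud precedence, used to audit whether a sensitive file type can reach the public cloud. The Rule class, the lowercase file-type labels, the smtp application and the sample profile are constructed for illustration.

```python
from dataclasses import dataclass, replace

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset  # application names, or {"any"}
    file_types: frozenset    # file type labels, or {"any"}
    direction: str           # "upload", "download" or "both"
    analysis: str            # "public-cloud" or "private-cloud"

    def matches(self, app, file_type, direction):
        return ((ANY in self.applications or app in self.applications)
                and (ANY in self.file_types or file_type in self.file_types)
                and self.direction in ("both", direction))

def destination(rules, app, file_type, direction):
    """Analysis location for an unknown sample, or None if no rule forwards it."""
    hits = {r.analysis for r in rules if r.matches(app, file_type, direction)}
    if "private-cloud" in hits:  # a private-cloud match wins over a public-cloud match
        return "private-cloud"
    return "public-cloud" if hits else None

def audit(rules, sensitive_types, apps, file_types):
    """Return every (app, type, direction, destination) where a sensitive type
    is not resolved to the private cloud."""
    findings = []
    for app in apps:
        for ft in file_types:
            for d in ("upload", "download"):
                dest = destination(rules, app, ft, d)
                if ft in sensitive_types and dest != "private-cloud":
                    findings.append((app, ft, d, dest))
    return findings

# Constructed profile: the private rule covers downloads only, so uploaded
# PDFs fall through to the catch-all public-cloud rule.
PROFILE = [
    Rule("local-PDF-analysis", frozenset({ANY}), frozenset({"pdf"}),
         "download", "private-cloud"),
    Rule("public-everything", frozenset({ANY}), frozenset({ANY}),
         "both", "public-cloud"),
]
# Same profile with the private rule's Direction set to both, as in step 4.
PROFILE_FIXED = [replace(PROFILE[0], direction="both"), PROFILE[1]]

if __name__ == "__main__":
    for finding in audit(PROFILE, {"pdf"}, ["web-browsing", "smtp"], ["pdf", "pe"]):
        print("sensitive type not kept private:", finding)
```

The private-cloud precedence only protects a sample that actually matches a private-cloud rule, so a sensitive file type needs a private rule covering every application and direction that a broader public-cloud rule covers.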
