Verify File Forwarding
After the firewall is set up to Forward Files for WildFire Analysis, use the following options to verify the connection between the firewall and the WildFire public or private cloud, and to monitor file forwarding.
Several of the options to verify that a firewall is forwarding samples for WildFire analysis are CLI commands; for details on getting started with and using the CLI, refer to the PAN-OS CLI Quick Start Guide.
- Verify that the firewall is communicating with a WildFire server(s).
  Use the test wildfire registration command to verify that the firewall is connected to a WildFire private cloud, the WildFire public cloud, or both.
  The following example output is for a firewall in a WildFire Private Cloud deployment:
  The example output confirms that the firewall is connected to the WildFire private cloud, and is not connected to the WildFire public cloud (public cloud registration fails).
  If the firewall is configured in a WildFire Hybrid Cloud deployment, check that the firewall is successfully registered with and connected to both the WildFire public cloud and a WildFire private cloud.
- Verify the status of the firewall connection to the WildFire public and/or private cloud, including the total number of files forwarded by the firewall for analysis.
  Use the show wildfire status command to:
  - Check the status of the WildFire public and/or private cloud to which the firewall is connected. The status Idle indicates that the WildFire cloud (public or private) is ready to receive files for analysis.
  - Confirm the configured size limits for files forwarded by the firewall (Device > Setup > WildFire).
  - Monitor file forwarding, including the total count of files forwarded by the firewall for WildFire analysis. If the firewall is in a WildFire hybrid cloud deployment, the numbers of files forwarded to the WildFire public cloud and the WildFire private cloud are also displayed.
  The following example shows the show wildfire status output for a firewall in a WildFire private cloud deployment:
  To view forwarding information for only the WildFire public cloud or WildFire private cloud, use the following commands:
  - show wildfire status channel public
  - show wildfire status channel private
- View samples forwarded by the firewall according to file type (including email links).
  Use this option to confirm that email links are being forwarded for WildFire analysis, since only email links that receive a malicious or phishing verdict are logged as WildFire Submissions entries on the firewall, even if logging for benign and grayware samples is enabled. This is due to the sheer number of WildFire Submissions entries that would be logged for benign email links.
  Use the show wildfire statistics command to confirm the file types being forwarded to the WildFire public or private cloud:
  - The command displays the output of a working firewall and shows counters for each file type that the firewall forwards for WildFire analysis. If a counter field shows 0, the firewall is not forwarding that file type.
  - Confirm that email links are being forwarded for analysis by checking that the following counters do not show zero:
    - FWD_CNT_APPENDED_BATCH: Indicates the number of email links added to a batch waiting for upload to WildFire.
    - FWD_CNT_LOCAL_FILE: Indicates the total number of email links uploaded to WildFire.
- Verify that a specific sample was forwarded by the firewall and check the status of that sample.
  This option can be helpful when troubleshooting to:
  - Confirm that samples that have not yet received a WildFire verdict were correctly forwarded by the firewall. Because WildFire Submissions are logged on the firewall only when WildFire analysis is complete and the sample has received a WildFire verdict, use this option to verify the firewall forwarded a sample that is currently undergoing WildFire analysis.
  - Track the status for a single file or email link that was allowed according to your security policy, matched to a WildFire Analysis profile, and then forwarded for WildFire analysis.
  - Check that a firewall in a WildFire Hybrid Cloud deployment is forwarding the correct file types and email links to either the WildFire public cloud or a WildFire private cloud.
  Execute the following CLI commands on the firewall to view samples the firewall has forwarded for WildFire analysis:
  - View all samples forwarded by the firewall with the CLI command debug wildfire upload-log.
  - View only samples forwarded to the WildFire public cloud with the CLI command debug wildfire upload-log channel public.
  - View only samples forwarded to the WildFire private cloud with the CLI command debug wildfire upload-log channel private.
  The following example shows the output for the three commands listed above when issued on a firewall in a WildFire public cloud deployment:
- Monitor samples successfully submitted for WildFire analysis.
  Using the firewall web interface, select Monitor > Logs > WildFire Submissions. All files forwarded by a firewall to the WildFire public or private cloud for analysis are logged on the WildFire Submissions page.
  - Check the WildFire verdict for a sample:
    By default, only samples that receive malicious or phishing verdicts are displayed as WildFire Submissions entries. To enable logging for benign and/or grayware samples, select Device > Setup > WildFire > Report Benign Files / Report Grayware Files.
    Enable logging for benign files as a quick troubleshooting step to verify that the firewall is forwarding files. Check the WildFire Submissions logs to verify that files are being submitted for analysis and receiving WildFire verdicts (in this case, a benign verdict).
  - Confirm the analysis location for a sample:
    The WildFire Cloud column displays the location to which the file was forwarded and where it was analyzed (public cloud or private cloud). This is useful when deploying a WildFire Hybrid Cloud.
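The email-link counter check described above for show wildfire statistics can be scripted over saved command output. The following is an added example, not Palo Alto Networks code; it goes beyond the zero check by also comparing two captures to flag a counter that has stopped increasing. It assumes each counter appears on its own line as a name followed by an integer, which the page does not confirm, and the sample captures are constructed.

```python
import re

# Counters the page names as evidence that email links are being forwarded.
EMAIL_LINK_COUNTERS = ("FWD_CNT_APPENDED_BATCH", "FWD_CNT_LOCAL_FILE")

# Assumed layout (not confirmed by the page): NAME, then ':' / '=' or
# whitespace, then an integer, alone on a line.
_COUNTER_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)(?:\s*[:=]\s*|\s+)(\d+)\s*$")


def parse_counters(text):
    """Return {counter_name: value} for every line matching the assumed layout."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def check_email_link_forwarding(current, previous=None):
    """Classify each email-link counter as missing, zero, stalled or ok."""
    now = parse_counters(current)
    before = parse_counters(previous) if previous is not None else None
    result = {}
    for name in EMAIL_LINK_COUNTERS:
        if name not in now:
            result[name] = "missing"   # counter absent from the capture
        elif now[name] == 0:
            result[name] = "zero"      # page: 0 means not being forwarded
        elif before is not None and now[name] <= before.get(name, 0):
            result[name] = "stalled"   # no growth since the earlier capture
        else:
            result[name] = "ok"
    return result


# Constructed sample captures (not real firewall output).
CAPTURE_T0 = "FWD_CNT_APPENDED_BATCH    12\nFWD_CNT_LOCAL_FILE        9\n"
CAPTURE_T1 = "FWD_CNT_APPENDED_BATCH    12\nFWD_CNT_LOCAL_FILE        15\n"

if __name__ == "__main__":
    for name, state in check_email_link_forwarding(CAPTURE_T1, CAPTURE_T0).items():
        print(f"{name}: {state}")
```

A "stalled" result only means the counter did not grow between the two captures; it is a prompt to check whether email links were expected in that interval.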