set deviceconfig setting wildfire

Description

Configure Wildfire settings on the WildFire appliance. You can configure forwarding of malicious files, define the cloud server that receives malware infected files, and enable or disable the vm-interface.

Hierarchy Location

set deviceconfig setting

Syntax

wildfire { 
active-vm {vm-1 | vm-2 | vm-3 | vm-4 | vm-5 | <value>}; 
cloud-server <value>; 
custom-dns-name <value>; 
preferred-analysis-environment {Documents | Executables | default}; 
vm-network-enable {no | yes}; 
vm-network-use-tor {enable 
| disable}; 
cloud-intelligence { 
cloud-query {no | yes};submit-diagnostics {no | yes}; 
submit-report {no | yes}; 
submit-sample {no | yes}; 
} 
file-retention { 
malicious {indefinite | <1-2000>}; 
non-malicious <1-90> 
} 
signature-generation { 
av {no | yes}; 
dns {no | yes}; 
url {no | yes}; 
} 
} 

Options

+ active-vm — Select the virtual machine environment that WildFire will use for sample analysis. Each vm has a different configuration, such as Windows XP, a specific versions of Flash, Adobe reader, etc. To view which VM is selected, run the following command: show wildfire status and view the Selected VM field. To view the VM environment information, run the following command : show wildfire vm-images.
+ cloud-server — Hostname for the cloud server that the appliance will forward malicious samples/reports to for a re-analysis. The default cloud server is wildfire-public-cloud. To configure forwarding, use the following command: set deviceconfig setting wildfire cloud-intelligence.
+ custom-dns-name — Configure a custom DNS name to use in server certificates and the WildFire server list instead of the default DNS name wfpc.sevice.<clustername>.<domain>.
+ preferred-analysis-environment — Allocate the majority of the resources to document analysis or to executable analysis, depending on the type of samples most often analyzed in your environment. The default allocation balances resources between document and executable samples. For example, to allocate the majority of the analysis resources to documents: set deviceconfig setting wildfire preferred-analysis-environment Documents.
+ vm-network-enable — Enable or disable the vm-network. When enabled, sample files running in the virtual machine sandbox can access the Internet. This helps WildFire better analyze the behavior of the malware to look for things like phone home activity.
+ vm-network-use-tor — Enable or disable the Tor network for the vm-interface. When this option is enabled, any malicious traffic coming from the sandbox systems on the WildFire appliance during sample analysis is sent through the Tor network. The Tor network will mask your public facing IP address, so the owners of the malicious site cannot determine the source of the traffic.
> cloud-intelligence — Configure the appliance to submit WildFire diagnostics, reports or samples to the Palo Alto Networks WildFire cloud, or to automatically query the public WildFire cloud before performing local analysis to conserve WildFire appliance resources. The submit report option sends reports for malicious samples to the cloud for statistical gathering. The submit sample option sends malicious samples to the cloud. If submit-sample enabled, you don’t need to enable submit-report because the cloud re-analyzes the sample and a new report and signature is generated if the sample is malicious.
> file-retention — Configure how long to save malicious (malware and phishing) samples and non-malicious (grayware and benign) samples. The default for malicious samples is indefinite (never delete). The default for non-malicious samples is 14 days. For example, to retain non-malicious samples for 30 days: set deviceconfig setting wildfire file-retention non-malicious 30.
> signature-generation — Enable the appliance to generate signatures locally, eliminating the need to send any data to the public cloud in order to block malicious content. The WildFire appliance will analyze files forwarded to it from Palo Alto Networks firewalls or from the WildFire API and generate antivirus and DNS signatures that block both the malicious files as well as associated command and control traffic. When the appliance detects a malicious URL, it sends the URL to PAN-DB and PAN-DB assigns it the malware category.

Sample Output

The following shows an example output of the WildFire settings.
admin@WF-500# show deviceconfig setting wildfire 
wildfire { 
signature-generation { 
    av yes; 
    dns yes; 
    url yes; 
} 
cloud-intelligence { 
submit-report no; 
submit-sample yes; 
submit-diagnostics yes; 
cloud-query yes; 
} 
file-retention { 
non-malicious 30; 
malicious 1000; 
{ 
active-vm vm-5; 
cloud-server wildfire-public-cloud; 
vm-network-enable yes; 
} 

Related Documentation