Session Information Sharing

In addition to forwarding unknown and blocked samples for analysis, the firewall also forwards information about the network session for a sample. Palo Alto Networks uses session information to learn more about the context of the suspicious network event, indicators of compromise related to the malware, affected hosts and clients, and applications used to deliver the malware.
The firewall is enabled to forward session information by default; however, you can adjust the default settings and choose what type of session information the firewall forwards to WildFire. On the firewall, select Device > Setup > WildFire and select or clear the following Session Information Settings:
  • Source IP—Forward the source IP address that sent the unknown file.
  • Source Port—Forward the source port that sent the unknown file.
  • Destination IP—Forward the destination IP address for the unknown file.
  • Destination Port—Forward the destination port for the unknown file.
  • Virtual System—Forward the virtual system that detected the unknown file.
  • Application—Forward the user application that transmitted the unknown file.
  • User—Forward the targeted user.
  • URL—Forward the URL associated with the unknown file.
  • Filename—Forward the name of the unknown file.
  • Email sender—Forward the sender of an unknown email link (the name of the email sender also appears in WildFire logs and reports).
  • Email recipient—Forward the recipient of an unknown email link (the name of the email recipient also appears in WildFire logs and reports).
  • Email subject—Forward the subject of an unknown email link (the email subject also appears in WildFire logs and reports).
