Get Started with WildFire
- Get your WildFire Subscription. If you do not have a WildFire subscription, you can still forward PEs for WildFire analysis.
- Decide which of the WildFire Deployments works for you:
- WildFire global cloud—Forward samples to a Palo Alto Networks-hosted WildFire public cloud.
- WildFire private cloud—(Requires a WildFire appliance) Forward samples to a local WildFire appliance that resides on your network.
- WildFire hybrid cloud—(Requires a WildFire appliance) Forward some samples to the WildFire public cloud and some samples to a WildFire private cloud.
- (WildFire private and hybrid cloud only) Set Up and Manage a WildFire Appliance, including Upgrading the WildFire Appliance to the latest release version. Firewalls connected to the appliance must be running the same release version.
your WildFire license is active on the firewall.
- Log in to the firewall.
- Select Device > Licenses and check that the WildFire License is active. If the WildFire License is not displayed, select one of the License Management options to activate the license.
- Connect the firewall to WildFire and configure WildFire
- Select Device > Setup > WildFire and edit General Settings.
- Use the WildFire Private Cloud and WildFire Public Cloud fields to specify the WildFire Deployments to which you want to forward samples.
- Define the size limits for files the firewall forwards and configure WildFire logging and reporting settings.
- Click OK to save the WildFire General Settings.
- Enable the firewall to Forward Decrypted SSL Traffic for WildFire Analysis.
- Start submitting samples for WildFire analysis.
- Define traffic to forward for WildFire analysis. (Select Objects > Security Profiles > WildFire Analysis and modify or Add a WildFire Analysis profile.) As a best practice, use the WildFire Analysis default profile to ensure complete WildFire coverage for traffic the firewall allows. If you still decide to create a custom WildFire Analysis profile, set the profile to forward Any file type—this enables the firewall to automatically start forwarding newly-supported file types for analysis.
- For each profile rule, set the WildFire Deployments Destination to which you want the firewall to forward samples for analysis—public-cloud or the private-cloud.
- Attach the WildFire Analysis profile to a security policy rule. Traffic matched to the policy rule is forwarded for WildFire analysis (select Policies > Security and Add or modify a security policy rule).
the firewall to get the latest WildFire signatures. New WildFire signatures are made available every five minutes to detect and identify malware.
- Select Device > Dynamic Updates:
- (WildFire public and hybrid cloud) Check that WildFire updates are displayed.
- (WildFire private and hybrid cloud) Check that WF-Private updates are displayed. For the firewall to receive signatures from a WildFire appliance, you must enable the WildFire appliance to locally generate signatures and URL categories.
- Select Check Now to retrieve the latest signature update packages.
- Set the Schedule to download and install the latest WildFire signatures.
- Use the Recurrence field to set the frequency at which the firewall checks for new updates to Every Minute. As new WildFire signatures are available every five minutes, this setting ensures the firewall retrieves these signatures within a minute of availability.
- Enable the firewall to Download and Install these updates as the firewall retrieves them.
- Click OK.
- Start scanning traffic for threats, including malware that WildFire identifies. Attach the default Antivirus profile to a security policy rule to scan traffic the rule allows based on WildFire antivirus signatures (select Policies > Security and add or modify the defined Actions for a rule).
- Control site access to web sites where WildFire has identified the associated link as malicious or phishing. This option requires a PAN-DB URL Filtering license. Learn more about URL Filtering and how it enables you to control web site access and corporate credential submissions (to prevent phishing attempts) based on URL category.
- Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
- Select Categories and define Site Access for the phishing and malicious URL categories.
- Block users from accessing sites in these categories altogether, or instead, allow access but generate an Alert when users access sites in these categories, to ensure you have visibility into such events.
- Enable Credential Phishing Prevention to stop users from submitting credentials to untrusted sites, without blocking their access to these sites.
- Apply the new or updated URL Filtering profile, and attach it to a security policy rule to apply the profile settings to allowed traffic:
- Select Policies > Security and Add or modify a security policy rule.
- Select Actions and in the Profile Setting section, set the Profile Type to Profiles.
- Attach the new or updated URL Filtering profile to the security policy rule.
- Click OK to save the security policy rule.
that the firewall is successfully forwarding samples.
- If you enabled logging of benign files in Step , select Monitor > WildFire Submissions and check that entries are being logged for benign files submitted to WildFire. (If you’d like to disable logging of benign files after confirming that the firewall is connected to WildFire, select Device > Setup > WildFire and clear Report Benign Files.)
- Other options to allow you to confirm that the firewall forwarded a specific sample, view samples the firewall forwards according to file type, and to view the total number of samples the firewall forwards.
- Test a Sample Malware File to test your complete WildFire configuration.
- Investigate WildFire analysis results.
- Find WildFire analysis results:
- Use the Firewall to Monitor Malware and view WildFire analysis reports for a sample.
- View Reports on the WildFire Portal for all samples submitted to the WildFire public cloud, including samples that you manually submitted to the WildFire public cloud.
- Use the WildFire API to retrieve sample verdicts and reports from a WildFire appliance.
- Assess the risk of malware you find on your network with the AutoFocus threat intelligence portal. AutoFocus layers data from global WildFire submissions with statistics to identify pervasive and targeted malware on your network, within your industry, and globally.
- Next step: Review and implement WildFire Best Practices.