WildFire Example

The following example scenario summarizes the full WildFire™ lifecycle. In this example, a sales representative from Palo Alto Networks downloads a new software sales tool that a sales partner uploaded to Dropbox. The sales partner unknowingly uploaded an infected version of the sales tool install file and the sales rep then downloads the infected file.
This example demonstrates how a Palo Alto Networks firewall, in conjunction with WildFire, can discover zero-day malware downloaded by an end user, even when the traffic is SSL encrypted. After WildFire identifies the malware, a log is sent to the firewall, and the firewall alerts the administrator, who then contacts the user to eradicate the malware. WildFire then generates a new signature for the malware, and firewalls with a Threat Prevention or WildFire subscription automatically download the signature to protect against future exposure. Although some file sharing web sites have an antivirus feature that checks files as they are uploaded, such features can only protect against known malware.
This example uses a web site that uses SSL encryption. In this case, the firewall has decryption enabled, including the option to forward decrypted content for analysis.
  1. The sales person from the partner company uploads a sales tool file named sales-tool.exe to his Dropbox account and then sends an email to the Palo Alto Networks sales person with a link to the file.
  2. The Palo Alto sales person receives the email from the sales partner and clicks the download link, which takes her to the Dropbox site. She then clicks Download to save the file to her desktop.
    example-dropbox-email.png
  3. The firewall that is protecting the Palo Alto sales rep has a WildFire Analysis profile rule attached to a security policy rule that looks for files in any application that is used to download or upload any of the supported file types. The firewall can also be configured to forward the email-link file type, which enables the firewall to extract HTTP/HTTPS links contained in SMTP and POP3 email messages. As soon as the sales rep clicks Download, the firewall forwards the sales-tool.exe file to WildFire, where the file is analyzed for zero-day malware. Even though the sales rep is using Dropbox, which is SSL encrypted, the firewall is configured to decrypt traffic, so all traffic can be inspected. The following screenshots show the WildFire Analysis profile rule, the security policy rule with the WildFire Analysis profile rule attached, and the option to allow forwarding of decrypted content enabled.
    example-fileblock.png
    example-securitypolicy.png
    example-allow-forwarding.png
  4. At this point, WildFire has received the file and is analyzing it for more than 200 different malicious behaviors.
  5. Within approximately five minutes, WildFire completes the file analysis and sends a WildFire log back to the firewall with the analysis results. In this example, the WildFire log shows that the file is malicious.
    example-wildfirelog-malicious.png
  6. The firewall is configured with a log forwarding profile that will send WildFire alerts to the security administrator when malware is discovered.
    example-log--forwarding-2.png
  7. The security administrator identifies the user by name (if User-ID is configured), or by IP address if User-ID is not enabled. At this point, the administrator can shut down the network or VPN connection that the sales representative is using and will then contact the desktop support group to work with the user to check and clean the system.
    By using the WildFire detailed analysis report, the desktop support person can determine whether the user's system is infected by comparing the files, processes, and registry information detailed in the report against the system. If the user ran the malware, the support person can attempt to clean the system manually or re-image it.
    example-report.png
  8. Now that the administrator has identified the malware and the user's system is being checked, how do you protect against future exposure? Answer: In this example, the administrator set a schedule on the firewall to download and install WildFire signatures every 15 minutes and to download and install Antivirus updates once per day. In less than an hour and a half after the sales rep downloaded the infected file, WildFire identified the zero-day malware, generated a signature, added it to the WildFire update signature database provided by Palo Alto Networks, and the firewall downloaded and installed the new signature. This firewall, and any other Palo Alto Networks firewall configured to download WildFire and antivirus signatures, is now protected against this newly discovered malware. The following screenshot shows the WildFire update schedule:
    example-dynamic-update-wf.png
    All of this occurs well before most antivirus vendors are even aware of the zero-day malware. In this example, within a very short period of time, the malware is no longer considered zero-day because Palo Alto Networks has already discovered it and has provided protection to customers to prevent future exposure.
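The triage that steps 5 through 7 describe (read the WildFire logs the firewall forwards, alert only on malicious verdicts, and name the user by User-ID or fall back to the IP address) as an added Python example; this is not Palo Alto Networks code, and the log lines, their simplified comma-separated field layout, and the hash values are all constructed for the example rather than the exact PAN-OS syslog format.

```python
import csv
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines: a simplified subset of WildFire log fields
# (time, type, subtype, src_ip, srcuser, app, verdict, filename, sha256).
# The repeated-digit hashes are placeholders, not real file digests.
SAMPLE_LOGS = """\
2024-03-01 10:02:11,THREAT,wildfire,10.1.20.57,acme\\jdoe,dropbox,benign,readme.pdf,1111111111111111111111111111111111111111111111111111111111111111
2024-03-01 10:07:44,THREAT,wildfire,10.1.20.57,acme\\jdoe,dropbox,malicious,sales-tool.exe,2222222222222222222222222222222222222222222222222222222222222222
2024-03-01 10:08:03,THREAT,wildfire,10.1.20.88,,web-browsing,malicious,sales-tool.exe,2222222222222222222222222222222222222222222222222222222222222222
2024-03-01 10:09:30,THREAT,vulnerability,10.1.20.57,acme\\jdoe,web-browsing,,,
"""


@dataclass
class WildFireEvent:
    time: str
    src_ip: str
    src_user: str  # empty when User-ID is not enabled for this host
    app: str
    verdict: str
    filename: str
    sha256: str


def parse_wildfire_logs(text: str) -> List[WildFireEvent]:
    """Keep only THREAT records of subtype wildfire; other subtypes are skipped."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 9 or row[1] != "THREAT" or row[2] != "wildfire":
            continue
        t, _, _, ip, user, app, verdict, fname, digest = row
        events.append(WildFireEvent(t, ip, user, app, verdict, fname, digest))
    return events


def identify_user(ev: WildFireEvent) -> str:
    """Step 7: name the user from User-ID when present, otherwise use the IP."""
    return ev.src_user if ev.src_user else ev.src_ip


def triage(events: List[WildFireEvent]) -> List[Dict[str, str]]:
    """Step 6: one alert per (host, sha256) for malicious verdicts only."""
    seen, alerts = set(), []
    for ev in events:
        if ev.verdict != "malicious" or (ev.src_ip, ev.sha256) in seen:
            continue
        seen.add((ev.src_ip, ev.sha256))
        alerts.append({"who": identify_user(ev), "host": ev.src_ip, "app": ev.app,
                       "file": ev.filename, "sha256": ev.sha256, "time": ev.time})
    return alerts


def affected_hosts(alerts: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group alerts by sample hash so desktop support sees every host to check."""
    hosts: Dict[str, List[str]] = {}
    for a in alerts:
        hosts.setdefault(a["sha256"], []).append(a["host"])
    return hosts
```

The same sample hash appearing on a second host is the signal that the scope of the cleanup is wider than the one user who opened the ticket.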
