Forward Files For WildFire Appliance Analysis
Advanced WildFire Powered by Precision AI™
Where Can I Use This?
  • WildFire Appliance
What Do I Need?
  • WildFire License
Configure Palo Alto Networks firewalls to forward unknown files or email links, as well as blocked files that match existing antivirus signatures, for analysis. Use the WildFire Analysis profile to define which files to forward to the WildFire private cloud (or additionally to the public cloud for hybrid cloud deployments), and then attach the profile to a security rule to trigger inspection for zero-day malware.
Specify traffic to be forwarded for analysis based on the application in use, the file type detected, links contained in email messages, or the transmission direction of the sample (upload, download, or both). For example, you can set up the firewall to forward Portable Executables (PEs) or any files that users attempt to download during a web-browsing session. In addition to unknown samples, the firewall forwards blocked files that match existing antivirus signatures. This provides Palo Alto Networks a valuable source of threat intelligence based on malware variants that signatures successfully prevented but neither WildFire nor the firewall has seen before.
You can extend WildFire analysis resources to a WildFire Hybrid Cloud by configuring the firewall to continue to forward sensitive files to your WildFire private cloud for local analysis, and to forward less sensitive or unsupported file types to the WildFire public cloud.
Additionally, you can dedicate WildFire appliance resources to analyze specific file types: either documents (Microsoft Office files and PDFs) or PEs. For example, if you deploy a WildFire Hybrid Cloud to analyze documents locally and PEs in one of the WildFire public clouds, you can dedicate all analysis environments to documents. This allows you to offload analysis of PEs to the public cloud, allowing you to allocate additional WildFire appliance resources to process sensitive documents.
Before you begin:
  • If another firewall resides between the firewall you are configuring to forward files and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle allows the following ports:
    Port 443 is used for:
    • Registration
    • PCAP Downloads
    • Sample Downloads
    • Report Retrieval
    • File Submission
    • PDF Report Downloads
    Port 10443 is used for Dynamic Updates.
  1. (PA-7000 Series Firewalls Only) To enable a PA-7000 Series firewall to forward samples for WildFire analysis, you must first configure a data port on an NPC as a Log Card interface. If you have a PA-7000 series appliance equipped with an LFC (log forwarding card), you must configure a port used by the LFC. When configured, the log card port or the LFC interface takes precedence over the management port when forwarding WildFire samples.
  2. Specify the WildFire private or hybrid cloud to which you want to forward samples.
    Select Device > Setup > WildFire and edit the General Settings based on your WildFire cloud deployment (private or hybrid).
    WildFire Private Cloud:
    1. Enter the IP address or FQDN of the WildFire appliance in the WildFire Private Cloud field.
    WildFire Hybrid Cloud:
    1. Enter the WildFire Public Cloud URL:
      • United States: wildfire.paloaltonetworks.com
      • Europe: eu.wildfire.paloaltonetworks.com
      • Japan: jp.wildfire.paloaltonetworks.com
      • Singapore: sg.wildfire.paloaltonetworks.com
      • United Kingdom: uk.wildfire.paloaltonetworks.com
      • Canada: ca.wildfire.paloaltonetworks.com
      • Australia: au.wildfire.paloaltonetworks.com
      • Germany: de.wildfire.paloaltonetworks.com
      • India: in.wildfire.paloaltonetworks.com
      • Switzerland: ch.wildfire.paloaltonetworks.com
      • Poland: pl.wildfire.paloaltonetworks.com
      • Indonesia: id.wildfire.paloaltonetworks.com
      • Taiwan: tw.wildfire.paloaltonetworks.com
      • France: fr.wildfire.paloaltonetworks.com
      • Qatar: qatar.wildfire.paloaltonetworks.com
      • South Korea: kr.wildfire.paloaltonetworks.com
      • Israel: il.wildfire.paloaltonetworks.com
      • Saudi Arabia: sa.wildfire.paloaltonetworks.com
      • Spain: es.wildfire.paloaltonetworks.com
    2. Enter the IP address or FQDN of the WildFire appliance in the WildFire Private Cloud field.
  3. Define the size limits for files the firewall forwards and configure WildFire logging and reporting settings.
    Continue editing WildFire General Settings (Device > Setup > WildFire).
    • Review the File Size Limits for files forwarded from the firewall.
      It is a recommended WildFire best practice to set the File Size for PEs to the maximum size limit of 10 MB, and to leave the File Size for all other file types set to the default value.
    • Select Report Benign Files to allow logging for files that receive a WildFire verdict of benign.
    • Select Report Grayware Files to allow logging for files that receive a WildFire verdict of grayware.
    • Define what session information is recorded in WildFire analysis reports by editing the Session Information Settings. By default, all session information is displayed in WildFire analysis reports. Clear the check boxes to remove the corresponding fields from WildFire analysis reports and click OK to save the settings.
  4. (Panorama Only) Configure Panorama to gather additional information about samples collected from firewalls running a PAN-OS version prior to PAN-OS 7.0.
    Some WildFire Submissions log fields introduced in PAN-OS 7.0 are not populated for samples submitted by firewalls running earlier software versions. If you are using Panorama to manage firewalls running software versions earlier than PAN-OS 7.0, Panorama can communicate with WildFire to gather complete analysis information for samples submitted by those firewalls from the defined WildFire Server (the WildFire global cloud, by default) to complete the log details.
    Select Panorama > Setup > WildFire and enter a WildFire Server if you’d like to modify the default setting to instead allow Panorama to gather details from the specified WildFire cloud or from a WildFire appliance.
  5. Define traffic to forward for WildFire analysis.
    If you have a WildFire appliance set up, you can use both the private cloud and the public cloud in a hybrid cloud deployment. Analyze sensitive files locally on your network, while sending all other unknown files to the WildFire public cloud for comprehensive analysis and prompt verdict returns.
    1. Select Objects > Security Profiles > WildFire Analysis, Add a new WildFire analysis profile, and give the profile a descriptive Name.
    2. Add a profile rule to define traffic to be forwarded for analysis and give the rule a descriptive Name, such as local-PDF-analysis.
    3. Define the unknown traffic that the profile rule matches and forwards for analysis, based on:
      • Applications—Forward files for analysis based on the application in use.
      • File Types—Forward files for analysis based on file types, including links contained in email messages. For example, select PDF to forward unknown PDFs detected by the firewall for analysis.
      • Direction—Forward files for analysis based on the transmission direction of the file (upload, download, or both). For example, select both to forward all unknown PDFs for analysis, regardless of the transmission direction.
    4. Set the Analysis location to which the firewall forwards files matched to the rule.
      • Select public-cloud to forward matching samples to the WildFire public cloud for analysis.
      • Select private-cloud to forward matching samples to a WildFire private cloud for analysis.
        For example, to analyze PDFs that could contain sensitive or proprietary information without sending these documents out of your network, set the Analysis location for the rule local-PDF-analysis to private-cloud.
      Different rules can forward matched samples to different analysis locations, depending on your needs. The example above shows a rule that forwards sensitive file types for local analysis in a WildFire private cloud. You could create another rule to forward less sensitive file types, such as PEs, to the WildFire public cloud. This flexibility is supported with a WildFire hybrid cloud deployment.
      In a hybrid cloud deployment, files that match to both private-cloud and public-cloud rules are forwarded only to the private cloud as a cautionary measure.
    5. (Optional) Continue to add rules to the WildFire analysis profile as needed. For example, you could add a second rule to the profile to forward Android application package (APK), Portable Executable (PE), and Flash files to the WildFire public cloud for analysis.
    6. Click OK to save the WildFire analysis profile.
  6. (Optional) Allocate WildFire appliance resources to analyze either documents or executables.
    If you are deploying a hybrid cloud to analyze specific file types locally and in the WildFire public cloud, you can dedicate analysis environments to process a file type. This allows you to better allocate resources according to your analysis environment configuration. If you do not dedicate resources for an analysis environment, resources are allocated using default settings.
    Use the following CLI command:
    admin@WF-500# set deviceconfig setting wildfire preferred-analysis-environment <documents | executables | default>
    and choose from one of the following options:
    • documents—Dedicate analysis resources to concurrently analyze 25 documents, 1 PE, and 2 email links.
    • executables—Dedicate analysis resources to concurrently analyze 25 PEs, 1 document, and 2 email links.
    • default—The appliance concurrently analyzes 16 documents, 10 portable executables (PE), and 2 email links.
    Confirm that all WildFire appliance processes are running by running the following command:
    admin@WF-500> show system software status
  7. Attach the WildFire Analysis profile to a security policy rule.
    Traffic allowed by the security policy rule is evaluated against the attached WildFire analysis profile; the firewall forwards traffic matched to the profile for WildFire analysis.
    1. Select Policies > Security and Add or modify a policy rule.
    2. Click the Actions tab within the policy rule.
    3. In the Profile Settings section, select Profiles as the Profile Type and select a WildFire Analysis profile to attach to the policy rule.
  8. Make sure to enable the firewall to also Forward Decrypted SSL Traffic for WildFire Analysis.
  9. Review and implement WildFire Best Practices.
  10. Click Commit to apply the WildFire settings.
  11. (Optional) Verify WildFire Submissions.
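The following is an added illustration, not code from PAN-OS or from this guide: a small evaluator that models how the rules of a WildFire Analysis profile decide where a sample is forwarded, including the hybrid-cloud precedence from step 5 (a sample matching both private-cloud and public-cloud rules goes only to the private cloud) and the 10 MB PE size limit from step 3. The third rule (web-downloads), the application names and the interpretation of MB as MiB are assumptions made for the example.

```python
from dataclasses import dataclass

PRIVATE, PUBLIC = "private-cloud", "public-cloud"


@dataclass(frozen=True)
class Rule:
    """One WildFire Analysis profile rule; empty applications/file_types mean 'any'."""
    name: str
    applications: frozenset
    file_types: frozenset
    direction: str  # "upload", "download" or "both"
    analysis: str   # PRIVATE or PUBLIC


@dataclass(frozen=True)
class Sample:
    application: str
    file_type: str
    direction: str  # "upload" or "download"
    size_bytes: int


def rule_matches(rule: Rule, sample: Sample) -> bool:
    """All configured criteria must match; direction 'both' covers either direction."""
    if rule.applications and sample.application not in rule.applications:
        return False
    if rule.file_types and sample.file_type not in rule.file_types:
        return False
    return rule.direction in ("both", sample.direction)


def forward_destination(rules, sample, size_limits):
    """Return PRIVATE, PUBLIC or None. Samples over the File Size limit for their type are
    not forwarded; a sample matching both private- and public-cloud rules goes only private."""
    limit = size_limits.get(sample.file_type)
    if limit is not None and sample.size_bytes > limit:
        return None
    found = {r.analysis for r in rules if rule_matches(r, sample)}
    return PRIVATE if PRIVATE in found else PUBLIC if PUBLIC in found else None


# Constructed profile modelled on the page: PDFs stay local, binaries go public, and an
# assumed broad web-download rule overlaps the PDF rule to exercise the precedence case.
HYBRID_PROFILE = (
    Rule("local-PDF-analysis", frozenset(), frozenset({"pdf"}), "both", PRIVATE),
    Rule("public-binaries", frozenset(), frozenset({"apk", "pe", "flash"}), "both", PUBLIC),
    Rule("web-downloads", frozenset({"web-browsing"}), frozenset(), "download", PUBLIC),
)
# PE limit at the page's recommended 10 MB maximum (MiB assumed); other defaults are not given here.
SIZE_LIMITS = {"pe": 10 * 1024 * 1024}
```

A PDF downloaded over web-browsing matches both the private and public rules and therefore resolves to the private cloud; a 12 MB PE exceeds the limit and is not forwarded at all.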