A Palo Alto Networks firewall can extract HTTP/HTTPS
links contained in SMTP and POP3 email messages and forward the
links for WildFire analysis. The firewall only extracts links and
associated session information (sender, recipient, and subject)
from email messages; it does not receive, store, forward, or view
the email message.
WildFire visits submitted links to determine if the corresponding
web page hosts any exploits or displays phishing activity. A link
that WildFire finds to be malicious or phishing is:
- Recorded on the firewall as a WildFire Submissions log
  entry. The WildFire analysis report that details the behavior and
  activity observed for the link is available for each WildFire Submissions
  log entry. The log entry also includes the email header information (email sender,
  recipient, and subject) so that you can identify the message and
  delete it from the mail server, or mitigate the threat if the email has
  been delivered or opened.
- Added to PAN-DB, and the URL is categorized as malware.
The firewall forwards email links in batches of 100 email links
or every two minutes (depending on which limit is hit first). Each
batch upload to WildFire counts as one upload toward the upload
per-minute capacity for the given firewall (see Capacity by Model for
PAN-OS 8.1, 9.0, 9.1, 10.0, 10.1). If a link included
in an email corresponds to a file download instead of a URL, the
firewall forwards the file only if the corresponding file type is
enabled for WildFire analysis.
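
The batching rule above determines how many uploads email links consume against the per-minute capacity. The following Python sketch is an added example, not Palo Alto Networks code; it assumes the two-minute timer starts when the first link enters an empty batch and that empty batches are not uploaded, neither of which this page states. The sample timestamps are constructed.

```python
from collections import Counter

BATCH_MAX_LINKS = 100   # from the page: batches of 100 email links
BATCH_MAX_AGE_S = 120   # from the page: or every two minutes


def batch_uploads(link_times):
    """Return [(upload_time_s, link_count), ...] for extracted-link timestamps.

    Assumption (not stated on the page): the two-minute timer starts when the
    first link lands in an empty batch, and empty batches are never uploaded.
    """
    uploads = []
    batch_start = None
    count = 0
    for t in sorted(link_times):
        # The timer expired before this link arrived: flush the pending batch.
        if count and t - batch_start >= BATCH_MAX_AGE_S:
            uploads.append((batch_start + BATCH_MAX_AGE_S, count))
            count = 0
        if count == 0:
            batch_start = t
        count += 1
        # The size limit was hit first: flush immediately.
        if count == BATCH_MAX_LINKS:
            uploads.append((t, count))
            count = 0
    if count:
        # Remaining links go out when their timer expires.
        uploads.append((batch_start + BATCH_MAX_AGE_S, count))
    return uploads


def uploads_per_minute(uploads):
    """Count batch uploads per wall-clock minute; each batch is one upload."""
    return dict(Counter(int(t // 60) for t, _ in uploads))


# Constructed sample: 250 links extracted in the same second, then a trickle.
SAMPLE = [0] * 250 + [300, 330, 400]

if __name__ == "__main__":
    batches = batch_uploads(SAMPLE)
    print(batches)                      # (upload time in seconds, links in batch)
    print(uploads_per_minute(batches))  # uploads charged per minute
```
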
To enable the firewall to forward links included in emails for
WildFire analysis, see Forward Files for WildFire Analysis
(PAN-OS 8.1, 9.0, 9.1, 10.0, 10.1). With a PAN-DB URL
Filtering license, you can also block user access to malicious and