WildFire API Best Practices

Palo Alto Networks recommends adhering to the following best practices when using the WildFire API:
  • Do not distribute or share the API key with users that do not require access to WildFire API functions.
  • Do not embed API keys in code or application source tree files. This can inadvertently expose the API key. Instead, consider storing the API key in environment variables or in files that are excluded from your application source tree.
  • WildFire API sample submissions are processed using the following interaction flow:
    The API response resolution time varies based on several factors; consider the following:
    • After submitting a sample for analysis, wait at least 30 seconds before querying for response(s).
    • Samples that undergo full dynamic analysis can take up to 5 minutes.
  • Perform hash lookups before submitting files. Client applications should calculate the sample hash locally and use the GetVerdict API to first check whether a WildFire result is known for a given sample or not. If the verdict response from WildFire indicates an unknown verdict (-100), then the client application should submit the unknown sample for analysis.
  • Return WildFire response codes in logs to improve troubleshooting. Custom error codes can cause confusion if assistance is needed while troubleshooting. For information about the response codes, refer to WildFire API Error Codes.
  • WildFire API cloud configuration
    • Palo Alto Networks maintains a high level of WildFire availability, but it does have scheduled downtimes for upgrades and maintenance. To avoid service disruption, automatically switch to a secondary WildFire API cloud if the primary does not respond after 10 minutes. Downtimes are published on the Palo Alto Networks Status Page.
    • When configuring your primary and secondary WildFire API cloud selections, be sure to select an instance that meets your data residency requirements.
  • Do not enable in-line synchronous analysis. There are scenarios when it might seem like a good idea to directly integrate file upload flow in a client application with WildFire. However, given the asynchronous nature of the WildFire analysis process, as well as the overall time that it can take to analyze one sample (time can vary from seconds to minutes based on the attributes of the sample), Palo Alto Networks does not recommend blocking client application end-users in the WildFire scanning stage. Letting WildFire perform sample analysis in the background provides a better client application user experience.
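
The lookup-before-submit flow and the timing guidance above, as an added Python example (not Palo Alto Networks code). `get_verdict` and `submit` are hypothetical caller-supplied wrappers around the WildFire API requests, `WILDFIRE_API_KEY` is an assumed variable name, and -100 is used as the unknown code because that is the value this page gives.

```python
import hashlib
import os
import time

UNKNOWN = -100           # "unknown verdict" code as given on this page
FIRST_POLL_DELAY = 30    # seconds to wait after submitting, per this page
MAX_ANALYSIS_TIME = 300  # full dynamic analysis can take up to 5 minutes


def load_api_key(env=os.environ):
    """Read the key from the environment instead of the source tree."""
    key = env.get("WILDFIRE_API_KEY")  # assumed variable name
    if not key:
        raise RuntimeError("WILDFIRE_API_KEY is not set")
    return key


def check_sample(data, get_verdict, submit, sleep=time.sleep, poll_every=30):
    """Hash locally, look up the verdict, submit only if it is unknown.

    get_verdict(sha256_hex) -> int and submit(data) -> None are hypothetical
    wrappers around the WildFire API calls. Returns a tuple
    (sha256_hex, verdict, submitted). Call this from a background worker,
    not from the end-user's upload request.
    """
    digest = hashlib.sha256(data).hexdigest()
    verdict = get_verdict(digest)
    if verdict != UNKNOWN:
        return digest, verdict, False    # known sample: no upload needed

    submit(data)
    sleep(FIRST_POLL_DELAY)              # do not query before 30 seconds
    waited = FIRST_POLL_DELAY
    while True:
        verdict = get_verdict(digest)
        if verdict != UNKNOWN or waited >= MAX_ANALYSIS_TIME:
            # Hand back the raw WildFire code so logs carry it unchanged.
            return digest, verdict, True
        sleep(poll_every)
        waited += poll_every
```
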
