WildFire Phishing Verdict

Check that the firewall has an active WildFire license and is connected to WildFire.
Blocking access to phishing sites requires a PAN-DB URL Filtering license, in addition to the WildFire license.
Select
Device
Licenses
to confirm that the WildFire License is active. If you are also planning to block access to phishing sites, confirm that the PAN-DB URL Filtering license is active.
Select
Device
Setup
WildFire
and confirm that the
WildFire Public Cloud
is set to:
wildfire.paloaltonetworks.com
Alternatively, you can connect the firewall to a WildFire regional cloud in the European Union (EU) or in Japan.
Verify that the firewall is enabled to forward email links for WildFire analysis.
Select

Objects

Security Profiles

WildFire Analysis

and confirm that at least one profile is configured to forward

email-link

or

any

File Types for WildFire analysis.

Select

Policies

Security

and then select a security profile rule to which you want to attach the WildFire Analysis Profile. In the

Actions

tab, select the WildFire Analysis profile that you want to use under Profile Settings:


Monitor phishing links.
View links the firewall forwarded that WildFire found to be phishing links:

Select

Monitor

WildFire Submissions

. The Verdict column displays Phishing for entries that record a phishing link. You can add the following filter to display only logs for phishing links:

(verdict eq phishing)

View phishing activity on the firewall ACC:

Select

ACC

Threat Activity

, view WildFire Activity By Type and select

phishing

.

View all phishing links WildFire has identified:

The WildFire portal displays the total number of WildFire submissions that were found to be phishing links in the last hour and the last 24 hours:


Select
Reports
, filter by
Verdict
, and select
Phishing
to find the analysis reports for phishing links.
If you are submitting links to a regional WildFire cloud for analysis, instead use the WildFire EU portal or the WildFire Japan portal.
Forward phishing logs as SNMP traps, syslog messages, or email notifications.
Select
Objects
Log Forwarding
and
Add
or modify a log forwarding profile to define the logs you want to forward.
Add
a rule to the profile.
Set the
Log Type
to wildfire.
Add the
Filter
( verdict eq phishing )
.
Continue to define or update the profile, and click
OK
to save the profile when you’re done.
Apply the new or updated log forwarding settings to traffic:
Select
Policies
Security
and
Add
or modify a security policy rule.
Select
Actions
and in the Log Setting section, attach the new or updated
Log Forwarding
profile to the security policy rule.
Click
OK
to save the security policy rule.
(
Optional
) To prevent users from inadvertently leaking corporate credentials to attackers, block access to phishing sites and block users from submitting usernames and passwords to untrusted and unsanctioned sites.
Select
Objects
URL Filtering
and
Add
or modify a URL Filtering profile.
Select
Categories
and filter the list of URL categories to find the phishing category.
Set the
Site Access
for phishing websites to
Block
to prevent users from accessing sites that aim to steal usernames and passwords.
Enable the new Credential Phishing Prevention feature to stop users from submitting credentials to untrusted sites, without blocking their access to these sites.
Apply the new or updated URL Filtering profile to traffic:
Select
Policies
Security
and
Add
or modify a security policy rule.
Select
Actions
and in the Profile Setting section, set the
Profile Type
to profiles.
Attach the new or updated
URL Filtering
profile to the security policy rule.
Click
OK
to save the security policy rule.