The WildFire appliance can now leverage WildFire global
cloud intelligence to deliver quick verdicts for known samples.
This allows the WildFire appliance to dedicate analysis resources
to samples that are truly unknown to both your private network and
the global WildFire community. Before analyzing a sample locally,
the WildFire appliance checks if the WildFire global cloud has already
analyzed the sample (the WildFire appliance sends only the sample
hash to the WildFire global cloud—it does not send the raw file
or any additional sample data). If the sample is known to the WildFire
global cloud, the WildFire appliance retrieves the sample verdict
and analysis report and delivers them promptly to the firewall that
detected the sample. If the sample is unknown to the WildFire global
cloud, the WildFire appliance analyzes the sample locally. In either
case, the WildFire appliance locally generates a signature to detect
the malware, and delivers the signature to the firewall as part
of the WildFire private cloud content update.
The WildFire appliance continues to periodically synchronize
verdicts and analysis reports for locally-analyzed samples so that
they match the verdicts and analysis reports the WildFire global
cloud provides—this ensures that analysis information for locally-analyzed
samples stays up-to-date with worldwide WildFire submissions and
the latest threat intelligence. In cases where the WildFire global
cloud and the WildFire appliance record a different verdict for
a sample, the WildFire global cloud verdict takes precedence and
changes the local verdict.
The following CLI command enables the WildFire appliance to perform
verdict lookups and synchronize verdicts with the WildFire global
cloud. This feature is disabled by default; set cloud-query to
yes to enable it.
set deviceconfig setting wildfire cloud-intelligence cloud-query [yes | no]
Another new WildFire appliance feature supports Verdict
Changes for locally-analyzed samples. If you change the verdict
for a sample, the new verdict continues to apply to the locally-submitted
sample, even if the WildFire global cloud has recorded a different
verdict for the same sample.
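
The following Python sketch is an added illustration, not Palo Alto Networks code. It models the verdict flow described above: hash-only lookup, local analysis as the fallback, cloud precedence on synchronization, and manual verdict changes that persist. The class and method names, the use of SHA-256, and the sample data are assumptions made for the example.

```python
import hashlib

class Appliance:
    """Toy model of the verdict flow described above; not Palo Alto Networks code."""

    def __init__(self, cloud, cloud_query=False):  # cloud-query is disabled by default
        self.cloud = cloud            # hash -> verdict; stands in for the global cloud
        self.cloud_query = cloud_query
        self.verdicts = {}            # hash -> verdict recorded on the appliance
        self.manual = set()           # hashes whose verdict an administrator changed
        self.sent = []                # every value that left the appliance

    def _lookup(self, digest):
        self.sent.append(digest)      # only the sample hash is sent, never the file
        return self.cloud.get(digest)

    def submit(self, data, analyze):
        digest = hashlib.sha256(data).hexdigest()  # SHA-256 is an assumption
        verdict = self._lookup(digest) if self.cloud_query else None
        source = "cloud"
        if verdict is None:           # unknown to the cloud, or lookups disabled
            verdict, source = analyze(data), "local"
        self.verdicts[digest] = verdict
        return digest, verdict, source

    def change_verdict(self, digest, verdict):
        self.verdicts[digest] = verdict
        self.manual.add(digest)       # a changed verdict survives later syncs

    def sync(self):
        if not self.cloud_query:
            return
        for digest in self.verdicts:
            cloud_verdict = self._lookup(digest)
            if cloud_verdict is not None and digest not in self.manual:
                self.verdicts[digest] = cloud_verdict  # cloud verdict takes precedence

def demo():
    analyze = lambda data: "benign"   # constructed stand-in for local analysis
    cloud = {hashlib.sha256(b"known-sample").hexdigest(): "malware"}
    app = Appliance(cloud, cloud_query=True)
    _, v1, s1 = app.submit(b"known-sample", analyze)
    d2, v2, s2 = app.submit(b"new-sample", analyze)
    d3, _, _ = app.submit(b"disputed-sample", analyze)
    app.change_verdict(d3, "malware")
    cloud[d2], cloud[d3] = "malware", "benign"   # cloud later records its own verdicts
    app.sync()
    return (v1, s1), (v2, s2), app.verdicts[d2], app.verdicts[d3], app.sent
```

In the demo, the second sample's local benign verdict is replaced by the cloud verdict at the next sync, while the third sample keeps the verdict the administrator set.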