WildFire Appliance Archive Support

The WildFire appliance running PAN-OS 9.0 or later can now analyze and classify RAR and 7-Zip archives, which can be used by an adversary to covertly deliver malicious payloads to users.
The WildFire appliance can now analyze and classify archive (RAR and 7-Zip) files with malicious, benign, or grayware verdicts. Previously this feature was only present in the WildFire cloud. This analysis capability has now been expanded to include WildFire appliances running PAN-OS 9.0 and later.
  • When any file contained within an archive is determined to be malicious, the archive file is considered malicious by WildFire.
  • Archive files that are multi-part or password protected cannot be analyzed.
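The following added example is not part of the original documentation or of any Palo Alto Networks tooling. It pre-screens RAR 5.0 files for the two conditions above, so that archives that cannot be analyzed can be routed to another control. It assumes the public RAR 5.0 header layout; the function name `triage_rar5`, the flag strings (including the script's own `malformed` flag) and the sample bytes are constructed for illustration, and RAR 4.x and 7-Zip files need their own parsers.

```python
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

def _vint(buf, pos):
    """Decode a RAR5 variable-length integer; return (value, next position)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos

def _scan(data, flags):
    pos = len(RAR5_SIG)
    while pos + 4 < len(data):
        size, body = _vint(data, pos + 4)        # skip header CRC32, read header size
        end = body + size
        htype, p = _vint(data, body)
        hflags, p = _vint(data, p)
        extra, p = _vint(data, p) if hflags & 1 else (0, p)
        dsize, p = _vint(data, p) if hflags & 2 else (0, p)
        if htype == 4:                           # archive encryption header: headers encrypted
            flags.add("password-protected")
            return
        if htype == 1 and _vint(data, p)[0] & 1: # main header, archive flag 0x01 = volume
            flags.add("multi-part")
        rec = max(end - extra, p)                # extra area sits at the end of the header
        while htype == 2 and rec < end:          # file header: walk its extra records
            rsize, rbody = _vint(data, rec)
            if _vint(data, rbody)[0] == 1:       # record type 1 = file encryption
                flags.add("password-protected")
            rec = rbody + rsize
        if htype == 5 or size == 0:              # end-of-archive header, or corrupt size
            return
        pos = end + dsize                        # next header follows this one's data area

def triage_rar5(data):
    """Return flags that put a RAR 5.0 file outside archive analysis (empty set = none)."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR 5.0 archive")
    flags = set()
    try:
        _scan(data, flags)
    except IndexError:
        flags.add("malformed")                   # truncated or corrupt: parsing stopped early
    return flags

# Constructed sample (CRC fields zeroed, not a real archive): main header with volume flag set.
SAMPLE_VOLUME = RAR5_SIG + bytes.fromhex("00000000 03 01 00 01 00000000 03 05 00 00")
```

Header CRCs are not verified here, so the result describes what the headers declare, not whether the archive is intact.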
The WildFire appliance is capable of analyzing the following archive file types:
  • RAR—Supports Roshal Archive (.rar) files.
  • 7-Zip—Supports (.7z) files.
To forward archive files for analysis, the WildFire Analysis Profile on the firewall must be configured to forward the archive file type or Any unknown files to the WildFire private cloud.
  1. Enable file type forwarding.
    1. Select Objects > Security Profiles > WildFire Analysis and Add or modify a profile to define traffic to forward for WildFire analysis.
    2. Add or modify a profile rule, select file type, and set the rule to forward the new Any file type. You can also specify the archive file type if you want to forward only archives. Profile rules with the file type set to Any forward all file types for WildFire analysis.
    3. Select Destination and set the profile rule to forward the files to the private-cloud.
    4. Click OK to save the new or modified WildFire Analysis profile.
  2. Attach the WildFire Analysis profile to a security policy rule—traffic matched to the policy rule is forwarded for WildFire Analysis.
    1. Select Policies > Security and Add or modify a security policy rule.
    2. Select Actions and set the Profile Type to Profiles.
    3. Select the newly-created WildFire Analysis profile.
    4. Click OK to save the security policy rule.
    For detailed steps to configure a WildFire Analysis profile and to attach the profile to a security policy rule, see Forward Files for WildFire Analysis.
  3. Select Monitor > WildFire Submissions to find WildFire verdicts and analysis reports for archive files that have been submitted by the firewall.
