WildFire 6.1 Administrator’s Guide
Palo Alto Networks
WildFire™ Administrator’s Guide
Version 6.1
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us
About this Guide
This guide describes the administrative tasks required to use and maintain the Palo Alto Networks WildFire feature. Topics covered include licensing information, configuring firewalls to forward files for inspection, viewing reports, and how to configure and manage the WF-500 appliance.
For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com. For contacting support, for information on the support programs, or to manage your account or devices, refer to https://support.paloaltonetworks.com.
For the latest release notes, go to the software downloads page at https://support.paloaltonetworks.com/Updates/SoftwareUpdates.
WildFire Cloud File Analysis
The following topics describe how to configure a Palo Alto Networks firewall to forward files to the WildFire cloud for analysis and also describe how to manually upload files using the WildFire Portal. You can also use the WildFire API to submit samples to the WildFire cloud.
Forward Samples to the WildFire Cloud
To configure a Palo Alto Networks firewall to automatically submit samples to the WildFire cloud to identify malware, you must configure a file blocking profile with the forward or continue-and-forward action (forward only for email links) and then attach the profile to the security rule that will trigger inspection for zero-day malware. The samples can be specific file types or HTTP/HTTPS links contained in SMTP or POP3 messages. For example, you can configure a policy with a file blocking profile that triggers the firewall to forward a specific file type (PDF for example) to WildFire, or all supported file types that users attempt to download during a web-browsing session. The firewall can forward encrypted files if SSL decryption is configured and the option to forward encrypted files is enabled. To enable WildFire Email Link Analysis, you simply configure the firewall to forward the file type email-link.
If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama Templates to push the WildFire server information, allowed file size, and the session information settings to the firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules. Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis (WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). When configuring the WildFire server on Panorama (Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example, if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama setting should point to the IP address or FQDN of the appliance.
Perform the following steps on each firewall that will forward files to WildFire:
If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed.
• WildFire cloud: Uses port 443 for registration and file submissions.
• WildFire appliance: Uses port 443 for registration and 10443 for file submissions.
Configure a File Blocking Profile and Add it to a Security Profile
Step 1 Verify that the firewall has valid Threat Prevention and WildFire subscriptions and that dynamic updates are scheduled and up-to-date. See Best Practices for Keeping Signatures up to Date for recommended settings.
Having a WildFire subscription provides many benefits, such as forwarding of advanced file types and receiving WildFire signatures within 15 minutes. For details, see WildFire Subscription Requirements.
1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions.
2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates.
Step 2 Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.
If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because the firewall will automatically forward supported file types that are zipped. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice.
Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, the new types are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire.
1. Select Objects > Security Profiles > File Blocking.
2. Click Add to add a new profile and enter a Name and Description.
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
4. Select the Applications that will match this profile. For example, select web-browsing to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire or select PE to only forward Portable Executable files.
6. In the Direction field, select upload, download, or both. The both option will trigger forwarding whenever a user attempts to upload or download a file.
7. Define an Action as follows:
• Forward—The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user.
• Continue-and-forward—The user is prompted and must click continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
8. Click OK to save.
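The constraints in Step 2 (a category such as PE already covers its members, Any covers everything, email links require the forward action, and continue-and-forward works only for web-browsing) are easy to violate when a profile has several rules. The following is an added Python example, not Palo Alto Networks code, that lints a rule set against exactly those constraints before you build it in the GUI. The Rule class and the CATEGORY_MEMBERS mapping are this example's own assumptions; the mapping records only the PE/exe relationship the guide states and must be extended from the firewall's File Types list for other categories.

```python
"""Lint file blocking profile rules against the constraints stated in the guide."""
from dataclasses import dataclass
from typing import List

# Category membership taken from the guide: PE covers exe. Other categories
# (msoffice, zip) are deliberately left out; this mapping is illustrative
# and must be completed from the firewall's own File Types list (assumption).
CATEGORY_MEMBERS = {"pe": {"exe"}}


@dataclass
class Rule:
    name: str
    applications: List[str]
    file_types: List[str]
    direction: str   # upload | download | both
    action: str      # forward | continue-and-forward


def lint_rule(rule: Rule) -> List[str]:
    """Return human-readable issues for one rule; empty list means the rule is clean."""
    issues = []
    types = {t.lower() for t in rule.file_types}
    # Email link analysis is supported with the forward action only.
    if "email-link" in types and rule.action != "forward":
        issues.append(f"{rule.name}: email-link requires action forward")
    # continue-and-forward needs a browser response page, so only web-browsing.
    if rule.action == "continue-and-forward" and any(
            app != "web-browsing" for app in rule.applications):
        issues.append(f"{rule.name}: continue-and-forward is only supported for web-browsing")
    # A category plus one of its members creates duplicate Data Filtering log entries.
    for category, members in CATEGORY_MEMBERS.items():
        if category in types:
            for member in sorted(members & types):
                issues.append(f"{rule.name}: {member} is already covered by category {category}")
    # Any already forwards every supported type, so other entries are redundant.
    if "any" in types and len(types) > 1:
        issues.append(f"{rule.name}: any already forwards all supported file types")
    if rule.direction not in ("upload", "download", "both"):
        issues.append(f"{rule.name}: unknown direction {rule.direction}")
    return issues


def lint_profile(rules: List[Rule]) -> List[str]:
    issues = []
    for rule in rules:
        issues.extend(lint_rule(rule))
    return issues


# Constructed sample profile: one clean rule and two that break the guide's rules.
SAMPLE_RULES = [
    Rule("web-all", ["web-browsing"], ["any"], "both", "forward"),
    Rule("mail-links", ["smtp", "pop3"], ["email-link"], "download", "continue-and-forward"),
    Rule("exe-prompt", ["web-browsing"], ["PE", "exe"], "download", "continue-and-forward"),
]

if __name__ == "__main__":
    for issue in lint_profile(SAMPLE_RULES):
        print(issue)
```

Run the checker over the rules you intend to create; each reported line maps to one of the notes in Step 2, and a clean run means the profile will not generate redundant Data Filtering entries or silently fail to forward email links.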
Step 3 (Optional) Enable response pages to allow users to decide whether to forward a file.
If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users).
1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
2. Click the Response Pages check box to enable.
3. Click OK to save the profile.
4. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is the ingress interface.
5. On the Advanced tab, select the Interface Mgmt profile that has the response page option enabled.
6. Click OK to save.
Step 4 Enable forwarding of decrypted content. To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled.
Only a superuser can enable this option.
1. Select Device > Setup > Content-ID.
2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
3. Click OK to save the changes.
If the firewall has multiple virtual systems, you must enable this option per VSYS. In this situation, select Device > Virtual Systems, click the virtual system to be modified and select the Allow Forwarding of Decrypted Content check box.
Step 5 Attach the file blocking profile to a security policy.
1. Select Policies > Security.
2. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down.
If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.
Step 6 (Optional) Modify the maximum file size allowed for upload to WildFire.
1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded.
Step 7 (Optional) Modify session options that define what session information to record in WildFire analysis reports.
1. Click the Session Information Settings edit icon.
2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove from the WildFire analysis reports.
Step 8 (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card.
This is due to the traffic/logging capabilities of the PA-7050 to avoid overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email, and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files/email links to WildFire for analysis.
If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route.
The PA-7050 does not forward logs to Panorama. Panorama will query the PA-7050 log card for log information.
1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your email servers so that it can send logs and email alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated.
Step 9 Commit the configuration. Click Commit to apply the settings.
During security policy evaluation, all files that meet the criteria defined in the file blocking policy are forwarded by the firewall to WildFire. For information on viewing WildFire reports, see WildFire Reporting.
For information on verifying the configuration, see Verify Forwarding to the WildFire Cloud.
Verify Forwarding to the WildFire Cloud
This topic describes the steps required to verify that the firewall is properly configured to forward samples to the WildFire cloud. For information on a test file that you can use to verify the process, see Malware Test Samples.
Verify Forwarding to the WildFire Cloud
Step 1 Check the WildFire and Threat Prevention subscriptions and WildFire registration.
1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
2. Check that the firewall can communicate with a WildFire server for file forwarding:
admin@PA-200> test wildfire registration
In the following output, the firewall is pointing to the WildFire cloud. If the firewall is pointing to a WildFire appliance, it will show the FQDN or IP address of the appliance.
Test wildfire
    wildfire registration:    successful
    download server list:     successful
    select the best server:   s1.wildfire.paloaltonetworks.com
3. If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required.
Step 2 Confirm that the firewall is sending files to the correct WildFire system.
1. To determine where the firewall is forwarding files (to the Palo Alto Networks WildFire cloud or to a WildFire appliance), select Device > Setup > WildFire.
2. Click the General Settings edit button.
The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If the firewall is configured to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed.
If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK and the
Step 3 Check the logs to verify that forwarding is working.
For information on enabling email header details in logs, see Enable Email Header Information in WildFire Logs.
1. Select Monitor > Logs > Data Filtering.
2. View the Action column to determine the forwarding results:
• Forward—Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance.
• Wildfire-upload-success—Indicates that the firewall forwarded the file to WildFire. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.
• Wildfire-upload-skip—Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously.
3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning file analysis results.
For more information on WildFire-related logs, see WildFire Logs.
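The three Action values in Step 3 tell you how far each sample got: forward means the management plane has it, and only upload-success or upload-skip confirms that WildFire saw it. The following is an added Python example, not Palo Alto Networks code, that tallies those values over exported Data Filtering entries and lists files that were forwarded but never reached an upload result. The sample entries and their column order (time, rule, action, file type, file name) are constructed for this example and are not the firewall's actual export format; adjust the column indexes to your export.

```python
"""Summarise WildFire forwarding outcomes from Data Filtering log entries."""
from collections import Counter
from typing import Dict, List

# Constructed sample entries shaped like a CSV export of the Data Filtering
# log. The column order (time, rule, action, file type, file name) is an
# assumption made for this example, not the firewall's export format.
SAMPLE_LOG = """\
2015/03/10 10:01:05,allow-web,forward,pe,setup.exe
2015/03/10 10:01:06,allow-web,wildfire-upload-success,pe,setup.exe
2015/03/10 10:02:11,allow-web,forward,pdf,invoice.pdf
2015/03/10 10:02:12,allow-web,wildfire-upload-skip,pdf,invoice.pdf
2015/03/10 10:03:40,allow-web,forward,ms-office,report.docx
"""

# Action values and their meaning as the guide defines them.
ACTION_MEANING = {
    "forward": "sent from the dataplane to the management plane; not yet uploaded",
    "wildfire-upload-success": "uploaded to WildFire (not trusted-signed, not seen before)",
    "wildfire-upload-skip": "eligible, but WildFire already analyzed this file",
}
UPLOAD_DONE = {"wildfire-upload-success", "wildfire-upload-skip"}


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split each non-empty line into the five assumed columns."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, rule, action, ftype, name = line.split(",", 4)
        entries.append({"time": time, "rule": rule, "action": action.lower(),
                        "type": ftype, "name": name})
    return entries


def summarize(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count of each Action value; the three keys above are the ones to expect."""
    return dict(Counter(e["action"] for e in entries))


def pending_uploads(entries: List[Dict[str, str]]) -> List[str]:
    """Files logged as 'forward' with no later upload-success or upload-skip entry.
    Matching by file name is a simplification for this example. Such files are
    still on the management plane or failed to upload, so the next check is
    'show wildfire status' on that firewall."""
    done = {e["name"] for e in entries if e["action"] in UPLOAD_DONE}
    return sorted({e["name"] for e in entries
                   if e["action"] == "forward" and e["name"] not in done})


def unknown_actions(entries: List[Dict[str, str]]) -> List[str]:
    """Action values the guide does not describe, so they deserve a closer look."""
    return sorted({e["action"] for e in entries if e["action"] not in ACTION_MEANING})


if __name__ == "__main__":
    rows = parse_entries(SAMPLE_LOG)
    print(summarize(rows))
    print("pending:", pending_uploads(rows))
    print("unknown actions:", unknown_actions(rows))
```

A healthy firewall shows roughly as many upload-success plus upload-skip entries as forward entries over a reasonable window; a growing pending list with no WildFire Submissions logs points at the registration or connectivity checks in Steps 1 and 6.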
Step 4 Verify the action setting in the file blocking profile.
1. Select Objects > Security Profiles > File Blocking and click the file blocking profile.
2. Confirm that the action is set to forward or continue-and-forward. If you set to continue-and-forward, the firewall will only forward http/https traffic because this is the only type of traffic that will allow the firewall to serve a response page to the user.
Step 5 Verify that the file blocking profile is in the correct security policy.
1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
2. Click the Actions tab and ensure that the file blocking profile is
Step 6 Check the WildFire server status on the appliance.
admin@PA-200> show wildfire status
When forwarding files to the WildFire cloud, the output should look similar to the following:
Connection info:
    Wildfire cloud:            public cloud
    Status:                    Idle
    Best server:               s1.wildfire.paloaltonetworks.com
    Device registered:         yes
    Valid wildfire license:    yes
    Service route IP address:  192.168.2.1
    Signature verification:    enable
    Server selection:          enable
    Through a proxy:           no
Forwarding info:
    file size limit for pe (MB):         10
    file size limit for jar (MB):        1
    file size limit for apk (MB):        2
    file size limit for pdf (KB):        500
    file size limit for ms-office (KB):  10000
    file idle time out (second):         90
    total file forwarded:                1
    file forwarded in last minute:       0
Step 7 Check WildFire statistics to confirm that counters are incrementing.
The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers.
admin@PA-200> show wildfire statistics
Packet based counters:
    Total msg rcvd:              12011
    Total bytes rcvd:            10975328
    Total msg read:              11963
    Total bytes read:            10647634
    Total msg lost by read:      48
    Total DROP_NO_MATCH_FILE     48
    Total files received from DP: 196
Counters for file cancellation:
    CANCEL_FILE_DUP              11
    CANCEL_CONCURRENT_LIMIT      7
Counters for file forwarding:
    file type: apk
    file type: pdf
    file type: email-link
    file type: ms-office
    file type: pe
    file type: flash
    FWD_CNT_LOCAL_FILE           178
    FWD_CNT_LOCAL_DUP            11
    FWD_CNT_REMOTE_FILE          121
    FWD_CNT_REMOTE_DUP_CLEAN     56
    FWD_CNT_REMOTE_DUP_TBD       8
    FWD_CNT_REMOTE_DUP_MAL       3
    file type: jar
    file type: unknown
    file type: pdns
Error counters:
    LOG_ERR_REPORT_CACHE_NOMATCH 880
Reset counters:
    DP receiver reset cnt:       2
    File cache reset cnt:        2
    Service connection reset cnt: 1
    Log cache reset cnt:         2
    Report cache reset cnt:      2
Resource meters:
    data_buf_meter               0%
    msg_buf_meter                0%
    ctrl_msg_buf_meter           0%
File forwarding queues:
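Steps 6 and 7 are usually run together: the status output answers "is this firewall registered and licensed, and which size limits apply", and the statistics output answers "is anything actually being forwarded". The following is an added Python example, not Palo Alto Networks code, that parses both outputs (the sample text is the output printed in Steps 6 and 7, with the statistics reduced to the forwarding counters), converts the per-type size limits to bytes (note that pdf and ms-office are configured in KB, the others in MB, which also serves the 5MB PDF example in Step 6 of the configuration procedure), and reports the same findings the guide tells you to act on. The function names and the finding texts are this example's own.

```python
"""Parse 'show wildfire status' and 'show wildfire statistics' output and check
the points the guide lists: registration, license, size limits, forwarding counters."""
import re
from typing import Dict, List

# Sample output as printed in the guide's Step 6 (whitespace normalised).
STATUS_OUTPUT = """\
Connection info:
    Wildfire cloud:            public cloud
    Status:                    Idle
    Best server:               s1.wildfire.paloaltonetworks.com
    Device registered:         yes
    Valid wildfire license:    yes
    Service route IP address:  192.168.2.1
    Signature verification:    enable
    Server selection:          enable
    Through a proxy:           no
Forwarding info:
    file size limit for pe (MB):         10
    file size limit for jar (MB):        1
    file size limit for apk (MB):        2
    file size limit for pdf (KB):        500
    file size limit for ms-office (KB):  10000
    file idle time out (second):         90
    total file forwarded:                1
    file forwarded in last minute:       0
"""

# Forwarding counters from the guide's Step 7 output; only the lines this
# check needs are reproduced here.
STATS_OUTPUT = """\
Total files received from DP: 196
Counters for file forwarding:
    FWD_CNT_LOCAL_FILE           178
    FWD_CNT_LOCAL_DUP            11
    FWD_CNT_REMOTE_FILE          121
    FWD_CNT_REMOTE_DUP_CLEAN     56
    FWD_CNT_REMOTE_DUP_TBD       8
    FWD_CNT_REMOTE_DUP_MAL       3
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'key: value' lines into a dict; section headers get an empty value."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, val = line.split(":", 1)
            out[key.strip()] = val.strip()
    return out


def size_limits_bytes(status: Dict[str, str]) -> Dict[str, int]:
    """Per-file-type upload limits in bytes; the unit (MB or KB) is in the key."""
    limits = {}
    for key, val in status.items():
        m = re.match(r"file size limit for (\S+) \((MB|KB)\)", key)
        if m:
            mult = 1024 * 1024 if m.group(2) == "MB" else 1024
            limits[m.group(1)] = int(val) * mult
    return limits


def would_forward(file_type: str, size_bytes: int, limits: Dict[str, int]) -> bool:
    """A sample larger than the limit for its type is not forwarded; unknown types are not either."""
    return file_type in limits and size_bytes <= limits[file_type]


def fwd_counters(stats_text: str) -> Dict[str, int]:
    """All FWD_CNT_* counters from the statistics output."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"(FWD_CNT_\w+)\s+(\d+)", stats_text)}


def health_findings(status_text: str, stats_text: str) -> List[str]:
    """Problems a practitioner would act on; an empty list means forwarding looks healthy."""
    status = parse_kv(status_text)
    findings = []
    if status.get("Device registered") != "yes":
        findings.append("firewall is not registered with WildFire")
    if status.get("Valid wildfire license") != "yes":
        findings.append("WildFire license missing or expired")
    counters = fwd_counters(stats_text)
    if not counters or all(v == 0 for v in counters.values()):
        findings.append("no files forwarded: check connectivity to the WildFire "
                        "server and that the file blocking profile is attached "
                        "to a security rule that allows file transfers")
    return findings


if __name__ == "__main__":
    limits = size_limits_bytes(parse_kv(STATUS_OUTPUT))
    print("pdf limit in bytes:", limits["pdf"])
    print("6 MB pdf forwarded?", would_forward("pdf", 6 * 1024 * 1024, limits))
    print("findings:", health_findings(STATUS_OUTPUT, STATS_OUTPUT))
```

Feed it the two command outputs captured from the firewall (for example over SSH); the size-limit check is also a quick way to explain why a large PDF that matched the profile never produced an upload entry, since 500 KB is the default limit shown for pdf while pe allows 10 MB.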
Step 8 Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving signatures generated by WildFire. See Best Practices for Keeping Signatures up to Date.
1. Select Device > Dynamic Updates.
2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item.
3. Click Check Now at the bottom of the window to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com. If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates.
Upload Files using the WildFire Cloud Portal
All Palo Alto Networks customers with a support account can manually upload files to the Palo Alto Networks WildFire portal for analysis. The WildFire portal supports manual uploading of all Supported File Types.
Manual Upload to WildFire
Step 1 Manually upload a file to WildFire for analysis.
1. Log in to the WildFire Portal.
If your firewall is forwarding to the WildFire portal in Japan, use https://wildfire.paloaltonetworks.jp.
2. Click the Upload Sample button then click Add files.
3. Navigate to the file, highlight it, and then click Open. The file name will appear below the Add files icon.
4. Click the Start icon to the right of the file, or click the Start upload button if multiple files are waiting for upload. If the file(s) upload successfully, Success will appear next to each file.
5. Close the Uploaded File Information pop-up.
Step 2 View the analysis results. It will take approximately five minutes for WildFire to complete a file analysis.
Because a manual upload is not associated with a specific firewall, manual uploads will appear separately from your registered firewalls and will not show session information in the reports.
1. Refresh the portal page from your browser.
2. Click Manual under the source column to view the results of manual sample upload.
3. The report page will show a list of all files that have been uploaded to your account. Find the file you uploaded and click the detail icon to the left of the date field.