Wildfire

Wildfire provides file analysis and malware detection services. When a file is received, it checks for signatures and hashes the file to determine if it has been previously analyzed. If under the maximum size, it is uploaded to Wildfire for scanning. Wildfire assigns verdicts of benign, greyware, malware, or phishing. New signatures are generated within 24-48 hours. Standard and licensed Wildfire services provide dynamic updates through public or private cloud analysis. The firewall is configured to submit files to Wildfire through security policies and analysis profiles. Reporting on submissions is available on the firewall and Wildfire portal.
Wildfire Concepts
• When the firewall receives a file:
  o It checks whether the file is signed by a trusted signer.
  o If there is no signature, it creates a hash of the file to check whether it has already been sent to WildFire.
    - If not already submitted, it checks whether the file is below the maximum file size configured for upload to WildFire.
    - If the maximum size is exceeded, the file is allowed through the firewall.
    - If under the maximum size, it is uploaded and checked with WildFire, and the response is sent to the firewall.
  o The types of verdicts assigned to files scanned by WildFire include:
    - Benign: found to be safe and poses no risk.
    - Greyware (introduced in PAN-OS 7.0): no security threat but may display obtrusive behavior; adware, spyware, browser helper objects.
    - Malware: the file contains a malicious payload; viruses, worms, trojans, rootkits, botnets and remote access tools.
    - Phishing (introduced in PAN-OS 8.0): scans links in emails to determine whether the site is a site to phish for credentials or other personal data.
  o File attachments and URLs in emails are also scanned and will be categorized in one of the options above.
• When files and URLs are submitted to WildFire, new signatures are generated and are available for download within 24-48 hours as content updates.
• Two types of WildFire subscription service:
  o Standard subscription: all systems running PAN-OS 4.0+ can access the WildFire standard subscription service (as an XP or Win7 VM).
    - Includes Windows PE analysis: EXE, DLL, SCR, FON, etc.
    - AV signatures delivered in daily dynamic content updates (requires a Threat Prevention license).
    - Automatic file submission.
  o WildFire licensed service gets the standard features plus:
    - Additional file types scanned, including MS Office files, PDF, JAR, CLASS, SWF, SWC, APK, Mach-O, DMG, and PKG.
    - WildFire signature files updated every 5 minutes.
    - API file submission.
    - WildFire private cloud appliance: WF-500.
• WildFire Private Cloud
  o The WF-500 is a private cloud WildFire system based on a Win7 64-bit image, hosted on your network.
  o It locally analyzes files forwarded from the firewall or from the PAN XML API.
  o Signatures can be generated locally. Benign and greyware never leave the network.
  o You have the option to forward malware to the WildFire cloud for signature generation.
  o Signature updates every 5 minutes.
  o Supports the XML API.
  o Does not support phishing; all positive matches are classified as 'malware'.
  o Content updates can be installed manually or automatically.
• Hybrid Cloud
  o Combines local and cloud solutions. The WF-500 can analyze sensitive files locally, and less sensitive files can be uploaded to WildFire for analysis.
Configuring and Managing Wildfire
• Device > Setup > WildFire is where WildFire is configured.
  o The default cloud is wildfire.paloaltonetworks.com (other clouds for different regions are available).
  o If you have a WF-500 locally, you can specify its IP on this screen.
  o You can also specify the maximum size of files to upload; anything larger is permitted.
  o Benign and greyware can be reported by selecting the checkboxes.
  o Decrypted content is not forwarded to WildFire by default; this can be set under Device > Setup > Content-ID > Content-ID Settings by enabling 'Allow forwarding of decrypted content'.
• Under Device > Setup > WildFire, you can specify what information is reported to WildFire. This can include information such as source/destination IP, ports, VSYS, application, user, etc.
• WildFire submission is activated by adding it to a firewall security policy rule. This is added on the Actions tab in the rule details.
  o Logs for submissions to WildFire are found under Monitor > Logs > WildFire Submissions.
• A WildFire Analysis profile is created under Objects > Security Profiles > WildFire Analysis.
  o A pre-configured default profile is included; it can be cloned and modified, or a new profile can be created from scratch.
  o Each file type can be sent to a specific destination (public, private or hybrid). Example: JAR can be sent to the cloud, while DOCX can stay on a local WF-500 appliance.
    - The profile can be added to a rule individually or as part of a profile group.
  o If a File Blocking profile blocks a file, the file is not sent to WildFire for analysis.
• Updates are available under Device > Dynamic Updates. With a WildFire licence, you can set the update interval anywhere from every 1 minute to every hour. Without a license, it can be set to update once a day.
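The submission order from the Concepts section (trusted signer, hash lookup, maximum size, upload) together with the per-file-type routing of the analysis profile above, modelled as an added Python example. This is not Palo Alto Networks code and does not reflect how the firewall is implemented; the profile mapping, the size threshold, the trusted-signer name, the sample bytes and all function names are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Verdict sets taken from the notes: the public cloud can return all four,
# while the WF-500 private cloud has no phishing verdict (positives are malware).
PUBLIC_VERDICTS = {"benign", "greyware", "malware", "phishing"}
PRIVATE_VERDICTS = {"benign", "greyware", "malware"}

# Constructed analysis profile: file type -> analysis destination. The notes
# give the idea (JAR to the cloud, DOCX kept on the WF-500); the mapping is ours.
EXAMPLE_PROFILE = {"jar": "public", "exe": "public", "docx": "private", "pdf": "private"}


@dataclass
class WildfireSettings:
    """Hypothetical model of the firewall-side settings described in the notes."""
    max_upload_bytes: int = 1_000_000                  # constructed threshold, not a vendor default
    profile: dict = field(default_factory=lambda: dict(EXAMPLE_PROFILE))
    trusted_signers: set = field(default_factory=set)
    verdict_cache: dict = field(default_factory=dict)  # sha256 hex -> verdict already received
    private_forwards_malware: bool = True              # WF-500 option: send malware on to the cloud


def triage(settings, filename, data, signer=None, blocked_by_file_blocking=False):
    """Walk the decision order from the notes for one file.

    Returns (action, sha256_hex, destination); only action == "submit" leads to an upload.
    A signature from an untrusted signer is treated like no signature and falls through to hashing.
    """
    if blocked_by_file_blocking:                         # File Blocking hit: nothing goes to WildFire
        return ("blocked", None, None)
    if signer is not None and signer in settings.trusted_signers:
        return ("allow-trusted-signer", None, None)
    digest = hashlib.sha256(data).hexdigest()
    if digest in settings.verdict_cache:                 # already analysed: reuse the stored verdict
        return ("cached", digest, None)
    if len(data) > settings.max_upload_bytes:            # over the configured maximum: allowed, not uploaded
        return ("allow-too-large", digest, None)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    destination = settings.profile.get(ext)
    if destination is None:                              # file type not covered by the analysis profile
        return ("allow-not-in-profile", digest, None)
    return ("submit", digest, destination)


def record_verdict(settings, digest, verdict, destination):
    """Store a verdict from the chosen analysis location, rejecting one it cannot produce."""
    allowed = PRIVATE_VERDICTS if destination == "private" else PUBLIC_VERDICTS
    if verdict not in allowed:
        raise ValueError(f"{destination} analysis cannot return verdict {verdict!r}")
    settings.verdict_cache[digest] = verdict
    return verdict


def leaves_network(settings, verdict, destination):
    """True when the sample is sent to the public cloud; benign and greyware never leave a WF-500."""
    if destination == "public":
        return True
    return verdict == "malware" and settings.private_forwards_malware


if __name__ == "__main__":
    s = WildfireSettings(trusted_signers={"Example Signer"})   # constructed signer name
    for name, blob in [("report.docx", b"constructed docx bytes"), ("tool.jar", b"constructed jar bytes")]:
        action, digest, dest = triage(s, name, blob)
        print(name, action, dest)
        if action == "submit":
            record_verdict(s, digest, "benign", dest)
    print("cached:", triage(s, "report.docx", b"constructed docx bytes")[0])
```

The point worth noticing is the order: a file above the configured maximum is allowed through with no verdict and no submission entry, and a file type missing from the analysis profile is never uploaded at all, so the maximum-size setting and the profile's file-type list together decide what the WildFire Submissions log can ever show.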
Wildfire Reporting
• Each time a file is analyzed, WildFire reports its findings back to the firewall. The amount of information reported is configurable.
• To verify successful uploads, you can use the CLI command:
  o debug wildfire upload-log show
    - The output should indicate a successful upload.
• Detailed reports can be viewed by clicking the magnifying glass, then the Analysis Report tab, to get details on users and on the file.
• More details can be seen at wildfire.paloaltonetworks.com; this gives a breakdown by category of findings (benign, greyware, malware, phishing).
  o Files can also be uploaded manually on this portal.
  o The Reports button on the web portal lets you generate a custom report, and individual entries can be viewed.
  o Email reports can also be configured here to receive automatic reports.
  o If a file was flagged as something other than benign, you can open the individual report, scroll to the bottom and submit a request to have it reviewed.
