Blocking Unknown Malware with Wildfire

>>WildFire concepts

WildFire Threat Intelligence Cloud

WildFire is a cloud based, virtual sandbox used to evaluate unknown files and URL links found in emails

analysis --> files and links --> label -->benign, grayware, malware, or phishing

WildFire Operation Overview

yes,  firewall trusts that the file does not have hidden malware and allows the file to be delivered. NO creates a # number for the file,

MAX file limit applies. i.e not sent to WildfFire

WildFire Verdict Descriptions

As benign, grayware, malware, or phishing

WildFire Protects Email

The firewall sends email with attachments or URL links to WildFire for analysis.

Content Packages and WildFire Updates

Antivirus signatures are made available within 24 to 48 hours as content updates to the Antivirus content database.

Standard and Licensed Functionality

Standard subscription service:

WildFire licensed service:

Additional feature to standard like file analysis (Microsoft Office, PDF, JAR, CLASS, SWF, SWC, RAR, 7) in real time, API submission plus private cloud

Hybrid Cloud Example

Combines public and private cloud

.private cloud analysis prevails.

>>Configure and manage WildFire

Configure WildFire Settings

Device > Setup > WildFire

WildFire Public Cloud setting is configured with the URL value wildfire.paloaltonetworks.com

Submission Settings

Device > Setup > WildFire

WildFire Analysis

WildFire Analysis Profiles are objects that are added to Security policy rules that are configured with an action of “allow.” WildFire Analysis Profiles are not necessary for Security policy rules configured with the “deny” action, because no further processing is needed if the network traffic will be blocked.

WildFire Analysis Profile

Objects > Security Profiles WildFire Analysis

trusted zones. In a Zero Trust configuration, no zone is completely trusted

Creating a WildFire Analysis Profile

Objects > Security Profiles > WildFire Analysis > Add

... which application file types to send to WildFire for analysis.

Configure Real-Time WildFire Analysis

Objects > Security Profiles > AntiVirus

..configure real time WildFire analysis on the firewall.

..configured to:
• Enable : Allows the traffic to pass without any policy
• Alert only : The traffic is allowed, and a log entry is generated in the threat
• Disable : The traffic is blocked, and the user will see a response page. The user will not be able to continue to the website, and a log entry is generated in the URL Filtering log.

Attach WildFire Analysis Profiles to Security Rules

Policies > Security > Add

WildFire Update Schedule

Schedule poll period for WildFire antivirus signature updates: Any new WildFire antivirus signatures created by WildFire are available for download from WildFire in real
time. ...If you have a WildFire license...

>> WildFire reporting

Information reported back to the firewall is recorded by the firewall in the WildFire Submissions log.

Verify Submissions and View Reports

> debug wildfire upload log show

On the command line..

This can be reached by using SSH via puTTy

shown.. status “upload success” and the name of the file..

Monitor > Logs > WildFire Submissions

WildFire Analysis Verdict Example

Monitor > Logs > WildFire Submissions

Detailed Log View window.. WildFire Analysis Report tab

Use the log entry and the WildFire analysis to find

  • the users that were targeted
  • the applications that were used
  • the malicious behaviour that was observed


..Download PDF and print the PDF document. The PDF includes a detailed

WildFire Portal

Go to https://wildfire.paloaltonetworks.com

Dashboard also reports summary information for the files that were submitted manually by a user using the WildFire XML API.

WildFire Dashboard Reports

...click the Reports button at the top of the WildFire portal.

Report Incorrect Verdict: WildFire Portal

report an incorrect verdict link. In the window that..

1. What is the maximum size of .EXE files uploaded from the Next Generation firewall to Wildfire?

Always 10 megabytes

Configurable up to 2 megabytes

Configurable up to 10 megabytes

Always 2 megabytes

2. Without a Wildfire subscription, which of the following files can be submitted by the Next Generation Firewall to the hosted Wildfire virtualized sandbox?

PDF files only

MS Office doc/docx, xls/xlsx, and ppt/pptx files only

PE and Java Applet only

PE files only

3. In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for Wildfire updates?

5 Minutes

30 Minutes NO

1 Hour NO

15 Minutes NO

4. Which CLI command is used to verify successful file uploads to WildFire?

debug wildfire upload-log

debug wildfire download-log show

debug wildfire upload-log show YES

debug wildfire upload-threat show NO

5. True . If a file type is matched in the File Blocking Profile and WildFire Analysis Profile, and if the File Blocking Profile action is set to “block,” then the file is not forwarded to WildFire.

6. Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription?

Select one:





7. Which WildFire verdict might indicate obtrusive behaviour but not a security threat?

Select one:





8. false? When a malicious file or link is detected in an email, WildFire can update antivirus signatures in the PAN-DB database.

9. Assume you have a WildFire subscription. Which file state or condition might result in a file not being analysed by WildFire?

file already has WildFire hash NO

executable file signed by trusted signer NO

file located in a JAR or RAR archive

file size limit exceeded