
WildFire

WildFire Concepts
 When the firewall receives a file:
o It first checks whether the file is signed by a trusted signer; if so, it is not forwarded.
o If there is no trusted signature, the firewall computes a hash of the file and checks whether
that hash has already been sent to WildFire.
 If it has not already been submitted, the firewall checks whether the file is below the
maximum file size configured for upload to WildFire.
 If the file exceeds the maximum size, it is allowed through the firewall without being
forwarded.
 If it is under the maximum size, it is uploaded to WildFire for analysis and the verdict is
returned to the firewall.
o The verdicts WildFire assigns to analysed files are:
 Benign - found to be safe and poses no risk.
 Grayware (introduced in PAN-OS 7.0) - no direct security threat, but may display obtrusive
behaviour; adware, spyware, browser helper objects.
 Malware - the file contains a malicious payload; viruses, worms, trojans, rootkits,
botnets and remote access tools.
 Phishing (introduced in PAN-OS 8.0) - links in emails are analysed to determine whether the
site is designed to phish for credentials or other personal data.
o File attachments and URLs in emails are also analysed and receive one of the verdicts above.
 When files and URLs submitted to WildFire are found to be malware, new signatures are generated
and are available within 24-48 hours through the antivirus content updates (the licensed service
receives WildFire signature updates far sooner; see the subscription types below).
 There are two tiers of WildFire service:
o Standard service (no WildFire licence): all systems running PAN-OS 4.0+ can use it; files
are detonated in Windows XP or Windows 7 virtual machines.
 Includes Windows PE analysis: EXE, DLL, SCR, FON, etc.
 Resulting AV signatures are delivered in the daily dynamic antivirus content update (requires
a Threat Prevention licence).
 Automatic file submission from the firewall.
o WildFire licensed service: the standard features plus:
 Additional file types analysed, including MS Office files, PDF, JAR, CLASS, SWF,
SWC, APK, Mach-O, DMG and PKG.
 WildFire signature updates every 5 minutes.
 File submission through the API.
 Support for the WildFire private cloud appliance, the WF-500.
 WildFire Private Cloud
o The WF-500 is a private-cloud WildFire appliance hosted on your own network; it analyses
files in a Windows 7 64-bit image.
o It analyses files locally, whether forwarded from the firewall or submitted through the PAN
XML API.
o Signatures can be generated locally. Benign and grayware samples never leave the network.
o You have the option to forward samples found to be malware to the WildFire public cloud for
signature generation.
o Signature updates every 5 minutes.
o Supports the XML API.
o Does not support the Phishing verdict; all positive matches are classified as 'malware'.
o Content updates can be installed manually or automatically.
 Hybrid Cloud
o Combines the local and public-cloud options: the WF-500 analyses sensitive files locally,
while less sensitive files are uploaded to the WildFire public cloud for analysis.
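The forwarding flow above (trusted signer, hash de-duplication, size limit, upload) and the hybrid per-file-type routing can be written down as a small decision function. The following is an added example, not Palo Alto Networks code: the signer list, per-type size limits and the public/private routing table are made-up policy values standing in for what a real firewall reads from Device > Setup > WildFire and the WildFire Analysis profile, and the file events are constructed in memory.

```python
"""Model of the per-file forwarding decision a PAN-OS firewall makes for WildFire.

Added example, not Palo Alto Networks code: it reproduces the steps the notes
describe (trusted-signer check, hash de-duplication, per-type size limit and the
hybrid public/private destination choice) on constructed in-memory files. The
signer list, size limits and routing table below are made-up policy values.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

TRUSTED_SIGNERS = {"Microsoft Corporation", "Adobe Inc."}      # constructed

# Maximum upload size per file type, in bytes (constructed values).
MAX_SIZE_BYTES = {"pe": 2 * 1024 * 1024, "ms-office": 4 * 1024 * 1024,
                  "pdf": 1024 * 1024, "jar": 512 * 1024}
DEFAULT_MAX_SIZE = 1024 * 1024

# Hybrid-cloud routing: sensitive document types stay on the local WF-500,
# everything else goes to the public cloud.
DESTINATION = {"ms-office": "private-cloud", "pdf": "private-cloud"}
DEFAULT_DESTINATION = "public-cloud"


@dataclass
class FileEvent:
    name: str
    file_type: str
    content: bytes
    signer: Optional[str] = None     # result of the signature check, if signed


@dataclass
class Decision:
    action: str                      # "forward" or "allow-only"
    reason: str
    destination: Optional[str]
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(event: FileEvent, submitted: Dict[str, str]) -> Decision:
    """Decide whether a file is forwarded and where.

    `submitted` maps the SHA-256 of every file already sent to WildFire to the
    verdict that came back ("pending" until the verdict arrives). The firewall
    lets the session continue in every branch; forwarding is out of band, and
    blocking happens later through the signatures WildFire generates.
    """
    digest = sha256_hex(event.content)
    if event.signer in TRUSTED_SIGNERS:
        return Decision("allow-only", "signed by trusted signer", None, digest)
    if digest in submitted:
        return Decision("allow-only",
                        f"already submitted, verdict {submitted[digest]}", None, digest)
    limit = MAX_SIZE_BYTES.get(event.file_type, DEFAULT_MAX_SIZE)
    if len(event.content) > limit:
        return Decision("allow-only",
                        f"{len(event.content)} bytes exceeds {limit}-byte limit", None, digest)
    destination = DESTINATION.get(event.file_type, DEFAULT_DESTINATION)
    submitted[digest] = "pending"    # a second copy of the same file is not re-uploaded
    return Decision("forward", "unknown file within size limit", destination, digest)


if __name__ == "__main__":
    # Constructed traffic: the same EXE seen twice, a DOCX, an oversized JAR, a signed DLL.
    seen: Dict[str, str] = {}
    events = [
        FileEvent("setup.exe", "pe", b"MZ" + b"\x90" * 4096),
        FileEvent("setup.exe", "pe", b"MZ" + b"\x90" * 4096),
        FileEvent("q1-forecast.docx", "ms-office", b"PK\x03\x04" + b"\x00" * 2048),
        FileEvent("bundle.jar", "jar", b"PK\x03\x04" + b"\x00" * (600 * 1024)),
        FileEvent("msvcrt.dll", "pe", b"MZ" + b"\x00" * 512, signer="Microsoft Corporation"),
    ]
    for ev in events:
        d = decide(ev, seen)
        print(f"{ev.name:18} {d.action:10} {d.destination or '-':14} {d.reason}")
```

The point to notice is that every branch returns the file to the user; the only question the firewall answers inline is whether to spend an upload on it, which is why an oversized or already-seen sample produces no WildFire Submissions entry and why the size limit is a coverage decision rather than a blocking one.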
Configuring and Managing WildFire
 WildFire is configured under Device > Setup > WildFire
o The default cloud is wildfire.paloaltonetworks.com (other clouds for different regions are
available).
o If you have a WF-500 locally, its IP address is specified on this screen.
o The maximum size of files to upload can also be set here; anything larger is allowed through
without being forwarded.
o Selecting the 'Report Benign Files' and 'Report Grayware Files' checkboxes makes benign and
grayware verdicts appear in the WildFire Submissions log; they are not logged by default.
o Decrypted content is not forwarded to WildFire by default; enable 'Allow Forwarding of
Decrypted Content' under Device > Setup > Content-ID > Content-ID Settings to change this.
 Under Device > Setup > WildFire you can also choose which session information is reported to
WildFire with each sample: source/destination IP, ports, VSYS, application, user, etc.
 Forwarding to WildFire is activated by attaching a WildFire Analysis profile to a Security
policy rule; this is done on the Actions tab of the rule (Profile Setting).
o Logs for files forwarded to WildFire are viewed under Monitor > Logs > WildFire Submissions.
 A WildFire Analysis profile is created under Objects > Security Profiles > WildFire Analysis
o A pre-configured default profile is included and can be cloned and modified, or a new profile
can be created from scratch.
o Each file type can be sent to a specific destination (public cloud, private cloud or hybrid).
Example: JAR files can be sent to the public cloud, while DOCX files stay on the local WF-500
appliance.
 The profile can be attached to a rule individually or as part of a Security Profile Group.
o If a File Blocking profile blocks a file, the file is not sent to WildFire for analysis.
 Updates are available under Device > Dynamic Updates. With a WildFire licence, the WildFire
update schedule can be set anywhere from every minute to every hour. Without a licence, WildFire
signatures only arrive with the daily antivirus update.
WildFire Reporting
 Each time a file is analysed, WildFire reports its findings back to the firewall. The amount of
information reported is configurable.
 To verify that uploads are succeeding, use the CLI command:
o debug wildfire upload-log show
 The output should show each forwarded file with a successful upload status.
 Detailed reports can be viewed by clicking the magnifying glass on a WildFire Submissions log
entry and opening the WildFire Analysis Report tab, which gives details on the user and the file.
 More details are available at wildfire.paloaltonetworks.com - the portal gives a breakdown of
findings by category (benign, grayware, malware, phishing).
o Files can also be manually uploaded through this portal.
o The Reports button on the web portal lets you generate a custom report, and individual
entries can be viewed.
o Email reports can also be configured on the portal for automatic delivery.
o If a file was flagged as anything other than benign, you can open the individual report,
scroll to the bottom and submit a request to have the verdict reviewed.
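Besides the portal, the same verdict lookup can be scripted against the WildFire XML API mentioned in the licensed-service and WF-500 sections. The following is an added example, not Palo Alto Networks code: the /publicapi/get/verdict endpoint, its apikey and hash parameters and the verdict codes are those of the public WildFire API; SAMPLE_RESPONSE is a constructed response used so the script runs offline, API_KEY is a placeholder, and reaching a WF-500 by substituting its hostname is an assumption to confirm against the appliance's own API documentation.

```python
"""Query a WildFire verdict by SHA-256 over the XML API and interpret the answer.

Added example, not Palo Alto Networks code. SAMPLE_RESPONSE is a constructed
response for offline testing, API_KEY is a placeholder, and using a WF-500 by
swapping the hostname is an assumption to check against your appliance docs.
"""
import hashlib
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

WILDFIRE_HOST = "wildfire.paloaltonetworks.com"   # or your WF-500 hostname (assumption)
API_KEY = "REPLACE-WITH-YOUR-WILDFIRE-API-KEY"    # placeholder

# <verdict> values: non-negative codes are verdicts, negative ones are status.
VERDICTS = {
    0: "benign",
    1: "malware",
    2: "grayware",
    4: "phishing",
    -100: "pending",       # sample received, analysis not finished: poll again
    -101: "error",
    -102: "unknown",       # hash never seen by WildFire: submit the file
    -103: "invalid hash",
}


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_verdict_request(sha256_hex: str, api_key: str = API_KEY,
                          host: str = WILDFIRE_HOST):
    """Return (url, form-encoded POST body) for a get/verdict call."""
    url = f"https://{host}/publicapi/get/verdict"
    body = urllib.parse.urlencode({"apikey": api_key, "hash": sha256_hex}).encode()
    return url, body


def parse_verdict(xml_bytes: bytes) -> dict:
    """Extract hash and verdict from a get/verdict response.

    ElementTree does not resolve external entities, so a hostile response
    cannot use XXE to read local files; malformed XML raises ParseError and a
    response without a verdict (e.g. an API error) raises ValueError.
    """
    root = ET.fromstring(xml_bytes)
    info = root.find("get-verdict-info")
    if info is None or info.findtext("verdict") is None:
        raise ValueError("response does not contain a get-verdict-info/verdict element")
    code = int(info.findtext("verdict"))
    return {
        "sha256": info.findtext("sha256"),
        "md5": info.findtext("md5"),
        "code": code,
        "verdict": VERDICTS.get(code, f"unrecognised code {code}"),
    }


def next_step(code: int) -> str:
    """What an automation should do with a verdict code."""
    if code == -102:
        return "submit"        # upload the file via /publicapi/submit/file
    if code == -100:
        return "poll"          # wait and query again
    if code < 0:
        return "investigate"   # error or bad request; never treat as benign
    return "done"


def query_verdict(sha256_hex: str, api_key: str = API_KEY,
                  host: str = WILDFIRE_HOST) -> dict:
    url, body = build_verdict_request(sha256_hex, api_key, host)
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return parse_verdict(resp.read())


# Constructed sample of the response layout (hashes of the empty file), for offline use.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<wildfire>
  <get-verdict-info>
    <sha256>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</sha256>
    <verdict>1</verdict>
    <md5>d41d8cd98f00b204e9800998ecf8427e</md5>
  </get-verdict-info>
</wildfire>
"""


if __name__ == "__main__":
    if len(sys.argv) == 2:
        result = query_verdict(sha256_of_file(sys.argv[1]))   # live lookup
    else:
        result = parse_verdict(SAMPLE_RESPONSE)                # offline demo
    print(result["sha256"], result["verdict"], "->", next_step(result["code"]))
```

Run it with a file path to hash the file locally and look up its verdict (only the hash leaves your machine); with no arguments it parses the constructed sample. The negative status codes are handled separately from real verdicts so that a lookup failure or an unknown hash is never mistaken for "benign".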
