WildFire in PAN-OS 5: Enabling Advanced Threat Protection

How is WildFire enabled in PAN-OS 5?

Palo Alto Networks' WildFire is a cloud-based malware detection and prevention service. It uses machine learning to analyse files traversing a network in real time, blocking any files identified as malicious before they can be downloaded and spread. WildFire is enabled and configured through the WildFire Analysis profile and requires an active WildFire license. PAN-OS 11.1 includes the following WildFire features: Real Time WildFire Verdicts and Signatures for PDF and APK Files, and Advanced WildFire Inline Cloud Analysis.


WildFire analysis and configuration

WildFire is a cloud-based malware detection and prevention service offered by Palo Alto Networks. It uses advanced analysis techniques to identify and block malware, protecting your network from cyber threats.

To configure WildFire analysis and enable it in PAN-OS 5, follow these steps:

  • Enable WildFire Analysis: Ensure that your firewall is configured to forward decrypted SSL traffic for WildFire analysis. This is a recommended best practice.
  • Submit Samples for Analysis: Start submitting files for WildFire analysis. Define the traffic that you want to forward for analysis by selecting "Objects > Security Profiles > WildFire Analysis." Here, you can modify or add a WildFire Analysis profile.
  • Use Default or Custom Analysis Profile: As a best practice, use the WildFire Analysis default profile to ensure complete coverage for traffic allowed by the firewall. However, if you prefer, you can create a custom WildFire Analysis profile. If you choose to customize, set the profile to forward "Any file type" to enable automatic forwarding of newly supported file types for analysis.
  • Set File Size Limits: Define the size limits for files that the firewall forwards. It is recommended to set the file size for PEs to the maximum limit of 10 MB, while leaving other file types at their default values.
  • Attach Analysis Profile to Security Policy Rule: Attach the WildFire analysis profile to a security policy rule. This ensures that traffic matching the policy rule is forwarded for WildFire analysis.
  • Enable Automatic Signature Updates: Enable your firewall to receive the latest Advanced WildFire signatures. These signatures are used to detect and identify malware. If you are using PAN-OS 9.1 or earlier, you can receive new signatures every five minutes. Set the schedule to download and install these updates automatically.
  • Configure Update Frequency: Use the "Recurrence" field to configure the firewall to retrieve WildFire signatures in real-time. This ensures that your firewall stays up to date with the latest malware signatures.
  • Monitor and View Analysis Reports: Use the firewall to monitor malware activity and view WildFire analysis reports. You can access these reports on the Advanced WildFire portal for all samples submitted to the Advanced WildFire public cloud.
  • Control Site Access: Control access to websites that WildFire has identified as malicious or associated with phishing attempts. This option requires a PAN-DB URL Filtering license. You can block users from accessing these sites or allow access while generating alerts to ensure visibility into such events.
  • Test Your Configuration: Test your WildFire configuration by submitting a sample malware file. Investigate the analysis results to ensure that your configuration is working as expected.
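The checks a practitioner would script against a configuration export to verify the steps above, as an added example (not from the article or from Palo Alto Networks). The XML fragment is constructed, and its element paths are an assumption modelled on the PAN-OS running configuration; confirm them against your own export before relying on the script.

```python
import xml.etree.ElementTree as ET

# Constructed config fragment; element paths follow the PAN-OS layout as an assumption.
CONFIG_XML = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig>
    <setting><wildfire><file-size-limit>
      <entry name="pe"><size-limit>2</size-limit></entry>
      <entry name="pdf"><size-limit>3</size-limit></entry>
    </file-size-limit></wildfire></setting>
    <system><update-schedule><wildfire><recurring><every-15-mins/>
    </recurring></wildfire></update-schedule></system>
  </deviceconfig>
  <vsys><entry name="vsys1">
    <profiles><wildfire-analysis><entry name="custom-wf"><rules><entry name="r1">
      <file-type><member>pe</member></file-type><analysis>public-cloud</analysis>
    </entry></rules></entry></wildfire-analysis></profiles>
    <rulebase><security><rules>
      <entry name="allow-web"><profile-setting><profiles>
        <wildfire-analysis><member>custom-wf</member></wildfire-analysis>
      </profiles></profile-setting></entry>
      <entry name="allow-dns"/>
    </rules></security></rulebase>
  </entry></vsys>
</entry></devices></config>"""

PE_MAX_MB = 10  # maximum PE forwarding size the article recommends

def audit_wildfire(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. PE size limit raised to the 10 MB maximum
    pe = root.find(".//wildfire/file-size-limit/entry[@name='pe']/size-limit")
    pe_mb = int(pe.text) if pe is not None else 0
    if pe_mb < PE_MAX_MB:
        findings.append(f"pe size limit is {pe_mb} MB, expected {PE_MAX_MB}")
    # 2. Signature updates set to real-time recurrence
    if root.find(".//update-schedule/wildfire/recurring/real-time") is None:
        findings.append("WildFire signature recurrence is not real-time")
    # 3. Every analysis profile forwards 'any' file type
    for prof in root.findall(".//profiles/wildfire-analysis/entry"):
        types = {m.text for m in prof.findall("rules/entry/file-type/member")}
        if "any" not in types:
            findings.append(f"profile {prof.get('name')} forwards only {sorted(types)}")
    # 4. Every security rule has a WildFire Analysis profile attached
    for rule in root.findall(".//rulebase/security/rules/entry"):
        if rule.find("profile-setting/profiles/wildfire-analysis/member") is None:
            findings.append(f"security rule {rule.get('name')} has no WildFire Analysis profile")
    return findings
```

Run against the constructed fragment it reports four findings (PE limit of 2 MB, 15-minute recurrence, a profile limited to PE, and a rule with no profile); against a corrected export it returns an empty list.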


WildFire subscriptions and updates

WildFire is a cloud-based malware detection and analysis service offered by Palo Alto Networks. It is designed to protect organizations from unknown malware threats by generating protections to block further instances of detected threats. The basic WildFire service is included with the Palo Alto Networks next-generation firewall and does not require a separate subscription. With the basic service, the firewall can forward portable executable (PE) files for analysis and retrieve WildFire signatures with antivirus and/or Threat Prevention updates every 24-48 hours.

However, Palo Alto Networks offers several advanced subscription options for WildFire that provide additional features and capabilities. Here are the key features of each subscription type:

WildFire Subscription:

  • Protection from malware by forwarding samples to the Advanced WildFire cloud for analysis.
  • Access to regular Advanced WildFire signature updates.
  • Advanced file type forwarding capabilities.
  • Ability to upload files using the WildFire API.
  • Real-Time Updates: The firewall can retrieve Advanced WildFire signatures for newly discovered malware as soon as they are generated (available for PAN-OS 10.0 and later).

Advanced WildFire Subscription:

  • Intelligent Run-time Memory Analysis: A cloud-based advanced analysis engine that detects and prevents evasive malware threats, including malware using cloaking strategies and exhibiting fast-spreading qualities.
  • Cloud-based detection engines that are continuously monitored, updated, and deployed automatically without the need for manual content update packages or resource-intensive appliance-based analyzers.

WildFire Standalone API Subscription:

  • Direct queries to the WildFire cloud threat database for information about potentially malicious content.
  • Submit files for analysis using advanced threat analysis capabilities based on specific organizational requirements.
  • Enhanced access limits that allow organizations to customize their access according to their usage, including scalable licenses for file/report queries and sample submissions.

It is important to note that WildFire subscriptions provide additional protection and features beyond the basic WildFire service included with the Palo Alto Networks firewall. These subscriptions offer more frequent signature updates, advanced analysis capabilities, and customizable options to meet the specific needs of organizations.


WildFire appliance setup

To set up a WildFire appliance, you must first power it on by connecting power to the first power supply. A warning beep will sound until you connect the second power supply. If the appliance is already plugged in and in a shutdown state, use the power button on the front of the appliance to turn it on. Next, register the appliance. Obtain the serial number from the S/N tag on the appliance or run the following command and refer to the serial field:

[command]

From a browser, navigate to the Palo Alto Networks Support Portal and log in. If this is your first time registering a Palo Alto Networks device, provide an email address and the serial number of the device. Set up a username and password for access to the Palo Alto Networks support community.

Once registered, log in to the appliance with an SSH client or by using the Console port and enter configuration mode. Enter the following command:

Admin@WF-500# set deviceconfig system ip-address <ip-address> netmask <netmask> default-gateway <default-gateway> dns-setting servers primary <primary-dns-server>

Configure a secondary DNS server by replacing "primary" with "secondary" in the above command, excluding the other IP parameters. Set the hostname with the following command:

Admin@WF-500# set deviceconfig system hostname <hostname>

Commit the configuration to activate the new management (MGT) port configuration. Connect the MGT interface port to a network switch. Put the management PC back on your corporate network or whatever network is required to access the appliance on the management network.

Next, activate the appliance with the WildFire authorization code that you received from Palo Alto Networks. Although the appliance will function without an auth-code, it cannot retrieve software or content updates without a valid auth-code. Set the WildFire appliance clock by manually setting the date, time, and timezone, or configure the appliance to synchronize its local clock with a Network Time Protocol (NTP) server. To set the clock manually, enter the following commands:

Admin@WF-500> set clock date <YYYY/MM/DD> time <hh:mm:ss>

Admin@WF-500> configure

Admin@WF-500# set deviceconfig system timezone <timezone>

Finally, confirm WildFire registration by logging in to the appliance with an SSH client or by using the Console port. Enter the username/password "admin/admin" and enter the following command:

The following output indicates that the appliance is registered with one of the Palo Alto Networks WildFire cloud servers:

Test wildfire
    wildfire registration: successful
    download server list: successful
    select the best server:

Reset the admin password by typing the old password, pressing enter, and then entering and confirming the new password. Commit the configuration to ensure that the new password is saved in the event of a restart. The predefined default administrator password ("admin/admin") must be changed on the first login to the device. The new password must be a minimum of eight characters and include at least one lowercase and one uppercase letter, as well as one number or special character.


WildFire general settings

WildFire is a cloud-based malware detection and signature generation service. It is designed to identify unknown malware and generate signatures to protect against them. The firewall first receives a file and checks if it has been signed by a trusted digital signature. If not, the firewall takes a hash of the file and checks it against WildFire. If the hash is new, WildFire checks the file size.

To configure WildFire, first enable the firewall to forward decrypted SSL traffic for Advanced WildFire analysis; this is a recommended best practice. Next, start submitting samples for analysis by defining the traffic to be forwarded. Use the WildFire Analysis default profile for complete coverage of allowed traffic. Alternatively, create a custom profile and set it to forward any file type, so that the firewall automatically forwards newly supported file types. Attach the WildFire Analysis profile to a security policy rule.

For each profile rule, set the public cloud as the destination for forwarding samples to the Advanced WildFire cloud. You can also forward files to the WildFire private cloud or hybrid cloud. If you are using Advanced WildFire on Prisma Access, configure your WildFire Analysis Security Profile to forward files for Advanced WildFire Analysis. If you do not have a subscription, you can still forward PEs for analysis.

To confirm that the firewall is successfully forwarding samples, enable logging of benign files and select Monitor > WildFire Submissions. Check that entries are being logged for benign files submitted for analysis. You can disable logging of benign files after confirming the firewall is connected to a WildFire cloud.

To adjust general settings, select Device > Setup > WildFire and edit the General Settings. Here, you can adjust file size limits based on file type. The default file size limits are designed to include most malware while excluding large files that are unlikely to be malicious and could impact WildFire file-forwarding capacity. You can also configure data retention policies, logging settings, and the analysis environment. Set IP addresses for the DNS server, NTP server, and more.


WildFire submission and logging

WildFire is a cloud-based malware detection and signature generation service. When a firewall receives a file, it checks if it has been signed by a trusted digital signature. If it has not, the firewall will take a hash of the file and check it against WildFire. If WildFire has not seen the file before, it will check if the file size is smaller than the configured maximum threshold. If the file is smaller than the threshold, it can be submitted to WildFire for analysis.

Once the analysis is complete, WildFire will generate a verdict of benign, grayware, phishing, or malware. This verdict will appear in the WildFire submissions log and will be communicated to the submitting firewall. WildFire will then generate malware signatures and make them available for firewalls to download.

To check WildFire submissions, go to Monitor > Logs > WildFire Submission. You can also view reports on the Advanced WildFire portal for all samples submitted to the WildFire cloud, including manually submitted samples. These reports can be downloaded as PDFs.

You can change the WildFire submission log settings to include Grayware and Benign samples, as well as additional session information contained in email links.
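The pre-submission checks described in this section and under "General settings" (trusted signature first, then hash lookup, then size threshold) and the way a returned verdict feeds back into the firewall's cache, modelled as an added example that is not code from the article or from Palo Alto Networks. The class, the per-type thresholds other than the 10 MB PE maximum, and the action names are assumptions; the four verdict values are the ones the article lists.

```python
import hashlib

# Constructed per-type forwarding thresholds in MB; only the PE value is from the article.
SIZE_LIMIT_MB = {"pe": 10, "pdf": 3, "apk": 10}
VERDICTS = {"benign", "grayware", "phishing", "malware"}


class WildFireGate:
    """Decides whether a file is forwarded for analysis; caches verdicts by SHA-256.

    Hypothetical model of the flow the article describes, not the firewall's code.
    """

    def __init__(self):
        self.verdicts = {}       # sha256 -> verdict already returned by the cloud
        self.signatures = set()  # sha256 of samples for which a signature was generated

    def check(self, data, file_type, trusted_signer=False):
        """Return (action, reason, sha256) for one file seen by the firewall."""
        sha = hashlib.sha256(data).hexdigest()
        # 1. Files carrying a trusted digital signature are not forwarded.
        if trusted_signer:
            return "skip", "signed by trusted publisher", sha
        # 2. Known hashes reuse the cached verdict instead of resubmitting.
        if sha in self.verdicts:
            return "known", self.verdicts[sha], sha
        # 3. New hashes are forwarded only if the type is enabled and within its size limit.
        limit = SIZE_LIMIT_MB.get(file_type)
        if limit is None:
            return "skip", f"file type {file_type} not configured for forwarding", sha
        if len(data) > limit * 1024 * 1024:
            return "skip", f"{len(data)} bytes exceeds {limit} MB limit for {file_type}", sha
        return "forward", "new sample within size limit", sha

    def record_verdict(self, sha, verdict):
        """Store the cloud verdict; a malware verdict also yields a signature."""
        if verdict not in VERDICTS:
            raise ValueError(f"unexpected verdict {verdict!r}")
        self.verdicts[sha] = verdict
        if verdict == "malware":
            self.signatures.add(sha)
        return verdict
```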
