Blocking Unknown Malware with WildFire
>> WildFire concepts
WildFire Threat Intelligence Cloud
WildFire is a cloud-based virtual sandbox used to evaluate unknown files and URL links found in emails.
analysis --> files and links --> label --> benign, grayware, malware, or phishing
WildFire Operation Overview
Yes: the firewall trusts that the file does not contain hidden malware and allows the file to be delivered. No: the firewall creates a hash (#) for the file and forwards it; the MAX file size limit applies, i.e. files over the limit are not sent to WildFire.
WildFire Verdict Descriptions
As benign, grayware, malware, or phishing
WildFire Protects Email
The firewall sends email with attachments or URL links to WildFire for analysis.
Content Packages and WildFire Updates
Antivirus signatures are made available within 24 to 48 hours as content updates to the Antivirus content database.
Standard and Licensed Functionality
Standard subscription service:
WildFire licensed service:
Additional features beyond the standard service, such as analysis of more file types (Microsoft Office, PDF, JAR, CLASS, SWF, SWC, RAR, 7) in real time, API submission, plus private cloud
Hybrid Cloud Example
Combines public and private cloud; private cloud analysis prevails.
>> Configure and manage WildFire
Configure WildFire Settings
Device > Setup > WildFire
WildFire Public Cloud setting is configured with the URL value wildfire.paloaltonetworks.com
Submission Settings
Device > Setup > WildFire
WildFire Analysis
WildFire Analysis Profiles are objects that are added to Security policy rules that are configured with an action of “allow.” WildFire Analysis Profiles are not necessary for Security policy rules configured with the “deny” action, because no further processing is needed if the network traffic will be blocked.
WildFire Analysis Profile
Objects > Security Profiles WildFire Analysis
...trusted zones. In a Zero Trust configuration, no zone is completely trusted.
Creating a WildFire Analysis Profile
Objects > Security Profiles > WildFire Analysis > Add
... which application file types to send to WildFire for analysis.
Configure Real-Time WildFire Analysis
Objects > Security Profiles > AntiVirus
...configure real-time WildFire analysis on the firewall.
...configured to:
• Enable: Allows the traffic to pass without any policy
• Alert only: The traffic is allowed, and a log entry is generated in the Threat log
• Disable: The traffic is blocked, and the user will see a response page. The user will not be able to continue to the website, and a log entry is generated in the URL Filtering log.
Attach WildFire Analysis Profiles to Security Rules
Policies > Security > Add
WildFire Update Schedule
Schedule poll period for WildFire antivirus signature updates: Any new WildFire antivirus signatures created by WildFire are available for download from WildFire in real time. ...If you have a WildFire license...
>> WildFire reporting
Information reported back to the firewall is recorded by the firewall in the WildFire Submissions log.
Verify Submissions and View Reports
> debug wildfire upload-log show
On the command line (reached by using SSH, e.g. via PuTTY), the output shows the status "upload success" and the name of the file.
Monitor > Logs > WildFire Submissions
WildFire Analysis Verdict Example
Monitor > Logs > WildFire Submissions
Detailed Log View window > WildFire Analysis Report tab
Use the log entry and the WildFire analysis report to find:
- the users that were targeted
- the applications that were used
- the malicious behaviour that was observed
...Download PDF and print the PDF document. The PDF includes a detailed
WildFire Portal
Go to https://wildfire.paloaltonetworks.com
Dashboard also reports summary information for the files that were submitted manually by a user using the WildFire XML API.
WildFire Dashboard Reports
...click the Reports button at the top of the WildFire portal.
Report Incorrect Verdict: WildFire Portal
...report an incorrect verdict link. In the window that...
1. What is the maximum size of .EXE files uploaded from the Next Generation firewall to WildFire?
Always 10 megabytes
Configurable up to 2 megabytes
Configurable up to 10 megabytes
Always 2 megabytes
2. Without a WildFire subscription, which of the following files can be submitted by the Next Generation Firewall to the hosted WildFire virtualized sandbox?
PDF files only
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
PE and Java Applet only
PE files only
3. In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for WildFire updates?
5 Minutes
30 Minutes NO
1 Hour NO
15 Minutes NO
4. Which CLI command is used to verify successful file uploads to WildFire?
debug wildfire upload-log
debug wildfire download-log show
debug wildfire upload-log show YES
debug wildfire upload-threat show NO
5. True. If a file type is matched in the File Blocking Profile and WildFire Analysis Profile, and if the File Blocking Profile action is set to “block,” then the file is not forwarded to WildFire.
6. Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription?
Select one:
JAR
EXE
APK
7. Which WildFire verdict might indicate obtrusive behaviour but not a security threat?
Select one:
grayware
phishing
malware
benign
8. False? When a malicious file or link is detected in an email, WildFire can update antivirus signatures in the PAN-DB database.
9. Assume you have a WildFire subscription. Which file state or condition might result in a file not being analysed by WildFire?
file already has WildFire hash NO
executable file signed by trusted signer NO
file located in a JAR or RAR archive
file size limit exceeded