Palo Alto NGFW Training Course

Palo Alto Wildfire service is a cloud based analysis techniques to detect malware and then generate signature to protect from them. For simplicity you can says, it’s turns unknown malware into known malware. Today, in this lesson we will learn how to configure wildfire in Palo Alto firewall.

How wildfire works?

First, the firewall receives a file. Then the firewall checks to see, if the file has been signed by a trusted digital signature. If it has, then the file would be allowed. If it has not then the firewall will take a hash of the file. Then it will check against wildfire, to see if that hash has been seen before.

If that hash has been seen before, then there will be a verdict associated, benign, grayware/phishing or malware verdicts. However, if wildfire has not seen this file before, then the fire will check to see, if the file size is smaller than the configured maximum thresholds.

If the file is too large then the firewall has no option but to allow the file. However, if the file is not too large, then it can be submitted up to wildfire for analysis. Once the analysis is complete, a verdict will be generated based on the characteristics and behavior of the file and that verdict would be again benign, grayware, phishing or malware.

After that then wildfire will inform the submitting firewall of this verdict and this will appear within the wildfire submissions log. After which, wildfire will generate malware signatures and make them available for firewalls to download. If your firewall has a valid wildfire subscription, you can immediately download the signature, once it’s placed on the update server, after about a five minute period. If your firewall does not have a wildfire subscription you still benefit from the submission of this file during the next days antivirus update.

Palo Alto Wildfire Deployment options

  • Global Cloud: WildFire Public cloud
  • Private Cloud: WildFire Appliance WF-500
  • Hybrid Cloud: Combination of Public cloud and appliance

How to configure Palo Alto wildfire?

Go to Device >> Setup >> WildFire and click General Settings.

You will find URL for public cloud. You can choose your desire public cloud if you are using global wildfire. If you using appliance then add ip address of your WildFire Private Cloud. You also can change default file size here.

Palo Alto Wildfire Configuration - General Settings

Now, go to Objects >> Security Profiles >> WildFire Analysis and click Add. You can define file types and destination cloud (private/public).

Palo Alto WildFire Analysis

Finally, go to Policies >> Security and click on your desire policy, mostly it will be access-to-internet policy. Go to Actions of the policy and select Profiles in profile type. Choose your newly create Wildfire analysis profile. In my case it is OUR-WILDFIRE-PROFILE.

Palo Alto Security Policy Rule

Test a sample Malware File:

If you have SSL decryption enabled on the firewall, use one of the following URLs:

  • PE—https://wildfire.paloaltonetworks.com/publicapi/test/pe
  • APK—https://wildfire.paloaltonetworks.com/publicapi/test/apk
  • MacOSX—https://wildfire.paloaltonetworks.com/publicapi/test/macos
  • ELF—wildfire.paloaltonetworks.com/publicapi/test/elf

If you do not have SSL decryption enabled on the firewall, use one of the following URLs instead:

  • PE—http://wildfire.paloaltonetworks.com/publicapi/test/pe
  • APK—http://wildfire.paloaltonetworks.com/publicapi/test/apk
  • MacOSX—http://wildfire.paloaltonetworks.com/publicapi/test/macos
  • ELF—wildfire.paloaltonetworks.com/publicapi/test/elf

Verification:

To test the connect between firewall and wildfire cloud, run test wildfire registration command.

admin@PA-FW-01> test wildfire registration 
This test may take a few minutes to finish. Do you want to continue? (y or n) 

Test wildfire Public Cloud

        Testing cloud server wildfire.paloaltonetworks.com ...
        wildfire registration:         successful                    
        download server list:          successful                    
        select the best server:        panos.wildfire.paloaltonetworks.com

Test wildfire Private Cloud

        Cloud server is empty

admin@PA-FW-01> 

You also can run –

show wildfire status channel public
show wildfire status channel private

To check submission, go to Monitor >> Logs >> WildFire Submission.

Palo Alto Wildfire Verification

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 8+ years of experience in multi-vendor environment. In my current position, I am responsible to take care critical projects and it's support cases. I do have several vendor certificates and have plans to go further.

Leave a Comment

Your email address will not be published. Required fields are marked *