Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/
This guide describes the administrative tasks required to use and maintain the Palo Alto Networks WildFire feature.
Topics covered include licensing information, configuring firewalls to forward files for inspection, viewing reports, and
how to configure and manage the WF-500 WildFire appliance.
Refer to the following sources for more information:
For information on the additional capabilities and for instructions on configuring the features on the firewall, refer
to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
https://live.paloaltonetworks.com.
For contacting support, for information on the support programs, or to manage your account or devices, refer to
https://support.paloaltonetworks.com
Table of Contents
WildFire Overview ..... 1
  About WildFire ..... 2
  WildFire Concepts ..... 5
    File/Email Link Forwarding ..... 5
    Supported File Types ..... 5
    WildFire Virtual Sandboxes ..... 6
    WildFire Signatures ..... 6
    WildFire Email Link Analysis ..... 7
    WildFire Alerts ..... 8
    WildFire Logging and Reporting ..... 8
    Malware Test Samples ..... 10
  WildFire Deployments ..... 12
  WildFire Subscription Requirements ..... 14
  Best Practices for Keeping Signatures up to Date ..... 16
  Reference: Firewall File Forwarding Capacity by Platform ..... 17
WildFire Reporting ..... 65
  WildFire Logs ..... 66
  Enable Email Header Information in WildFire Logs ..... 68
  Monitor Submissions Using the WildFire Portal ..... 70
  Customize WildFire Portal Settings ..... 71
  Add WildFire Portal User Accounts ..... 72
  View WildFire Reports ..... 73
  WildFire Report Contents ..... 74
  Set Up Alerts for Detected Malware ..... 79
  WildFire in Action ..... 82
WildFire API ..... 87
  About WildFire Subscriptions and API Keys ..... 88
  Use the WildFire API ..... 89
  WildFire API File Submission Methods ..... 90
    Submit a File to the WildFire Cloud Using the Submit File Method ..... 90
    Submit a File to WildFire Using the Submit URL Method ..... 90
  Query for a WildFire PDF or XML Report ..... 92
  Use the API to Retrieve a Sample Malware Test File ..... 93
    Use the API to Retrieve a Sample File or PCAP ..... 93
  Use the WildFire API on a WF-500 Appliance ..... 96
    Generate API Keys on the WildFire Appliance ..... 96
    Manage API Keys on the WildFire Appliance ..... 97
    Use the WildFire API on a WildFire Appliance ..... 98
About WildFire
Modern malware is at the heart of many of today's most sophisticated network attacks and is increasingly
customized to avoid traditional security solutions. Palo Alto Networks has developed an integrated approach
that addresses the full malware life cycle, which includes preventing infections, identifying zero-day malware
(undiscovered malware), or targeted malware (malware targeting a specific industry or corporation), as well as
pinpointing and disrupting active infections.
The Palo Alto Networks WildFire engine exposes zero-day and targeted malware through direct observation in
a virtual environment within the WildFire system. The WildFire feature also makes extensive use of the Palo
Alto Networks App-ID technology by identifying file transfers within all applications, not just email
attachments or browser-based file downloads.
For information on Palo Alto Networks WildFire privacy policy, refer to
https://live.paloaltonetworks.com/docs/DOC-2880.
Figure: High-Level WildFire Decision Workflow illustrates the basic WildFire workflow, and Figure: Detailed
WildFire Decision Flow describes the entire WildFire lifecycle from the time a user downloads a malicious file
to the point where WildFire generates a signature to be used by Palo Alto Networks firewalls to protect against
future exposure to the malware.
The High-Level WildFire Decision Workflow describes the workflow for a file download. The
analysis of an HTTP/HTTPS link contained in an email is very similar, but there are minor
differences. For details on email-link analysis, see WildFire Email Link Analysis.
WildFire Concepts
File/Email Link Forwarding
Supported File Types
WildFire Virtual Sandboxes
WildFire Signatures
WildFire Email Link Analysis
WildFire Alerts
WildFire Logging and Reporting
Malware Test Samples
With the integrated solution between WildFire and Palo Alto Networks firewalls, you configure the firewall with
a file blocking profile and attach it to a security policy rule that instructs the firewall to automatically forward
samples to the WildFire system for threat analysis. The samples can be specific file types or HTTP/HTTPS links
contained in SMTP or POP3 messages. If a user downloads a file sample over a session that matches the security
rule, the firewall performs a file hash check with WildFire to determine if WildFire has previously analyzed the
sample. If the file is new, it is forwarded for analysis, even if it is contained within a ZIP file or over compressed
HTTP. In the case of an email link, the firewall will extract HTTP/HTTPS links from SMTP and POP3 email
messages that match the forwarding policy and will forward the link to WildFire (see WildFire Email Link
Analysis). You can also configure the firewall to forward files inside of encrypted SSL sessions if SSL decryption
is enabled.
For information on configuring forwarding, see Forward Files to a WF-500 Appliance or Forward Samples to
the WildFire Cloud.
Email-link: HTTP/HTTPS email links contained in SMTP and POP3 email messages. Note that the
firewall only extracts links and associated session information (sender, recipient, and subject) from the email
messages that traverse the firewall; it does not receive, store, forward, or view the email message. The
WF-500 appliance does not support email link analysis.
JAR: Java Applet (JAR/Class file types). The WF-500 appliance will analyze Java content, but will not
generate signatures for malicious samples. You must download the sample from the WildFire Submissions
log and upload it to the WildFire cloud for signature generation.
PE: Portable Executable, which includes executable files, object code, DLLs, FON (fonts), and others.
MS-Office: Microsoft Office files including documents (doc, docx, rtf), workbooks (xls, xlsx), and
PowerPoint (ppt, pptx). As of content update 450, WildFire can generate antivirus signatures for Office
Open XML (OOXML) 2007+ documents that it determines to be malicious and delivers the signatures
through WildFire and antivirus updates, enabling the firewall to alert or block malicious content in these
types of files.
A WildFire subscription is not required on the firewall to forward PE file types to WildFire for
analysis, but is required to analyze all other supported file types.
WildFire executes the suspect files it receives in a virtual environment and observes the behavior for signs of
malicious activities, such as changes to browser security settings, injection of code into other processes,
modification of files in the Windows system folder, or domains that the sample attempted to access. When the
WildFire engine completes the analysis, it generates a detailed forensics report that summarizes the observed
behaviors and assigns a verdict of malware or benign. Similarly, WildFire extracts HTTP/HTTPS links in
SMTP and POP3 email messages and visits the links to determine if the corresponding web page hosts any
exploits. If WildFire detects malicious behavior, it generates a report and submits the URL to PAN-DB and
categorizes the URL as malware. Note that WildFire does not generate logs for benign email links.
WildFire includes sandbox support for the following operating system environments:
WildFire Signatures
The key benefits of the Palo Alto Networks WildFire feature are that it can discover zero-day malware in web
traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic and can quickly generate
signatures to protect against future infections from the malware it discovers. WildFire automatically
generates a signature based on the malware payload of the sample and tests it for accuracy and safety. Because
malware evolves rapidly, the signatures that WildFire generates will address multiple variants of the malware. As
WildFire detects new malware, it generates new signatures within 15-30 minutes. Firewalls equipped with a
WildFire subscription can receive the new signatures within 15 minutes. If you do not have a WildFire
subscription, signatures are made available within 24-48 hours as part of the antivirus update for firewalls
equipped with a Threat Prevention subscription.
As soon as the firewall downloads and installs the new signature, any files that contain that malware (or a variant
of it) will automatically be dropped by the firewall. Information gathered by WildFire during the analysis of
malware is also used to fortify other Threat Prevention features, such as adding malware URLs to PAN-DB,
generating DNS signatures, antivirus, and anti-spyware signatures. Palo Alto Networks also develops signatures
for command and control traffic, enabling immediate disruption in the communications of any malware inside
the network. For details on signatures and the benefits of having a WildFire subscription, see WildFire
Subscription Requirements.
The firewall not only forwards files to WildFire for threat analysis, it can also extract HTTP/HTTPS links
contained in SMTP and POP3 email messages and forward the links to the WildFire cloud for analysis. This
feature is not supported on the WF-500 appliance. You enable this functionality by configuring the firewall to
forward the email-link file type. Note that the firewall only extracts links and associated session information
(sender, recipient, and subject) from the email messages that traverse the firewall; it does not receive, store,
forward, or view the email message.
After receiving an email link from a firewall, WildFire visits the links to determine if the corresponding web
page hosts any exploits. If WildFire determines that the page itself is benign, it will not generate a log. However,
if it detects malicious behavior on the page, it returns a malicious verdict and:
Generates a detailed analysis report and logs it to the WildFire Submissions log on the firewall that
forwarded the links. This log now includes the email header information (email sender, recipient, and
subject) so that you can identify the message and delete it from the mail server and/or track down the
recipient and mitigate the threat if the email has already been delivered and/or opened.
View the file type: email-link counter section under Counters for file forwarding.
When email links are forwarded, the following counters will increment:
FWD_CNT_APPENDED_BATCH: Indicates the number of email links added to a batch waiting
for upload to WildFire.
FWD_CNT_LOCAL_FILE: Indicates the total number of email links uploaded to WildFire.
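The extraction described above forwards only the HTTP/HTTPS links and the sender, recipient, and subject of the message, never the message itself. The following script is an added illustration of that boundary, not Palo Alto Networks code: it parses a constructed SMTP message and builds the minimal record that would be forwarded; the record layout is an assumption made here.

```python
"""Model of what the firewall extracts for the email-link file type: the
HTTP/HTTPS links plus sender, recipient and subject, and nothing else from the
message.  Added example, not Palo Alto Networks code; the message below is
constructed for illustration and the record layout is an assumption.
"""
import re
from email import message_from_bytes
from email.message import Message

# Matches an http:// or https:// link; stops at whitespace, angle brackets and quotes.
LINK_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message (not a real email), as it might cross the firewall over SMTP.
SAMPLE_MESSAGE = b"""From: sender@example.test
To: recipient@example.test
Subject: Quarterly invoice
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Please review https://files.example.test/invoice.pdf before Friday.
Archive: http://archive.example.test/2014/q3
--b1
Content-Type: text/html

<html><body><a href="https://files.example.test/invoice.pdf">Invoice</a>
<a href="http://tracker.example.test/open?id=42">.</a></body></html>
--b1--
"""


def extract_links(msg: Message) -> list:
    """Collect unique HTTP/HTTPS links from every text part, in order of appearance."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # the multipart container and any attachments are skipped
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for link in LINK_RE.findall(text):
            link = link.rstrip(".,;)")  # drop trailing sentence punctuation
            if link not in found:
                found.append(link)
    return found


def build_email_link_record(raw: bytes) -> dict:
    """Return only the fields the guide says the firewall forwards: sender, recipient,
    subject and the extracted links.  The message body itself is not retained."""
    msg = message_from_bytes(raw)
    return {
        "sender": msg.get("From", ""),
        "recipient": msg.get("To", ""),
        "subject": msg.get("Subject", ""),
        "links": extract_links(msg),
    }


if __name__ == "__main__":
    for key, value in build_email_link_record(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```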
To ensure that you gain the full benefits of this feature, confirm the following on each firewall that will forward
samples to WildFire.
A valid WildFire subscription is installed.
WildFire Alerts
The firewall can provide instant notification whenever it detects malware on your network by sending email
alerts, syslog, or SNMP traps. This enables you to quickly identify the user who downloaded the malware and
eradicate it before it causes extensive damage or propagates to other users. In addition, every signature that
WildFire generates is automatically propagated to all Palo Alto Networks firewalls protected with a Threat
Prevention and/or WildFire subscription, which provides automatic protection from malware discovered on
networks all over the world.
For each sample that WildFire analyzes, WildFire generates a detailed behavioral report within minutes of the
sample submission. These reports are available in the WildFire Submissions log on the firewall, from the
WildFire portal, or through WildFire API queries. The reports show detailed behavioral information about the
sample, information on the targeted user, the application that delivered the file, and all URLs involved in the
delivery or phone-home activity of the file. For details on how to access the reports and descriptions of the
report fields, see View WildFire Reports.
The following screen capture shows part of a sample report for a file analysis followed by a screen capture for
an email link analysis report.
Palo Alto Networks provides a sample malware file that you can use to test a WildFire configuration. Before
downloading the file to test your configuration, make sure you configure your firewall based on the procedures
described in Forward Files to a WF-500 Appliance or Forward Samples to the WildFire Cloud.
The following lists information about the test file:
Each time you access the test URL, the server generates a unique file named wildfire-test-pe-file.exe and
initiates a download. Each test file also has a unique SHA-256 hash value.
Although WildFire will generate a signature for the test file, the signature is disabled and will not be
distributed to the Palo Alto Networks update server. If signature generation is enabled on a WF-500
appliance, it will not generate a signature for the test file.
To access the malware test file, highlight the following link and copy and paste it into a browser:
http://wildfire.paloaltonetworks.com/publicapi/test/pe.
If you have enabled decryption on the firewall, you can access the encrypted version of the site by replacing
HTTP with HTTPS.
After downloading the file, check the Data Filtering log on the firewall to see if the file was forwarded and after
about five minutes, look for the results in the WildFire Submissions log. For information on verifying your
WildFire configuration, see Verify Forwarding to a WF-500 Appliance and Verify Forwarding to the WildFire
Cloud.
For WildFire API testing, see Use the API to Retrieve a Sample Malware Test File.
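Because each download of the test file has a unique SHA-256 hash, the hash is the value to search for in the Data Filtering and WildFire Submissions logs. The following script is an added example, not Palo Alto Networks code: it fetches the test file through the firewall, records its SHA-256, checks that a PE file actually arrived, and notes when the Submissions log should be checked; only the test URL comes from the guide, the five-minute wait mirrors the guidance above, and the record layout is an assumption.

```python
"""Fetch the WildFire test PE file and record the identifiers needed to find it
in the firewall's Data Filtering and WildFire Submissions logs.

Added example, not part of the Palo Alto Networks guide.  The only value taken
from the guide is the test URL; the record layout is an assumption made here.
"""
import hashlib
import sys
import time
import urllib.request

# URL from the guide; replace http with https if decryption is enabled on the firewall.
TEST_URL = "http://wildfire.paloaltonetworks.com/publicapi/test/pe"
WAIT_SECONDS = 5 * 60  # the guide says results appear after about five minutes


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as lowercase hex, the form WildFire uses to identify a sample."""
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """Cheap sanity check that the response is a Portable Executable (MZ header).
    A non-PE response suggests the download was blocked or rewritten on the path."""
    return len(data) >= 2 and data[:2] == b"MZ"


def describe_sample(data: bytes, fetched_at: float) -> dict:
    """Build the record an admin keeps to correlate the download with the firewall logs."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "sha256": sha256_hex(data),
        "size": len(data),
        "is_pe": is_pe(data),
        "fetched_at_utc": time.strftime(fmt, time.gmtime(fetched_at)),
        "check_log_after_utc": time.strftime(fmt, time.gmtime(fetched_at + WAIT_SECONDS)),
    }


def fetch_test_file(url: str = TEST_URL, timeout: int = 30) -> bytes:
    """Download the test file through the firewall under test (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def main() -> int:
    record = describe_sample(fetch_test_file(), time.time())
    if not record["is_pe"]:
        print("warning: response is not a PE file; the download may have been blocked or rewritten")
    for key, value in record.items():
        print(f"{key}: {value}")
    print("Search the Data Filtering log now and the WildFire Submissions log after "
          "check_log_after_utc for the sha256 above.")
    return 0 if record["is_pe"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a host whose traffic matches the forwarding security rule, otherwise the firewall never sees the download.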
WildFire Deployments
Palo Alto Networks next-generation firewalls support the following WildFire deployments:
WildFire Cloud: In this deployment, a Palo Alto Networks firewall forwards files to the hosted WildFire
environment that Palo Alto Networks owns and maintains. As WildFire detects new malware, it generates
new signatures within 15-30 minutes. Firewalls equipped with a WildFire subscription can receive the new
signatures within 15 minutes; firewalls with only a Threat Prevention subscription will receive the new
signatures in the next antivirus signature update within 24-48 hours.
The available WildFire cloud servers are wildfire-public-cloud for the WildFire cloud server hosted in the
United States and wildfire.paloaltonetworks.jp for the WildFire cloud hosted in Japan. You may want your
firewalls to use the Japan server if you do not want benign files forwarded to the U.S. cloud servers. If a file
is sent to the Japan cloud and WildFire determines it is malicious, the Japan cloud forwards it to the U.S. cloud
servers where WildFire analyzes it again to confirm if it is malicious. If your firewalls are located in the Japan
region, you will see faster response time for sample submissions and report generation.
WildFire Appliance: In this deployment, you install a WF-500 appliance on your corporate network and
configure your Palo Alto Networks firewalls to forward files to the appliance instead of to the Palo Alto
Networks WildFire cloud (the default). This deployment prevents the firewall from having to send any files
outside of your network for analysis. By default, the appliance will not send any files out of your network
unless you explicitly enable the cloud intelligence submit-sample feature. This feature enables the appliance
to forward malware it detects to the Palo Alto Networks WildFire cloud where the files are analyzed and
signatures are generated for malicious samples. The update servers then provide these signatures to all Palo
Alto Networks firewalls with a threat prevention and/or WildFire subscription. The appliance can also be
configured to generate signatures locally based on samples sent to it from your connected firewalls or by
submitting samples using the WildFire XML API. For more information, see Signature/URL Generation on
a WF-500 Appliance. A single WildFire appliance can receive and analyze files from up to 100 Palo Alto
Networks firewalls.
The following lists the main differences between the WildFire cloud and the WildFire appliance deployments:
The WildFire Appliance enables local sandboxing of malware so that benign files never leave your network.
By default, the WildFire appliance does not forward any files to the WildFire cloud, but you can configure
the cloud intelligence option on the appliance to forward malicious samples or reports on malicious samples
to Palo Alto Networks. If you do not want the appliance to send malware samples to Palo Alto Networks, it
is recommended that you at least configure the appliance to send malware reports. The reports will help Palo
Alto Networks gather statistical information about malware to gain a better understanding on how prevalent
the malware is and to gain insight into propagation of the malware.
The WF-500 appliance does not have a WildFire Portal, but you can configure cloud intelligence on the
appliance to automatically submit files to the WildFire cloud. You can also download samples from the
WildFire reports and then upload them to the portal, or use the WildFire XML API to submit files to the
cloud. After manually uploading files to the portal, the samples will appear on the portal as a manual upload
(see Upload Files using the WildFire Cloud Portal). For samples forwarded by a Palo Alto Networks firewall
to a WF-500 appliance or to the WildFire cloud, the reports are always available in the WildFire Submissions
log on the firewall.
Multiple virtual machines run on the WildFire cloud to represent a variety of operating systems and
applications used when running sample files. On the WF-500 appliance, multiple virtual machines are
available, but only one can be active for file analysis. Before selecting the virtual machine to use, review the
attributes of the available virtual machines and select one that best matches your environment. Although you
configure the WF-500 appliance to use one virtual machine image configuration, the appliance uses multiple
instances of the image to perform file analyses in order to improve performance. For information on viewing
and selecting the virtual machine, see Integrate the WF-500 Appliance into a Network.
It takes approximately 15 to 30 minutes for WildFire to generate a signature and make it available
for subscribers after discovering malware. Firewalls equipped with a WildFire subscription can
poll for new malware signatures every 15, 30, or 60 minutes. If, for example, the firewall is set to
poll for WildFire signature updates every 30 minutes, it might not receive a signature for a file it
uploaded until the second polling interval after the malware was discovered because of the time
required to generate the signature. If the firewall only has a Threat Prevention subscription, it will
receive signatures generated by WildFire after they are rolled into the antivirus updates, which
occurs approximately every 24-48 hours.
If your firewalls are forwarding files to a WF-500 appliance that has local signature generation
enabled, the appliance can generate signatures within approximately five minutes and you can
configure the firewall to retrieve these signatures every five minutes.
WildFire Advanced File Type Support: In addition to Portable Executable (PE) files, a subscription
allows the firewall to also forward the following advanced file types: APK (WildFire cloud only), Flash, PDF,
Microsoft Office, and JAR (Java Applet). In addition to these file types, you can also configure the firewall
to extract and forward email links contained in SMTP and POP3 email messages by forwarding the
email-link file type. Note that the firewall only extracts links and associated session information (sender,
recipient, and subject) from the email messages that traverse the firewall; it does not receive, store, forward,
or view the email message.
WildFire API: The WildFire subscription provides access to the WildFire API, which enables direct
programmatic access to the WildFire service on the Palo Alto Networks WildFire cloud or a WildFire
appliance. You can use the WildFire API to submit files and to retrieve reports for the submitted files. The
WildFire API supports up to 1,000 file submissions per day and up to 10,000 queries per day.
WildFire WF-500 Appliance: Only firewalls with a valid WildFire subscription can forward files to a
WF-500 appliance for analysis. Firewalls that only have a Threat Prevention subscription installed can
forward files to the WildFire cloud, but not to a WF-500 appliance.
The speed at which the firewall can forward files to WildFire also depends on the bandwidth of
the upload link to the WildFire systems.
Reference: Firewall File Forwarding Capacity by Platform
VM-100         5    100MB
VM-200        10    200MB
VM-300        20    200MB
PA-200         5    100MB
PA-500        10    200MB
PA-3020       50    200MB
PA-3050       50    500MB
PA-3060       50    500MB
PA-4020       20    200MB
PA-4050/4060  50    500MB
PA-5020/5050  50    500MB
MGT: Receives all files forwarded from the firewalls and returns logs detailing the results back to the
firewalls. See Integrate the WF-500 Appliance into a Network.
Virtual Machine Interface (VM interface): Provides network access for the WildFire sandbox systems
to enable sample files to communicate with the Internet, which allows WildFire to better analyze the
behavior of the sample. When the VM interface is configured, WildFire can observe malicious behaviors that
the malware would not normally perform without network access, such as phone-home activity. However,
to prevent malware from entering your network from the sandbox, configure this interface on an isolated
network with an Internet connection. You can also enable the Tor option to hide the public IP address
used by your company from malicious sites that are accessed by the sample. For more information on the
VM interface, see Set Up the VM Interface on the WF-500 Appliance.
Rack mount and cable the WF-500 appliance. Refer to the WF-500 WildFire Appliance Hardware
Reference Guide.
Obtain the information required to configure network connectivity on the MGT port and the virtual
machine interface from your network administrator (IP address, subnet mask, gateway, hostname, DNS
server). All communication between the firewalls and the appliance occurs over the MGT port, including
file submissions, WildFire log delivery, and appliance administration. Therefore, ensure that the firewalls
have connectivity to the MGT port on the appliance. In addition, the appliance must be able to connect to
the updates.paloaltonetworks.com site to retrieve its operating system software updates.
Have a computer ready with either a console cable or Ethernet cable to connect to the device for the initial
configuration.
This section describes the steps required to install a WF-500 appliance on a network and perform basic setup.
Integrate the WF-500 Appliance into a Network
Step 1 Connect the management computer to the appliance using the MGT or Console port and power on the
appliance.
1. Connect to the console port or the MGT port. Both are located on the back of the appliance.
Console Port: This is a 9-pin male serial connector. Use the following settings on the console
application: 9600-8-N-1. Connect the provided cable to the serial port on the management computer or
USB-To-Serial converter.
MGT Port: This is an Ethernet RJ-45 port. By default, the MGT port IP address is 192.168.1.1. The
interface on your management computer must be on the same subnet as the MGT port. For example, set
the IP address on the management computer to 192.168.1.5.
2. Power on the appliance.
The appliance will power on as soon as you connect power to the first power supply and a warning beep
will sound until you connect the second power supply. If the appliance is already plugged in and is in the
shutdown state, use the power button on the front of the appliance to power on.
Step 2 Register the WildFire appliance.
1. Obtain the serial number from the S/N tag on the appliance, or run the following command and refer to
the serial field:
admin@WF-500> show system info
2. From a browser, navigate to the Palo Alto Networks Support site.
3. Register the device as follows:
If this is the first Palo Alto Networks device that you are registering and you do not yet have a login,
click Register on the right side of the page. To register, provide an email address and the serial number
of the device. When prompted, set up a username and password for access to the Palo Alto Networks
support community.
For existing accounts, log in and then click My Devices. Scroll down to the Register Device section at
the bottom of the screen and enter the serial number of the device, the city and postal code, and then
click Register Device.
Step 3 Reset the admin password.
1. Log in to the appliance with an SSH client or by using the Console port. Enter a username/password of
admin/admin.
2. Set a new password by running the command:
admin@WF-500# set password
3. Type the old password, press enter and then enter and confirm the new password. There is no need to
commit the configuration because this is an operational command.
4. Type exit to log out and then log back in to confirm that the new password is set.
Step 4 Set the IP information for the MGT interface and the hostname for the appliance. All firewalls that
will send files to the WF-500 appliance will use the MGT port, so ensure that this interface is accessible from
those firewalls.
This example uses the following values:
IPv4 address - 10.10.0.5/22
Subnet Mask - 255.255.252.0
Default Gateway - 10.10.0.1
Hostname - wildfire-corp1
DNS Server - 10.0.0.246
1. Log in to the appliance with an SSH client or by using the Console port and enter configuration mode:
admin@WF-500> configure
2. Set the IP information:
admin@WF-500# set deviceconfig system ip-address 10.10.0.5 netmask 255.255.252.0 default-gateway 10.10.0.1 dns-setting servers primary 10.0.0.246
Configure a secondary DNS server by replacing primary with secondary in the above command, excluding
the other IP parameters. For example:
admin@WF-500# set deviceconfig system dns-setting servers secondary 10.0.0.247
3. Set the hostname (wildfire-corp1 in this example):
admin@WF-500# set deviceconfig system hostname wildfire-corp1
4. Commit the configuration to activate the new management (MGT) port configuration:
admin@WF-500# commit
5. Connect the MGT interface port to a network switch.
6. Put the management PC back on your corporate network, or whatever network is required to access the
appliance on the management network.
7. From your management computer, use an SSH client to connect to the new IP address or hostname
assigned to the MGT port on the appliance. In this example, the IP address is 10.10.0.5.
Step 5 (Optional) Configure additional user accounts for managing the WildFire appliance. You can assign
two role types: superuser and superreader. Superuser is equivalent to the admin account, and superreader
only has read access.
In this example, you will create a superreader account for the user bsimpson:
1. Enter configuration mode:
admin@WF-500> configure
2. Create the user account:
admin@WF-500# set mgt-config users bsimpson <password>
3. Enter and confirm a new password.
4. Assign the superreader role:
admin@WF-500# set mgt-config users bsimpson permissions role-based superreader yes
Step 6 (Optional) Configure RADIUS authentication for administrator access. The following steps
summarize how to configure RADIUS on the appliance.
1. Create a RADIUS profile using the following options:
admin@WF-500# set shared server-profile radius <profile-name>
(Configure the RADIUS server and other attributes.)
2. Create an authentication profile:
admin@WF-500# set shared authentication-profile <profile-name> method radius server-profile <server-profile-name>
3. Assign the profile to a local admin account:
admin@WF-500# set mgt-config users <username> authentication-profile <authentication-profile-name>
Step 7 Activate the appliance with the WildFire authorization code that you received from Palo Alto Networks.
The WF-500 appliance will function without an auth-code, but it cannot retrieve software updates without a valid auth-code.
1. Change to operational mode:
admin@WF-500# exit
2. Fetch and install the WildFire license:
admin@WF-500> request license fetch auth-code <auth-code>
3. Verify the license:
admin@WF-500> request support check
Information about the support site and the support contract date is displayed. Confirm that the date displayed is valid.
Step 8 Set the current date/time and time zone.
1. Set the date and time:
admin@WF-500> set clock date <YY/MM/DD> time <hh:mm:ss>
2. Enter configuration mode:
admin@WF-500> configure
3. Set the local time zone:
admin@WF-500# set deviceconfig system timezone <timezone>
The time stamp on the WildFire detailed report uses the time zone set on the appliance. If administrators in several regions will view reports, consider setting the time zone to UTC.
Step 9 (Optional) Configure cloud intelligence to enable the WildFire appliance to forward files that contain malware to the Palo Alto Networks WildFire cloud. The WildFire cloud re-analyzes the sample, generates a signature if the sample is malware, and adds the signature to the WildFire signature updates. You can instead choose to submit only the WildFire reports on malware; in this case Palo Alto Networks uses the reports for statistical purposes.
Cloud intelligence is disabled by default. Note that submit-sample sends the malicious file itself, not just the analysis report, to Palo Alto Networks; if your data-handling rules do not permit that, use submit-report only.
1. To enable cloud intelligence (sample submission), run the command:
admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
2. To send only WildFire reports for malware:
admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
If submit-sample is enabled, there is no need to enable submit-report because the WildFire cloud re-analyzes the sample and generates a new report. If the sample is malicious, the cloud generates a signature.
3. Confirm the setting by running the following command (in operational mode) and refer to the Submit sample and Submit report fields:
admin@WF-500> show wildfire status
Step 10 (Optional) Enable benign file logging on the firewall. This is a good way to confirm that the firewall is forwarding files to WildFire without having to download real malware: the Data Filtering log will then contain the results of the WildFire analysis even when the verdict is benign. To download sample malware for testing, see Malware Test Samples.
This option is disabled by default.
1. Select Device > Setup > WildFire and edit General Settings.
2. Select the Report Benign Files check box and click OK to save.
You can also enable benign logging from the firewall CLI:
admin@PA-200# set deviceconfig setting wildfire report-benign-file yes
Step 11 Set a password for the portal admin account. This account is used when accessing WildFire reports from a firewall. The default username and password is admin/admin, so change it before firewalls are pointed at the appliance.
The portal admin account is the only account that can be used for viewing reports from the logs. Only the password can be changed for this account, and additional accounts cannot be created for this purpose. This is not the same admin account used to manage the appliance. You can also use the WildFire API to retrieve logs, but in that case you use an API key generated on the WF-500 appliance. See Use the WildFire API on a WF-500 Appliance.
1. To change the WildFire portal admin account password:
admin@WF-500> set wildfire portal-admin password
2. Press Enter, then type and confirm the new password.
Step 12 Choose the virtual machine image that the appliance will use for file analysis. Choose the image whose attributes best represent the software installed on your end-user computers. Each virtual image contains different versions of operating systems and software, such as Windows XP or Windows 7 (32-bit or 64-bit) and specific versions of Adobe Reader and Flash. Although you configure the appliance to use one virtual machine image, the appliance runs multiple instances of that image to improve performance.
To view the list of available virtual machine images and determine which one best represents your environment:
admin@WF-500> show wildfire vm-images
To view the current virtual machine image, run the following command and refer to the Selected VM field:
admin@WF-500> show wildfire status
To select the image that the appliance will use for analysis:
admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
For example, to use vm-1:
admin@WF-500# set deviceconfig setting wildfire active-vm vm-1
Where to Go Next:
Verify the WF-500 Appliance Configuration
Forward Files to a WF-500 Appliance
Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support
Set Up the VM Interface on the WF-500 Appliance
Verify the WF-500 Appliance Configuration
This topic describes how to verify the configuration of the WildFire appliance to ensure that it is ready to receive files from a Palo Alto Networks firewall. For more details on the CLI commands referenced in this workflow, see WildFire Appliance Software CLI Reference.
Step 1 Verify that the appliance is registered and the license is activated.
1. Start an SSH session and connect to the MGT port on the appliance.
2. View the current support information:
admin@WF-500> request support check
This displays information about the support site and contract. Confirm that the contract date is valid.
3. Run the following command to check connectivity between the appliance and the WildFire cloud (needed to forward files to the cloud):
admin@WF-500> test wildfire registration
The following output indicates that the appliance is registered with one of the Palo Alto Networks WildFire cloud servers:
Test wildfire
wildfire registration: successful
download server list: successful
select the best server: cs-s1.wildfire.paloaltonetworks.com
Step 2 Check the WildFire server status on the appliance.
1. Display WildFire status:
admin@WF-500> show wildfire status
Connection info:
Wildfire cloud: wildfire.paloaltonetworks.com
Status: Idle
Submit sample: enabled
Submit report: disabled
Selected VM: vm-5
VM internet connection: disabled
VM network using Tor: disabled
Best server: s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 10.3.4.99
Signature verification: enable
Server selection: enable
Through a proxy: no
In the example output, status Idle indicates that the appliance is ready to receive files. Submit sample is enabled, which means the appliance will forward detected malware files to the WildFire cloud. Device registered shows yes, which means the appliance is registered with the WildFire cloud system. The appliance is also configured to use the vm-5 sandbox for sample analysis.
You must have a WildFire cloud server defined even if you are not forwarding samples to the cloud server. If no cloud server is defined, the Status field shows Disabled by cloud server.
2. After configuring your firewalls to forward files to the appliance as described in Forward Files to a WF-500 Appliance, you can verify the connectivity status of the firewalls from the appliance. To verify that the appliance is receiving files from the firewalls, and that it is sending files to the WildFire cloud for signature generation (if cloud intelligence is enabled), enter:
admin@WF-500> show wildfire statistics days 7
Last one hour statistics:
Total sessions submitted : 0
Samples submitted : 0
analyzed : 0
pending : 0
malicious : 0
benign : 0
error : 0
Uploaded : 0
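The two outputs above are what an operator checks by eye after every change. The following Python script is an added example, not part of this guide or of PAN-OS: it parses constructed copies of both outputs and applies the conditions the guide describes (Status must be Idle, a cloud server must be defined, Device registered must be yes, submit-report is redundant when submit-sample is on, zero samples submitted means no firewall is forwarding yet). The sample text is constructed from the fields shown above and is assumed to be printed as key: value lines; the reading of the Uploaded counter as samples sent to the cloud is an assumption. The same status check works on the firewall's own show wildfire status output, which adds a Valid wildfire license field.

```python
"""Readiness check for a WF-500 appliance from the text of
'show wildfire status' and 'show wildfire statistics'.

Added example, not part of the Palo Alto Networks guide or of PAN-OS.
The sample outputs are constructed from the fields shown in this guide;
the appliance is assumed to print them as 'key: value' lines.
"""
import re

# Constructed sample: the appliance-side 'show wildfire status' output from
# this guide, with wrapped values rejoined onto one line.
STATUS_OK = """\
Connection info:
  Wildfire cloud:            wildfire.paloaltonetworks.com
  Status:                    Idle
  Submit sample:             enabled
  Submit report:             disabled
  Selected VM:               vm-5
  VM internet connection:    disabled
  VM network using Tor:      disabled
  Best server:               s1.wildfire.paloaltonetworks.com
  Device registered:         yes
  Service route IP address:  10.3.4.99
  Signature verification:    enable
  Server selection:          enable
  Through a proxy:           no
"""

# Constructed sample: the same appliance with no WildFire cloud server defined
# (the guide says the Status field then reads 'Disabled by cloud server').
STATUS_NO_CLOUD = re.sub(r"Status:\s+Idle", "Status: Disabled by cloud server",
                         STATUS_OK)

# Constructed samples of 'show wildfire statistics days 7': the all-zero
# output from this guide, and a busy appliance with one analysis error.
STATS_IDLE = """\
Last one hour statistics:
  Total sessions submitted : 0
  Samples submitted        : 0
      analyzed             : 0
      pending              : 0
      malicious            : 0
      benign               : 0
      error                : 0
  Uploaded                 : 0
"""
STATS_BUSY = """\
Last one hour statistics:
  Total sessions submitted : 12
  Samples submitted        : 10
      analyzed             : 9
      pending              : 0
      malicious            : 2
      benign               : 7
      error                : 1
  Uploaded                 : 2
"""


def parse_fields(text):
    """Turn 'key: value' lines (any indentation) into a dict. Section headers
    such as 'Connection info:' carry no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)
        if m and m.group(2).strip():
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_status(status_text):
    """Findings for 'show wildfire status', encoding what the guide says to
    look for; an empty list means the device is ready to forward/receive files."""
    f = parse_fields(status_text)
    findings = []
    status = f.get("Status", "")
    if status != "Idle":
        findings.append("status is %r, not Idle" % status)
    if status.startswith("Disabled by cloud server"):
        findings.append("no WildFire cloud server defined; one is required even "
                        "when samples are not forwarded to the cloud")
    if f.get("Device registered") != "yes":
        findings.append("device is not registered with the WildFire server")
    if f.get("Submit sample") == "enabled" and f.get("Submit report") == "enabled":
        findings.append("submit-report is redundant while submit-sample is enabled")
    # Only present in the firewall's version of the output.
    if "Valid wildfire license" in f and f["Valid wildfire license"] != "yes":
        findings.append("firewall has no valid WildFire license")
    return findings


def check_statistics(stats_text):
    """Findings for 'show wildfire statistics': no samples at all means no
    firewall is forwarding yet; otherwise report errors and (assuming the
    Uploaded counter is the number of samples sent to the cloud) malware
    that was never uploaded."""
    f = {k: int(v) for k, v in parse_fields(stats_text).items()}
    total = f.get("Samples submitted", 0)
    if total == 0:
        return ["no samples submitted: check firewall registration and forwarding"]
    findings = []
    if f.get("error", 0):
        findings.append("%d of %d samples ended in error" % (f["error"], total))
    if f.get("malicious", 0) and not f.get("Uploaded", 0):
        findings.append("malicious samples seen but none uploaded to the cloud "
                        "(cloud intelligence may be disabled)")
    return findings


if __name__ == "__main__":
    for label, text in (("ok", STATUS_OK), ("no cloud", STATUS_NO_CLOUD)):
        print(label, check_status(text) or "ready")
    print(check_statistics(STATS_IDLE))
    print(check_statistics(STATS_BUSY))
```

Feed it the real output captured over SSH and run it after each firewall is added; an empty finding list from both functions is the state the guide describes as ready.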
Step 3 Verify that firewalls configured to forward files to the appliance have successfully registered with the WildFire appliance.
1. Display a list of firewalls that have registered with the appliance:
admin@WF-500> show wildfire last-device-registration all
The output includes the following information for each firewall that is registered with the appliance: firewall serial number, date registered, IP address, software version, hardware model, and status. If no firewalls are listed, there may be network connectivity issues between the firewalls and the appliance. Check the network to confirm that the firewalls and the WildFire appliance can communicate.
You can use ping tests from the appliance to the gateway address, or to one of the firewalls that you configured to forward files to the appliance. For example, if the IP address of the firewall is 10.0.5.254, you will see replies when running the following CLI command from the appliance:
admin@WF-500> ping host 10.0.5.254
To verify the WildFire configuration on the firewalls that are forwarding to the appliance, see Verify Forwarding to a WF-500 Appliance.
Set Up the VM Interface on the WF-500 Appliance
The VM interface (labeled 1 on the back of the appliance) is used by WildFire to improve malware detection capabilities. The interface allows a file sample running on the WildFire virtual machines to communicate with the Internet and enables WildFire to better analyze the behavior of the sample to determine whether it exhibits characteristics of malware.
While it is recommended that you enable the VM interface, it is very important that you do not connect the interface to a network that allows access to any of your servers/hosts, because malware that runs in the WildFire virtual machines could use this interface to propagate itself.
This connection can be a dedicated DSL line or a network connection that only allows direct access from the VM interface to the Internet and restricts any access to internal servers/client hosts.
The following illustration shows two options for connecting the VM interface to the network.
Option 2: Use a dedicated Internet provider connection, such as a DSL line, to connect the VM interface to the Internet. Ensure that there is no access from this connection to internal servers/hosts. Although this is a simple solution, traffic generated by the malware out the VM interface will not be logged unless you place a firewall or a traffic monitoring tool between the WildFire appliance and the DSL connection.
This section describes the steps required to configure the VM interface on the WildFire appliance using the Option 1 configuration detailed in the Virtual Machine Interface Example. After configuring the VM interface using this option, you must also configure an interface on a Palo Alto Networks firewall through which traffic from the VM interface is routed, as described in Configure the Firewall to Control Traffic for the WF-500 VM Interface.
By default, the VM interface has the following settings:
IP Address: 192.168.2.1
Netmask: 255.255.255.0
DNS: 192.168.2.254
If you plan on enabling this interface, configure it with the appropriate settings for your network. If you do not plan on using this interface, leave the default settings. Note that this interface must have network values configured or a commit failure will occur.
Step 3 Test connectivity of the VM interface.
Ping a system and specify the VM interface as the source. For example, if the VM interface IP address is 10.16.0.20, run the following command, where ip-or-hostname is the IP address or hostname of a server/network that has ping enabled:
admin@WF-500> ping source 10.16.0.20 host ip-or-hostname
For example:
admin@WF-500> ping source 10.16.0.20 host 10.16.0.1
Step 4 (Optional) Enable the Tor network. When this option is enabled, any malicious traffic that the malware generates to the Internet is sent through the Tor network. Tor masks your public-facing IP address, so the owners of the malicious site cannot determine the source of the traffic. It does not restrict what the sample can reach, so the isolation described above still applies.
1. Enable the Tor network:
admin@WF-500# set deviceconfig setting wildfire vm-network-use-tor
2. Commit the configuration:
admin@WF-500# commit
Step 5 Continue to the next section to configure the firewall interface that you will use to connect the VM interface on the appliance. See Configure the Firewall to Control Traffic for the WF-500 VM Interface.
Configure the Firewall to Control Traffic for the WF-500 VM Interface
The following example workflow describes how to connect the VM interface to a port on a Palo Alto Networks firewall. Before connecting the VM interface to the firewall, the firewall must already have an Untrust zone connected to the Internet. In this example, you configure a new zone named wf-vm-zone that contains only the interface used to connect the VM interface on the appliance to the firewall. The policy associated with the wf-vm-zone will only allow communication from the VM interface to the Untrust zone.
Step 1 Configure the interface on the firewall that the VM interface will connect to and set the virtual router.
The wf-vm-zone should only contain the interface (ethernet1/3 in this example) used to connect the VM interface on the appliance to the firewall. This prevents traffic generated by the malware from reaching other networks.
1. From the web interface on the firewall, select Network > Interfaces and then select an interface, for example Ethernet1/3.
2. In the Interface Type drop-down, select Layer3.
3. On the Config tab, from the Security Zone drop-down box, select New Zone.
4. In the Zone dialog Name field, enter wf-vm-zone and click OK.
5. In the Virtual Router drop-down box, select default.
6. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.16.0.1/22. This address is the default gateway for the VM interface on the appliance (10.16.0.20 in the earlier example), so it must be a host address within the VM interface subnet, not the network address.
7. To save the interface configuration, click OK.
Step 2 Create a security policy on the firewall to allow access from the VM interface to the Internet and block all incoming traffic. In this example, the policy name is WildFire VM Interface. Because you will not create a security policy from the Untrust zone to the wf-vm-zone, all inbound traffic is blocked by default.
1. Select Policies > Security and click Add.
2. In the General tab, enter a Name.
3. In the Source tab, set the Source Zone to wf-vm-zone.
4. In the Destination tab, set the Destination Zone to Untrust.
5. In the Application and Service/URL Category tabs, leave the default as Any.
6. In the Actions tab, set the Action Setting to Allow.
7. Under Log Setting, select the Log at Session End check box.
If there are concerns that someone might inadvertently add other interfaces to the wf-vm-zone, clone the WildFire VM Interface security policy, change the Destination Zone of the clone to wf-vm-zone, and in its Actions tab select Deny. Make sure this new security policy is listed below the WildFire VM Interface policy. This overrides the implicit intra-zone allow rule that permits communication between interfaces in the same zone and denies all intra-zone communication.
Step 3 Connect the cables. Physically connect the VM interface on the WildFire appliance to the port you configured on the firewall (Ethernet1/3 in this example) using a straight-through RJ-45 cable. The VM interface is labeled 1 on the back of the appliance.
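The isolation this policy is meant to provide can be checked mechanically rather than by reading the rulebase. The following Python script is an added example, not part of this guide or of PAN-OS: it takes a constructed, simplified representation of the firewall's zones and rulebase (plain Python dicts, not a PAN-OS configuration export) and reports every way sandbox traffic could reach something other than Untrust: more than one interface in wf-vm-zone, an allow rule from wf-vm-zone to any other zone, an allow rule into wf-vm-zone, a missing or mis-ordered intra-zone deny, or an allow rule that does not log at session end.

```python
"""Check that a firewall zone and rulebase isolate the WF-500 VM interface
the way this guide describes: the zone holds exactly one interface, traffic
may only go from wf-vm-zone to Untrust, nothing is allowed back in, and an
explicit intra-zone deny sits below the allow rule.

Added example, not part of the guide or of PAN-OS. The zone map and rulebase
are a constructed Python representation, not a PAN-OS export format.
"""


def check_vm_zone(zones, rules, vm_zone="wf-vm-zone", untrust="Untrust"):
    """Return a list of policy problems; an empty list means the isolation
    invariants hold. zones: {zone_name: [interfaces]}; rules: ordered list of
    dicts with 'name', 'from', 'to', 'action' ('allow'/'deny') and 'log_end'."""
    problems = []
    ifaces = zones.get(vm_zone, [])
    if len(ifaces) != 1:
        problems.append("%s should contain exactly one interface, has %d"
                        % (vm_zone, len(ifaces)))

    allow_idx = deny_idx = None
    for i, r in enumerate(rules):
        src, dst, act = r["from"], r["to"], r["action"]
        if src == vm_zone and dst == untrust and act == "allow":
            if allow_idx is None:
                allow_idx = i
            if not r.get("log_end"):
                problems.append("rule %r does not log at session end" % r["name"])
        elif src == vm_zone and act == "allow":
            # Any other destination (including the zone itself) lets the
            # sandbox reach internal hosts.
            problems.append("rule %r allows %s to %s" % (r["name"], vm_zone, dst))
        elif dst == vm_zone and act == "allow":
            # An inbound allow defeats the 'blocked by default' design.
            problems.append("rule %r allows inbound traffic from %s into %s"
                            % (r["name"], src, vm_zone))
        if src == vm_zone and dst == vm_zone and act == "deny":
            deny_idx = i

    if allow_idx is None:
        problems.append("no allow rule from %s to %s" % (vm_zone, untrust))
    if deny_idx is None:
        problems.append("no explicit intra-zone deny for %s (implicit intra-zone "
                        "allow applies)" % vm_zone)
    elif allow_idx is not None and deny_idx < allow_idx:
        problems.append("intra-zone deny is above the allow rule")
    return problems


# Constructed sample matching the guide's example: ethernet1/3 alone in
# wf-vm-zone, one allow rule to Untrust, an intra-zone deny below it.
ZONES_OK = {"wf-vm-zone": ["ethernet1/3"], "Untrust": ["ethernet1/1"],
            "Trust": ["ethernet1/2"]}
RULES_OK = [
    {"name": "WildFire VM Interface", "from": "wf-vm-zone", "to": "Untrust",
     "action": "allow", "log_end": True},
    {"name": "WildFire VM Interface intrazone deny", "from": "wf-vm-zone",
     "to": "wf-vm-zone", "action": "deny", "log_end": True},
    {"name": "Trust to Untrust", "from": "Trust", "to": "Untrust",
     "action": "allow", "log_end": True},
]

# Constructed mistakes: a second interface in the zone and a rule that lets
# the sandbox reach the Trust zone.
ZONES_BAD = {"wf-vm-zone": ["ethernet1/3", "ethernet1/4"],
             "Untrust": ["ethernet1/1"], "Trust": ["ethernet1/2"]}
RULES_BAD = RULES_OK + [
    {"name": "oops", "from": "wf-vm-zone", "to": "Trust",
     "action": "allow", "log_end": True},
]

if __name__ == "__main__":
    print(check_vm_zone(ZONES_OK, RULES_OK))
    print(check_vm_zone(ZONES_BAD, RULES_BAD))
```

To use it against a real firewall, populate the two structures from the running configuration (zone membership and the security rulebase in order); the checks are order-sensitive because PAN-OS evaluates security rules top-down.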
Step 1 Verify connectivity from the appliance to the update server and identify the content update to install.
1. Log in to the WildFire appliance and run the following command to display the current content version:
admin@wf-500> show system info | match wf-content-version
2. Confirm that the appliance can communicate with the Palo Alto Networks Update Server and view available updates:
admin@wf-500> request wf-content upgrade check
The command queries the Palo Alto Networks Update Server, lists the available updates, and identifies the version that is currently installed on the appliance:
Version Size Released on Downloaded Installed
---------------------------------------------------------
2-253 57MB 2014/09/20 20:00:08 PDT no no
2-39 44MB 2014/02/12 14:04:27 PST yes current
If the appliance cannot connect to the update server, you will need to allow connectivity from the appliance to the Palo Alto Networks Update Server, or download and install the update using SCP as described in Install Content Updates from an SCP-Enabled Server.
Step 2 Download and install the latest content update.
1. Download the latest content update:
admin@wf-500> request wf-content upgrade download latest
2. View the status of the download:
admin@wf-500> show jobs all
You can run show jobs pending to view pending jobs. The following output shows that the download (job ID 5) has finished (Status FIN):
Enqueued ID Type Status Result Completed
---------------------------------------------------------
2014/04/22 03:42:20 5 Downld FIN OK 03:42:23
3. After the download is complete, install the update:
admin@wf-500> request wf-content upgrade install version latest
Run the show jobs all command again to monitor the status of the install.
Step 3 Verify the content update. Run the following command and refer to the wf-content-version field:
admin@wf-500> show system info
The following shows example output with content update version 2-253 installed:
admin@wf-500> show system info
hostname: wf-500
ip-address: 10.5.164.245
netmask: 255.255.255.0
default-gateway: 10.5.164.1
mac-address: 00:25:90:c3:ed:56
vm-interface-ip-address: 192.168.2.2
vm-interface-netmask: 255.255.255.0
vm-interface-default-gateway: 192.168.2.1
vm-interface-dns-server: 192.168.2.1
time: Mon Apr 21 09:59:07 2014
uptime: 17 days, 23:19:16
family: m
model: WF-500
serial: abcd3333
sw-version: 6.1.0
wf-content-version: 2-253
wfm-release-date: 2014/08/20 20:00:08
logdb-version: 6.1.2
platform-family: m
Step 4 (Optional) Schedule content updates so that the appliance installs the latest updates at a set interval. You can configure the appliance to check daily or weekly and either download only or download and install the updates.
1. Schedule the appliance to download and install content updates:
admin@WF-500# set deviceconfig system update-schedule wf-content recurring [daily | weekly] action [download-and-install | download-only]
For example, to download and install updates daily at 8:00 am:
admin@WF-500# set deviceconfig system update-schedule wf-content recurring daily action download-and-install at 08:00
2. Commit the configuration:
admin@WF-500# commit
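If you script the version check from Step 1 (for instance to alert when an appliance falls behind), compare release numbers numerically: as strings, 2-39 sorts after 2-253. The following Python script is an added example, not part of this guide or of PAN-OS; it parses a constructed copy of the request wf-content upgrade check table shown above and reports whether the installed release is the latest one listed. The whitespace-separated column layout is assumed to match that sample.

```python
"""Decide from the text of 'request wf-content upgrade check' whether a WF-500
appliance is on the latest content release.

Added example, not part of the guide or of PAN-OS. The table is constructed
from the guide's sample; columns are assumed to be whitespace-separated in
the order Version, Size, Released on, Downloaded, Installed.
"""
import re

# Constructed sample in the layout the guide shows.
CHECK_OUTPUT = """\
Version   Size   Released on                 Downloaded   Installed
---------------------------------------------------------------------
2-253     57MB   2014/09/20 20:00:08 PDT     no           no
2-39      44MB   2014/02/12 14:04:27 PST     yes          current
"""


def version_key(version):
    """'2-253' -> (2, 253). Numeric comparison matters: as strings,
    '2-39' sorts after '2-253'."""
    return tuple(int(part) for part in version.split("-"))


def parse_check(text):
    """Return a list of (version, downloaded, installed) rows; header and
    separator lines do not start with a version and are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+-\d+)\s+\S+\s+.*?\s+(yes|no)\s+(\S+)\s*$", line)
        if m:
            rows.append((m.group(1), m.group(2) == "yes", m.group(3)))
    return rows


def update_status(text):
    """Return (installed_version, latest_version, update_needed). The row
    whose Installed column reads 'current' is the installed release."""
    rows = parse_check(text)
    installed = next((v for v, _, inst in rows if inst == "current"), None)
    latest = max((v for v, _, _ in rows), key=version_key)
    needed = installed is None or version_key(latest) > version_key(installed)
    return installed, latest, needed


if __name__ == "__main__":
    print(update_status(CHECK_OUTPUT))
```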
Install Content Updates from an SCP-Enabled Server
The following procedure describes how to install content updates on a WildFire appliance that does not have direct connectivity to the Palo Alto Networks Update Server. You will need a Secure Copy (SCP)-enabled server that will temporarily store the content update.
Step 1 Retrieve the content update file from the update server.
1. Log in to the Palo Alto Networks Support site and click Dynamic Updates.
2. In the WildFire Appliance section, locate the latest WF-500 appliance content update and download it.
3. Copy the content update file to an SCP-enabled server and note the file name and directory path.
Step 2 Install the content update on the WildFire appliance.
1. Log in to the WF-500 appliance and download the content update file from the SCP server:
admin@WF-500> scp import wf-content from username@host:path
For example:
admin@WF-500> scp import wf-content from bart@10.10.10.5:c:/updates/panup-all-wfmeta-2-253.tgz
If your SCP server is running on a non-standard port or if you need to specify the source IP, you can also define those options in the scp import command.
2. Install the update:
admin@WF-500> request wf-content upgrade install file panup-all-wfmeta-2-253.tgz
View the status of the install:
admin@WF-500> show jobs all
Forward Files to a WF-500 Appliance
Perform the following steps on each firewall that will forward samples to the WildFire appliance.
If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle allows the necessary ports:
WildFire cloud: uses port 443 for registration and file submissions.
WildFire appliance: uses port 443 for registration and 10443 for file submissions.
Step 1 Verify that the firewall has a WildFire subscription and that dynamic updates are scheduled and up to date. See Best Practices for Keeping Signatures up to Date for recommended settings.
1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions installed.
2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates. If you are using a WildFire appliance that has Signature/URL generation enabled, check those updates as well.
3. Confirm and update the dynamic updates as needed. Stagger the update schedules because the firewall can only perform one update at a time.
Step 2 Define the WildFire server that the firewall will forward files to for analysis.
1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. In the WildFire Server field, enter the IP address or FQDN of the WF-500 appliance.
Step 3 Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.
If you choose PE in the File Types column of the profile to select a category of file types, do not also add an individual file type that is part of that category, because this results in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because supported file types that are zipped are automatically sent to WildFire. If you want to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice.
Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, the new types automatically become part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire.
1. Select Objects > Security Profiles > File Blocking.
2. Click Add to add a new profile and enter a Name and Description.
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
4. Select the Applications that will match this profile. For example, selecting web-browsing as the application causes the profile to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire.
6. In the Direction field, select upload, download, or both. Selecting both triggers forwarding whenever a user attempts to upload or download a file.
7. Define an Action as follows (choose Forward for this example):
Forward: The firewall automatically forwards any file matching this profile to WildFire for analysis, in addition to delivering the file to the user.
Continue-and-forward: The user is prompted and must click Continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
8. Click OK to save.
Step 4 (Optional) If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic from your users).
1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
2. Select the Response Pages check box.
3. Click OK to save the profile.
4. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is your ingress interface.
5. Click the Advanced tab and, from the Interface Mgmt profile drop-down menu, select the profile that has the response page option enabled.
6. Click OK to save.
Step 5 Enable forwarding of decrypted content. To forward SSL-encrypted files to WildFire, the firewall must have a decryption policy and must have forwarding of decrypted content enabled. Only a superuser can enable this option. Note that this sends the plaintext of files carried in decrypted SSL sessions to the WildFire server you configured; review it against your data-handling policy, particularly if that server is the WildFire cloud.
1. Select Device > Setup > Content-ID.
2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
3. Click OK to save the changes.
If you configured multiple virtual systems on the firewall, you must enable this option per VSYS. Select Device > Virtual Systems, click the virtual system you want to modify, and select the Allow Forwarding of Decrypted Content check box.
Step 6 Attach the file blocking profile to a security policy.
1. Select Policies > Security.
2. Click Add to create a new policy for the zones that you are applying WildFire forwarding to, or select an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down.
If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.
Step 7 (Optional) Modify the maximum file size that the firewall can upload to WildFire.
1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded.
Step 8 (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the PA-7050 and avoids overwhelming the MGT port.
The log card (LPC) uses this port directly, and the port acts as a log forwarding port for syslog, email, and SNMP. The firewall forwards the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files/email links to WildFire for analysis.
If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route.
The PA-7050 does not forward logs to Panorama. Panorama only queries the PA-7050 log card for log information.
1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that enables the firewall to reach your syslog servers and your email servers, so that the firewall can send logs and email alerts. The port also needs to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. No other configuration is needed; the PA-7050 firewall automatically uses this port as soon as it is activated.
Step 9 (Optional) Modify the session options that define what session information to record in WildFire analysis reports.
1. Click the Session Information Settings edit icon.
2. By default, all session information items are displayed in the reports. Clear the check boxes for any fields you want removed from the WildFire analysis reports.
3. Click OK to save the changes.
Verify Forwarding to a WF-500 Appliance
This topic describes the steps required to verify that the firewall is properly configured to forward samples to a WF-500 appliance. For information on a test file that you can use to verify the process, see Malware Test Samples.
Step 1 Check the WildFire and Threat Prevention subscriptions and WildFire registration.
The firewall must have a WildFire subscription to forward files to a WildFire appliance. See WildFire Subscription Requirements.
1. Select Device > Licenses and confirm that valid WildFire and Threat Prevention subscriptions are installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
2. Check that the firewall can communicate with a WildFire server for file forwarding:
admin@PA-200> test wildfire registration
In the following output, the firewall is pointing to a WildFire appliance. If the firewall is pointing to the WildFire cloud, it shows the hostname of one of the WildFire systems in the WildFire cloud.
Test wildfire
wildfire registration: successful
download server list: successful
select the best server: s1.wildfire.paloaltonetworks.com
Step 2 Confirm that the firewall is sending files to the correct WildFire server.
1. To determine where the firewall is forwarding files (WildFire cloud or WildFire appliance), select Device > Setup > WildFire.
2. Click the General Settings edit button. The U.S.-based WildFire server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If you configured the firewall to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed.
If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK; the field auto-populates with the default value for the WildFire cloud.
Step 3 Check the logs to verify that files are forwarded to WildFire.
1. Select Monitor > Logs > Data Filtering.
2. View the Action column to determine the forwarding results:
Forward: Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance.
Wildfire-upload-success: Indicates that the firewall forwarded the file to WildFire. This means that the file was not signed by a trusted signer and has not been previously analyzed by WildFire.
Wildfire-upload-skip: Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously.
View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning analysis reports.
Step 4 Verify the action setting in the file blocking profile.
1. Select Objects > Security Profiles > File Blocking and click the file blocking profile to modify it.
2. Confirm that the action is set to forward or continue-and-forward. If you set continue-and-forward, the firewall only forwards files from http/https traffic, because this is the only type of traffic that allows the firewall to serve a response page to the user.
Step 5 Check the security policy.
1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.
Step 6 Check the WildFire status on the firewall and confirm that the Status field is Idle and that Device registered and Valid wildfire license are both yes. The output also shows the allowed file size for each file type that the firewall will forward.
View WildFire status:
admin@PA-200> show wildfire status
The following output shows the IP address of the WF-500 appliance and a status of Idle, which means the appliance is ready to receive files:
Connection info:
Wildfire cloud: 10.3.4.99
Status: Idle
Best server: 10.3.4.99:10443
Device registered: yes
Valid wildfire license: yes
Service route IP address: 10.43.14.24
Signature verification: enable
Server selection: enable
Through a proxy: no
Forwarding info:
file idle time out (second): 90
total file forwarded: 13
file forwarded in last minute: 0
concurrent files: 0
Step 7 Check WildFire statistics to confirm that counters are incrementing.
The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files; check connectivity between the firewall and the WF-500 appliance, and verify that the file blocking profile on the firewall is configured correctly and attached to a security rule that allows file transfers. A non-zero FWD_ERR_CONN_FAIL counter in the Error counters section points at that connectivity.
admin@PA-200> show wildfire statistics
Packet based counters:
Total msg rcvd: 4548
Total bytes rcvd: 4337198
Total msg read: 4545
Total bytes read: 4227894
Total msg lost by read: 3
Total DROP_NO_MATCH_FILE 3
Total files received from DP: 86
Counters for file cancellation:
CANCEL_BY_DP 1
CANCEL_FILE_DUP 3
Counters for file forwarding:
file type: apk
file type: pdf
file type: email-link
file type: ms-office
file type: pe
FWD_CNT_LOCAL_FILE 2
FWD_CNT_REMOTE_FILE 2
file type: flash
FWD_CNT_LOCAL_FILE 80
FWD_CNT_LOCAL_DUP 3
FWD_CNT_REMOTE_FILE 43
FWD_CNT_REMOTE_DUP_CLEAN 22
FWD_CNT_REMOTE_DUP_MAL 15
file type: jar
file type: unknown
file type: pdns
Error counters:
FWD_ERR_CONN_FAIL 24
Reset counters:
DP receiver reset cnt: 2
File cache reset cnt: 2
Service connection reset cnt: 1
Log cache reset cnt: 2
Report cache reset cnt: 2
Resource meters:
data_buf_meter 0%
msg_buf_meter 0%
ctrl_msg_buf_meter 0%
Step 8  Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving WildFire signatures. See Best Practices for Keeping Signatures up to Date.
  1. Select Device > Dynamic Updates.
  2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item. Stagger the update schedules because the firewall can only perform one update at a time.
  3. Click Check Now at the bottom of the window to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com.
  If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates.
Step 9  Check the registration status and statistics for firewalls forwarding to a WF-500 appliance.
  See Verify the WF-500 Appliance Configuration.
Antivirus signatures: Detect and block malicious files. WildFire adds these signatures to WildFire and Antivirus content updates.
DNS signatures: Detect and block callback domains for command and control traffic associated with malware. WildFire adds these signatures to WildFire and Antivirus content updates.
URL Categorization: Categorizes callback domains as malware and updates the URL category in PAN-DB.
Firewalls must be running PAN-OS 6.1 or later to enable dynamic updates from a WF-500 appliance. In
addition, you must configure the firewalls to receive content updates from the WF-500 appliance, which can
occur as frequently as every five minutes. You can optionally send the malware sample file (or only the XML
report) to the WildFire cloud to enable signature generation for distribution through Palo Alto Networks
content releases.
When the local storage on the appliance is full, new signatures/URL categorizations will overwrite existing ones,
beginning with the oldest ones first.
The following topics describe how to enable signature/URL generation on the WF-500 appliance and how to
configure firewalls to retrieve content updates from the appliance:
Enable Signature/URL Generation on the WF-500 Appliance
Configure the Firewall to Retrieve Updates from a WF-500 Appliance
This workflow describes how to enable a WildFire appliance to generate antivirus signatures, DNS signatures,
and URL categorization updates (PAN-DB only) based on samples that the appliance receives from connected
firewalls and the WildFire XML API.
Step 1  Before configuring this feature, verify that the WF-500 appliance is configured to receive the latest content updates from Palo Alto Networks. The content updates will equip the appliance with the most up-to-date threat information for accurate malware detection and signature generation.
  Follow the procedure described in Manage Content Updates on the WF-500 Appliance.
Step 2  Enable signature/URL generation.
  1. Log in to the appliance and type configure to enter configuration mode.
  2. Enable all threat prevention options:
    admin@WF-500# set deviceconfig setting wildfire signature-generation av yes dns yes url yes
  3. Commit the configuration:
    admin@WF-500# commit
  To configure connected firewalls to retrieve updates from the appliance, see Configure the Firewall to Retrieve Updates from a WF-500 Appliance.
If you Enable Signature/URL Generation on the WF-500 Appliance, you can configure your firewalls to retrieve
regular content updates from the appliance. This ensures that your network is protected from threats that
WildFire detects in your local environment. As a best practice, you should configure your firewalls to retrieve
content updates from the Palo Alto Networks Update Servers and from the WildFire cloud. This will ensure
that your firewalls receive signatures based on threats detected worldwide, not just signatures generated by your
local WF-500 appliance.
The following workflow describes how to configure a Palo Alto Networks firewall to retrieve content updates
from a WildFire appliance.
Step 1  Launch the firewall web interface and go to the Dynamic Updates page.
  Select Device > Dynamic Updates.
Step 2  Check for the latest updates.
  1. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available:
    Download: Indicates that a new update file is available. Click the link to begin downloading the file directly to the firewall. After successful download, the link in the Action column changes from Download to Install.
  The following screen capture shows the new WF-Private section in Dynamic Updates. This is where you will download updates from the WF-500 appliance.
Step 3  Install the updates.
  Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.
Step 4  Schedule the update. To receive updates at the minimal interval, configure the firewall to download/install updates every five minutes. See Best Practices for Keeping Signatures up to Date.
  1. Click None to the right of Schedule if no schedule is configured. If a schedule exists and you would like to modify it, click the defined schedule.
  2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The WF-500 appliance updates are available Every 5 minutes (best practice), Every 15 minutes, Every 30 minutes, or Every Hour.
  3. Specify if the firewall will Download And Install the update (best practice) or Download Only.
  4. Specify how long after a content release to wait before performing a content update by entering the number of hours to wait in the Threshold (Hours) field. This provides added protection in the event that there are errors in a content release.
  5. Click OK to save the schedule settings.
  6. Click Commit to save the settings to the running configuration.
Upgrade the WF-500 appliance before upgrading the firewalls that are configured to forward
samples to it.
If you are upgrading to a 6.1 maintenance release, you do not have to install the Windows 7 64-bit
image. You only need to download the latest image update and then install.
The following workflow describes how to upgrade the WF-500 appliance and enable the Windows 7 64-bit
environment:
Step 1  Determine the upgrade path and download a base image file if needed.
  You cannot upgrade directly to the WildFire appliance operating system version 6.1 from version 5.1. Although you do not have to install version 6.0.0 (feature release), you must first download that image and then download and install version 6.1.0. All releases have the requirement to download the base image files to skip a feature release.
  1. Log in to the WF-500 appliance and view system information:
    admin@WF-500> show system info
  2. Check the sw-version: field to determine the installed version and proceed as follows:
    If version 6.0.0 or later is installed, continue to Step 2.
    If a version prior to 6.0.0 is installed, continue with the steps in this section.
  3. Download the 6.0.0 base image:
    admin@WF-500> request system software download version 6.0.0
  4. Check the status of the download:
    admin@WF-500> show jobs all
  5. After the download completes, continue to Step 2.
Step 2  Download the required WildFire files to prepare for the 6.1.0 upgrade. In this case, you will need the WildFire operating system 6.1.0 image file, the Windows 7 64-bit base image, and the Windows 7 64-bit add-on image.
  1. Check the Update Server for the available WildFire operating system software versions:
    admin@WF-500> request system software check
  In this case, look for version 6.1.0. The Downloaded column indicates whether the image has been downloaded to the appliance. If the image is already downloaded you can proceed. If the image is not downloaded, run the following command:
    admin@WF-500> request system software download version 6.1.0
  2. To download the Windows 7 64-bit images, go to the Palo Alto Networks Support site, click Software Updates and in the WF-500 Guest VM Images section locate and download the latest Windows 7 64-bit base image and the Windows 7 64-bit Add-on image.
  The VM files can be as large as 4GB, so ensure that your Secure Copy (SCP) enabled server software supports file transfers over 4GB and verify that there is enough free space to temporarily store the files.
  The file names are similar to the following:
    Base Image: WFWin7_64Base_m-1.0.0_64base
    Add-on Image: WFWin7_64Addon1_m-1.0.0_64addon
  3. Move the files to your SCP-enabled server and note the file name and directory path.
Step 3  Download the VM images to the WF-500 appliance.
  1. Download the base image file from the SCP-enabled server:
    admin@WF-500> scp import wildfire-vm-image from username@host:path
  For example:
    admin@WF-500> scp import wildfire-vm-image from bart@10.43.15.41:c:/scp/WFWin7_64Base_m-1.0.0_64base
  The SCP path following the IP or hostname varies depending on the SCP software that you are using. For Windows, the path is c:/folder/filename or //folder/filename; for Unix/Mac systems, the path is /folder/filename or //folder/filename.
  2. Download the add-on image:
    admin@WF-500> scp import wildfire-vm-image from username@host:path
  For example:
    admin@WF-500> scp import wildfire-vm-image from bart@10.43.15.41:c:/scp/WFWin7_64Base_m-1.0.0_64addon1
Step 4  Install the Windows 7 64-bit VM images.
  1. Install the Windows 7 64-bit base image:
    admin@WF-500> request system wildfire-vm-image upgrade install WFWin7_64Base_m-1.0.0_64base
  2. Install the Windows 7 64-bit Add-on image:
    admin@WF-500> request system wildfire-vm-image upgrade install WFWin7_64Base_m-1.0.0_64addon1
Step 5  Install the 6.1 operating system image file.
  Install the WF-500 appliance operating system image that you downloaded previously:
    admin@WF-500> request system software install version 6.1.0
Step 6  Restart the appliance and confirm that the installation was successful.
  1. Confirm that the upgrade has completed by running the following command and looking for the job type Install and status FIN:
    admin@WF-500> show jobs all
Step 7  (Optional) Enable the Windows 7 64-bit sandbox environment.
  1. View the active virtual machine image by running the following command and refer to the Selected VM field:
    admin@WF-500> show wildfire status
  2. View a list of available virtual machine images:
    admin@WF-500> show wildfire vm-images
  The following output shows that vm-5 is the Windows 7 64-bit image:
    vm-5
    Windows 7 64bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010 and earlier
  3. Select the image to be used for analysis:
    admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
  For example, to use vm-5, run the following command:
    admin@WF-500# set deviceconfig setting wildfire active-vm vm-5
  4. Commit the configuration:
    admin@WF-500# commit
If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud
or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed.
WildFire cloud: Uses port 443 for registration and file submissions.
WildFire appliance: Uses port 443 for registration and 10443 for file submissions.
Perform the following steps on each firewall that will forward files to WildFire:
Step 1  Verify that the firewall has valid Threat Prevention and WildFire subscriptions and that dynamic updates are scheduled and up-to-date. See Best Practices for Keeping Signatures up to Date for recommended settings.
  Having a WildFire subscription provides many benefits, such as forwarding of advanced file types and receiving WildFire signatures within 15 minutes. For details, see WildFire Subscription Requirements.
  1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions.
  2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates.
  3. If the updates are not scheduled, schedule them now. Stagger the update schedules because the firewall can only perform one update at a time.
Step 2  Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.
  If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category, because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because the firewall will automatically forward supported file types that are zipped. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice. Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, the new types are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire.
  1. Select Objects > Security Profiles > File Blocking.
  2. Click Add to add a new profile and enter a Name and Description.
  3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
  4. Select the Applications that will match this profile. For example, select web-browsing to match any application traffic identified as web-browsing.
  5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire or select PE to only forward Portable Executable files.
  6. In the Direction field, select upload, download, or both. The both option will trigger forwarding whenever a user attempts to upload or download a file.
  7. Define an Action as follows:
    Forward: The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user.
    Continue-and-forward: The user is prompted and must click continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
  8. Click OK to save.
Step 3  (Optional) Enable response pages to allow users to decide whether to forward a file.
  If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users).
  1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
  2. Click the Response Pages check box to enable it.
  3. Click OK to save the profile.
  4. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is the ingress interface.
  5. On the Advanced tab, select the Interface Mgmt profile that has the response page option enabled.
  6. Click OK to save.
Step 4  Enable forwarding of decrypted content. To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option.
  1. Select Device > Setup > Content-ID.
  2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
  3. Click OK to save the changes.
  If the firewall has multiple virtual systems, you must enable this option per VSYS. In this situation, select Device > Virtual Systems, click the virtual system to be modified and select the Allow Forwarding of Decrypted Content check box.
Step 5  Attach the file blocking profile to a security policy.
  1. Select Policies > Security.
  2. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy.
  3. On the Actions tab, select the File Blocking profile from the drop-down.
  If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.
Step 6  (Optional) Modify the maximum file size allowed for upload to WildFire.
  1. Select Device > Setup > WildFire.
  2. Click the General Settings edit icon.
  3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded.
Step 7  (Optional) Modify session options that define what session information to record in WildFire analysis reports.
  1. Click the Session Information Settings edit icon.
  2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove from the WildFire analysis reports.
  3. Click OK to save the changes.
Step 8  (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the PA-7050, to avoid overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email, and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files/email links to WildFire for analysis. If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route.
  The PA-7050 does not forward logs to Panorama. Panorama will query the PA-7050 log card for log information.
  1. Select Network > Interfaces and locate an available port on an NPC.
  2. Select the port and change the Interface Type to Log Card.
  3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your email servers, so that the firewall can send logs and email alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
  4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated.
Step 1  Check the WildFire and Threat Prevention subscriptions and WildFire registration.
  1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
  2. Check that the firewall can communicate with a WildFire server for file forwarding:
    admin@PA-200> test wildfire registration
  In the following output, the firewall is pointing to the WildFire cloud. If the firewall is pointing to a WildFire appliance, it will show the FQDN or IP address of the appliance.
    Test wildfire
      wildfire registration: successful
      download server list: successful
      select the best server: s1.wildfire.paloaltonetworks.com
Step 2  Confirm that the firewall is sending files to the correct WildFire system.
  1. To determine where the firewall is forwarding files (to the Palo Alto Networks WildFire cloud or to a WildFire appliance), select Device > Setup > WildFire.
  2. Click the General Settings edit button.
  The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If the firewall is configured to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed.
  If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK; the field will auto-populate with the default value for the WildFire cloud.
Step 3  Check the logs to verify that forwarding is working. For information on enabling email header details in logs, see Enable Email Header Information in WildFire Logs.
  1. Select Monitor > Logs > Data Filtering.
  2. View the Action column to determine the forwarding results:
    Forward: Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance.
    Wildfire-upload-success: Indicates that the firewall forwarded the file to WildFire. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.
    Wildfire-upload-skip: Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously.
  3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning file analysis results.
  For more information on WildFire-related logs, see WildFire Logs.
Step 4  Verify the action setting in the file blocking profile.
  1. Select Objects > Security Profiles > File Blocking and click the file blocking profile.
  2. Confirm that the action is set to forward or continue-and-forward. If you set the action to continue-and-forward, the firewall will only forward http/https traffic because this is the only type of traffic that allows the firewall to serve a response page to the user.
Step 5  Verify that the file blocking profile is in the correct security policy.
  1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
  2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.
Step 6  Check the WildFire server status on the appliance.
    admin@PA-200> show wildfire status
  When forwarding files to the WildFire cloud, the output should look similar to the following:
    Connection info:
      Wildfire cloud: public cloud
      Status: Idle
      Best server: s1.wildfire.paloaltonetworks.com
      Device registered: yes
      Valid wildfire license: yes
      Service route IP address: 192.168.2.1
      Signature verification: enable
      Server selection: enable
      Through a proxy: no
    Forwarding info:
      file size limit for pe (MB): 10
      file size limit for jar (MB): 1
      file size limit for apk (MB): 2
      file size limit for pdf (KB): 500
      file size limit for ms-office (KB): 10000
      file idle time out (second): 90
      total file forwarded: 1
      file forwarded in last minute: 0
      concurrent files: 0
Step 7  Check WildFire statistics to confirm that counters are incrementing.
  The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers.
    admin@PA-200> show wildfire statistics
    Packet based counters:
      Total msg rcvd: 12011
      Total bytes rcvd: 10975328
      Total msg read: 11963
      Total bytes read: 10647634
      Total msg lost by read: 48
      Total DROP_NO_MATCH_FILE 48
      file type: pe
    Error counters:
      LOG_ERR_REPORT_CACHE_NOMATCH 880
    Reset counters:
      DP receiver reset cnt: 2
      File cache reset cnt: 2
      Service connection reset cnt: 1
      Log cache reset cnt: 2
      Report cache reset cnt: 2
    Resource meters:
      data_buf_meter 0%
      msg_buf_meter 0%
      ctrl_msg_buf_meter 0%
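Steps 6 and 7 here, and the same two steps in the WF-500 troubleshooting workflow earlier, are manual checks over CLI output. The following Python script is an added example, not part of this guide or of Palo Alto Networks software: it applies those checks to saved output of both commands. The sample strings are constructed from the values shown in this guide, and the only field and counter names it recognises are the ones that appear in that output.

```python
"""Health check over `show wildfire status` and `show wildfire statistics` output.
Added example, not Palo Alto Networks code. It recognises only the field and
counter names reproduced in this guide's sample output."""
import re

# Constructed samples adapted from the Step 6 and Step 7 output in this guide
# (trimmed; not captured from a live firewall).
STATUS_SAMPLE = """\
Connection info:
  Wildfire cloud: 10.3.4.99
  Status: Idle
  Best server: 10.3.4.99:10443
  Device registered: yes
  Valid wildfire license: yes
Forwarding info:
  file size limit for pe (MB): 10
  file size limit for pdf (KB): 500
  total file forwarded: 13
"""

STATS_SAMPLE = """\
Counters for file forwarding:
  file type: pe
    FWD_CNT_LOCAL_FILE 2
    FWD_CNT_REMOTE_FILE 2
  file type: flash
    FWD_CNT_LOCAL_FILE 80
    FWD_CNT_REMOTE_FILE 43
  file type: jar
Error counters:
  FWD_ERR_CONN_FAIL 24
"""

SIZE_RE = re.compile(r"file size limit for (\S+) \((mb|kb)\)")


def parse_status(text):
    """Return {lower-case field: value} for each 'field: value' line; headers are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def size_limits_bytes(fields):
    """Map file type -> upload limit in bytes; the CLI mixes MB and KB units."""
    limits = {}
    for key, value in fields.items():
        m = SIZE_RE.match(key)
        if m:
            factor = 1024 * 1024 if m.group(2) == "mb" else 1024
            limits[m.group(1)] = int(value) * factor
    return limits


def parse_statistics(text):
    """Return (per_type, errors): FWD_CNT_* counters per file type and FWD_ERR_* totals.
    A file type listed without counters (like 'jar' above) maps to an empty dict."""
    per_type, errors, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("file type:"):
            current = line.split(":", 1)[1].strip()
            per_type.setdefault(current, {})
        elif line.startswith("FWD_CNT_") and current is not None:
            name, count = line.split()
            per_type[current][name] = int(count)
        elif line.startswith("FWD_ERR_"):
            name, count = line.split()
            errors[name] = int(count)
    return per_type, errors


def health_findings(fields, per_type, errors):
    """Apply the Step 6 and Step 7 checks; an empty list means forwarding looks healthy."""
    findings = []
    if fields.get("device registered") != "yes":
        findings.append("not registered with WildFire (run: test wildfire registration)")
    if fields.get("valid wildfire license") != "yes":
        findings.append("no valid WildFire license (check Device > Licenses)")
    if fields.get("status", "").lower() != "idle":
        findings.append("status is %r, expected Idle" % fields.get("status"))
    if sum(sum(c.values()) for c in per_type.values()) == 0:
        findings.append("all forwarding counters are 0: check connectivity, "
                        "the file blocking profile and the security rule")
    conn_fail = errors.get("FWD_ERR_CONN_FAIL", 0)
    if conn_fail:
        findings.append("FWD_ERR_CONN_FAIL=%d against %s: check the path to WildFire"
                        % (conn_fail, fields.get("best server", "unknown server")))
    return findings


def check(status_text, stats_text):
    """Parse both outputs; return size limits, per-type counters, errors and findings."""
    fields = parse_status(status_text)
    per_type, errors = parse_statistics(stats_text)
    return {"limits": size_limits_bytes(fields), "per_type": per_type, "errors": errors,
            "findings": health_findings(fields, per_type, errors)}
```

Run `check(STATUS_SAMPLE, STATS_SAMPLE)["findings"]` on the samples above and the only finding is the 24 connection failures, which is the page's cue to look at the path between the firewall and the WildFire server.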
Step 8  Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving signatures generated by WildFire. See Best Practices for Keeping Signatures up to Date.
  1. Select Device > Dynamic Updates.
  2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item.
  3. Click Check Now at the bottom of the window to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com.
  If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates.
Step 1  Manually upload a file to WildFire for analysis.
  1. Log in to the WildFire Portal. If your firewall is forwarding to the WildFire portal in Japan, use https://wildfire.paloaltonetworks.jp.
  2. Click the Upload Sample button then click Add files.
  3. Navigate to the file, highlight it, and then click Open. The file name will appear below the Add files icon.
  4. Click the Start icon to the right of the file, or click the Start upload button if multiple files are waiting for upload. If the file(s) upload successfully, Success will appear next to each file.
Step 2  View the analysis results. It will take approximately five minutes for WildFire to complete a file analysis.
  Because a manual upload is not associated with a specific firewall, manual uploads will appear separately from your registered firewalls and will not show session information in the reports.
  1. Refresh the portal page from your browser.
  2. Click Manual under the source column to view the results of manual sample upload.
  3. The report page will show a list of all files that have been uploaded to your account. Find the file you uploaded and click the detail icon to the left of the date field. The portal displays a full report of the file analysis detailing the observed file behavior. If WildFire identifies the file as malware, it generates a signature, which is then distributed to all Palo Alto Networks firewalls configured with a WildFire or Threat Prevention subscription.
WildFire Logs
Each firewall that you configure to forward samples to WildFire will log the forward action in the data filtering
logs. After WildFire analyzes the sample, if the verdict is malware, WildFire sends the results back to the
WildFire Submission log on the firewall. You can also configure the firewall to log email header information for
files delivered over email or HTTP/HTTPS links contained in SMTP and POP3 messages. For more
information, see Enable Email Header Information in WildFire Logs.
The detailed analysis report for each file or email link that WildFire analyzes is located in the detailed view of
the WildFire Submissions log. You can also view analysis reports on the WildFire Portal.
If you configure your firewalls to forward samples to a WF-500 appliance, you can only view
analysis results on the firewall that forwarded the file to the appliance or by using the WildFire
XML API to retrieve the report from the appliance.
Forwarding Action Logs: The data filtering logs located in Monitor > Logs > Data Filtering will show the files that were blocked/forwarded based on the file blocking profile. To determine which files were forwarded to WildFire, look for the following values in the Action column of the log:
  wildfire-upload-success: The firewall forwarded the sample to the WildFire cloud or WF-500 appliance. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.
  wildfire-upload-skip: Displayed for all files identified as eligible to be sent to WildFire by a file blocking profile/security policy that did not need to be analyzed by WildFire because they have already been analyzed previously. In this case, the forward action will appear in the Data Filtering log because it was a valid forward action, but the file was not sent to WildFire and analyzed because it has already been sent to the WildFire cloud or WildFire appliance from another session, possibly from another firewall. This action will not occur for email link forwarding.
  wildfire-upload-fail: The sample could not be uploaded to WildFire. This is typically caused by network communication issues between the firewall and the WildFire cloud. Verify connectivity and check DNS.
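The Action values listed above (and in Step 3 of the troubleshooting workflow, which describes the same forward, wildfire-upload-success and wildfire-upload-skip results) can be triaged mechanically once the Data Filtering log is exported. The following Python script is an added example, not part of this guide; the log lines it reads are constructed in a simplified comma-separated layout and are not the firewall's real log export format.

```python
"""Triage of Data Filtering log actions for WildFire forwarding.
Added example, not Palo Alto Networks code. The record layout below is a
constructed, simplified CSV (time,src,dst,app,file type,file name,action);
it is not the firewall's real log export format."""
from collections import Counter

# Constructed sample log lines (RFC 5737 documentation addresses).
LOG_LINES = [
    "2015/03/02 10:01:12,10.1.1.5,203.0.113.7,web-browsing,pe,setup.exe,forward",
    "2015/03/02 10:01:13,10.1.1.5,203.0.113.7,web-browsing,pe,setup.exe,wildfire-upload-success",
    "2015/03/02 10:02:40,10.1.1.9,203.0.113.7,web-browsing,pdf,invoice.pdf,forward",
    "2015/03/02 10:02:41,10.1.1.9,203.0.113.7,web-browsing,pdf,invoice.pdf,wildfire-upload-skip",
    "2015/03/02 10:05:02,10.1.1.12,198.51.100.20,smtp,email-link,,forward",
    "2015/03/02 10:05:03,10.1.1.12,198.51.100.20,smtp,email-link,,wildfire-upload-fail",
    "2015/03/02 10:06:30,10.1.1.12,198.51.100.20,ftp,ms-office,q1.docx,forward",
]

FIELDS = ("time", "src", "dst", "app", "file_type", "file_name", "action")

# Meaning of each upload result, as described in this guide.
UPLOAD_RESULTS = {
    "wildfire-upload-success": "uploaded; new sample, not signed by a trusted signer",
    "wildfire-upload-skip": "already analyzed (possibly via another firewall); not re-sent",
    "wildfire-upload-fail": "upload failed; verify connectivity and check DNS to WildFire",
}


def parse_line(line):
    """Split one constructed record into a dict keyed by FIELDS."""
    values = line.split(",")
    if len(values) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    return dict(zip(FIELDS, values))


def triage(lines):
    """Summarise forwarding results.

    Returns per-action counts, samples still pending (a 'forward' with no later
    upload result for the same flow and file), the failed uploads, and findings
    a troubleshooter should act on.
    """
    records = [parse_line(line) for line in lines]
    by_action = Counter(r["action"] for r in records)
    pending, failures, findings = {}, [], []
    for r in records:
        key = (r["src"], r["dst"], r["file_type"], r["file_name"])
        if r["action"] == "forward":
            # Dataplane handed the sample to the management plane; not yet uploaded.
            pending[key] = r
        elif r["action"] in UPLOAD_RESULTS:
            pending.pop(key, None)
            if r["action"] == "wildfire-upload-fail":
                failures.append(r)
            if r["action"] == "wildfire-upload-skip" and r["file_type"] == "email-link":
                # The guide states the skip action never occurs for email links.
                findings.append("unexpected wildfire-upload-skip for an email link at %s" % r["time"])
    if failures:
        findings.append("%d upload failure(s): %s"
                        % (len(failures), UPLOAD_RESULTS["wildfire-upload-fail"]))
    if by_action["forward"] and not (by_action["wildfire-upload-success"]
                                     or by_action["wildfire-upload-skip"]):
        findings.append("samples match the file blocking profile but none reach WildFire")
    return {"by_action": dict(by_action), "pending": list(pending.values()),
            "failures": failures, "findings": findings}
```

A run over the constructed lines leaves q1.docx pending (forwarded to the management plane with no upload result yet) and reports the single failed email-link upload.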
WildFire Logs: The analysis results for the samples scanned by WildFire are sent back to the firewall logs after the analysis completes. These logs are written to the firewall that forwarded the sample in Monitor > Logs > WildFire Submissions. If logs are forwarded from the firewall to Panorama, the logs are written to the Panorama server in Monitor > Logs > WildFire Submissions. The Category column for the WildFire logs will show either benign (benign email links are not logged), meaning that the file is safe, or malicious, indicating that WildFire determined that the sample contains malicious code. If the sample is determined to be malicious, a signature is generated by the WildFire signature generator. If your firewall is configured to forward files to a WF-500 appliance, you can configure the appliance to forward samples to the WildFire cloud for signature generation or you can Enable Signature/URL Generation on the WF-500 Appliance.
By default, firewalls with a WildFire subscription will only retrieve analysis results from the WildFire cloud
or WF-500 appliance if the sample is identified as malware. To generate logs for benign files, select Device >
Setup > WildFire and edit General Settings and then click the Report Benign Files check box. You can also run
the following CLI command: admin@PA-200# set deviceconfig setting wildfire report-benign-file.
To view the detailed report for a sample that has been analyzed by WildFire, locate the log entry in Monitor
> WildFire Submissions, click the icon to the left of the log entry to show log details and then click the WildFire
Analysis Report tab. A login prompt will appear to access the report and after entering the correct credentials
the report is retrieved from the WildFire system and is displayed in your browser. For information on portal
accounts to access the WildFire cloud, see Add WildFire Portal User Accounts. For information on the
admin account that is used to retrieve reports from a WildFire appliance, see Integrate the WF-500
Appliance into a Network and refer to the step that describes the portal-admin account.
Step 1  Enable the email header option on the firewall that will forward samples to WildFire.
  1. Select Device > Setup > WildFire.
  2. Edit the Session Information Settings section and enable one or more of the options (Email sender, Email recipient, and Email subject).
  3. Click OK to save.
Step 2  (Optional) Configure the User-ID option to enable the firewall to match User-ID information with email header information identified in email links and email attachments forwarded to WildFire. When a match occurs, the user name in the WildFire log email header section will contain a link that, when clicked, will bring up the ACC filtered by the user or group of users.
  1. Select Device > User Identification > Group Mapping Settings.
  2. Select the desired group mapping profile to modify it.
  3. In the Server Profile tab in the Mail Domains section, populate the Domain List field:
    Mail Attributes: This field is automatically populated after you fill in the Domain List field and click OK. The attributes are based on your LDAP server type (Sun/RFC, Active Directory, and Novell).
    Domain List: Enter the list of email domains in your organization using a comma separated list up to 256 characters.
Step 3  Confirm that email header information is appearing in the WildFire reports. Within approximately 15 minutes after the file or link is forwarded, WildFire generates a log. Benign email links are not logged.
  1. Select Monitor > Logs > Data Filtering from the firewall and locate a log with the Action wildfire-upload-success. The date/time should be after the date/time at which you enabled this option.
  2. View the log and analysis report by selecting Monitor > Logs > WildFire Submissions and locate the corresponding log for the link or file attachment.
  3. Click the log details icon in the first column. In the Log Info tab, you will see the new email information in the Email Headers section.
If your firewalls are configured to forward samples to a WF-500 appliance, log results can only be
viewed from the firewall that forwarded the file or by using the WildFire XML API.
For information on configuring additional WildFire accounts that can be used to review report information, see
Add WildFire Portal User Accounts.
Step 1 Configure the time zone for the portal account.
1. Log in to the WildFire Portal using your Palo Alto Networks support login credentials or your WildFire user
account.
2. Click the Settings link located at the upper right of the portal window.
3. Select the time zone from the drop-down and then click Update Time Zone to save the change.
The time stamp that will appear on the WildFire detailed report is based on the time zone set in your portal
account.
Step 2 Delete WildFire logs for specific firewalls. This will delete all logs and notifications for the selected
firewall.
1. In the Delete WildFire Logs drop-down, select the firewall (by serial number).
2. Click the Delete Logs button.
3. Click OK to proceed with the deletion.
Step 3 Configure email notifications that the portal will generate based on the results of files submitted to
WildFire. The email notifications are sent to the email account registered in the support account.
1. On the portal settings page, a table is displayed with the column headings Device, Malware, and Benign.
Check Malware and/or Benign for each firewall for which you would like to receive notifications. Click Update
Notification to enable notifications for the selected firewalls.
2. The first row item will show Manual. Select Malware and/or Benign to receive a notification for files that are
manually uploaded to the WildFire cloud, or that are submitted using the WildFire API, and click Update
Notification to save.
Select the check boxes directly below the column headings Malware and Benign to select all of the check boxes
for the listed devices.
If your firewall forwards files to a WF-500 appliance, you cannot view reports for those samples
on the WildFire portal, even when enabling cloud intelligence on the appliance to submit files to
the cloud. The purpose of sending samples from an appliance to the WildFire cloud is so the cloud
will generate signatures for detected malware. Palo Alto Networks will then distribute these
signatures to customer firewalls that have a Threat Prevention or WildFire subscription.
Step 1 Access the manage users and accounts section on the support site and select an account.
1. Log in to the Palo Alto Networks Support site.
2. Under Manage Account, click Users and Accounts.
3. Select an existing account or sub-account.
Step 2 Add a WildFire user.
1. Click the Add WildFire User button.
2. Enter the email address of the user you would like to add.
The user can be an existing support site user that belongs to any account (including the sub-account, parent
account, Palo Alto Networks, or any other account in the system), as well as any email address that does not
have a support account at all. The only restriction is that the email address cannot be from a free web-based
email account (Gmail, Hotmail, Yahoo, and so on). If an email address is entered for a domain that is not
supported, a pop-up warning appears.
Step 3 Assign firewalls to the new user account and access the WildFire portal.
1. Select the firewall(s) by S/N that you want to grant access to and fill out the optional account details.
An email will then be sent to the user. Users with an existing support account will receive an email with a list
of the firewalls that are now available for WildFire report viewing. If the user does not have a support account,
the portal sends an email with instructions on how to access the portal and how to set a new password.
2. The new user can now log in to the WildFire Portal and view WildFire reports for the firewalls to which they
have been granted access. Users can also configure automatic email alerts for these devices in order to receive
alerts on files analyzed. They can choose to receive reports on malicious and/or benign files.
When viewing a WildFire report for a file that was manually uploaded to the WildFire portal or by
using the WildFire API, the report will not show session information because the traffic did not
traverse the firewall. For example, the report would not show the Attacker/Source and
Victim/Destination.
Download PDF: Click the Download PDF icon (located in the upper right) to have the firewall generate a PDF
version of the WildFire report.
File Information:
File Type: Flash, PE, PDF, APK, JAR/Class, or MS Office. This field is named URL for HTTP/HTTPS email
link reports and will display the URL that was analyzed.
File Signer: The entity that signed the file for authenticity purposes.
Hash Value: A file hash is much like a fingerprint that uniquely identifies a file and therefore reveals whether
the file has been modified in any way. The following lists the hash versions that WildFire generates for each file
analyzed:
SHA-1: Displays the SHA-1 value for the file.
SHA-256: Displays the SHA-256 value for the file.
MD5: Displays the MD5 value for the file.
File Size: The size (in bytes) of the file that WildFire analyzed.
First Seen Timestamp: If the WildFire system has analyzed the file previously, this is the date/time at which it
was first observed.
Verdict: Displays the analysis verdict:
Benign: The file is safe and does not exhibit malicious behavior.
Malware: WildFire identified the file as malware and generates a signature to protect against future exposure.
Sample File: Click the Download File link to download the sample file to your local system. Note that you can
only download files with the malware verdict, not benign files.
Coverage Status: Click the Virus Total link to view endpoint antivirus coverage information for samples that
have already been identified by other vendors. If the file has never been seen by any of the listed vendors, file
not found appears.
In addition, when the report is rendered on the firewall, up-to-date information about the signature and URL
filtering coverage that Palo Alto Networks currently provides to protect against the threat is also displayed in
this section. Because this information is retrieved dynamically, it does not appear in the PDF report.
The following screen capture shows the coverage status that appears after rendering the report on the firewall:
Session Information: Contains session information based on the traffic as it traversed the firewall that
forwarded the sample. To define the session information that WildFire will include in the reports, select
Device > Setup > WildFire > Session Information Settings. The following options are available:
Source IP
Source Port
Destination IP
Destination Port
Virtual System (If multi-vsys is configured on the firewall)
Application
User (If User-ID is configured on the firewall)
URL
Filename
Email sender
Email recipient
Email subject
Dynamic Analysis: If a file is low risk and WildFire can easily determine that it is safe, only a static analysis is
performed, instead of a dynamic analysis.
When a dynamic analysis is performed, this section contains tabs for each virtual environment that the sample
was run in when it was analyzed in the WildFire cloud. For example, the Virtual Machine 1 tab may have
Windows XP, Adobe Reader 9.3.3, and Office 2003, and Virtual Machine 2 may have similar attributes, but
with Office 2007. When a file goes through a full dynamic analysis, it is run in each virtual machine and the
results of each environment can be viewed by clicking any of the Virtual Machine tabs.
On the WF-500 appliance, only one virtual machine is used for the analysis, which you select based on the
virtual environment attributes that best match your local environment. For example, if most users have
Windows 7 32-bit, that virtual machine would be selected.
Behavior Summary: Each Virtual Machine tab summarizes the behavior of the sample file in the specific
environment. Examples include whether the sample created or modified files, started a process, spawned new
processes, modified the registry, or installed browser helper objects.
The Severity column indicates the severity of each behavior. The severity gauge shows one bar for low severity
and additional bars for higher severity levels. This information is also added to the dynamic and static analysis
sections.
Submit Malware: Use this option to manually submit the sample to Palo Alto Networks. The WildFire cloud
will then re-analyze the sample and generate a signature if it determines that the sample is malicious. This is
useful on a WF-500 appliance that has neither signature generation nor cloud intelligence enabled (cloud
intelligence is the feature that forwards malware from the appliance to the WildFire cloud).
Report Incorrect Verdict: Click this link to submit the sample to the Palo Alto Networks threat team if you
feel the verdict is a false positive or false negative. The threat team will perform further analysis on the sample
to determine if it should be reclassified. If a malware sample is determined to be safe, the signature for the file
is disabled in an upcoming antivirus signature update; if a benign file is determined to be malicious, a new
signature is generated. After the investigation is complete, you will receive an email describing the action that
was taken.
Step 1 Configure an email server profile if one is not configured.
1. Select Device > Server Profiles > Email.
2. Click Add and then enter a Name for the profile. For example, WildFire-Email-Profile.
3. (Optional) Select the virtual system to which this profile applies from the Location drop-down.
4. Click Add to add a new email server entry and enter the information required to connect to the Simple Mail
Transport Protocol (SMTP) server and send email (up to four email servers can be added to the profile):
Server: Name to identify the mail server (1-31 characters). This field is just a label and does not have to be the
host name of an existing SMTP server.
Display Name: The name to show in the From field of the email.
From: The email address from which notification emails are sent.
To: The email address to which notification emails are sent.
Additional Recipient(s): Enter an email address to send notifications to a second recipient.
Gateway: The IP address or host name of the SMTP gateway to use to send the emails.
5. Click OK to save the server profile.
6. Click Commit to save the changes to the running configuration.
Step 2 Test the email server profile.
1. Select Monitor > PDF Reports > Email Scheduler.
2. Click Add and select the new email profile from the Email Profile drop-down.
3. Click the Send test email button; a test email should be sent to the recipients defined in the email profile.
Step 3 Configure a log forwarding profile to forward WildFire logs to Panorama, an email account, SNMP,
and/or a syslog server. In this example you will forward WildFire logs to an email account when the WildFire
verdict is Malicious. You can also enable Benign, which will produce more activity if you are testing.
1. Select Objects > Log Forwarding.
2. Click Add and name the profile. For example, WildFire-Log-Forwarding.
3. In the WildFire Settings section, choose the email profile from the Email column for Malicious as shown in
the screen capture.
Step 4 Apply the log forwarding profile to the security policy that contains the file blocking profile.
1. Select Policies > Security and click the policy that is used for WildFire forwarding.
2. In the Actions tab Log Setting section, click the Log Forwarding drop-down and select the new log forwarding
profile. In this example, the profile is named WildFire-Log-Forwarding.
3. Click OK to save the changes and then Commit the configuration. WildFire logs will now be forwarded to the
email address(es) defined in the email profile.
Step 5 (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data
port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the
PA-7050, to avoid overwhelming the MGT port.
The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email,
and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and
WildFire logs. The firewall also uses this port to forward files/email links to WildFire for analysis.
If the port is not configured, a commit error is displayed. Note that only one data port can be configured with
the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a
service route.
The PA-7050 does not forward logs to Panorama. Panorama will only query the PA-7050 log card for log
information.
1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to
communicate with your syslog servers and your email servers so that it can send logs and email alerts. The port
will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. There is no other configuration needed. The
PA-7050 firewall will automatically use this port as soon as it is activated.
5. Commit the configuration.
WildFire in Action
The following example scenario summarizes the full WildFire lifecycle. In this example, a sales representative
from Palo Alto Networks downloads a new software sales tool that a sales partner uploaded to Dropbox. The
sales partner unknowingly uploaded an infected version of the sales tool install file and the sales rep then
downloads the infected file.
This example will demonstrate how a Palo Alto Networks firewall in conjunction with WildFire can discover
zero-day malware downloaded by an end user, even if the traffic is SSL encrypted. After WildFire identifies the
malware, a log is sent to the firewall and the firewall alerts the administrator, who then contacts the user to
eradicate the malware. WildFire then generates a new signature for the malware, and firewalls with a Threat
Prevention or WildFire subscription automatically download the signature to protect against future exposure.
Although some file sharing web sites have an antivirus feature that checks files as they are uploaded, they can
only protect against known malware.
For more information on configuring WildFire, see Forward Samples to the WildFire Cloud or Forward Files
to a WF-500 Appliance.
This example uses a web site that uses SSL encryption, so the firewall must have decryption and
Allow forwarding of decrypted content enabled. For information on enabling forwarding of
decrypted content, see Forward Samples to the WildFire Cloud or Forward Files to a WF-500
Appliance.
Step 1 The sales person from the partner company uploads a sales tool file named sales-tool.exe to his Dropbox
account and then sends an email to the Palo Alto Networks sales person with a link to the file.
Step 2 The Palo Alto sales person receives the email from the sales partner and clicks the download link, which takes
her to the Dropbox site. She then clicks Download to save the file to her desktop.
Step 3 The firewall that is protecting the Palo Alto sales rep has a file blocking profile attached to a security policy that
will look for files in any application that is used to download or upload any of the supported file types (Flash, PE,
PDF, APK, JAR/Class, or MS Office). Note that the firewall can also be configured to forward the email-link
file type, which enables the firewall to extract HTTP/HTTPS links contained in SMTP and POP3 email
messages. As soon as the sales rep clicks Download, the firewall policy forwards the sales-tool.exe file to
WildFire, where the file is analyzed for zero-day malware. Even though the sales rep is using Dropbox, which is
SSL encrypted, the firewall is configured to decrypt traffic, so all traffic can be inspected. The following screen
shots show the File Blocking Profile, the Security Policy configured with the File Blocking profile, and the option
to allow forwarding of decrypted content.
Step 4 At this point, WildFire has received the file and is analyzing it for more than 200 different malicious behaviors.
To see that the file was forwarded successfully, view Monitor > Logs > Data Filtering on the firewall.
Step 5 Within approximately five minutes, WildFire has completed the file analysis and then sends a WildFire log back
to the firewall with the analysis results. In this example, the WildFire log shows that the file is malicious.
Step 6 The firewall is configured with a log forwarding profile that will send WildFire alerts to the security administrator
when malware is discovered.
Step 7 The security administrator identifies the user by name (if User-ID is configured), or by IP address if User-ID is
not enabled. At this point, the administrator can shut down the network or VPN connection that the sales
representative is using and will then contact the desktop support group to work with the user to check and clean
the system.
By using the WildFire detailed analysis report, the desktop support person can determine if the user system is
infected with malware by looking at the files, processes, and registry information detailed in the WildFire analysis
report. If the user runs the malware, the support person can attempt to clean the system manually or re-image it.
For details on the WildFire report fields, see WildFire Report Contents.
Step 8 Now that the administrator has identified the malware and the user system is being checked, how do you protect
from future exposure? Answer: In this example, the administrator set a schedule on the firewall to download
and install WildFire signatures every 15 minutes and to download and install Antivirus updates once per day. In
less than an hour and a half after the sales rep downloaded the infected file, WildFire identified the zero-day
malware, generated a signature, added it to the WildFire update signature database provided by Palo Alto
Networks, and the firewall downloaded and installed the new signature. This firewall and any other Palo Alto
Networks firewall configured to download WildFire and antivirus signatures is now protected against this newly
discovered malware. The following screenshot shows the WildFire update schedule:
All of this occurs well before most antivirus vendors are even aware of the zero-day malware. In this example,
within a very short period of time, the malware is no longer considered zero-day because Palo Alto Networks
has already discovered it and has provided protection to customers to prevent future exposure.
WildFire API File Submission Methods
Submit a File to the WildFire Cloud Using the Submit File Method
The WildFire API can be used to submit all Supported File Types. The file along with your API key is required
when submitting to WildFire for analysis. The return code of the submit-file method indicates a success or error
condition. If a 200 OK code is returned, the submission is successful and a result is normally available for query
within five minutes.
The following table describes the API attributes needed to submit files to the WildFire cloud using the submit
file method:
URL: https://wildfire.paloaltonetworks.com/publicapi/submit/file
Method: POST
Parameters:
apikey: Your WildFire API key
file: The sample file to be analyzed
Return:
200 OK: Indicates success
413 Request Entity Too Large: Sample file size over max limit
419 Max Request Reached: Max number of uploads per day exceeded
Use the submit-url method to submit a file for analysis via a URL. This method is identical in interface and
functionality to the submit-file method, except that the file parameter is replaced with a url parameter. The url
parameter must point to an accessible supported file type. If a 200 OK code is returned, the submission is
successful and a result is usually available for query within five minutes.
The following table describes the API attributes needed to submit files to the WildFire cloud using a URL:
URL: https://wildfire.paloaltonetworks.com/publicapi/submit/url
Method: POST
Parameters:
apikey: Your WildFire API key
url: The URL for the file to be analyzed. The URL must contain the file name, for example
http://paloaltonetworks.com/folder1/my-file.pdf.
Return:
200 OK: Indicates success and a report is returned
413 Request Entity Too Large: Sample file size over max limit
419 Max Request Reached: Max number of uploads per day exceeded
The following shell script wraps the submit-file method, taking the API key and the path of the sample file as
its two arguments:
#!/bin/sh
key=$1
file=$2
curl -k -F apikey="$key" -F file=@"$file" https://wildfire.paloaltonetworks.com/publicapi/submit/file
The following cURL command demonstrates how to submit a file to WildFire using the submit URL method:
curl -k -F apikey=yourAPIkey -F url=URL https://wildfire.paloaltonetworks.com/publicapi/submit/url
Query for a WildFire PDF or XML Report
URL: https://wildfire.paloaltonetworks.com/publicapi/get/report
Method: POST
Parameters:
apikey: Your WildFire API key
hash: The MD5, SHA-1, or SHA-256 hash value of the sample
format: pdf or xml
The following cURL command demonstrates a query for a PDF report using the MD5 hash of a sample file:
curl -k -F hash=1234556 -F format=pdf -F apikey=yourAPIkey
https://wildfire.paloaltonetworks.com/publicapi/get/report
To retrieve the XML version of the report, replace format=pdf with format=xml. For example:
curl -k -F hash=1234556 -F format=xml -F apikey=yourAPIkey
https://wildfire.paloaltonetworks.com/publicapi/get/report
Use the API to Retrieve a Sample Malware Test File
Use the get-sample method to retrieve a particular sample. You can use the MD5, SHA-1, or SHA-256 hash
of the sample file as a search query.
URL: https://wildfire.paloaltonetworks.com/publicapi/get/sample
Method: POST
Parameters:
apikey: Your WildFire API key
hash: The MD5, SHA-1, or SHA-256 hash value of the sample
Use the get-pcap method to query for a PCAP recorded during analysis of a particular sample. Use either the
MD5, SHA-1, or SHA-256 hash of the sample file as a search query. You can optionally define the platform of
the desired PCAP to specify which PCAP should be returned. If no platform is specified, the method returns
a PCAP from a session that yielded a verdict of Malware.
Samples uploaded prior to August 2014 are not guaranteed to return a PCAP if no platform
parameter is supplied.
The following table describes the API attributes needed to query for PCAPs:
URL: https://wildfire.paloaltonetworks.com/publicapi/get/pcap
Method: POST
Parameters:
apikey: Your WildFire API key
hash: The MD5, SHA-1, or SHA-256 hash value of the sample
platform*: The platform of the analysis environment whose PCAP should be returned
* Optional parameter
Example API Query for Get-PCAP
The following cURL command demonstrates a query for a pcap using the sample's MD5 hash:
curl -k -F hash=md5hash -F apikey=yourAPIkey -F platform=targetPlatform
https://wildfire.paloaltonetworks.com/publicapi/get/pcap
Use the WildFire API on a WF-500 Appliance
Step 1 Generate a new API key on the WildFire appliance. The appliance supports up to 100 API keys.
As a best practice, leave out the key-value option in this step and the appliance will generate a key
automatically. If you manually enter a key, the key-value must be 64 alpha characters (a-z) or numbers (0-9)
that you randomly choose.
1. Log in to the WildFire appliance CLI.
2. Generate the API key using one of the following methods:
Generate a key automatically:
admin@WF-500> create wildfire api-key name key-name
For example, to create a key with the name my-api-key:
admin@WF-500> create wildfire api-key name my-api-key
To generate a key manually (where key-value is a 64-character key):
admin@WF-500> create wildfire api-key name my-api-key key key-value
For example:
admin@WF-500> create wildfire api-key name my-api-key key 0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1
Step 2 View the API keys that you generated.
View all API keys:
admin@WF-500> show wildfire api-key all
This command also shows the date the key was generated and the last time the key was used.
In this example, the appliance generated the following key with the name my-api-key:
0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1
This section describes some useful commands that you can use to manage WildFire API keys on the appliance
and describes how to export and import the keys. For example, you may want to export all of your keys for
backup purposes or to make it easier to access the keys from the systems that will use the API to perform various
functions on the appliance.
Use the following commands to disable API keys temporarily, enable keys, or delete keys that are no longer
used.
Disable or enable an API key:
admin@WF-500> edit wildfire api-key status [disable | enable] key api-key
For example, to disable the API key used in this example:
admin@WF-500> edit wildfire api-key status disable key 0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1
In the above command, you can type the first few unique digits of the key and then press Tab to fill in the
remaining digits.
Delete an API key:
admin@WF-500> delete wildfire api-key key api-key
For example:
admin@WF-500> delete wildfire api-key key 0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1
Use the following commands to import or export API keys from the appliance using Secure Copy (SCP).
Save all API keys to a file to prepare the keys for export:
admin@WF-500# save wildfire api-key to filename
For example:
admin@WF-500> save wildfire api-key to my-api-keys
To SCP the API key file to an SCP-enabled server:
admin@WF-500> scp export wildfire-api-keys to username@host:path
For example:
admin@WF-500> scp export wildfire-api-keys to bart@10.10.10.5:c:/scp/
You can also import the key file from an SCP-enabled server:
admin@WF-500> scp import wildfire-api-keys from bart@10.10.10.5:c:/scp/my-api-keys
After importing API keys, you must load the keys:
admin@WF-500# load wildfire api-key mode [merge | replace] from my-api-keys
If you leave out the mode option, the default behavior is to merge the new keys. To replace all API keys on the
appliance, use the replace option. For example, to replace all API keys, enter the command:
admin@WF-500# load wildfire api-key mode replace from my-api-keys
Confirm that the keys were loaded:
admin@WF-500> show wildfire api-key all
The following workflow describes how to use the WildFire API to submit a sample file to a WF-500 appliance
for analysis. After understanding the basic concepts illustrated in this workflow, you can then use any of the API
functions that are available on the WildFire cloud. See WildFire API for links to other WildFire API examples
based on the WildFire cloud. The functions are the same, but in the case of the WF-500 appliance, you will use
the API key generated on the appliance and the URL of the appliance.
This workflow requires a host computer that has the cURL command line tool installed. You will
then send files from the host computer to the WildFire appliance using the URL syntax.
Step 1 Generate a WildFire API key for the host computer that will perform API functions on the WildFire appliance.
For details, see Generate API Keys on the WildFire Appliance.
1. Access the CLI on the WildFire appliance and generate an API key:
admin@WF-500> create wildfire api-key name my-api-key
2. View the API keys:
admin@WF-500> show wildfire api-key all
3. Make sure the key status is Enabled and then highlight and copy the key. The following screen capture shows
an example API key named my-api-key.
Step 2 Using the new API key that you generated, submit a sample file to the WildFire appliance.
1. Place a sample file in a folder that can be accessed from the host computer that has the cURL command line
tool installed and note the path of the sample file.
2. Submit the file using cURL:
curl -k -F apikey=your-API-key -F file=@local-file-path --remote-name
https://WF-appliance-IP/publicapi/submit/file
The syntax will vary based on the host that you are using. The following examples show the syntax using a
Linux host and a Windows host.
From a Linux host:
curl -k -F apikey=87C142CB01CA5BEBE06E226A25C0A473B34050B617073E21E8F1A6BCB8C5C387 -F
file=@test-wf-api.docx --remote-name https://10.3.4.99/publicapi/submit/file
From a Windows host (The only difference is the file path following the @ symbol):
curl -k -F apikey=87C142CB01CA5BEBE06E226A25C0A473B34050B617073E21E8F1A6BCB8C5C387 -F
file=@c://scp/test-wf-api.docx --remote-name https://10.3.4.99/publicapi/submit/file
3. Verify that the API successfully submitted the file to the WildFire appliance. To view a list of recent samples
submitted to the appliance:
admin@WF-500> show wildfire latest samples
The following screen capture shows that the sample file test-wf-api.docx was successfully submitted to the
appliance:
If the sample file does not appear on the appliance, verify connectivity between the host computer and the appliance and
confirm that the folder/file path is correct. You can also run show wildfire status (status should show Idle) and
show wildfire statistics to verify that the appliance is ready to analyze files. For more information on
troubleshooting, refer to the Palo Alto Networks WildFire Administrators Guide.
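The following Python client is an added example for this page; it is not part of the guide or of Palo Alto Networks' software. It ties together the submit-file, submit-url, get-report, get-sample and get-pcap methods described in the WildFire API section above, and serves the WF-500 workflow in this section as well, since the appliance URL (https://WF-appliance-IP/publicapi, as in the cURL examples) can be passed as base_url. It builds the same multipart form fields that the cURL examples send with -F, checks that a hash argument is an MD5, SHA-1 or SHA-256 hex digest (the three hashes a report lists), maps the return codes from the tables (200, 413, 419) to their documented meanings, and keeps TLS verification on rather than copying cURL's -k. The function names, the key-redaction helper, the optional opener argument and the byte-string sample input are constructed for this example; the only API names used are the URLs and parameters shown on the page.

```python
"""Minimal WildFire public API client (added example, not Palo Alto Networks code)."""
import hashlib
import re
import urllib.error
import urllib.request
import uuid

# Cloud URL from the guide; a WF-500 appliance uses https://<WF-appliance-IP>/publicapi
CLOUD_BASE_URL = "https://wildfire.paloaltonetworks.com/publicapi"

# Return codes documented in the guide's submit-file / submit-url tables
STATUS_MESSAGES = {
    200: "OK: submission accepted; result normally available within five minutes",
    413: "Request Entity Too Large: sample file size over max limit",
    419: "Max Request Reached: max number of uploads per day exceeded",
}

# Hex digest length -> algorithm, matching the three hashes a WildFire report lists
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-f]+$")


def hash_type(digest):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest; raise ValueError otherwise."""
    digest = digest.strip().lower()
    if len(digest) not in HASH_TYPES or not _HEX.match(digest):
        raise ValueError("hash must be a hex MD5, SHA-1 or SHA-256 digest")
    return HASH_TYPES[len(digest)]


def file_hashes(data):
    """Compute the MD5, SHA-1 and SHA-256 of a sample, as shown in the report's Hash Value field."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def encode_multipart(fields, file_field=None, boundary=None):
    """Build a multipart/form-data body equivalent to curl's -F options.

    fields: dict of plain form fields; file_field: (name, filename, bytes) or None.
    Returns (body_bytes, content_type_header_value).
    """
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f'\r\n\r\n{value}\r\n'.encode())
    if file_field is not None:  # curl -F file=@path sends the file content as a part
        name, filename, data = file_field
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                     f'filename="{filename}"\r\nContent-Type: application/octet-stream'
                     f'\r\n\r\n'.encode() + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def build_request(method_path, apikey, fields=None, file_field=None, base_url=CLOUD_BASE_URL):
    """Return a POST urllib Request for one API method path such as 'submit/file'."""
    form = {"apikey": apikey}  # every method takes the API key as a form field
    form.update(fields or {})
    body, content_type = encode_multipart(form, file_field)
    return urllib.request.Request(f"{base_url}/{method_path}", data=body,
                                  headers={"Content-Type": content_type}, method="POST")


def submit_file_request(apikey, filename, data, base_url=CLOUD_BASE_URL):
    return build_request("submit/file", apikey, file_field=("file", filename, data), base_url=base_url)


def submit_url_request(apikey, url, base_url=CLOUD_BASE_URL):
    return build_request("submit/url", apikey, {"url": url}, base_url=base_url)


def get_report_request(apikey, digest, fmt="xml", base_url=CLOUD_BASE_URL):
    hash_type(digest)  # reject anything that is not an MD5/SHA-1/SHA-256 digest
    if fmt not in ("pdf", "xml"):
        raise ValueError("format must be pdf or xml")
    return build_request("get/report", apikey, {"hash": digest, "format": fmt}, base_url=base_url)


def get_sample_request(apikey, digest, base_url=CLOUD_BASE_URL):
    hash_type(digest)
    return build_request("get/sample", apikey, {"hash": digest}, base_url=base_url)


def get_pcap_request(apikey, digest, platform=None, base_url=CLOUD_BASE_URL):
    hash_type(digest)
    fields = {"hash": digest}
    if platform is not None:  # platform is optional per the guide
        fields["platform"] = platform
    return build_request("get/pcap", apikey, fields, base_url=base_url)


def describe_status(code):
    """Map an HTTP status to the meaning documented in the guide."""
    return STATUS_MESSAGES.get(code, f"unexpected HTTP status {code}")


def redact_key(apikey):
    """Keep only the last four characters so the key never ends up in logs."""
    return "****" + apikey[-4:]


def send(request, opener=urllib.request.urlopen):
    """Send a built request and return (status, body). Certificate verification stays
    on; the cURL examples' -k switch disables it, which hides a spoofed endpoint."""
    try:
        with opener(request) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
```

A typical use is to compute file_hashes() of a sample before submitting it, keep the SHA-256, and query get_report_request() with that digest five minutes later; describe_status() turns a 419 into a readable daily-quota message instead of a bare status code.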
The WildFire appliance software CLI is used to manage the appliance. The CLI is the only interface to the
appliance. Use it to view status and configuration information and modify the appliance configuration. Access
the WildFire appliance software CLI over SSH or by direct console access using the console port.
The WildFire appliance software CLI operates in two modes:
Operational modeView the state of the system, navigate the WildFire appliance software CLI, and enter
configuration mode.
The basic command prompt incorporates the user name and hostname of the appliance:
username@hostname>
Example:
admin@WF-500>
When entering Configuration mode, the prompt changes from > to #:
username@hostname>(Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname# (Configuration mode)
In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square
brackets when a command is issued.
Messages may be displayed when issuing a command. The messages provide context information and can help
in correcting invalid commands. In the following examples, the message is the line printed after the command.
Example: Unknown command
username@hostname# application-group
Unknown command: application-group
[edit network]
username@hostname#
Example: Changing modes
username@hostname# exit
Exiting configuration mode
username@hostname>
Example: Invalid syntax
username@hostname> debug 17
Unrecognized command
Invalid syntax.
username@hostname>
The CLI checks the syntax of each command. If the syntax is correct, it executes the command and the
candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as
in the following example:
username@hostname# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
Unrecognized command
Invalid syntax.
[edit]
username@hostname#
The symbol preceding an option can provide additional information about command syntax.
Symbol Description
+ There are additional command options for this command at this level.
If you do not put double quotes around the group name, the CLI would interpret the word Test as the group
name and Group as the username, and the following error would be displayed: test is not a valid name.
Privilege Levels
Privilege levels determine which commands the user is permitted to execute and the information the user is
permitted to view.
Level Description
Configuration Mode
Entering commands in configuration mode modifies the candidate configuration. The modified candidate
configuration is stored in the appliance memory and maintained while the appliance is running.
Each configuration command involves an action, and may also include keywords, options, and values.
This section describes Configuration mode and the configuration hierarchy:
Configuration Mode Command Usage
Configuration Hierarchy
Navigate the Hierarchy
save: Saves the candidate configuration in the non-volatile storage on the appliance. The saved
configuration is retained until overwritten by subsequent save commands. Note that this command does not
make the configuration active.
commit: Applies the candidate configuration to the appliance. A committed configuration becomes the
active configuration for the device.
set: Changes a value in the candidate configuration.
load: Assigns the last saved configuration or a specified configuration to be the candidate configuration.
When exiting configuration mode without issuing the save or commit command, the
configuration changes could be lost if the appliance loses power.
Maintaining a candidate configuration and separating the save and commit steps confers important advantages
when compared with traditional CLI architectures:
Distinguishing between the save and commit concepts allows multiple changes to be made at the same time
and reduces system vulnerability.
Commands can easily be adapted for similar functions. For example, when configuring two Ethernet
interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the
command, modify only the interface and IP address, and then apply the change to the second interface.
Configuration Hierarchy
The configuration for the appliance is organized in a hierarchical structure. To display a segment of the current
hierarchy level, use the show command. Entering show displays the complete hierarchy, while entering show
with keywords displays a segment of the hierarchy. For example, running show from the top level of
configuration mode displays the entire configuration, whereas running edit mgt-config followed by show, or
running show mgt-config, displays only the mgt-config part of the hierarchy.
Hierarchy Paths
When entering commands, the path is traced through the hierarchy as follows:
For example, the following command assigns the primary DNS server 10.0.0.246 for the appliance:
[edit]
username@hostname# set deviceconfig system dns-setting servers primary 10.0.0.246
This command generates a new element in the hierarchy and in the output of the following show command:
[edit]
username@hostname# show deviceconfig system dns-setting
dns-setting {
servers {
primary 10.0.0.246
}
}
[edit]
username@hostname#
The [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy
context.
[edit]
indicates that the relative context is the top level of the hierarchy, whereas
[edit deviceconfig]
indicates that the relative context is at the deviceconfig level.
Use the following commands to navigate through the configuration hierarchy.
Command Description
edit Sets the context for configuration within the command hierarchy.
The set command issued after using the up and top commands starts from the new context.
Operational Mode
At the initial login to the device, the WildFire appliance software CLI opens in Operational mode. Operational
mode commands involve actions that are executed immediately. They do not involve changes to the
configuration, and do not need to be saved or committed.
Operational mode commands are of several types:
Monitoring and troubleshooting: Perform diagnosis and analysis. Includes debug and ping commands.
Display commands: Display or clear current information. Includes clear and show commands.
WildFire appliance software CLI navigation commands: Enter Configure mode or exit the WildFire
appliance software CLI. Includes configure, exit, and quit commands.
System commands: Make system-level requests or restart. Includes set and request commands.
Data bits: 8
Parity: none
Stop bits: 1
1. Use terminal emulation software to establish an SSH console connection with the WF-500 appliance.
When logging in, the WildFire appliance software CLI opens in Operational mode. You can navigate between
Operational and Configuration modes at any time.
To enter Configuration mode from Operational mode, use the configure command:
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#
To leave Configuration mode and return to Operational mode, use the quit or exit command:
username@hostname# quit
Exiting configuration mode
username@hostname>
To enter an Operational mode command while in Configuration mode, use the run command. For example,
to show system resources from configure mode, use run show system resources.
username@hostname>
To display the available options for a specified command, enter the command followed by ?.
Example:
username@hostname> ping ?
+ bypass-routing Bypass routing table, use specified interface
+ count Number of requests to send (1..2000000000 packets)
+ do-not-fragment Don't fragment echo request packets (IPv4)
+ inet Force to IPv4 destination
+ interface Source interface (multicast, all-ones, unrouted packets)
+ interval Delay between requests (seconds)
+ no-resolve Don't attempt to print addresses symbolically
+ pattern Hexadecimal fill pattern
+ record-route Record and report packet's path (IPv4)
+ size Size of request packets (0..65468 bytes)
+ source Source address of echo request
+ tos IP type-of-service value (0..255)
+ ttl IP time-to-live value (IPv6 hop-limit value) (0..255 hops)
+ verbose Display detailed output
+ wait Delay after sending last packet (seconds)
<host> Hostname or IP address of remote host
Some operational commands include an option to restrict the displayed output. To restrict the output, enter a
pipe symbol followed by except or match and the value that is to be excluded or included:
Example:
The following sample output is for the show system info command:
username@hostname> show system info
hostname: WF-500
ip-address: 192.168.2.20
netmask: 255.255.255.0
default-gateway: 192.168.2.1
mac-address: 00:25:90:95:84:76
vm-interface-ip-address: 10.16.0.20
vm-interface-netmask: 255.255.252.0
vm-interface-default-gateway: 10.16.0.1
vm-interface-dns-server: 10.0.0.247
time: Mon Apr 15 13:31:39 2013
uptime: 0 days, 0:02:35
family: m
model: WF-500
serial: 009707000118
sw-version: 5.1.0
logdb-version: 5.0.2
platform-family: m
username@hostname>
Change the output format for the configuration commands by using the set cli config-output-format
command in Operational mode. Options include the default format, json (JavaScript Object Notation), set
format, and XML format. The default format is a hierarchical format where configuration sections are indented
and enclosed in curly brackets.
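The following Python script is an added illustration of how the default and set output formats relate; it is not part of the WildFire software or of this guide. It parses the curly-bracket format into a tree, emits the same configuration as set commands and as JSON, and refuses a capture whose braces do not balance (a truncated terminal capture would otherwise be turned into a partial configuration). The sample show output is constructed from the dns-setting and update-schedule fragments shown in this reference; the set commands it produces match the set deviceconfig system ... form used in the command entries below.

```python
import json

# Constructed sample of the default (curly-bracket) `show` output, assembled from the
# dns-setting and update-schedule fragments shown in this reference.
SHOW_OUTPUT = """\
deviceconfig {
  system {
    dns-setting {
      servers {
        primary 10.0.0.246;
      }
    }
    update-schedule {
      wf-content {
        recurring {
          weekly {
            at 19:00;
            action download-and-install;
            day-of-week friday;
          }
        }
      }
    }
  }
}
"""


def parse_config(text):
    """Parse hierarchical `show` output into nested dicts.

    `name {` opens a level, `}` closes it, `key value;` is a leaf, and a bare `key;`
    is a flag stored as None. Raises ValueError on unbalanced braces so that a truncated
    capture is not silently accepted as a complete configuration.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unexpected closing brace")
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.rstrip(";").partition(" ")
            stack[-1][key] = value.strip() or None
    if len(stack) != 1:
        raise ValueError(f"{len(stack) - 1} block(s) left open; output is truncated")
    return root


def capture_error(text):
    """Return the parse error for a captured `show` output, or None when it is well formed."""
    try:
        parse_config(text)
    except ValueError as exc:
        return str(exc)
    return None


def to_set_commands(tree, prefix=()):
    """Emit the tree as `set` commands, the CLI's set output format (one command per leaf)."""
    commands = []
    for key, value in tree.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            commands.extend(to_set_commands(value, path))
        else:
            commands.append("set " + " ".join(path if value is None else path + (value,)))
    return commands


def to_json(tree):
    """The same tree in the CLI's json output format; flags (bare keys) become null."""
    return json.dumps(tree, indent=2)


if __name__ == "__main__":
    tree = parse_config(SHOW_OUTPUT)
    print("\n".join(to_set_commands(tree)))
    print(to_json(tree))
```

Because to_set_commands walks the tree in order, the generated commands can be pasted back into Configuration mode to reproduce the captured section on another appliance, which is the practical reason the set format exists.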
Description
Configure Wildfire settings on the WF-500 appliance. You can configure forwarding of malicious files, define
the cloud server that receives malware infected files, and enable or disable the vm-interface.
Hierarchy Location
Syntax
wildfire {
active-vm;
cloud-server <value>;
vm-network-enable {no | yes};
vm-network-use-tor {enable | disable};
cloud-intelligence {
submit-report {no | yes};
submit-sample {no | yes};
signature-generation {
av {no | yes};
dns {no | yes};
url {no | yes};
}
}
}
Options
+ active-vm Select the virtual machine environment that WildFire will use for sample
analysis. Each VM has a different configuration, such as Windows XP, specific versions
of Flash, Adobe Reader, etc. To view which VM is selected, run the following command:
admin@WF-500> show wildfire status and view the Selected VM field. To view the VM
environment information, run the following command: admin@WF-500> show wildfire
vm-images.
+ cloud-server Hostname for the cloud server that the appliance will forward malicious
samples/reports to for a re-analysis. The default cloud server is
wildfire-public-cloud. To configure forwarding, use the following command: set
deviceconfig setting wildfire cloud-intelligence.
+ vm-network-enable Enable or disable the vm-network. When enabled, sample files
running in the virtual machine sandbox can access the Internet. This helps WildFire
better analyze the behavior of the malware to look for things like phone home activity.
+ vm-network-use-tor Enable or disable the Tor network for the vm-interface. When this
option is enabled, any malicious traffic coming from the sandbox systems on the WF-500
appliance during sample analysis is sent through the Tor network. The Tor network will
mask your public facing IP address, so the owners of the malicious site cannot determine
the source of the traffic.
+ cloud-intelligence Configure the appliance to submit WildFire reports or samples to
the Palo Alto Networks WildFire cloud. The submit-report option will send reports for
malicious samples to the cloud for statistical gathering. The submit-sample option will
send malicious samples to the cloud. If submit-sample is enabled, there is no need to
enable submit-report, because the sample is re-analyzed in the cloud and a new report and
signature are generated if the sample is malicious.
+ signature-generation Enable the appliance to generate signatures locally,
eliminating the need to send any data to the public cloud in order to block malicious
content. The WF-500 appliance will analyze files forwarded to it from Palo Alto Networks
firewalls or from the WildFire API and generate antivirus and DNS signatures that block
both the malicious files as well as associated command and control traffic. When the
appliance detects a malicious URL, it sends the URL to PAN-DB and PAN-DB assigns it the
malware category.
Sample Output
superuser, deviceadmin
Description
Schedule content updates on a WF-500 appliance. These content updates equip the appliance with the most
up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate
the malicious from the benign.
Hierarchy Location
Syntax
wf-content recurring {
daily at <value> action {download-and-install | download-only};
weekly {
action {download-and-install | download-only};
at <value>;
day-of-week {friday | monday | saturday | sunday | thursday | tuesday | wednesday};
}
}
Options
Sample Output
admin@WF-500# show
update-schedule {
wf-content {
recurring {
weekly {
at 19:00;
action download-and-install;
day-of-week friday;
}
}
}
}
superuser, deviceadmin
Description
The vm-interface is used by malware running on the WF-500 appliance virtual machine sandbox to access the
Internet. Activating this port is recommended and will help WildFire better identify malicious activity if the
malware accesses the Internet for phone-home or other activity. It is important that this interface has an isolated
connection to the Internet. For more information, see Set Up the VM Interface on the WF-500 Appliance.
After configuring the vm-interface, enable it by running the following command:
set deviceconfig setting wildfire vm-network-enable yes
Hierarchy Location
Syntax
set vm-interface {
default-gateway <ip_address>;
dns-server <ip_address>;
ip-address <ip_address>;
link-state;
mtu;
netmask <ip_address>;
speed-duplex;
}
Options
Sample Output
superuser, deviceadmin
Description
Generate API keys on a WF-500 appliance that you will use on an external system to submit samples to the
appliance, query reports, or retrieve samples and Packet Captures (PCAPS) from the appliance.
Syntax
create {
wildfire {
api-key {
key <value>;
name <value>;
}
}
}
Options
+ key Create an API key by manually entering a key value. The value must be 64 alpha
characters (a-z) or numbers (0-9). If you do not specify the key option, the appliance
generates a key automatically.
+ name Optionally enter a name for the API key. An API key name is simply used to
label the keys to make it easier to identify keys assigned for specific uses and has no
impact on the functionality of the key.
Sample Output
The following output shows that the appliance has three API keys and one key is named my-api-key.
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
| Apikey                                                           | Name       | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |            | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C |            | Enabled | 2014-08-04 17:00:42 |                     |
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
superuser, deviceadmin
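The following Python script is an added illustration of a periodic API key review built on the show wildfire api-keys all output; it is not part of the WildFire software or of this guide. It parses the table, flags enabled keys that have been idle longer than a chosen number of days (a key that was never used is aged from its Create Time), and produces the matching delete wildfire api-key commands for the keys an administrator decides to revoke. The table embedded in the script is a constructed copy of the three-key sample above, and the idle threshold and review date are assumed values.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout of `show wildfire api-keys all` (the three keys shown above).
API_KEY_TABLE = """\
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
| Apikey                                                           | Name       | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |            | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C |            | Enabled | 2014-08-04 17:00:42 |                     |
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
"""

TIMESTAMP = "%Y-%m-%d %H:%M:%S"  # format used in the Create Time / Last Used Time columns


def parse_key_table(text):
    """Turn the pipe-delimited table into a list of dicts keyed by the header row."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # the +---- rule lines carry no data
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def stale_keys(rows, as_of, max_idle_days):
    """Enabled keys idle for more than max_idle_days as of `as_of` (a timestamp string).

    A key with an empty Last Used Time has never authenticated a request, so its age is
    measured from Create Time instead; such keys are reported with reason "never used".
    """
    now = datetime.strptime(as_of, TIMESTAMP)
    stale = []
    for row in rows:
        if row["Status"] != "Enabled":
            continue
        last_used = row["Last Used Time"]
        reference = datetime.strptime(last_used or row["Create Time"], TIMESTAMP)
        idle = now - reference
        if idle > timedelta(days=max_idle_days):
            stale.append({
                "key": row["Apikey"],
                "name": row["Name"] or "(unnamed)",
                "idle_days": idle.days,
                "reason": "idle" if last_used else "never used",
            })
    return stale


def delete_commands(stale):
    """The `delete wildfire api-key` command that revokes each listed key on the appliance."""
    return [f"delete wildfire api-key key {entry['key']}" for entry in stale]


if __name__ == "__main__":
    # Assumed review parameters: 30 idle days, reviewed the day after the newest key was created.
    found = stale_keys(parse_key_table(API_KEY_TABLE), "2014-08-05 00:00:00", 30)
    for entry in found:
        print(f"{entry['name']:<12} {entry['reason']:<10} {entry['idle_days']:>3} days  {entry['key']}")
    print("\n".join(delete_commands(found)))
```

Run against a live capture, the script reports the first two keys (one never used since June, one last used in June) and leaves the key created the previous day alone; the printed delete commands are the ones described under delete wildfire api-key below, and any system still configured with a deleted key loses access immediately, so confirm the owner of each key before running them.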
Description
Delete an API key from the WF-500 appliance. Systems configured to use the API to perform API functions
on the appliance will no longer be able to access the appliance after you delete the key.
Syntax
delete {
wildfire {
api-key {
key <value>;
}
}
}
Options
+ key <value> The key value for the key that you want to delete. To view a list of API
keys, run the following command: admin@WF-500> show wildfire api-keys all
Sample Output
APIKey A0418F8EADABA4C78CD3106D71147321462C5AA085B2979136447B1EC334655A deleted
superuser, deviceadmin
delete wildfire-metadata
Description
Delete content updates on the WF-500 appliance. For more information on content updates and how to install
them, see request wf-content.
Syntax
delete {
wildfire-metadata update <value>;
}
Options
+ update <value> Define the content update that you want to delete.
Sample Output
superuser, deviceadmin
Description
Modify an API key name or the key status (enabled/disabled) on a WF-500 appliance.
Syntax
edit {
wildfire {
api-key [name | status] key <value>;
}
}
Options
Sample Output
The key value in this command is required. For example, to change the name of a key named stu to
stu-key1, enter the following command:
In the following command, you do not need to enter the old key name; only enter the new key
name.
superuser, deviceadmin
Description
After importing API keys to the WF-500 appliance, you must use the load command to make the keys available
for use. Use this command to replace all existing API keys, or you can merge the keys in the import file with the
existing key database.
Syntax
load {
wildfire {
api-key from <value> mode [merge | replace];
}
}
Options
* from Specify the API key filename that you want to import. The key files use the
.keys file extension. For example, my-api-keys.keys. To view a list of keys that are
available for import, enter the following command:
admin@WF-500> load wildfire api-key from ?
+ mode Optionally enter the mode for the import (merge/replace). For example, to
replace the key database on the appliance with the contents of the new key file, enter the
following command:
admin@WF-500> load wildfire api-key mode replace from my-api-keys.keys
If you do not specify the mode option, the default action is to merge the keys.
superuser, deviceadmin
Description
Use this option to manage the RAID pairs installed in the WildFire appliance. The WF-500 appliance ships with
four drives in the first four drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and
B2 are a second RAID 1 pair.
Hierarchy Location
request system
Syntax
raid {
remove <value>;
OR...
copy {
from <value>;
to <value>;
}
OR...
add {
Options
> add Add a drive to the corresponding RAID disk pair
> copy Copy and migrate from one drive to the other drive in the bay
> remove Drive to remove from the RAID disk pair
Sample Output
The following output shows a WildFire WF-500 appliance with a correctly configured RAID.
admin@WF-500> show system raid
superuser, deviceadmin
Perform upgrades on the WF-500 appliance virtual machine (VM) sandbox images used to analyze files. To
retrieve new VM images from the Palo Alto Networks Update Server, you must first download the image
manually, host it on an SCP enabled server, and then retrieve the image from the appliance using the SCP client.
After downloading the image to the appliance, you can then install it using this command.
Hierarchy Location
request system
Syntax
request {
system {
wildfire-vm-image {
upgrade install file <value>;
}
}
}
Options
Sample Output
To install a VM image (Windows 7 64-bit in this example), run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install WFWin7_64Base_m-1.0.0_64base
superuser, deviceadmin
request wf-content
Perform content updates on a WF-500 appliance. These content updates equip the appliance with the most
up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate
the malicious from the benign. To schedule content updates to install automatically, see set deviceconfig system
update-schedule and to delete content updates on the WF-500, see delete wildfire-metadata.
Hierarchy Location
request
Syntax
request wf-content
{
downgrade install {previous | <value>};
upgrade
{
check
download latest
info
install {
file <filename>
version latest;
}
}
}
Options
> downgrade Installs a previous content version. Use the previous option to install
the previously installed content package or enter a value to downgrade to a specific
content package number.
> upgrade Performs content upgrade functions
> check Obtain information on available content packages from the Palo Alto Networks
Update Server
> download Download a content package
> info Show information about available content packages
> install Install a content package
> file Specify the name of the file containing the content package
> version Download or upgrade based on the version number of the content package
Sample Output
superuser, deviceadmin
Description
Use the save command to save all API keys on the WF-500 appliance to a file. You can then export the key file
for backup purposes or to modify the keys in bulk. For details on using the WildFire API on a WF-500
appliance, see About WildFire Subscriptions and API Keys.
Hierarchy Location
save
Syntax
save {
wildfire {
api-key to <value>;
}
}
Options
* to Enter the filename for key export. For example, to export all of the API keys on
the WF-500 to a file named my-wf-keys, enter the following command:
admin@WF-500> save wildfire api-key to my-wf-keys
superuser, deviceadmin
Description
Sets the portal admin account password that an administrator will use to view WildFire analysis reports
generated by a WF-500 appliance. The account name (admin) and password are required when viewing the report
on the firewall or from Panorama in Monitor > WildFire Submissions > View WildFire Report. The default
username and password are admin/admin.
The portal admin account is the only account that you configure on the appliance to view reports
from the firewall or Panorama. You cannot create new accounts or change the account name.
This is not the same admin account used to manage the appliance.
Hierarchy Location
set wildfire
Syntax
set {
wildfire {
portal-admin {
password <value>;
}
}
}
Sample Output
superuser, deviceadmin
Description
Show the RAID configuration of the appliance. The WF-500 appliance ships with four drives in the first four
drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and B2 are a second RAID 1 pair.
Hierarchy Location
show system
Syntax
raid {
detail;
}
Options
No additional options.
Sample Output
superuser, superreader
show wildfire
Description
Shows various information about the WildFire appliance, such as available API keys, registration information,
activity, recent samples that the appliance analyzed, and the virtual machine that is selected to perform analysis.
Hierarchy Location
show wildfire
Syntax
api-keys {
all {
details;
}
key <value>;
}
last-device-registration all;
latest {
analysis {
filter malicious|benign;
sort-by SHA256|Submit Time|Start Time|Finish Time|Malicious|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
OR...
samples {
filter malicious|benign;
sort-by SHA256|Create Time|File Name|File Type|File Size|Malicious|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
OR...
sessions {
filter malicious|benign;
sort-by SHA256|Create Time|Src IP|Src Port|Dst Ip|Dst Port|File|Device ID|App|Malicious|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
OR...
uploads {
sort-by SHA256|Create Time|Finish Time|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
}
sample-status {
sha256 {
equal <value>;
}
}
statistics days <1-31>;
status;
vm-images;
Options
Sample Output
Sample information:
+---------------------+---------------------------------------------------------------+------------------+-----------+-----------+-------------------+
| Create Time         | File Name                                                     | File Type        | File Size | Malicious | Status            |
+---------------------+---------------------------------------------------------------+------------------+-----------+-----------+-------------------+
| 2014-08-04 11:49:41 | 25047801_20130919175646000_970x66_Adobe_Marketing_RM_AUTO.swf | Adobe Flash File | 64502     | No        | analysis complete |
+---------------------+---------------------------------------------------------------+------------------+-----------+-----------+-------------------+
Session information:
+---------------------+---------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
| Create Time         | Src IP        | Src Port | Dst IP       | Dst Port | File                                                          | Device ID    | App   | Malicious | Status    |
+---------------------+---------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
| 2014-08-04 11:49:41 | 10.10.10.50   | 80       | 192.168.2.10 | 64108    | 25047801_20130919175646000_970x66_Adobe_Marketing_RM_AUTO.swf | 001606000114 | flash | No        | completed |
+---------------------+---------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
Analysis information:
+---------------------+---------------------+---------------------+-----------+-----------------------------------------------------------+-----------+
| Submit Time         | Start Time          | Finish Time         | Malicious | VM Image                                                  | Status    |
+---------------------+---------------------+---------------------+-----------+-----------------------------------------------------------+-----------+
| 2014-08-04 11:49:41 | 2014-08-04 11:49:41 | 2014-08-04 11:56:52 | No        | Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010 | completed |
+---------------------+---------------------+---------------------+-----------+-----------------------------------------------------------+-----------+
Connection info:
Wildfire cloud: s1.wildfire.paloaltonetworks.com
Status: Idle
Submit sample: disabled
Submit report: disabled
Selected VM: vm-5
VM internet connection: disabled
superuser, superreader
Description
Performs a test to check the registration status of a WildFire appliance or Palo Alto Networks firewall to a
WildFire server. If the test is successful, the IP address or server name of the WildFire server is displayed. A
successful registration is required before a WildFire appliance or firewall can forward files to the WildFire server.
Syntax
test {
wildfire {
registration;
}
}
Options
No additional options.
Sample Output
The following shows successful output on a firewall that can communicate with a WildFire appliance. If this
is a WildFire appliance pointing to the Palo Alto Networks WildFire cloud, the server name of one of the cloud
servers is displayed in the select the best server field.
Test wildfire
wildfire registration: successful
download server list: successful
select the best server: ca-s1.wildfire.paloaltonetworks.com
superuser, superreader