
Palo Alto Networks

WildFire Administrators Guide


Version 6.1
Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/

About this Guide

This guide describes the administrative tasks required to use and maintain the Palo Alto Networks WildFire feature.
Topics covered include licensing information, configuring firewalls to forward files for inspection, viewing reports, and
how to configure and manage the WF-500 WildFire appliance.
Refer to the following sources for more information:

- For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.
- For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
- For contacting support, for information on the support programs, or to manage your account or devices, refer to https://support.paloaltonetworks.com.
- For the latest release notes, go to the software downloads page at https://support.paloaltonetworks.com/Updates/SoftwareUpdates.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks


www.paloaltonetworks.com
© 2007-2015 Palo Alto Networks. All rights reserved.
Palo Alto Networks and PAN-OS are registered trademarks of Palo Alto Networks, Inc.
Revision Date: February 23, 2015

Table of Contents

WildFire Overview (page 1)
    About WildFire (page 2)
    WildFire Concepts (page 5)
        File/Email Link Forwarding (page 5)
        Supported File Types (page 5)
        WildFire Virtual Sandboxes (page 6)
        WildFire Signatures (page 6)
        WildFire Email Link Analysis (page 7)
        WildFire Alerts (page 8)
        WildFire Logging and Reporting (page 8)
        Malware Test Samples (page 10)
    WildFire Deployments (page 12)
    WildFire Subscription Requirements (page 14)
    Best Practices for Keeping Signatures up to Date (page 16)
    Reference: Firewall File Forwarding Capacity by Platform (page 17)

WF-500 Appliance File Analysis (page 19)
    About the WF-500 Appliance (page 20)
    Configure the WF-500 Appliance (page 21)
        Prerequisites for Configuring the WF-500 Appliance (page 21)
        Integrate the WF-500 Appliance into a Network (page 22)
        Verify the WF-500 Appliance Configuration (page 26)
    Set Up the VM Interface on the WF-500 Appliance (page 29)
        Virtual Machine Interface Overview (page 29)
        Configure the VM Interface on the WF-500 Appliance (page 30)
        Configure the Firewall to Control Traffic for the WF-500 VM Interface (page 32)
    Manage Content Updates on the WF-500 Appliance (page 34)
        Install Content Updates Directly from the Update Server (page 34)
        Install Content Updates from an SCP-Enabled Server (page 36)
    Forward Files to a WF-500 Appliance (page 37)
        Configure a Firewall to Forward Samples to a WF-500 Appliance (page 37)
        Verify Forwarding to a WF-500 Appliance (page 41)
    Signature/URL Generation on a WF-500 Appliance (page 46)
        Enable Signature/URL Generation on the WF-500 Appliance (page 46)
        Configure the Firewall to Retrieve Updates from a WF-500 Appliance (page 47)
    Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support (page 49)

WildFire Cloud File Analysis (page 53)
    Forward Samples to the WildFire Cloud (page 54)
    Verify Forwarding to the WildFire Cloud (page 58)
    Upload Files using the WildFire Cloud Portal (page 63)

WildFire Reporting (page 65)
    WildFire Logs (page 66)
    Enable Email Header Information in WildFire Logs (page 68)
    Monitor Submissions Using the WildFire Portal (page 70)
    Customize WildFire Portal Settings (page 71)
    Add WildFire Portal User Accounts (page 72)
    View WildFire Reports (page 73)
    WildFire Report Contents (page 74)
    Set Up Alerts for Detected Malware (page 79)
    WildFire in Action (page 82)

WildFire API (page 87)
    About WildFire Subscriptions and API Keys (page 88)
    Use the WildFire API (page 89)
    WildFire API File Submission Methods (page 90)
        Submit a File to the WildFire Cloud Using the Submit File Method (page 90)
        Submit a File to WildFire Using the Submit URL Method (page 90)
    Query for a WildFire PDF or XML Report (page 92)
    Use the API to Retrieve a Sample Malware Test File (page 93)
        Use the API to Retrieve a Sample File or PCAP (page 93)
    Use the WildFire API on a WF-500 Appliance (page 96)
        Generate API Keys on the WildFire Appliance (page 96)
        Manage API Keys on the WildFire Appliance (page 97)
        Use the WildFire API on a WildFire Appliance (page 98)

WildFire Appliance Software CLI Reference (page 101)
    WildFire Appliance Software CLI Concepts (page 102)
        WildFire Appliance Software CLI Structure (page 102)
        WildFire Appliance Software CLI Command Conventions (page 102)
        WildFire Appliance CLI Command Messages (page 103)
        Command Option Symbols (page 103)
        Privilege Levels (page 105)
    WildFire CLI Command Modes (page 106)
        Configuration Mode (page 106)
        Operational Mode (page 110)
    Access the CLI (page 111)
        Establish a Direct Console Connection (page 111)
        Establish an SSH Connection (page 111)
    Use the CLI (page 112)
        Access Operational and Configuration Modes (page 112)
        Display WildFire Appliance Software CLI Command Options (page 112)
        Restrict Command Output (page 113)
        Set the Output Format for Configuration Commands (page 114)
    Configuration Mode Command Reference (page 115)
        set deviceconfig setting wildfire (page 115)
        set deviceconfig system update-schedule (page 117)
        set deviceconfig system vm-interface (page 118)
    Operational Mode Command Reference (page 120)
        create wildfire api-key (page 120)
        delete wildfire api-key (page 121)
        delete wildfire-metadata (page 122)
        edit wildfire api-key (page 123)
        load wildfire api-key (page 124)
        request system raid (page 125)
        request system wildfire-vm-image (page 126)
        request wf-content (page 127)
        save wildfire api-key (page 128)
        set wildfire portal-admin (page 129)
        show system raid (page 130)
        show wildfire (page 131)
        test wildfire registration (page 135)

WildFire Overview
WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing,
signature-based detection, and blocking of malware. WildFire extends the capabilities of Palo Alto Networks
next-generation firewalls to identify and block targeted and unknown malware.
The following topics describe WildFire and how to integrate it into your environment:
- About WildFire
- WildFire Concepts
- WildFire Deployments
- WildFire Subscription Requirements
- Best Practices for Keeping Signatures up to Date
- Reference: Firewall File Forwarding Capacity by Platform


About WildFire
Modern malware is at the heart of many of today's most sophisticated network attacks and is increasingly
customized to avoid traditional security solutions. Palo Alto Networks has developed an integrated approach
that addresses the full malware life cycle, which includes preventing infections, identifying zero-day malware
(undiscovered malware), or targeted malware (malware targeting a specific industry or corporation), as well as
pinpointing and disrupting active infections.
The Palo Alto Networks WildFire engine exposes zero-day and targeted malware through direct observation in
a virtual environment within the WildFire system. The WildFire feature also makes extensive use of the Palo
Alto Networks App-ID technology by identifying file transfers within all applications, not just email
attachments or browser-based file downloads.
For information on the Palo Alto Networks WildFire privacy policy, refer to
https://live.paloaltonetworks.com/docs/DOC-2880.
Figure: High-Level WildFire Decision Workflow illustrates the basic WildFire workflow. Figure: Detailed
WildFire Decision Flow describes the entire WildFire lifecycle, from the time a user downloads a malicious file
to the point where WildFire generates a signature to be used by Palo Alto Networks firewalls to protect against
future exposure to the malware.

The High-Level WildFire Decision Workflow describes the workflow for a file download. The
analysis of an HTTP/HTTPS link contained in an email is very similar, but there are minor
differences. For details on email link analysis, see WildFire Email Link Analysis.


Figure: High-Level WildFire Decision Workflow


Figure: Detailed WildFire Decision Flow


WildFire Concepts
- File/Email Link Forwarding
- Supported File Types
- WildFire Virtual Sandboxes
- WildFire Signatures
- WildFire Email Link Analysis
- WildFire Alerts
- WildFire Logging and Reporting
- Malware Test Samples

File/Email Link Forwarding

With the integrated solution between WildFire and Palo Alto Networks firewalls, you configure the firewall with
a file blocking profile and attach it to a security policy rule that instructs the firewall to automatically forward
samples to the WildFire system for threat analysis. The samples can be specific file types or HTTP/HTTPS links
contained in SMTP or POP3 messages. If a user downloads a file sample over a session that matches the security
rule, the firewall performs a file hash check with WildFire to determine if WildFire has previously analyzed the
sample. If the file is new, it is forwarded for analysis, even if it is contained within a ZIP file or over compressed
HTTP. In the case of an email link, the firewall will extract HTTP/HTTPS links from SMTP and POP3 email
messages that match the forwarding policy and will forward the link to WildFire (see WildFire Email Link
Analysis). You can also configure the firewall to forward files inside of encrypted SSL sessions if SSL decryption
is enabled.
For information on configuring forwarding, see Forward Files to a WF-500 Appliance or Forward Samples to
the WildFire Cloud.

Supported File Types

WildFire can analyze the following file types:

- Email-link: HTTP/HTTPS email links contained in SMTP and POP3 email messages. Note that the
  firewall only extracts links and associated session information (sender, recipient, and subject) from the email
  messages that traverse the firewall; it does not receive, store, forward, or view the email message. The
  WF-500 appliance does not support email link analysis.
- Flash: Adobe Flash applets and Flash content embedded in web pages.
- APK: Android Application Package. Not supported on the WF-500 appliance.
- PDF: Portable Document Format.
- JAR: Java Applet (JAR/Class file types). The WF-500 appliance will analyze Java content, but will not
  generate signatures for malicious samples. You must download the sample from the WildFire Submissions
  log and upload it to the WildFire cloud for signature generation.
- PE: Portable Executable, which includes executable files, object code, DLLs, FON (fonts), and others.
- MS-Office: Microsoft Office files including documents (doc, docx, rtf), workbooks (xls, xlsx), and
  PowerPoint (ppt, pptx). As of content update 450, WildFire can generate antivirus signatures for Office
  Open XML (OOXML) 2007+ documents that it determines to be malicious and delivers the signatures
  through WildFire and antivirus updates, enabling the firewall to alert on or block malicious content in these
  types of files.

A WildFire subscription is not required on the firewall to forward PE file types to WildFire for
analysis, but is required to analyze all other supported file types.
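The hash check, ZIP unpacking and subscription rules described in the two sections above, modelled as an added Python example (not code from this guide or from Palo Alto Networks): a blob is classified by a simplified, constructed magic-number table, hashed with SHA-256, checked against a constructed table of verdicts WildFire already knows, unpacked if it is a plain ZIP container, and forwarded only when it is new and (for non-PE types) a WildFire subscription is present. The type detection here is a deliberate simplification, not the firewall's classifier.

```python
import hashlib
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Magic-number table for the file types the guide lists. Constructed for this
# example and deliberately simplified; it is not how the firewall classifies files.
MAGIC = {
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"FWS": "flash",
    b"CWS": "flash",
    b"ZWS": "flash",
}
ZIP_MAGIC = b"PK\x03\x04"


def identify(data: bytes) -> Optional[str]:
    """Return the WildFire file type for a blob, 'zip' for a plain container,
    or None when the type is not one the guide lists."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if not data.startswith(ZIP_MAGIC):
        return None
    # APK, JAR and OOXML Office files are all ZIP containers; tell them apart
    # by the members they must contain.
    try:
        names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
    except zipfile.BadZipFile:
        return None
    if "AndroidManifest.xml" in names:
        return "apk"
    if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
        return "jar"
    if "[Content_Types].xml" in names:
        return "ms-office"
    return "zip"


class ForwardingDecider:
    """Models the firewall-side decision from the guide: hash the sample, ask
    whether WildFire already analyzed it, forward only new samples, look inside
    plain ZIP containers, and forward non-PE types only with a subscription."""

    def __init__(self, known_verdicts: Dict[str, str], has_subscription: bool):
        self.known = dict(known_verdicts)        # sha256 -> "malware" / "benign"
        self.has_subscription = has_subscription

    def decide(self, data: bytes) -> List[Tuple[str, str]]:
        kind = identify(data)
        if kind == "zip":
            # A new file is forwarded even inside a ZIP: unpack and decide per
            # member (nested ZIPs recurse naturally).
            results = []
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    results.extend(self.decide(zf.read(name)))
            return results
        sha256 = hashlib.sha256(data).hexdigest()
        if kind is None:
            return [(sha256, "ignored:unsupported-type")]
        if kind != "pe" and not self.has_subscription:
            return [(sha256, "ignored:subscription-required")]
        if sha256 in self.known:
            return [(sha256, "hash-hit:" + self.known[sha256])]
        self.known[sha256] = "pending"           # WildFire now knows this hash
        return [(sha256, "forwarded:" + kind)]


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample data: a fake PE stub, a fake PDF, and an OOXML-shaped ZIP.
FAKE_PE = b"MZ" + b"\x90" * 62
FAKE_PDF = b"%PDF-1.4\n%constructed sample\n"
FAKE_DOCX = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})


def demo(has_subscription: bool) -> List[Tuple[str, str]]:
    """Run one download sequence: a ZIP with three members, the same PE again,
    then an Office document. The PDF is pre-seeded as a known benign hash."""
    decider = ForwardingDecider({hashlib.sha256(FAKE_PDF).hexdigest(): "benign"}, has_subscription)
    archive = build_zip({"a.exe": FAKE_PE, "readme.txt": b"hello", "b.pdf": FAKE_PDF})
    out = decider.decide(archive)
    out += decider.decide(FAKE_PE)      # second download of the same PE: hash hit
    out += decider.decide(FAKE_DOCX)
    return out


if __name__ == "__main__":
    for sha256, action in demo(has_subscription=True):
        print(sha256[:16], action)
```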

WildFire Virtual Sandboxes

WildFire executes the suspect files it receives in a virtual environment and observes the behavior for signs of
malicious activities, such as changes to browser security settings, injection of code into other processes,
modification of files in the Windows system folder, or domains that the sample attempted to access. When the
WildFire engine completes the analysis, it generates a detailed forensics report that summarizes the observed
behaviors and assigns a verdict of malware or benign. Similarly, WildFire extracts HTTP/HTTPS links in
SMTP and POP3 email messages and visits the links to determine if the corresponding web page hosts any
exploits. If WildFire detects malicious behavior, it generates a report, submits the URL to PAN-DB, and
categorizes the URL as malware. Note that WildFire does not generate logs for benign email links.
WildFire includes sandbox support for the following operating system environments:

- Microsoft Windows XP 32-bit
- Microsoft Windows 7 32-bit
- Microsoft Windows 7 64-bit

WildFire Signatures

The key benefits of the Palo Alto Networks WildFire feature are that it can discover zero-day malware in web
traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic and can quickly generate
signatures to protect against future infections from the malware it discovers. WildFire automatically
generates a signature based on the malware payload of the sample and tests it for accuracy and safety. Because
malware evolves rapidly, the signatures that WildFire generates will address multiple variants of the malware. As
WildFire detects new malware, it generates new signatures within 15-30 minutes. Firewalls equipped with a
WildFire subscription can receive the new signatures within 15 minutes. If you do not have a WildFire
subscription, signatures are made available within 24-48 hours as part of the antivirus update for firewalls
equipped with a Threat Prevention subscription.

As soon as the firewall downloads and installs the new signature, any files that contain that malware (or a variant
of it) will automatically be dropped by the firewall. Information gathered by WildFire during the analysis of
malware is also used to fortify other Threat Prevention features, such as adding malware URLs to PAN-DB and
generating DNS, antivirus, and anti-spyware signatures. Palo Alto Networks also develops signatures
for command and control traffic, enabling immediate disruption of the communications of any malware inside
the network. For details on signatures and the benefits of having a WildFire subscription, see WildFire
Subscription Requirements.

WildFire Email Link Analysis

The firewall not only forwards files to WildFire for threat analysis, it can also extract HTTP/HTTPS links
contained in SMTP and POP3 email messages and forward the links to the WildFire cloud for analysis. This
feature is not supported on the WF-500 appliance. You enable this functionality by configuring the firewall to
forward the email-link file type. Note that the firewall only extracts links and associated session information
(sender, recipient, and subject) from the email messages that traverse the firewall; it does not receive, store,
forward, or view the email message.
After receiving an email link from a firewall, WildFire visits the link to determine if the corresponding web
page hosts any exploits. If WildFire determines that the page itself is benign, it will not generate a log. However,
if it detects malicious behavior on the page, it returns a malicious verdict and:

- Generates a detailed analysis report and logs it to the WildFire Submissions log on the firewall that
  forwarded the links. This log now includes the email header information (email sender, recipient, and
  subject) so that you can identify the message and delete it from the mail server and/or track down the
  recipient and mitigate the threat if the email has already been delivered and/or opened.
- Adds the URL to PAN-DB and categorizes the URL as malware.


Note that if the link corresponds to a file download, WildFire does not analyze the file. However, the firewall
will forward the corresponding file to WildFire for analysis if the end user clicks the link to download it, as long
as the corresponding file type is enabled for forwarding.
The firewall forwards email links in batches of 100 email links or every two minutes, whichever comes first. Each
batch upload to WildFire counts as one upload toward the per-minute upload capacity for the given firewall
platform (Reference: Firewall File Forwarding Capacity by Platform). To determine if the firewall is forwarding
email links, run the following command from the firewall that is configured to forward to WildFire:

    admin@PA-200> show wildfire statistics

View the file type: email-link counter section under Counters for file forwarding.
When email links are forwarded, the following counters will increment:
- FWD_CNT_APPENDED_BATCH: Indicates the number of email links added to a batch waiting
  for upload to WildFire.
- FWD_CNT_LOCAL_FILE: Indicates the total number of email links uploaded to WildFire.
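The batching rule and the two counters above, modelled as an added Python example (not code from this guide or from the firewall): links are uploaded when 100 are queued or two minutes after the first queued link, whichever comes first; each batch counts as one upload toward the per-minute capacity; and the backlog check (appended minus uploaded) is this model's own sanity test, not a documented limit.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BATCH_SIZE = 100          # links per batch, from the guide
BATCH_INTERVAL = 120.0    # seconds: "every two minutes, whichever comes first"


@dataclass
class EmailLinkBatcher:
    """Models the firewall's email-link batching and the two counters the guide
    names under 'show wildfire statistics'. Timestamps are seconds."""
    pending: List[str] = field(default_factory=list)
    batch_started: Optional[float] = None
    fwd_cnt_appended_batch: int = 0          # links added to a batch
    fwd_cnt_local_file: int = 0              # links actually uploaded
    uploads: List[Tuple[float, int]] = field(default_factory=list)  # (time, links)

    def add_link(self, url: str, now: float) -> None:
        self.tick(now)                       # the two-minute timer may fire first
        if not self.pending:
            self.batch_started = now
        self.pending.append(url)
        self.fwd_cnt_appended_batch += 1
        if len(self.pending) >= BATCH_SIZE:
            self._upload(now)

    def tick(self, now: float) -> None:
        """Fire the timer if the oldest pending link has waited two minutes."""
        if self.pending and now - self.batch_started >= BATCH_INTERVAL:
            self._upload(self.batch_started + BATCH_INTERVAL)

    def _upload(self, at: float) -> None:
        # One batch is one upload toward the platform's per-minute capacity.
        self.uploads.append((at, len(self.pending)))
        self.fwd_cnt_local_file += len(self.pending)
        self.pending.clear()
        self.batch_started = None

    def backlog(self) -> int:
        """Links appended but not yet uploaded. In this model it never exceeds
        one batch; a growing gap between the two counters on a real firewall
        would mean uploads are not completing (model assumption, not a
        documented threshold)."""
        return self.fwd_cnt_appended_batch - self.fwd_cnt_local_file

    def peak_uploads_per_minute(self) -> int:
        """Highest number of batch uploads that landed in any one minute."""
        per_minute: Dict[int, int] = {}
        for at, _ in self.uploads:
            minute = int(at // 60)
            per_minute[minute] = per_minute.get(minute, 0) + 1
        return max(per_minute.values(), default=0)


def simulate(link_count: int, spacing: float, final_time: float) -> EmailLinkBatcher:
    """Constructed scenario: link_count links arrive 'spacing' seconds apart,
    then the clock advances to final_time so the timer can drain the rest."""
    batcher = EmailLinkBatcher()
    for i in range(link_count):
        batcher.add_link(f"http://example.invalid/msg/{i}", i * spacing)
    batcher.tick(final_time)
    return batcher


if __name__ == "__main__":
    b = simulate(250, 0.25, 300.0)
    print("FWD_CNT_APPENDED_BATCH", b.fwd_cnt_appended_batch)
    print("FWD_CNT_LOCAL_FILE    ", b.fwd_cnt_local_file)
    print("uploads (time, links) ", b.uploads)
    print("peak uploads/minute   ", b.peak_uploads_per_minute())
```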
To ensure that you gain the full benefits of this feature, confirm the following on each firewall that will forward
samples to WildFire:
- A valid WildFire subscription is installed.
- WildFire content updates are configured to download and install frequently (every 15 minutes at
  minimum).
- PAN-DB is the active URL filtering vendor.

WildFire Alerts

The firewall can provide instant notification whenever it detects malware on your network by sending email
alerts, syslog, or SNMP traps. This enables you to quickly identify the user who downloaded the malware and
eradicate it before it causes extensive damage or propagates to other users. In addition, every signature that
WildFire generates is automatically propagated to all Palo Alto Networks firewalls protected with a Threat
Prevention and/or WildFire subscription, which provides automatic protection from malware discovered on
networks all over the world.

WildFire Logging and Reporting

For each sample that WildFire analyzes, WildFire generates a detailed behavioral report within minutes of the
sample submission. These reports are available in the WildFire Submissions log on the firewall, from the
WildFire portal, or through WildFire API queries. The reports show detailed behavioral information about the
sample, information on the targeted user, the application that delivered the file, and all URLs involved in the
delivery or phone-home activity of the file. For details on how to access the reports and descriptions of the
report fields, see View WildFire Reports.
The following screen capture shows part of a sample report for a file analysis, followed by a screen capture of
an email link analysis report.


Malware Test Samples

Palo Alto Networks provides a malware test file that you can use to test a WildFire configuration. Before
downloading the file to test your configuration, make sure you configure your firewall based on the procedures
described in Forward Files to a WF-500 Appliance or Forward Samples to the WildFire Cloud.
The following lists information about the test file:

- Each time you access the test URL, the server generates a unique file named wildfire-test-pe-file.exe and
  initiates a download. Each test file also has a unique SHA-256 hash value.
- The verdict of the file will always be malicious.
- Although WildFire will generate a signature for the test file, the signature is disabled and will not be
  distributed to the Palo Alto Networks update server. If signature generation is enabled on a WF-500
  appliance, it will not generate a signature for the test file.

To access the malware test file, copy the following link and paste it into a browser:
http://wildfire.paloaltonetworks.com/publicapi/test/pe.
If you have enabled decryption on the firewall, you can access the encrypted version of the site by replacing
HTTP with HTTPS.
After downloading the file, check the Data Filtering log on the firewall to see if the file was forwarded and, after
about five minutes, look for the results in the WildFire Submissions log. For information on verifying your
WildFire configuration, see Verify Forwarding to a WF-500 Appliance and Verify Forwarding to the WildFire
Cloud.


For WildFire API testing, see Use the API to Retrieve a Sample Malware Test File.


WildFire Deployments
Palo Alto Networks next-generation firewalls support the following WildFire deployments:

- WildFire Cloud: In this deployment, a Palo Alto Networks firewall forwards files to the hosted WildFire
  environment that Palo Alto Networks owns and maintains. As WildFire detects new malware, it generates
  new signatures within 15-30 minutes. Firewalls equipped with a WildFire subscription can receive the new
  signatures within 15 minutes; firewalls with only a Threat Prevention subscription will receive the new
  signatures in the next antivirus signature update within 24-48 hours.
  The available WildFire cloud servers are wildfire-public-cloud for the WildFire cloud server hosted in the
  United States and wildfire.paloaltonetworks.jp for the WildFire cloud hosted in Japan. You may want your
  firewalls to use the Japan server if you do not want benign files forwarded to the U.S. cloud servers. If a file
  is sent to the Japan cloud and WildFire determines it is malicious, the Japan cloud forwards it to the U.S. cloud
  servers where WildFire analyzes it again to confirm that it is malicious. If your firewalls are located in the Japan
  region, you will see faster response time for sample submissions and report generation.

- WildFire Appliance: In this deployment, you install a WF-500 appliance on your corporate network and
  configure your Palo Alto Networks firewalls to forward files to the appliance instead of to the Palo Alto
  Networks WildFire cloud (the default). This deployment prevents the firewall from having to send any files
  outside of your network for analysis. By default, the appliance will not send any files out of your network
  unless you explicitly enable the cloud intelligence submit-sample feature. This feature enables the appliance
  to forward malware it detects to the Palo Alto Networks WildFire cloud where the files are analyzed and
  signatures are generated for malicious samples. The update servers then provide these signatures to all Palo
  Alto Networks firewalls with a Threat Prevention and/or WildFire subscription. The appliance can also be
  configured to generate signatures locally based on samples sent to it from your connected firewalls or by
  submitting samples using the WildFire XML API. For more information, see Signature/URL Generation on
  a WF-500 Appliance. A single WildFire appliance can receive and analyze files from up to 100 Palo Alto
  Networks firewalls.
The main differences between the WildFire cloud and WildFire appliance deployments are as follows:

The WildFire appliance enables local sandboxing of malware so that benign files never leave your network.
By default, the WildFire appliance does not forward any files to the WildFire cloud, but you can configure
the cloud intelligence option on the appliance to forward malicious samples, or reports on malicious samples,
to Palo Alto Networks. If you do not want the appliance to send malware samples to Palo Alto Networks, it
is recommended that you at least configure the appliance to send malware reports. The reports help Palo
Alto Networks gather statistical information about malware, to better understand how prevalent
the malware is and to gain insight into how it propagates.

The WF-500 appliance does not have a WildFire Portal, but you can configure cloud intelligence on the
appliance to automatically submit files to the WildFire cloud. You can also download samples from the
WildFire reports and then upload them to the portal, or use the WildFire XML API to submit files to the
cloud. After manually uploading files to the portal, the samples will appear on the portal as a manual upload
(see Upload Files using the WildFire Cloud Portal). For samples forwarded by a Palo Alto Networks firewall
to a WF-500 appliance or to the WildFire cloud, the reports are always available in the WildFire Submissions
log on the firewall.

Multiple virtual machines run on the WildFire cloud to represent a variety of operating systems and
applications used when running sample files. On the WF-500 appliance, multiple virtual machines are
available, but only one can be active for file analysis. Before selecting the virtual machine to use, review the
attributes of the available virtual machines and select one that best matches your environment. Although you
configure the WF-500 appliance to use one virtual machine image configuration, the appliance uses multiple
instances of the image to perform file analyses in order to improve performance. For information on viewing
and selecting the virtual machine, see Integrate the WF-500 Appliance into a Network.


WildFire Subscription Requirements


WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing
and signature-based detection and blocking of malware. No subscription is required to use WildFire for
sandboxing files sent from Palo Alto Networks firewalls to the WildFire cloud.
For the firewall to perform detection and blocking of known malware discovered by WildFire, the firewall
requires a Threat Prevention and/or WildFire subscription. The Threat Prevention subscription enables the
firewall to receive daily antivirus signature updates, which provide coverage for all malware samples that
WildFire discovers globally. The Threat Prevention subscription also provides access to weekly content updates
that include new vulnerability protection and anti-spyware signatures.
To enable a WF-500 appliance for local analysis, you only need to install a support license. This enables the
appliance to communicate with the Palo Alto Networks update server to download the operating system images
and daily content updates. The content updates support signature generation on the local WF-500
appliance and equip the appliance with the most up-to-date threat information for accurate malware detection,
improving its ability to differentiate the malicious from the benign.
To receive the full benefits of the WildFire service, each firewall must have a WildFire subscription, which
provides the following:

WildFire Dynamic Updates: Provide new malware signatures on a sub-hourly basis, configurable
through Device > Dynamic Updates. Within 15-30 minutes after WildFire identifies a malicious sample,
WildFire generates a new malware signature and distributes it through the WildFire dynamic updates, which
the firewall can poll every 15, 30, or 60 minutes. You can configure the firewall to take specific actions on
malware signatures separate from the regular antivirus signature actions in the antivirus profile. The WildFire
signatures delivered in the dynamic update include signatures generated for malware detected in files
submitted to WildFire by all Palo Alto Networks WildFire customers, not just the file samples that your
firewalls send to WildFire.

It takes approximately 15 to 30 minutes for WildFire to generate a signature and make it available
for subscribers after discovering malware. Firewalls equipped with a WildFire subscription can
poll for new malware signatures every 15, 30, or 60 minutes. If, for example, the firewall is set to
poll for WildFire signature updates every 30 minutes, it might not receive a signature for a file it
uploaded until the second polling interval after the malware was discovered because of the time
required to generate the signature. If the firewall only has a Threat Prevention subscription, it will
receive signatures generated by WildFire after they are rolled into the antivirus updates, which
occurs approximately every 24-48 hours.
If your firewalls are forwarding files to a WF-500 appliance that has local signature generation
enabled, the appliance can generate signatures within approximately five minutes and you can
configure the firewall to retrieve these signatures every five minutes.

WildFire Advanced File Type Support: In addition to Portable Executable (PE) files, a subscription
allows the firewall to also forward the following advanced file types: APK (WildFire cloud only), Flash, PDF,
Microsoft Office, and JAR (Java Applet). In addition to these file types, you can also configure the firewall
to extract and forward email links contained in SMTP and POP3 email messages by forwarding the
email-link file type. Note that the firewall only extracts links and associated session information (sender,
recipient, and subject) from the email messages that traverse the firewall; it does not receive, store, forward,
or view the email message.


WildFire API: The WildFire subscription provides access to the WildFire API, which enables direct
programmatic access to the WildFire service on the Palo Alto Networks WildFire cloud or a WildFire
appliance. You can use the WildFire API to submit files and to retrieve reports for the submitted files. The
WildFire API supports up to 1,000 file submissions per day and up to 10,000 queries per day.

WildFire WF-500 Appliance: Only firewalls with a valid WildFire subscription can forward files to a
WF-500 appliance for analysis. Firewalls that only have a Threat Prevention subscription installed can
forward files to the WildFire cloud, but not to a WF-500 appliance.


Best Practices for Keeping Signatures up to Date


This section describes the best practices for keeping a firewall with Threat Prevention and WildFire
subscriptions up-to-date with the latest protection. For a streamlined workflow, use Panorama to push dynamic
update schedules to managed firewalls using Panorama templates. This ensures consistency across all firewalls
and simplifies management of update schedules.
These guidelines provide two schedule options: the minimum recommended schedule and a more aggressive
schedule. Choosing the more aggressive approach causes the device to perform downloads/installs much more
frequently, some of which can be very large (over 100MB for antivirus updates). Also, in rare instances, there
could be errors in signature updates. Therefore, consider delaying new update installations until a certain
number of hours has passed. Use the Threshold (Hours) field to specify how long after a release to wait before
performing a content update.
Antivirus: New antivirus content updates are released by Palo Alto Networks on a daily basis. To get the
latest content, schedule these updates daily at minimum. For a more aggressive schedule, schedule them
hourly.
Applications and Threats: New App-ID, vulnerability protection, and anti-spyware signatures are
released by Palo Alto Networks as weekly content updates (normally on Tuesdays). To receive the latest
content, schedule the updates at least weekly. For a more aggressive schedule to ensure that the firewall
receives the latest content soon after the release (including occasional off-schedule emergency content
releases), schedule the firewall to download/install daily.
WildFire: New WildFire antivirus signatures are published every 15 minutes. Depending on when
WildFire discovers new malware within the release cycle, coverage is provided in the form of a WildFire
signature 15-30 minutes after it is discovered. To get the latest WildFire signatures, schedule these updates
every hour or half-hour. For a more aggressive schedule, configure the firewall to check for updates every
15 minutes.
WF-Private: If signature/URL generation (antivirus signatures, DNS signatures, and URL entries for
PAN-DB) is configured on a WF-500, you configure the firewall to download/install the updates using the
WF-Private dynamic update. After the appliance receives a malicious sample, it will generate a signature
within five minutes in most cases. When configuring the firewall to retrieve these updates, set the schedule
to download and install every hour or half-hour. For a more aggressive schedule (recommended),
configure the firewall to download and install the updates every 5 minutes. If you configure your firewalls
to retrieve WF-Private updates, it is highly recommended that the firewalls also download content updates
from Palo Alto Networks (Antivirus, Applications/Threats, and WildFire) to ensure that firewalls have the
latest protection. This is important because when the local storage for WF-Private updates on
the appliance is full, new signatures/URL categorizations overwrite existing ones, beginning with the
oldest. For details on local signature generation, see Signature/URL Generation on a WF-500
Appliance.


Reference: Firewall File Forwarding Capacity by Platform


This section describes the maximum rate per minute at which each Palo Alto Networks firewall platform can
submit files to the WildFire cloud or a WF-500 appliance for analysis. If the per-minute limit is reached, the
firewall queues the samples.
The Reserved Drive Space column in the following table lists the amount of drive space on the firewall that is
reserved for queuing files. If the limit is reached, the firewall cancels forwarding of new files to WildFire until
more space in the queue is available.

The speed at which the firewall can forward files to WildFire also depends on the bandwidth of
the upload link to the WildFire systems.

Platform          Maximum Files Per Minute    Reserved Drive Space
VM-100            5                           100MB
VM-200            10                          200MB
VM-300            20                          200MB
PA-200            5                           100MB
PA-500            10                          200MB
PA-2000 Series    20                          200MB
PA-3020           50                          200MB
PA-3050           50                          500MB
PA-3060           50                          500MB
PA-4020           20                          200MB
PA-4050/4060      50                          500MB
PA-5020/5050      50                          500MB
PA-5060           100                         500MB
PA-7050           100                         1GB



WF-500 Appliance File Analysis
This topic describes the WF-500 appliance and how to configure and manage the appliance to prepare it to
receive files for analysis. In addition, this topic provides steps for configuring a Palo Alto Networks firewall to
forward files to a WildFire appliance for file analysis and also describes how to configure the appliance to
provide local signature generation to avoid having to send samples to the WildFire cloud. You can also use the
WildFire API to submit and retrieve content from a WF-500 appliance.
About the WF-500 Appliance
Configure the WF-500 Appliance
Set Up the VM Interface on the WF-500 Appliance
Manage Content Updates on the WF-500 Appliance
Forward Files to a WF-500 Appliance
Signature/URL Generation on a WF-500 Appliance
Configure the Firewall to Retrieve Updates from a WF-500 Appliance
Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support


About the WF-500 Appliance


The WF-500 appliance provides an on-premises WildFire private cloud, enabling you to analyze suspicious files
in a sandbox environment without requiring the firewall to send files outside of the network. To use a WF-500
appliance in place of the WildFire cloud, configure the WildFire server setting on the firewall to point to your
WF-500 appliance rather than to the WildFire public cloud server. The WF-500 appliance sandboxes all files
locally and analyzes them for malicious behaviors using the same engine used by the WildFire cloud system.
Within minutes, the appliance returns the results of the analysis to the firewall in the WildFire Submissions
logs.
By default, the WF-500 appliance does not send any files to the Palo Alto Networks WildFire cloud for signature
generation. However, you can configure the appliance to generate signatures locally and the connected firewalls
can retrieve the updates directly from the appliance. For information on configuring local signature generation
and to learn about the types of content updates that the appliance can provide, see Signature/URL Generation
on a WF-500 Appliance.
The WF-500 appliance has an automatic submission feature (cloud-intelligence) that enables it to send only
confirmed malware to the public cloud for signature generation. You can also configure this feature to send only
reports on malware, which helps Palo Alto Networks gather statistics on malware. It is recommended that
you configure the appliance to send malware samples to the WildFire cloud, so that signatures are generated and
distributed to all customers. If you do not want to automatically send all detected malware to the WildFire cloud,
you can manually download the malware from the WildFire Analysis Report tab and manually upload it to the
WildFire Portal.
You can configure up to 100 Palo Alto Networks firewalls to forward to a single WildFire appliance. Each
firewall must have a valid WildFire subscription to forward files to a WildFire appliance.
The WildFire appliance has two interfaces:

MGT: Receives all files forwarded from the firewalls and returns logs detailing the results back to the
firewalls. See Integrate the WF-500 Appliance into a Network.

Virtual Machine Interface (VM interface): Provides network access for the WildFire sandbox systems
to enable sample files to communicate with the Internet, which allows WildFire to better analyze the
behavior of the sample. When the VM interface is configured, WildFire can observe malicious behaviors that
the malware would not normally perform without network access, such as phone-home activity. However,
to prevent malware from entering your network from the sandbox, configure this interface on an isolated
network with an Internet connection. You can also enable the Tor option to hide the public IP address
used by your company from malicious sites that are accessed by the sample. For more information on the
VM interface, see Set Up the VM Interface on the WF-500 Appliance.


Configure the WF-500 Appliance


The following topics describe how to integrate a WildFire appliance into the network:
Prerequisites for Configuring the WF-500 Appliance
Integrate the WF-500 Appliance into a Network
Verify the WF-500 Appliance Configuration

Prerequisites for Configuring the WF-500 Appliance

Rack mount and cable the WF-500 appliance. Refer to the WF-500 WildFire Appliance Hardware
Reference Guide.
Obtain the information required to configure network connectivity on the MGT port and the virtual
machine interface from your network administrator (IP address, subnet mask, gateway, hostname, DNS
server). All communication between the firewalls and the appliance occurs over the MGT port, including
file submissions, WildFire log delivery, and appliance administration. Therefore, ensure that the firewalls
have connectivity to the MGT port on the appliance. In addition, the appliance must be able to connect to
the updates.paloaltonetworks.com site to retrieve its operating system software updates.
Have a computer ready with either a console cable or Ethernet cable to connect to the device for the initial
configuration.


Integrate the WF-500 Appliance into a Network

This section describes the steps required to install a WF-500 appliance on a network and perform basic setup.
Integrate the WF-500 Appliance into a Network

Step 1 Connect the management computer to the appliance using the MGT or Console port and power on the appliance.
1. Connect to the console port or the MGT port. Both are located on the back of the appliance.
   Console Port: This is a 9-pin male serial connector. Use the following settings on the console application: 9600-8-N-1. Connect the provided cable to the serial port on the management computer or USB-To-Serial converter.
   MGT Port: This is an Ethernet RJ-45 port. By default, the MGT port IP address is 192.168.1.1. The interface on your management computer must be on the same subnet as the MGT port. For example, set the IP address on the management computer to 192.168.1.5.
2. Power on the appliance.
   The appliance will power on as soon as you connect power to the first power supply and a warning beep will sound until you connect the second power supply. If the appliance is already plugged in and is in the shutdown state, use the power button on the front of the appliance to power on.

Step 2 Register the WildFire appliance.
1. Obtain the serial number from the S/N tag on the appliance, or run the following command and refer to the serial field:
   admin@WF-500> show system info
2. From a browser, navigate to the Palo Alto Networks Support site.
3. Register the device as follows:
   If this is the first Palo Alto Networks device that you are registering and you do not yet have a login, click Register on the right side of the page. To register, provide an email address and the serial number of the device. When prompted, set up a username and password for access to the Palo Alto Networks support community.
   For existing accounts, log in and then click My Devices. Scroll down to the Register Device section at the bottom of the screen and enter the serial number of the device, the city and postal code, and then click Register Device.


Step 3 Reset the admin password.
1. Log in to the appliance with an SSH client or by using the Console port. Enter a username/password of admin/admin.
2. Set a new password by running the command:
   admin@WF-500# set password
3. Type the old password, press enter and then enter and confirm the new password. There is no need to commit the configuration because this is an operational command.
4. Type exit to log out and then log back in to confirm that the new password is set.

Step 4 Set the IP information for the MGT interface and the hostname for the appliance. All firewalls that will send files to the WF-500 appliance will use the MGT port, so ensure that this interface is accessible from those firewalls.
This example uses the following values:
   IPv4 address - 10.10.0.5/22
   Subnet Mask - 255.255.252.0
   Default Gateway - 10.10.0.1
   Hostname - wildfire-corp1
   DNS Server - 10.0.0.246
1. Log in to the appliance with an SSH client or by using the Console port and enter configuration mode:
   admin@WF-500> configure
2. Set the IP information:
   admin@WF-500# set deviceconfig system ip-address 10.10.0.5 netmask 255.255.252.0 default-gateway 10.10.0.1 dns-setting servers primary 10.0.0.246
   Configure a secondary DNS server by replacing primary with secondary in the above command, excluding the other IP parameters. For example:
   admin@WF-500# set deviceconfig system dns-setting servers secondary 10.0.0.247
3. Set the hostname (wildfire-corp1 in this example):
   admin@WF-500# set deviceconfig system hostname wildfire-corp1
4. Commit the configuration to activate the new management (MGT) port configuration:
   admin@WF-500# commit
5. Connect the MGT interface port to a network switch.
6. Put the management PC back on your corporate network, or whatever network is required to access the appliance on the management network.
7. From your management computer, use an SSH client to connect to the new IP address or hostname assigned to the MGT port on the appliance. In this example, the IP address is 10.10.0.5.

Step 5 (Optional) Configure additional user accounts for managing the WildFire appliance. You can assign two role types: superuser and superreader. Superuser is equivalent to the admin account, and superreader only has read access.
In this example, you will create a superreader account for the user bsimpson:
1. Enter configuration mode:
   admin@WF-500> configure
2. Create the user account:
   admin@WF-500# set mgt-config users bsimpson <password>
3. Enter and confirm a new password.
4. Assign the superreader role:
   admin@WF-500# set mgt-config users bsimpson permissions role-based superreader yes


Step 6 (Optional) Configure RADIUS authentication for administrator access. The following steps summarize how to configure RADIUS on the appliance.
1. Create a RADIUS profile using the following options:
   admin@WF-500# set shared server-profile radius <profile-name>
   (Configure the RADIUS server and other attributes.)
2. Create an authentication profile:
   admin@WF-500# set shared authentication-profile <profile-name> method radius server-profile <server-profile-name>
3. Assign the profile to a local admin account:
   admin@WF-500# set mgt-config users <username> authentication-profile <authentication-profile-name>

Step 7 Activate the appliance with the WildFire authorization code that you received from Palo Alto Networks.
The WF-500 appliance will function without an auth-code, but it cannot retrieve software updates without a valid auth-code.
1. Change to operational mode:
   admin@WF-500# exit
2. Fetch and install the WildFire license:
   admin@WF-500> request license fetch auth-code <auth-code>
3. Verify the license:
   admin@WF-500> request support check
   Information about the support site and the support contract date is displayed. Confirm that the date displayed is valid.

Step 8 Set the current date/time and timezone.
1. Set the date and time:
   admin@WF-500> set clock date <YY/MM/DD> time <hh:mm:ss>
2. Enter configuration mode:
   admin@WF-500> configure
3. Set the local time zone:
   admin@WF-500# set deviceconfig system timezone <timezone>
   The time stamp that will appear on the WildFire detailed report will use the time zone set on the appliance. If administrators in various regions will view reports, consider setting the time zone to UTC.

Step 9 (Optional) Configure cloud intelligence to enable the WildFire appliance to forward files that contain malware to the Palo Alto Networks WildFire cloud. The WildFire cloud system will re-analyze the sample, will generate a signature if the sample is malware, and will add the signature to the WildFire signature updates. You can also choose to only submit WildFire reports on malware. In this case, Palo Alto Networks uses the reports for statistical purposes.
Cloud intelligence is disabled by default.
1. To enable cloud intelligence, run the command:
   admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
2. To only send WildFire reports for malware:
   admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
   If submit-sample is enabled, there is no need to enable submit-report because the WildFire cloud re-analyzes the sample and generates a new report. If the sample is malicious, the cloud will generate a signature.
3. Confirm the setting by running the following command and then refer to the Submit sample and Submit report fields:
   admin@WF-500> show wildfire status


Step 10 (Optional) Enable benign file logging on the firewall. This is a good way to confirm that the firewall is forwarding files to WildFire without having to download real malware. In this case, the Data Filtering log will contain information on the results of the WildFire analysis, even if the verdict is benign. To download sample malware for testing, see Malware Test Samples.
This option is disabled by default.
1. Select Device > Setup > WildFire and edit General Settings.
2. Select the Report Benign Files check box to enable and then click OK to save.
   You can run the following CLI command to enable benign logging:
   admin@WF-500# set deviceconfig setting wildfire report-benign-file yes

Step 11 Set a password for the portal admin account. This account is used when accessing WildFire reports from a firewall. The default username and password is admin/admin.
The portal admin account is the only account that can be used for viewing reports from the logs. Only the password can be changed for this account and additional accounts cannot be created for this purpose. This is not the same admin account used to manage the appliance. You can also use the WildFire API to retrieve logs, but in that case you use an API key generated on the WF-500 appliance. See Use the WildFire API on a WF-500 Appliance.
1. To change the WildFire portal admin account password:
   admin@WF-500> set wildfire portal-admin password
2. Press enter and type and confirm the new password.

Step 12 Choose the virtual machine image that the appliance will use for file analysis. The image should be based on the attributes that best represent the software installed on your end user computers. Each virtual image contains different versions of operating systems and software, such as Windows XP or Windows 7 32-bit or 64-bit and specific versions of Adobe Reader and Flash. Although you configure the appliance to use one virtual machine image configuration, the appliance uses multiple instances of the image to improve performance.
To view a list of available virtual machines to determine which one best represents your environment:
   admin@WF-500> show wildfire vm-images
View the current virtual machine image by running the following command and refer to the Selected VM field:
   admin@WF-500> show wildfire status
Select the image that the appliance will use for analysis:
   admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
For example, to use vm-1:
   admin@WF-500# set deviceconfig setting wildfire active-vm vm-1


Where to Go Next:
Verify the WF-500 Appliance Configuration
Forward Files to a WF-500 Appliance
Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support
Set Up the VM Interface on the WF-500 Appliance

Verify the WF-500 Appliance Configuration

This topic describes how to verify the configuration of the WildFire appliance to ensure that it is ready to receive
files from a Palo Alto Networks firewall. For more details on the CLI commands referenced in this workflow,
see WildFire Appliance Software CLI Reference.

Verify the WF-500 Appliance Configuration

Step 1 Verify that the appliance is registered and the license is activated.
1. Start an SSH session and connect to the MGT port on the appliance.
2. View the current support information:
   admin@WF-500> request support check
   This will display information about the support site and contract. Confirm that the contract date is valid.
3. Run the following command to check connectivity between the appliance and the WildFire cloud (needed to forward files to the cloud):
   admin@WF-500> test wildfire registration
   The following output indicates that the appliance is registered with one of the Palo Alto Networks WildFire cloud servers.
   Test wildfire
   wildfire registration: successful
   download server list: successful
   select the best server: cs-s1.wildfire.paloaltonetworks.com


Step 2 Check the WildFire server status on the appliance.
1. Display WildFire status:
   admin@WF-500> show wildfire status
Connection info:
Wildfire cloud:
wildfire.paloaltonetworks.com
Status: Idle
Submit sample: enabled
Submit report: disabled
Selected VM: vm-5
VM internet connection: disabled
VM network using Tor: disabled
Best server:
s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 10.3.4.99
Signature verification: enable
Server selection: enable
Through a proxy: no
In the example output, status Idle indicates that the appliance
is ready to receive files. Submit sample is enabled, which
indicates that the appliance will forward detected malware files
to the WildFire Cloud. The Device registered field displays
yes, which means the appliance is registered with the WildFire
cloud system. The appliance is also configured to use the vm-5
sandbox for sample analysis.
You must have a WildFire cloud server defined even if
you are not forwarding samples to the cloud server. If no
cloud server is defined, the Status field will show
Disabled by cloud server.
2. After configuring your firewalls to forward files to the appliance
as described in Forward Files to a WF-500 Appliance, you can
verify the connectivity status of the firewalls from the appliance.
To verify that the appliance is receiving files from the firewalls
and to verify if the appliance is sending files to the WildFire
cloud for signature generation (if cloud intelligence is enabled),
enter:
admin@WF-500> show wildfire statistics days 7
Last one hour statistics:
Total sessions submitted : 0
Samples submitted : 0
analyzed : 0
pending : 0
malicious : 0
benign : 0
error : 0
Uploaded : 0

Last 7 days statistics:


Total sessions submitted : 66
Samples submitted : 34
analyzed : 34
pending : 0
malicious : 2
benign : 32
error : 0
Uploaded : 0

3. (Optional) View more detailed statistics:
   admin@WF-500> show wildfire latest [analysis | samples | sessions | uploads]
For example, to display details about the recent analysis results,
enter:
admin@WF-500> show wildfire latest analysis


Step 3 Verify that firewalls configured to forward files to the appliance have successfully registered with the WildFire appliance.
1. Display a list of firewalls that have registered with the appliance:
   admin@WF-500> show wildfire last-device-registration all
   The output will include the following information for each firewall that is registered with the appliance: firewall serial number, date registered, IP address, software version, hardware model, and status. If no firewalls are listed, there may be network connectivity issues between the firewalls and the appliance. Check the network to confirm that the firewalls and WildFire appliance can communicate.
   You can use ping tests from the appliance to the gateway address, or to one of the firewalls that you configured to forward files to the appliance. For example, if the IP address of the firewall is 10.0.5.254, you will see replies displayed when running the following CLI command from the appliance:
   admin@WF-500> ping host 10.0.5.254
   To verify the WildFire configuration on the firewalls that are forwarding to the appliance, see Verify Forwarding to a WF-500 Appliance.


Set Up the VM Interface on the WF-500 Appliance


The virtual machine interface (vm-interface) provides external network connectivity from the sandbox virtual
machines in the WF-500 appliance to enable observation of malicious behaviors in which the file being analyzed
seeks network access. The following sections describe the VM interface and the steps required for configuring
it. You can optionally enable the Tor feature with the VM interface, which will mask any malicious traffic sent
from the WF-500 appliance through the VM interface, so the malware sites that the traffic may be sent to cannot
detect your public-facing IP address.
This section also describes the steps required to connect the VM interface to a dedicated port on a Palo Alto
Networks firewall to enable Internet connectivity.
Virtual Machine Interface Overview
Configure the VM Interface on the WF-500 Appliance
Configure the Firewall to Control Traffic for the WF-500 VM Interface

Virtual Machine Interface Overview

The VM interface (labeled 1 on the back of the appliance) is used by WildFire to improve malware detection
capabilities. The interface allows a file sample running on the WildFire virtual machines to communicate with
the Internet and enables WildFire to better analyze the behavior of the sample file to determine if it exhibits
characteristics of malware.

While it is recommended that you enable the VM interface, it is very important that you do not
connect the interface to a network that allows access to any of your servers/hosts because
malware that runs in the WildFire virtual machines could potentially use this interface to
propagate itself.
This connection can be a dedicated DSL line or a network connection that only allows direct
access from the VM interface to the Internet and restricts any access to internal servers/client
hosts.

The following illustration shows two options for connecting the VM interface to the network.


Virtual Machine Interface Example

Option 1 (recommended): Connect the VM interface to an interface in a dedicated zone on a firewall that has a policy that only allows access to the Internet. This is important because malware that runs in the WildFire virtual machines can potentially use this interface to propagate itself. This is the recommended option because the firewall logs will provide visibility into any traffic that is generated by the VM interface.

Option 2: Use a dedicated Internet provider connection, such as a DSL, to connect the VM interface to the Internet. Ensure that there is no access from this connection to internal servers/hosts. Although this is a simple solution, traffic generated by the malware out the VM interface will not be logged unless you place a firewall or a traffic monitoring tool between the WildFire appliance and the DSL connection.

Configure the VM Interface on the WF-500 Appliance

This section describes the steps required to configure the VM interface on the WildFire appliance using the
Option 1 configuration detailed in the Virtual Machine Interface Example. After configuring the VM interface
using this option, you must also configure an interface on a Palo Alto Networks firewall through which traffic
from the VM interface is routed as described in Configure the Firewall to Control Traffic for the WF-500 VM
Interface.
By default, the VM interface has the following settings:
IP Address: 192.168.2.1
Netmask: 255.255.255.0
Default Gateway: 192.168.2.254
DNS: 192.168.2.254
If you plan on enabling this interface, configure it with the appropriate settings for your network. If you do not plan on using this interface, leave the default settings. Note that this interface must have network values configured or a commit failure will occur.

Configure the VM Interface

Step 1: Set the IP information for the VM interface on the WildFire appliance.
The following settings are used in this example:
IPv4 address - 10.16.0.20/22
Subnet Mask - 255.255.252.0
Default Gateway - 10.16.0.1
DNS Server - 10.0.0.246
The VM interface cannot be on the same network as the management interface (MGT).
1. Enter configuration mode:
admin@WF-500> configure
2. Set the IP information for the VM interface:
admin@WF-500# set deviceconfig system vm-interface ip-address 10.16.0.20 netmask 255.255.252.0 default-gateway 10.16.0.1 dns-server 10.0.0.246
You can only configure one DNS server on the VM interface. As a best practice, use the DNS server from your ISP or an open DNS service.

Step 2: Enable the VM interface.
1. Enable the VM interface:
admin@WF-500# set deviceconfig setting wildfire vm-network-enable yes
2. Commit the configuration:
admin@WF-500# commit

Step 3: Test connectivity of the VM interface.
Ping a system and specify the VM interface as the source. For example, if the VM interface IP address is 10.16.0.20, run the following command, where ip-or-hostname is the IP address or hostname of a server/network that has ping enabled:
admin@WF-500> ping source 10.16.0.20 host ip-or-hostname
For example:
admin@WF-500> ping source 10.16.0.20 host 10.16.0.1

Step 4: (Optional) Enable the Tor network.
When this option is enabled, any malicious traffic that the malware generates to the Internet is sent to the Tor network. The Tor network will mask your public-facing IP address, so the owners of the malicious site cannot determine the source of the traffic.
1. Enable the Tor network:
admin@WF-500# set deviceconfig setting wildfire vm-network-use-tor
2. Commit the configuration:
admin@WF-500# commit

Step 5: Continue to the next section to configure the firewall interface that you will use to connect the VM interface on the appliance.
See Configure the Firewall to Control Traffic for the WF-500 VM Interface.


Configure the Firewall to Control Traffic for the WF-500 VM Interface

The following example workflow describes how to connect the VM interface to a port on a Palo Alto Networks
firewall. Before connecting the VM interface to the firewall, the firewall must already have an Untrust zone
connected to the Internet. In this example, you configure a new zone named wf-vm-zone that will contain the
interface used to connect the VM interface on the appliance to the firewall. The policy associated with the
wf-vm-zone will only allow communication from the VM interface to the Untrust zone.

Step 1: Configure the interface on the firewall that the VM interface will connect to and set the virtual router.
The wf-vm-zone should only contain the interface (ethernet1/3 in this example) used to connect the VM interface on the appliance to the firewall. This prevents any traffic generated by the malware from reaching other networks.
1. From the web interface on the firewall, select Network > Interfaces and then select an interface, for example Ethernet1/3.
2. In the Interface Type drop-down, select Layer3.
3. On the Config tab, from the Security Zone drop-down box, select New Zone.
4. In the Zone dialog Name field, enter wf-vm-zone and click OK.
5. In the Virtual Router drop-down box, select default.
6. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.16.0.0/22.
7. To save the interface configuration, click OK.

Step 2: Create a security policy on the firewall to allow access from the VM interface to the Internet and block all incoming traffic.
In this example, the policy name is WildFire VM Interface. Because you will not create a security policy from the Untrust zone to the wf-vm-interface zone, all inbound traffic is blocked by default.
1. Select Policies > Security and click Add.
2. In the General tab, enter a Name.
3. In the Source tab, set the Source Zone to wf-vm-zone.
4. In the Destination tab, set the Destination Zone to Untrust.
5. In the Application and Service/URL Category tabs, leave the default as Any.
6. In the Actions tab, set the Action Setting to Allow.
7. Under Log Setting, select the Log at Session End check box.
If there are concerns that someone might inadvertently add other interfaces to the wf-vm-zone, clone the WildFire VM Interface security policy and then, in the Action tab for the cloned rule, select Deny. Make sure this new security policy is listed below the WildFire VM Interface policy. This will override the implicit intra-zone allow rule that allows communication between interfaces in the same zone and will deny/block all intra-zone communication.
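Why the cloned Deny rule matters is easier to see with the rule evaluation written out. The following Python model is an added example, not part of this guide and not PAN-OS code: a first-match evaluator with the two implicit rules the note above relies on, the intra-zone allow and the inter-zone deny. One assumption is labelled in the code: the cloned rule's destination zone is widened to any so that it matches traffic that stays inside wf-vm-zone, a detail the note does not spell out. Zone and rule names follow the example above; the rule structure is a simplification.

```python
"""Model of the zone-based rule evaluation behind the wf-vm-zone policy.

Added example, not part of the WildFire Administrator's Guide and not PAN-OS
code. It shows that with only the allow rule, a second interface placed in
wf-vm-zone can talk to the first one (implicit intra-zone allow), and that
the cloned Deny rule listed below the allow rule closes that path while
leaving wf-vm-zone -> Untrust working.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "name src_zone dst_zone action")
ANY = "any"

# Explicit rule from the guide: wf-vm-zone -> Untrust, allowed and logged.
WILDFIRE_VM_ALLOW = Rule("WildFire VM Interface", "wf-vm-zone", "Untrust", "allow")
# Cloned rule listed below the allow rule. Assumption (not stated in the
# guide): its destination zone is widened to any so it covers intra-zone flows.
WILDFIRE_VM_DENY = Rule("WildFire VM Interface Deny", "wf-vm-zone", ANY, "deny")

# The implicit rules at the bottom of the rulebase.
INTRAZONE_DEFAULT = ("intrazone-default", "allow")
INTERZONE_DEFAULT = ("interzone-default", "deny")


def evaluate(rules, src_zone, dst_zone):
    """Return (rule_name, action) for a flow between two zones.

    The first explicit rule whose zones match wins; otherwise traffic that
    stays inside one zone hits the implicit intra-zone allow, and traffic
    that crosses zones hits the implicit inter-zone deny.
    """
    for rule in rules:
        if rule.src_zone in (ANY, src_zone) and rule.dst_zone in (ANY, dst_zone):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return INTRAZONE_DEFAULT
    return INTERZONE_DEFAULT


def policy_matrix(rules, zones):
    """Evaluate every src/dst zone pair; useful for eyeballing a rulebase."""
    return {(s, d): evaluate(rules, s, d) for s in zones for d in zones}


if __name__ == "__main__":
    zones = ("wf-vm-zone", "Untrust")
    for label, rules in (("without deny rule", [WILDFIRE_VM_ALLOW]),
                         ("with deny rule", [WILDFIRE_VM_ALLOW, WILDFIRE_VM_DENY])):
        print(label)
        for (src, dst), (name, action) in sorted(policy_matrix(rules, zones).items()):
            print("  %-11s -> %-11s %-6s (%s)" % (src, dst, action, name))
```

Rule order is the whole point: if the Deny rule were placed above the allow rule it would also match wf-vm-zone -> Untrust and shadow it, which is why the note says to list it below.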

Step 3: Connect the cables.
Physically connect the VM interface on the WildFire appliance to the port you configured on the firewall (Ethernet 1/3 in this example) using a straight-through RJ-45 cable. The VM interface is labeled 1 on the back of the appliance.


Step 4: Verify that the VM interface is transmitting and receiving traffic.
1. View the VM interface settings:
admin@WF-500> show interface vm-interface
2. Verify that received/transmitted counters are incrementing. You can run the following command to generate ping traffic from the VM interface to an external device:
admin@WF-500> ping source vm-interface-ip host <gateway-ip>
For example:
admin@WF-500> ping source 10.16.0.20 host 10.16.0.1


Manage Content Updates on the WF-500 Appliance


Daily content updates for the WF-500 appliance equip the appliance with the most up-to-date threat
information for accurate malware detection and improve the appliance's ability to differentiate the malicious
from the benign. The updates also ensure that the appliance has the most recent information needed to generate
signatures when signature/URL generation is enabled on the appliance. For information on enabling signature
generation, see Signature/URL Generation on a WF-500 Appliance.
Install Content Updates Directly from the Update Server
Install Content Updates from an SCP-Enabled Server

Install Content Updates Directly from the Update Server

Step 1: Verify connectivity from the appliance to the update server and identify the content update to install.
1. Log in to the WildFire appliance and run the following command to display the current content version:
admin@wf-500> show system info | match wf-content-version
2. Confirm that the appliance can communicate with the Palo Alto Networks Update Server and view available updates:
admin@wf-500> request wf-content upgrade check
The command queries the Palo Alto Networks Update Server, provides information about available updates, and identifies the version that is currently installed on the appliance.
Version Size Released on Downloaded Installed
---------------------------------------------------------
2-253 57MB 2014/09/20 20:00:08 PDT no no
2-39 44MB 2014/02/12 14:04:27 PST yes current
If the appliance cannot connect to the update server, you will need to allow connectivity from the appliance to the Palo Alto Networks Update Server, or download and install the update using SCP as described in Install Content Updates from an SCP-Enabled Server.


Step 2: Download and install the latest content update.
1. Download the latest content update:
admin@wf-500> request wf-content upgrade download latest
2. View the status of the download:
admin@wf-500> show jobs all
You can run show jobs pending to view pending jobs. The following output shows that the download (job id 5) has finished downloading (Status FIN):
Enqueued ID Type Status Result Completed
---------------------------------------------------------
2014/04/22 03:42:20 5 Downld FIN OK 03:42:23
3. After the download is complete, install the update:
admin@wf-500> request wf-content upgrade install version latest
Run the show jobs all command again to monitor the status of the install.

Step 3: Verify the content update.
Run the following command and refer to the wf-content-version field:
admin@wf-500> show system info
The following shows an example output with content update version 2-253 installed:
admin@wf-500> show system info
hostname: wf-500
ip-address: 10.5.164.245
netmask: 255.255.255.0
default-gateway: 10.5.164.1
mac-address: 00:25:90:c3:ed:56
vm-interface-ip-address: 192.168.2.2
vm-interface-netmask: 255.255.255.0
vm-interface-default-gateway: 192.168.2.1
vm-interface-dns-server: 192.168.2.1
time: Mon Apr 21 09:59:07 2014
uptime: 17 days, 23:19:16
family: m
model: WF-500
serial: abcd3333
sw-version: 6.1.0
wf-content-version: 2-253
wfm-release-date: 2014/08/20 20:00:08
logdb-version: 6.1.2
platform-family: m

Step 4: (Optional) Schedule content updates to install the latest updates on the appliance at a set interval.
You can configure the appliance to install daily or weekly and either download only or download and install the updates.
1. Schedule the appliance to download and install content updates:
admin@WF-500# set deviceconfig system update-schedule wf-content recurring [daily | weekly] action [download-and-install | download-only]
For example, to download and install updates daily at 8:00 am:
admin@WF-500# set deviceconfig system update-schedule wf-content recurring daily action download-and-install at 08:00
2. Commit the configuration:
admin@WF-500# commit
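When you check content versions in a script rather than by eye, version strings such as 2-253 and 2-39 must be compared numerically, because as plain strings "2-253" sorts before "2-39". The following Python script is an added example (not part of this guide and not Palo Alto Networks code) that parses the version table printed by request wf-content upgrade check in Step 1 and reports whether the installed version is the newest available. The embedded table is a constructed copy of the sample output above; function names are the example's own.

```python
"""Decide from `request wf-content upgrade check` output whether an update is due.

Added example, not part of the WildFire Administrator's Guide: parses the
version table the appliance prints, compares versions numerically, and
returns (installed, latest, needs_update).
"""
import re

# Constructed copy of the update table shown in the guide.
SAMPLE_CHECK_OUTPUT = """\
Version Size Released on Downloaded Installed
---------------------------------------------------------
2-253 57MB 2014/09/20 20:00:08 PDT no no
2-39 44MB 2014/02/12 14:04:27 PST yes current
"""

_ROW = re.compile(
    r"^(?P<version>\d+-\d+)\s+(?P<size>\S+)\s+"
    r"(?P<released>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \S+)\s+"
    r"(?P<downloaded>\S+)\s+(?P<installed>\S+)$"
)


def version_key(version):
    """'2-253' -> (2, 253) so that versions compare numerically, not as text."""
    major, minor = version.split("-")
    return int(major), int(minor)


def parse_update_check(text):
    """Return one dict per version row (header and separator lines are skipped)."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def update_status(text):
    """Return (installed_version or None, latest_version, needs_update)."""
    rows = parse_update_check(text)
    if not rows:
        raise ValueError("no version rows found in update check output")
    installed = [r["version"] for r in rows if r["installed"] == "current"]
    latest = max((r["version"] for r in rows), key=version_key)
    current = installed[0] if installed else None
    needs_update = current is None or version_key(current) < version_key(latest)
    return current, latest, needs_update


if __name__ == "__main__":
    current, latest, needs_update = update_status(SAMPLE_CHECK_OUTPUT)
    print("installed %s, latest %s, update needed: %s" % (current, latest, needs_update))
```

If the script reports an update is needed, the download and install commands in Step 2 apply; the schedule in Step 4 removes the need to run this check by hand.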


Install Content Updates from an SCP-Enabled Server

The following procedure describes how to install content updates on a WildFire appliance that does not have
direct connectivity to the Palo Alto Networks Update Server. You will need a Secure Copy (SCP)-enabled server
that will temporarily store the content update.

Step 1: Retrieve the content update file from the update server.
1. Log in to the Palo Alto Networks Support site and click Dynamic Updates.
2. In the WildFire Appliance section, locate the latest WF-500 appliance content update and download it.
3. Copy the content update file to an SCP-enabled server and note the file name and directory path.

Step 2: Install the content update on the WildFire appliance.
1. Log in to the WF-500 appliance and download the content update file from the SCP server:
admin@WF-500> scp import wf-content from username@host:path
For example:
admin@WF-500> scp import wf-content from bart@10.10.10.5:c:/updates/panup-all-wfmeta-2-253.tgz
If your SCP server is running on a non-standard port or if you need to specify the source IP, you can also define those options in the scp import command.
2. Install the update:
admin@WF-500> request wf-content upgrade install file panup-all-wfmeta-2-253.tgz
View the status of the install:
admin@WF-500> show jobs all

Step 3: Verify the content update.
Verify the content version:
admin@wf-500> show system info | match wf-content-version
The following output now shows version 2-253:
wf-content-version: 2-253


Forward Files to a WF-500 Appliance


The following topics describe how to configure a firewall to forward files to a WF-500 appliance and how to
verify the configuration. If you configure the WF-500 appliance to generate signatures and URL updates, you
will also want to configure the firewall to retrieve content updates from the appliance. See Signature/URL
Generation on a WF-500 Appliance.
If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama
Templates to push the WildFire server information, allowed file size, and the session information settings to the
firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules.
Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis
(WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). When configuring the WildFire server
on Panorama (Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example,
if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud
server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama
setting should point to the IP address or FQDN of the appliance.
Configure a Firewall to Forward Samples to a WF-500 Appliance
Verify Forwarding to a WF-500 Appliance

Configure a Firewall to Forward Samples to a WF-500 Appliance

Perform the following steps on each firewall that will forward samples to the WildFire appliance:

If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud
or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed.
WildFire cloud: Uses port 443 for registration and file submissions.
WildFire appliance: Uses port 443 for registration and 10443 for file submissions.

Step 1: Verify that the firewall has a WildFire subscription and that dynamic updates are scheduled and are up-to-date.
See Best Practices for Keeping Signatures up to Date for recommended settings.
1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions installed.
2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates. If you are using a WildFire appliance that has Signature/URL generation enabled, check those updates as well.
3. Confirm and update the dynamic updates as needed. Stagger the update schedules because the firewall can only perform one update at a time.

Step 2: Define the WildFire server that the firewall will forward files to for analysis.
1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. In the WildFire Server field, enter the IP address or FQDN of the WF-500 appliance.


Step 3: Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.
If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because supported file types that are zipped are automatically sent to WildFire. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice.
Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, the new types are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire.
1. Select Objects > Security Profiles > File Blocking.
2. Click Add to add a new profile and enter a Name and Description.
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
4. Select the Applications that will match this profile. For example, selecting web-browsing as the application will cause the profile to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire.
6. In the Direction field select upload, download, or both. Selecting both will trigger forwarding whenever a user attempts to upload or download a file.
7. Define an Action as follows (choose Forward for this example):
Forward: The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user.
Continue-and-forward: The user is prompted and must click Continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
8. Click OK to save.

Step 4: (Optional) If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users).
1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
2. Select the Response Pages check box.
3. Click OK to save the profile.
4. Select Network > Interfaces and then edit the layer 3 interface or VLAN interface that is your ingress interface.
5. Click the Advanced tab and, from the drop-down menu, select the Interface Mgmt profile that has the response page option enabled.
6. Click OK to save.


Step 5: Enable forwarding of decrypted content.
To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option.
1. Select Device > Setup > Content-ID.
2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
3. Click OK to save the changes.
If you configured multiple virtual systems on the firewall, you must enable this option per VSYS. Select Device > Virtual Systems, click the virtual system you want to modify and select the Allow Forwarding of Decrypted Content check box.

Step 6: Attach the file blocking profile to a security policy.
1. Select Policies > Security.
2. Click Add to create a new policy for the zones that you are applying WildFire forwarding to, or select an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down.
If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.

Step 7: (Optional) Modify the maximum file size that the firewall can upload to WildFire.
1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded.


Step 8: (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card.
This is due to the traffic/logging capabilities of the PA-7050 and avoids overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email, and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files/email links to WildFire for analysis.
If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route.
The PA-7050 does not forward logs to Panorama. Panorama will only query the PA-7050 log card for log information.
1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your email servers, so that the firewall can send logs and email alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated.

Step 9: (Optional) Modify session options that define what session information to record in WildFire analysis reports.
1. Click the Session Information Settings edit icon.
2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove them from the WildFire analysis reports.
3. Click OK to save the changes.

Step 10: Commit the configuration.
Click Commit to apply the settings.
During security policy evaluation, all files that meet the criteria defined in the file blocking policy are forwarded by the firewall to WildFire. For information on viewing analysis reports, see WildFire Reporting.
For information on verifying the configuration, see Verify Forwarding to a WF-500 Appliance.


Verify Forwarding to a WF-500 Appliance

This topic describes the steps required to verify that the firewall is properly configured to forward samples to a
WF-500 appliance. For information on a test file that you can use to verify the process, see Malware Test
Samples.

Step 1: Check the WildFire and Threat Prevention subscriptions and WildFire registration.
The firewall must have a WildFire subscription to forward files to a WildFire appliance. See WildFire Subscription Requirements.
1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
2. Check that the firewall can communicate with a WildFire server for file forwarding:
admin@PA-200> test wildfire registration
In the following output, the firewall is pointing to a WildFire appliance. If the firewall is pointing to the WildFire cloud, it will show the hostname of one of the WildFire systems in the WildFire cloud.
Test wildfire
wildfire registration: successful
download server list: successful
select the best server: s1.wildfire.paloaltonetworks.com
If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required.

Step 2: Confirm that the firewall is sending files to the correct WildFire server.
1. To determine where the firewall is forwarding files (WildFire cloud or WildFire appliance), select Device > Setup > WildFire.
2. Click the General Settings edit button.
The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If you configured the firewall to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed.
If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK; the field will auto-populate with the default value for the WildFire cloud.


Step 3: Check the logs to verify that files are forwarded to WildFire.
1. Select Monitor > Logs > Data Filtering.
2. View the Action column to determine the forwarding results:
Forward: Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance.
Wildfire-upload-success: Indicates that the firewall forwarded the file to WildFire. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.
Wildfire-upload-skip: Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously.
View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning analysis reports.

Step 4: Verify the action setting in the file blocking profile.
1. Select Objects > Security Profiles > File Blocking and click the file blocking profile to modify it.
2. Confirm that the action is set to forward or continue-and-forward. If you set continue-and-forward, the firewall will only forward http/https traffic because this is the only type of traffic that will allow the firewall to serve a response page to the user.

Step 5: Check the security policy.
1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.


Step 6: Check the WildFire status on the firewall and confirm that the Status field is Idle and that Device registered and Valid wildfire license are yes. The output also shows the allowed file size for each file type that the firewall will forward.
View WildFire status:
admin@PA-200> show wildfire status
The following output shows the IP address of the WF-500 appliance and that status is Idle, which means the appliance is ready to receive files.
Connection info:
Wildfire cloud: 10.3.4.99
Status: Idle
Best server: 10.3.4.99:10443
Device registered: yes
Valid wildfire license: yes
Service route IP address: 10.43.14.24
Signature verification: enable
Server selection: enable
Through a proxy: no

File size limit info:
pe 10 MB
apk 10 MB
pdf 1000 KB
ms-office 10000 KB
jar 10 MB
flash 5 MB

Forwarding info:
file idle time out (second): 90
total file forwarded: 13
file forwarded in last minute: 0
concurrent files: 0


Step 7 Check WildFire statistics to confirm that counters are incrementing.
The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers.
admin@PA-200> show wildfire statistics
Packet based counters:
  Total msg rcvd:               4548
  Total bytes rcvd:             4337198
  Total msg read:               4545
  Total bytes read:             4227894
  Total msg lost by read:       3
  Total DROP_NO_MATCH_FILE      3
  Total files received from DP: 86
Counters for file cancellation:
  CANCEL_BY_DP              1
  CANCEL_FILE_DUP           3
Counters for file forwarding:
  file type: apk
  file type: pdf
  file type: email-link
  file type: ms-office
  file type: pe
    FWD_CNT_LOCAL_FILE       2
    FWD_CNT_REMOTE_FILE      2
  file type: flash
    FWD_CNT_LOCAL_FILE       80
    FWD_CNT_LOCAL_DUP        3
    FWD_CNT_REMOTE_FILE      43
    FWD_CNT_REMOTE_DUP_CLEAN 22
    FWD_CNT_REMOTE_DUP_MAL   15
  file type: jar
  file type: unknown
  file type: pdns
Error counters:
  FWD_ERR_CONN_FAIL         24
Reset counters:
  DP receiver reset cnt:        2
  File cache reset cnt:         2
  Service connection reset cnt: 1
  Log cache reset cnt:          2
  Report cache reset cnt:       2
Resource meters:
  data_buf_meter      0%
  msg_buf_meter       0%
  ctrl_msg_buf_meter  0%
File forwarding queues:
  priority: 1, size: 0
  priority: 2, size: 0
  priority: 3, size: 0
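The checks in Step 6 and Step 7 (and the identical Step 6 and Step 7 of Verify Forwarding to the WildFire Cloud later in this guide) can be automated against captured CLI output. The following Python script is an added example, not part of this guide and not part of PAN-OS: the two samples it parses are constructed from the figures printed above, the parsing is this example's assumption about the output layout, and the meaning it assigns to each counter (for example, that FWD_CNT_REMOTE_FILE counts files actually sent to WildFire) is inferred from the counter's name.

```python
"""Health check over 'show wildfire status' / 'show wildfire statistics' output.
Added example, not part of the Palo Alto Networks guide: the samples are
constructed from the guide's figures, the parsing is an assumption about the
output layout, and each counter's meaning is inferred from its name."""
import re
from collections import defaultdict

# Constructed sample: 'show wildfire status' as printed in the guide.
STATUS_SAMPLE = """\
Connection info:
  Wildfire cloud:            10.3.4.99
  Status:                    Idle
  Best server:               10.3.4.99:10443
  Device registered:         yes
  Valid wildfire license:    yes
  Service route IP address:  10.43.14.24
  Through a proxy:           no
"""

# Constructed sample: the sections of 'show wildfire statistics' used here.
STATS_SAMPLE = """\
Counters for file cancellation:
  CANCEL_FILE_DUP 3
Counters for file forwarding:
  file type: pdf
  file type: pe
    FWD_CNT_LOCAL_FILE 2
    FWD_CNT_REMOTE_FILE 2
  file type: flash
    FWD_CNT_LOCAL_FILE 80
    FWD_CNT_LOCAL_DUP 3
    FWD_CNT_REMOTE_FILE 43
    FWD_CNT_REMOTE_DUP_CLEAN 22
    FWD_CNT_REMOTE_DUP_MAL 15
Error counters:
  FWD_ERR_CONN_FAIL 24
"""

FILETYPE_RE = re.compile(r"^file type:\s*(\S+)$")
COUNTER_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s+(\d+)$")
KV_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_status(text):
    """Return the 'key: value' fields of 'show wildfire status' as a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):   # skip blanks and section headers
            continue
        m = KV_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_statistics(text):
    """Split 'show wildfire statistics' into per-file-type counters and
    per-section counters (cancellation, error, ...)."""
    per_type, sections = {}, defaultdict(dict)
    section = ftype = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILETYPE_RE.match(line)
        if m:                                # 'file type: pe' opens a type block
            ftype = m.group(1)
            per_type.setdefault(ftype, {})   # keep types that have no counters
            continue
        if line.endswith(":"):               # 'Error counters:' opens a section
            section, ftype = line[:-1], None
            continue
        m = COUNTER_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        if ftype is not None:
            per_type[ftype][name] = value
        else:
            sections[section][name] = value
    return per_type, dict(sections)


def check_health(status, per_type, sections):
    """Return a list of findings; an empty list means forwarding looks healthy."""
    findings = []
    if status.get("Device registered") != "yes":
        findings.append("firewall is not registered with WildFire")
    if status.get("Valid wildfire license") != "yes":
        findings.append("no valid WildFire license")
    if status.get("Status") != "Idle":
        findings.append(f"status is {status.get('Status')!r}, expected Idle")
    # Assumed from the name: FWD_CNT_REMOTE_FILE counts files actually sent to WildFire.
    sent = sum(c.get("FWD_CNT_REMOTE_FILE", 0) for c in per_type.values())
    if sent == 0:
        findings.append("no files forwarded: check connectivity, the file blocking "
                        "profile and the security rule it is attached to")
    for name, value in sections.get("Error counters", {}).items():
        if value:
            findings.append(f"{name}={value}")
    return findings
```

Replace the two sample strings with output captured from your own firewall (for example, the two operational commands run over SSH) and call check_health(parse_status(...), *parse_statistics(...)). On the constructed sample the only finding is FWD_ERR_CONN_FAIL=24, which is the counter to look at before checking reachability of the WF-500 appliance on port 10443; the per-type dict also exposes the FWD_CNT_REMOTE_DUP_MAL hits, that is, files the firewall did not need to resend because WildFire had already analyzed them and found them malicious.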

Step 8 Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving WildFire signatures. See Best Practices for Keeping Signatures up to Date.
1. Select Device > Dynamic Updates.
2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item. Stagger the update schedules because the firewall can only perform one update at a time.
3. Click Check Now at the bottom of the window to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com.
If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates.


Step 9 Check the registration status and statistics for firewalls forwarding to a WF-500 appliance.
See Verify the WF-500 Appliance Configuration.


Signature/URL Generation on a WF-500 Appliance


The WF-500 appliance can generate signatures locally, eliminating the need to send any data to the public cloud
in order to block malicious content. The appliance can analyze files forwarded to it from Palo Alto Networks
firewalls or from the WildFire API and generate the following types of signatures that block both the malicious
files as well as associated command and control traffic:

Antivirus signatures: Detect and block malicious files. WildFire adds these signatures to WildFire and Antivirus content updates.
DNS signatures: Detect and block callback domains for command and control traffic associated with malware. WildFire adds these signatures to WildFire and Antivirus content updates.
URL Categorization: Categorizes callback domains as malware and updates the URL category in PAN-DB.
Firewalls must be running PAN-OS 6.1 or later to enable dynamic updates from a WF-500 appliance. In
addition, you must configure the firewalls to receive content updates from the WF-500 appliance, which can
occur as frequently as every five minutes. You can optionally send the malware sample file (or only the XML
report) to the WildFire cloud to enable signature generation for distribution through Palo Alto Networks
content releases.
When the local storage on the appliance is full, new signatures/URL categorizations will overwrite existing ones,
beginning with the oldest ones first.
The following topics describe how to enable signature/URL generation on the WF-500 appliance and how to
configure firewalls to retrieve content updates from the appliance:
Enable Signature/URL Generation on the WF-500 Appliance
Configure the Firewall to Retrieve Updates from a WF-500 Appliance

Enable Signature/URL Generation on the WF-500 Appliance

This workflow describes how to enable a WildFire appliance to generate antivirus signatures, DNS signatures,
and URL categorization updates (PAN-DB only) based on samples that the appliance receives from connected
firewalls and the WildFire XML API.

Enable Signature/URL Generation on the WildFire Appliance

Step 1 Before configuring this feature, verify that the WF-500 appliance is configured to receive the latest content updates from Palo Alto Networks. The content updates equip the appliance with the most up-to-date threat information for accurate malware detection and signature generation.
Follow the procedure described in Manage Content Updates on the WF-500 Appliance.


Step 2 Enable signature/URL generation.
1. Log in to the appliance and type configure to enter configuration mode.
2. Enable all threat prevention options:
   admin@WF-500# set deviceconfig setting wildfire signature-generation av yes dns yes url yes
3. Commit the configuration:
   admin@WF-500# commit
To configure connected firewalls to retrieve updates from the appliance, see Configure the Firewall to Retrieve Updates from a WF-500 Appliance.

Step 3 (Optional) Configure the WF-500 appliance to forward analysis reports or malicious samples to the Palo Alto Networks WildFire cloud. If Packet Captures (PCAPs) are enabled, the PCAP is forwarded along with the sample file. Because submit-sample sends the file itself (and any PCAP) out of your environment to the public cloud, confirm that this is acceptable under your data handling requirements before enabling it.
1. To auto submit analysis reports:
   admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
   If submit-sample is enabled as described in the following step, there is no need to enable submit-report, because the WildFire cloud will re-analyze the sample, generate a new report, and generate a signature for malicious samples.
2. To auto submit file samples:
   admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
3. Commit the configuration:
   admin@WF-500# commit

Configure the Firewall to Retrieve Updates from a WF-500 Appliance

If you Enable Signature/URL Generation on the WF-500 Appliance, you can configure your firewalls to retrieve
regular content updates from the appliance. This ensures that your network is protected from threats that
WildFire detects in your local environment. As a best practice, you should also configure your firewalls to retrieve
content updates from the Palo Alto Networks Update Servers and from the WildFire cloud. This ensures
that your firewalls receive signatures based on threats detected worldwide, not just signatures generated by your
local WF-500 appliance.
The following workflow describes how to configure a Palo Alto Networks firewall to retrieve content updates
from a WildFire appliance.

Configure the Firewall to Retrieve Updates from the WF-500 Appliance

Step 1 Launch the firewall web interface and go to the Dynamic Updates page.
Select Device > Dynamic Updates.


Step 2 Check for the latest updates.
1. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available:
   Download: Indicates that a new update file is available. Click the link to begin downloading the file directly to the firewall. After successful download, the link in the Action column changes from Download to Install. To check the status of an action, click Tasks (on the lower right-hand corner of the window).
   Revert: Indicates that the firewall downloaded the corresponding update previously. Click Revert to install the previous version of the update.
[Screen capture not reproduced: it shows the new WF-Private section in Dynamic Updates, which is where you download updates from the WF-500 appliance.]

Step 3 Install the updates.
Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.

Step 4 Schedule the update. To receive updates at the minimal interval, configure the firewall to download/install updates every five minutes. See Best Practices for Keeping Signatures up to Date.
1. Click None to the right of Schedule if no schedule is configured. If a schedule exists and you would like to modify it, click the defined schedule.
2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The WF-500 appliance updates are available Every 5 minutes (best practice), Every 15 minutes, Every 30 minutes, or Every Hour.
3. Specify whether the firewall will Download And Install the update (best practice) or Download Only.
4. Specify how long after a content release to wait before performing a content update by entering the number of hours to wait in the Threshold (Hours) field. This provides added protection in the event that there are errors in a content release.
5. Click OK to save the schedule settings.
6. Click Commit to save the settings to the running configuration.


Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support
This topic describes how to upgrade the WF-500 appliance operating system and how to install and enable the Windows 7 64-bit Virtual Machine (VM) sandbox environment. Note that when upgrading to version 6.1, you first download and install the Windows 7 64-bit image before upgrading the WF-500 appliance operating system. The VM images can be as large as 4GB, so you must download them from the Palo Alto Networks update servers and then host them on an SCP-enabled server that you provide. You will then use the SCP client on the appliance to download the images from the SCP-enabled server prior to upgrading the appliance. Because the images pass through a server that you control before they reach the appliance, restrict access to that server and to the SCP account used for the transfer.
The appliance can only use one environment at a time to analyze samples, so after upgrading the appliance, review the list of available VM images and then choose the image that best fits your environment. In the case of Windows 7, if your environment has a mix of Windows 7 32-bit and Windows 7 64-bit systems, it is recommended that you choose the Windows 7 64-bit image, so that WildFire will analyze both 32-bit and 64-bit PE files. Although you configure the appliance to use one virtual machine image, to improve throughput the appliance uses multiple instances of that image to perform file analyses.

Upgrade the WF-500 appliance before upgrading the firewalls that are configured to forward samples to it.
If you are upgrading to a 6.1 maintenance release, you do not have to install the Windows 7 64-bit image again. You only need to download and install the latest image update.

The following workflow describes how to upgrade the WF-500 appliance and enable the Windows 7 64-bit
environment:

WF-500 Appliance Upgrade

Step 1 Determine the upgrade path and download a base image file if needed.
You cannot upgrade directly to WildFire appliance operating system version 6.1 from version 5.1. Although you do not have to install version 6.0.0 (the feature release), you must first download its image and then download and install version 6.1.0. All releases have the requirement to download the base image files to skip a feature release.
1. Log in to the WF-500 appliance and view system information:
   admin@WF-500> show system info
2. Check the sw-version: field to determine the installed version and proceed as follows:
   If version 6.0.0 or later is installed, continue to Step 2.
   If a version prior to 6.0.0 is installed, continue with the remaining steps in this section.
3. Download the 6.0.0 base image:
   admin@WF-500> request system software download version 6.0.0
4. Check the status of the download:
   admin@WF-500> show jobs all
5. After the download completes, continue to Step 2.


Step 2 Download the required WildFire files to prepare for the 6.1.0 upgrade. In this case, you will need the WildFire operating system 6.1.0 image file, the Windows 7 64-bit base image, and the Windows 7 64-bit add-on image.
1. Check the Update Server for the available WildFire operating system software versions:
   admin@WF-500> request system software check
   In this case, look for version 6.1.0. The Downloaded column indicates whether the image has been downloaded to the appliance. If the image is already downloaded you can proceed. If the image is not downloaded, run the following command:
   admin@WF-500> request system software download version 6.1.0
2. To download the Windows 7 64-bit images, go to the Palo Alto Networks Support site, click Software Updates and in the WF-500 Guest VM Images section locate and download the latest Windows 7 64-bit base image and the Windows 7 64-bit Add-on image.
   The VM files can be as large as 4GB, so ensure that your Secure Copy (SCP) enabled server software supports file transfers over 4GB and verify that there is enough free space to temporarily store the files.
   The file names are similar to the following:
   Base Image: WFWin7_64Base_m-1.0.0_64base
   Add-on Image: WFWin7_64Addon1_m-1.0.0_64addon
3. Move the files to your SCP-enabled server and note the file name and directory path.

Step 3 Download the VM images to the WF-500 appliance.
1. Download the base image file from the SCP-enabled server:
   admin@WF-500> scp import wildfire-vm-image from username@host:path
   For example:
   admin@WF-500> scp import wildfire-vm-image from bart@10.43.15.41:c:/scp/WFWin7_64Base_m-1.0.0_64base
   The SCP path following the IP or hostname varies depending on the SCP software that you are using. For Windows, the path is c:/folder/filename or //folder/filename; for Unix/Mac systems, the path is /folder/filename or //folder/filename.
2. Download the add-on image:
   admin@WF-500> scp import wildfire-vm-image from username@host:path
   For example:
   admin@WF-500> scp import wildfire-vm-image from bart@10.43.15.41:c:/scp/WFWin7_64Base_m-1.0.0_64addon1


Step 4 Install the Windows 7 64-bit VM images.
1. Install the Windows 7 64-bit base image:
   admin@WF-500> request system wildfire-vm-image upgrade install WFWin7_64Base_m-1.0.0_64base
2. Install the Windows 7 64-bit Add-on image:
   admin@WF-500> request system wildfire-vm-image upgrade install WFWin7_64Base_m-1.0.0_64addon1

Step 5 Install the 6.1 operating system image file.
Install the WF-500 appliance operating system image that you downloaded previously:
   admin@WF-500> request system software install version 6.1.0

Step 6 Restart the appliance and confirm that the installation was successful.
1. Confirm that the upgrade has completed by running the following command and looking for the job type Install with status FIN:
   admin@WF-500> show jobs all
   Enqueued             ID  Type    Status  Result  Completed
   ---------------------------------------------------------
   2014/07/30 10:38:48  2   Downld  FIN     OK      10:39:08
2. After the upgrade is complete, restart the appliance:
   admin@WF-500> request restart system
3. Verify that the sw-version field shows 6.1:
   admin@WF-500> show system info | match sw-version

Step 7 (Optional) Enable the Windows 7 64-bit sandbox environment.
1. View the active virtual machine image by running the following command and referring to the Selected VM field:
   admin@WF-500> show wildfire status
2. View a list of available virtual machine images:
   admin@WF-500> show wildfire vm-images
   The following output shows that vm-5 is the Windows 7 64-bit image:
   vm-5
     Windows 7 64bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010 and earlier
3. Enter configuration mode (configure) and select the image to be used for analysis:
   admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
   For example, to use vm-5, run the following command:
   admin@WF-500# set deviceconfig setting wildfire active-vm vm-5
4. Commit the configuration:
   admin@WF-500# commit



WildFire Cloud File Analysis
The following topics describe how to configure a Palo Alto Networks firewall to forward files to the WildFire cloud for analysis and how to manually upload files using the WildFire Portal. You can also use the WildFire API to submit samples to the WildFire cloud.
Forward Samples to the WildFire Cloud
Verify Forwarding to the WildFire Cloud
Upload Files using the WildFire Cloud Portal


Forward Samples to the WildFire Cloud


To configure a Palo Alto Networks firewall to automatically submit samples to the WildFire cloud to identify
malware, you must configure a file blocking profile with the forward or continue-and-forward action (forward
only for email links) and then attach the profile to the security rule that will trigger inspection for zero-day
malware. The samples can be specific file types or HTTP/HTTPS links contained in SMTP or POP3 messages.
For example, you can configure a policy with a file blocking profile that triggers the firewall to forward a specific
file type (PDF for example) to WildFire, or all supported file types that users attempt to download during a
web-browsing session. The firewall can forward encrypted files if SSL decryption is configured and the option
to forward encrypted files is enabled. To enable WildFire Email Link Analysis, you simply configure the firewall
to forward the file type email-link.
If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama
Templates to push the WildFire server information, allowed file size, and the session information settings to the
firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules.
Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis
(WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). When configuring the WildFire server
on Panorama (Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example,
if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud
server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama
setting should point to the IP address or FQDN of the appliance.

If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle allows the necessary ports:
WildFire cloud: uses port 443 for registration and file submissions.
WildFire appliance: uses port 443 for registration and 10443 for file submissions.

Perform the following steps on each firewall that will forward files to WildFire:

Configure a File Blocking Profile and Add it to a Security Profile

Step 1 Verify that the firewall has valid Threat Prevention and WildFire subscriptions and that dynamic updates are scheduled and up-to-date. See Best Practices for Keeping Signatures up to Date for recommended settings.
Having a WildFire subscription provides many benefits, such as forwarding of advanced file types and receiving WildFire signatures within 15 minutes. For details, see WildFire Subscription Requirements.
1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions.
2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates.
3. If the updates are not scheduled, schedule them now. Stagger the update schedules because the firewall can only perform one update at a time.


Step 2 Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.
If you choose PE in the File Types column of the profile to select a category of file types, do not also add an individual file type that is part of that category, because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because the firewall will automatically forward supported file types that are zipped. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice. Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, the new types are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire.
1. Select Objects > Security Profiles > File Blocking.
2. Click Add to add a new profile and enter a Name and Description.
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
4. Select the Applications that will match this profile. For example, select web-browsing to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire, or select PE to forward only Portable Executable files.
6. In the Direction field, select upload, download, or both. The both option triggers forwarding whenever a user attempts to upload or download a file.
7. Define an Action as follows:
   Forward: The firewall automatically forwards any files matching this profile to WildFire for analysis in addition to delivering the file to the user.
   Continue-and-forward: The user is prompted and must click Continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
8. Click OK to save.

Step 3 (Optional) Enable response pages to allow users to decide whether to forward a file.
If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic from your users).
1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
2. Click the Response Pages check box to enable it.
3. Click OK to save the profile.
4. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is the ingress interface.
5. On the Advanced tab, select the Interface Mgmt profile that has the response page option enabled.
6. Click OK to save.


Step 4 Enable forwarding of decrypted content.
To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option.
1. Select Device > Setup > Content-ID.
2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
3. Click OK to save the changes.
If the firewall has multiple virtual systems, you must enable this option per VSYS. In this situation, select Device > Virtual Systems, click the virtual system to be modified and select the Allow Forwarding of Decrypted Content check box.

Step 5 Attach the file blocking profile to a security policy.
1. Select Policies > Security.
2. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down.
   If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.

Step 6 (Optional) Modify the maximum file size allowed for upload to WildFire.
1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded.

Step 7 (Optional) Modify session options that define what session information to record in WildFire analysis reports.
1. Click the Session Information Settings edit icon.
2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove from the WildFire analysis reports.
3. Click OK to save the changes.


Step 8 (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the PA-7050, to avoid overwhelming the MGT port.
The log card (LPC) uses this port directly and the port acts as a log forwarding port for syslog, email, and SNMP. The firewall forwards the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files/email links to WildFire for analysis.
If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route.
The PA-7050 does not forward logs to Panorama. Panorama queries the PA-7050 log card for log information.
1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that enables the firewall to communicate with your syslog servers and your email servers, so that the firewall can send logs and email alerts. The port also needs to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall automatically uses this port as soon as it is activated.

Step 9 Commit the configuration.
Click Commit to apply the settings.
During security policy evaluation, all files that meet the criteria defined in the file blocking profile are forwarded by the firewall to WildFire. For information on viewing WildFire reports, see WildFire Reporting.
For information on verifying the configuration, see Verify Forwarding to the WildFire Cloud.
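A practitioner responsible for many firewalls will want to check the profile and rule settings of Steps 2 through 5 mechanically rather than click through each device. The following Python script is an added example, not part of this guide and not part of PAN-OS: it lints a configuration export for the pitfalls the steps above describe (an action that does not forward, continue-and-forward on applications other than web-browsing or on email-link, an individual file type listed next to its category, zip listed alongside other types, and a profile that no security rule references). The XML fragment it parses is constructed; the element layout (profiles/file-blocking and rulebase/security under a vsys) is this example's assumption about the export format; and CATEGORY_MEMBERS is an assumed table that must be completed from the file-type list of your own firewall, since the guide states only that exe belongs to PE and that msoffice covers the Office types.

```python
"""Lint file blocking profiles in a PAN-OS configuration export for the
WildFire forwarding pitfalls described in the procedure above.
Added example, not part of the Palo Alto Networks guide: SAMPLE_CONFIG is a
constructed fragment, its element layout is an assumption about the export
format, and CATEGORY_MEMBERS is an assumed, incomplete table."""
import xml.etree.ElementTree as ET

# Assumed category membership: the guide says exe belongs to PE and that the
# msoffice category covers the Office types; the other names are illustrative.
CATEGORY_MEMBERS = {
    "PE": {"exe", "dll"},
    "msoffice": {"doc", "xls", "ppt", "docx", "xlsx", "pptx"},
}
FORWARD_ACTIONS = {"forward", "continue-and-forward"}

# Constructed sample laid out like a running-config export (assumed layout).
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <profiles><file-blocking>
  <entry name="wf-forward"><rules>
   <entry name="web-downloads">
    <application><member>web-browsing</member></application>
    <file-type><member>PE</member><member>exe</member><member>pdf</member></file-type>
    <direction>both</direction><action>continue-and-forward</action>
   </entry>
   <entry name="mail-links">
    <application><member>smtp</member><member>pop3</member></application>
    <file-type><member>email-link</member></file-type>
    <direction>both</direction><action>continue-and-forward</action>
   </entry>
  </rules></entry>
  <entry name="unused-profile"><rules>
   <entry name="block-only">
    <application><member>any</member></application>
    <file-type><member>any</member></file-type>
    <direction>both</direction><action>block</action>
   </entry>
  </rules></entry>
 </file-blocking></profiles>
 <rulebase><security><rules>
  <entry name="allow-web"><profile-setting><profiles>
   <file-blocking><member>wf-forward</member></file-blocking>
  </profiles></profile-setting></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""


def members(node, tag):
    """Set of <member> values under <tag> of a rule element."""
    return {m.text.strip() for m in node.findall(f"{tag}/member")}


def lint_rule(profile, rule):
    """Findings for one rule of a file blocking profile."""
    name = f"{profile}/{rule.get('name')}"
    action = rule.findtext("action", "")
    apps, types = members(rule, "application"), members(rule, "file-type")
    if action not in FORWARD_ACTIONS:
        return [f"{name}: action {action!r} does not forward anything to WildFire"]
    findings = []
    if action == "continue-and-forward" and apps != {"web-browsing"}:
        findings.append(f"{name}: continue-and-forward needs a response page, so only "
                        f"web-browsing is forwarded; found {sorted(apps)}")
    if action == "continue-and-forward" and "email-link" in types:
        findings.append(f"{name}: email-link must use the forward action")
    for category, children in CATEGORY_MEMBERS.items():
        dup = types & children if category in types else set()
        if dup:
            findings.append(f"{name}: {sorted(dup)} already covered by category {category}")
    if "zip" in types and len(types) > 1:
        findings.append(f"{name}: zip is redundant, supported types inside archives "
                        "are forwarded anyway")
    return findings


def lint_config(xml_text):
    """Findings for every file blocking profile in the export."""
    root = ET.fromstring(xml_text)
    attached = {m.text.strip() for m in root.findall(
        ".//rulebase/security/rules/entry/profile-setting/profiles/file-blocking/member")}
    findings = []
    for profile in root.findall(".//profiles/file-blocking/entry"):
        pname = profile.get("name")
        if pname not in attached:
            findings.append(f"{pname}: not attached to any security rule, so it never triggers")
        for rule in profile.findall("rules/entry"):
            findings.extend(lint_rule(pname, rule))
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the XML of your own running configuration (exported from the firewall, or the merged candidate configuration pushed by Panorama device groups) instead of SAMPLE_CONFIG. On the constructed sample it reports five findings: exe listed next to PE, continue-and-forward used for smtp/pop3 and for email-link, and a profile whose only rule blocks rather than forwards and which no security rule references. The web-browsing check is deliberately strict (the application set must be exactly web-browsing); relax it if your rules legitimately mix applications under the forward action.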


Verify Forwarding to the WildFire Cloud


This topic describes the steps required to verify that the firewall is properly configured to forward samples to
the WildFire cloud. For information on a test file that you can use to verify the process, see Malware Test
Samples.

Verify Forwarding to the WildFire Cloud

Step 1 Check the WildFire and Threat Prevention subscriptions and WildFire registration.
1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
2. Check that the firewall can communicate with a WildFire server for file forwarding:
   admin@PA-200> test wildfire registration
   In the following output, the firewall is pointing to the WildFire cloud. If the firewall is pointing to a WildFire appliance, it will show the FQDN or IP address of the appliance.
   Test wildfire
     wildfire registration:  successful
     download server list:   successful
     select the best server: s1.wildfire.paloaltonetworks.com
3. If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required.

Step 2 Confirm that the firewall is sending files to the correct WildFire system.
1. To determine where the firewall is forwarding files (to the Palo Alto Networks WildFire cloud or to a WildFire appliance), select Device > Setup > WildFire.
2. Click the General Settings edit button.
   The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If the firewall is configured to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed.
   If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK; the field will auto-populate with the default value for the WildFire cloud.


Step 3 Check the logs to verify that forwarding is working. For information on enabling email header details in logs, see Enable Email Header Information in WildFire Logs.
1. Select Monitor > Logs > Data Filtering.
2. View the Action column to determine the forwarding results:
   Forward: Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance.
   Wildfire-upload-success: Indicates that the firewall forwarded the file to WildFire. This means that a trusted signer did not sign the file and WildFire has not previously analyzed it.
   Wildfire-upload-skip: Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously.
3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning file analysis results.
For more information on WildFire-related logs, see WildFire Logs.

Step 4 Verify the action setting in the file blocking profile.
  1. Select Objects > Security Profiles > File Blocking and click the file blocking profile.
  2. Confirm that the action is set to forward or continue-and-forward. If you set continue-and-forward, the firewall will only forward http/https traffic, because this is the only type of traffic that allows the firewall to serve a response page to the user.

Step 5 Verify that the file blocking profile is in the correct security policy.
  1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
  2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.


Step 6 Check the WildFire server status on the firewall. When forwarding files to the WildFire cloud, the output of the following command should look similar to the example below. Confirm that Device registered and Valid wildfire license both show yes and that Signature verification is enabled, so that the firewall only trusts an authenticated WildFire server:
admin@PA-200> show wildfire status
Connection info:
Wildfire cloud: public cloud
Status: Idle
Best server: s1.wildfire.paloaltonetworks.com
Device registered: yes
Valid wildfire license: yes
Service route IP address: 192.168.2.1
Signature verification: enable
Server selection: enable
Through a proxy: no

Forwarding info:
file size limit for pe (MB): 10
file size limit for jar (MB): 1
file size limit for apk (MB): 2
file size limit for pdf (KB): 500
file size limit for ms-office (KB): 10000
file idle time out (second): 90
total file forwarded: 1
file forwarded in last minute: 0
concurrent files: 0


Step 7 Check WildFire statistics to confirm that counters are incrementing.
The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WildFire cloud (or the WF-500 appliance, if the firewall forwards to one). Also verify that the file blocking profile on the firewall is configured correctly and that the profile is attached to a security rule that allows file transfers.
admin@PA-200> show wildfire statistics
Packet based counters:
Total msg rcvd: 12011
Total bytes rcvd: 10975328
Total msg read: 11963
Total bytes read: 10647634
Total msg lost by read: 48
Total DROP_NO_MATCH_FILE 48

Total files received from DP: 196

Counters for file cancellation:


CANCEL_FILE_DUP 11
CANCEL_CONCURRENT_LIMIT 7

Counters for file forwarding:

file type: apk

file type: pdf

file type: email-link

file type: ms-office

file type: pe

file type: flash


FWD_CNT_LOCAL_FILE 178
FWD_CNT_LOCAL_DUP 11
FWD_CNT_REMOTE_FILE 121
FWD_CNT_REMOTE_DUP_CLEAN 56
FWD_CNT_REMOTE_DUP_TBD 8
FWD_CNT_REMOTE_DUP_MAL 3

file type: jar

file type: unknown

file type: pdns

Error counters:
LOG_ERR_REPORT_CACHE_NOMATCH 880

Reset counters:
DP receiver reset cnt: 2
File cache reset cnt: 2
Service connection reset cnt: 1
Log cache reset cnt: 2
Report cache reset cnt: 2

Resource meters:
data_buf_meter 0%
msg_buf_meter 0%
ctrl_msg_buf_meter 0%

File forwarding queues:


priority: 1, size: 0
priority: 2, size: 0
priority: 3, size: 0


Step 8 Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving signatures generated by WildFire. See Best Practices for Keeping Signatures up to Date.
  1. Select Device > Dynamic Updates.
  2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item.
  3. Click Check Now at the bottom of the window to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com.
If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates.
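The checks in Steps 6 and 7 are easy to automate once the CLI text is in hand. The following script is an added example and is not code from the WildFire Administrator's Guide or from Palo Alto Networks: it parses the output of show wildfire status and show wildfire statistics and reports the conditions those steps tell you to look for (device registered, valid license, signature verification enabled, a selected server, files arriving from the dataplane and forwarding counters above zero). The two sample outputs are constructed from the values printed above; how you collect the text (SSH session, copy-paste, an API wrapper) is up to you, and the placement of the FWD_CNT_* counters under the pe file type is an assumption, since the extraction of the guide does not show which file type they belong to.

```python
"""Added example, not part of the WildFire Administrator's Guide: parse
'show wildfire status' (Step 6) and 'show wildfire statistics' (Step 7)
output and apply the checks those steps describe. Collecting the text is
left to the caller; the samples are constructed from the guide's values."""
import re

# Constructed sample of 'show wildfire status' (cloud forwarding).
SAMPLE_STATUS = """\
Connection info:
    Wildfire cloud: public cloud
    Status: Idle
    Best server: s1.wildfire.paloaltonetworks.com
    Device registered: yes
    Valid wildfire license: yes
    Service route IP address: 192.168.2.1
    Signature verification: enable

Forwarding info:
    file size limit for pe (MB): 10
    total file forwarded: 1
"""

# Constructed sample of 'show wildfire statistics'. Listing the FWD_CNT_*
# counters under 'pe' is an assumption made for this example.
SAMPLE_STATISTICS = """\
Total files received from DP: 196

Counters for file cancellation:
    CANCEL_FILE_DUP 11
    CANCEL_CONCURRENT_LIMIT 7

Counters for file forwarding:
  file type: pe
    FWD_CNT_LOCAL_FILE 178
    FWD_CNT_LOCAL_DUP 11
    FWD_CNT_REMOTE_FILE 121
    FWD_CNT_REMOTE_DUP_CLEAN 56
    FWD_CNT_REMOTE_DUP_TBD 8
    FWD_CNT_REMOTE_DUP_MAL 3
  file type: pdf

Error counters:
    LOG_ERR_REPORT_CACHE_NOMATCH 880
"""

KEY_VALUE = re.compile(r"^\s*(.+?):\s*(.+?)\s*$")           # 'Name: value'
COUNTER = re.compile(r"^\s*([A-Z][A-Z0-9_]+)\s+(\d+)\s*$")  # 'NAME_X 12'
FILE_TYPE = re.compile(r"^\s*file type:\s*(\S+)\s*$")
SECTION = re.compile(r"^\s*[A-Za-z ]+:\s*$")                # 'Error counters:'


def parse_status(text):
    """Map every 'Name: value' line of 'show wildfire status' to a dict."""
    return {m.group(1): m.group(2)
            for m in map(KEY_VALUE.match, text.splitlines()) if m}


def check_status(fields):
    """Step 6 checks; returns a list of problems (empty means healthy)."""
    problems = []
    if fields.get("Device registered") != "yes":
        problems.append("device is not registered with WildFire")
    if fields.get("Valid wildfire license") != "yes":
        problems.append("no valid WildFire license")
    if fields.get("Signature verification") != "enable":
        problems.append("signature verification of the WildFire server is disabled")
    if not fields.get("Best server"):
        problems.append("no WildFire server selected: check the service route and DNS")
    return problems


def parse_statistics(text):
    """Return (FWD_CNT_* counters per file type, all other numeric counters)."""
    per_type, totals, current = {}, {}, None
    for line in text.splitlines():
        m = FILE_TYPE.match(line)
        if m:
            current = m.group(1)
            per_type.setdefault(current, {})
            continue
        if SECTION.match(line):          # a new section ends the file-type block
            current = None
            continue
        m = COUNTER.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if current and name.startswith("FWD_CNT_"):
                per_type[current][name] = value
            else:
                totals[name] = value
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(2).isdigit():
            totals[m.group(1)] = int(m.group(2))
    return per_type, totals


def check_statistics(per_type, totals):
    """Step 7 checks: files must reach the management plane and be forwarded."""
    forwarded = sum(sum(counters.values()) for counters in per_type.values())
    if totals.get("Total files received from DP", 0) == 0:
        return ["no files received from the dataplane: check the file blocking "
                "profile and the security rule it is attached to"]
    if forwarded == 0:
        return ["files reach the management plane but none are forwarded: check "
                "connectivity to the WildFire cloud or WF-500 appliance"]
    return []
```

Feed the captured text to parse_status and parse_statistics and act on the returned problem lists; an empty list from both checks corresponds to the healthy output shown in Steps 6 and 7. The split between "no files from the dataplane" and "files received but not forwarded" mirrors the guide's advice: the first points at the file blocking profile and security rule, the second at connectivity to the WildFire cloud or appliance.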


Upload Files using the WildFire Cloud Portal


All Palo Alto Networks customers with a support account can manually upload files to the Palo Alto Networks
WildFire portal for analysis. The WildFire portal supports manual uploading of all Supported File Types.

Manual Upload to WildFire

Step 1 Manually upload a file to WildFire for analysis.
  1. Log in to the WildFire Portal. If your firewall is forwarding to the WildFire portal in Japan, use https://wildfire.paloaltonetworks.jp.
  2. Click the Upload Sample button, then click Add files.
  3. Navigate to the file, highlight it, and then click Open. The file name will appear below the Add files icon.
  4. Click the Start icon to the right of the file, or click the Start upload button if multiple files are waiting for upload. If the file(s) upload successfully, Success will appear next to each file.
  5. Close the Uploaded File Information pop-up.

Step 2 View the analysis results. It will take approximately five minutes for WildFire to complete a file analysis.
Because a manual upload is not associated with a specific firewall, manual uploads appear separately from your registered firewalls and do not show session information in the reports.
  1. Refresh the portal page from your browser.
  2. Click Manual under the Source column to view the results of manual sample uploads.
  3. The report page shows a list of all files that have been uploaded to your account. Find the file you uploaded and click the detail icon to the left of the date field. The portal displays a full report of the file analysis detailing the observed file behavior. If WildFire identifies the file as malware, it generates a signature, which is then distributed to all Palo Alto Networks firewalls configured with a WildFire or Threat Prevention subscription.



WildFire Reporting
When malware is discovered on your network, it is important to take quick action to prevent propagation to
other systems on your network. To ensure immediate alerts for malware discovered on your network, configure
your firewalls to send email notifications, SNMP Traps, and/or syslogs whenever WildFire returns a malware
verdict on a sample. This allows you to quickly view the WildFire analysis report and identify the user who
downloaded the malware, determine if the user ran the infected file or accessed a malicious email link, and assess
whether the malware attempted to spread itself to other hosts. If you determine that the user has accessed the
malicious content, you can quickly disconnect the computer from the network to prevent the malware from
spreading and follow incident response and remediation processes as required.
The following topics describe the WildFire reporting and logging system and how to use this information to track down threats and to identify users who have been targeted by malware.
WildFire Logs
Enable Email Header Information in WildFire Logs
Monitor Submissions Using the WildFire Portal
Customize WildFire Portal Settings
Add WildFire Portal User Accounts
View WildFire Reports
WildFire Report Contents
Set Up Alerts for Detected Malware
WildFire in Action


WildFire Logs
Each firewall that you configure to forward samples to WildFire will log the forward action in the data filtering logs. After WildFire analyzes the sample, if the verdict is malware, WildFire sends the results back to the WildFire Submissions log on the firewall. You can also configure the firewall to log email header information for files delivered over email and for HTTP/HTTPS links contained in SMTP and POP3 messages. For more information, see Enable Email Header Information in WildFire Logs.
The detailed analysis report for each file or email link that WildFire analyzes is located in the detailed view of
the WildFire Submissions log. You can also view analysis reports on the WildFire Portal.

If you configure your firewalls to forward samples to a WF-500 appliance, you can only view
analysis results on the firewall that forwarded the file to the appliance or by using the WildFire
XML API to retrieve the report from the appliance.

Forwarding Action Logs: The data filtering logs located in Monitor > Logs > Data Filtering show the files that were blocked/forwarded based on the file blocking profile. To determine which files were forwarded to WildFire, look for the following values in the Action column of the log:

wildfire-upload-success: The firewall forwarded the sample to the WildFire cloud or WF-500 appliance. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.

wildfire-upload-skip: Displayed for all files identified as eligible to be sent to WildFire by a file blocking profile/security policy, but that did not need to be analyzed by WildFire because they have already been analyzed previously. In this case, the forward action appears in the Data Filtering log because it was a valid forward action, but the file was not sent to WildFire and analyzed because it had already been sent to the WildFire cloud or WildFire appliance from another session, possibly from another firewall. This action will not occur for email link forwarding.

wildfire-upload-fail: The sample could not be uploaded to WildFire. This is typically caused by network communication issues between the firewall and the WildFire cloud. Verify connectivity and check DNS.

WildFire Logs: The analysis results for the samples scanned by WildFire are sent back to the firewall logs after the analysis completes. These logs are written to the firewall that forwarded the sample in Monitor > Logs > WildFire Submissions. If logs are forwarded from the firewall to Panorama, the logs are also written to the Panorama server in Monitor > Logs > WildFire Submissions. The Category column for the WildFire logs shows either benign, meaning that the file is safe (benign email links are not logged), or malicious, indicating that WildFire determined that the sample contains malicious code. If the sample is determined to be malicious, a signature is generated by the WildFire signature generator. If your firewall is configured to forward files to a WF-500 appliance, you can configure the appliance to forward samples to the WildFire cloud for signature generation, or you can Enable Signature/URL Generation on the WF-500 Appliance.
By default, firewalls with a WildFire subscription only retrieve analysis results from the WildFire cloud or WF-500 appliance if the sample is identified as malware. To generate logs for benign files, select Device > Setup > WildFire, edit General Settings, and then select the Report Benign Files check box. You can also run the following CLI command in configuration mode (the change takes effect after a commit): admin@PA-200# set deviceconfig setting wildfire report-benign-file.


Benign verdicts for email links are not logged.

To view the detailed report for a sample that has been analyzed by WildFire, locate the log entry in Monitor > Logs > WildFire Submissions, click the icon to the left of the log entry to show log details, and then click the WildFire Analysis Report tab. A login prompt appears to access the report; after you enter the correct credentials, the report is retrieved from the WildFire system and displayed in your browser. For information on portal accounts to access the WildFire cloud, see Add WildFire Portal User Accounts. For information on the admin account that is used to retrieve reports from a WildFire appliance, see Integrate the WF-500 Appliance into a Network and refer to the step that describes the portal-admin account.


Enable Email Header Information in WildFire Logs


The firewall can capture email header information (email sender, recipient(s), and subject) and send it along with the corresponding email attachments and email links that it forwards to WildFire. If WildFire determines that the email attachment or link is malicious, it includes the email header information in the WildFire Submissions log that it returns to the firewall. This information can help you to quickly track down and remediate threats that are detected in emails received by your users. Note that neither the firewall nor WildFire receives, stores, or views the actual email contents.
The following workflow describes how to enable the email header options, how to set the User-ID attribute, and how to locate log information to help you identify recipients who have downloaded malicious attachments or received an email containing a malicious link.

Configure the Email Header Option for WildFire Logs

Step 1 Enable the email header option on the firewall that will forward samples to WildFire.
  1. Select Device > Setup > WildFire.
  2. Edit the Session Information Settings section and enable one or more of the options (Email sender, Email recipient, and Email subject).
  3. Click OK to save.

Step 2 (Optional) Configure the User-ID option to enable the firewall to match User-ID information with email header information identified in email links and email attachments forwarded to WildFire. When a match occurs, the user name in the WildFire log email header section contains a link that, when clicked, brings up the ACC filtered by the user or group of users.
  1. Select Device > User Identification > Group Mapping Settings.
  2. Select the desired group mapping profile to modify it.
  3. In the Server Profile tab, in the Mail Domains section, populate the Domain List field:
     Domain List: Enter the list of email domains in your organization as a comma-separated list of up to 256 characters.
     Mail Attributes: This field is automatically populated after you fill in the Domain List field and click OK. The attributes are based on your LDAP server type (Sun/RFC, Active Directory, and Novell).


Step 3 Confirm that email header information is appearing in the WildFire reports. Within approximately 15 minutes after the file or link is forwarded, WildFire generates a log. Benign email links are not logged.
  1. Select Monitor > Logs > Data Filtering on the firewall and locate a log with the Action wildfire-upload-success. The date/time should be after the date/time at which you enabled this option.
  2. View the log and analysis report by selecting Monitor > Logs > WildFire Submissions and locate the corresponding log for the link or file attachment.
  3. Click the log details icon in the first column. In the Log Info tab, you will see the new email information in the Email Headers section. If User-ID is configured on the firewall, the domain and user name collected by User-ID are displayed in the Recipient User-ID field.
Use the email header and User-ID information to track down the message on the mail server to delete it, or use the information to locate the recipient to remove the threat if the email has already been opened.
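The last step above is the one that matters during an incident: one malicious attachment is usually delivered to several recipients, so the header fields are most useful when the WildFire Submissions entries are grouped back into messages. The script below is an added example, not code from the WildFire Administrator's Guide or from Palo Alto Networks. It reads a log export with the sender, recipient, subject and hash fields and produces, for each malicious message, the list of recipients to contact, plus a separate list of malicious samples that did not arrive by email (no header fields, for example an HTTP download). The column names and the rows are constructed for this example and are not the firewall's CSV export schema; map them to the columns of your own export before use.

```python
"""Added example, not part of the WildFire Administrator's Guide: group
malicious WildFire Submissions entries by email message using the header
fields (sender, subject, attachment hash) so each message is removed from
the mail server once and every recipient is contacted. The CSV columns and
rows below are constructed; they are not the firewall's export format."""
import csv
import io
from collections import defaultdict

H_DOC = "11" * 32   # constructed SHA-256 placeholders (64 hex characters)
H_PDF = "22" * 32
H_EXE = "33" * 32

SAMPLE_EXPORT = f"""\
receive_time,category,filetype,filename,sha256,sender,recipient,subject,recipient_user
2015/02/20 10:01:12,malicious,ms-office,invoice.doc,{H_DOC},billing@example.net,alice@example.com,Invoice 4471,example\\alice
2015/02/20 10:01:15,malicious,ms-office,invoice.doc,{H_DOC},billing@example.net,bob@example.com,Invoice 4471,example\\bob
2015/02/20 10:05:40,benign,pdf,agenda.pdf,{H_PDF},hr@example.com,alice@example.com,Agenda,example\\alice
2015/02/20 11:12:03,malicious,pe,setup.exe,{H_EXE},,,,example\\carol
"""


def triage(export_text):
    """Return (email_messages, other_deliveries) for malicious verdicts.

    email_messages maps (sender, subject, sha256) to a sorted recipient list.
    other_deliveries lists (filename, sha256, recipient_user) for malicious
    samples without email headers, i.e. not delivered by SMTP/POP3.
    """
    messages = defaultdict(set)
    other = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["category"] != "malicious":      # benign entries need no action
            continue
        if row["sender"] or row["recipient"]:   # header fields present: email
            messages[(row["sender"], row["subject"], row["sha256"])].add(row["recipient"])
        else:
            other.append((row["filename"], row["sha256"], row["recipient_user"]))
    return {key: sorted(rcpts) for key, rcpts in messages.items()}, other


def report(export_text):
    """Human-readable action list: what to delete and whom to contact."""
    messages, other = triage(export_text)
    lines = []
    for (sender, subject, sha256), recipients in sorted(messages.items()):
        lines.append(f"delete message from {sender} with subject '{subject}' "
                     f"(attachment sha256 {sha256}) delivered to: "
                     + ", ".join(recipients))
    for filename, sha256, user in other:
        lines.append(f"non-email delivery of {filename} ({sha256}) to {user}; "
                     "locate the host via User-ID")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Grouping on the attachment hash rather than only on sender and subject keeps two different campaigns that reuse the same subject line apart, and the recipient_user column (the Recipient User-ID field described in Step 3) is what lets you find the endpoint when the sample did not arrive by email at all.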


Monitor Submissions Using the WildFire Portal


Browse to the Palo Alto Networks WildFire Portal and log in using your Palo Alto Networks support credentials
or your WildFire account. The portal opens to display the dashboard, which lists summary report information
for all of the firewalls associated with the specific WildFire subscription or support account. For each device
listed, the portal displays statistics for the number of malware files that have been detected, benign samples that
have been analyzed, and the number of pending files that are waiting to be analyzed.

If your firewalls are configured to forward samples to a WF-500 appliance, log results can only be
viewed from the firewall that forwarded the file or by using the WildFire XML API.

For information on configuring additional WildFire accounts that can be used to review report information, see
Add WildFire Portal User Accounts.


Customize WildFire Portal Settings


This section describes the settings that can be customized for a portal account, such as time zone and email
notifications for each firewall. You can also delete logs stored on the portal for each firewall that forwards
samples to the WildFire cloud.

Customize the WildFire Portal Settings

Step 1 Configure the time zone for the portal account.
  1. Log in to the WildFire Portal using your Palo Alto Networks support login credentials or your WildFire user account.
  2. Click the Settings link located at the upper right of the portal window.
  3. Select the time zone from the drop-down and then click Update Time Zone to save the change. The time stamp that appears on the WildFire detailed report is based on the time zone set in your portal account.

Step 2 Delete WildFire logs for specific firewalls. This deletes all logs and notifications for the selected firewall.
  1. In the Delete WildFire Logs drop-down, select the firewall (by serial number).
  2. Click the Delete Logs button.
  3. Click OK to proceed with the deletion.

Step 3 Configure email notifications that the portal will generate based on the results of files submitted to WildFire. The email notifications are sent to the email account registered in the support account.
  1. On the portal settings page, a table is displayed with the column headings Device, Malware, and Benign. Check Malware and/or Benign for each firewall for which you would like to receive notifications, then click Update Notification to enable notifications for the selected firewalls.
  2. The first row item shows Manual. Select Malware and/or Benign to receive a notification for files that are manually uploaded to the WildFire cloud or submitted using the WildFire API, and click Update Notification to save.
  Select the check boxes directly below the column headings Malware and Benign to select all of the check boxes for the listed devices.


Add WildFire Portal User Accounts


WildFire portal accounts are created by a super user (or the registered owner of a Palo Alto Networks device)
to give additional users the ability to log in to the WildFire web portal and view WildFire data for devices
specifically granted by the super user or registered owner. A super user is the person who registered a Palo Alto
Networks firewall and has the main support account for the device(s). The WildFire user can be an existing
support site user that belongs to any account (including the sub-account, parent account, or any other account
in the system), or they may not have a Palo Alto Networks support account at all and can be granted access to
just the WildFire portal and a specific set of firewalls.

If your firewall forwards files to a WF-500 appliance, you cannot view reports for those samples
on the WildFire portal, even when enabling cloud intelligence on the appliance to submit files to
the cloud. The purpose of sending samples from an appliance to the WildFire cloud is so the cloud
will generate signatures for detected malware. Palo Alto Networks will then distribute these
signatures to customer firewalls that have a Threat Prevention or WildFire subscription.

Add WildFire User Accounts

Step 1 Access the manage users and accounts section on the support site and select an account.
  1. Log in to the Palo Alto Networks Support site.
  2. Under Manage Account, click Users and Accounts.
  3. Select an existing account or sub-account.

Step 2 Add a WildFire user.
  1. Click the Add WildFire User button.
  2. Enter the email address of the user you would like to add. The user can be an existing support site user that belongs to any account (including the sub-account, parent account, Palo Alto Networks, or any other account in the system), or any email address that does not have a support account at all. The only restriction is that the email address cannot be from a free web-based email account (Gmail, Hotmail, Yahoo, and so on). If an email address is entered for a domain that is not supported, a pop-up warning appears.

Step 3 Assign firewalls to the new user account and access the WildFire portal.
  1. Select the firewall(s) by S/N that you want to grant access to and fill out the optional account details. An email is then sent to the user. Users with an existing support account receive an email with a list of the firewalls that are now available for WildFire report viewing. If the user does not have a support account, the portal sends an email with instructions on how to access the portal and how to set a new password.
  2. The new user can now log in to the WildFire Portal and view WildFire reports for the firewalls to which they have been granted access. Users can also configure automatic email alerts for these devices in order to receive alerts on files analyzed. They can choose to receive reports on malicious and/or benign files.


View WildFire Reports


The primary method used to view WildFire reports for samples sent to the WildFire cloud or to a WildFire appliance is to access the firewall that forwarded the file to WildFire, select Monitor > Logs > WildFire Submissions, and then select the WildFire Analysis Report tab. From here you can view the report directly or download the report by clicking the Download PDF icon located at the upper right of the report. If the firewall is forwarding logs to Panorama, the logs can also be accessed from the Panorama logs. You can also retrieve reports from the WildFire portal or a WF-500 appliance by using the WildFire XML API. For more information, see Query for a WildFire PDF or XML Report.
When submitting files to the WildFire cloud (by firewall forwarding, manual upload, or the WildFire API), you
can access reports from the firewall as well as from the WildFire portal. To access the reports from the portal,
log in to the WildFire portal and click the Reports button at the top of the WildFire portal page. The portal
displays a list showing the date the file was received, the firewall serial number that forwarded the file, the
filename or URL, and the verdict (Malware or Benign). Search is also available at the top of the page and can be
used to search by file name or hash value.
To view an individual report from the portal, click the Reports icon to the left of the report name. To save the
detailed report, click the Download as PDF button on the upper right of the report page. The following shows a
list of sample files submitted by a firewall:


WildFire Report Contents


The WildFire reports will show detailed behavioral information for the sample that was analyzed by WildFire
as well as information on the user who was targeted, email header information (if enabled), the application that
delivered the file, and all URLs involved in the delivery or phone-home activity of the file. The organization of
the report may differ depending on the WildFire system (WildFire Cloud or WF-500 appliance) that analyzed
the sample. The report will contain some or all of the information described in the following table based on the
session information configured on the firewall that forwarded the file and depending on the observed behavior.

When viewing a WildFire report for a file that was manually uploaded to the WildFire portal or by
using the WildFire API, the report will not show session information because the traffic did not
traverse the firewall. For example, the report would not show the Attacker/Source and
Victim/Destination.

Report Heading: Description

Download PDF: Click the Download PDF icon (located in the upper right) to have the firewall generate a PDF version of the WildFire report.

File Information:
  File Type: Flash, PE, PDF, APK, JAR/Class, or MS Office. This field is named URL for HTTP/HTTPS email link reports and displays the URL that was analyzed.
  File Signer: The entity that signed the file for authenticity purposes.
  Hash Value: A file hash is much like a fingerprint that uniquely identifies a file to ensure that the file has not been modified in any way. WildFire generates the following hashes for each file analyzed:
    SHA-1: Displays the SHA-1 value for the file.
    SHA-256: Displays the SHA-256 value for the file.
    MD5: Displays the MD5 value for the file.
    Use the SHA-256 value when matching a sample against other sources; MD5 and SHA-1 are listed for compatibility with other tools, and both have practical collision attacks.
  File Size: The size (in bytes) of the file that WildFire analyzed.
  First Seen Timestamp: If the WildFire system has analyzed the file previously, this is the date/time that it was first observed.
  Verdict: Displays the analysis verdict:
    Benign: The file is safe and does not exhibit malicious behavior.
    Malware: WildFire identified the file as malware and generates a signature to protect against future exposure.
  Sample File: Click the Download File link to download the sample file to your local system. Note that you can only download files with the malware verdict, not benign files.


Coverage Status: Click the Virus Total link to view endpoint antivirus coverage information for samples that have already been identified by other vendors. If the file has never been seen by any of the listed vendors, file not found appears.
In addition, when the report is rendered on the firewall, up-to-date information about the signature and URL filtering coverage that Palo Alto Networks currently provides to protect against the threat is also displayed in this section. Because this information is retrieved dynamically, it does not appear in the PDF report. The following screen capture shows the coverage status that appears after rendering the report on the firewall:
The following coverage information is provided for active signatures:
  Coverage Type: The type of protection provided by Palo Alto Networks (virus, DNS, WildFire, or malware URL).
  Signature ID: A unique ID number assigned to each signature that Palo Alto Networks provides.
  Detail: The well-known name of the virus.
  Date Released: The date that Palo Alto Networks released coverage to protect against the malware.
  Content Version: The version number of the content release that provides protection against the malware.
If the firewall is configured to forward files to a WildFire appliance, the firewall queries both the appliance and the WildFire cloud to determine whether coverage information is available. If Coverage Status is available for both systems (Cloud/Appliance), a separate table appears for each system.


Session Information: Contains session information based on the traffic as it traversed the firewall that forwarded the sample. To define the session information that WildFire will include in the reports, select Device > Setup > WildFire > Session Information Settings. The following options are available:
  Source IP
  Source Port
  Destination IP
  Destination Port
  Virtual System (if multi-vsys is configured on the firewall)
  Application
  User (if User-ID is configured on the firewall)
  URL
  Filename
  Email sender
  Email recipient
  Email subject

Dynamic Analysis: If a file is low risk and WildFire can easily determine that it is safe, only a static analysis is performed instead of a dynamic analysis.
When a dynamic analysis is performed, this section contains tabs for each virtual environment that the sample was run in when it was analyzed in the WildFire cloud. For example, the Virtual Machine 1 tab may have Windows XP, Adobe Reader 9.3.3, and Office 2003, and Virtual Machine 2 may have similar attributes but with Office 2007. When a file goes through a full dynamic analysis, it is run in each virtual machine, and the results of each environment can be viewed by clicking any of the Virtual Machine tabs.
On the WF-500 appliance, only one virtual machine is used for the analysis, which you select based on the virtual environment attributes that best match your local environment. For example, if most users have Windows 7 32-bit, that virtual machine would be selected.


Behavior Summary: Each Virtual Machine tab summarizes the behavior of the sample file in the specific environment. Examples include whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects.
The Severity column indicates the severity of each behavior. The severity gauge shows one bar for low severity and additional bars for higher severity levels. This information is also added to the dynamic and static analysis sections.
The following describes the various behaviors that are analyzed:
  Network Activity: Shows network activity performed by the sample, such as accessing other hosts on the network, DNS queries, and phone-home activity. A link is provided to download the packet capture.
  Host Activity (by process): Lists activities performed on the host, such as registry keys that were set, modified, or deleted.
  Process Activity: Lists files that started a parent process, the process name, and the action the process performed.
  File: Lists files that started a child process, the process name, and the action the process performed.
  Mutex: If the sample file generates other program threads, the mutex name and parent process are logged in this field.
  Activity Timeline: Provides a play-by-play list of all recorded activity of the sample. This helps in understanding the sequence of events that occurred during the analysis. The activity timeline information is only available in the PDF export of the WildFire reports.

Submit Malware: Use this option to manually submit the sample to Palo Alto Networks. The WildFire cloud will then re-analyze the sample and generate a signature if it determines that the sample is malicious. This is useful on a WF-500 appliance that does not have signature generation enabled and does not have cloud intelligence (the option that forwards malware from the appliance to the WildFire cloud) enabled.


Report Incorrect Verdict: Click this link to submit the sample to the Palo Alto Networks threat team if you believe the verdict is a false positive or false negative. The threat team performs further analysis on the sample to determine whether it should be reclassified. If a malware sample is determined to be safe, the signature for the file is disabled in an upcoming antivirus signature update; if a benign file is determined to be malicious, a new signature is generated. After the investigation is complete, you receive an email describing the action that was taken.


Set Up Alerts for Detected Malware


This section describes the steps required to configure a Palo Alto Networks firewall to send an alert each time
WildFire identifies a malicious file or email link. You can configure alerts for benign files as well, but not benign
email links. Alerts can also be configured from the WildFire portal, see Monitor Submissions Using the WildFire
Portal. This example describes how to configure an email alert; however, you could also configure log
forwarding to receive alerts via syslog, SNMP traps, and/or Panorama.

Set Up Email Alerts for Malware

Step 1 Configure an email server profile if one is not configured.
1. Select Device > Server Profiles > Email.
2. Click Add and then enter a Name for the profile. For example, WildFire-Email-Profile.
3. (Optional) Select the virtual system to which this profile applies from the Location drop-down.
4. Click Add to add a new email server entry and enter the information required to connect to the Simple Mail
Transfer Protocol (SMTP) server and send email (up to four email servers can be added to the profile):
Server: Name to identify the mail server (1-31 characters). This field is just a label and does not have to be
the host name of an existing SMTP server.
Display Name: The name to show in the From field of the email.
From: The email address from which notification emails are sent.
To: The email address to which notification emails are sent.
Additional Recipient(s): Enter an email address to send notifications to a second recipient.
Gateway: The IP address or host name of the SMTP gateway used to send the emails.
5. Click OK to save the server profile.
6. Click Commit to save the changes to the running configuration.

Step 2 Test the email server profile.
1. Select Monitor > PDF Reports > Email Scheduler.
2. Click Add and select the new email profile from the Email Profile drop-down.
3. Click Send test email; a test email should be sent to the recipients defined in the email profile.

Step 3 Configure a log forwarding profile to forward WildFire logs to Panorama, an email account, SNMP,
and/or a syslog server. In this example you forward WildFire logs to an email account when the WildFire
verdict is Malicious. You can also enable Benign, which produces more activity if you are testing.
1. Select Objects > Log Forwarding.
2. Click Add and name the profile. For example, WildFire-Log-Forwarding.
3. In the WildFire Settings section, choose the email profile from the Email column for Malicious as shown in
the screen capture. To forward logs to Panorama, select the check boxes under the Panorama column for
Benign and/or Malicious. For SNMP and Syslog, select the drop-down and choose the appropriate profile or
click New to configure a new profile.
4. Click OK to save the changes.

Step 4 Apply the log forwarding profile to the security policy rule that contains the file blocking profile.
1. Select Policies > Security and click the policy rule that is used for WildFire forwarding.
2. In the Actions tab, Log Setting section, click the Log Forwarding drop-down and select the new log
forwarding profile. In this example, the profile is named WildFire-Log-Forwarding.
3. Click OK to save the changes and then Commit the configuration. WildFire logs are now forwarded to the
email address(es) defined in the email profile.

Step 5 (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data
port on one of the NPCs with the interface type Log Card. This is required because of the traffic/logging
capacity of the PA-7050, to avoid overwhelming the MGT port. The log card (LPC) uses this port directly and
the port acts as a log forwarding port for syslog, email, and SNMP. The firewall forwards the following log
types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to
forward files/email links to WildFire for analysis.
If the port is not configured, a commit error is displayed. Note that only one data port can be configured
with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you
configure a service route.
The PA-7050 does not forward logs to Panorama. Panorama only queries the PA-7050 log card for log
information.
1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that enables the firewall to reach
your syslog servers and your email servers for logs and email alerts. The port also needs to reach the
WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. No other configuration is needed; the PA-7050
firewall automatically uses this port as soon as it is activated.
5. Commit the configuration.

WildFire in Action
The following example scenario summarizes the full WildFire lifecycle. In this example, a sales representative
from Palo Alto Networks downloads a new software sales tool that a sales partner uploaded to Dropbox. The
sales partner unknowingly uploaded an infected version of the sales tool installer, and the sales rep then
downloads the infected file.
This example demonstrates how a Palo Alto Networks firewall, in conjunction with WildFire, can discover
zero-day malware downloaded by an end user, even if the traffic is SSL encrypted. After WildFire identifies the
malware, a log is sent to the firewall and the firewall alerts the administrator, who then contacts the user to
eradicate the malware. WildFire then generates a new signature for the malware, and firewalls with a Threat
Prevention or WildFire subscription automatically download the signature to protect against future exposure.
Although some file sharing web sites have an antivirus feature that checks files as they are uploaded, they can
only protect against known malware.
For more information on configuring WildFire, see Forward Samples to the WildFire Cloud or Forward Files
to a WF-500 Appliance.

This example uses a web site that uses SSL encryption, so the firewall must have decryption and
Allow forwarding of decrypted content enabled. For information on enabling forwarding of
decrypted content, see Forward Samples to the WildFire Cloud or Forward Files to a WF-500
Appliance.

WildFire Example Scenario

Step 1 The sales person from the partner company uploads a sales tool file named sales-tool.exe to his Dropbox
account and then sends an email to the Palo Alto Networks sales person with a link to the file.

Step 2 The Palo Alto sales person receives the email from the sales partner and clicks the download link, which takes
her to the Dropbox site. She then clicks Download to save the file to her desktop.

Step 3 The firewall that is protecting the Palo Alto sales rep has a file blocking profile attached to a security policy that
looks for files in any application used to download or upload any of the supported file types (Flash, PE, PDF,
APK, JAR/Class, or MS Office). Note that the firewall can also be configured to forward the email-link file
type, which enables the firewall to extract HTTP/HTTPS links contained in SMTP and POP3 email messages.
As soon as the sales rep clicks Download, the firewall policy forwards the sales-tool.exe file to WildFire, where
the file is analyzed for zero-day malware. Even though the sales rep is using Dropbox, which is SSL encrypted,
the firewall is configured to decrypt traffic, so all traffic can be inspected. The following screen shots show the
File Blocking Profile, the Security Policy configured with the File Blocking profile, and the option to allow
forwarding of decrypted content.

Step 4 At this point, WildFire has received the file and is analyzing it for more than 200 different malicious behaviors.
To confirm that the file was forwarded successfully, view Monitor > Logs > Data Filtering on the firewall.

Step 5 Within approximately five minutes, WildFire completes the file analysis and sends a WildFire log back to the
firewall with the analysis results. In this example, the WildFire log shows that the file is malicious.

Step 6 The firewall is configured with a log forwarding profile that sends WildFire alerts to the security administrator
when malware is discovered.

Step 7 The security administrator identifies the user by name (if User-ID is configured) or by IP address (if User-ID is
not enabled). At this point, the administrator can shut down the network or VPN connection that the sales
representative is using and then contact the desktop support group to work with the user to check and clean
the system.
Using the WildFire detailed analysis report, the desktop support person can determine whether the user's system
is infected by looking for the files, processes, and registry changes detailed in the WildFire analysis report. If the
user ran the malware, the support person can attempt to clean the system manually or re-image it.
For details on the WildFire report fields, see WildFire Report Contents.

Figure: Partial View of the WildFire Analysis Report in PDF

Step 8 Now that the administrator has identified the malware and the user system is being checked, how do you protect
against future exposure? In this example, the administrator set a schedule on the firewall to download and
install WildFire signatures every 15 minutes and to download and install Antivirus updates once per day. In
less than an hour and a half after the sales rep downloaded the infected file, WildFire identified the zero-day
malware, generated a signature, added it to the WildFire signature update provided by Palo Alto Networks, and
the firewall downloaded and installed the new signature. This firewall, and any other Palo Alto Networks
firewall configured to download WildFire and antivirus signatures, is now protected against this newly
discovered malware. The following screenshot shows the WildFire update schedule:

All of this occurs well before most antivirus vendors are even aware of the zero-day malware. In this example,
within a very short period of time, the malware is no longer considered zero-day because Palo Alto Networks
has already discovered it and has provided protection to customers to prevent future exposure.

WildFire API
The WildFire API enables you to programmatically send file analysis jobs to WildFire and query for report data
through a simple XML API interface and is supported on the WildFire cloud and the WF-500 appliance. All
API functions supported on the WildFire cloud are also supported on the WF-500 appliance, but in the case of
the appliance, you generate the API access keys used to access WildFire on the appliance instead of the Palo
Alto Networks support site. The URL used to access the WildFire cloud and the WildFire appliance are also
different. The examples in this section are based on the WildFire cloud. For an example on using the API on a
WF-500 appliance, see Use the WildFire API on a WF-500 Appliance.
About WildFire Subscriptions and API Keys
Use the WildFire API
WildFire API File Submission Methods
Query for a WildFire PDF or XML Report
Use the API to Retrieve a Sample Malware Test File
Use the API to Retrieve a Sample File or PCAP
Use the WildFire API on a WF-500 Appliance

About WildFire Subscriptions and API Keys


Access to the WildFire API key is provided if at least one Palo Alto Networks firewall has an active WildFire
subscription registered to an account holder in your organization. You can share the same API key within your
organization. The API key is displayed in the My Account section of the WildFire web portal, along with statistics,
such as how many uploads and queries have been performed using the key. The key should be considered secret
and should not be shared outside of authorized channels.
When using the WildFire API on a WF-500 appliance, you generate API keys directly on the appliance and there
is no need to generate API keys from the support site. For more information, see Use the WildFire API on a
WF-500 Appliance.

Use the WildFire API


The WildFire API uses standard HTTP requests to send and receive data. API calls can be made directly from
command line utilities such as cURL or from any scripting or application framework that supports REST
services.
The API methods are hosted on the WildFire portal, and HTTPS (not HTTP) is required in order to protect
your API key and any other data exchanged with the service.
A WildFire API key allows up to 1000 sample uploads per day and up to 10,000 report queries per day.
To use the WildFire API on a WF-500 appliance, you generate an API key from the appliance and use the IP
address or FQDN of the appliance in the URL. All other functions are the same as when using the API on the
WildFire cloud. For example, the URL to retrieve a report from the WildFire cloud is
https://wildfire.paloaltonetworks.com/publicapi/get/report. The URL to retrieve a report from a WF-500
appliance with the IP address 10.3.4.50 would be https://10.3.4.50/publicapi/get/report.
For an example, see Use the WildFire API on a WF-500 Appliance.

WildFire API File Submission Methods


Use the following methods to submit files to WildFire:
Submit a File to the WildFire Cloud Using the Submit File Method
Submit a File to WildFire Using the Submit URL Method

Submit a File to the WildFire Cloud Using the Submit File Method

The WildFire API can be used to submit all Supported File Types. The file along with your API key is required
when submitting to WildFire for analysis. The return code of the submit-file method indicates a success or error
condition. If a 200 OK code is returned, the submission is successful and a result is normally available for query
within five minutes.
The following table describes the API attributes needed to submit files to the WildFire cloud using the submit
file method:

URL https://wildfire.paloaltonetworks.com/publicapi/submit/file
Method POST
Parameters apikey Your WildFire API key

file The sample file to be analyzed


Return 200 OK Indicates success and a report is returned

401 Unauthorized API key invalid

405 Method Not Allowed Method other than POST used

413 Request Entity Too Large Sample file size over max limit

418 Unsupported File Type Sample file type is not supported

419 Max Request Reached Max number of uploads per day exceeded

500 Internal error

513 File upload failed

Submit a File to WildFire Using the Submit URL Method

Use the submit-url method to submit a file for analysis via a URL. This method is identical in interface and
functionality to the submit-file method, except that the file parameter is replaced with a url parameter. The url
parameter must point to an accessible supported file type. If a 200 OK code is returned, the submission is
successful and a result is usually available for query within five minutes.
The following table describes the API attributes needed to submit files to the WildFire cloud using a URL:

URL https://wildfire.paloaltonetworks.com/publicapi/submit/url
Method POST
Parameters apikey Your WildFire API key

url The URL for the file to be analyzed. The URL must
contain the file name, for example
http://paloaltonetworks.com/folder1/my-file.pdf.
Return 200 OK Indicates success and a report is returned

401 Unauthorized API key invalid

405 Method Not Allowed Method other than POST used

413 Request Entity Too Large Sample file size over max limit

418 Unsupported File Type Sample file type is not supported

419 Max Request Reached Max number of uploads per day exceeded

422 URL download error

500 Internal error

Code Examples for File Submit

The following cURL command demonstrates how to submit a file to WildFire using the submit file method:
curl -k -F apikey=yourAPIkey -F file=@local-file-path
https://wildfire.paloaltonetworks.com/publicapi/submit/file

The -k (--insecure) option in these examples disables TLS certificate verification. That defeats the reason
HTTPS is required in the first place: anyone who can intercept the connection can read the API key. Omit -k in
production and make sure the host trusts the certificate presented by the WildFire cloud or your appliance (for
example, by pointing cURL at the issuing CA with --cacert).

The following shell script demonstrates a simple way to submit a file to the WildFire API for analysis. The API
key is provided as the first parameter and the path to the file is the second parameter:
#!/bin/sh
# Manually upload a sample to WildFire with an API key.
# Parameter 1: API key
# Parameter 2: location of the file

key="$1"
file="$2"

/usr/bin/curl -i -k -F "apikey=$key" -F "file=@$file" \
    https://wildfire.paloaltonetworks.com/publicapi/submit/file

The following cURL command demonstrates how to submit a file to WildFire using the submit URL method:
curl -k -F apikey=yourAPIkey -F url=URL
https://wildfire.paloaltonetworks.com/publicapi/submit/url

Query for a WildFire PDF or XML Report


Use the get report method to query for an XML or PDF report of analysis results for a particular sample. Use
either the MD5, SHA-1, or SHA-256 hash of the sample file as a search query.
The following table describes the API attributes needed to query for reports:

URL https://wildfire.paloaltonetworks.com/publicapi/get/report
Method POST
Parameters hash The MD5, SHA-1, or SHA-256 hash value of the sample

apikey Your WildFire API key

format Report format: PDF or XML


Return 200 OK Indicates success and a report is returned

401 Unauthorized API key invalid

404 Not Found The report was not found

405 Method Not Allowed Method other than POST used

419 Request report quota exceeded

420 Insufficient arguments

421 Invalid arguments

500 Internal error

Example API Query for PDF or XML Report

The following cURL command demonstrates a query for a PDF report using the MD5 hash of a sample file:
curl -k -F hash=1234556 -F format=pdf -F apikey=yourAPIkey
https://wildfire.paloaltonetworks.com/publicapi/get/report

To retrieve the XML version of the report, replace format=pdf with format=xml. For example:
curl -k -F hash=1234556 -F format=xml -F apikey=yourAPIkey
https://wildfire.paloaltonetworks.com/publicapi/get/report
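The submit and get/report methods above are normally chained: submit a sample, remember its hash, then query
for the report until WildFire has a verdict. The following Python client is an added example written for this
guide page; it is not code from Palo Alto Networks. It assumes a transport callable post(url, fields) that returns
(status_code, body_bytes) so the logic can run offline; the API key, sample bytes and the responses produced by
FakeService are constructed test data. It maps the documented return codes to errors, validates the hash locally
before spending a query against the daily quota, and treats 404 from get/report as "not analyzed yet" rather than
as a failure. The base URL can be pointed at a WF-500 appliance instead of the cloud, since the /publicapi paths
are the same.

```python
"""Minimal WildFire public API client (added example, not code from the guide).

Assumptions not stated on the page: the transport is a callable
post(url, fields) -> (status_code, body_bytes) that performs a multipart POST;
the API key, sample bytes and FakeService responses are constructed test data.
"""
import hashlib
import re
import time

CLOUD_URL = "https://wildfire.paloaltonetworks.com"

# Return codes documented for submit/file, submit/url and get/report.
SUBMIT_ERRORS = {401: "API key invalid", 405: "method other than POST used",
                 413: "sample file size over max limit", 418: "unsupported file type",
                 419: "max number of uploads per day exceeded", 422: "URL download error",
                 500: "internal error", 513: "file upload failed"}
REPORT_ERRORS = {401: "API key invalid", 405: "method other than POST used",
                 419: "report quota exceeded", 420: "insufficient arguments",
                 421: "invalid arguments", 500: "internal error"}
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


class WildFireError(Exception):
    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status = status


def hash_kind(digest):
    """Validate a hash locally so a typo does not cost a 421 and a quota unit."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest) or len(digest) not in HASH_KINDS:
        raise ValueError("hash must be a hex MD5, SHA-1 or SHA-256 digest")
    return HASH_KINDS[len(digest)]


class WildFireClient:
    def __init__(self, api_key, post, base_url=CLOUD_URL):
        # base_url may be https://<WF-500 address>; the /publicapi paths are the same.
        self.api_key, self.post, self.base_url = api_key, post, base_url.rstrip("/")

    def submit_file(self, filename, data):
        """POST the sample; return its SHA-256, the key for the later report query."""
        status, _ = self.post(self.base_url + "/publicapi/submit/file",
                              {"apikey": self.api_key, "file": (filename, data)})
        if status != 200:
            raise WildFireError(status, SUBMIT_ERRORS.get(status, "unexpected status"))
        return hashlib.sha256(data).hexdigest()

    def get_report(self, digest, fmt="xml"):
        """Return the report body, or None when the service answers 404 (no report yet)."""
        hash_kind(digest)
        if fmt not in ("xml", "pdf"):
            raise ValueError("format must be xml or pdf")
        status, body = self.post(self.base_url + "/publicapi/get/report",
                                 {"apikey": self.api_key, "hash": digest, "format": fmt})
        if status == 404:
            return None
        if status != 200:
            raise WildFireError(status, REPORT_ERRORS.get(status, "unexpected status"))
        return body

    def wait_for_report(self, digest, fmt="xml", attempts=10, delay=30, sleep=time.sleep):
        """Poll get/report: 404 means 'not analyzed yet', any other error is final.
        Ten tries 30 s apart covers the roughly five minutes the guide quotes."""
        for _ in range(attempts):
            report = self.get_report(digest, fmt)
            if report is not None:
                return report
            sleep(delay)
        raise TimeoutError(f"no report for {digest} after {attempts} attempts")


class FakeService:
    """Constructed offline stand-in for the cloud: rejects unsupported extensions
    with 418 and answers 404 for the report until ready_after queries were made."""
    SUPPORTED = (".exe", ".dll", ".pdf", ".apk", ".jar", ".swf", ".doc", ".docx")

    def __init__(self, ready_after):
        self.ready_after, self.report_queries = ready_after, 0

    def post(self, url, fields):
        if url.endswith("/publicapi/submit/file"):
            name, _ = fields["file"]
            if not name.lower().endswith(self.SUPPORTED):
                return 418, b"Unsupported File Type"
            return 200, b"<wildfire-upload-file-info/>"  # constructed body
        if url.endswith("/publicapi/get/report"):
            self.report_queries += 1
            if self.report_queries < self.ready_after:
                return 404, b""
            return 200, b"<wildfire><verdict>malware</verdict></wildfire>"  # constructed
        return 405, b"Method Not Allowed"


if __name__ == "__main__":
    client = WildFireClient("A" * 64, FakeService(ready_after=3).post)
    sha256 = client.submit_file("sales-tool.exe", b"MZ constructed sample bytes")
    print(client.wait_for_report(sha256, delay=0, sleep=lambda s: None))
```

To use it against the real service, replace FakeService.post with a function that performs the multipart POST
over HTTPS with certificate verification enabled, and keep the API key out of the command line and shell
history (read it from a file with restrictive permissions or from the environment).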

Use the API to Retrieve a Sample Malware Test File


The following describes the API syntax to retrieve a sample malware file, which can be used to test end-to-end
WildFire sample processing.
For details on the sample file, see Malware Test Samples.
To retrieve the file using the API:
API: GET https://wildfire.paloaltonetworks.com/publicapi/test/pe
This returns a test file; every API call returns a similar file, but with a different SHA-256 value, so each
download exercises the full submission and verdict path rather than a cached result.
If there is a problem retrieving the file, a 500 Internal Server Error is returned.
To retrieve the test file using cURL:
curl -k https://wildfire.paloaltonetworks.com/publicapi/test/pe

Use the API to Retrieve a Sample File or PCAP

Use the API to Retrieve a Sample File
Use the API to Retrieve a Packet Capture (PCAP)

Use the API to Retrieve a Sample File

Use the get-sample method to retrieve a particular sample. You can use either the MD5, SHA-1, or SHA-256
hash of the sample file as a search query.
URL https://wildfire.paloaltonetworks.com/publicapi/get/sample
Method POST
Parameters hash The MD5, SHA-1, or SHA-256 hash value of the sample

apikey Your WildFire API key


Return 200 OK Indicates success and a sample is returned

401 Unauthorized API key invalid

403 Forbidden Permission Denied

404 Not Found The sample was not found

405 Method Not Allowed Method other than POST used

419 Request sample quota exceeded

420 Insufficient arguments

421 Invalid arguments

500 Internal error

Example API Query for Get-Sample


The following cURL command demonstrates a query for a sample using the sample's MD5 hash:
curl -k -F hash=md5hash -F apikey=yourAPIkey
https://wildfire.paloaltonetworks.com/publicapi/get/sample

Use the API to Retrieve a Packet Capture (PCAP)

Use the get-pcap method to query for a PCAP recorded during analysis of a particular sample. Use either the
MD5, SHA-1, or SHA-256 hash of the sample file as a search query. You can optionally define the platform of
the desired PCAP to specify which PCAP should be returned. If no platform is specified, the method returns
a PCAP from a session that yielded a verdict of Malware.

Samples uploaded prior to August 2014 are not guaranteed to return a PCAP if no platform
parameter is supplied.

The following table describes the available platform parameters:


Platform ID Description

1 Windows XP, Adobe Reader 9.3.3, Office 2003

2 Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007

3 Windows XP, Adobe Reader 11, Flash 11, Office 2010

4 Windows 7 32-bit, Adobe Reader 11, Flash 11, Office 2010

5 Windows 7 64bit, Adobe Reader 11, Flash 11, Office 2010.

201 Android 2.3, API 10, avd2.3.1

The following table describes the API attributes needed to query for pcaps:
URL https://wildfire.paloaltonetworks.com/publicapi/get/pcap
Method POST
Parameters hash The MD5, SHA-1, or SHA-256 hash value of the sample

apikey Your WildFire API key

platform* Target analysis environment


Return 200 OK Indicates success and a PCAP is returned

401 Unauthorized API key invalid

403 Forbidden Permission Denied

404 Not Found The PCAP was not found

405 Method Not Allowed Method other than POST used

419 Request sample quota exceeded

420 Insufficient arguments

421 Invalid arguments

500 Internal error

* Optional parameter
Example API Query for Get-PCAP
The following cURL command demonstrates a query for a PCAP using the sample's MD5 hash:
curl -k -F hash=md5hash -F apikey=yourAPIkey -F platform=targetPlatform
https://wildfire.paloaltonetworks.com/publicapi/get/pcap
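The get/sample and get/pcap methods hand back live malware and its network traffic, so the practitioner's
concerns are integrity (did I get the object I asked for?) and safe handling (where does it land on disk?). The
following Python is an added example written for this guide page, not Palo Alto Networks code. It assumes a
transport callable post(url, fields) returning (status_code, body_bytes); the platform fallback order for PCAPs is
this example's own choice, and FakeService and its bytes are constructed test data. It recomputes the requested
digest over the returned bytes and refuses a mismatch, stores the sample under its SHA-256 with a .bin extension
and owner-only permissions, and, for PCAPs, handles the documented case where a query without a platform
returns nothing by walking the platform IDs in the table above.

```python
"""Retrieve and verify WildFire samples/PCAPs (added example, not code from the guide).

Assumptions not stated on the page: the transport is a callable
post(url, fields) -> (status_code, body_bytes); the platform fallback order is
this example's choice; FakeService and its bytes are constructed test data.
"""
import hashlib
import os
import tempfile

CLOUD_URL = "https://wildfire.paloaltonetworks.com"
ERRORS = {401: "API key invalid", 403: "permission denied", 404: "not found",
          405: "method other than POST used", 419: "sample quota exceeded",
          420: "insufficient arguments", 421: "invalid arguments", 500: "internal error"}
DIGESTS = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256}
# Platform IDs from the guide's table; None lets the service pick the malware-verdict session.
PLATFORM_FALLBACK = (None, 5, 4, 3, 2, 1, 201)


class SampleMismatch(Exception):
    pass


def verify_sample(requested_hash, body):
    """Recompute the requested digest over the returned bytes. A mismatch means a
    truncated download or the wrong object; never store it under that hash.
    Returns the SHA-256, used as the canonical on-disk name."""
    algo = DIGESTS.get(len(requested_hash))
    if algo is None:
        raise ValueError("hash must be an MD5, SHA-1 or SHA-256 hex digest")
    actual = algo(body).hexdigest()
    if actual != requested_hash.lower():
        raise SampleMismatch(f"requested {requested_hash} but received {actual}")
    return hashlib.sha256(body).hexdigest()


def make_quarantine_dir():
    """mkdtemp creates the directory mode 0700: live malware stays owner-only."""
    return tempfile.mkdtemp(prefix="wildfire-quarantine-")


def fetch_sample(post, api_key, requested_hash, quarantine_dir, base_url=CLOUD_URL):
    status, body = post(base_url + "/publicapi/get/sample",
                        {"apikey": api_key, "hash": requested_hash})
    if status != 200:
        raise RuntimeError(f"{status}: {ERRORS.get(status, 'unexpected status')}")
    sha256 = verify_sample(requested_hash, body)
    # <sha256>.bin, mode 0600: no executable extension, so an accidental
    # double-click does not run it, and no other user on the host can read it.
    path = os.path.join(quarantine_dir, sha256 + ".bin")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    return path


def fetch_pcap(post, api_key, requested_hash, platforms=PLATFORM_FALLBACK, base_url=CLOUD_URL):
    """Ask without a platform first; if that yields 404 (possible for samples uploaded
    before August 2014) walk the documented platform IDs. Returns (platform, bytes)
    or (None, None) when no analysis session produced a PCAP."""
    for platform in platforms:
        fields = {"apikey": api_key, "hash": requested_hash}
        if platform is not None:
            fields["platform"] = str(platform)
        status, body = post(base_url + "/publicapi/get/pcap", fields)
        if status == 200:
            return platform, body
        if status != 404:
            raise RuntimeError(f"{status}: {ERRORS.get(status, 'unexpected status')}")
    return None, None


class FakeService:
    """Constructed offline stand-in: samples maps a hex digest to the bytes returned
    for it; pcaps maps (digest, platform string or None) to PCAP bytes."""
    def __init__(self, samples, pcaps):
        self.samples, self.pcaps = samples, pcaps

    def post(self, url, fields):
        h = fields["hash"].lower()
        if url.endswith("/publicapi/get/sample"):
            return (200, self.samples[h]) if h in self.samples else (404, b"")
        if url.endswith("/publicapi/get/pcap"):
            key = (h, fields.get("platform"))
            return (200, self.pcaps[key]) if key in self.pcaps else (404, b"")
        return 405, b"Method Not Allowed"


if __name__ == "__main__":
    sha = hashlib.sha256(b"abc").hexdigest()
    svc = FakeService({sha: b"abc"}, {(sha, "4"): b"\xd4\xc3\xb2\xa1 constructed pcap"})
    print(fetch_sample(svc.post, "A" * 64, sha, make_quarantine_dir()))
    print(fetch_pcap(svc.post, "A" * 64, sha))
```

Open the stored .bin only inside an isolated analysis environment; the quarantine directory is a holding area, not
a place to run anything from.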

Use the WildFire API on a WF-500 Appliance


To use the WildFire XML API on a WF-500 appliance, you must first generate an API key on the appliance and
then use the API key from the host computer that performs the API functions. The URL used to locate the
appliance is based on the IP address or FQDN of the appliance. After the keys are generated and you have the
URL used to locate the appliance, you can then perform all of the same API functions supported on the
WildFire cloud.
The following topics describe how to manage API keys on the appliance and provide an example on using the
WildFire API to submit file samples to the appliance.
Generate API Keys on the WildFire Appliance
Manage API Keys on the WildFire Appliance
Use the WildFire API on a WildFire Appliance

Generate API Keys on the WildFire Appliance

Generate an API Key

Step 1 Generate a new API key on the WildFire appliance. The appliance supports up to 100 API keys.
As a best practice, leave out the key-value option in this step and the appliance generates a key
automatically. If you enter a key manually, the key-value must be 64 characters, letters (a-z) or numbers
(0-9), that you choose randomly; take them from a cryptographically secure random source, never from a
password or a pattern, because the key is the only credential protecting the API.
1. Log in to the WildFire appliance CLI.
2. Generate the API key using one of the following methods:
Generate a key automatically:
admin@WF-500> create wildfire api-key name key-name
For example, to create a key with the name my-api-key:
admin@WF-500> create wildfire api-key name my-api-key
To specify the key manually (where key-value is the 64-character key):
admin@WF-500> create wildfire api-key name my-api-key key key-value
For example:
admin@WF-500> create wildfire api-key name my-api-key key
0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1

Step 2 View the API keys that you generated.
View all API keys:
admin@WF-500> show wildfire api-key all
This command also shows the date the key was generated and the last time the key was used.
In this example, the appliance generated the following key with the name my-api-key:
0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1

Manage API Keys on the WildFire Appliance

This section describes some useful commands that you can use to manage WildFire API keys on the appliance
and describes how to export and import the keys. For example, you may want to export all of your keys for
backup purposes or to make it easier to access the keys from the systems that will use the API to perform various
functions on the appliance.

Manage API Keys

Use the following commands to disable API keys temporarily, enable keys, or delete keys that are no longer
used. Disable or delete a key as soon as the host that used it is decommissioned or the key is suspected to have
leaked; the last-used time shown by show wildfire api-key all helps identify keys that are no longer in use.
Disable or enable an API key:
admin@WF-500> edit wildfire api-key status [disable | enable] key api-key
For example, to disable the API key used in this example:
admin@WF-500> edit wildfire api-key status disable key
0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1
In the above command, you can type the first few unique characters of the key and then press Tab to
complete the remaining characters.
Delete an API key:
admin@WF-500> delete wildfire api-key key api-key
For example:
admin@WF-500> delete wildfire api-key key
0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1

Use the following commands to export API keys from the appliance or import them using Secure Copy (SCP).
The exported file contains the keys themselves, so store and transfer it with the same care as the keys: restrict
who can read it on the SCP server and delete it when it is no longer needed.
Save all API keys to a file to prepare the keys for export:
admin@WF-500# save wildfire api-key to filename
For example:
admin@WF-500# save wildfire api-key to my-api-keys
To SCP the API key file to an SCP-enabled server:
admin@WF-500> scp export wildfire-api-keys to username@host:path
For example:
admin@WF-500> scp export wildfire-api-keys to bart@10.10.10.5:c:/scp/
You can also import the key file from an SCP-enabled server:
admin@WF-500> scp import wildfire-api-keys from bart@10.10.10.5:c:/scp/my-api-keys
After importing API keys, you must load the keys:
admin@WF-500# load wildfire api-key mode [merge | replace] from my-api-keys
If you leave out the mode option, the default behavior is to merge the new keys with the existing ones. To
replace all API keys on the appliance, use the replace option. For example, to replace all API keys, enter the
command:
admin@WF-500# load wildfire api-key mode replace from my-api-keys
Confirm that the keys were loaded:
admin@WF-500> show wildfire api-key all

Use the WildFire API on a WildFire Appliance

The following workflow describes how to use the WildFire API to submit a sample file to a WF-500 appliance
for analysis. After understanding the basic concepts illustrated in this workflow, you can then use any of the API
functions that are available on the WildFire cloud. See WildFire API for links to other WildFire API examples
based on the WildFire cloud. The functions are the same, but in the case of the WF-500 appliance, you will use
the API key generated on the appliance and the URL of the appliance.

This workflow requires a host computer that has the cURL command line tool installed. You will
then send files from the host computer to the WildFire appliance using the URL syntax.

Use the WildFire API to Submit a File Sample

Step 1 Generate a WildFire API key for the host computer that will perform API functions on the WildFire appliance.
For details, see Generate API Keys on the WildFire Appliance.
1. Access the CLI on the WildFire appliance and generate an API key:
admin@WF-500> create wildfire api-key name my-api-key
2. View the API keys:
admin@WF-500> show wildfire api-key all
3. Make sure the key status is Enabled and then highlight and copy the key. The following screen capture shows
an example API key named my-api-key.

Step 2 Using the new API key that you generated, submit a sample file to the WildFire appliance.
1. Place a sample file in a folder that can be accessed from the host computer that has the cURL command line
tool installed and note the path of the sample file.
2. Submit the file using cURL:
curl -k -F apikey=your-API-key -F file=@local-file-path --remote-name
https://WF-appliance-IP/publicapi/submit/file
The syntax varies based on the host that you are using. The following examples show the syntax for a Linux
host and a Windows host.
From a Linux host:
curl -k -F apikey=87C142CB01CA5BEBE06E226A25C0A473B34050B617073E21E8F1A6BCB8C5C387 -F
file=@test-wf-api.docx --remote-name https://10.3.4.99/publicapi/submit/file

From a Windows host (the only difference is the file path following the @ symbol):
curl -k -F apikey=87C142CB01CA5BEBE06E226A25C0A473B34050B617073E21E8F1A6BCB8C5C387 -F
file=@c:/scp/test-wf-api.docx --remote-name https://10.3.4.99/publicapi/submit/file

The -k option skips verification of the appliance certificate; use it only while testing, because it allows the
API key to be captured by anyone who can intercept the connection. Once the appliance presents a certificate
the host trusts, omit -k.

3. Verify that the API successfully submitted the file to the WildFire appliance. To view a list of recent samples
submitted to the appliance:
admin@WF-500> show wildfire latest samples
The following screen capture shows that the sample file test-wf-api.docx was successfully submitted to the
appliance:

If the sample file does not appear on the appliance, verify connectivity between the host computer and the appliance and
confirm that the folder/file path is correct. You can also run show wildfire status (the status should show Idle) and
show wildfire statistics to verify that the appliance is ready to analyze files. For more information on
troubleshooting, refer to the Palo Alto Networks WildFire Administrators Guide.

WildFire Appliance Software CLI Reference
This section describes the CLI commands that are specific to the WF-500 appliance software. All other
commands, such as configuring interfaces, committing the configuration, and setting system information are
identical to PAN-OS and are also shown in the hierarchy. For information on the PAN-OS commands, refer to
the Palo Alto Networks PAN-OS Command Line Reference Guide.
WildFire Appliance Software CLI Concepts
WildFire CLI Command Modes
Access the CLI
Use the CLI
Configuration Mode Command Reference
Operational Mode Command Reference

WildFire Appliance Software CLI Concepts


This section introduces and describes how to use the WildFire appliance software command line interface (CLI):
WildFire Appliance Software CLI Structure
WildFire Appliance Software CLI Command Conventions
WildFire Appliance CLI Command Messages
Command Option Symbols
Privilege Levels

WildFire Appliance Software CLI Structure

The WildFire appliance software CLI is used to manage the appliance. The CLI is the only interface to the
appliance. Use it to view status and configuration information and modify the appliance configuration. Access
the WildFire appliance software CLI over SSH or by direct console access using the console port.
The WildFire appliance software CLI operates in two modes:

Operational modeView the state of the system, navigate the WildFire appliance software CLI, and enter
configuration mode.

Configuration modeView and modify the configuration hierarchy.

WildFire Appliance Software CLI Command Conventions

The basic command prompt incorporates the user name and hostname of the appliance:
username@hostname>
Example:
admin@WF-500>
When entering Configuration mode, the prompt changes from > to #:
username@hostname>              (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#              (Configuration mode)
In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square
brackets when a command is issued.


WildFire Appliance CLI Command Messages

Messages may be displayed when issuing a command. The messages provide context information and can help
in correcting invalid commands. In the following examples, the message is the line that the CLI prints directly
after the command.
Example: Unknown command
username@hostname# application-group
Unknown command: application-group
[edit network]
username@hostname#
Example: Changing modes
username@hostname# exit
Exiting configuration mode
username@hostname>
Example: Invalid syntax
username@hostname> debug 17
Unrecognized command
Invalid syntax.
username@hostname>
The CLI checks the syntax of each command. If the syntax is correct, it executes the command and the
candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as
in the following example:
username@hostname# set deviceconfig setting wildfire cloud-intelligence
submit-sample yes
Unrecognized command
Invalid syntax.
[edit]
username@hostname#

Command Option Symbols

The symbol preceding an option can provide additional information about command syntax.

Symbol Description

* This option is required.


> There are additional nested options for this command.

+ There are additional command options for this command at this level.

| There is an option to specify an except value or a match value to restrict the command output.


" Although the double quote is not a command option symbol, it must be used when entering multi-word
phrases in CLI commands. For example, to create an address group named Test Group and to add the user
named user1 to this group, you must surround the group name with double quotes as follows:
set address-group "Test Group" user1

If you do not put double quotes around the group name, the CLI interprets the word Test as the group name
and Group as the username, and the following error is displayed: test is not a valid name.

A single quote would also be invalid in this example.

The following examples show how these symbols are used.


Example: In the following command, the keyword from is required:
username@hostname> scp import configuration ?
+ remote-port SSH port number on remote host
* from Source (username@host:path)
username@hostname> scp import configuration
Example: This command output shows options designated with + and >.
username@hostname# set rulebase security rules rule1 ?
+ action action
+ application application
+ destination destination
+ disabled disabled
+ from from
+ log-end log-end
+ log-setting log-setting
+ log-start log-start
+ negate-destination negate-destination
+ negate-source negate-source
+ schedule schedule
+ service service
+ source source
+ to to
> profiles profiles
<Enter> Finish input
[edit]
username@hostname# set rulebase security rules rule1
Each option listed with + can be added to the command.
The profiles keyword (with >) has additional options:
username@hostname# set rulebase security rules rule1 profiles ?


+ virus Help string for virus
+ spyware Help string for spyware
+ vulnerability Help string for vulnerability
+ group Help string for group
<Enter> Finish input
[edit]
username@hostname# set rulebase security rules rule1 profiles

Privilege Levels

Privilege levels determine which commands the user is permitted to execute and the information the user is
permitted to view.

Level Description

superreader Has complete read-only access to the appliance.

superuser Has complete read-write access to the appliance.


WildFire CLI Command Modes


This section describes the modes used to interact with the WildFire appliance software CLI:
Configuration Mode
Operational Mode

Configuration Mode

Entering commands in configuration mode modifies the candidate configuration. The modified candidate
configuration is stored in the appliance memory and maintained while the appliance is running.
Each configuration command involves an action, and may also include keywords, options, and values.
This section describes Configuration mode and the configuration hierarchy:
Configuration Mode Command Usage
Configuration Hierarchy
Navigate the Hierarchy

Configuration Mode Command Usage

Use the following commands to store and apply configuration changes:

save: Saves the candidate configuration to non-volatile storage on the appliance. The saved configuration is
retained until overwritten by a subsequent save command. Note that this command does not make the
configuration active.

commit: Applies the candidate configuration to the appliance. A committed configuration becomes the active
configuration for the device.

set: Changes a value in the candidate configuration.

load: Assigns the last saved configuration or a specified configuration to be the candidate configuration.

The candidate configuration is held only in memory. If you exit configuration mode without issuing the save or
commit command, the uncommitted changes are lost if the appliance loses power or restarts.


Maintaining a candidate configuration and separating the save and commit steps confers important advantages
when compared with traditional CLI architectures:

Distinguishing between the save and commit concepts allows multiple changes to be made together and
applied as one unit at commit time, so the appliance never runs with a partially applied configuration.

Commands can easily be adapted for similar functions. For example, when configuring two Ethernet
interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the
command, modify only the interface and IP address, and then apply the change to the second interface.

The command structure is always consistent.

Because there is a single candidate configuration, all changes made to it by authorized administrators are
validated together at commit time and are therefore consistent with each other.

Configuration Hierarchy

The configuration for the appliance is organized in a hierarchical structure. To display a segment of the current
hierarchy level, use the show command. Entering show alone displays the complete hierarchy below the current
context, while entering show with keywords displays only that segment. For example, running show from the
top level of configuration mode displays the entire configuration. Running edit mgt-config followed by show,
or running show mgt-config from the top level, displays only the mgt-config part of the hierarchy.


Hierarchy Paths

When entering commands, the path is traced through the hierarchy from the top level. For example, the
following command assigns the primary DNS server 10.0.0.246 for the appliance:
[edit]
username@hostname# set deviceconfig system dns-setting servers primary 10.0.0.246
This command generates a new element in the hierarchy, which appears in the output of the following show
command:
[edit]
username@hostname# show deviceconfig system dns-setting
dns-setting {
  servers {
    primary 10.0.0.246
  }
}
[edit]
username@hostname#


Navigate the Hierarchy

The [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy
context.
[edit]
indicates that the relative context is the top level of the hierarchy, whereas
[edit deviceconfig]
indicates that the relative context is at the deviceconfig level.
Use the following commands to navigate through the configuration hierarchy.

Command Description

edit Sets the context for configuration within the command hierarchy.

up Changes the context to the next higher level in the hierarchy.

top Changes the context to the highest level in the hierarchy.

A set command issued after using the up or top command is interpreted relative to the new context.


Operational Mode

At the initial login to the device, the WildFire appliance software CLI opens in Operational mode. Operational
mode commands involve actions that are executed immediately. They do not involve changes to the
configuration, and do not need to be saved or committed.
Operational mode commands are of several types:

Network access: Open a session to another host. SSH is supported.

Monitoring and troubleshooting: Perform diagnosis and analysis. Includes debug and ping commands.

Display commands: Display or clear current information. Includes clear and show commands.

WildFire appliance software CLI navigation commands: Enter Configure mode or exit the WildFire
appliance software CLI. Includes configure, exit, and quit commands.

System commands: Make system-level requests or restart. Includes set and request commands.


Access the CLI


This section describes how to access and begin using the WildFire appliance software CLI:
Establish a Direct Console Connection
Establish an SSH Connection

Establish a Direct Console Connection

Use the following settings for direct console connection:

Data rate: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none

Establish an SSH Connection

To access the WildFire appliance software CLI:

Launch the WildFire CLI

1. Use an SSH client (or terminal emulation software with SSH support) to connect to the management
address of the WF-500 appliance. On the first connection, record the SSH host key fingerprint the appliance
presents and verify it out of band, so that a later change of host key is noticed rather than accepted.

2. Enter the administrative user name. The default is admin.

3. Enter the administrative password. The default is admin. Because the default credentials are published,
change the admin password at first login, before the appliance is reachable from anything other than the
console.

The WildFire appliance software CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>


Use the CLI


Access Operational and Configuration Modes
Display WildFire Appliance Software CLI Command Options
Restrict Command Output
Set the Output Format for Configuration Commands

Access Operational and Configuration Modes

When logging in, the WildFire appliance software CLI opens in Operational mode. You can navigate between
Operational and Configuration modes at any time.

To enter Configuration mode from Operational mode, use the configure command:
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#

To leave Configuration mode and return to Operational mode, use the quit or exit command:
username@hostname# quit
Exiting configuration mode
username@hostname>
To enter an Operational mode command while in Configuration mode, use the run command. For example,
to show system resources from configure mode, use run show system resources.

Display WildFire Appliance Software CLI Command Options

Use ? (or Meta-H) to display a list of command options, based on context:


To display a list of operational commands, enter ? at the command prompt.
username@hostname> ?
clear Clear runtime parameters
configure Manipulate software configuration information
debug Debug and diagnose
exit Exit this session
grep Searches file for lines containing a pattern match
less Examine debug file content
ping Ping hosts and networks
quit Exit this session
request Make system-level requests
scp Use ssh to copy file to another host
set Set operational parameters
show Show operational parameters
ssh Start a secure shell to another host
tail Print the last 10 lines of debug file content


username@hostname>

To display the available options for a specified command, enter the command followed by ?.
Example:
username@hostname> ping ?
+ bypass-routing Bypass routing table, use specified interface
+ count Number of requests to send (1..2000000000 packets)
+ do-not-fragment Don't fragment echo request packets (IPv4)
+ inet Force to IPv4 destination
+ interface Source interface (multicast, all-ones, unrouted packets)
+ interval Delay between requests (seconds)
+ no-resolve Don't attempt to print addresses symbolically
+ pattern Hexadecimal fill pattern
+ record-route Record and report packet's path (IPv4)
+ size Size of request packets (0..65468 bytes)
+ source Source address of echo request
+ tos IP type-of-service value (0..255)
+ ttl IP time-to-live value (IPv6 hop-limit value) (0..255 hops)
+ verbose Display detailed output
+ wait Delay after sending last packet (seconds)
<host> Hostname or IP address of remote host

Restrict Command Output

Some operational commands include an option to restrict the displayed output. To restrict the output, enter a
pipe symbol followed by except or match and the value that is to be excluded or included:
Example:
The following sample output is for the show system info command:
username@hostname> show system info
hostname: WF-500
ip-address: 192.168.2.20
netmask: 255.255.255.0
default-gateway: 192.168.2.1
mac-address: 00:25:90:95:84:76
vm-interface-ip-address: 10.16.0.20
vm-interface-netmask: 255.255.252.0
vm-interface-default-gateway: 10.16.0.1
vm-interface-dns-server: 10.0.0.247
time: Mon Apr 15 13:31:39 2013
uptime: 0 days, 0:02:35
family: m
model: WF-500
serial: 009707000118
sw-version: 5.1.0
logdb-version: 5.0.2
platform-family: m

username@hostname>


The following sample displays only the system model information:
username@hostname> show system info | match model
model: WF-500
username@hostname>

Set the Output Format for Configuration Commands

Change the output format for the configuration commands by using the set cli config-output-format
command in Operational mode. Options are default, json (JavaScript Object Notation), set, and xml. The
default format is a hierarchical format in which configuration sections are indented and enclosed in curly
brackets. The set format prints the equivalent set commands, which is convenient for reviewing a
configuration or reproducing it on another appliance.


Configuration Mode Command Reference


This section contains command reference information for the following Configuration mode commands that
are specific to the WF-500 appliance software. All other commands that are part of the WildFire appliance
software are identical to PAN-OS as described in the Palo Alto Networks PAN-OS Command Line Reference
Guide.
set deviceconfig setting wildfire
set deviceconfig system update-schedule
set deviceconfig system vm-interface

set deviceconfig setting wildfire

Description

Configure WildFire settings on the WF-500 appliance. You can configure forwarding of malicious samples and
reports to the cloud, define the cloud server that receives them, enable local signature generation, and enable
or disable the vm-network that gives the sandbox Internet access.

Hierarchy Location

set deviceconfig setting

Syntax

wildfire {
  active-vm <value>;
  cloud-server <value>;
  vm-network-enable {no | yes};
  vm-network-use-tor {enable | disable};
  cloud-intelligence {
    submit-report {no | yes};
    submit-sample {no | yes};
  }
  signature-generation {
    av {no | yes};
    dns {no | yes};
    url {no | yes};
  }
}


Options

+ active-vm Select the virtual machine environment that WildFire will use for sample analysis. Each VM image
has a different configuration, such as Windows XP with specific versions of Flash, Adobe Reader, and so on.
To view which VM is selected, run admin@WF-500> show wildfire status and check the Selected VM field. To
view the VM environment information, run admin@WF-500> show wildfire vm-images.
+ cloud-server Hostname of the cloud server to which the appliance forwards malicious samples and reports
for re-analysis. The default cloud server is wildfire-public-cloud. To configure what is forwarded, use set
deviceconfig setting wildfire cloud-intelligence.
+ vm-network-enable Enable or disable the vm-network. When enabled, sample files running in the virtual
machine sandbox can access the Internet through the vm-interface. This helps WildFire better analyze the
behavior of malware, for example phone-home activity. Because live malware traffic leaves the appliance
when this option is enabled, the vm-interface must be connected to an isolated Internet path and never to
the management network (see set deviceconfig system vm-interface).
+ vm-network-use-tor Enable or disable use of the Tor network for the vm-interface. When enabled, traffic
generated by the sandbox systems on the WF-500 appliance during sample analysis is sent through the Tor
network. Tor masks your public-facing IP address, so the operators of a malicious site cannot determine the
source of the traffic. It does not stop the sample from reaching its destination, so the isolation requirement
for the vm-interface still applies.
+ cloud-intelligence Configure the appliance to submit WildFire reports or samples to the Palo Alto Networks
WildFire cloud. The submit-report option sends reports for malicious samples to the cloud for statistical
gathering. The submit-sample option sends the malicious samples themselves to the cloud. If submit-sample
is enabled, there is no need to enable submit-report, because the sample is re-analyzed in the cloud and a
new report and signature are generated if the sample is malicious. Before enabling submit-sample, confirm
that sending potentially sensitive files off the appliance is acceptable under your data handling policy.
+ signature-generation Enable the appliance to generate signatures locally, eliminating the need to send any
data to the public cloud in order to block malicious content. The WF-500 appliance analyzes files forwarded
to it from Palo Alto Networks firewalls or through the WildFire API and generates antivirus and DNS
signatures that block both the malicious files and the associated command-and-control traffic. When the
appliance detects a malicious URL, it sends the URL to PAN-DB, and PAN-DB assigns it the malware
category.

Sample Output

The following shows an example output of the WildFire settings.


admin@WF-500# show deviceconfig setting wildfire
wildfire {
  active-vm vm-5;
  cloud-intelligence {
    submit-sample yes;
    submit-report no;
  }
  cloud-server wildfire-public-cloud;
  signature-generation {
    av yes;
    dns yes;
    url yes;
  }
}


Required Privilege Level

superuser, deviceadmin
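As an added example (not code from the WildFire guide or from Palo Alto Networks), the following Python script parses the curly-brace format that the appliance's show command prints, using the sample output above as its constructed input, and then reviews the wildfire settings. The checks in audit_wildfire (flagging submit-sample yes, a vm-network enabled without Tor, and any local signature generation that is not enabled) are this example's own assumptions about what an operator may want to review, not vendor guidance, and the appliance defaults for keys absent from the output are not inferred.

```python
"""Parse WF-500 `show` configuration output and review the wildfire settings.

Added example, not from the WildFire guide. SAMPLE is the guide's sample output
for `show deviceconfig setting wildfire`; the policy in audit_wildfire() is an
assumption made for illustration.
"""
import re

SAMPLE = """\
wildfire {
  active-vm vm-5;
  cloud-intelligence {
    submit-sample yes;
    submit-report no;
  }
  cloud-server wildfire-public-cloud;
  signature-generation {
    av yes;
    dns yes;
    url yes;
  }
}
"""

# Tokens: double-quoted strings (multi-word names), braces/semicolons, bare words.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse_config(text):
    """Return nested dicts: `name { ... }` becomes a dict, `key value;` a string."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def parse_block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip('"'))
                pos += 1
            if pos >= len(tokens) or not words:
                raise ValueError("malformed configuration near token %d" % pos)
            if tokens[pos] == "{":
                pos += 1                      # consume "{"
                node[" ".join(words)] = parse_block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError("unterminated block %r" % " ".join(words))
                pos += 1                      # consume "}"
            else:
                pos += 1                      # consume ";"
                node[words[0]] = " ".join(words[1:])
        return node

    root = parse_block()
    if pos != len(tokens):
        raise ValueError("unexpected '}' at top level")
    return root


def lookup(cfg, path, default=None):
    """Dotted-path lookup, e.g. lookup(cfg, "wildfire.cloud-intelligence.submit-sample")."""
    node = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_wildfire(cfg):
    """Return human-readable findings for the wildfire settings (assumed policy)."""
    findings = []
    if lookup(cfg, "wildfire.vm-network-enable") == "yes" and \
            lookup(cfg, "wildfire.vm-network-use-tor") != "enable":
        findings.append("vm-network enabled without Tor: sandbox traffic reveals your public IP")
    if lookup(cfg, "wildfire.cloud-intelligence.submit-sample") == "yes":
        findings.append("submit-sample yes: malicious samples are sent to the public cloud")
    for kind in ("av", "dns", "url"):
        if lookup(cfg, "wildfire.signature-generation." + kind) != "yes":
            findings.append("local %s signature generation is not enabled" % kind)
    return findings


if __name__ == "__main__":
    config = parse_config(SAMPLE)
    print("active VM:", lookup(config, "wildfire.active-vm"))
    for finding in audit_wildfire(config):
        print("FINDING:", finding)
```

The parser keeps multi-word, double-quoted names as a single key (as the CLI requires for names such as "Test Group") and rejects unbalanced braces instead of silently returning a partial tree, so a truncated capture of show output cannot pass an audit by omission.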

set deviceconfig system update-schedule

Description

Schedule content updates on a WF-500 appliance. These content updates equip the appliance with the most
up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate
the malicious from the benign.

Hierarchy Location

set deviceconfig system update-schedule

Syntax

wf-content recurring {
  daily {
    action {download-and-install | download-only};
    at <hh:mm>;
  }
  hourly {
    action {download-and-install | download-only};
    at <minutes-past-hour>;
  }
  weekly {
    action {download-and-install | download-only};
    at <hh:mm>;
    day-of-week {friday | monday | saturday | sunday | thursday | tuesday | wednesday};
  }
}

Options

> wf-content WF-500 content updates
> daily Schedule an update every day
+ action Specify the action to take: download and install the update, or download only, after which you
install it manually
+ at Time specification hh:mm (e.g. 20:10)
> hourly Schedule an update every hour
+ action Specify the action to take: download and install the update, or download only, after which you
install it manually
+ at Minutes past the hour
> weekly Schedule an update once a week
+ action Specify the action to take: download and install the update, or download only, after which you
install it manually
+ at Time specification hh:mm (e.g. 20:10)
+ day-of-week Day of the week (friday, monday, saturday, sunday, thursday, tuesday, wednesday)


Sample Output

The following output, taken from the [edit deviceconfig system] context, shows a weekly schedule:
admin@WF-500# show
update-schedule {
  wf-content {
    recurring {
      weekly {
        at 19:00;
        action download-and-install;
        day-of-week friday;
      }
    }
  }
}

Required Privilege Level

superuser, deviceadmin

set deviceconfig system vm-interface

Description

The vm-interface is used by malware running in the WF-500 appliance virtual machine sandbox to access the
Internet. Activating this port is recommended and helps WildFire better identify malicious activity when the
malware reaches out to the Internet for phone-home or other activity. Because the traffic on this interface is
generated by live malware, connect it to an isolated network segment with its own Internet path; never connect
it to the management network or to any network with access to internal systems. For more information, see
Set Up the VM Interface on the WF-500 Appliance.
After configuring the vm-interface, enable it by running the following command:
set deviceconfig setting wildfire vm-network-enable yes

Hierarchy Location

set deviceconfig system

Syntax

vm-interface {
  default-gateway <ip_address>;
  dns-server <ip_address>;
  ip-address <ip_address>;
  link-state {up | down};
  mtu <value>;
  netmask <ip_address>;
  speed-duplex <value>;
}

Options

admin@WF-500# set vm-interface ?
+ default-gateway Default gateway for the VM interface
+ dns-server DNS server for the VM interface
+ ip-address IP address for the VM interface
+ link-state Set the link state to up or down
+ mtu Maximum Transmission Unit for the VM interface
+ netmask IP netmask for the VM interface
+ speed-duplex Speed and duplex for the VM interface

Sample Output

The following shows a configured vm-interface.


vm-interface {
ip-address 10.16.0.20;
netmask 255.255.252.0;
default-gateway 10.16.0.1;
dns-server 10.0.0.246;
}

Required Privilege Level

superuser, deviceadmin


Operational Mode Command Reference


This section contains command reference information for the following Operational mode commands that are
specific to the WF-500 appliance software. All other commands that are part of the WildFire appliance software
are identical to PAN-OS; refer to the Palo Alto Networks PAN-OS Command Line Reference Guide for
information on those commands.
create wildfire api-key
delete wildfire api-key
delete wildfire-metadata
edit wildfire api-key
load wildfire api-key
request system raid
request system wildfire-vm-image
request wf-content
save wildfire api-key
set wildfire portal-admin
show system raid
show wildfire
test wildfire registration

create wildfire api-key

Description

Generate API keys on a WF-500 appliance that an external system uses to submit samples to the appliance,
query reports, or retrieve samples and packet captures (PCAPs) from the appliance. Treat each key as a
credential: anyone who holds it can perform those operations, so generate keys on the appliance, assign a
separate key to each consuming system, and disable or delete keys that are no longer used.

Syntax

create {
  wildfire {
    api-key {
      key <value>;
      name <value>;
    }
  }
}


Options

+ key Create an API key by manually entering a key value. The value must be exactly 64 characters, each a
letter (a-z) or a digit (0-9). If you do not specify the key option, the appliance generates a key automatically,
which is the preferred method. If you do supply a value, produce it with a cryptographically secure random
generator; never hand-pick or reuse a key.
+ name Optionally enter a name for the API key. The name only labels the key so that keys assigned to
specific uses are easier to identify; it has no effect on how the key works.

Sample Output

The following output shows that the appliance has three API keys, one of which is named my-api-key.
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| Apikey                                                           | Name           | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key     | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |                | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C |                | Enabled | 2014-08-04 17:00:42 |                     |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+

Required Privilege Level

superuser, deviceadmin

delete wildfire api-key

Description

Delete an API key from the WF-500 appliance. Systems configured to use the API to perform API functions
on the appliance will no longer be able to access the appliance after you delete the key.

Syntax

delete {
  wildfire {
    api-key {
      key <value>;
    }
  }
}


Options

+ key <value> The key value for the key that you want to delete. To view a list of API
keys, run the following command: admin@WF-500> show wildfire api-keys all

Sample Output

admin@WF-500> delete wildfire api-key key A0418F8EADABA4C78CD3106D71147321462C5AA085B2979136447B1EC334655A
APIKey A0418F8EADABA4C78CD3106D71147321462C5AA085B2979136447B1EC334655A deleted

Required Privilege Level

superuser, deviceadmin

delete wildfire-metadata

Description

Delete content updates on the WF-500 appliance. For more information on content updates and how to install
them, see request wf-content.

Syntax

delete {
  wildfire-metadata update <value>;
}

Options

+ update <value> Define the content update that you want to delete.

Sample Output

The output that follows shows the deletion of an update named panup-all-wfmeta-2-181.candidate.tgz.
admin@WF-500> delete wildfire-metadata update panup-all-wfmeta-2-181.candidate.tgz
successfully removed panup-all-wfmeta-2-181.candidate.tgz


Required Privilege Level

superuser, deviceadmin

edit wildfire api-key

Description

Modify an API key name or the key status (enabled/disabled) on a WF-500 appliance.

Syntax

edit {
  wildfire {
    api-key {name <value> | status {enable | disable}} key <value>;
  }
}

Options

+ name Change the name of an API key
+ status Enable or disable an API key
* key Specify the key to modify

Sample Output

The key value in this command is required. For example, to rename the key currently named stu to stu-key1,
enter the following command. You do not enter the old name; only the new name and the key value are given:
admin@WF-500> edit wildfire api-key name stu-key1 key B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288
To change the status of stu-key1 to disabled, enter the following command:
admin@WF-500> edit wildfire api-key status disable key B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288
Example output that shows that stu-key1 is disabled:
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+----------+----------+---------------------+---------------------+
| Apikey                                                           | Name     | Status   | Create Time         | Last Used Time      |
+------------------------------------------------------------------+----------+----------+---------------------+---------------------+
| B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288 | stu-key1 | Disabled | 2014-08-21 07:23:34 |                     |
+------------------------------------------------------------------+----------+----------+---------------------+---------------------+

Required Privilege Level

superuser, deviceadmin
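The create, show and edit commands above together give an operator everything needed for API key hygiene, but the appliance does not do the bookkeeping. As an added example (not code from the WildFire guide or from Palo Alto Networks), the following Python script generates a key value that satisfies the format required by the key option of create wildfire api-key, parses the table that show wildfire api-keys all prints, flags enabled keys that have been idle for longer than a threshold (or were never used since creation), and emits the edit wildfire api-key status disable commands to run. The listing is constructed from the table format shown in this guide using the key values printed in its samples; the 90-day idle threshold and the one-key-per-system policy are assumptions for illustration.

```python
"""API-key hygiene on a WF-500: generate a key value that meets the create
wildfire api-key format, and audit the `show wildfire api-keys all` listing for
enabled keys that are idle or were never used.

Added example, not code from the WildFire guide. LISTING is constructed from the
table format the guide shows (the key values are the ones printed in the guide's
samples). The 90-day idle threshold is an assumption for illustration.
"""
import secrets
import string
from datetime import datetime, timedelta

LISTING = """\
+------------------------------------------------------------------+------------+----------+---------------------+---------------------+
| Apikey                                                           | Name       | Status   | Create Time         | Last Used Time      |
+------------------------------------------------------------------+------------+----------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key | Enabled  | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |            | Enabled  | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C |            | Enabled  | 2014-08-04 17:00:42 |                     |
| B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288 | stu-key1   | Disabled | 2014-08-21 07:23:34 |                     |
+------------------------------------------------------------------+------------+----------+---------------------+---------------------+
"""

KEY_LENGTH = 64
KEY_CHARS = set(string.ascii_letters + string.digits)


def generate_key():
    """64 uppercase hex characters (256 bits) from the OS CSPRNG, the same shape
    as appliance-generated keys. Never hand-pick or derive a key."""
    return secrets.token_hex(KEY_LENGTH // 2).upper()


def is_valid_key(value):
    """Format check for a manually supplied `key <value>`: 64 letters or digits."""
    return len(value) == KEY_LENGTH and all(c in KEY_CHARS for c in value)


def parse_key_listing(text):
    """Turn the ASCII table into a list of dicts keyed by column header."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                                   # border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None


def stale_keys(rows, now, max_idle=timedelta(days=90)):
    """Enabled keys whose last use (or creation, if never used) is older than max_idle."""
    flagged = []
    for row in rows:
        if row["Status"] != "Enabled":
            continue
        last_activity = _ts(row["Last Used Time"]) or _ts(row["Create Time"])
        if now - last_activity > max_idle:
            flagged.append(row["Apikey"])
    return flagged


def disable_commands(keys):
    """CLI commands to run on the appliance; disable first, delete once nothing breaks."""
    return ["edit wildfire api-key status disable key %s" % k for k in keys]


def audit(listing, as_of, max_idle_days=90):
    """Parse a listing captured at time `as_of` and return the disable commands."""
    now = datetime.strptime(as_of, "%Y-%m-%d %H:%M:%S")
    return disable_commands(stale_keys(parse_key_listing(listing), now,
                                       timedelta(days=max_idle_days)))


if __name__ == "__main__":
    new_key = generate_key()
    print("create wildfire api-key name backup-server key", new_key)  # hypothetical name
    for cmd in audit(LISTING, "2014-10-01 00:00:00"):
        print(cmd)
```

Disabling rather than deleting is deliberate: a disabled key can be re-enabled with edit wildfire api-key status enable if a forgotten system turns out to depend on it, whereas delete wildfire api-key is irreversible.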

load wildfire api-key

Description

After importing API keys to the WF-500 appliance, you must use the load command to make the keys available
for use. Use this command to replace all existing API keys, or you can merge the keys in the import file with the
existing key database.

Syntax

load {
  wildfire {
    api-key {
      from <value>;
      mode {merge | replace};
    }
  }
}

Options

* from Specify the API key file that you want to import. Key files use the .keys file extension, for example
my-api-keys.keys. To view a list of key files that are available for import, enter the following command:
admin@WF-500> load wildfire api-key from ?
+ mode Optionally enter the mode for the import (merge or replace). If you do not specify the mode option,
the keys in the file are merged into the existing key database. For example, to replace the key database on the
appliance with the contents of the new key file, enter the following command:
admin@WF-500> load wildfire api-key mode replace from my-api-keys.keys

The replace mode discards every key that is not in the file, including keys that external systems are currently
using. Before using it, export the existing keys with save wildfire api-key so that they can be restored.

Required Privilege Level

superuser, deviceadmin


request system raid

Description

Use this option to manage the RAID pairs installed in the WildFire appliance. The WF-500 appliance ships with
four drives in the first four drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and
B2 are a second RAID 1 pair.

Hierarchy Location

request system

Syntax

raid {
  add <value>;
  copy {
    from <value>;
    to <value>;
  }
  remove <value>;
}
Options

> add Add a drive to the corresponding RAID disk pair
> copy Copy and migrate from one drive to the other drive in the bay
> remove Drive to remove from a RAID disk pair

Sample Output

The following output shows a WildFire WF-500 appliance with a correctly configured RAID.
admin@WF-500> show system raid
Disk Pair A            Available
  Disk id A1           Present
  Disk id A2           Present
Disk Pair B            Available
  Disk id B1           Present
  Disk id B2           Present


Required Privilege Level

superuser, deviceadmin

request system wildfire-vm-image

Description

Install upgraded virtual machine (VM) sandbox images on the WF-500 appliance. The appliance does not fetch
VM images from the Palo Alto Networks Update Server itself: download the image manually from the update
server, host it on an SCP-enabled server, and retrieve it from the appliance using the appliance's SCP client.
After the image is on the appliance, install it using this command.

Hierarchy Location

request system

Syntax

request {
system {
wildfire-vm-image {
upgrade install file <value>;
}
}
}

Options

> wildfire-vm-image Install Virtual Machine (VM) images.


+ upgrade install file Perform an upgrade to the VM image. After the file option, type ? to view a list of
available VM images. For example, run the following command to list available images:
admin@WF-500> request system wildfire-vm-image upgrade install file ?

Sample Output

To list available VM images, run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file ?

To install a VM image (Windows 7 64-bit in this example), run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file WFWin7_64Base_m-1.0.0_64base


Required Privilege Level

superuser, deviceadmin

request wf-content

Description

Perform content updates on a WF-500 appliance. These content updates equip the appliance with the most
up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate
the malicious from the benign. To schedule content updates to install automatically, see set deviceconfig system
update-schedule; to delete content updates from the WF-500, see delete wildfire-metadata.

Hierarchy Location

request

Syntax

request wf-content {
  downgrade install {previous | <value>};
  upgrade {
    check;
    download latest;
    info;
    install {
      file <filename>;
      version latest;
    }
  }
}

Options

> downgrade Installs a previous content version. Use the previous option to install
the previously installed content package or enter a value to downgrade to a specific
content package number.
> upgrade Performs content upgrade functions
> check Obtain information on available content packages from the Palo Alto Networks
Update Server
> download Download a content package
> info Show information about available content packages
> install Install a content package
> file Specify the name of the file containing the content package
> version Download or upgrade based on the version number of the content package


Sample Output

To list available content updates, run the following command:


admin@WF-500> request wf-content upgrade check

Version  Size  Released on              Downloaded  Installed
-------------------------------------------------------------------------
2-217    58MB  2014/07/29 13:04:55 PDT  yes         current
2-188    58MB  2014/07/01 13:04:48 PDT  yes         previous
2-221    59MB  2014/08/02 13:04:55 PDT  no          no
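The table above is read by eye; the following added example (not Palo Alto Networks code) parses the same output so the check can be scripted: it decides whether the installed package is behind the newest package listed by the Update Server and returns the request wf-content commands from the syntax above that would bring the appliance current (a download step is only needed when the newest package shows Downloaded no). The table literal is the sample output reproduced as constructed input; the function and class names are the example's own.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed input: the `request wf-content upgrade check` table from the
# sample output above, one package per line as the appliance prints it.
SAMPLE_CHECK_OUTPUT = """\
Version Size Released on Downloaded Installed
-------------------------------------------------------------------------
2-217 58MB 2014/07/29 13:04:55 PDT yes current
2-188 58MB 2014/07/01 13:04:48 PDT yes previous
2-221 59MB 2014/08/02 13:04:55 PDT no no
"""


class ContentPackage(NamedTuple):
    version: str      # e.g. "2-221"
    size: str
    released: str     # date, time and zone as printed
    downloaded: bool  # "Downloaded" column
    installed: str    # "current", "previous" or "no"


# A data row: version, size, release timestamp (date time zone), yes/no, state.
# Header, rule and prompt lines simply do not match.
_ROW = re.compile(
    r"^(?P<version>\d+-\d+)\s+(?P<size>\S+)\s+"
    r"(?P<released>\d{4}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\s+\S+)\s+"
    r"(?P<downloaded>yes|no)\s+(?P<installed>current|previous|no)\s*$"
)


def parse_content_check(text: str) -> List[ContentPackage]:
    """Parse the check table into one ContentPackage per data row."""
    packages = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            packages.append(ContentPackage(
                m.group("version"), m.group("size"), m.group("released"),
                m.group("downloaded") == "yes", m.group("installed")))
    return packages


def version_key(version: str) -> Tuple[int, ...]:
    """Order versions numerically: "2-221" > "2-217" and "2-10" > "2-9"."""
    return tuple(int(part) for part in version.split("-"))


def installed_version(packages: List[ContentPackage]) -> Optional[str]:
    """Version marked 'current', or None if nothing is installed."""
    return next((p.version for p in packages if p.installed == "current"), None)


def pending_upgrade(packages: List[ContentPackage]) -> Optional[ContentPackage]:
    """Newest listed package if it is newer than the current one, else None."""
    if not packages:
        return None
    newest = max(packages, key=lambda p: version_key(p.version))
    current = installed_version(packages)
    if current is None or version_key(newest.version) > version_key(current):
        return newest
    return None


def next_commands(packages: List[ContentPackage]) -> List[str]:
    """CLI steps (taken from the syntax above) that bring the appliance current."""
    target = pending_upgrade(packages)
    if target is None:
        return []
    steps = []
    if not target.downloaded:
        steps.append("request wf-content upgrade download latest")
    steps.append("request wf-content upgrade install version latest")
    return steps


if __name__ == "__main__":
    pkgs = parse_content_check(SAMPLE_CHECK_OUTPUT)
    print("installed:", installed_version(pkgs))
    for cmd in next_commands(pkgs):
        print("run:", cmd)
```

Run against the sample table, the script reports 2-217 as installed and lists the download and install commands, since 2-221 is newer and not yet downloaded.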

Required Privilege Level

superuser, deviceadmin

save wildfire api-key

Description

Use the save command to save all API keys on the WF-500 appliance to a file. You can then export the key file
for backup purposes or to modify the keys in bulk. Because each key authenticates a client to the WildFire API on
the appliance, treat the exported file as a credential store: restrict who can read it and delete exported copies
that are no longer needed. For details on using the WildFire API on a WF-500 appliance, see About WildFire
Subscriptions and API Keys.

Hierarchy Location

save

Syntax

save {
wildfire {
api-key to <value>;
}
}

Options

* to Enter the filename for key export. For example, to export all of the API keys on
the WF-500 to a file named my-wf-keys, enter the following command:
admin@WF-500> save wildfire api-key to my-wf-keys


Required Privilege Level

superuser, deviceadmin

set wildfire portal-admin

Description

Sets the password for the portal admin account, which an administrator uses to view WildFire analysis reports
generated by a WF-500 appliance. The account name (admin) and password are required to view a report from
the firewall or from Panorama in Monitor > WildFire Submissions > View WildFire Report. The default
username and password are admin/admin; change the default password before you rely on the appliance for
reports, because anyone who knows the default credentials can read the analysis reports it holds.

The portal admin account is the only account that you configure on the appliance to view reports
from the firewall or Panorama. You cannot create additional accounts or change the account name.
This is not the same admin account that is used to manage the appliance.

Hierarchy Location

set wildfire

Syntax

set {
wildfire {
portal-admin {
password <value>;
}
}
}

Sample Output

The following shows the output of this command.


admin@WF-500> set wildfire portal-admin password
Enter password:
Confirm password:

Required Privilege Level

superuser, deviceadmin


show system raid

Description

Show the RAID configuration of the appliance. The WF-500 appliance ships with four drives in the first four
drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and B2 are a second RAID 1 pair.

Hierarchy Location

show system

Syntax

raid {
detail;
}

Options

No additional options.

Sample Output

The following shows the RAID configuration on a functioning WF-500 appliance.


admin@WF-500> show system raid detail

Disk Pair A Available
Status clean
Disk id A1 Present
model : ST91000640NS
size : 953869 MB
partition_1 : active sync
partition_2 : active sync
Disk id A2 Present
model : ST91000640NS
size : 953869 MB
partition_1 : active sync
partition_2 : active sync
Disk Pair B Available
Status clean
Disk id B1 Present
model : ST91000640NS
size : 953869 MB
partition_1 : active sync
partition_2 : active sync
Disk id B2 Present
model : ST91000640NS
size : 953869 MB
partition_1 : active sync
partition_2 : active sync

Required Privilege Level

superuser, superreader

show wildfire

Description

Shows various information about the WildFire appliance, such as available API keys, registration information,
activity, recent samples that the appliance analyzed, and the virtual machine that is selected to perform analysis.

Hierarchy Location

show wildfire

Syntax

api-keys {
all {
details;
}
key <value>;
}
last-device-registration all;
latest {
analysis {
filter malicious|benign;
sort-by SHA256|Submit Time|Start Time|Finish Time|Malicious|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
samples {
filter malicious|benign;
sort-by SHA256|Create Time|File Name|File Type|File Size|Malicious|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
sessions {
filter malicious|benign;
sort-by SHA256|Create Time|Src IP|Src Port|Dst Ip|Dst Port|File|Device ID|App|Malicious|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
uploads {
sort-by SHA256|Create Time|Finish Time|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
}
sample-status {
sha256 {
equal <value>;
}
}
statistics days <1-31>;
status;
vm-images;

Options

admin@WF-500> show wildfire


> api-keys Show details about the API keys generated on the WF-500 appliance. You can
view the last time the key was used, the key name, status (Enabled or Disabled), and the
date/time the key was generated.
> last-device-registration Show list of latest registration activities.
> latest Show latest 30 activities, which include the last 30 analysis activities, the
last 30 files that were analyzed, network session information on files that were
analyzed and files that were uploaded to the public cloud server.
> sample-status Show WildFire sample status. Enter the SHA-256 hash of the file (sha256 equal <value>)
to view the current analysis status.
> statistics Display basic wildfire statistics.
> status Display the status of the appliance as well as configuration information such
as the Virtual Machine (VM) used for sample analysis, whether or not samples/reports are
sent to the cloud, vm network, and registration information.
> vm-images Display the attributes of the available virtual machine images used for
sample analysis. To view the current active image, run the following command:
admin@WF-500> show wildfire status and view the Select VM field.


Sample Output

The following shows the output for this command.


admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| Apikey                                                           | Name           | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key-stu | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |                | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
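Key hygiene is the practitioner's concern with this table: a key that is enabled but has never been used, one that has sat idle for a long time, or one with no name recording who owns it should be reviewed and disabled or deleted if nobody claims it. The following added example (not Palo Alto Networks code) parses the api-keys table into rows and flags such keys, reporting only a prefix of each key so the review output does not itself leak credentials. The table literal is the sample output above reflowed to one line per row; the reference time (taken from the sample-status timestamps later on this page) and the 30-day idle threshold are assumptions chosen for the example.

```python
from datetime import datetime
from typing import Dict, List

# Constructed input: the `show wildfire api-keys all` table from the sample
# output above, reflowed so that each row occupies one line.
SAMPLE_API_KEYS_OUTPUT = """\
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| Apikey                                                           | Name           | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key-stu | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |                | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Assumed "now" for the audit: the sample-status timestamp shown on this page.
REFERENCE_TIME = datetime(2014, 8, 4, 11, 49, 41)


def parse_api_key_table(text: str) -> List[Dict[str, str]]:
    """Turn the pipe-drawn table into one dict per key, keyed by header name."""
    header = None
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines carry no data
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells  # first pipe row is the column header
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def redact(apikey: str) -> str:
    """Never echo a full key into a report; a prefix is enough to locate it."""
    return apikey[:8] + "..."


def audit_api_keys(rows: List[Dict[str, str]], now: datetime,
                   max_idle_days: int) -> Dict[str, List[str]]:
    """Return {redacted key: [reasons]} for keys that deserve review.

    Flags keys with no name (owner unknown), enabled keys that have never
    been used, and enabled keys idle for longer than max_idle_days.
    """
    findings = {}
    for row in rows:
        reasons = []
        if not row["Name"]:
            reasons.append("no name: owner unknown")
        if row["Status"] == "Enabled":
            last_used = row["Last Used Time"]
            if not last_used:
                reasons.append("enabled but never used")
            else:
                idle = (now - datetime.strptime(last_used, TIME_FORMAT)).days
                if idle > max_idle_days:
                    reasons.append(f"idle for {idle} days")
        if reasons:
            findings[redact(row["Apikey"])] = reasons
    return findings


if __name__ == "__main__":
    keys = parse_api_key_table(SAMPLE_API_KEYS_OUTPUT)
    for key, reasons in audit_api_keys(keys, REFERENCE_TIME, 30).items():
        print(key, "->", "; ".join(reasons))
```

On the sample table the first key is flagged as never used and the second as unnamed and idle for 38 days; a key that fails review can be disabled or deleted with the appliance's key-management commands rather than left enabled indefinitely.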

admin@WF-500> show wildfire last-device-registration all


+--------------+---------------------+-------------+------------+----------+--------+
| Device ID | Last Registered | Device IP | SW Version | HW Model | Status |
+--------------+---------------------+-------------+------------+----------+--------+
| 001606000114 | 2014-07-31 12:35:53 | 10.43.14.24 | 6.1.0-b14 | PA-200 | OK |
+--------------+---------------------+-------------+------------+----------+--------+

admin@WF-500> show wildfire latest


> analysis Show latest 30 analysis
> samples Show latest 30 samples
> sessions Show latest 30 sessions
> uploads Show latest 30 uploads

admin@WF-500> show wildfire sample-status sha256 equal 809bad2d3fbdf1c18ef47ba9c5a0feca691103f094bc8d7e0cbed480870fd78c

Sample information:
+---------------------+---------------------------------------------------------------+------------------+-----------+-----------+-------------------+
| Create Time         | File Name                                                     | File Type        | File Size | Malicious | Status            |
+---------------------+---------------------------------------------------------------+------------------+-----------+-----------+-------------------+
| 2014-08-04 11:49:41 | 25047801_20130919175646000_970x66_Adobe_Marketing_RM_AUTO.swf | Adobe Flash File | 64502     | No        | analysis complete |
+---------------------+---------------------------------------------------------------+------------------+-----------+-----------+-------------------+

Session information:
+---------------------+---------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
| Create Time         | Src IP        | Src Port | Dst IP       | Dst Port | File                                                          | Device ID    | App   | Malicious | Status    |
+---------------------+---------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
| 2014-08-04 11:49:41 | 10.10.10.50   | 80       | 192.168.2.10 | 64108    | 25047801_20130919175646000_970x66_Adobe_Marketing_RM_AUTO.swf | 001606000114 | flash | No        | completed |
+---------------------+---------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+

Analysis information:
+---------------------+---------------------+---------------------+-----------+-----------------------------------------------------------+-----------+
| Submit Time         | Start Time          | Finish Time         | Malicious | VM Image                                                  | Status    |
+---------------------+---------------------+---------------------+-----------+-----------------------------------------------------------+-----------+
| 2014-08-04 11:49:41 | 2014-08-04 11:49:41 | 2014-08-04 11:56:52 | No        | Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010 | completed |
+---------------------+---------------------+---------------------+-----------+-----------------------------------------------------------+-----------+

admin@WF-500> show wildfire statistics

Last one hour statistics :


Total sessions submitted : 0
Samples submitted : 0
analyzed : 0
pending : 0
malicious : 0
benign : 0
error : 0
uploaded : 0

Last 24 hours statistics :


Total sessions submitted : 13
Samples submitted : 13
analyzed : 13
pending : 0
malicious : 0
benign : 13
error : 0
uploaded : 0

admin@WF-500> show wildfire status

Connection info:
Wildfire cloud: s1.wildfire.paloaltonetworks.com
Status: Idle
Submit sample: disabled
Submit report: disabled
Selected VM: vm-5
VM internet connection: disabled
VM network using Tor: disabled
Best server: s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 10.3.4.99
Signature verification: enable
Server selection: enable
Through a proxy: no
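Several of the fields above decide whether anything leaves the appliance: Submit sample and Submit report control forwarding to the public cloud, and the VM internet connection and VM network using Tor fields describe how, if at all, the analysis VM reaches the Internet. The following added example (not Palo Alto Networks code) parses the status output into field/value pairs and compares it against an expected posture, so configuration drift is reported field by field. The status text is the sample output above as constructed input; the PRIVATE_POLICY values are an assumed posture for an appliance that must keep samples and reports on premises, not a vendor recommendation.

```python
from typing import Dict, List

# Constructed input: the `show wildfire status` output from the sample above.
SAMPLE_STATUS_OUTPUT = """\
Connection info:
Wildfire cloud: s1.wildfire.paloaltonetworks.com
Status: Idle
Submit sample: disabled
Submit report: disabled
Selected VM: vm-5
VM internet connection: disabled
VM network using Tor: disabled
Best server: s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 10.3.4.99
Signature verification: enable
Server selection: enable
Through a proxy: no
"""

# Assumed posture for an appliance that keeps samples and reports on premises
# (an assumption for this example, not a Palo Alto Networks recommendation).
PRIVATE_POLICY = {
    "Submit sample": "disabled",
    "Submit report": "disabled",
    "VM internet connection": "disabled",
    "VM network using Tor": "disabled",
    "Signature verification": "enable",
    "Device registered": "yes",
}


def parse_status(text: str) -> Dict[str, str]:
    """Split 'Field: value' lines; headings with no value (Connection info:) are skipped."""
    status = {}
    for line in text.splitlines():
        field, sep, value = line.strip().partition(":")
        if sep and value.strip():
            status[field.strip()] = value.strip()
    return status


def audit_status(status: Dict[str, str], policy: Dict[str, str]) -> List[str]:
    """One finding per policy field that is missing from the output or differs."""
    findings = []
    for field, expected in policy.items():
        actual = status.get(field)
        if actual is None:
            findings.append(f"{field}: not reported")
        elif actual != expected:
            findings.append(f"{field}: {actual} (expected {expected})")
    return findings


if __name__ == "__main__":
    current = parse_status(SAMPLE_STATUS_OUTPUT)
    problems = audit_status(current, PRIVATE_POLICY)
    print("compliant" if not problems else "\n".join(problems))
```

The sample output matches the assumed policy, so the audit returns no findings; flipping Submit sample to enabled or Signature verification to disable in the captured output produces one finding per changed field, which is the shape a scheduled check would alert on.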

Required Privilege Level

superuser, superreader

test wildfire registration

Description

Performs a test to check the registration status of a WildFire appliance or Palo Alto Networks firewall to a
WildFire server. If the test is successful, the IP address or server name of the WildFire server is displayed. A
successful registration is required before a WildFire appliance or firewall can forward files to the WildFire server.

Syntax

test {
wildfire {
registration;
}
}

Options

No additional options.

Sample Output

The following shows a successful output on a firewall that can communicate with a WildFire appliance. If this
is a WildFire appliance pointing to the Palo Alto Networks WildFire cloud, the server name of one of the cloud
servers is displayed in the select the best server: field.
Test wildfire
wildfire registration: successful
download server list: successful
select the best server: ca-s1.wildfire.paloaltonetworks.com


Required Privilege Level

superuser, superreader
