
Palo Alto Networks

WildFire Administrators Guide


Version 6.1

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/

About this Guide


This guide describes the administrative tasks required to use and maintain the Palo Alto Networks WildFire feature.
Topics covered include licensing information, configuring firewalls to forward files for inspection, viewing reports, and
how to configure and manage the WF-500 WildFire appliance.
Refer to the following sources for more information:

For information on the additional capabilities and for instructions on configuring the features on the firewall, refer
to https://www.paloaltonetworks.com/documentation.

For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
https://live.paloaltonetworks.com.

For contacting support, for information on the support programs, or to manage your account or devices, refer to
https://support.paloaltonetworks.com

For the latest release notes, go to the software downloads page at
https://support.paloaltonetworks.com/Updates/SoftwareUpdates.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks


www.paloaltonetworks.com
2007-2015 Palo Alto Networks. All rights reserved.
Palo Alto Networks and PAN-OS are registered trademarks of Palo Alto Networks, Inc.
Revision Date: February 23, 2015


Table of Contents
Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
WildFire Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
About WildFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
WildFire Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
File/Email Link Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Supported File Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
WildFire Virtual Sandboxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
WildFire Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
WildFire Email Link Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
WildFire Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
WildFire Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Malware Test Samples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
WildFire Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
WildFire Subscription Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Best Practices for Keeping Signatures up to Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Reference: Firewall File Forwarding Capacity by Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

WF-500 Appliance File Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19


About the WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configure the WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Prerequisites for Configuring the WF-500 Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Integrate the WF-500 Appliance into a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Verify the WF-500 Appliance Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Set Up the VM Interface on the WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Virtual Machine Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Configure the VM Interface on the WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Configure the Firewall to Control Traffic for the WF-500 VM Interface . . . . . . . . . . . . . . . . . . . . . . . 32
Manage Content Updates on the WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Install Content Updates Directly from the Update Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Install Content Updates from an SCP-Enabled Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Forward Files to a WF-500 Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Configure a Firewall to Forward Samples to a WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Verify Forwarding to a WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Signature/URL Generation on a WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Enable Signature/URL Generation on the WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configure the Firewall to Retrieve Updates from a WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . 47
Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

WildFire Cloud File Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53


Forward Samples to the WildFire Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54


Verify Forwarding to the WildFire Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Upload Files using the WildFire Cloud Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

WildFire Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
WildFire Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Enable Email Header Information in WildFire Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Monitor Submissions Using the WildFire Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Customize WildFire Portal Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Add WildFire Portal User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
View WildFire Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
WildFire Report Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Set Up Alerts for Detected Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
WildFire in Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

WildFire API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
About WildFire Subscriptions and API Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Use the WildFire API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
WildFire API File Submission Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Submit a File to the WildFire Cloud Using the Submit File Method . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Submit a File to WildFire Using the Submit URL Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Query for a WildFire PDF or XML Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Use the API to Retrieve a Sample Malware Test File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Use the API to Retrieve a Sample File or PCAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Use the WildFire API on a WF-500 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Generate API Keys on the WildFire Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Manage API Keys on the WildFire Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Use the WildFire API on a WildFire Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

WildFire Appliance Software CLI Reference. . . . . . . . . . . . . . . . . . . . . . . . 101


WildFire Appliance Software CLI Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
WildFire Appliance Software CLI Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
WildFire Appliance Software CLI Command Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
WildFire Appliance CLI Command Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Command Option Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Privilege Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

WildFire CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106


Configuration Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Operational Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Access the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Establish a Direct Console Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Establish an SSH Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Use the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112


Access Operational and Configuration Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112


Display WildFire Appliance Software CLI Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Restrict Command Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Set the Output Format for Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuration Mode Command Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
set deviceconfig setting wildfire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
set deviceconfig system update-schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
set deviceconfig system vm-interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Operational Mode Command Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
create wildfire api-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
delete wildfire api-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
delete wildfire-metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
edit wildfire api-key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
load wildfire api-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
request system raid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
request system wildfire-vm-image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
request wf-content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
save wildfire api-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
set wildfire portal-admin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
show system raid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
show wildfire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
test wildfire registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135


WildFire Overview
WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing,
signature-based detection, and blocking of malware. WildFire extends the capabilities of Palo Alto Networks
next-generation firewalls to identify and block targeted and unknown malware.
The following topics describe WildFire and how to integrate it into your environment:

About WildFire

WildFire Concepts

WildFire Deployments

WildFire Subscription Requirements

Best Practices for Keeping Signatures up to Date

Reference: Firewall File Forwarding Capacity by Platform


About WildFire
Modern malware is at the heart of many of today's most sophisticated network attacks and is increasingly
customized to avoid traditional security solutions. Palo Alto Networks has developed an integrated approach
that addresses the full malware life cycle, which includes preventing infections, identifying zero-day malware
(undiscovered malware), or targeted malware (malware targeting a specific industry or corporation), as well as
pinpointing and disrupting active infections.
The Palo Alto Networks WildFire engine exposes zero-day and targeted malware through direct observation in
a virtual environment within the WildFire system. The WildFire feature also makes extensive use of the Palo
Alto Networks App-ID technology by identifying file transfers within all applications, not just email
attachments or browser-based file downloads.
For information on Palo Alto Networks WildFire privacy policy, refer to
https://live.paloaltonetworks.com/docs/DOC-2880.
Figure: High-Level WildFire Decision Workflow illustrates the basic WildFire workflow, and Figure: Detailed
WildFire Decision Flow describes the entire WildFire lifecycle from the time a user downloads a malicious file
to the point where WildFire generates a signature that Palo Alto Networks firewalls use to protect against
future exposure to the malware.
The High-Level WildFire Decision Workflow describes the workflow for a file download. The
analysis of an HTTP/HTTPS link contained in an email is very similar, but there are minor
differences. For details on email-link analysis, see WildFire Email Link Analysis.


Figure: High-Level WildFire Decision Workflow


Figure: Detailed WildFire Decision Flow


WildFire Concepts

File/Email Link Forwarding

Supported File Types

WildFire Virtual Sandboxes

WildFire Signatures

WildFire Email Link Analysis

WildFire Alerts

WildFire Logging and Reporting

Malware Test Samples

File/Email Link Forwarding


With the integrated solution between WildFire and Palo Alto Networks firewalls, you configure the firewall with
a file blocking profile and attach it to a security policy rule that instructs the firewall to automatically forward
samples to the WildFire system for threat analysis. The samples can be specific file types or HTTP/HTTPS links
contained in SMTP or POP3 messages. If a user downloads a file sample over a session that matches the security
rule, the firewall performs a file hash check with WildFire to determine whether WildFire has previously analyzed
the sample. If the file is new, it is forwarded for analysis, even if it is contained within a ZIP file or transferred
over compressed HTTP. In the case of an email link, the firewall extracts HTTP/HTTPS links from SMTP and
POP3 email messages that match the forwarding policy and forwards the link to WildFire (see WildFire Email
Link Analysis). You can also configure the firewall to forward files inside encrypted SSL sessions if SSL
decryption is enabled.
For information on configuring forwarding, see Forward Files to a WF-500 Appliance or Forward Samples to
the WildFire Cloud.

Supported File Types


WildFire can analyze the following file types:

Email-link: HTTP/HTTPS email links contained in SMTP and POP3 email messages. Note that the
firewall only extracts links and associated session information (sender, recipient, and subject) from the email
messages that traverse the firewall; it does not receive, store, forward, or view the email message. The
WF-500 appliance does not support email link analysis.

Flash: Adobe Flash applets and Flash content embedded in web pages.

APK: Android Application Package. Not supported on the WF-500 appliance.

PDF: Portable Document Format.

JAR: Java Applet (JAR/Class file types). The WF-500 appliance will analyze Java content, but will not
generate signatures for malicious samples. You must download the sample from the WildFire Submissions
log and upload it to the WildFire cloud for signature generation.

PE: Portable Executable, which includes executable files, object code, DLLs, FON (fonts), and others.

MS-Office: Microsoft Office files including documents (doc, docx, rtf), workbooks (xls, xlsx), and
PowerPoint (ppt, pptx). As of content update 450, WildFire can generate antivirus signatures for Office
Open XML (OOXML) 2007+ documents that it determines to be malicious and delivers the signatures
through WildFire and antivirus updates, enabling the firewall to alert on or block malicious content in these
types of files.
A WildFire subscription is not required on the firewall to forward PE file types to WildFire for
analysis, but is required to analyze all other supported file types.

WildFire Virtual Sandboxes


WildFire executes the suspect files it receives in a virtual environment and observes the behavior for signs of
malicious activity, such as changes to browser security settings, injection of code into other processes,
modification of files in the Windows system folder, or domains that the sample attempted to access. When the
WildFire engine completes the analysis, it generates a detailed forensics report that summarizes the observed
behaviors and assigns a verdict of malware or benign. Similarly, WildFire extracts HTTP/HTTPS links from
SMTP and POP3 email messages and visits the links to determine whether the corresponding web page hosts any
exploits. If WildFire detects malicious behavior, it generates a report, submits the URL to PAN-DB, and
categorizes the URL as malware. Note that WildFire does not generate logs for benign email links.
WildFire includes sandbox support for the following operating system environments:

Microsoft Windows XP 32-bit

Microsoft Windows 7 32-bit

Microsoft Windows 7 64-bit

WildFire Signatures
The key benefits of the Palo Alto Networks WildFire feature are that it can discover zero-day malware in web
traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic and can quickly generate
signatures to protect against future infections from the malware it discovers. WildFire automatically
generates a signature based on the malware payload of the sample and tests it for accuracy and safety. Because
malware evolves rapidly, the signatures that WildFire generates address multiple variants of the malware. As
WildFire detects new malware, it generates new signatures within 15-30 minutes. Firewalls equipped with a
WildFire subscription can receive the new signatures within 15 minutes. If you do not have a WildFire
subscription, signatures are made available within 24-48 hours as part of the antivirus update for firewalls
equipped with a Threat Prevention subscription.


As soon as the firewall downloads and installs the new signature, any files that contain that malware (or a variant
of it) are automatically dropped by the firewall. Information gathered by WildFire during the analysis of
malware is also used to fortify other Threat Prevention features, such as adding malware URLs to PAN-DB and
generating DNS, antivirus, and anti-spyware signatures. Palo Alto Networks also develops signatures
for command and control traffic, enabling immediate disruption of the communications of any malware inside
the network. For details on signatures and the benefits of having a WildFire subscription, see WildFire
Subscription Requirements.

WildFire Email Link Analysis


The firewall not only forwards files to WildFire for threat analysis, it can also extract HTTP/HTTPS links
contained in SMTP and POP3 email messages and forward the links to the WildFire cloud for analysis. This
feature is not supported on the WF-500 appliance. You enable this functionality by configuring the firewall to
forward the email-link file type. Note that the firewall only extracts links and associated session information
(sender, recipient, and subject) from the email messages that traverse the firewall; it does not receive, store,
forward, or view the email message.
After receiving an email link from a firewall, WildFire visits the links to determine if the corresponding web
page hosts any exploits. If WildFire determines that the page itself is benign, it will not generate a log. However,
if it detects malicious behavior on the page, it returns a malicious verdict and:

Generates a detailed analysis report and logs it to the WildFire Submissions log on the firewall that
forwarded the links. This log now includes the email header information (email sender, recipient, and
subject) so that you can identify the message and delete it from the mail server and/or track down the
recipient and mitigate the threat if the email has already been delivered and/or opened.

Adds the URL to PAN-DB and categorizes the URL as malware.

Note that if the link corresponds to a file download, WildFire does not analyze the file. However, the firewall
will forward the corresponding file to WildFire for analysis if the end user clicks the link to download it as long
as the corresponding file type is enabled for forwarding.
The firewall forwards email links in batches of 100 email links or every two minutes, whichever comes first. Each
batch upload to WildFire counts as one upload toward the upload per-minute capacity for the given firewall
platform (Reference: Firewall File Forwarding Capacity by Platform). To determine if the firewall is forwarding
email links, run the following command from the firewall that is configured to forward to WildFire:
admin@PA-200> show wildfire statistics

View the file type: email-link counter section under Counters for file forwarding.
When email links are forwarded, the following counters will increment:

FWD_CNT_APPENDED_BATCH: Indicates the number of email links added to a batch waiting
for upload to WildFire.

FWD_CNT_LOCAL_FILE: Indicates the total number of email links uploaded to WildFire.

To ensure that you gain the full benefits of this feature, confirm the following on each firewall that will forward
samples to WildFire.

A valid WildFire subscription is installed.

WildFire content updates are configured to download-and-install frequently (every 15 minutes at
minimum).

PAN-DB is the active URL filtering vendor.
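To make the batching rule above concrete (100 links or two minutes, whichever comes first, with each batch counting as one upload toward the platform's per-minute capacity), here is an added Python simulation. It is not PAN-OS code: the class, the injected clock, the per-minute accounting, and the sample links are constructed for illustration; only the two trigger values and the two counter names come from this guide.

```python
"""Simulation of the email-link batching behaviour described in this chapter.

Constructed illustration, not PAN-OS code. The batch triggers (100 links or
two minutes) and the counter names come from the guide; the injected clock,
the per-minute upload accounting and the scenario below are assumptions made
so the rule can be observed deterministically.
"""
from collections import Counter

BATCH_SIZE = 100          # links per batch (from the guide)
BATCH_INTERVAL_S = 120    # two minutes (from the guide)


class EmailLinkBatcher:
    """Collects extracted email links and flushes them in batches.

    `now` is a callable returning seconds, so the time trigger can be driven
    from a test instead of the wall clock (constructed for the example).
    """

    def __init__(self, now, per_minute_capacity):
        self._now = now
        self._capacity = per_minute_capacity
        self._batch = []
        self._batch_started = None
        self.counters = Counter()   # mirrors the two counters named in the guide
        self.uploads = []           # (timestamp, link_count) for each upload

    def add_link(self, link):
        """Append one extracted link; counts toward FWD_CNT_APPENDED_BATCH."""
        if not self._batch:
            self._batch_started = self._now()
        self._batch.append(link)
        self.counters["FWD_CNT_APPENDED_BATCH"] += 1
        if len(self._batch) >= BATCH_SIZE:   # size trigger
            self._flush()

    def tick(self):
        """Call periodically: flushes a partial batch once two minutes elapse."""
        if self._batch and self._now() - self._batch_started >= BATCH_INTERVAL_S:
            self._flush()                    # time trigger

    def _flush(self):
        """One upload to WildFire; each link in it counts toward FWD_CNT_LOCAL_FILE."""
        self.uploads.append((self._now(), len(self._batch)))
        self.counters["FWD_CNT_LOCAL_FILE"] += len(self._batch)
        self._batch = []
        self._batch_started = None

    def uploads_in_last_minute(self):
        """Each batch is one upload toward the platform's per-minute capacity."""
        cutoff = self._now() - 60
        return sum(1 for ts, _ in self.uploads if ts > cutoff)

    def over_capacity(self):
        return self.uploads_in_last_minute() > self._capacity


def simulate():
    """Constructed scenario: 250 links arrive at once, then 3 more a minute later."""
    clock = {"t": 0}
    b = EmailLinkBatcher(now=lambda: clock["t"], per_minute_capacity=5)
    for i in range(250):
        b.add_link(f"http://example.invalid/msg{i}")    # constructed links
    size_flushes = len(b.uploads)           # two full batches of 100 went out
    clock["t"] = 60
    for i in range(3):
        b.add_link(f"http://example.invalid/late{i}")
    b.tick()                                # pending batch is only 60 s old: no flush
    pending = b.counters["FWD_CNT_APPENDED_BATCH"] - b.counters["FWD_CNT_LOCAL_FILE"]
    clock["t"] = 121
    b.tick()                                # two minutes elapsed: remaining 53 links go up
    return {
        "size_flushes": size_flushes,
        "pending_after_60s": pending,
        "appended": b.counters["FWD_CNT_APPENDED_BATCH"],
        "uploaded": b.counters["FWD_CNT_LOCAL_FILE"],
        "uploads": len(b.uploads),
        "uploads_last_minute": b.uploads_in_last_minute(),
        "over_capacity": b.over_capacity(),
    }


if __name__ == "__main__":
    print(simulate())
```

The gap between the two counters is the number of links still waiting in an unsent batch; a gap that never closes after two minutes is the symptom to investigate.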

WildFire Alerts
The firewall can provide instant notification whenever it detects malware on your network by sending email
alerts, syslog, or SNMP traps. This enables you to quickly identify the user who downloaded the malware and
eradicate it before it causes extensive damage or propagates to other users. In addition, every signature that
WildFire generates is automatically propagated to all Palo Alto Networks firewalls protected with a Threat
Prevention and/or WildFire subscription, which provides automatic protection from malware discovered on
networks all over the world.

WildFire Logging and Reporting


For each sample that WildFire analyzes, WildFire generates a detailed behavioral report within minutes of the
sample submission. These reports are available in the WildFire Submissions log on the firewall, from the
WildFire portal, or through WildFire API queries. The reports show detailed behavioral information about the
sample, information on the targeted user, the application that delivered the file, and all URLs involved in the
delivery or phone-home activity of the file. For details on how to access the reports and descriptions of the
report fields, see View WildFire Reports.
The following screen capture shows part of a sample report for a file analysis, followed by a screen capture of
an email link analysis report.


Malware Test Samples


Palo Alto Networks provides a sample malware test file that you can use to test a WildFire configuration. Before
downloading the file to test your configuration, make sure you configure your firewall based on the procedures
described in Forward Files to a WF-500 Appliance or Forward Samples to the WildFire Cloud.
The following lists information about the test file:

Each time you access the test URL, the server generates a unique file named wildfire-test-pe-file.exe and
initiates a download. Each test file also has a unique SHA-256 hash value.

The verdict of the file will always be malicious.

Although WildFire will generate a signature for the test file, the signature is disabled and will not be
distributed to the Palo Alto Networks update server. If signature generation is enabled on a WF-500
appliance, it will not generate a signature for the test file.

To access the malware test file, highlight the following link and copy and paste it into a browser:
http://wildfire.paloaltonetworks.com/publicapi/test/pe.
If you have enabled decryption on the firewall, you can access the encrypted version of the site by replacing
HTTP with HTTPS.
After downloading the file, check the Data Filtering log on the firewall to see if the file was forwarded, and after
about five minutes, look for the results in the WildFire Submissions log. For information on verifying your
WildFire configuration, see Verify Forwarding to a WF-500 Appliance and Verify Forwarding to the WildFire
Cloud.

For WildFire API testing, see Use the API to Retrieve a Sample Malware Test File.


WildFire Deployments
Palo Alto Networks next-generation firewalls support the following WildFire deployments:

WildFire Cloud: In this deployment, a Palo Alto Networks firewall forwards files to the hosted WildFire
environment that Palo Alto Networks owns and maintains. As WildFire detects new malware, it generates
new signatures within 15-30 minutes. Firewalls equipped with a WildFire subscription can receive the new
signatures within 15 minutes; firewalls with only a Threat Prevention subscription will receive the new
signatures in the next antivirus signature update within 24-48 hours.
The available WildFire cloud servers are wildfire-public-cloud for the WildFire cloud server hosted in the
United States and wildfire.paloaltonetworks.jp for the WildFire cloud hosted in Japan. You may want your
firewalls to use the Japan server if you do not want benign files forwarded to the U.S. cloud servers. If a file
is sent to the Japan cloud and WildFire determines it is malicious, the Japan cloud forwards it to the U.S. cloud
servers, where WildFire analyzes it again to confirm that it is malicious. If your firewalls are located in the Japan
region, you will see faster response times for sample submissions and report generation.

WildFire Appliance: In this deployment, you install a WF-500 appliance on your corporate network and
configure your Palo Alto Networks firewalls to forward files to the appliance instead of to the Palo Alto
Networks WildFire cloud (the default). This deployment prevents the firewall from having to send any files
outside of your network for analysis. By default, the appliance will not send any files out of your network
unless you explicitly enable the cloud intelligence submit-sample feature. This feature enables the appliance
to forward malware it detects to the Palo Alto Networks WildFire cloud, where the files are analyzed and
signatures are generated for malicious samples. The update server then provides these signatures to all Palo
Alto Networks firewalls with a Threat Prevention and/or WildFire subscription. The appliance can also be
configured to generate signatures locally based on samples sent to it from your connected firewalls or
submitted using the WildFire XML API. For more information, see Signature/URL Generation on
a WF-500 Appliance. A single WildFire appliance can receive and analyze files from up to 100 Palo Alto
Networks firewalls.

The following lists the main differences between the WildFire cloud and the WildFire appliance deployments:

The WildFire Appliance enables local sandboxing of malware so that benign files never leave your network.
By default, the WildFire appliance does not forward any files to the WildFire cloud, but you can configure
the cloud intelligence option on the appliance to forward malicious samples or reports on malicious samples
to Palo Alto Networks. If you do not want the appliance to send malware samples to Palo Alto Networks, it
is recommended that you at least configure the appliance to send malware reports. The reports will help Palo
Alto Networks gather statistical information about malware to gain a better understanding on how prevalent
the malware is and to gain insight into propagation of the malware.

The WF-500 appliance does not have a WildFire Portal, but you can configure cloud intelligence on the
appliance to automatically submit files to the WildFire cloud. You can also download samples from the
WildFire reports and then upload them to the portal, or use the WildFire XML API to submit files to the
cloud. After manually uploading files to the portal, the samples will appear on the portal as a manual upload
(see Upload Files using the WildFire Cloud Portal). For samples forwarded by a Palo Alto Networks firewall
to a WF-500 appliance or to the WildFire cloud, the reports are always available in the WildFire Submissions
log on the firewall.

Multiple virtual machines run on the WildFire cloud to represent a variety of operating systems and
applications used when running sample files. On the WF-500 appliance, multiple virtual machines are
available, but only one can be active for file analysis. Before selecting the virtual machine to use, review the
attributes of the available virtual machines and select one that best matches your environment. Although you
configure the WF-500 appliance to use one virtual machine image configuration, the appliance uses multiple
instances of the image to perform file analyses in order to improve performance. For information on viewing
and selecting the virtual machine, see Integrate the WF-500 Appliance into a Network.

WildFire Subscription Requirements


WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing
and signature-based detection and blocking of malware. No subscription is required to use WildFire for
sandboxing files sent from Palo Alto Networks firewalls to the WildFire cloud.
For the firewall to perform detection and blocking of known malware discovered by WildFire, the firewall
requires a Threat Prevention and/or WildFire subscription. The Threat Prevention subscription enables the
firewall to receive daily antivirus signature updates, which provide coverage for all malware samples that
WildFire discovers globally. The Threat Prevention subscription also provides access to weekly content updates
that include new vulnerability protection and anti-spyware signatures.
To enable a WF-500 appliance for local analysis, you only need to install a support license. This will enable the
appliance to communicate with the Palo Alto Networks update server to download the operating system images
and daily content updates. The content updates support the ability to generate signatures on the local WF-500
appliance and equip the appliance with the most up-to-date threat information for accurate malware detection
and to improve the ability of the appliance to differentiate the malicious from the benign.
To receive the full benefits of the WildFire service, each firewall must have a WildFire subscription, which
provides the following:

WildFire Dynamic Updates: Provide new malware signatures on a sub-hourly basis, configurable
through Device > Dynamic Updates. Within 15-30 minutes after WildFire identifies a malicious sample,
WildFire generates a new malware signature and distributes it through the WildFire dynamic updates, which
the firewall can poll every 15, 30, or 60 minutes. You can configure the firewall to take specific actions on
malware signatures separate from the regular antivirus signature actions in the antivirus profile. The WildFire
signatures delivered in the dynamic update include signatures generated for malware detected in files
submitted to WildFire by all Palo Alto Networks WildFire customers, not just the file samples that your
firewalls send to WildFire.
It takes approximately 15 to 30 minutes for WildFire to generate a signature and make it available
for subscribers after discovering malware. Firewalls equipped with a WildFire subscription can
poll for new malware signatures every 15, 30, or 60 minutes. If, for example, the firewall is set to
poll for WildFire signature updates every 30 minutes, it might not receive a signature for a file it
uploaded until the second polling interval after the malware was discovered because of the time
required to generate the signature. If the firewall only has a Threat Prevention subscription, it will
receive signatures generated by WildFire after they are rolled into the antivirus updates, which
occurs approximately every 24-48 hours.
If your firewalls are forwarding files to a WF-500 appliance that has local signature generation
enabled, the appliance can generate signatures within approximately five minutes and you can
configure the firewall to retrieve these signatures every five minutes.


WildFire Advanced File Type Support: In addition to Portable Executable (PE) files, a subscription
allows the firewall to also forward the following advanced file types: APK (WildFire cloud only), Flash, PDF,
Microsoft Office, and JAR (Java Applet). In addition to these file types, you can also configure the firewall
to extract and forward email links contained in SMTP and POP3 email messages by forwarding the
email-link file type. Note that the firewall only extracts links and associated session information (sender,
recipient, and subject) from the email messages that traverse the firewall; it does not receive, store, forward,
or view the email message.


WildFire API: The WildFire subscription provides access to the WildFire API, which enables direct
programmatic access to the WildFire service on the Palo Alto Networks WildFire cloud or a WildFire
appliance. You can use the WildFire API to submit files and to retrieve reports for the submitted files. The
WildFire API supports up to 1,000 file submissions per day and up to 10,000 queries per day.

WildFire WF-500 Appliance: Only firewalls with a valid WildFire subscription can forward files to a
WF-500 appliance for analysis. Firewalls that only have a Threat Prevention subscription installed can
forward files to the WildFire cloud, but not to a WF-500 appliance.
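The API item above mentions the submission and query quotas but not how a script should respect them. The following is an added example (not code from this guide or from Palo Alto Networks) of a small submit/report helper that keeps its own per-day count so a bulk submission job fails fast instead of silently losing samples at the quota boundary. It assumes the WildFire REST endpoints POST /publicapi/submit/file (multipart fields apikey and file) and POST /publicapi/get/report (apikey, hash, format), which is how the public WildFire API is documented; confirm them against the API reference for your release. The host can be wildfire.paloaltonetworks.com with a portal API key, or the MGT address of a WF-500 with a key generated on the appliance. The HTTP transport is injectable so the quota logic can be exercised offline; the hostname and key in the usage line are placeholders.

```python
"""WildFire API submit/report helper with daily-quota bookkeeping (added example)."""
import hashlib
import urllib.request
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Transport signature: (url, form_fields, optional file bytes) -> response body.
Transport = Callable[[str, Dict[str, str], Optional[bytes]], bytes]


class QuotaExceeded(RuntimeError):
    """Raised before a request that would exceed the per-day API quota."""


def sha256_hex(data: bytes) -> str:
    """WildFire keys reports by sample hash; SHA-256 is what we use for lookups."""
    return hashlib.sha256(data).hexdigest()


def urllib_post(url: str, fields: Dict[str, str], file_data: Optional[bytes] = None) -> bytes:
    """Real transport: multipart/form-data POST using only the standard library.
    urlopen verifies the server's TLS certificate by default; do not disable that."""
    boundary = uuid.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'
                 f"{value}\r\n").encode()
    if file_data is not None:
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                 'filename="sample"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
        body += file_data + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


@dataclass
class WildFireClient:
    host: str                  # WildFire cloud hostname or the MGT address of your WF-500
    api_key: str               # portal API key, or a key generated on the WF-500 appliance
    transport: Transport = urllib_post
    submit_limit: int = 1000   # file submissions per day (figure from the guide)
    query_limit: int = 10000   # report queries per day (figure from the guide)
    today: Callable[[], object] = field(default=lambda: __import__("datetime").date.today())
    _day: object = field(default=None, init=False)
    _submits: int = field(default=0, init=False)
    _queries: int = field(default=0, init=False)

    def _consume(self, kind: str) -> None:
        """Reset the counters at a day boundary, then charge one call against the quota."""
        now = self.today()
        if now != self._day:
            self._day, self._submits, self._queries = now, 0, 0
        if kind == "submit":
            if self._submits >= self.submit_limit:
                raise QuotaExceeded(f"daily submission quota ({self.submit_limit}) reached")
            self._submits += 1
        else:
            if self._queries >= self.query_limit:
                raise QuotaExceeded(f"daily query quota ({self.query_limit}) reached")
            self._queries += 1

    def submit_file(self, data: bytes) -> str:
        """Submit one sample; returns its SHA-256 for the later report lookup."""
        self._consume("submit")
        self.transport(f"https://{self.host}/publicapi/submit/file",
                       {"apikey": self.api_key}, data)
        return sha256_hex(data)

    def get_report(self, sha256: str, fmt: str = "xml") -> bytes:
        """Fetch the analysis report for a hash (format 'xml' or 'pdf')."""
        self._consume("query")
        return self.transport(f"https://{self.host}/publicapi/get/report",
                              {"apikey": self.api_key, "hash": sha256, "format": fmt}, None)

    @property
    def usage(self) -> Dict[str, int]:
        return {"submits": self._submits, "queries": self._queries}


if __name__ == "__main__":
    # Placeholder host and key; replace with your appliance/cloud and API key.
    client = WildFireClient("wf-500.example.net", "YOUR-API-KEY")
    digest = client.submit_file(open("sample.bin", "rb").read())
    print(client.get_report(digest).decode(errors="replace"))
```

Because the client computes the SHA-256 locally, you can also call get_report for files you never submitted through this client (for example hashes taken from the firewall's WildFire Submissions log) without spending a submission against the 1,000-per-day quota.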

Best Practices for Keeping Signatures up to Date


This section describes the best practices for keeping a firewall with Threat Prevention and WildFire
subscriptions up-to-date with the latest protection. For a streamlined workflow, use Panorama to push dynamic
update schedules to managed firewalls using Panorama templates. This ensures consistency across all firewalls
and simplifies management of update schedules.
These guidelines provide two schedule options: the minimum recommended schedule and a more aggressive
schedule. Choosing the more aggressive approach causes the device to perform downloads/installs much more
frequently, some of which can be very large (over 100MB for antivirus updates). Also, in rare instances, there
could be errors in signature updates. Therefore, consider delaying new update installations until a certain
number of hours has passed. Use the Threshold (Hours) field to specify how long after a release to wait before
performing a content update.

Antivirus: New antivirus content updates are released by Palo Alto Networks on a daily basis. To get the
latest content, schedule these updates daily at minimum. For a more aggressive schedule, schedule them
hourly.

Applications and Threats: New App-ID, vulnerability protection, and anti-spyware signatures are
released by Palo Alto Networks as weekly content updates (normally on Tuesdays). To receive the latest
content, schedule the updates at least weekly. For a more aggressive schedule to ensure that the firewall
receives the latest content soon after the release (including occasional off-schedule emergency content
releases), schedule the firewall to download/install daily.

WildFire: New WildFire antivirus signatures are published every 15 minutes. Depending on when
WildFire discovers new malware within the release cycle, coverage is provided in the form of a WildFire
signature 15-30 minutes after it is discovered. To get the latest WildFire signatures, schedule these updates
every hour or half-hour. For a more aggressive schedule, configure the firewall to check for updates every
15 minutes.

WF-Private: If signature/URL generation (antivirus signatures, DNS signatures, and URL entries for
PAN-DB) is configured on a WF-500, you configure the firewall to download/install the updates using the
WF-Private dynamic update. After the appliance receives a malicious sample, it will generate a signature
within five minutes in most cases. When configuring the firewall to retrieve these updates, set the schedule
to download and install every hour or half-hour. For a more aggressive schedule (recommended),
configure the firewall to download and install the updates every 5 minutes. If you configure your firewalls
to retrieve WF-Private updates, it is highly recommended that the firewalls also download content updates
from Palo Alto Networks (Antivirus, Applications/Threats, and WildFire) to ensure that the firewalls have the
latest protection. This is important because when the local storage for WF-Private updates on
the appliance is full, new signatures/URL categorizations overwrite existing ones, beginning with the
oldest ones first. For details on local signature generation, see Signature/URL Generation on a WF-500
Appliance.

Reference: Firewall File Forwarding Capacity by Platform


This section describes the maximum rate per minute at which each Palo Alto Networks firewall platform can
submit files to the WildFire cloud or a WF-500 appliance for analysis. If the per-minute limit is reached, the
firewall queues the samples.
The Reserved Drive Space column in the following table lists the amount of drive space on the firewall that is
reserved for queuing files. If the queue is full, the firewall cancels forwarding of new files to WildFire until
more space in the queue is available.
The speed at which the firewall can forward files to WildFire also depends on the bandwidth of
the upload link to the WildFire systems.

Platform          Maximum Files Per Minute   Reserved Drive Space
VM-100                                       100MB
VM-200            10                         200MB
VM-300            20                         200MB
PA-200                                       100MB
PA-500            10                         200MB
PA-2000 Series    20                         200MB
PA-3020           50                         200MB
PA-3050           50                         500MB
PA-3060           50                         500MB
PA-4020           20                         200MB
PA-4050/4060      50                         500MB
PA-5020/5050      50                         500MB
PA-5060           100                        500MB
PA-7050           100                        1GB


WF-500 Appliance File Analysis


This topic describes the WF-500 appliance and how to configure and manage the appliance to prepare it to
receive files for analysis. In addition, this topic provides steps for configuring a Palo Alto Networks firewall to
forward files to a WildFire appliance for file analysis and also describes how to configure the appliance to
provide local signature generation to avoid having to send samples to the WildFire cloud. You can also use the
WildFire API to submit and retrieve content from a WF-500 appliance.

About the WF-500 Appliance

Configure the WF-500 Appliance

Set Up the VM Interface on the WF-500 Appliance

Manage Content Updates on the WF-500 Appliance

Forward Files to a WF-500 Appliance

Signature/URL Generation on a WF-500 Appliance

Configure the Firewall to Retrieve Updates from a WF-500 Appliance

Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support

About the WF-500 Appliance


The WF-500 appliance provides an on-premises WildFire private cloud, enabling you to analyze suspicious files
in a sandbox environment without requiring that the firewall sends files outside of the network. To use a WF-500
appliance in place of the WildFire cloud, configure the WildFire server setting on the firewall to point to your
WF-500 appliance rather than to the WildFire public cloud server. The WF-500 appliance sandboxes all files
locally and analyzes them for malicious behaviors using the same engine used by the WildFire cloud system.
Within minutes, the appliance returns the results of the analysis back to the firewall in the WildFire Submissions
logs.
By default, the WF-500 appliance does not send any files to the Palo Alto Networks WildFire cloud for signature
generation. However, you can configure the appliance to generate signatures locally and the connected firewalls
can retrieve the updates directly from the appliance. For information on configuring local signature generation
and to learn about the types of content updates that the appliance can provide, see Signature/URL Generation
on a WF-500 Appliance.
The WF-500 appliance has an automatic submission feature that will enable it to only send confirmed malware
to the public cloud for signature generation. You can also configure this feature (cloud-intelligence) to only send
reports on malware, which will help Palo Alto Networks gather statistics on malware. It is recommended that
you configure the appliance to send malware samples to the WildFire cloud, so signatures are generated and
distributed to all customers. If you do not want to automatically send all detected malware to the WildFire cloud,
you can manually download the malware from the WildFire Analysis Report tab and manually upload to the
WildFire Portal.
You can configure up to 100 Palo Alto Networks firewalls to forward to a single WildFire appliance. Each
firewall must have a valid WildFire subscription to forward files to a WildFire appliance.
The WildFire appliance has two interfaces:

MGT: Receives all files forwarded from the firewalls and returns logs detailing the results back to the
firewalls. See Integrate the WF-500 Appliance into a Network.

Virtual Machine Interface (VM interface): Provides network access for the WildFire sandbox systems
to enable sample files to communicate with the Internet, which allows WildFire to better analyze the
behavior of the sample. When the VM interface is configured, WildFire can observe malicious behaviors that
the malware would not normally perform without network access, such as phone-home activity. However,
to prevent malware from entering your network from the sandbox, configure this interface on an isolated
network with an Internet connection. You can also enable the Tor option to hide the public IP address
used by your company from malicious sites that are accessed by the sample. For more information on the
VM interface, see Set Up the VM Interface on the WF-500 Appliance.

Configure the WF-500 Appliance


The following topics describe how to integrate a WildFire appliance into the network:

Prerequisites for Configuring the WF-500 Appliance

Integrate the WF-500 Appliance into a Network

Verify the WF-500 Appliance Configuration

Prerequisites for Configuring the WF-500 Appliance

Rack mount and cable the WF-500 appliance. Refer to the WF-500 WildFire Appliance Hardware
Reference Guide.

Obtain the information required to configure network connectivity on the MGT port and the virtual
machine interface from your network administrator (IP address, subnet mask, gateway, hostname, DNS
server). All communication between the firewalls and the appliance occurs over the MGT port, including
file submissions, WildFire log delivery, and appliance administration. Therefore, ensure that the firewalls
have connectivity to the MGT port on the appliance. In addition, the appliance must be able to connect to
the updates.paloaltonetworks.com site to retrieve its operating system software updates.

Have a computer ready with either a console cable or Ethernet cable to connect to the device for the initial
configuration.

Integrate the WF-500 Appliance into a Network


This section describes the steps required to install a WF-500 appliance on a network and perform basic setup.
Integrate the WF-500 Appliance into a Network

Step 1  Connect the management computer to the appliance using the MGT or Console port and power on
the appliance.

1. Connect to the console port or the MGT port. Both are located on the back of the appliance.
   Console Port: This is a 9-pin male serial connector. Use the following settings on the console
   application: 9600-8-N-1. Connect the provided cable to the serial port on the management computer or
   USB-To-Serial converter.
   MGT Port: This is an Ethernet RJ-45 port. By default, the MGT port IP address is 192.168.1.1. The
   interface on your management computer must be on the same subnet as the MGT port. For example, set
   the IP address on the management computer to 192.168.1.5.
2. Power on the appliance.
   The appliance will power on as soon as you connect power to the first power supply, and a warning beep
   will sound until you connect the second power supply. If the appliance is already plugged in and is in the
   shutdown state, use the power button on the front of the appliance to power on.

Step 2  Register the WildFire appliance.

1. Obtain the serial number from the S/N tag on the appliance, or run the following command and refer to
   the serial field:
   admin@WF-500> show system info
2. From a browser, navigate to the Palo Alto Networks Support site.
3. Register the device as follows:
   If this is the first Palo Alto Networks device that you are registering and you do not yet have a login,
   click Register on the right side of the page. To register, provide an email address and the serial number
   of the device. When prompted, set up a username and password for access to the Palo Alto Networks
   support community.
   For existing accounts, log in and then click My Devices. Scroll down to the Register Device section at
   the bottom of the screen and enter the serial number of the device, the city and postal code, and then
   click Register Device.


Step 3  Reset the admin password.

1. Log in to the appliance with an SSH client or by using the Console port. Enter a username/password of
   admin/admin.
2. Set a new password by running the following operational-mode command:
   admin@WF-500> set password
3. Type the old password, press Enter, and then enter and confirm the new password. There is no need to
   commit the configuration because this is an operational command.
4. Type exit to log out and then log back in to confirm that the new password is set.

Step 4  Set the IP information for the MGT interface and the hostname for the appliance. All firewalls that
will send files to the WF-500 appliance will use the MGT port, so ensure that this interface is accessible from
those firewalls.

This example uses the following values:
   IPv4 address - 10.10.0.5/22
   Subnet Mask - 255.255.252.0
   Default Gateway - 10.10.0.1
   Hostname - wildfire-corp1
   DNS Server - 10.0.0.246

1. Log in to the appliance with an SSH client or by using the Console port and enter configuration mode:
   admin@WF-500> configure
2. Set the IP information:
   admin@WF-500# set deviceconfig system ip-address 10.10.0.5 netmask 255.255.252.0 default-gateway
   10.10.0.1 dns-setting servers primary 10.0.0.246
   Configure a secondary DNS server by replacing primary with secondary in the above command, excluding
   the other IP parameters. For example:
   admin@WF-500# set deviceconfig system dns-setting servers secondary 10.0.0.247
3. Set the hostname (wildfire-corp1 in this example):
   admin@WF-500# set deviceconfig system hostname wildfire-corp1
4. Commit the configuration to activate the new management (MGT) port configuration:
   admin@WF-500# commit
5. Connect the MGT interface port to a network switch.
6. Put the management PC back on your corporate network, or whatever network is required to access the
   appliance on the management network.
7. From your management computer, use an SSH client to connect to the new IP address or hostname
   assigned to the MGT port on the appliance. In this example, the IP address is 10.10.0.5.

Step 5  (Optional) Configure additional user accounts for managing the WildFire appliance. You can assign
two role types: superuser and superreader. Superuser is equivalent to the admin account, and superreader
only has read access.

In this example, you will create a superreader account for the user bsimpson:
1. Enter configuration mode:
   admin@WF-500> configure
2. Create the user account (the password keyword causes the CLI to prompt for the password rather than
   accepting it on the command line, so it does not end up in the shell history):
   admin@WF-500# set mgt-config users bsimpson password
3. Enter and confirm a new password.
4. Assign the superreader role:
   admin@WF-500# set mgt-config users bsimpson permissions role-based superreader yes


Step 6  (Optional) Configure RADIUS authentication for administrator access. The following steps summarize
how to configure RADIUS on the appliance.

1. Create a RADIUS server profile:
   admin@WF-500# set shared server-profile radius <profile-name>
   (Configure the RADIUS server and other attributes.)
2. Create an authentication profile:
   admin@WF-500# set shared authentication-profile <profile-name> method radius server-profile
   <server-profile-name>
3. Assign the profile to a local admin account:
   admin@WF-500# set mgt-config users <username> authentication-profile <authentication-profile-name>

Step 7  Activate the appliance with the WildFire authorization code that you received from Palo Alto
Networks. The WF-500 appliance will function without an auth-code, but it cannot retrieve software updates
without a valid auth-code.

1. Change to operational mode:
   admin@WF-500# exit
2. Fetch and install the WildFire license:
   admin@WF-500> request license fetch auth-code <auth-code>
3. Verify the license:
   admin@WF-500> request support check
   Information about the support site and the support contract date is displayed. Confirm that the date
   displayed is valid.
Step 8  Set the current date/time and timezone.

1. Set the date and time:
   admin@WF-500> set clock date <YY/MM/DD> time <hh:mm:ss>
2. Enter configuration mode:
   admin@WF-500> configure
3. Set the local time zone:
   admin@WF-500# set deviceconfig system timezone <timezone>
   The time stamp that will appear on the WildFire detailed report will use the time zone set on the
   appliance. If administrators in various regions will view reports, consider setting the time zone to UTC.
Step 9  (Optional) Configure cloud intelligence to enable the WildFire appliance to forward files that contain
malware to the Palo Alto Networks WildFire cloud. The WildFire cloud system will re-analyze the sample and
will generate a signature if the sample is malware and will add the signature to the WildFire signature
updates. You can also choose to only submit WildFire reports on malware. In this case, Palo Alto Networks
uses the reports for statistical purposes. Cloud intelligence is disabled by default.

1. To enable cloud intelligence, run the command:
   admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
2. To only send WildFire reports for malware:
   admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
   If submit-sample is enabled, there is no need to enable submit-report because the WildFire cloud
   re-analyzes the sample and generates a new report. If the sample is malicious, the cloud will generate a
   signature.
3. Commit the change (admin@WF-500# commit), then confirm the setting by running the following
   command and refer to the Submit sample and Submit report fields:
   admin@WF-500> show wildfire status


Step 10  (Optional) Enable benign file logging on the firewall. This is a good way to confirm that the firewall
is forwarding files to WildFire without having to download real malware. In this case, the Data Filtering log
will contain information on the results of the WildFire analysis, even if the verdict is benign. To download
sample malware for testing, see Malware Test Samples.

1. On the firewall, select Device > Setup > WildFire and edit General Settings.
2. Select the Report Benign Files check box to enable and then click OK to save.

Alternatively, run the following command in configuration mode on the firewall CLI (not on the appliance)
and commit:
   set deviceconfig setting wildfire report-benign-file yes

This option is disabled by default.

Step 11  Set a password for the portal admin account. This account is used when accessing WildFire reports
from a firewall. The default username and password is admin/admin.

1. To change the WildFire portal admin account password:
   admin@WF-500> set wildfire portal-admin password
2. Press Enter and type and confirm the new password.

The portal admin account is the only account that can be used for viewing reports from the logs. Only the
password can be changed for this account and additional accounts cannot be created for this purpose. This
is not the same admin account used to manage the appliance. You can also use the WildFire API to retrieve
logs, but in that case you use an API key generated on the WF-500 appliance. See Use the WildFire API on a
WF-500 Appliance.
Step 12  Choose the virtual machine image that the appliance will use for file analysis. The image should be
based on the attributes that best represent the software installed on your end user computers. Each virtual
image contains different versions of operating systems and software, such as Windows XP or Windows 7
32-bit or 64-bit and specific versions of Adobe Reader and Flash. Although you configure the appliance to
use one virtual machine image configuration, the appliance uses multiple instances of the image to improve
performance.

1. To view a list of available virtual machines to determine which one best represents your environment:
   admin@WF-500> show wildfire vm-images
2. View the current virtual machine image by running the following command and refer to the Selected VM
   field:
   admin@WF-500> show wildfire status
3. Select the image that the appliance will use for analysis:
   admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
   For example, to use vm-1:
   admin@WF-500# set deviceconfig setting wildfire active-vm vm-1
   Commit the change (admin@WF-500# commit) for the new image to take effect.


Where to Go Next:

Verify the WF-500 Appliance Configuration


Forward Files to a WF-500 Appliance
Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support
Set Up the VM Interface on the WF-500 Appliance

Verify the WF-500 Appliance Configuration


This topic describes how to verify the configuration of the WildFire appliance to ensure that it is ready to receive
files from a Palo Alto Networks firewall. For more details on the CLI commands referenced in this workflow,
see WildFire Appliance Software CLI Reference.
Step 1  Verify that the appliance is registered and the license is activated.

1. Start an SSH session and connect to the MGT port on the appliance.
2. View the current support information:
   admin@WF-500> request support check
   This will display information about the support site and contract. Confirm that the contract date is valid.
3. Run the following command to check connectivity between the appliance and the WildFire cloud (needed
   to forward files to the cloud):
   admin@WF-500> test wildfire registration
   The following output indicates that the appliance is registered with one of the Palo Alto Networks
   WildFire cloud servers:
   Test wildfire
           wildfire registration:      successful
           download server list:       successful
           select the best server:     cs-s1.wildfire.paloaltonetworks.com


Step 2  Check the WildFire server status on the appliance.

1. Display WildFire status:
   admin@WF-500> show wildfire status
   Connection info:
       Wildfire cloud:                wildfire.paloaltonetworks.com
       Status:                        Idle
       Submit sample:                 enabled
       Submit report:                 disabled
       Selected VM:                   vm-5
       VM internet connection:        disabled
       VM network using Tor:          disabled
       Best server:                   s1.wildfire.paloaltonetworks.com
       Device registered:             yes
       Service route IP address:      10.3.4.99
       Signature verification:        enable
       Server selection:              enable
       Through a proxy:               no

   In the example output, status Idle indicates that the appliance is ready to receive files. Submit sample is
   enabled, which indicates that the appliance will forward detected malware files to the WildFire cloud. The
   Device registered field displays yes, which means the appliance is registered with the WildFire cloud
   system. The appliance is also configured to use the vm-5 sandbox for sample analysis.
   You must have a WildFire cloud server defined even if you are not forwarding samples to the cloud
   server. If no cloud server is defined, the Status field will show Disabled by cloud server.
2. After configuring your firewalls to forward files to the appliance as described in Forward Files to a
   WF-500 Appliance, you can verify the connectivity status of the firewalls from the appliance. To verify
   that the appliance is receiving files from the firewalls and to verify whether the appliance is sending files
   to the WildFire cloud for signature generation (if cloud intelligence is enabled), enter:
   admin@WF-500> show wildfire statistics days 7
   Last one hour statistics:
       Total sessions submitted : 0
       Samples submitted        : 0
       analyzed                 : 0
       pending                  : 0
       malicious                : 0
       benign                   : 0
       error                    : 0
       Uploaded                 : 0

   Last 7 days statistics:
       Total sessions submitted : 66
       Samples submitted        : 34
       analyzed                 : 34
       pending                  : 0
       malicious                : 2
       benign                   : 32
       error                    : 0
       Uploaded                 : 0
3. (Optional) View more detailed statistics:
   admin@WF-500> show wildfire latest [analysis | samples | sessions | uploads]
   For example, to display details about the recent analysis results, enter:
   admin@WF-500> show wildfire latest analysis
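When you manage more than one appliance, eyeballing this output does not scale. The following is an added example (not code from this guide) of a readiness check that parses the text printed by show wildfire status and show wildfire statistics days 7 and flags the conditions the step above tells you to look for: a Status other than Idle (including Disabled by cloud server), an unregistered appliance, no Selected VM, no cloud server, cloud intelligence fully disabled, pending or errored samples, and submit-sample enabled with malicious verdicts but no uploads. The two sample outputs embedded below are transcribed from the example output above; the key: value layout and field names are assumed to match your WF-500 release, and the meaning of the Uploaded counter (samples forwarded to the cloud) is an assumption. Feed it captured output from an SSH session instead of the samples for real use.

```python
"""WF-500 readiness check over 'show wildfire status/statistics' output (added example)."""
import re
from typing import Dict, List

# Transcribed from the guide's example output; used as offline input for the check.
STATUS_SAMPLE = """\
Connection info:
    Wildfire cloud:                wildfire.paloaltonetworks.com
    Status:                        Idle
    Submit sample:                 enabled
    Submit report:                 disabled
    Selected VM:                   vm-5
    VM internet connection:        disabled
    VM network using Tor:          disabled
    Best server:                   s1.wildfire.paloaltonetworks.com
    Device registered:             yes
    Service route IP address:      10.3.4.99
    Signature verification:        enable
    Server selection:              enable
    Through a proxy:               no
"""

STATS_SAMPLE = """\
Last one hour statistics:
    Total sessions submitted : 0
    Samples submitted        : 0
    analyzed                 : 0
    pending                  : 0
    malicious                : 0
    benign                   : 0
    error                    : 0
    Uploaded                 : 0

Last 7 days statistics:
    Total sessions submitted : 66
    Samples submitted        : 34
    analyzed                 : 34
    pending                  : 0
    malicious                : 2
    benign                   : 32
    error                    : 0
    Uploaded                 : 0
"""

# 'Key words : value' with arbitrary spacing; key may contain spaces and digits.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")


def parse_status(text: str) -> Dict[str, str]:
    """Return the non-empty 'key: value' fields of 'show wildfire status' as a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def parse_statistics(text: str) -> Dict[str, Dict[str, int]]:
    """Return {section name: {counter: int}} for 'show wildfire statistics'."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("statistics:"):       # e.g. 'Last 7 days statistics:'
            current = stripped[:-1]
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None and m.group(2).isdigit():
            sections[current][m.group(1)] = int(m.group(2))
    return sections


def readiness_findings(status: Dict[str, str], stats: Dict[str, Dict[str, int]]) -> List[str]:
    """Apply the guide's checks; an empty list means the appliance looks ready."""
    findings: List[str] = []
    if status.get("Status") != "Idle":
        findings.append(f"Status is {status.get('Status')!r}, expected Idle "
                        "('Disabled by cloud server' means no cloud server is defined)")
    if status.get("Device registered") != "yes":
        findings.append("appliance is not registered with the WildFire cloud")
    if not status.get("Selected VM"):
        findings.append("no analysis VM selected (set deviceconfig setting wildfire active-vm)")
    if not status.get("Wildfire cloud"):
        findings.append("no WildFire cloud server defined")
    submit_sample = status.get("Submit sample") == "enabled"
    submit_report = status.get("Submit report") == "enabled"
    if not (submit_sample or submit_report):
        findings.append("cloud intelligence fully disabled; the guide recommends at least submit-report")
    week = stats.get("Last 7 days statistics", {})
    if week.get("pending", 0):
        findings.append(f"{week['pending']} samples still pending analysis")
    if week.get("error", 0):
        findings.append(f"{week['error']} samples ended in error")
    # Assumption: 'Uploaded' counts samples forwarded to the cloud by cloud intelligence.
    if submit_sample and week.get("malicious", 0) and not week.get("Uploaded", 0):
        findings.append("submit-sample is enabled but nothing was uploaded despite malicious "
                        "verdicts; check appliance-to-cloud connectivity")
    return findings


if __name__ == "__main__":
    result = readiness_findings(parse_status(STATUS_SAMPLE), parse_statistics(STATS_SAMPLE))
    for line in result or ["appliance looks ready"]:
        print("-", line)
```

Run against the guide's own example output, the check reports a single item: cloud intelligence is set to submit samples, two malicious verdicts were returned in the last seven days, yet the Uploaded counter is zero, which is exactly the kind of silent failure worth a ticket before you rely on the appliance feeding signatures back to the cloud.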


Step 3
Verify that firewalls configured to forward files to the appliance have successfully registered with the WildFire appliance.

1. Display a list of firewalls that have registered with the appliance:
admin@WF-500> show wildfire last-device-registration all

The output includes the following information for each firewall that is registered with the appliance: firewall serial number, date registered, IP address, software version, hardware model, and status. If no firewalls are listed, there may be network connectivity issues between the firewalls and the appliance. Check the network to confirm that the firewalls and the WildFire appliance can communicate.

You can use ping tests from the appliance to the gateway address, or to one of the firewalls that you configured to forward files to the appliance. For example, if the IP address of the firewall is 10.0.5.254, you will see replies when running the following CLI command from the appliance:
admin@WF-500> ping host 10.0.5.254

To verify the WildFire configuration on the firewalls that are forwarding to the appliance, see Verify Forwarding to a WF-500 Appliance.

Set Up the VM Interface on the WF-500 Appliance


The virtual machine interface (vm-interface) provides external network connectivity from the sandbox virtual
machines in the WF-500 appliance to enable observation of malicious behaviors in which the file being analyzed
seeks network access. The following sections describe the VM interface and the steps required for configuring
it. You can optionally enable the Tor feature with the VM interface, which will mask any malicious traffic sent
from the WF-500 appliance through the VM interface, so the malware sites that the traffic may be sent to cannot
detect your public-facing IP address.
This section also describes the steps required to connect the VM interface to a dedicated port on a Palo Alto
Networks firewall to enable Internet connectivity.

Virtual Machine Interface Overview

Configure the VM Interface on the WF-500 Appliance

Configure the Firewall to Control Traffic for the WF-500 VM Interface

Virtual Machine Interface Overview


The VM interface (labeled 1 on the back of the appliance) is used by WildFire to improve malware detection
capabilities. The interface allows a file sample running on the WildFire virtual machines to communicate with
the Internet and enables WildFire to better analyze the behavior of the sample file to determine if it exhibits
characteristics of malware.
While it is recommended that you enable the VM interface, it is very important that you do not
connect the interface to a network that allows access to any of your servers/hosts because
malware that runs in the WildFire virtual machines could potentially use this interface to
propagate itself.
This connection can be a dedicated DSL line or a network connection that only allows direct
access from the VM interface to the Internet and restricts any access to internal servers/client
hosts.

The following illustration shows two options for connecting the VM interface to the network.

Virtual Machine Interface Example

Option-1 (recommended): Connect the VM interface to an interface in a dedicated zone on a firewall that has a policy that only allows access to the Internet. This is important because malware that runs in the WildFire virtual machines can potentially use this interface to propagate itself. This is the recommended option because the firewall logs will provide visibility into any traffic that is generated by the VM interface.

Option-2: Use a dedicated Internet provider connection, such as a DSL line, to connect the VM interface to the Internet. Ensure that there is no access from this connection to internal servers/hosts. Although this is a simple solution, traffic generated by the malware out the VM interface will not be logged unless you place a firewall or a traffic monitoring tool between the WildFire appliance and the DSL connection.

Configure the VM Interface on the WF-500 Appliance


This section describes the steps required to configure the VM interface on the WildFire appliance using the
Option 1 configuration detailed in the Virtual Machine Interface Example. After configuring the VM interface
using this option, you must also configure an interface on a Palo Alto Networks firewall through which traffic
from the VM interface is routed as described in Configure the Firewall to Control Traffic for the WF-500 VM
Interface.
By default, the VM interface has the following settings:

IP Address: 192.168.2.1
Netmask: 255.255.255.0
Default Gateway: 192.168.2.254
DNS: 192.168.2.254

If you plan on enabling this interface, configure it with the appropriate settings for your network. If you do not plan on using this interface, leave the default settings. Note that this interface must have network values configured or a commit failure will occur.
Configure the VM Interface

Step 1
Set the IP information for the VM interface on the WildFire appliance. The following settings are used in this example:
IPv4 address - 10.16.0.20/22
Subnet Mask - 255.255.252.0
Default Gateway - 10.16.0.1
DNS Server - 10.0.0.246

1. Enter configuration mode:
admin@WF-500> configure

2. Set the IP information for the VM interface:
admin@WF-500# set deviceconfig system vm-interface ip-address 10.16.0.20 netmask 255.255.252.0 default-gateway 10.16.0.1 dns-server 10.0.0.246

You can only configure one DNS server on the VM interface. As a best practice, use the DNS server from your ISP or an open DNS service.

The VM interface cannot be on the same network as the management interface (MGT).
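The constraints in Step 1 (all four values set, one DNS server, gateway on the VM interface's subnet, no overlap with the MGT network) are easy to get wrong and only surface as a commit failure or a silent lack of sandbox connectivity. The following pre-commit check is an added example written for this guide; it is not Palo Alto Networks code. The VM interface values are the ones used in Step 1, and the MGT address 10.5.164.245/24 is taken from the show system info output shown later in this chapter; the overlapping and out-of-subnet values in the usage below are constructed to show the failure cases.

```python
"""Pre-commit sanity check for WF-500 vm-interface settings (added example)."""
import ipaddress


def check_vm_interface(ip, netmask, gateway, dns, mgt_ip, mgt_netmask):
    """Return a list of problems with the vm-interface settings; empty means OK."""
    problems = []
    # Every value must be present: an unset field makes the commit fail.
    for label, value in (("ip-address", ip), ("netmask", netmask),
                         ("default-gateway", gateway), ("dns-server", dns)):
        if not value:
            problems.append(f"{label} is not set (commit would fail)")
    if problems:
        return problems

    # Only a single DNS server is accepted on the VM interface.
    dns_list = [dns] if isinstance(dns, str) else list(dns)
    if len(dns_list) != 1:
        problems.append(f"exactly one dns-server must be given; got {len(dns_list)}")

    vm_net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    mgt_net = ipaddress.ip_network(f"{mgt_ip}/{mgt_netmask}", strict=False)

    # The gateway has to be reachable on the VM interface's own subnet.
    if ipaddress.ip_address(gateway) not in vm_net:
        problems.append(f"default-gateway {gateway} is outside {vm_net}")
    # The VM interface must not share a network with MGT.
    if vm_net.overlaps(mgt_net):
        problems.append(f"VM network {vm_net} overlaps MGT network {mgt_net}")
    return problems


if __name__ == "__main__":
    # Step 1 values against the MGT network from the show system info output.
    print(check_vm_interface("10.16.0.20", "255.255.252.0", "10.16.0.1",
                             "10.0.0.246", "10.5.164.245", "255.255.255.0"))
    # Constructed bad input: gateway off-subnet and MGT inside the VM /22.
    print(check_vm_interface("10.16.0.20", "255.255.252.0", "10.16.4.1",
                             "10.0.0.246", "10.16.1.10", "255.255.255.0"))
```

Run the check with the values you intend to commit; an empty list means the settings satisfy the rules stated in this section, and any message names the field to correct before you enter the set deviceconfig system vm-interface command.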

Step 2
Enable the VM interface.

1. Enable the VM interface:
admin@WF-500# set deviceconfig setting wildfire vm-network-enable yes

2. Commit the configuration:
admin@WF-500# commit

Step 3
Test connectivity of the VM interface.

Ping a system and specify the VM interface as the source. For example, if the VM interface IP address is 10.16.0.20, run the following command where ip-or-hostname is the IP or hostname of a server/network that has ping enabled:
admin@WF-500> ping source 10.16.0.20 host ip-or-hostname

For example:
admin@WF-500> ping source 10.16.0.20 host 10.16.0.1

Step 4
(Optional) Enable the Tor network. When this option is enabled, any malicious traffic that the malware generates to the Internet is sent to the Tor network. The Tor network will mask your public facing IP address, so the owners of the malicious site cannot determine the source of the traffic.

1. Enable the Tor network:
admin@WF-500# set deviceconfig setting wildfire vm-network-use-tor

2. Commit the configuration:
admin@WF-500# commit

Step 5
Continue to the next section to configure the firewall interface that you will use to connect the VM interface on the appliance. See Configure the Firewall to Control Traffic for the WF-500 VM Interface.

Configure the Firewall to Control Traffic for the WF-500 VM Interface


The following example workflow describes how to connect the VM interface to a port on a Palo Alto Networks
firewall. Before connecting the VM interface to the firewall, the firewall must already have an Untrust zone
connected to the Internet. In this example, you configure a new zone named wf-vm-zone that will contain the
interface used to connect the VM interface on the appliance to the firewall. The policy associated with the
wf-vm-zone will only allow communication from the VM interface to the Untrust zone.
Configure the Firewall to Control Traffic for the WF-500 VM Interface

Step 1
Configure the interface on the firewall that the VM interface will connect to and set the virtual router.

The wf-vm-zone should only contain the interface (ethernet1/3 in this example) used to connect the VM interface on the appliance to the firewall. This is done to prevent any traffic generated by the malware from reaching other networks.

1. From the web interface on the firewall, select Network > Interfaces and then select an interface, for example Ethernet1/3.
2. In the Interface Type drop-down, select Layer3.
3. On the Config tab, from the Security Zone drop-down box, select New Zone.
4. In the Zone dialog Name field, enter wf-vm-zone and click OK.
5. In the Virtual Router drop-down box, select default.
6. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface. Use the address that the appliance was given as its default gateway in Configure the VM Interface, for example 10.16.0.1/22.
7. To save the interface configuration, click OK.

Step 2
Create a security policy on the firewall to allow access from the VM interface to the Internet and block all incoming traffic. In this example, the policy name is WildFire VM Interface. Because you will not create a security policy from the Untrust zone to the wf-vm-zone, all inbound traffic is blocked by the default interzone deny rule.

1. Select Policies > Security and click Add.
2. In the General tab, enter a Name.
3. In the Source tab, set the Source Zone to wf-vm-zone.
4. In the Destination tab, set the Destination Zone to Untrust.
5. In the Application and Service/URL Category tabs, leave the default as Any.
6. In the Actions tab, set the Action Setting to Allow.
7. Under Log Setting, select the Log at Session End check box.

If there are concerns that someone might inadvertently add other interfaces to the wf-vm-zone, clone the WildFire VM Interface security policy, set the Destination Zone of the cloned rule to any, and in its Action tab select Deny (a clone that still targets only Untrust never matches intra-zone traffic). Make sure this new rule is listed below the WildFire VM Interface policy; placed above it, the deny shadows the allow and the sandbox loses Internet access. This overrides the implicit intra-zone allow rule that permits communication between interfaces in the same zone and denies all intra-zone communication.
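The note above depends on how the firewall walks the rulebase: explicit rules in order, then the two predefined rules (intrazone-default allows, interzone-default denies). The following model is an added example written for this guide, not Palo Alto Networks code; it reduces rules to zones only (no addresses, applications or services) and uses the zone and rule names from the procedure. The internal zone named Trust is an assumption, not something the guide configures. It shows why the lone allow rule still leaves intra-zone traffic open, why the cloned deny closes it, and what happens when the deny is listed above the allow.

```python
"""Zone-level model of PAN-OS rule evaluation for wf-vm-zone (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str  # a zone name, or "any"
    to_zone: str    # a zone name, "any", or one of the two default markers below
    action: str     # "allow" or "deny"


# PAN-OS appends these two predefined rules after every explicit rule:
# intrazone-default allows traffic that stays in one zone, interzone-default
# denies traffic between different zones.
INTRAZONE_DEFAULT = Rule("intrazone-default", "any", "<same-zone>", "allow")
INTERZONE_DEFAULT = Rule("interzone-default", "any", "<other-zone>", "deny")


def matches(rule, src_zone, dst_zone):
    if rule.from_zone not in ("any", src_zone):
        return False
    if rule.to_zone == "<same-zone>":
        return src_zone == dst_zone
    if rule.to_zone == "<other-zone>":
        return src_zone != dst_zone
    return rule.to_zone in ("any", dst_zone)


def evaluate(rulebase, src_zone, dst_zone):
    """First matching rule wins; explicit rules are checked before the defaults."""
    for rule in list(rulebase) + [INTRAZONE_DEFAULT, INTERZONE_DEFAULT]:
        if matches(rule, src_zone, dst_zone):
            return rule.name, rule.action
    raise RuntimeError("unreachable: the default rules match every flow")


# Step 2 exactly as written: one allow rule from wf-vm-zone to Untrust.
ALLOW_RULE = Rule("WildFire VM Interface", "wf-vm-zone", "Untrust", "allow")
# The cloned rule from the note: same source zone, destination any, action deny.
DENY_CLONE = Rule("WildFire VM Interface deny", "wf-vm-zone", "any", "deny")

AS_WRITTEN = [ALLOW_RULE]
HARDENED = [ALLOW_RULE, DENY_CLONE]    # deny listed below the allow
MISORDERED = [DENY_CLONE, ALLOW_RULE]  # deny listed above: shadows the allow

# Flows a sandbox escape would try. "Trust" is an assumed internal zone.
FLOWS = {
    "sandbox->internet": ("wf-vm-zone", "Untrust"),
    "sandbox->internal": ("wf-vm-zone", "Trust"),
    "sandbox->same zone": ("wf-vm-zone", "wf-vm-zone"),
    "internet->sandbox": ("Untrust", "wf-vm-zone"),
}


def isolation_report(rulebase):
    """Map each flow label to the action the firewall would take."""
    return {label: evaluate(rulebase, s, d)[1] for label, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for name, rb in (("as written", AS_WRITTEN), ("hardened", HARDENED),
                     ("misordered", MISORDERED)):
        print(f"{name:>10}: {isolation_report(rb)}")
```

The "as written" report shows sandbox->same zone allowed by intrazone-default, which is the gap the note closes; the "misordered" report shows sandbox->internet denied, which is why the clone must sit below the allow rule.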

Step 3
Connect the cables.

Physically connect the VM interface on the WildFire appliance to the port you configured on the firewall (Ethernet 1/3 in this example) using a straight-through RJ-45 cable. The VM interface is labeled 1 on the back of the appliance.

Step 4
Verify that the VM interface is transmitting and receiving traffic.

1. View the VM interface settings:
admin@WF-500> show interface vm-interface

2. Verify that the received/transmitted counters are incrementing. You can run the following command to generate ping traffic from the VM interface to an external device:
admin@WF-500> ping source <vm-interface-ip> host <gateway-ip>

For example:
admin@WF-500> ping source 10.16.0.20 host 10.16.0.1

Manage Content Updates on the WF-500 Appliance


Daily content updates for the WF-500 appliance equip the appliance with the most up-to-date threat
information for accurate malware detection and improve the appliance's ability to differentiate the malicious
from the benign. The updates also ensure that the appliance has the most recent information needed to generate
signatures when signature/URL generation is enabled on the appliance. For information on enabling signature
generation, see Signature/URL Generation on a WF-500 Appliance.

Install Content Updates Directly from the Update Server

Install Content Updates from an SCP-Enabled Server

Install Content Updates Directly from the Update Server



Step 1
Verify connectivity from the appliance to the update server and identify the content update to install.

1. Log in to the WildFire appliance and run the following command to display the current content version:
admin@wf-500> show system info | match wf-content-version

2. Confirm that the appliance can communicate with the Palo Alto Networks Update Server and view available updates:
admin@wf-500> request wf-content upgrade check

The command queries the Palo Alto Networks Update Server, provides information about available updates and identifies the version that is currently installed on the appliance:
Version  Size  Released on              Downloaded  Installed
--------------------------------------------------------------
2-253    57MB  2014/09/20 20:00:08 PDT  no          no
2-39     44MB  2014/02/12 14:04:27 PST  yes         current

If the appliance cannot connect to the update server, you will need to allow connectivity from the appliance to the Palo Alto Networks Update Server, or download and install the update using SCP as described in Install Content Updates from an SCP-Enabled Server.


Step 2
Download and install the latest content update.

1. Download the latest content update:
admin@wf-500> request wf-content upgrade download latest

2. View the status of the download:
admin@wf-500> show jobs all

You can run show jobs pending to view pending jobs. The following output shows that the download (job id 5) has finished downloading (Status FIN):
Enqueued             ID  Type    Status  Result  Completed
-----------------------------------------------------------
2014/04/22 03:42:20  5   Downld  FIN     OK      03:42:23

3. After the download is complete, install the update:
admin@wf-500> request wf-content upgrade install version latest

Run the show jobs all command again to monitor the status of the install.
Step 3
Verify the content update.

Run the following command and refer to the wf-content-version field:
admin@wf-500> show system info

The following shows an example output with content update version 2-253 installed:
admin@wf-500> show system info
hostname: wf-500
ip-address: 10.5.164.245
netmask: 255.255.255.0
default-gateway: 10.5.164.1
mac-address: 00:25:90:c3:ed:56
vm-interface-ip-address: 192.168.2.2
vm-interface-netmask: 255.255.255.0
vm-interface-default-gateway: 192.168.2.1
vm-interface-dns-server: 192.168.2.1
time: Mon Apr 21 09:59:07 2014
uptime: 17 days, 23:19:16
family: m
model: WF-500
serial: abcd3333
sw-version: 6.1.0
wf-content-version: 2-253
wfm-release-date: 2014/08/20 20:00:08
logdb-version: 6.1.2
platform-family: m

Step 4
(Optional) Schedule content updates to install the latest updates on the appliance at a set interval. You can configure the appliance to update daily or weekly and either download only or download and install the updates.

1. Schedule the appliance to download and install content updates:
admin@WF-500# set deviceconfig system update-schedule wf-content recurring [daily | weekly] action [download-and-install | download-only]

For example, to download and install updates daily at 8:00 am:
admin@WF-500# set deviceconfig system update-schedule wf-content recurring daily action download-and-install at 08:00

2. Commit the configuration:
admin@WF-500# commit

Install Content Updates from an SCP-Enabled Server


The following procedure describes how to install content updates on a WildFire appliance that does not have
direct connectivity to the Palo Alto Networks Update Server. You will need a Secure Copy (SCP)-enabled server
that will temporarily store the content update.

Step 1
Retrieve the content update file from the update server.

1. Log in to the Palo Alto Networks Support site and click Dynamic Updates.
2. In the WildFire Appliance section, locate the latest WF-500 appliance content update and download it.
3. Copy the content update file to an SCP-enabled server and note the file name and directory path.

Step 2
Install the content update on the WildFire appliance.

1. Log in to the WF-500 appliance and download the content update file from the SCP server:
admin@WF-500> scp import wf-content from username@host:path

For example:
admin@WF-500> scp import wf-content from bart@10.10.10.5:c:/updates/panup-all-wfmeta-2-253.tgz

If your SCP server is running on a non-standard port or if you need to specify the source IP, you can also define those options in the scp import command.

2. Install the update:
admin@WF-500> request wf-content upgrade install file panup-all-wfmeta-2-253.tgz

View the status of the install:
admin@WF-500> show jobs all

Step 3
Verify the content update.

Verify the content version:
admin@wf-500> show system info | match wf-content-version

The following output now shows version 2-253:
wf-content-version: 2-253

Forward Files to a WF-500 Appliance


The following topics describe how to configure a firewall to forward files to a WF-500 appliance and how to
verify the configuration. If you configure the WF-500 appliance to generate signatures and URL updates, you
will also want to configure the firewall to retrieve content updates from the appliance. See Signature/URL
Generation on a WF-500 Appliance.
If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama
Templates to push the WildFire server information, allowed file size, and the session information settings to the
firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules.
Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis
(WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). When configuring the WildFire server
on Panorama (Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example,
if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud
server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama
setting should point to the IP address or FQDN of the appliance.

Configure a Firewall to Forward Samples to a WF-500 Appliance

Verify Forwarding to a WF-500 Appliance

Configure a Firewall to Forward Samples to a WF-500 Appliance


Perform the following steps on each firewall that will forward samples to the WildFire appliance.

If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed:

WildFire cloud: uses port 443 for registration and file submissions.
WildFire appliance: uses port 443 for registration and 10443 for file submissions.
Step 1
Verify that the firewall has a WildFire subscription and that dynamic updates are scheduled and are up-to-date. See Best Practices for Keeping Signatures up to Date for recommended settings.

1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions installed.
2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates. If you are using a WildFire appliance that has Signature/URL generation enabled, check those updates as well.
3. Confirm and update the dynamic updates as needed. Stagger the update schedules because the firewall can only perform one update at a time.

Step 2
Define the WildFire server that the firewall will forward files to for analysis.

1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. In the WildFire Server field, enter the IP address or FQDN of the WF-500 appliance.


Step 3
Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.

If you choose PE in the profile's File Types column to select a category of file types, do not also add an individual file type that is part of that category, because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because supported file types that are zipped are automatically sent to WildFire. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice.

Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, the new types are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire.

1. Select Objects > Security Profiles > File Blocking.
2. Click Add to add a new profile and enter a Name and Description.
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
4. Select the Applications that will match this profile. For example, selecting web-browsing as the application will cause the profile to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire.
6. In the Direction field select upload, download, or both. Selecting both will trigger forwarding whenever a user attempts to upload or download a file.
7. Define an Action as follows (choose Forward for this example):
Forward: The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user.
Continue-and-forward: The user is prompted and must click Continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
8. Click OK to save.

Step 4
(Optional) If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users).

1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
2. Select the Response Pages check box.
3. Click OK to save the profile.
4. Select Network > Interfaces and then edit the layer 3 interface or VLAN interface that is your ingress interface.
5. Click the Advanced tab and, from the drop-down menu, select the Interface Mgmt profile that has the response page option enabled.
6. Click OK to save.


Step 5
Enable forwarding of decrypted content. To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option.

1. Select Device > Setup > Content-ID.
2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
3. Click OK to save the changes.

If you configured multiple virtual systems on the firewall, you must enable this option per VSYS. Select Device > Virtual Systems, click the virtual system you want to modify and select the Allow Forwarding of Decrypted Content check box.

Step 6
Attach the file blocking profile to a security policy.

1. Select Policies > Security.
2. Click Add to create a new policy for the zones that you are applying WildFire forwarding to, or select an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down. If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.

Step 7
(Optional) Modify the maximum file size that the firewall can upload to WildFire.

1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded.

Step 8
(PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the PA-7050 and avoids overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email, and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files and email links to WildFire for analysis.

If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route.

The PA-7050 does not forward logs to Panorama. Panorama will only query the PA-7050 log card for log information.

1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your email servers so that it can forward logs and email alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated.

Step 9
(Optional) Modify session options that define what session information to record in WildFire analysis reports.

1. Click the Session Information Settings edit icon.
2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove them from the WildFire analysis reports.
3. Click OK to save the changes.

Step 10
Commit the configuration. Click Commit to apply the settings.

During security policy evaluation, all files that meet the criteria defined in the file blocking policy are forwarded by the firewall to WildFire. For information on viewing analysis reports, see WildFire Reporting. For information on verifying the configuration, see Verify Forwarding to a WF-500 Appliance.

Verify Forwarding to a WF-500 Appliance


This topic describes the steps required to verify that the firewall is properly configured to forward samples to a
WF-500 appliance. For information on a test file that you can use to verify the process, see Malware Test
Samples.

Step 1
Check the WildFire and Threat Prevention subscriptions and WildFire registration. The firewall must have a WildFire subscription to forward files to a WildFire appliance. See WildFire Subscription Requirements.

1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
2. Check that the firewall can communicate with a WildFire server for file forwarding:
admin@PA-200> test wildfire registration

When the firewall points to a WF-500 appliance, the best server line shows the IP address or FQDN of the appliance. When it points to the WildFire cloud, it shows the hostname of one of the WildFire systems in the WildFire cloud, as in the following output:
Test wildfire
wildfire registration: successful
download server list: successful
select the best server: s1.wildfire.paloaltonetworks.com

If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required.

Step 2
Confirm that the firewall is sending files to the correct WildFire server.

1. To determine where the firewall is forwarding files (WildFire cloud or WildFire appliance), select Device > Setup > WildFire.
2. Click the General Settings edit button. The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If you configured the firewall to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed.

If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK; the field will auto-populate with the default value for the WildFire cloud.


Step 3
Check the logs to verify that files are forwarded to WildFire.

1. Select Monitor > Logs > Data Filtering.
2. View the Action column to determine the forwarding results:
Forward: Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance.
Wildfire-upload-success: Indicates that the firewall forwarded the file to WildFire. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.
Wildfire-upload-skip: Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously.
3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning analysis reports.

Step 4
Verify the action setting in the file blocking profile.

1. Select Objects > Security Profiles > File Blocking and click the file blocking profile to modify it.
2. Confirm that the action is set to forward or continue-and-forward. If you set continue-and-forward, the firewall will only forward http/https traffic because this is the only type of traffic that will allow the firewall to serve a response page to the user.

Step 5
Check the security policy.

1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.


Step 6
Check the WildFire status on the firewall and confirm that the Status field is Idle and that Device registered and Valid wildfire license are both yes. The output also shows the allowed file size for each file type that the firewall will forward.

View WildFire status:
admin@PA-200> show wildfire status

The following output shows the IP address of the WF-500 appliance and that the status is Idle, which means the appliance is ready to receive files.
Connection info:
  Wildfire cloud:              10.3.4.99
  Status:                      Idle
  Best server:                 10.3.4.99:10443
  Device registered:           yes
  Valid wildfire license:      yes
  Service route IP address:    10.43.14.24
  Signature verification:      enable
  Server selection:            enable
  Through a proxy:             no
File size limit info:
  pe                           10 MB
  apk                          10 MB
  pdf                          1000 KB
  ms-office                    10000 KB
  jar                          10 MB
  flash                        5 MB
Forwarding info:
  file idle time out (second): 90
  total file forwarded:        13
  file forwarded in last minute: 0
  concurrent files:            0

43


Step 7
Check WildFire statistics to confirm that counters are incrementing.
The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers.
admin@PA-200> show wildfire statistics
Packet based counters:
  Total msg rcvd:               4548
  Total bytes rcvd:             4337198
  Total msg read:               4545
  Total bytes read:             4227894
  Total msg lost by read:       3
  Total DROP_NO_MATCH_FILE      3
  Total files received from DP: 86
Counters for file cancellation:
  CANCEL_BY_DP                  1
  CANCEL_FILE_DUP               3
Counters for file forwarding:
file type: apk
file type: pdf
file type: email-link
file type: ms-office
file type: pe
  FWD_CNT_LOCAL_FILE            2
  FWD_CNT_REMOTE_FILE           2
file type: flash
  FWD_CNT_LOCAL_FILE            80
  FWD_CNT_LOCAL_DUP             3
  FWD_CNT_REMOTE_FILE           43
  FWD_CNT_REMOTE_DUP_CLEAN      22
  FWD_CNT_REMOTE_DUP_MAL        15
file type: jar
file type: unknown
file type: pdns
Error counters:
  FWD_ERR_CONN_FAIL             24
Reset counters:
  DP receiver reset cnt:        2
  File cache reset cnt:         2
  Service connection reset cnt: 1
  Log cache reset cnt:          2
  Report cache reset cnt:       2
Resource meters:
  data_buf_meter                0%
  msg_buf_meter                 0%
  ctrl_msg_buf_meter            0%
File forwarding queues:
  priority: 1, size: 0
  priority: 2, size: 0
  priority: 3, size: 0
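The checks in Step 6 and Step 7 can be applied automatically across many firewalls. The following Python script is an added example and is not part of this guide or of PAN-OS: it parses captured output of show wildfire status and show wildfire statistics (the sample outputs below are constructed from the values shown above and abbreviated) and applies the same checks, treating all-zero forwarding counters as a failure and a non-zero FWD_ERR_CONN_FAIL as a warning.

```python
# Added example (not Palo Alto Networks code): apply the Step 6 and Step 7 checks
# to captured `show wildfire status` / `show wildfire statistics` output.
import re

# Constructed sample: `show wildfire status` from a firewall that forwards to a WF-500.
STATUS_OUTPUT = """\
Connection info:
  Wildfire cloud:            10.3.4.99
  Status:                    Idle
  Best server:               10.3.4.99:10443
  Device registered:         yes
  Valid wildfire license:    yes
  Service route IP address:  10.43.14.24
  Signature verification:    enable
  Server selection:          enable
  Through a proxy:           no
File size limit info:
  pe                         10 MB
Forwarding info:
  file idle time out (second):   90
  total file forwarded:          13
"""

# Constructed sample: abbreviated `show wildfire statistics` using the guide's values.
STATISTICS_OUTPUT = """\
Counters for file forwarding:
file type: pe
  FWD_CNT_LOCAL_FILE          2
  FWD_CNT_REMOTE_FILE         2
file type: flash
  FWD_CNT_LOCAL_FILE          80
  FWD_CNT_LOCAL_DUP           3
  FWD_CNT_REMOTE_FILE         43
  FWD_CNT_REMOTE_DUP_CLEAN    22
  FWD_CNT_REMOTE_DUP_MAL      15
file type: jar
Error counters:
  FWD_ERR_CONN_FAIL           24
"""

def parse_status(text):
    """Return {field: value} for each 'name: value' line; section headers
    such as 'Connection info:' carry no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def parse_forward_counters(text):
    """Return {file_type: {counter: int}} from 'Counters for file forwarding';
    error counters are collected under the key '_errors'."""
    counters = {"_errors": {}}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*file type:\s*(\S+)", line)
        if m:
            current = m.group(1)
            counters[current] = {}
            continue
        if line.strip().startswith("Error counters"):
            current = "_errors"
            continue
        m = re.match(r"\s*(FWD_\w+)\s+(\d+)", line)
        if m and current is not None:
            counters[current][m.group(1)] = int(m.group(2))
    return counters

def check_status(fields, expect_server=None):
    """Step 6: Status Idle, registered, licensed and (if given) the expected
    WildFire server. Returns a list of problem strings."""
    problems = []
    if fields.get("Status") != "Idle":
        problems.append("Status is %r, expected Idle" % fields.get("Status"))
    for key in ("Device registered", "Valid wildfire license"):
        if fields.get(key) != "yes":
            problems.append("%s is %r, expected yes" % (key, fields.get(key)))
    server = fields.get("Wildfire cloud")
    if expect_server and server != expect_server:
        problems.append("forwarding to %r, expected %r" % (server, expect_server))
    return problems

def check_statistics(counters):
    """Step 7: all-zero forwarding counters are a problem, connection failures a warning."""
    problems, warnings = [], []
    forwarded = sum(n for ft, c in counters.items() if ft != "_errors" for n in c.values())
    if forwarded == 0:
        problems.append("all forwarding counters are 0: check connectivity and the file blocking profile")
    fails = counters["_errors"].get("FWD_ERR_CONN_FAIL", 0)
    if fails:
        warnings.append("FWD_ERR_CONN_FAIL=%d: some submissions could not reach WildFire" % fails)
    return problems, warnings

def wildfire_health(status_text, stats_text, expect_server=None):
    """Run both checks; returns (healthy, problems, warnings)."""
    problems = check_status(parse_status(status_text), expect_server)
    stat_problems, warnings = check_statistics(parse_forward_counters(stats_text))
    return (not problems and not stat_problems, problems + stat_problems, warnings)
```

Call wildfire_health() with the two command outputs collected from a firewall and the server it should be forwarding to; the sample data above yields healthy with one warning for the 24 connection failures.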

Step 8
Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving WildFire signatures.
1. Select Device > Dynamic Updates.
2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item. Stagger the update schedules because the firewall can only perform one update at a time. See Best Practices for Keeping Signatures up to Date.
3. Click Check Now at the bottom of the window to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com.
If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates.


Step 9
Check the registration status and statistics for firewalls forwarding to a WF-500 appliance.
See Verify the WF-500 Appliance Configuration.

Signature/URL Generation on a WF-500 Appliance


The WF-500 appliance can generate signatures locally, eliminating the need to send any data to the public cloud
in order to block malicious content. The appliance can analyze files forwarded to it from Palo Alto Networks
firewalls or from the WildFire API and generate the following types of signatures that block both the malicious
files as well as associated command and control traffic:

Antivirus signatures: Detect and block malicious files. WildFire adds these signatures to WildFire and
Antivirus content updates.

DNS signatures: Detect and block callback domains for command and control traffic associated with
malware. WildFire adds these signatures to WildFire and Antivirus content updates.

URL Categorization: Categorizes callback domains as malware and updates the URL category in
PAN-DB.

Firewalls must be running PAN-OS 6.1 or later to enable dynamic updates from a WF-500 appliance. In
addition, you must configure the firewalls to receive content updates from the WF-500 appliance, which can
occur as frequently as every five minutes. You can optionally send the malware sample file (or only the XML
report) to the WildFire cloud to enable signature generation for distribution through Palo Alto Networks
content releases.
When the local storage on the appliance is full, new signatures/URL categorizations will overwrite existing ones,
beginning with the oldest ones first.
The following topics describe how to enable signature/URL generation on the WF-500 appliance and how to
configure firewalls to retrieve content updates from the appliance:

Enable Signature/URL Generation on the WF-500 Appliance

Configure the Firewall to Retrieve Updates from a WF-500 Appliance

Enable Signature/URL Generation on the WF-500 Appliance


This workflow describes how to enable a WildFire appliance to generate antivirus signatures, DNS signatures,
and URL categorization updates (PAN-DB only) based on samples that the appliance receives from connected
firewalls and the WildFire XML API.
Enable Signature/URL Generation on the WildFire Appliance

Step 1
Before configuring this feature, verify that the WF-500 appliance is configured to receive the latest content updates from Palo Alto Networks. The content updates will equip the appliance with the most up-to-date threat information for accurate malware detection and signature generation.
Follow the procedure described in Manage Content Updates on the WF-500 Appliance.


Step 2
Enable signature/URL generation.
1. Log in to the appliance and type configure to enter configuration mode.
2. Enable all threat prevention options:
   admin@WF-500# set deviceconfig setting wildfire signature-generation av yes dns yes url yes
3. Commit the configuration:
   admin@WF-500# commit
To configure connected firewalls to retrieve updates from the appliance, see Configure the Firewall to Retrieve Updates from a WF-500 Appliance.

Step 3
(Optional) Configure the WF-500 appliance to forward analysis reports or malicious samples to the Palo Alto Networks WildFire cloud. If Packet Captures (PCAPs) are enabled, the PCAP will also be forwarded with the sample file.
1. To auto submit analysis reports:
   admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
   If submit-sample is enabled as described in the following step, there is no need to enable submit-report because the WildFire cloud will re-analyze the sample, generate a new report, and also generate a signature for malicious samples.
2. To auto submit file samples:
   admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
3. Commit the configuration:
   admin@WF-500# commit

Configure the Firewall to Retrieve Updates from a WF-500 Appliance


If you Enable Signature/URL Generation on the WF-500 Appliance, you can configure your firewalls to retrieve
regular content updates from the appliance. This ensures that your network is protected from threats that
WildFire detects in your local environment. As a best practice, you should configure your firewalls to retrieve
content updates from the Palo Alto Networks Update Servers and from the WildFire cloud. This will ensure
that your firewalls receive signatures based on threats detected worldwide, not just signatures generated by your
local WF-500 appliance.
The following workflow describes how to configure a Palo Alto Networks firewall to retrieve content updates
from a WildFire appliance.
Configure the Firewall to Retrieve Updates from the WF-500 Appliance

Step 1
Launch the firewall web interface and go to the Dynamic Updates page.
Select Device > Dynamic Updates.

Step 2
Check for the latest updates.
The new WF-Private section in Dynamic Updates (shown in a screen capture in the original guide) is where you will download updates from the WF-500 appliance.
1. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available:
   Download: Indicates that a new update file is available. Click the link to begin downloading the file directly to the firewall. After successful download, the link in the Action column changes from Download to Install.
   To check the status of an action, click Tasks (on the lower right-hand corner of the window).
   Revert: Indicates that the firewall downloaded the corresponding update previously. Click Revert to install the previous version of the update.

Step 3
Install the updates.
Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.

Step 4
Schedule the update.
To receive updates at the minimal interval, configure the firewall to download/install updates every five minutes. See Best Practices for Keeping Signatures up to Date.
1. Click None to the right of Schedule if no schedule is configured. If a schedule exists and you would like to modify it, click the defined schedule.
2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The WF-500 appliance updates are available Every 5 minutes (best practice), Every 15 minutes, Every 30 minutes, or Every Hour.
3. Specify if the firewall will Download And Install the update (best practice) or Download Only.
4. Specify how long after a content release to wait before performing a content update by entering the number of hours to wait in the Threshold (Hours) field. This provides added protection in the event that there are errors in a content release.
5. Click OK to save the schedule settings.
6. Click Commit to save the settings to the running configuration.

Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support

This topic describes how to upgrade the WF-500 appliance operating system and how to install and enable the
Windows 7 64-bit Virtual Machine (VM) sandbox environment. Note that when upgrading to version 6.1, you
first download and install the Windows 7 64-bit image before upgrading the WF-500 appliance operating
system. The VM images can be as large as 4GB, so you must download them from the Palo Alto Networks
update servers and then host them on an SCP-enabled server that you provide. You will then use the SCP client
on the appliance to download the images from the SCP-enabled server prior to upgrading the appliance.
The appliance can only use one environment at a time to analyze samples, so after upgrading the appliance,
review the list of available VM images and then choose the image that best fits your environment. In the case
of Windows 7, if your environment has a mix of Windows 7 32-bit and Windows 7 64-bit systems, it is
recommended that you choose the Windows 7 64-bit image, so WildFire will analyze both 32-bit and 64-bit PE
files. Although you configure the appliance to use one virtual machine image, to improve performance the
appliance uses multiple instances of that image to perform file analyses.
Upgrade the WF-500 appliance before upgrading the firewalls that are configured to forward
samples to it.
If you are upgrading to a 6.1 maintenance release, you do not have to install the Windows 7 64-bit
image. You only need to download the latest image update and then install.

The following workflow describes how to upgrade the WF-500 appliance and enable the Windows 7 64-bit
environment:
WF-500 Appliance Upgrade

Step 1
Determine the upgrade path and download a base image file if needed.
You cannot upgrade directly to the WildFire appliance operating system version 6.1 from version 5.1. Although you do not have to install version 6.0.0 (feature release), you must first download the image and then download and install version 6.1.0. All releases have the requirement to download the base image files to skip a feature release.
1. Log in to the WF-500 appliance and view system information:
   admin@WF-500> show system info
2. Check the sw-version: field to determine the installed version and proceed as follows:
   If version 6.0.0 or later is installed, continue to Step 2.
   If a version prior to 6.0.0 is installed, continue the steps in this section.
3. Download the 6.0.0 base image:
   admin@WF-500> request system software download version 6.0.0
4. Check the status of the download:
   admin@WF-500> show jobs all
5. After the download completes, continue to Step 2.



Step 2
Download the required WildFire files to prepare for the 6.1.0 upgrade.
In this case, you will need the WildFire operating system 6.1.0 image file, the Windows 7 64-bit base image, and the Windows 7 64-bit add-on image.
1. Check the Update Server for the available WildFire operating system software versions:
   admin@WF-500> request system software check
   In this case, look for version 6.1.0. The Downloaded column indicates if the image has been downloaded to the appliance or not. If the image is already downloaded you can proceed. If the image is not downloaded, run the following command:
   admin@WF-500> request system software download version 6.1.0
2. To download the Windows 7 64-bit images, go to the Palo Alto Networks Support site, click Software Updates and in the WF-500 Guest VM Images section locate and download the latest Windows 7 64-bit base image and the Windows 7 64-bit Add-on image.
   The VM files can be as large as 4GB, so ensure that your Secure Copy (SCP) enabled server software supports file transfers over 4GB and verify that there is enough free space to temporarily store the files.
   The file names are similar to the following:
   Base Image: WFWin7_64Base_m-1.0.0_64base
   Add-on Image: WFWin7_64Addon1_m-1.0.0_64addon
3. Move the files to your SCP-enabled server and note the file name and directory path.

Step 3
Download the VM images to the WF-500 appliance.
1. Download the base image file from the SCP-enabled server:
   admin@WF-500> scp import wildfire-vm-image from username@host:path
   For example:
   admin@WF-500> scp import wildfire-vm-image from bart@10.43.15.41:c:/scp/WFWin7_64Base_m-1.0.0_64base
   The SCP path following the IP or hostname varies depending on the SCP software that you are using. For Windows, the path is c:/folder/filename or //folder/filename; for Unix/Mac systems, the path is /folder/filename or //folder/filename.
2. Download the add-on image:
   admin@WF-500> scp import wildfire-vm-image from username@host:path
   For example:
   admin@WF-500> scp import wildfire-vm-image from bart@10.43.15.41:c:/scp/WFWin7_64Base_m-1.0.0_64addon1



Step 4
Install the Windows 7 64-bit VM images.
1. Install the Windows 7 64-bit base image:
   admin@WF-500> request system wildfire-vm-image upgrade install WFWin7_64Base_m-1.0.0_64base
2. Install the Windows 7 64-bit Add-on image:
   admin@WF-500> request system wildfire-vm-image upgrade install WFWin7_64Base_m-1.0.0_64addon1

Step 5
Install the 6.1 operating system image file.
Install the WF-500 appliance operating system image that you downloaded previously:
admin@WF-500> request system software install version 6.1.0

Step 6
Restart the appliance and confirm that the installation was successful.
1. Confirm that the upgrade has completed by running the following command and look for the job type Install and status FIN:
   admin@WF-500> show jobs all
   Enqueued             ID  Type    Status  Result  Completed
   ---------------------------------------------------------
   2014/07/30 10:38:48  2   Downld  FIN     OK      10:39:08
2. After the upgrade is complete, restart the appliance:
   admin@WF-500> request restart system
3. Verify that the sw-version field shows 6.1:
   admin@WF-500> show system info | match sw-version

Step 7
(Optional) Enable the Windows 7 64-bit sandbox environment.
1. View the active virtual machine image by running the following command and refer to the Selected VM field:
   admin@WF-500> show wildfire status
2. View a list of available virtual machine images:
   admin@WF-500> show wildfire vm-images
   The following output shows that vm-5 is the Windows 7 64-bit image:
   vm-5  Windows 7 64bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010 and earlier
3. Select the image to be used for analysis:
   admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
   For example, to use vm-5, run the following command:
   admin@WF-500# set deviceconfig setting wildfire active-vm vm-5
4. Commit the configuration:
   admin@WF-500# commit


WildFire Cloud File Analysis


The following topics describe how to configure a Palo Alto Networks firewall to forward files to the WildFire
cloud for analysis and also describes how to manually upload files using the WildFire Portal. You can also use
the WildFire API to submit samples to the WildFire cloud.

Forward Samples to the WildFire Cloud

Verify Forwarding to the WildFire Cloud

Upload Files using the WildFire Cloud Portal

Forward Samples to the WildFire Cloud


To configure a Palo Alto Networks firewall to automatically submit samples to the WildFire cloud to identify
malware, you must configure a file blocking profile with the forward or continue-and-forward action (forward
only for email links) and then attach the profile to the security rule that will trigger inspection for zero-day
malware. The samples can be specific file types or HTTP/HTTPS links contained in SMTP or POP3 messages.
For example, you can configure a policy with a file blocking profile that triggers the firewall to forward a specific
file type (PDF for example) to WildFire, or all supported file types that users attempt to download during a
web-browsing session. The firewall can forward encrypted files if SSL decryption is configured and the option
to forward encrypted files is enabled. To enable WildFire Email Link Analysis, you simply configure the firewall
to forward the file type email-link.
If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama
Templates to push the WildFire server information, allowed file size, and the session information settings to the
firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules.
Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis
(WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). When configuring the WildFire server
on Panorama (Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example,
if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud
server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama
setting should point to the IP address or FQDN of the appliance.
If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud
or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed.

WildFire cloud: Uses port 443 for registration and file submissions.
WildFire appliance: Uses port 443 for registration and 10443 for file submissions.

Perform the following steps on each firewall that will forward files to WildFire:
Configure a File Blocking Profile and Add it to a Security Profile

Step 1
Verify that the firewall has valid Threat Prevention and WildFire subscriptions and that dynamic updates are scheduled and up-to-date. See Best Practices for Keeping Signatures up to Date for recommended settings.
Having a WildFire subscription provides many benefits, such as forwarding of advanced file types and receiving WildFire signatures within 15 minutes. For details, see WildFire Subscription Requirements.
1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions.
2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates.
3. If the updates are not scheduled, schedule them now. Stagger the update schedules because the firewall can only perform one update at a time.


Step 2
Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.
If you choose PE in the profile's File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because the firewall will automatically forward supported file types that are zipped. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice.
Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, the new types are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire.
1. Select Objects > Security Profiles > File Blocking.
2. Click Add to add a new profile and enter a Name and Description.
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
4. Select the Applications that will match this profile. For example, select web-browsing to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire or select PE to only forward Portable Executable files.
6. In the Direction field, select upload, download, or both. The both option will trigger forwarding whenever a user attempts to upload or download a file.
7. Define an Action as follows:
   Forward: The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user.
   Continue-and-forward: The user is prompted and must click continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
8. Click OK to save.

Step 3
(Optional) Enable response pages to allow users to decide whether to forward a file.
If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users).
1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
2. Click the Response Pages check box to enable.
3. Click OK to save the profile.
4. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is the ingress interface.
5. On the Advanced tab, select the Interface Mgmt profile that has the response page option enabled.
6. Click OK to save.


Step 4
Enable forwarding of decrypted content.
To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option.
1. Select Device > Setup > Content-ID.
2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
3. Click OK to save the changes.
   If the firewall has multiple virtual systems, you must enable this option per VSYS. In this situation, select Device > Virtual Systems, click the virtual system to be modified and select the Allow Forwarding of Decrypted Content check box.

Step 5
Attach the file blocking profile to a security policy.
1. Select Policies > Security.
2. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down.
   If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.

Step 6
(Optional) Modify the maximum file size allowed for upload to WildFire.
1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded.

Step 7
(Optional) Modify session options that define what session information to record in WildFire analysis reports.
1. Click the Session Information Settings edit icon.
2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove from the WildFire analysis reports.
3. Click OK to save the changes.


Step 8
(PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the PA-7050 and avoids overwhelming the MGT port.
The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email, and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files/email links to WildFire for analysis.
If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route.
The PA-7050 does not forward logs to Panorama. Panorama will query the PA-7050 log card for log information.
1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your email servers so that the firewall can send logs and email alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated.

Step 9
Commit the configuration.
Click Commit to apply the settings.
During security policy evaluation, all files that meet the criteria defined in the file blocking policy are forwarded by the firewall to WildFire. For information on viewing WildFire reports, see WildFire Reporting.
For information on verifying the configuration, see Verify Forwarding to the WildFire Cloud.


Verify Forwarding to the WildFire Cloud


This topic describes the steps required to verify that the firewall is properly configured to forward samples to
the WildFire cloud. For information on a test file that you can use to verify the process, see Malware Test
Samples.
Verify Forwarding to the WildFire Cloud

Step 1
Check the WildFire and Threat Prevention subscriptions and WildFire registration.
1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
2. Check that the firewall can communicate with a WildFire server for file forwarding:
   admin@PA-200> test wildfire registration
   In the following output, the firewall is pointing to the WildFire cloud. If the firewall is pointing to a WildFire appliance, it will show the FQDN or IP address of the appliance.
   Test wildfire
     wildfire registration: successful
     download server list: successful
     select the best server: s1.wildfire.paloaltonetworks.com
3. If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required.

Step 2
Confirm that the firewall is sending files to the correct WildFire system.
1. To determine where the firewall is forwarding files (to the Palo Alto Networks WildFire cloud or to a WildFire appliance), select Device > Setup > WildFire.
2. Click the General Settings edit button. The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If the firewall is configured to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed.
   If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK and the field will auto populate with the default value for the WildFire cloud.


Step 3
Check the logs to verify that forwarding is working. For information on enabling email header details in logs, see Enable Email Header Information in WildFire Logs.
1. Select Monitor > Logs > Data Filtering.
2. View the Action column to determine the forwarding results:
   Forward: Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance.
   Wildfire-upload-success: Indicates that the firewall forwarded the file to WildFire. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.
   Wildfire-upload-skip: Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously.
3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning file analysis results. For more information on WildFire-related logs, see WildFire Logs.

Step 4
Verify the action setting in the file blocking profile.
1. Select Objects > Security Profiles > File Blocking and click the file blocking profile.
2. Confirm that the action is set to forward or continue-and-forward. If you set continue-and-forward, the firewall will only forward http/https traffic because this is the only type of traffic that allows the firewall to serve a response page to the user.

Step 5
Verify that the file blocking profile is in the correct security policy.
1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.


Step 6
Check the WildFire server status on the appliance.
admin@PA-200> show wildfire status

When forwarding files to the WildFire cloud, the output should look similar to the following:

Connection info:
  Wildfire cloud:                 public cloud
  Status:                         Idle
  Best server:                    s1.wildfire.paloaltonetworks.com
  Device registered:              yes
  Valid wildfire license:         yes
  Service route IP address:       192.168.2.1
  Signature verification:         enable
  Server selection:               enable
  Through a proxy:                no

Forwarding info:
  file size limit for pe (MB):          10
  file size limit for jar (MB):         1
  file size limit for apk (MB):         2
  file size limit for pdf (KB):         500
  file size limit for ms-office (KB):   10000
  file idle time out (second):          90
  total file forwarded:                 1
  file forwarded in last minute:        0
  concurrent files:                     0


Step 7
Check WildFire statistics to confirm that counters are incrementing.
The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers.

admin@PA-200> show wildfire statistics
Packet based counters:
  Total msg rcvd:                 12011
  Total bytes rcvd:               10975328
  Total msg read:                 11963
  Total bytes read:               10647634
  Total msg lost by read:         48
  Total DROP_NO_MATCH_FILE        48

Total files received from DP:     196

Counters for file cancellation:
  CANCEL_FILE_DUP                 11
  CANCEL_CONCURRENT_LIMIT         7

Counters for file forwarding:
  file type: apk
  file type: pdf
  file type: email-link
  file type: ms-office
  file type: pe
  file type: flash
    FWD_CNT_LOCAL_FILE            178
    FWD_CNT_LOCAL_DUP             11
    FWD_CNT_REMOTE_FILE           121
    FWD_CNT_REMOTE_DUP_CLEAN      56
    FWD_CNT_REMOTE_DUP_TBD        8
    FWD_CNT_REMOTE_DUP_MAL        3
  file type: jar
  file type: unknown
  file type: pdns

Error counters:
  LOG_ERR_REPORT_CACHE_NOMATCH    880

Reset counters:
  DP receiver reset cnt:          2
  File cache reset cnt:           2
  Service connection reset cnt:   1
  Log cache reset cnt:            2
  Report cache reset cnt:         2

Resource meters:
  data_buf_meter                  0%
  msg_buf_meter                   0%
  ctrl_msg_buf_meter              0%

File forwarding queues:
  priority: 1, size: 0
  priority: 2, size: 0
  priority: 3, size: 0
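As an added example that is not part of the guide, the following Python code parses `show wildfire statistics` output in the layout shown above and applies the Step 7 rule (all forwarding counters at 0 means the firewall is not forwarding). The sample text is constructed from the values above; which file type the FWD_CNT_* counters belong to follows the order of the listing and is an assumption.

```python
import re

# Constructed sample in the layout the guide prints for `show wildfire statistics`
# (values from the guide's example; the FWD_CNT_* lines are attributed to the
# file type printed just before them, as in the guide's listing).
SAMPLE_OUTPUT = """\
Packet based counters:
  Total msg rcvd:                12011
  Total msg lost by read:        48
  Total DROP_NO_MATCH_FILE       48
Total files received from DP:    196
Counters for file cancellation:
  CANCEL_FILE_DUP                11
  CANCEL_CONCURRENT_LIMIT        7
Counters for file forwarding:
  file type: apk
  file type: pe
  file type: flash
    FWD_CNT_LOCAL_FILE           178
    FWD_CNT_LOCAL_DUP            11
    FWD_CNT_REMOTE_FILE          121
    FWD_CNT_REMOTE_DUP_CLEAN     56
    FWD_CNT_REMOTE_DUP_TBD       8
    FWD_CNT_REMOTE_DUP_MAL       3
  file type: jar
Error counters:
  LOG_ERR_REPORT_CACHE_NOMATCH   880
Reset counters:
  Service connection reset cnt:  1
Resource meters:
  msg_buf_meter                  0%
File forwarding queues:
  priority: 1, size: 0
  priority: 2, size: 0
"""

SECTIONS = {
    "Packet based counters": "packet",
    "Counters for file cancellation": "cancel",
    "Counters for file forwarding": "forward",
    "Error counters": "error",
    "Reset counters": "reset",
    "Resource meters": "meters",
    "File forwarding queues": "queues",
}
_FTYPE = re.compile(r"^file type:\s*(\S+)$")
_QUEUE = re.compile(r"^priority:\s*(\d+),\s*size:\s*(\d+)$")
_METER = re.compile(r"^(\w+)\s+(\d+)%$")
_NUM = re.compile(r"^(.*?):?\s+(\d+)$")  # "name: 12" or "NAME 12"


def parse_wildfire_statistics(text):
    """Return section -> name -> int (forwarding counters keyed by file type)."""
    stats = {key: {} for key in SECTIONS.values()}
    stats["files_from_dp"] = None
    section = file_type = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section, file_type = SECTIONS[line[:-1]], None
            continue
        m = _FTYPE.match(line)
        if m:
            file_type = m.group(1)
            stats["forward"].setdefault(file_type, {})
            continue
        m = _QUEUE.match(line)
        if m:
            stats["queues"][int(m.group(1))] = int(m.group(2))
            continue
        m = _METER.match(line)
        if m:
            stats["meters"][m.group(1)] = int(m.group(2))
            continue
        m = _NUM.match(line)
        if not m:
            continue
        name, value = m.group(1).strip(), int(m.group(2))
        if name == "Total files received from DP":
            stats["files_from_dp"] = value
        elif section == "forward":
            stats["forward"].setdefault(file_type or "unknown", {})[name] = value
        elif section is not None:
            stats[section][name] = value
    return stats


def forwarding_assessment(stats):
    """Step 7 rule from the guide: if every forwarding counter is 0, the
    firewall is not forwarding files to WildFire."""
    per_type = {ft: sum(c.values()) for ft, c in stats["forward"].items()}
    return {
        "forwarding_working": sum(per_type.values()) > 0,
        "per_file_type": per_type,
        "queued_files": sum(stats["queues"].values()),
        "files_from_dp": stats["files_from_dp"],
    }
```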


Step 8
Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving signatures generated by WildFire. See Best Practices for Keeping Signatures up to Date.
1. Select Device > Dynamic Updates.
2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item.
3. Click Check Now at the bottom of the window to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com.
   If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates.

Upload Files using the WildFire Cloud Portal


All Palo Alto Networks customers with a support account can manually upload files to the Palo Alto Networks
WildFire portal for analysis. The WildFire portal supports manual uploading of all Supported File Types.
Manual Upload to WildFire

Step 1
Manually upload a file to WildFire for analysis.
1. Log in to the WildFire Portal. If your firewall is forwarding to the WildFire portal in Japan, use https://wildfire.paloaltonetworks.jp.
2. Click the Upload Sample button then click Add files.
3. Navigate to the file, highlight it, and then click Open. The file name will appear below the Add files icon.
4. Click the Start icon to the right of the file, or click the Start upload button if multiple files are waiting for upload. If the file(s) upload successfully, Success will appear next to each file.
5. Close the Uploaded File Information pop-up.

Step 2
View the analysis results. It will take approximately five minutes for WildFire to complete a file analysis.
1. Refresh the portal page from your browser.
2. Click Manual under the Source column to view the results of manual sample uploads.
   Because a manual upload is not associated with a specific firewall, manual uploads will appear separately from your registered firewalls and will not show session information in the reports.
3. The report page will show a list of all files that have been uploaded to your account. Find the file you uploaded and click the detail icon to the left of the date field. The portal displays a full report of the file analysis detailing the observed file behavior. If WildFire identifies the file as malware, it generates a signature, which is then distributed to all Palo Alto Networks firewalls configured with a WildFire or Threat Prevention subscription.


WildFire Reporting
When malware is discovered on your network, it is important to take quick action to prevent propagation to other systems on your network. To ensure immediate alerts for malware discovered on your network, configure your firewalls to send email notifications, SNMP traps, and/or syslogs whenever WildFire returns a malware verdict on a sample. This allows you to quickly view the WildFire analysis report and identify the user who downloaded the malware, determine if the user ran the infected file or accessed a malicious email link, and assess whether the malware attempted to spread itself to other hosts. If you determine that the user has accessed the malicious content, you can quickly disconnect the computer from the network to prevent the malware from spreading and follow incident response and remediation processes as required.
The following topics describe the WildFire reporting and logging system and how to use this information to track down threats and to identify users who have been targeted by malware.

WildFire Logs

Enable Email Header Information in WildFire Logs

Monitor Submissions Using the WildFire Portal

Customize WildFire Portal Settings

Add WildFire Portal User Accounts

View WildFire Reports

WildFire Report Contents

Set Up Alerts for Detected Malware

WildFire in Action

WildFire Logs
Each firewall that you configure to forward samples to WildFire will log the forward action in the data filtering logs. After WildFire analyzes the sample, if the verdict is malware, WildFire sends the results back to the WildFire Submissions log on the firewall. You can also configure the firewall to log email header information for files delivered over email or for HTTP/HTTPS links contained in SMTP and POP3 messages. For more information, see Enable Email Header Information in WildFire Logs.
The detailed analysis report for each file or email link that WildFire analyzes is located in the detailed view of the WildFire Submissions log. You can also view analysis reports on the WildFire Portal.
If you configure your firewalls to forward samples to a WF-500 appliance, you can only view analysis results on the firewall that forwarded the file to the appliance or by using the WildFire XML API to retrieve the report from the appliance.

Forwarding Action Logs: The data filtering logs located in Monitor > Logs > Data Filtering will show the files that were blocked/forwarded based on the file blocking profile. To determine which files were forwarded to WildFire, look for the following values in the Action column of the log:

Action: wildfire-upload-success
Description: The firewall forwarded the sample to the WildFire cloud or WF-500 appliance. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.

Action: wildfire-upload-skip
Description: Displayed for all files identified as eligible to be sent to WildFire by a file blocking profile/security policy, but that did not need to be analyzed by WildFire because the file has already been analyzed previously. In this case, the forward action will appear in the Data Filtering log because it was a valid forward action, but the file was not sent to WildFire and analyzed because it has already been sent to the WildFire cloud or WildFire appliance from another session, possibly from another firewall. This action will not occur for email link forwarding.

Action: wildfire-upload-fail
Description: The sample could not be uploaded to WildFire. This is typically caused by network communication issues between the firewall and the WildFire cloud. Verify connectivity and check DNS.
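As an added example that is not from the guide, the following Python code applies the Action meanings described above (here and in Step 3 of Verify Forwarding to the WildFire Cloud) to constructed Data Filtering log lines: it tallies the forwarding outcomes and pairs each forward entry with the upload result logged for the same file, so wildfire-upload-fail entries and files that never progressed past the forward stage stand out. The comma-separated layout and the FIELDS names are assumptions for illustration, not the firewall's real log export format.

```python
import csv
import io
from collections import Counter

# Constructed sample lines in a simplified comma-separated layout
# (receive_time, action, filename, src, dst). This is NOT the column layout of
# the firewall's real Data Filtering log export; adjust FIELDS for a real export.
SAMPLE_LOG = """\
2015/02/23 10:01:02,forward,invoice.exe,10.1.1.5,203.0.113.10
2015/02/23 10:01:03,wildfire-upload-success,invoice.exe,10.1.1.5,203.0.113.10
2015/02/23 10:02:10,forward,report.pdf,10.1.1.7,203.0.113.22
2015/02/23 10:02:11,wildfire-upload-skip,report.pdf,10.1.1.7,203.0.113.22
2015/02/23 10:03:40,forward,setup.exe,10.1.1.9,198.51.100.4
2015/02/23 10:03:41,wildfire-upload-fail,setup.exe,10.1.1.9,198.51.100.4
2015/02/23 10:04:05,forward,notes.docx,10.1.1.5,203.0.113.10
"""
FIELDS = ["receive_time", "action", "filename", "src", "dst"]

# What each Action value means, as the guide describes it.
ACTION_MEANING = {
    "forward": "sent from the dataplane to the management plane; not yet sent to WildFire",
    "wildfire-upload-success": "uploaded to WildFire for analysis",
    "wildfire-upload-skip": "eligible, but already analyzed by WildFire; not re-sent",
    "wildfire-upload-fail": "upload failed; verify connectivity and DNS",
}


def parse_data_filtering_log(text):
    """Parse the constructed CSV layout into a list of dict rows."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row["action"]]


def summarize_forwarding(entries):
    """Tally Action values and correlate each 'forward' entry with the
    WildFire upload result logged later for the same file name."""
    counts = Counter(e["action"] for e in entries)
    upload_result = {}  # filename -> last wildfire-upload-* action seen
    for e in entries:
        if e["action"].startswith("wildfire-upload-"):
            upload_result[e["filename"]] = e["action"]
    forwarded = {e["filename"] for e in entries if e["action"] == "forward"}
    return {
        "counts": dict(counts),
        # reached the management plane, but no upload result logged yet
        "pending": sorted(forwarded - set(upload_result)),
        "failed_uploads": sorted(f for f, a in upload_result.items()
                                 if a == "wildfire-upload-fail"),
        # at least one sample got as far as the WildFire system
        "reached_wildfire": (counts["wildfire-upload-success"]
                             + counts["wildfire-upload-skip"]) > 0,
    }


def explain(action):
    """Human-readable meaning of an Action value, for triage output."""
    return ACTION_MEANING.get(action, "not a WildFire forwarding action")
```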

WildFire Logs: The analysis results for the samples scanned by WildFire are sent back to the firewall logs after the analysis completes. These logs are written to the firewall that forwarded the sample in Monitor > Logs > WildFire Submissions. If logs are forwarded from the firewall to Panorama, the logs are written to the Panorama server in Monitor > Logs > WildFire Submissions. The Category column for the WildFire logs will show either benign (benign email links are not logged), meaning that the file is safe, or malicious, indicating that WildFire determined that the sample contains malicious code. If the sample is determined to be malicious, a signature is generated by the WildFire signature generator. If your firewall is configured to forward files to a WF-500 appliance, you can configure the appliance to forward samples to the WildFire cloud for signature generation or you can Enable Signature/URL Generation on the WF-500 Appliance.
By default, firewalls with a WildFire subscription will only retrieve analysis results from the WildFire cloud or WF-500 appliance if the sample is identified as malware. To generate logs for benign files, select Device > Setup > WildFire, edit General Settings, and then select the Report Benign Files check box. You can also run the following CLI command: admin@PA-200# set deviceconfig setting wildfire report-benign-file.


Benign verdicts for email links are not logged.

To view the detailed report for a sample that has been analyzed by WildFire, locate the log entry in Monitor > Logs > WildFire Submissions, click the icon to the left of the log entry to show log details, and then click the WildFire Analysis Report tab. A login prompt will appear to access the report; after you enter the correct credentials, the report is retrieved from the WildFire system and displayed in your browser. For information on portal accounts to access the WildFire cloud, see Add WildFire Portal User Accounts. For information on the admin account that is used to retrieve reports from a WildFire appliance, see Integrate the WF-500 Appliance into a Network and refer to the step that describes the portal-admin account.

Enable Email Header Information in WildFire Logs


The firewall can capture email header information (email sender, recipient(s), and subject) and send it along with the corresponding email attachments and email links that it forwards to WildFire. If WildFire determines that the email attachment or link is malicious, it includes the email header information in the WildFire Submissions log that it returns to the firewall. This information can help you to quickly track down and remediate threats that are detected in emails received by your users. Note that neither the firewall nor WildFire receives, stores, or views the actual email contents.
The following workflow describes how to enable the email header options, how to set the User-ID attribute, and how to locate log information to help you identify recipients who have downloaded malicious attachments or received an email containing a malicious link.
Configure the Email Header Option for WildFire Logs

Step 1
Enable the email header option on the firewall that will forward samples to WildFire.
1. Select Device > Setup > WildFire.
2. Edit the Session Information Settings section and enable one or more of the options (Email sender, Email recipient, and Email subject).
3. Click OK to save.

Step 2
(Optional) Configure the User-ID option to enable the firewall to match User-ID information with email header information identified in email links and email attachments forwarded to WildFire. When a match occurs, the user name in the WildFire log email header section will contain a link that, when clicked, brings up the ACC filtered by the user or group of users.
1. Select Device > User Identification > Group Mapping Settings.
2. Select the desired group mapping profile to modify it.
3. In the Server Profile tab, in the Mail Domains section, populate the Domain List field:
   Mail Attributes: This field is automatically populated after you fill in the Domain List field and click OK. The attributes are based on your LDAP server type (Sun/RFC, Active Directory, and Novell).
   Domain List: Enter the list of email domains in your organization as a comma-separated list of up to 256 characters.


Step 3
Confirm that email header information is appearing in the WildFire reports. Within approximately 15 minutes after the file or link is forwarded, WildFire generates a log.
1. Select Monitor > Logs > Data Filtering on the firewall and locate a log with the Action wildfire-upload-success. The date/time should be after the date/time at which you enabled this option.
2. View the log and analysis report by selecting Monitor > Logs > WildFire Submissions and locating the corresponding log for the link or file attachment.
3. Click the log details icon in the first column. In the Log Info tab, you will see the new email information in the Email Headers section.
   Benign email links are not logged.
   If User-ID is configured on the firewall, the domain and user name collected by User-ID are displayed in the Recipient User-ID field.
Use the email header and User-ID information to track down the message on the mail server to delete it, or use the information to locate the recipient to remove the threat if the email has already been opened.

Monitor Submissions Using the WildFire Portal


Browse to the Palo Alto Networks WildFire Portal and log in using your Palo Alto Networks support credentials
or your WildFire account. The portal opens to display the dashboard, which lists summary report information
for all of the firewalls associated with the specific WildFire subscription or support account. For each device
listed, the portal displays statistics for the number of malware files that have been detected, benign samples that
have been analyzed, and the number of pending files that are waiting to be analyzed.
If your firewalls are configured to forward samples to a WF-500 appliance, log results can only be
viewed from the firewall that forwarded the file or by using the WildFire XML API.

For information on configuring additional WildFire accounts that can be used to review report information, see
Add WildFire Portal User Accounts.

Customize WildFire Portal Settings


This section describes the settings that can be customized for a portal account, such as time zone and email
notifications for each firewall. You can also delete logs stored on the portal for each firewall that forwards
samples to the WildFire cloud.
Customize the WildFire Portal Settings

Step 1
Configure the time zone for the portal account.
1. Log in to the WildFire Portal using your Palo Alto Networks support login credentials or your WildFire user account.
2. Click the Settings link located at the upper right of the portal window.
3. Select the time zone from the drop-down and then click Update Time Zone to save the change.
   The time stamp that will appear on the WildFire detailed report is based on the time zone set in your portal account.

Step 2
Delete WildFire logs for specific firewalls. This will delete all logs and notifications for the selected firewall.
1. In the Delete WildFire Logs drop-down, select the firewall (by serial number).
2. Click the Delete Logs button.
3. Click OK to proceed with the deletion.

Step 3
Configure email notifications that the portal will generate based on the results of files submitted to WildFire. The email notifications are sent to the email account registered in the support account.
1. On the portal settings page, a table is displayed with the column headings Device, Malware, and Benign. Check Malware and/or Benign for each firewall for which you would like to receive notifications. Click Update Notification to enable notifications for the selected firewalls.
2. The first row item will show Manual. Select Malware and/or Benign to receive a notification for files that are manually uploaded to the WildFire cloud, or that are submitted using the WildFire API, and click Update Notification to save.
   Select the check boxes directly below the column headings Malware and Benign to select all of the check boxes for the listed devices.

Add WildFire Portal User Accounts


WildFire portal accounts are created by a super user (or the registered owner of a Palo Alto Networks device)
to give additional users the ability to log in to the WildFire web portal and view WildFire data for devices
specifically granted by the super user or registered owner. A super user is the person who registered a Palo Alto
Networks firewall and has the main support account for the device(s). The WildFire user can be an existing
support site user that belongs to any account (including the sub-account, parent account, or any other account
in the system), or they may not have a Palo Alto Networks support account at all and can be granted access to
just the WildFire portal and a specific set of firewalls.
If your firewall forwards files to a WF-500 appliance, you cannot view reports for those samples
on the WildFire portal, even when enabling cloud intelligence on the appliance to submit files to
the cloud. The purpose of sending samples from an appliance to the WildFire cloud is so the cloud
will generate signatures for detected malware. Palo Alto Networks will then distribute these
signatures to customer firewalls that have a Threat Prevention or WildFire subscription.

Add WildFire User Accounts

Step 1
Access the manage users and accounts section on the support site and select an account.
1. Log in to the Palo Alto Networks Support site.
2. Under Manage Account click on Users and Accounts.
3. Select an existing account or sub-account.

Step 2
Add a WildFire user.
1. Click the Add WildFire User button.
2. Enter the email address of the user you would like to add.
   The user can be an existing support site user that belongs to any account (including the sub-account, parent account, Palo Alto Networks, or any other account in the system), as well as any email address that does not have a support account at all. The only restriction is that the email address cannot be from a free web-based email account (Gmail, Hotmail, Yahoo, and so on). If an email address is entered for a domain that is not supported, a pop-up warning appears.

Step 3
Assign firewalls to the new user account and access the WildFire portal.
1. Select the firewall(s) by S/N that you want to grant access to and fill out the optional account details. An email will then be sent to the user. Users with an existing support account will receive an email with a list of the firewalls that are now available for WildFire report viewing. If the user does not have a support account, the portal sends an email with instructions on how to access the portal and how to set a new password.
2. The new user can now log in to the WildFire Portal and view WildFire reports for the firewalls to which they have been granted access. Users can also configure automatic email alerts for these devices in order to receive alerts on files analyzed. They can choose to receive reports on malicious and/or benign files.

View WildFire Reports


The primary method used to view WildFire reports for samples sent to the WildFire cloud or to a WildFire appliance is to access the firewall that forwarded the file to WildFire, select Monitor > Logs > WildFire Submissions, and select the WildFire Analysis Report tab. From here you can view the report directly or download it by clicking the Download PDF icon located at the upper right of the report. If the firewall is forwarding logs to Panorama, the logs can also be accessed from the Panorama logs. You can also retrieve reports from the WildFire portal or a WF-500 appliance by using the WildFire XML API. For more information, see Query for a WildFire PDF or XML Report.
When submitting files to the WildFire cloud (by firewall forwarding, manual upload, or the WildFire API), you can access reports from the firewall as well as from the WildFire portal. To access the reports from the portal, log in to the WildFire portal and click the Reports button at the top of the WildFire portal page. The portal displays a list showing the date the file was received, the serial number of the firewall that forwarded the file, the filename or URL, and the verdict (Malware or Benign). Search is also available at the top of the page and can be used to search by file name or hash value.
To view an individual report from the portal, click the Reports icon to the left of the report name. To save the detailed report, click the Download as PDF button on the upper right of the report page. The following shows a list of sample files submitted by a firewall:

WildFire Report Contents


The WildFire reports will show detailed behavioral information for the sample that was analyzed by WildFire
as well as information on the user who was targeted, email header information (if enabled), the application that
delivered the file, and all URLs involved in the delivery or phone-home activity of the file. The organization of
the report may differ depending on the WildFire system (WildFire Cloud or WF-500 appliance) that analyzed
the sample. The report will contain some or all of the information described in the following table based on the
session information configured on the firewall that forwarded the file and depending on the observed behavior.
When viewing a WildFire report for a file that was manually uploaded to the WildFire portal or by
using the WildFire API, the report will not show session information because the traffic did not
traverse the firewall. For example, the report would not show the Attacker/Source and
Victim/Destination.

Report Heading: Download PDF
Description: Click the Download PDF icon (located in the upper right) to have the firewall generate a PDF version of the WildFire report.

Report Heading: File Information
Description:
  File Type: Flash, PE, PDF, APK, JAR/Class, or MS Office. This field is named URL for HTTP/HTTPS email link reports and will display the URL that was analyzed.
  File Signer: The entity that signed the file for authenticity purposes.
  Hash Value: A file hash is much like a fingerprint that uniquely identifies a file to ensure that the file has not been modified in any way. The following lists the hash versions that WildFire generates for each file analyzed:
    SHA-1: Displays the SHA-1 value for the file.
    SHA-256: Displays the SHA-256 value for the file.
    MD5: Displays the MD5 information for the file.
  File Size: The size (in bytes) of the file that WildFire analyzed.
  First Seen Timestamp: If the WildFire system has analyzed the file previously, this is the date/time that it was first observed.
  Verdict: Displays the analysis verdict:
    Benign: The file is safe and does not exhibit malicious behavior.
    Malware: WildFire identified the file as malware and generates a signature to protect against future exposure.
  Sample File: Click the Download File link to download the sample file to your local system. Note that you can only download files with the malware verdict, not benign.


Report Heading: Coverage Status
Description: Click the Virus Total link to view endpoint antivirus coverage information for samples that have already been identified by other vendors. If the file has never been seen by any of the listed vendors, file not found appears.
In addition, when the report is rendered on the firewall, up-to-date information about the signature and URL filtering coverage that Palo Alto Networks currently provides to protect against the threat will also be displayed in this section. Because this information is retrieved dynamically, it will not appear in the PDF report. The following screen capture shows coverage status that appears after rendering the report on the firewall:

The following coverage information is provided for active signatures:
  Coverage Type: The type of protection provided by Palo Alto Networks (virus, DNS, WildFire, or malware URL).
  Signature ID: A unique ID number assigned to each signature that Palo Alto Networks provides.
  Detail: The well-known name of the virus.
  Date Released: The date that Palo Alto Networks released coverage to protect against the malware.
  Content Version: The version number for the content release that provides protection against the malware.
If the firewall is configured to forward files to a WildFire appliance, the firewall will query the appliance and the WildFire cloud to determine if coverage information is available. If Coverage Status is available for both systems (Cloud/Appliance), a separate table will appear for each system.


Report Heading: Session Information
Description: Contains session information based on the traffic as it traversed the firewall that forwarded the sample. To define the session information that WildFire will include in the reports, select Device > Setup > WildFire > Session Information Settings. The following options are available:
  Source IP
  Source Port
  Destination IP
  Destination Port
  Virtual System (if multi-vsys is configured on the firewall)
  Application
  User (if User-ID is configured on the firewall)
  URL
  Filename
  Email sender
  Email recipient
  Email subject

Report Heading: Dynamic Analysis
Description: If a file is low risk and WildFire can easily determine that it is safe, only a static analysis is performed, instead of a dynamic analysis.
When a dynamic analysis is performed, this section contains tabs for each virtual environment that the sample was run in when it was analyzed in the WildFire cloud. For example, the Virtual Machine 1 tab may have Windows XP, Adobe Reader 9.3.3, and Office 2003, and Virtual Machine 2 may have similar attributes, but with Office 2007. When a file goes through a full dynamic analysis, it is run in each virtual machine and the results of each environment can be viewed by clicking any of the Virtual Machine tabs.
On the WF-500 appliance, only one virtual machine is used for the analysis, which you select based on the virtual environment attributes that best match your local environment. For example, if most users have Windows 7 32-bit, that virtual machine would be selected.


Report Heading: Behavior Summary
Description: Each Virtual Machine tab summarizes the behavior of the sample file in the specific environment. Examples include whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects.
The Severity column indicates the severity of each behavior. The severity gauge will show one bar for low severity and additional bars for higher severity levels. This information is also added to the dynamic and static analysis sections.

The following describes the various behaviors that are analyzed:
  Network Activity: Shows network activity performed by the sample, such as accessing other hosts on the network, DNS queries, and phone-home activity. A link is provided to download the packet capture.
  Host Activity (by process): Lists activities performed on the host, such as registry keys that were set, modified, or deleted.
  Process Activity: Lists files that started a parent process, the process name, and the action the process performed.
  File: Lists files that started a child process, the process name, and the action the process performed.
  Mutex: If the sample file generates other program threads, the mutex name and parent process are logged in this field.
  Activity Timeline: Provides a play-by-play list of all recorded activity of the sample. This will help in understanding the sequence of events that occurred during the analysis.
  The activity timeline information is only available in the PDF export of the WildFire reports.

Report Heading: Submit Malware
Description: Use this option to manually submit the sample to Palo Alto Networks. The WildFire cloud will then re-analyze the sample and generate a signature if it determines that the sample is malicious. This is useful on a WF-500 appliance that does not have signature generation or cloud intelligence enabled (cloud intelligence is used to forward malware from the appliance to the WildFire cloud).


Report Heading: Report Incorrect Verdict
Description: Click this link to submit the sample to the Palo Alto Networks threat team if you feel the verdict is a false positive or false negative. The threat team will perform further analysis on the sample to determine if it should be reclassified. If a malware sample is determined to be safe, the signature for the file is disabled in an upcoming antivirus signature update; if a benign file is determined to be malicious, a new signature is generated. After the investigation is complete, you will receive an email describing the action that was taken.


Set Up Alerts for Detected Malware


This section describes the steps required to configure a Palo Alto Networks firewall to send an alert each time WildFire identifies a malicious file or email link. You can configure alerts for benign files as well, but not for benign email links. Alerts can also be configured from the WildFire portal; see Monitor Submissions Using the WildFire Portal. This example describes how to configure an email alert; however, you could also configure log forwarding to receive alerts via syslog, SNMP traps, and/or Panorama.
Set Up Email Alerts for Malware

Step 1
Configure an email server profile if one is not configured.
1. Select Device > Server Profiles > Email.
2. Click Add and then enter a Name for the profile. For example, WildFire-Email-Profile.
3. (Optional) Select the virtual system to which this profile applies from the Location drop-down.
4. Click Add to add a new email server entry and enter the information required to connect to the Simple Mail Transport Protocol (SMTP) server and send email (up to four email servers can be added to the profile):
   Server: Name to identify the mail server (1-31 characters). This field is just a label and does not have to be the host name of an existing SMTP server.
   Display Name: The name to show in the From field of the email.
   From: The email address where notification emails are sent from.
   To: The email address to which notification emails are sent.
   Additional Recipient(s): Enter an email address to send notifications to a second recipient.
   Gateway: The IP address or host name of the SMTP gateway to use to send the emails.
5. Click OK to save the server profile.
6. Click Commit to save the changes to the running configuration.

Step 2
Test the email server profile.
1. Select Monitor > PDF Reports > Email Scheduler.
2. Click Add and select the new email profile from the Email Profile drop-down.
3. Click the Send test email button and a test email should be sent to the recipients defined in the email profile.


Step 3
Configure a log forwarding profile to forward WildFire logs to Panorama, an email account, SNMP, and/or a syslog server. In this example you will forward WildFire logs to an email account when the WildFire verdict is Malicious. You can also enable Benign, which will produce more activity if you are testing.
1. Select Objects > Log Forwarding.
2. Click Add and name the profile. For example, WildFire-Log-Forwarding.
3. In the WildFire Settings section, choose the email profile from the Email column for Malicious as shown in the screen capture.
   To forward logs to Panorama, select the check boxes under the Panorama column for Benign and/or Malicious. For SNMP and Syslog, select the drop-down and choose the appropriate profile or click New to configure a new profile.
4. Click OK to save the changes.

Step 4
Apply the log forwarding profile to the security policy that contains the file blocking profile.
1. Select Policies > Security and click on the policy that is used for WildFire forwarding.
2. In the Actions tab Log Setting section, click the Log Forwarding drop-down and select the new log forwarding profile. In this example, the profile is named WildFire-Log-Forwarding.
3. Click OK to save the changes and then Commit the configuration. WildFire logs will now be forwarded to the email address(es) defined in the email profile.


Step 5
(PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is required because of the traffic and logging capacity of the PA-7050, to avoid overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email, and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files and email links to WildFire for analysis.
If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route.
The PA-7050 does not forward logs to Panorama. Panorama will only query the PA-7050 log card for log information.
1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your email servers, so that the firewall can forward logs and email alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated.
5. Commit the configuration.


WildFire in Action
The following example scenario summarizes the full WildFire lifecycle. In this example, a sales representative from Palo Alto Networks downloads a new software sales tool that a sales partner uploaded to Dropbox. The sales partner unknowingly uploaded an infected version of the sales tool install file, and the sales rep then downloads the infected file.
This example demonstrates how a Palo Alto Networks firewall in conjunction with WildFire can discover zero-day malware downloaded by an end user, even if the traffic is SSL encrypted. After WildFire identifies the malware, a log is sent to the firewall and the firewall alerts the administrator, who then contacts the user to eradicate the malware. WildFire then generates a new signature for the malware, and firewalls with a Threat Prevention or WildFire subscription automatically download the signature to protect against future exposure. Although some file sharing web sites have an antivirus feature that checks files as they are uploaded, they can only protect against known malware.
For more information on configuring WildFire, see Forward Samples to the WildFire Cloud or Forward Files to a WF-500 Appliance.
This example uses a web site that uses SSL encryption, so the firewall must have decryption and Allow forwarding of decrypted content enabled. For information on enabling forwarding of decrypted content, see Forward Samples to the WildFire Cloud or Forward Files to a WF-500 Appliance.

WildFire Example Scenario

Step 1

The sales person from the partner company uploads a sales tool file named sales-tool.exe to his Dropbox
account and then sends an email to the Palo Alto Networks sales person with a link to the file.

Step 2

The Palo Alto sales person receives the email from the sales partner and clicks the download link, which takes
her to the Dropbox site. She then clicks Download to save the file to her desktop.


Step 3

The firewall that is protecting the Palo Alto sales rep has a file blocking profile attached to a security policy that will look for files in any application that is used to download or upload any of the supported file types (Flash, PE, PDF, APK, JAR/Class, or MS Office). Note that the firewall can also be configured to forward the email-link file type, which enables the firewall to extract HTTP/HTTPS links contained in SMTP and POP3 email messages. As soon as the sales rep clicks Download, the firewall policy forwards the sales-tool.exe file to WildFire, where the file is analyzed for zero-day malware. Even though the sales rep is using Dropbox, which is SSL encrypted, the firewall is configured to decrypt traffic, so all traffic can be inspected. The following screen shots show the File Blocking Profile, the Security Policy configured with the File Blocking profile, and the option to allow forwarding of decrypted content.


Step 4

At this point, WildFire has received the file and is analyzing it for more than 200 different malicious behaviors.
To see that the file was forwarded successfully, view Monitor > Logs > Data Filtering on the firewall.

Step 5

Within approximately five minutes, WildFire has completed the file analysis and then sends a WildFire log back
to the firewall with the analysis results. In this example, the WildFire log shows that the file is malicious.

Step 6

The firewall is configured with a log forwarding profile that will send WildFire alerts to the security administrator
when malware is discovered.


Step 7

The security administrator identifies the user by name (if User-ID is configured), or by IP address if User-ID is
not enabled. At this point, the administrator can shut down the network or VPN connection that the sales
representative is using and will then contact the desktop support group to work with the user to check and clean
the system.
By using the WildFire detailed analysis report, the desktop support person can determine if the user system is
infected with malware by looking at the files, processes, and registry information detailed in the WildFire analysis
report. If the user runs the malware, the support person can attempt to clean the system manually or re-image it.
For details on the WildFire report fields, see WildFire Report Contents.

Figure: Partial View of the WildFire Analysis Report in PDF

Step 8

Now that the administrator has identified the malware and the user system is being checked, how do you protect
from future exposure? Answer: In this example, the administrator set a schedule on the firewall to download
and install WildFire signatures every 15 minutes and to download and install Antivirus updates once per day. In
less than an hour and a half after the sales rep downloaded the infected file, WildFire identified the zero-day
malware, generated a signature, added it to the WildFire update signature database provided by Palo Alto
Networks, and the firewall downloaded and installed the new signature. This firewall and any other Palo Alto
Networks firewall configured to download WildFire and antivirus signatures is now protected against this newly
discovered malware. The following screenshot shows the WildFire update schedule:


All of this occurs well before most antivirus vendors are even aware of the zero-day malware. In this example,
within a very short period of time, the malware is no longer considered zero-day because Palo Alto Networks
has already discovered it and has provided protection to customers to prevent future exposure.


WildFire API
The WildFire API enables you to programmatically send file analysis jobs to WildFire and query for report data
through a simple XML API interface and is supported on the WildFire cloud and the WF-500 appliance. All
API functions supported on the WildFire cloud are also supported on the WF-500 appliance, but in the case of
the appliance, you generate the API access keys used to access WildFire on the appliance instead of the Palo
Alto Networks support site. The URL used to access the WildFire cloud and the WildFire appliance are also
different. The examples in this section are based on the WildFire cloud. For an example on using the API on a
WF-500 appliance, see Use the WildFire API on a WF-500 Appliance.

About WildFire Subscriptions and API Keys

Use the WildFire API

WildFire API File Submission Methods

Query for a WildFire PDF or XML Report

Use the API to Retrieve a Sample Malware Test File

Use the API to Retrieve a Sample File or PCAP

Use the WildFire API on a WF-500 Appliance


About WildFire Subscriptions and API Keys


Access to the WildFire API key is provided if at least one Palo Alto Networks firewall has an active WildFire
subscription registered to an account holder in your organization. You can share the same API key within your
organization. The API key is displayed in the My Account section of the WildFire web portal, along with statistics,
such as how many uploads and queries have been performed using the key. The key should be considered secret
and should not be shared outside of authorized channels.
When using the WildFire API on a WF-500 appliance, you generate API keys directly on the appliance and there
is no need to generate API keys from the support site. For more information, see Use the WildFire API on a
WF-500 Appliance.


Use the WildFire API


The WildFire API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports REST services.
The API methods are hosted on the WildFire Portal, and the HTTPS protocol (not HTTP) is required in order to protect your API key and any other data exchanged with the service.
A WildFire API key allows up to 1000 sample uploads per day and up to 10,000 report queries per day.
To use the WildFire API on a WF-500 appliance, you generate an API key from the appliance and use the IP address or FQDN of the appliance in the URL. All other functions are the same as if you were using the API on the WildFire cloud. For example, the URL to retrieve a report from the WildFire cloud is https://wildfire.paloaltonetworks.com/publicapi/get/report. The URL to retrieve a report from a WF-500 appliance with the IP address 10.3.4.50 would be https://10.3.4.50/publicapi/get/report. For an example, see Use the WildFire API on a WF-500 Appliance.


WildFire API File Submission Methods


Use the following methods to submit files to WildFire:

Submit a File to the WildFire Cloud Using the Submit File Method

Submit a File to WildFire Using the Submit URL Method

Submit a File to the WildFire Cloud Using the Submit File Method
The WildFire API can be used to submit all Supported File Types. The file along with your API key is required
when submitting to WildFire for analysis. The return code of the submit-file method indicates a success or error
condition. If a 200 OK code is returned, the submission is successful and a result is normally available for query
within five minutes.
The following table describes the API attributes needed to submit files to the WildFire cloud using the submit
file method:
URL: https://wildfire.paloaltonetworks.com/publicapi/submit/file
Method: POST
Parameters:
    apikey: Your WildFire API key
    file: The sample file to be analyzed
Return:
    200 OK: Indicates success and a report is returned
    401 Unauthorized: API key invalid
    405 Method Not Allowed: Method other than POST used
    413 Request Entity Too Large: Sample file size over max limit
    418 Unsupported File Type: Sample file type is not supported
    419 Max Request Reached: Max number of uploads per day exceeded
    500: Internal error
    513: File upload failed

Submit a File to WildFire Using the Submit URL Method


Use the submit-url method to submit a file for analysis via a URL. This method is identical in interface and
functionality to the submit-file method, except that the file parameter is replaced with a url parameter. The url
parameter must point to an accessible supported file type. If a 200 OK code is returned, the submission is
successful and a result is usually available for query within five minutes.
The following table describes the API attributes needed to submit files to the WildFire cloud using a URL:


URL: https://wildfire.paloaltonetworks.com/publicapi/submit/url
Method: POST
Parameters:
    apikey: Your WildFire API key
    url: The URL for the file to be analyzed. The URL must contain the file name, for example http://paloaltonetworks.com/folder1/my-file.pdf.
Return:
    200 OK: Indicates success and a report is returned
    401 Unauthorized: API key invalid
    405 Method Not Allowed: Method other than POST used
    413 Request Entity Too Large: Sample file size over max limit
    418 Unsupported File Type: Sample file type is not supported
    419 Max Request Reached: Max number of uploads per day exceeded
    422: URL download error
    500: Internal error

Code Examples for File Submit


The following cURL command demonstrates how to submit a file to WildFire using the submit file method:
curl -k -F apikey=yourAPIkey -F file=@local-file-path https://wildfire.paloaltonetworks.com/publicapi/submit/file

The following shell code example demonstrates a simple script to submit a file to the WildFire API for analysis. The API key is provided as the first parameter and the path to the file is the second parameter:
#!/bin/sh
# Manually upload a sample to WildFire with an API key.
# Parameter 1: API key
# Parameter 2: location of the file
key="$1"
file="$2"
/usr/bin/curl -i -k -F "apikey=$key" -F "file=@$file" \
    https://wildfire.paloaltonetworks.com/publicapi/submit/file

The following cURL command demonstrates how to submit a file to WildFire using the submit URL method:
curl -k -F apikey=yourAPIkey -F url=URL https://wildfire.paloaltonetworks.com/publicapi/submit/url


Query for a WildFire PDF or XML Report


Use the get report method to query for an XML or PDF report of analysis results for a particular sample. Use
either the MD5, SHA-1, or SHA-256 hash of the sample file as a search query.
The following table describes the API attributes needed to query for reports:
URL: https://wildfire.paloaltonetworks.com/publicapi/get/report
Method: POST
Parameters:
    hash: The MD5, SHA-1, or SHA-256 hash value of the sample
    apikey: Your WildFire API key
    format: Report format: PDF or XML
Return:
    200 OK: Indicates success and a report is returned
    401 Unauthorized: API key invalid
    404 Not Found: The report was not found
    405 Method Not Allowed: Method other than POST used
    419: Request report quota exceeded
    420: Insufficient arguments
    421: Invalid arguments
    500: Internal error

Example API Query for PDF or XML Report


The following cURL command demonstrates a query for a PDF report using the MD5 hash of a sample file:
curl -k -F hash=1234556 -F format=pdf -F apikey=yourAPIkey https://wildfire.paloaltonetworks.com/publicapi/get/report
To retrieve the XML version of the report, replace format=pdf with format=xml. For example:
curl -k -F hash=1234556 -F format=xml -F apikey=yourAPIkey https://wildfire.paloaltonetworks.com/publicapi/get/report
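As an added example (not code from this guide or from Palo Alto Networks), the following Python client ties together the submit file method and the get report method described in the two sections above: it hashes the local sample, queries get/report first so that a sample WildFire already knows does not consume upload quota, uploads only on a 404, and maps the documented return codes to their meanings. The class and function names are my own; the transport keeps certificate verification on instead of mirroring curl -k, and the post argument lets the logic run offline against a fake transport, while base_url can point at a WF-500 appliance instead of the cloud.

```python
import hashlib
import os
import urllib.error
import urllib.request

WILDFIRE_CLOUD = "https://wildfire.paloaltonetworks.com"

# Return codes the guide documents for submit/file and submit/url, and for get/report.
SUBMIT_CODES = {
    200: "success, report returned",
    401: "API key invalid",
    405: "method other than POST used",
    413: "sample file size over max limit",
    418: "sample file type is not supported",
    419: "max number of uploads per day exceeded",
    422: "URL download error",
    500: "internal error",
    513: "file upload failed",
}
REPORT_CODES = {
    200: "success, report returned",
    401: "API key invalid",
    404: "report not found",
    405: "method other than POST used",
    419: "report query quota exceeded",
    420: "insufficient arguments",
    421: "invalid arguments",
    500: "internal error",
}


def sha256_of_file(path):
    """SHA-256 of a local file, hashed in chunks so large samples do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def encode_multipart(fields, files):
    """Build a multipart/form-data body equivalent to curl's -F options.
    fields: {name: str}; files: {name: (filename, bytes)}; returns (content_type, body)."""
    boundary = os.urandom(16).hex()
    parts = []
    for name, value in fields.items():
        parts += [b"--" + boundary.encode(),
                  ('Content-Disposition: form-data; name="%s"' % name).encode(),
                  b"", value.encode()]
    for name, (filename, data) in files.items():
        parts += [b"--" + boundary.encode(),
                  ('Content-Disposition: form-data; name="%s"; filename="%s"'
                   % (name, filename)).encode(),
                  b"Content-Type: application/octet-stream", b"", data]
    parts += [b"--" + boundary.encode() + b"--", b""]
    return "multipart/form-data; boundary=" + boundary, b"\r\n".join(parts)


def https_post(url, fields, files=None):
    """Default transport: POST the form and return (status, body). Certificate
    verification stays on (no equivalent of curl -k) because the API key is in the body."""
    content_type, body = encode_multipart(fields, files or {})
    request = urllib.request.Request(url, data=body, method="POST")
    request.add_header("Content-Type", content_type)
    try:
        with urllib.request.urlopen(request, timeout=60) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:  # WildFire's non-2xx codes land here
        return err.code, err.read()


class WildFireClient:
    def __init__(self, api_key, base_url=WILDFIRE_CLOUD, post=https_post):
        self.api_key = api_key
        self.base_url = base_url.rstrip("/")
        self.post = post  # injectable so the logic can be exercised offline

    def get_report(self, sample_hash, report_format="xml"):
        status, body = self.post(self.base_url + "/publicapi/get/report",
                                 {"apikey": self.api_key, "hash": sample_hash,
                                  "format": report_format})
        return status, REPORT_CODES.get(status, "undocumented code"), body

    def submit_file(self, path):
        with open(path, "rb") as handle:
            data = handle.read()
        status, body = self.post(self.base_url + "/publicapi/submit/file",
                                 {"apikey": self.api_key},
                                 {"file": (os.path.basename(path), data)})
        return status, SUBMIT_CODES.get(status, "undocumented code"), body

    def analyze(self, path):
        """Query by hash first: a 200 means WildFire already has a verdict and none of
        the 1000 daily uploads is spent. Upload only on 404; other codes are errors."""
        digest = sha256_of_file(path)
        status, meaning, body = self.get_report(digest)
        if status == 200:
            return "cached", digest, body
        if status != 404:
            raise RuntimeError("get/report returned %d: %s" % (status, meaning))
        status, meaning, body = self.submit_file(path)
        if status != 200:
            raise RuntimeError("submit/file returned %d: %s" % (status, meaning))
        return "submitted", digest, body
```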


Use the API to Retrieve a Sample Malware Test File


The following describes the API syntax to retrieve a sample malware file, which can be used to test end-to-end WildFire sample processing.
For details on the sample file, see Malware Test Samples.
To retrieve the file using the API:
API: GET https://wildfire.paloaltonetworks.com/publicapi/test/pe
This returns a test file; every API call returns a similar file, but with a different SHA256 value.
If there is a problem retrieving the file, a 500 Internal Server error is returned.
To retrieve the test file using cURL:
curl -k https://wildfire.paloaltonetworks.com/publicapi/test/pe

Use the API to Retrieve a Sample File or PCAP

Use the API to Retrieve a Sample File

Use the API to Retrieve a Packet Capture (PCAP)

Use the API to Retrieve a Sample File


Use the get-sample method to retrieve a particular sample. You can use either the MD5, SHA-1, or SHA-256
hash of the sample file as a search query.
URL: https://wildfire.paloaltonetworks.com/publicapi/get/sample
Method: POST
Parameters:
    hash: The MD5, SHA-1, or SHA-256 hash value of the sample
    apikey: Your WildFire API key
Return:
    200 OK: Indicates success and a sample is returned
    401 Unauthorized: API key invalid
    403 Forbidden: Permission Denied
    404 Not Found: The sample was not found
    405 Method Not Allowed: Method other than POST used
    419: Request sample quota exceeded
    420: Insufficient arguments
    421: Invalid arguments
    500: Internal error


Example API Query for Get-Sample


The following cURL command demonstrates a query for a sample using the sample's MD5 hash:
curl -k -F hash=md5hash -F apikey=yourAPIkey
https://wildfire.paloaltonetworks.com/publicapi/get/sample

Use the API to Retrieve a Packet Capture (PCAP)


Use the get-pcap method to query for a PCAP recorded during analysis of a particular sample. Use either the
MD5, SHA-1, or SHA-256 hash of the sample file as a search query. You can optionally define the platform of
the desired PCAP to specify which PCAP should be returned. If no platform is specified, the method returns
a PCAP from a session that yielded a verdict of Malware.
Samples uploaded prior to August 2014 are not guaranteed to return a PCAP if no platform
parameter is supplied.

The following table describes the available platform parameters:

Platform ID | Description
 | Windows XP, Adobe Reader 9.3.3, Office 2003
 | Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
 | Windows XP, Adobe Reader 11, Flash 11, Office 2010
 | Windows 7 32-bit, Adobe Reader 11, Flash 11, Office 2010
 | Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010
201 | Android 2.3, API 10, avd2.3.1

The following table describes the API attributes needed to query for PCAPs:
URL: https://wildfire.paloaltonetworks.com/publicapi/get/pcap
Method: POST
Parameters:
    hash: The MD5, SHA-1, or SHA-256 hash value of the sample
    apikey: Your WildFire API key
    platform*: Target analysis environment
Return:
    200 OK: Indicates success and a PCAP is returned
    401 Unauthorized: API key invalid
    403 Forbidden: Permission Denied
    404 Not Found: The PCAP was not found
    405 Method Not Allowed: Method other than POST used
    419: Request sample quota exceeded
    420: Insufficient arguments
    421: Invalid arguments
    500: Internal error

* Optional parameter

Example API Query for Get-PCAP


The following cURL command demonstrates a query for a pcap using the sample's MD5 hash:
curl -k -F hash=md5hash -F apikey=yourAPIkey -F platform=targetPlatform
https://wildfire.paloaltonetworks.com/publicapi/get/pcap


Use the WildFire API on a WF-500 Appliance


To use the WildFire XML API on a WF-500 appliance, you must first generate an API key on the appliance and
then use the API key from the host computer that performs the API functions. The URL used to locate the
appliance is based on the IP address or FQDN of the appliance. After the keys are generated and you have the
URL used to locate the appliance, you can then perform all of the same API functions supported on the
WildFire cloud.
The following topics describe how to manage API keys on the appliance and provide an example on using the
WildFire API to submit file samples to the appliance.

Generate API Keys on the WildFire Appliance

Manage API Keys on the WildFire Appliance

Use the WildFire API on a WildFire Appliance

Generate API Keys on the WildFire Appliance


Generate an API Key

Step 1
Generate a new API key on the WildFire appliance. The appliance supports up to 100 API keys.
As a best practice, leave out the key-value option in this step and the appliance will generate a key automatically. If you manually enter a key, the key-value must be 64 characters, letters (a-z) or numbers (0-9), that you choose randomly.
1. Log in to the WildFire appliance CLI.
2. Generate the API key using one of the following methods:
   Generate a key automatically:
   admin@WF-500> create wildfire api-key name key-name
   For example, to create a key with the name my-api-key:
   admin@WF-500> create wildfire api-key name my-api-key
   To generate a key manually (where key-value is a 64-character key):
   admin@WF-500> create wildfire api-key name my-api-key key key-value
   For example:
   admin@WF-500> create wildfire api-key name my-api-key key 0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1

Step 2
View the API keys that you generated.
View all API keys:
admin@WF-500> show wildfire api-key all
This command also shows the date the key was generated and the last time the key was used.
In this example, the appliance generated the following key with the name my-api-key:
0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1


Manage API Keys on the WildFire Appliance


This section describes some useful commands that you can use to manage WildFire API keys on the appliance
and describes how to export and import the keys. For example, you may want to export all of your keys for
backup purposes or to make it easier to access the keys from the systems that will use the API to perform various
functions on the appliance.
Manage API Keys

Use the following commands to disable API keys temporarily, enable keys, or delete keys that are no longer used.
Disable or enable an API key:
admin@WF-500> edit wildfire api-key status [disable | enable] key api-key
For example, to disable the API key used in this example:
admin@WF-500> edit wildfire api-key status disable key 0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1
In the above command, you can type the first few unique digits of the key and then hit tab to fill in the remaining digits.
Delete an API key:
admin@WF-500> delete wildfire api-key key api-key
For example:
admin@WF-500> delete wildfire api-key key 0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1


Use the following commands to import or export API keys from the appliance using Secure Copy (SCP).
Save all API keys to a file to prepare the keys for export:
admin@WF-500> save wildfire api-key to filename
For example:
admin@WF-500> save wildfire api-key to my-api-keys
To SCP the API key file to an SCP-enabled server:
admin@WF-500> scp export wildfire-api-keys to username@host:path
For example:
admin@WF-500> scp export wildfire-api-keys to bart@10.10.10.5:c:/scp/
You can also import the key file from an SCP-enabled server:
admin@WF-500> scp import wildfire-api-keys from bart@10.10.10.5:c:/scp/my-api-keys
After importing API keys, you must load the keys:
admin@WF-500# load wildfire api-key mode [merge | replace] from my-api-keys
If you leave out the mode option, the default behavior is to merge the new keys with the existing ones. To replace all API keys on the appliance, use the replace option. For example, to replace all API keys, enter the command:
admin@WF-500# load wildfire api-key mode replace from my-api-keys
Confirm that the keys were loaded:
admin@WF-500> show wildfire api-key all

Use the WildFire API on a WildFire Appliance


The following workflow describes how to use the WildFire API to submit a sample file to a WF-500 appliance
for analysis. After understanding the basic concepts illustrated in this workflow, you can then use any of the API
functions that are available on the WildFire cloud. See WildFire API for links to other WildFire API examples
based on the WildFire cloud. The functions are the same, but in the case of the WF-500 appliance, you will use
the API key generated on the appliance and the URL of the appliance.
This workflow requires a host computer that has the cURL command line tool installed. You will
then send files from the host computer to the WildFire appliance using the URL syntax.


Use the WildFire API to Submit a File Sample

Step 1

Generate a WildFire API key for the host computer that will perform API functions on the WildFire appliance.
For details, see Generate API Keys on the WildFire Appliance.
1. Access the CLI on the WildFire appliance and generate an API key:
admin@WF-500> create wildfire api-key name

my-api-key

2. View the API keys:


admin@WF-500> show wildfire api-key all

3. Make sure the key status is Enabled and then highlight and copy the key. The following screen capture shows
an example API key named my-api-key.

Step 2

Using the new API key that you generated, submit a sample file to the WildFire appliance.
1. Place a sample file in a folder that can be accessed from the host computer that has the cURL command line
tool installed and note the path of the sample file.
2. Submit the file using cURL:
curl -k -F apikey=your-API-key -F file=@local-file-path --remote-name
https://WF-appliance-IP/publicapi/submit/file

The syntax will vary based on the host that you are using. The following examples show the syntax using a Linux host and a Windows host.
From a Linux host:
curl -k -F apikey=87C142CB01CA5BEBE06E226A25C0A473B34050B617073E21E8F1A6BCB8C5C387 -F
file=@test-wf-api.docx --remote-name https://10.3.4.99/publicapi/submit/file

From a Windows host (The only difference is the file path following the @ symbol):
curl -k -F apikey=87C142CB01CA5BEBE06E226A25C0A473B34050B617073E21E8F1A6BCB8C5C387 -F
file=@c://scp/test-wf-api.docx --remote-name https://10.3.4.99/publicapi/submit/file

3. Verify that the API successfully submitted the file to the WildFire appliance. To view a list of recent samples
submitted to the appliance:
admin@WF-500> show wildfire latest samples

The following screen capture shows that the sample file test-wf-api.docx successfully submitted to the
appliance:

If the sample file does not appear on the appliance, verify connectivity between the host computer and the appliance and
confirm that the folder/file path is correct. You can also run show wildfire status (status should show Idle) and
show wildfire statistics to verify that the appliance is ready to analyze files. For more information on
troubleshooting, refer to the Palo Alto Networks WildFire Administrators Guide.


WildFire Appliance Software CLI Reference
This section describes the CLI commands that are specific to the WF-500 appliance software. All other
commands, such as configuring interfaces, committing the configuration, and setting system information are
identical to PAN-OS and are also shown in the hierarchy. For information on the PAN-OS commands, refer to
the Palo Alto Networks PAN-OS Command Line Reference Guide.

WildFire Appliance Software CLI Concepts

WildFire CLI Command Modes

Access the CLI

Use the CLI

Configuration Mode Command Reference

Operational Mode Command Reference


WildFire Appliance Software CLI Concepts


This section introduces and describes how to use the WildFire appliance software command line interface (CLI):

WildFire Appliance Software CLI Structure

WildFire Appliance Software CLI Command Conventions

WildFire Appliance CLI Command Messages

Command Option Symbols

Privilege Levels

WildFire Appliance Software CLI Structure


The WildFire appliance software CLI is used to manage the appliance. The CLI is the only interface to the
appliance. Use it to view status and configuration information and modify the appliance configuration. Access
the WildFire appliance software CLI over SSH or by direct console access using the console port.
The WildFire appliance software CLI operates in two modes:

Operational mode: View the state of the system, navigate the WildFire appliance software CLI, and enter configuration mode.

Configuration mode: View and modify the configuration hierarchy.

WildFire Appliance Software CLI Command Conventions


The basic command prompt incorporates the user name and hostname of the appliance:
username@hostname>

Example:
admin@WF-500>

When entering Configuration mode, the prompt changes from > to #:


username@hostname>          (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#          (Configuration mode)

In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square
brackets when a command is issued.

WildFire Appliance CLI Command Messages


Messages may be displayed when issuing a command. The messages provide context information and can help in correcting invalid commands. In the following examples, the message is the line that follows the entered command.
Example: Unknown command
username@hostname# application-group
Unknown command: application-group
[edit network]
username@hostname#

Example: Changing modes


username@hostname# exit
Exiting configuration mode
username@hostname>

Example: Invalid syntax


username@hostname> debug 17
Unrecognized command
Invalid syntax.
username@hostname>

The CLI checks the syntax of each command. If the syntax is correct, it executes the command and the
candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as
in the following example:
username@hostname# set deviceconfig setting wildfire cloud-intelligence
submit-sample yes
Unrecognized command
Invalid syntax.
[edit]
username@hostname#

Command Option Symbols


The symbol preceding an option provides additional information about the command syntax.

Symbol   Description
*        This option is required.
>        There are additional nested options for this command.
+        There are additional command options for this command at this level.
|        There is an option to specify an except value or a match value to restrict the command.
"        Although the double quote is not a command option symbol, it must be used when entering multi-word phrases in CLI commands. For example, to create an address group named Test Group and to add the user named user1 to this group, you must surround the group name with double quotes as follows:
         set address-group "Test Group" user1
         If you do not surround the group name with double quotes, the CLI interprets the word Test as the group name and Group as the username, and the following error is displayed: test is not a valid name.
         A single quote would also be invalid in this example.

The following examples show how these symbols are used.

Example: In the following command, the keyword from is required:
username@hostname> scp import configuration ?
+ remote-port   SSH port number on remote host
* from          Source (username@host:path)
username@hostname> scp import configuration

Example: This command output shows options designated with + and >.
username@hostname# set rulebase security rules rule1 ?
+ action               action
+ application          application
+ destination          destination
+ disabled             disabled
+ from                 from
+ log-end              log-end
+ log-setting          log-setting
+ log-start            log-start
+ negate-destination   negate-destination
+ negate-source        negate-source
+ schedule             schedule
+ service              service
+ source               source
+ to                   to
> profiles             profiles
<Enter>                Finish input
[edit]
username@hostname# set rulebase security rules rule1

Each option listed with + can be added to the command.

The profiles keyword (with >) has additional options:
username@hostname# set rulebase security rules rule1 profiles ?
+ virus           Help string for virus
+ spyware         Help string for spyware
+ vulnerability   Help string for vulnerability
+ group           Help string for group
<Enter>           Finish input
[edit]
username@hostname# set rulebase security rules rule1 profiles

Privilege Levels
Privilege levels determine which commands the user is permitted to execute and the information the user is permitted to view.

Level         Description
superreader   Has complete read-only access to the appliance.
superuser     Has complete read-write access to the appliance.

WildFire CLI Command Modes


This section describes the modes used to interact with the WildFire appliance software CLI:

Configuration Mode

Operational Mode

Configuration Mode
Entering commands in configuration mode modifies the candidate configuration. The modified candidate
configuration is stored in the appliance memory and maintained while the appliance is running.
Each configuration command involves an action, and may also include keywords, options, and values.
This section describes Configuration mode and the configuration hierarchy:

Configuration Mode Command Usage

Configuration Hierarchy

Navigate the Hierarchy

Configuration Mode Command Usage


Use the following commands to store and apply configuration changes:

save: Saves the candidate configuration in the non-volatile storage on the appliance. The saved configuration is retained until overwritten by subsequent save commands. Note that this command does not make the configuration active.

commit: Applies the candidate configuration to the appliance. A committed configuration becomes the active configuration for the device.

set: Changes a value in the candidate configuration.

load: Assigns the last saved configuration or a specified configuration to be the candidate configuration.

When exiting configuration mode without issuing the save or commit command, the configuration changes could be lost if the appliance loses power.


Maintaining a candidate configuration and separating the save and commit steps confers important advantages
when compared with traditional CLI architectures:

Distinguishing between the save and commit concepts allows multiple changes to be made at the same time
and reduces system vulnerability.

Commands can easily be adapted for similar functions. For example, when configuring two Ethernet
interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the
command, modify only the interface and IP address, and then apply the change to the second interface.

The command structure is always consistent.

Because the candidate configuration is always unique, all authorized changes to the candidate configuration are
consistent with each other.

Configuration Hierarchy
The configuration for the appliance is organized in a hierarchical structure. To display a segment of the current hierarchy level, use the show command. Entering show alone displays the complete hierarchy, while entering show with keywords displays a segment of the hierarchy. For example, running show from the top level of configuration mode displays the entire configuration. If you run edit mgt-config and then show, or run show mgt-config, only the mgt-config part of the hierarchy is displayed.

Hierarchy Paths
When entering commands, the path is traced through the hierarchy. For example, the following command assigns the primary DNS server 10.0.0.246 for the appliance:
[edit]
username@hostname# set deviceconfig system dns-setting servers primary 10.0.0.246

This command generates a new element in the hierarchy, which appears in the output of the following show command:
[edit]
username@hostname# show deviceconfig system dns-setting
dns-setting {
  servers {
    primary 10.0.0.246
  }
}
[edit]
username@hostname#

Navigate the Hierarchy


The [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy context.
[edit]
indicates that the relative context is the top level of the hierarchy, whereas
[edit deviceconfig]
indicates that the relative context is at the deviceconfig level.

Use the following commands to navigate through the configuration hierarchy.

Command   Description
edit      Sets the context for configuration within the command hierarchy.
up        Changes the context to the next higher level in the hierarchy.
top       Changes the context to the highest level in the hierarchy.

The set command issued after using the up and top commands starts from the new context.

Operational Mode
At the initial login to the device, the WildFire appliance software CLI opens in Operational mode. Operational
mode commands involve actions that are executed immediately. They do not involve changes to the
configuration, and do not need to be saved or committed.
Operational mode commands are of several types:

Network access: Open a window to another host. SSH is supported.

Monitoring and troubleshooting: Perform diagnosis and analysis. Includes debug and ping commands.

Display commands: Display or clear current information. Includes clear and show commands.

WildFire appliance software CLI navigation commands: Enter Configure mode or exit the WildFire appliance software CLI. Includes configure, exit, and quit commands.

System commands: Make system-level requests or restart. Includes set and request commands.

Access the CLI


This section describes how to access and begin using the WildFire appliance software CLI:

Establish a Direct Console Connection

Establish an SSH Connection

Establish a Direct Console Connection


Use the following settings for direct console connection:

Data rate: 9600

Data bits: 8

Parity: none

Stop bits: 1

Flow control: None

Establish an SSH Connection


To access the WildFire appliance software CLI:
Launch the WildFire CLI
1. Use terminal emulation software to establish an SSH console connection with the WF-500 appliance.
2. Enter the administrative user name. The default is admin.
3. Enter the administrative password. The default is admin.
The WildFire appliance software CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>

Use the CLI

Access Operational and Configuration Modes

Display WildFire Appliance Software CLI Command Options

Restrict Command Output

Set the Output Format for Configuration Commands

Access Operational and Configuration Modes


When logging in, the WildFire appliance software CLI opens in Operational mode. You can navigate between
Operational and Configuration modes at any time.
To enter Configuration mode from Operational mode, use the configure command:

username@hostname> configure
Entering configuration mode
[edit]
username@hostname#

To leave Configuration mode and return to Operational mode, use the quit or exit command:

username@hostname# quit
Exiting configuration mode
username@hostname>

To enter an Operational mode command while in Configuration mode, use the run command. For example,
to show system resources from configure mode, use run show system resources.

Display WildFire Appliance Software CLI Command Options


Use ? (or Meta-H) to display a list of command options, based on context:
To display a list of operational commands, enter ? at the command prompt.

username@hostname> ?
clear       Clear runtime parameters
configure   Manipulate software configuration information
debug       Debug and diagnose
exit        Exit this session
grep        Searches file for lines containing a pattern match
less        Examine debug file content
ping        Ping hosts and networks
quit        Exit this session
request     Make system-level requests
scp         Use ssh to copy file to another host
set         Set operational parameters
show        Show operational parameters
ssh         Start a secure shell to another host
tail        Print the last 10 lines of debug file content
username@hostname>

To display the available options for a specified command, enter the command followed by ?.

Example:
username@hostname> ping ?
+ bypass-routing     Bypass routing table, use specified interface
+ count              Number of requests to send (1..2000000000 packets)
+ do-not-fragment    Don't fragment echo request packets (IPv4)
+ inet               Force to IPv4 destination
+ interface          Source interface (multicast, all-ones, unrouted packets)
+ interval           Delay between requests (seconds)
+ no-resolve         Don't attempt to print addresses symbolically
+ pattern            Hexadecimal fill pattern
+ record-route       Record and report packet's path (IPv4)
+ size               Size of request packets (0..65468 bytes)
+ source             Source address of echo request
+ tos                IP type-of-service value (0..255)
+ ttl                IP time-to-live value (IPv6 hop-limit value) (0..255 hops)
+ verbose            Display detailed output
+ wait               Delay after sending last packet (seconds)
<host>               Hostname or IP address of remote host

Restrict Command Output


Some operational commands include an option to restrict the displayed output. To restrict the output, enter a
pipe symbol followed by except or match and the value that is to be excluded or included:
Example:
The following sample output is for the show system info command:
username@hostname> show system info
hostname: WF-500
ip-address: 192.168.2.20
netmask: 255.255.255.0
default-gateway: 192.168.2.1
mac-address: 00:25:90:95:84:76
vm-interface-ip-address: 10.16.0.20
vm-interface-netmask: 255.255.252.0
vm-interface-default-gateway: 10.16.0.1
vm-interface-dns-server: 10.0.0.247
time: Mon Apr 15 13:31:39 2013
uptime: 0 days, 0:02:35
family: m
model: WF-500
serial: 009707000118
sw-version: 5.1.0
logdb-version: 5.0.2
platform-family: m
username@hostname>

The following sample displays only the system model information:


username@hostname> show system info | match model
model: WF-500
username@hostname>

Set the Output Format for Configuration Commands


Change the output format for the configuration commands by using the set cli config-output-format command in Operational mode. Options include the default format, json (JavaScript Object Notation), set format, and XML format. The default format is a hierarchical format in which configuration sections are indented and enclosed in curly brackets.
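An added example, not from the guide, that parses the default curly-bracket output shown throughout this reference into a nested structure and re-emits it as set-format commands and as JSON. The input is constructed from the show deviceconfig setting wildfire sample output in this guide; the hierarchy context you pass ("deviceconfig setting") is the level the show command was run against, so the emitted set commands carry the full path.

```python
"""Parse the WF-500 CLI's default curly-bracket configuration output and
re-emit it as set-format commands or JSON (added example, not from the
guide).
"""
import json
import re
from typing import Any, Dict, List, Tuple

# Constructed from the guide's sample "show deviceconfig setting wildfire"
# output, as displayed at the deviceconfig setting context.
SAMPLE_OUTPUT = """\
wildfire {
  active-vm vm-5;
  cloud-intelligence {
    submit-sample yes;
    submit-report no;
  }
  cloud-server wildfire-public-cloud;
  signature-generation {
    av yes;
    dns yes;
    url yes;
  }
}
"""

# A pasted session may include prompt lines such as "admin@WF-500# show ...".
PROMPT = re.compile(r"\S+@\S+[#>]")


def parse_hierarchy(text: str) -> Dict[str, Any]:
    """Turn 'name { ... }' blocks and 'key value;' leaves into nested dicts.

    A leaf with no value (for example 'link-state;') is stored as None.
    Prompt and [edit] banner lines are skipped. Unbalanced braces raise
    ValueError rather than returning a partial tree.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[edit") or PROMPT.match(line):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"unexpected closing brace: {raw!r}")
            stack.pop()
        elif line.endswith("{"):
            block: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1][key] = value.strip() or None
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated block at end of input")
    return root


def to_set_commands(tree: Dict[str, Any], context: str = "") -> List[str]:
    """Flatten the tree into one 'set <path> [<value>]' line per leaf.

    context is the hierarchy level the show command was run against
    (for example 'deviceconfig setting'), so each path is complete.
    """
    prefix: Tuple[str, ...] = ("set",) + tuple(context.split())

    def walk(node: Dict[str, Any], path: Tuple[str, ...]) -> List[str]:
        lines: List[str] = []
        for key, value in node.items():
            if isinstance(value, dict):
                lines.extend(walk(value, path + (key,)))
            elif value is None:
                lines.append(" ".join(path + (key,)))
            else:
                lines.append(" ".join(path + (key, value)))
        return lines

    return walk(tree, prefix)


def to_json(tree: Dict[str, Any]) -> str:
    """The same tree in the json output format."""
    return json.dumps(tree, indent=2)


if __name__ == "__main__":
    config = parse_hierarchy(SAMPLE_OUTPUT)
    print("\n".join(to_set_commands(config, "deviceconfig setting")))
    print(to_json(config))
```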

Configuration Mode Command Reference


This section contains command reference information for the following Configuration mode commands that
are specific to the WF-500 appliance software. All other commands that are part of the WildFire appliance
software are identical to PAN-OS as described in the Palo Alto Networks PAN-OS Command Line Reference
Guide.

set deviceconfig setting wildfire

set deviceconfig system update-schedule

set deviceconfig system vm-interface

set deviceconfig setting wildfire


Description
Configure WildFire settings on the WF-500 appliance. You can configure forwarding of malicious files, define the cloud server that receives malware-infected files, and enable or disable the vm-interface.

Hierarchy Location
set deviceconfig setting

Syntax
wildfire {
  active-vm;
  cloud-server <value>;
  vm-network-enable {no | yes};
  vm-network-use-tor {enable | disable};
  cloud-intelligence {
    submit-report {no | yes};
    submit-sample {no | yes};
    signature-generation {
      av {no | yes};
      dns {no | yes};
      url {no | yes};
    }
  }
}

Options
+ active-vm Select the virtual machine environment that WildFire will use for sample analysis. Each VM has a different configuration, such as Windows XP with specific versions of Flash, Adobe Reader, and so on. To view which VM is selected, run admin@WF-500> show wildfire status and view the Selected VM field. To view the VM environment information, run admin@WF-500> show wildfire vm-images.
+ cloud-server Hostname of the cloud server to which the appliance forwards malicious samples/reports for re-analysis. The default cloud server is wildfire-public-cloud. To configure forwarding, use the following command: set deviceconfig setting wildfire cloud-intelligence.
+ vm-network-enable Enable or disable the vm-network. When enabled, sample files running in the virtual machine sandbox can access the Internet. This helps WildFire better analyze the behavior of the malware and look for activity such as phoning home.
+ vm-network-use-tor Enable or disable the Tor network for the vm-interface. When this option is enabled, any malicious traffic coming from the sandbox systems on the WF-500 appliance during sample analysis is sent through the Tor network. The Tor network masks your public-facing IP address, so the owners of the malicious site cannot determine the source of the traffic.
+ cloud-intelligence Configure the appliance to submit WildFire reports or samples to the Palo Alto Networks WildFire cloud. The submit-report option sends reports for malicious samples to the cloud for statistical gathering. The submit-sample option sends malicious samples to the cloud. If submit-sample is enabled, there is no need to enable submit-report, because the sample is re-analyzed in the cloud and a new report and signature are generated if the sample is malicious.
+ signature-generation Enable the appliance to generate signatures locally, eliminating the need to send any data to the public cloud in order to block malicious content. The WF-500 appliance analyzes files forwarded to it from Palo Alto Networks firewalls or from the WildFire API and generates antivirus and DNS signatures that block both the malicious files and the associated command and control traffic. When the appliance detects a malicious URL, it sends the URL to PAN-DB and PAN-DB assigns it the malware category.

Sample Output
The following shows example output of the WildFire settings.
admin@WF-500# show deviceconfig setting wildfire
wildfire {
  active-vm vm-5;
  cloud-intelligence {
    submit-sample yes;
    submit-report no;
  }
  cloud-server wildfire-public-cloud;
  signature-generation {
    av yes;
    dns yes;
    url yes;
  }
}

Required Privilege Level

superuser, deviceadmin

set deviceconfig system update-schedule


Description
Schedule content updates on a WF-500 appliance. These content updates equip the appliance with the most
up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate
the malicious from the benign.

Hierarchy Location
set deviceconfig system update-schedule

Syntax
wf-content recurring {
  daily at <value> action {download-and-install | download-only};
  hourly {
    action {download-and-install | download-only};
    at <value>;
  }
  weekly {
    action {download-and-install | download-only};
    at <value>;
    day-of-week {friday | monday | saturday | sunday | thursday | tuesday | wednesday};
  }
}

Options
> wf-content WF-500 content updates
> daily Schedule update every day
+ action Specify the action to take. You can schedule the appliance to download and install the update, or to download only, after which you install it manually
+ at Time specification hh:mm (e.g. 20:10)
> hourly Schedule update every hour
+ action Specify the action to take. You can schedule the appliance to download and install the update, or to download only, after which you install it manually
+ at Minutes past the hour
> weekly Schedule update once a week
+ action Specify the action to take. You can schedule the appliance to download and install the update, or to download only, after which you install it manually
+ at Time specification hh:mm (e.g. 20:10)
+ day-of-week Day of the week (Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday)

Sample Output
admin@WF-500# show
update-schedule {
  wf-content {
    recurring {
      weekly {
        at 19:00;
        action download-and-install;
        day-of-week friday;
      }
    }
  }
}

Required Privilege Level


superuser, deviceadmin

set deviceconfig system vm-interface


Description
The vm-interface is used by malware running on the WF-500 appliance virtual machine sandbox to access the
Internet. Activating this port is recommended and will help WildFire better identify malicious activity if the
malware accesses the Internet for phone-home or other activity. It is important that this interface has an isolated
connection to the Internet. For more information, see Set Up the VM Interface on the WF-500 Appliance.
After configuring the vm-interface, enable it by running the following command:
set deviceconfig setting wildfire vm-network-enable yes

Hierarchy Location
set deviceconfig system

Syntax
set vm-interface {
  default-gateway <ip_address>;
  dns-server <ip_address>;
  ip-address <ip_address>;
  link-state;
  mtu;
  netmask <ip_address>;
  speed-duplex;
}

Options
admin@WF-500# set vm-interface
+ default-gateway Default gateway for the VM interface
+ dns-server dns server for the VM interface
+ ip-address IP address for VM interface
+ link-state Set the link state to up or down
+ mtu Maximum Transmission Unit for the VM interface
+ netmask IP netmask for the VM interface
+ speed-duplex Speed and duplex for the VM interface

Sample Output
The following shows a configured vm-interface.
vm-interface {
  ip-address 10.16.0.20;
  netmask 255.255.252.0;
  default-gateway 10.16.0.1;
  dns-server 10.0.0.246;
}

Required Privilege Level


superuser, deviceadmin

Operational Mode Command Reference


This section contains command reference information for the following Operational mode commands that are
specific to the WF-500 appliance software. All other commands that are part of the WildFire appliance software
are identical to PAN-OS; refer to the Palo Alto Networks PAN-OS Command Line Reference Guide for
information on those commands.

create wildfire api-key

delete wildfire api-key

delete wildfire-metadata

edit wildfire api-key

load wildfire api-key

request system raid

request system wildfire-vm-image

request wf-content

save wildfire api-key

set wildfire portal-admin

show system raid

show wildfire

test wildfire registration

create wildfire api-key


Description
Generate API keys on a WF-500 appliance that you will use on an external system to submit samples to the
appliance, query reports, or retrieve samples and Packet Captures (PCAPS) from the appliance.

Syntax
create {
  wildfire {
    api-key {
      key <value>;
      name <value>;
    }
  }
}

Options
+ key Create an API key by manually entering a key value. The value must be 64 alpha
characters (a-z) or numbers (0-9). If you do not specify the key option, the appliance
generates a key automatically.
+ name Optionally enter a name for the API key. An API key name is simply used to
label the keys to make it easier to identify keys assigned for specific uses and has no
impact on the functionality of the key.

Sample Output
The following output shows that the appliance has three API keys and that one key is named my-api-key.
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+---------------+---------+---------------------+---------------------+
| Apikey                                                           | Name          | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+---------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key    | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |               | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C |               | Enabled | 2014-08-04 17:00:42 |                     |
+------------------------------------------------------------------+---------------+---------+---------------------+---------------------+

Required Privilege Level


superuser, deviceadmin
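An added example, not from the guide, that parses the show wildfire api-keys all table (rebuilt here from the sample output's values) and lists enabled keys that have never been used or have been idle longer than a threshold; those are the keys to review and, if no longer needed, disable with edit wildfire api-key status disable. The idle threshold and the reference date are assumptions.

```python
"""Audit the API keys listed by 'show wildfire api-keys all' on a WF-500
(added example, not from the guide).
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed from the key values in the guide's sample output, with the
# appliance's table columns rejoined onto single lines.
SAMPLE_TABLE = """\
+------------------------------------------------------------------+---------------+---------+---------------------+---------------------+
| Apikey                                                           | Name          | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+---------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key    | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |               | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C |               | Enabled | 2014-08-04 17:00:42 |                     |
+------------------------------------------------------------------+---------------+---------+---------------------+---------------------+
"""

TIMESTAMP = "%Y-%m-%d %H:%M:%S"


class ApiKey(NamedTuple):
    key: str
    name: str
    status: str
    created: datetime
    last_used: Optional[datetime]  # None when the appliance shows no usage


def parse_api_key_table(text: str) -> List[ApiKey]:
    """Parse the ASCII table; border rows ('+---') and the header are skipped."""
    keys: List[ApiKey] = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Apikey":
            continue
        if len(cells) != 5:
            raise ValueError(f"unexpected row layout: {line!r}")
        key, name, status, created, last_used = cells
        keys.append(ApiKey(
            key, name, status,
            datetime.strptime(created, TIMESTAMP),
            datetime.strptime(last_used, TIMESTAMP) if last_used else None,
        ))
    return keys


def stale_enabled_keys(keys: List[ApiKey], now: datetime,
                       max_idle_days: int = 30) -> List[ApiKey]:
    """Enabled keys whose last use (or creation, if never used) is older than
    max_idle_days: candidates for 'edit wildfire api-key status disable'."""
    cutoff = now - timedelta(days=max_idle_days)
    return [k for k in keys
            if k.status == "Enabled" and (k.last_used or k.created) < cutoff]


def describe(k: ApiKey) -> str:
    """Identify a key by its name or a short prefix, so that audit output
    does not reproduce usable key material."""
    return k.name or k.key[:8] + "..."


def audit(text: str, now: str, max_idle_days: int = 30) -> List[str]:
    """Parse the table and return the labels of stale enabled keys."""
    keys = parse_api_key_table(text)
    reference = datetime.strptime(now, TIMESTAMP)
    return [describe(k) for k in stale_enabled_keys(keys, reference, max_idle_days)]


if __name__ == "__main__":
    # Constructed reference date, chosen to fall after the sample's timestamps.
    for label in audit(SAMPLE_TABLE, "2014-09-01 00:00:00"):
        print(f"stale enabled key: {label}")
```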

delete wildfire api-key


Description
Delete an API key from the WF-500 appliance. Systems configured to use the API to perform API functions
on the appliance will no longer be able to access the appliance after you delete the key.

Syntax
delete {
  wildfire {
    api-key {
      key <value>;
    }
  }
}

Options
+ key <value> The key value for the key that you want to delete. To view a list of API
keys, run the following command: admin@WF-500> show wildfire api-keys all

Sample Output
admin@WF-500> delete wildfire api-key key A0418F8EADABA4C78CD3106D71147321462C5AA085B2979136447B1EC334655A
APIKey A0418F8EADABA4C78CD3106D71147321462C5AA085B2979136447B1EC334655A deleted

Required Privilege Level


superuser, deviceadmin

delete wildfire-metadata
Description
Delete content updates on the WF-500 appliance. For more information on content updates and how to install
them, see request wf-content.

Syntax
delete {
  wildfire-metadata update <value>;
}

Options
+ update <value> Define the content update that you want to delete.

Sample Output
The output that follows shows the deletion of an update named
panup-all-wfmeta-2-181.candidate.tgz.
admin@WF-500> delete wildfire-metadata update panup-all-wfmeta-2-181.candidate.tgz
successfully removed panup-all-wfmeta-2-181.candidate.tgz

Required Privilege Level


superuser, deviceadmin

edit wildfire api-key


Description
Modify an API key name or the key status (enabled/disabled) on a WF-500 appliance.

Syntax
edit {
  wildfire {
    api-key [name | status] key <value>;
  }
}

Options
+ name Change the name of an API key
+ status Enable or disable an API key
* key Specify the key to modify

Sample Output
The key value in this command is required. For example, to change the name of the key named stu to stu-key1, enter the following command. You do not need to enter the old key name; only enter the new key name.
admin@WF-500> edit wildfire api-key name stu-key1 key B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288

To change the status of stu-key1 to disabled, enter the following command:
admin@WF-500> edit wildfire api-key status disable key B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288

Example output that shows that stu-key1 is disabled:
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+----------+----------+---------------------+---------------------+
| Apikey                                                           | Name     | Status   | Create Time         | Last Used Time      |
+------------------------------------------------------------------+----------+----------+---------------------+---------------------+
| B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288 | stu-key1 | Disabled | 2014-08-21 07:23:34 |                     |
+------------------------------------------------------------------+----------+----------+---------------------+---------------------+

Required Privilege Level


superuser, deviceadmin

load wildfire api-key


Description
After importing API keys to the WF-500 appliance, you must use the load command to make the keys available
for use. Use this command to replace all existing API keys, or you can merge the keys in the import file with the
existing key database.

Syntax
load {
  wildfire {
    api-key {
      from <value> mode [merge | replace];
    }
  }
}

Options
* from Specify the API key filename that you want to import. The key files use the .keys file extension, for example my-api-keys.keys. To view a list of keys that are available for import, enter the following command:
admin@WF-500> load wildfire api-key from ?
+ mode Optionally enter the mode for the import (merge/replace). For example, to replace the key database on the appliance with the contents of the new key file, enter the following command:
admin@WF-500> load wildfire api-key mode replace from my-api-keys.keys

If you do not specify the mode option, the default action merges the keys.

Required Privilege Level


superuser, deviceadmin

request system raid


Description
Use this option to manage the RAID pairs installed in the WildFire appliance. The WF-500 appliance ships with
four drives in the first four drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and
B2 are a second RAID 1 pair.

Hierarchy Location
request system

Syntax
raid {
  remove <value>;
  OR...
  copy {
    from <value>;
    to <value>;
  }
  OR...
  add {

Options
> add      Add a drive into the corresponding RAID Disk Pair
> copy     Copy and migrate from one drive to the other drive in the bay
> remove   Drive to remove from RAID Disk Pair

Sample Output
The following output shows a WildFire WF-500 appliance with a correctly configured RAID.
admin@WF-500> show system raid
Disk Pair A              Available
  Disk id A1             Present
  Disk id A2             Present
Disk Pair B              Available
  Disk id B1             Present
  Disk id B2             Present

Required Privilege Level


superuser, deviceadmin

request system wildfire-vm-image


Perform upgrades on the WF-500 appliance virtual machine (VM) sandbox images used to analyze files. To
retrieve new VM images from the Palo Alto Networks Update Server, you must first download the image
manually, host it on an SCP enabled server, and then retrieve the image from the appliance using the SCP client.
After downloading the image to the appliance, you can then install it using this command.

Hierarchy Location
request system

Syntax
request {
system {
wildfire-vm-image {
upgrade install file <value>;
}
}
}

Options
> wildfire-vm-image Install Virtual Machine (VM) images.
+ upgrade install file Perform an upgrade to the VM image. After the file option, type ? to view a list of available VM images. For example, run the following command to list available images: admin@WF-500> request system wildfire-vm-image upgrade install file ?

Sample Output
To list available VM images, run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file ?

To install a VM image (Windows 7 64-bit in this example), run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file WFWin7_64Base_m-1.0.0_64base


Required Privilege Level


superuser, deviceadmin

request wf-content

Description
Perform content updates on a WF-500 appliance. These content updates equip the appliance with the most
up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate
the malicious from the benign. To schedule content updates to install automatically, see set deviceconfig system
update-schedule; to delete content updates on the WF-500, see delete wildfire-metadata.

Hierarchy Location
request

Syntax
request wf-content
{
downgrade install {previous | <value>};
upgrade
{
check
download latest
info
install {
file <filename>
version latest;
}
}
}

Options
> downgrade Installs a previous content version. Use the previous option to install
the previously installed content package or enter a value to downgrade to a specific
content package number.
> upgrade Performs content upgrade functions
> check Obtain information on available content packages from the Palo Alto Networks
Update Server
> download Download a content package
> info Show information about available content packages
> install Install a content package
> file Specify the name of the file containing the content package
> version Download or upgrade based on the version number of the content package

Sample Output
To list available content updates, run the following command:
admin@WF-500> request wf-content upgrade check
Version  Size  Released on               Downloaded  Installed
-----------------------------------------------------------------
2-217    58MB  2014/07/29 13:04:55 PDT   yes         current
2-188    58MB  2014/07/01 13:04:48 PDT   yes         previous
2-221    59MB  2014/08/02 13:04:55 PDT   no          no
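The following Python script is an added example for this guide, not Palo Alto Networks code. It parses the table that request wf-content upgrade check prints, as captured from a CLI session, and reports whether the package marked current is behind the newest package the Update Server offers and whether that newer package has already been downloaded, which tells you whether download latest or install version latest is the next step. The embedded table is constructed from the sample output above.

```python
"""Decide whether a WF-500's installed content package is behind the newest
package offered by the Update Server, from `request wf-content upgrade check`
output. Added example for this guide, not Palo Alto Networks code."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the table printed by `request wf-content upgrade check`.
SAMPLE_CHECK_OUTPUT = """\
Version  Size  Released on               Downloaded  Installed
-----------------------------------------------------------------
2-217    58MB  2014/07/29 13:04:55 PDT   yes         current
2-188    58MB  2014/07/01 13:04:48 PDT   yes         previous
2-221    59MB  2014/08/02 13:04:55 PDT   no          no
"""


class ContentPackage(NamedTuple):
    version: str        # e.g. "2-217"
    size: str
    released: str
    downloaded: bool
    installed: str      # "current", "previous" or "no"

    def version_key(self):
        # "2-217" -> (2, 217): compare numerically, never as a string
        return tuple(int(part) for part in self.version.split("-"))


ROW_RE = re.compile(
    r"^(?P<version>\d+-\d+)\s+(?P<size>\S+)\s+"
    r"(?P<released>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \S+)\s+"
    r"(?P<downloaded>yes|no)\s+(?P<installed>current|previous|no)$"
)


def parse_content_check(text: str) -> List[ContentPackage]:
    """Return one ContentPackage per data row; header and rule lines are skipped."""
    packages = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            packages.append(ContentPackage(
                m["version"], m["size"], m["released"],
                m["downloaded"] == "yes", m["installed"]))
    return packages


def assess_content(packages: List[ContentPackage]) -> Dict[str, object]:
    """Compare the package marked 'current' with the numerically newest one."""
    current = next((p for p in packages if p.installed == "current"), None)
    if current is None:
        raise ValueError("no content package is marked current")
    newest = max(packages, key=ContentPackage.version_key)
    return {
        "current": current.version,
        "newest": newest.version,
        "update_available": newest.version_key() > current.version_key(),
        # False means `request wf-content upgrade download latest` comes first
        "newest_downloaded": newest.downloaded,
    }


if __name__ == "__main__":
    print(assess_content(parse_content_check(SAMPLE_CHECK_OUTPUT)))
```

Version strings are compared as integer tuples so that, for example, 2-1000 sorts after 2-221; a plain string comparison would get that wrong.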

Required Privilege Level


superuser, deviceadmin

save wildfire api-key


Description
Use the save command to save all API keys on the WF-500 appliance to a file. You can then export the key file
for backup purposes or to modify the keys in bulk. For details on using the WildFire API on a WF-500
appliance, see About WildFire Subscriptions and API Keys.

Hierarchy Location
save

Syntax
save {
  wildfire {
    api-key to <value>;
  }
}

Options
* to Enter the filename for key export. For example, to export all of the API keys on
the WF-500 to a file named my-wf-keys, enter the following command:
admin@WF-500> save wildfire api-key to my-wf-keys


Required Privilege Level


superuser, deviceadmin

set wildfire portal-admin


Description
Sets the password of the portal admin account that an administrator uses to view WildFire analysis reports
generated by a WF-500 appliance. The account name (admin) and password are required when viewing a report
on the firewall or from Panorama in Monitor > WildFire Submissions > View WildFire Report. The default
username and password are admin/admin; because this is a well-known default, change the password as part of
initial appliance setup.
The portal admin account is the only account that you configure on the appliance to view reports
from the firewall or Panorama. You cannot create new accounts or change the account name.
This is not the same admin account that is used to manage the appliance.

Hierarchy Location
set wildfire

Syntax
set {
wildfire {
portal-admin {
password <value>;
}
}

Sample Output
The following shows the output of this command.
admin@WF-500> set wildfire portal-admin password
Enter password:
Confirm password:

Required Privilege Level


superuser, deviceadmin

show system raid


Description
Show the RAID configuration of the appliance. The WF-500 appliance ships with four drives in the first four
drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and B2 are a second RAID 1 pair.

Hierarchy Location
show system

Syntax
raid {
  detail;
}

Options
> detail   Also show each drive's model, size, and the state of each of its partitions.

Sample Output
The following shows the RAID configuration on a functioning WF-500 appliance.
admin@WF-500> show system raid detail
Disk Pair A                     Available
  Status                        clean
  Disk id A1                    Present
    model        : ST91000640NS
    size         : 953869 MB
    partition_1  : active sync
    partition_2  : active sync
  Disk id A2                    Present
    model        : ST91000640NS
    size         : 953869 MB
    partition_1  : active sync
    partition_2  : active sync
Disk Pair B                     Available
  Status                        clean
  Disk id B1                    Present
    model        : ST91000640NS
    size         : 953869 MB
    partition_1  : active sync
    partition_2  : active sync
  Disk id B2                    Present
    model        : ST91000640NS
    size         : 953869 MB
    partition_1  : active sync
    partition_2  : active sync
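Because each pair is RAID 1, a single failed drive does not interrupt the appliance, so it is easy to miss without a check. The following Python script is an added example for this guide, not Palo Alto Networks code: it parses show system raid detail output into pairs and drives and lists anything that is not a clean pair of two present drives whose partitions report active sync. The healthy sample is constructed from the output above; the degraded sample, including the words degraded and Missing, is an assumption about how a failed pair would be reported, not wording taken from the appliance.

```python
"""Detect a degraded RAID 1 pair in `show system raid detail` output.
Added example for this guide, not Palo Alto Networks code."""
import re
from typing import Dict, List

# Constructed healthy sample, matching the output shown in the guide.
HEALTHY = """\
Disk Pair A                     Available
  Status                        clean
  Disk id A1                    Present
    model        : ST91000640NS
    size         : 953869 MB
    partition_1  : active sync
    partition_2  : active sync
  Disk id A2                    Present
    model        : ST91000640NS
    size         : 953869 MB
    partition_1  : active sync
    partition_2  : active sync
Disk Pair B                     Available
  Status                        clean
  Disk id B1                    Present
    model        : ST91000640NS
    size         : 953869 MB
    partition_1  : active sync
    partition_2  : active sync
  Disk id B2                    Present
    model        : ST91000640NS
    size         : 953869 MB
    partition_1  : active sync
    partition_2  : active sync
"""

# Constructed failure sample: pair B has lost drive B2. The exact words the
# appliance prints for a failed pair or drive are an assumption.
DEGRADED = """\
Disk Pair B                     Available
  Status                        degraded
  Disk id B1                    Present
    model        : ST91000640NS
    size         : 953869 MB
    partition_1  : active sync
    partition_2  : active sync
  Disk id B2                    Missing
"""

PAIR_RE = re.compile(r"^Disk Pair (\w+)\s+(\S+)")
STATUS_RE = re.compile(r"^\s+Status\s+(\S+)")
DISK_RE = re.compile(r"^\s+Disk id (\w+)\s+(\S+)")
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.+?)\s*$")


def parse_raid_detail(text: str) -> Dict[str, dict]:
    """Return {pair: {"status": ..., "disks": {id: {"present": ..., attrs...}}}}."""
    pairs: Dict[str, dict] = {}
    pair = disk = None
    for line in text.splitlines():
        if m := PAIR_RE.match(line):
            pair = pairs.setdefault(m.group(1), {"status": None, "disks": {}})
            disk = None                      # pair-level lines follow
        elif (m := STATUS_RE.match(line)) and pair is not None and disk is None:
            pair["status"] = m.group(1)
        elif (m := DISK_RE.match(line)) and pair is not None:
            disk = pair["disks"].setdefault(m.group(1), {"present": m.group(2)})
        elif (m := ATTR_RE.match(line)) and disk is not None:
            disk[m.group(1)] = m.group(2)    # model, size, partition_N
    return pairs


def raid_problems(pairs: Dict[str, dict]) -> List[str]:
    """Everything that is not a clean pair of two present, fully synced drives."""
    problems = []
    for name, pair in sorted(pairs.items()):
        if pair["status"] != "clean":
            problems.append(f"pair {name}: status {pair['status']!r}, expected 'clean'")
        if len(pair["disks"]) != 2:
            problems.append(f"pair {name}: {len(pair['disks'])} drive(s) listed, expected 2")
        for disk_id, disk in sorted(pair["disks"].items()):
            if disk["present"] != "Present":
                problems.append(f"drive {disk_id}: {disk['present']}")
                continue
            for part in ("partition_1", "partition_2"):
                if disk.get(part) != "active sync":
                    problems.append(f"drive {disk_id} {part}: {disk.get(part)!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, raid_problems(parse_raid_detail(text)) or "OK")
```

Run it on a schedule against captured output and alert on a non-empty list; an empty list is the only healthy result, so a parser failure (nothing recognized) also surfaces, because a pair with zero drives is reported as a problem.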

Required Privilege Level


superuser, superreader

show wildfire
Description
Shows various information about the WildFire appliance, such as available API keys, registration information,
activity, recent samples that the appliance analyzed, and the virtual machine that is selected to perform analysis.

Hierarchy Location
show wildfire

Syntax
show wildfire {
  api-keys {
    all {
      details;
    }
    key <value>;
  }
  last-device-registration all;
  latest {
    analysis {
      filter malicious|benign;
      sort-by SHA256|Submit Time|Start Time|Finish Time|Malicious|Status;
      sort-direction asc|desc;
      limit 1-20000;
      days 1-7;
    }
    OR...
    samples {
      filter malicious|benign;
      sort-by SHA256|Create Time|File Name|File Type|File Size|Malicious|Status;
      sort-direction asc|desc;
      limit 1-20000;
      days 1-7;
    }
    OR...
    sessions {
      filter malicious|benign;
      sort-by SHA256|Create Time|Src IP|Src Port|Dst Ip|Dst Port|File|Device ID|App|Malicious|Status;
      sort-direction asc|desc;
      limit 1-20000;
      days 1-7;
    }
    OR...
    uploads {
      sort-by SHA256|Create Time|Finish Time|Status;
      sort-direction asc|desc;
      limit 1-20000;
      days 1-7;
    }
  }
  sample-status {
    sha256 {
      equal <value>;
    }
  }
  statistics days <1-31>;
  status;
  vm-images;
}

Options
admin@WF-500> show wildfire
> api-keys Show details about the API keys generated on the WF-500 appliance. You can
view the last time the key was used, the key name, status (Enabled or Disabled), and the
date/time the key was generated.
> last-device-registration Show list of latest registration activities.
> latest Show latest 30 activities, which include the last 30 analysis activities, the
last 30 files that were analyzed, network session information on files that were
analyzed and files that were uploaded to the public cloud server.
> sample-status Show wildfire sample status. Enter the SHA or MD5 value of the file to
view the current analysis status.
> statistics Display basic wildfire statistics.
> status Display the status of the appliance as well as configuration information such
as the Virtual Machine (VM) used for sample analysis, whether or not samples/reports are
sent to the cloud, vm network, and registration information.
> vm-images Display the attributes of the available virtual machine images used for
sample analysis. To view the current active image, run the following command:
admin@WF-500> show wildfire status and view the Select VM field.


Sample Output
The following shows the output for this command.
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| Apikey                                                           | Name           | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key-stu | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |                | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
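API keys are bearer credentials for the WildFire API on the appliance, so keys that nobody uses are worth finding and disabling. The following Python script is an added example for this guide, not Palo Alto Networks code: it parses the show wildfire api-keys all table above, embedded here as constructed sample input, and flags enabled keys that have never been used or have been idle longer than a threshold. The 90-day threshold and the fixed "now" timestamp are assumptions for the demonstration.

```python
"""Audit the API keys listed by `show wildfire api-keys all` and flag enabled
keys that are unused or idle. Added example for this guide, not Palo Alto
Networks code."""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: the table shown in the guide, as captured from the CLI.
SAMPLE_API_KEYS = """\
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| Apikey                                                           | Name           | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key-stu | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |                | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
"""

TIMESTAMP = "%Y-%m-%d %H:%M:%S"


class ApiKey(NamedTuple):
    key: str
    name: str
    enabled: bool
    created: datetime
    last_used: Optional[datetime]   # None when the key has never been used


def parse_api_keys(text: str) -> List[ApiKey]:
    """Parse the ASCII table; the prompt, rule lines and the header are skipped."""
    keys = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Apikey":
            continue
        key, name, status, created, last_used = cells
        keys.append(ApiKey(
            key, name, status == "Enabled",
            datetime.strptime(created, TIMESTAMP),
            datetime.strptime(last_used, TIMESTAMP) if last_used else None))
    return keys


def stale_keys(keys: List[ApiKey], now: datetime,
               max_idle: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Enabled keys never used, or not used within max_idle (90 days is an assumption)."""
    findings = []
    for k in keys:
        if not k.enabled:
            continue
        label = k.name or k.key[:8] + "..."    # never log the full key
        if k.last_used is None:
            if now - k.created > max_idle:     # give new keys time to be put to use
                findings.append((label, "enabled but never used"))
        elif now - k.last_used > max_idle:
            findings.append((label, f"idle for {(now - k.last_used).days} days"))
    return findings


def audit_api_keys(text: str, now_text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: CLI output plus a 'now' in the appliance's timestamp format."""
    return stale_keys(parse_api_keys(text), datetime.strptime(now_text, TIMESTAMP))


if __name__ == "__main__":
    # "now" is fixed so the demo is reproducible; use datetime.now() in practice
    for label, reason in audit_api_keys(SAMPLE_API_KEYS, "2014-10-01 00:00:00"):
        print(f"{label}: {reason}; consider disabling or deleting it")
```

The report prints the key name, or only the first eight hex characters when the key has no name, so the audit output itself does not become another place the secret is stored.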
admin@WF-500> show wildfire last-device-registration all
+--------------+---------------------+-------------+------------+----------+--------+
| Device ID    | Last Registered     | Device IP   | SW Version | HW Model | Status |
+--------------+---------------------+-------------+------------+----------+--------+
| 001606000114 | 2014-07-31 12:35:53 | 10.43.14.24 | 6.1.0-b14  | PA-200   | OK     |
+--------------+---------------------+-------------+------------+----------+--------+
admin@WF-500> show wildfire latest
> analysis   Show latest 30
> samples    Show latest 30
> sessions   Show latest 30
> uploads    Show latest 30

admin@WF-500> show wildfire sample-status sha256 equal 809bad2d3fbdf1c18ef47ba9c5a0feca691103f094bc8d7e0cbed480870fd78c
Sample information:
+---------------------+---------------------------------------------------------------+------------------+-----------+-----------+-------------------+
| Create Time         | File Name                                                     | File Type        | File Size | Malicious | Status            |
+---------------------+---------------------------------------------------------------+------------------+-----------+-----------+-------------------+
| 2014-08-04 11:49:41 | 25047801_20130919175646000_970x66_Adobe_Marketing_RM_AUTO.swf | Adobe Flash File | 64502     | No        | analysis complete |
+---------------------+---------------------------------------------------------------+------------------+-----------+-----------+-------------------+
Session information:
+---------------------+---------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
| Create Time         | Src IP        | Src Port | Dst IP       | Dst Port | File                                                          | Device ID    | App   | Malicious | Status    |
+---------------------+---------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
| 2014-08-04 11:49:41 | 10.10.10.50   | 80       | 192.168.2.10 | 64108    | 25047801_20130919175646000_970x66_Adobe_Marketing_RM_AUTO.swf | 001606000114 | flash | No        | completed |
+---------------------+---------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
Analysis information:
+---------------------+---------------------+---------------------+-----------+-----------------------------------------------------------+-----------+
| Submit Time         | Start Time          | Finish Time         | Malicious | VM Image                                                  | Status    |
+---------------------+---------------------+---------------------+-----------+-----------------------------------------------------------+-----------+
| 2014-08-04 11:49:41 | 2014-08-04 11:49:41 | 2014-08-04 11:56:52 | No        | Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010 | completed |
+---------------------+---------------------+---------------------+-----------+-----------------------------------------------------------+-----------+
admin@WF-500> show wildfire statistics
Last one hour statistics
  Total sessions submitted : 0
  Samples submitted        : 0
    analyzed               : 0
    pending                : 0
    malicious              : 0
    benign                 : 0
    error                  : 0
    uploaded               : 0

Last 24 hours statistics
  Total sessions submitted : 13
  Samples submitted        : 13
    analyzed               : 13
    pending                : 0
    malicious              : 0
    benign                 : 13
    error                  : 0
    uploaded               : 0
admin@WF-500> show wildfire status
Connection info:
  Wildfire cloud:           s1.wildfire.paloaltonetworks.com
  Status:                   Idle
  Submit sample:            disabled
  Submit report:            disabled
  Selected VM:              vm-5
  VM internet connection:   disabled
  VM network using Tor:     disabled
  Best server:              s1.wildfire.paloaltonetworks.com
  Device registered:        yes
  Service route IP address: 10.3.4.99
  Signature verification:   enable
  Server selection:         enable
  Through a proxy:          no
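Several lines of show wildfire status describe the appliance's trust boundary: whether samples and reports leave the appliance for the public cloud, whether the analysis VM can reach the internet or Tor, and whether signature verification is on. The following Python script is an added example for this guide, not Palo Alto Networks code: it parses that output into fields and compares them with an expected configuration. The expected values are an assumption for an appliance that keeps everything on premises and isolates the sandbox; adjust them to what your deployment intends. Both samples are constructed from the output above.

```python
"""Check the security-relevant fields of `show wildfire status` against an
expected configuration. Added example for this guide, not Palo Alto Networks
code."""
import re
from typing import Dict, List, Set

# Constructed sample: the status output shown in the guide.
SAMPLE_STATUS = """\
admin@WF-500> show wildfire status
Connection info:
  Wildfire cloud:           s1.wildfire.paloaltonetworks.com
  Status:                   Idle
  Submit sample:            disabled
  Submit report:            disabled
  Selected VM:              vm-5
  VM internet connection:   disabled
  VM network using Tor:     disabled
  Best server:              s1.wildfire.paloaltonetworks.com
  Device registered:        yes
  Service route IP address: 10.3.4.99
  Signature verification:   enable
  Server selection:         enable
  Through a proxy:          no
"""

# Expected values. This policy is an assumption for an appliance that keeps
# samples and reports on premises and gives the sandbox no outbound network;
# a deployment that intentionally submits to the cloud would change it.
EXPECTED: Dict[str, Set[str]] = {
    "Device registered": {"yes"},
    "Signature verification": {"enable"},
    "Submit sample": {"disabled"},
    "Submit report": {"disabled"},
    "VM internet connection": {"disabled"},
    "VM network using Tor": {"disabled"},
}

FIELD_RE = re.compile(r"^\s*(?P<label>[^:]+?):\s*(?P<value>.*?)\s*$")


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'label: value' lines into a dict; lines without a value are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m["value"]:
            fields[m["label"]] = m["value"]
    return fields


def posture_findings(fields: Dict[str, str],
                     expected: Dict[str, Set[str]] = EXPECTED) -> List[str]:
    """One finding per expected field that is missing or holds a disallowed value."""
    findings = []
    for label, allowed in expected.items():
        value = fields.get(label)
        if value is None:
            findings.append(f"{label}: not reported")
        elif value not in allowed:
            findings.append(f"{label}: {value!r}, expected one of {sorted(allowed)}")
    return findings


def check_status(text: str) -> List[str]:
    return posture_findings(parse_status(text))


# Constructed drifted sample: the same appliance with two settings changed.
DRIFTED_STATUS = SAMPLE_STATUS.replace(
    "Signature verification:   enable", "Signature verification:   disable"
).replace("VM internet connection:   disabled", "VM internet connection:   enabled")

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_STATUS), ("drifted", DRIFTED_STATUS)):
        print(name, check_status(text) or "OK")
```

A field that is absent from the output is reported as a finding rather than silently passed, so a changed output format fails loudly instead of hiding a regression.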

Required Privilege Level


superuser, superreader

test wildfire registration


Description
Performs a test to check the registration status of a WildFire appliance or Palo Alto Networks firewall to a
WildFire server. If the test is successful, the IP address or server name of the WildFire server is displayed. A
successful registration is required before a WildFire appliance or firewall can forward files to the WildFire server.

Syntax
test {
wildfire {
registration;
}
}

Options
No additional options.

Sample Output
The following shows successful output on a firewall that can communicate with a WildFire appliance. If this
is a WildFire appliance pointing to the Palo Alto Networks WildFire cloud, the server name of one of the cloud
servers is displayed in the select the best server: field.
Test wildfire
        wildfire registration:      successful
        download server list:       successful
        select the best server:     ca-s1.wildfire.paloaltonetworks.com


Required Privilege Level


superuser, superreader
