Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/
For information on the additional capabilities and for instructions on configuring the features on the firewall, refer
to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
https://live.paloaltonetworks.com.
For contacting support, for information on the support programs, or to manage your account or devices, refer to
https://support.paloaltonetworks.com
Table of Contents
WildFire Overview ..... 1
  About WildFire ..... 2
  WildFire Concepts ..... 5
    File/Email Link Forwarding ..... 5
    Supported File Types ..... 5
    WildFire Virtual Sandboxes ..... 6
    WildFire Signatures ..... 6
    WildFire Email Link Analysis ..... 7
    WildFire Alerts ..... 8
    WildFire Logging and Reporting ..... 8
    Malware Test Samples ..... 10
  WildFire Deployments ..... 12
  WildFire Subscription Requirements ..... 14
  Best Practices for Keeping Signatures up to Date ..... 16
  Reference: Firewall File Forwarding Capacity by Platform ..... 17
WildFire Reporting ..... 65
  WildFire Logs ..... 66
  Enable Email Header Information in WildFire Logs ..... 68
  Monitor Submissions Using the WildFire Portal ..... 70
  Customize WildFire Portal Settings ..... 71
  Add WildFire Portal User Accounts ..... 72
  View WildFire Reports ..... 73
  WildFire Report Contents ..... 74
  Set Up Alerts for Detected Malware ..... 79
  WildFire in Action ..... 82
WildFire API ..... 87
  About WildFire Subscriptions and API Keys ..... 88
  Use the WildFire API ..... 89
  WildFire API File Submission Methods ..... 90
    Submit a File to the WildFire Cloud Using the Submit File Method ..... 90
    Submit a File to WildFire Using the Submit URL Method ..... 90
  Query for a WildFire PDF or XML Report ..... 92
  Use the API to Retrieve a Sample Malware Test File ..... 93
    Use the API to Retrieve a Sample File or PCAP ..... 93
  Use the WildFire API on a WF-500 Appliance
    Generate API Keys on the WildFire Appliance
    Manage API Keys on the WildFire Appliance
    Use the WildFire API on a WildFire Appliance
WildFire Overview
WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing,
signature-based detection, and blocking of malware. WildFire extends the capabilities of Palo Alto Networks
next-generation firewalls to identify and block targeted and unknown malware.
The following topics describe WildFire and how to integrate it into your environment:
About WildFire
WildFire Concepts
WildFire Deployments
About WildFire
Modern malware is at the heart of many of today's most sophisticated network attacks and is increasingly
customized to avoid traditional security solutions. Palo Alto Networks has developed an integrated approach
that addresses the full malware life cycle, which includes preventing infections, identifying zero-day malware
(undiscovered malware), or targeted malware (malware targeting a specific industry or corporation), as well as
pinpointing and disrupting active infections.
The Palo Alto Networks WildFire engine exposes zero-day and targeted malware through direct observation in
a virtual environment within the WildFire system. The WildFire feature also makes extensive use of the Palo
Alto Networks App-ID technology by identifying file transfers within all applications, not just email
attachments or browser-based file downloads.
For information on Palo Alto Networks WildFire privacy policy, refer to
https://live.paloaltonetworks.com/docs/DOC-2880.
Figure: High-Level WildFire Decision Workflow illustrates the basic WildFire workflow, and Figure: Detailed
WildFire Decision Flow describes the entire WildFire lifecycle from the time a user downloads a malicious file
to the point where WildFire generates a signature to be used by Palo Alto Networks firewalls to protect against
future exposure to the malware.
The High-Level WildFire Decision Workflow describes the workflow for a file download. The
analysis of an HTTP/HTTPS link contained in an email is very similar, with minor
differences. For details on email-link analysis, see WildFire Email Link Analysis.
WildFire Concepts
WildFire Signatures
WildFire Alerts
Email-link: HTTP/HTTPS email links contained in SMTP and POP3 email messages. Note that the
firewall only extracts links and associated session information (sender, recipient, and subject) from the email
messages that traverse the firewall; it does not receive, store, forward, or view the email message. The
WF-500 appliance does not support email link analysis.
JAR: Java Applet (JAR/Class file types). The WF-500 appliance will analyze Java content, but will not
generate signatures for malicious samples. You must download the sample from the WildFire Submission
log and upload it to the WildFire cloud for signature generation.
PE: Portable Executable, which includes executable files, object code, DLLs, FON (fonts), and others.
MS-Office: Microsoft Office files including documents (doc, docx, rtf), workbooks (xls, xlsx), and
PowerPoint (ppt, pptx). As of content update 450, WildFire can generate antivirus signatures for Office
Open XML (OOXML) 2007+ documents that it determines to be malicious and delivers the signatures
through WildFire and antivirus updates, enabling the firewall to alert on or block malicious content in these
types of files.
A WildFire subscription is not required on the firewall to forward PE file types to WildFire for
analysis, but is required to analyze all other supported file types.
WildFire Signatures
The key benefits of the Palo Alto Networks WildFire feature are that it can discover zero-day malware in web
traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic, and can quickly generate
signatures to protect against future infections from the malware it discovers. WildFire automatically
generates a signature based on the malware payload of the sample and tests it for accuracy and safety. Because
malware evolves rapidly, the signatures that WildFire generates address multiple variants of the malware. As
WildFire detects new malware, it generates new signatures within 15-30 minutes. Firewalls equipped with a
WildFire subscription can receive the new signatures within 15 minutes. If you do not have a WildFire
subscription, signatures are made available within 24-48 hours as part of the antivirus update for firewalls
equipped with a Threat Prevention subscription.
As soon as the firewall downloads and installs the new signature, any files that contain that malware (or a variant
of it) are automatically dropped by the firewall. Information gathered by WildFire during the analysis of
malware is also used to fortify other Threat Prevention features, such as adding malware URLs to PAN-DB and
generating DNS, antivirus, and anti-spyware signatures. Palo Alto Networks also develops signatures
for command and control traffic, enabling immediate disruption of the communications of any malware inside
the network. For details on signatures and the benefits of having a WildFire subscription, see WildFire
Subscription Requirements.
Generates a detailed analysis report and logs it to the WildFire Submissions log on the firewall that
forwarded the links. This log now includes the email header information (email sender, recipient, and
subject) so that you can identify the message and delete it from the mail server and/or track down the
recipient and mitigate the threat if the email has already been delivered and/or opened.
Note that if the link corresponds to a file download, WildFire does not analyze the file. However, the firewall
will forward the corresponding file to WildFire for analysis if the end user clicks the link to download it as long
as the corresponding file type is enabled for forwarding.
The firewall forwards email links in batches of 100 email links or every two minutes, whichever comes first. Each
batch upload to WildFire counts as one upload toward the upload per-minute capacity for the given firewall
platform (Reference: Firewall File Forwarding Capacity by Platform). To determine if the firewall is forwarding
email links, run the following command from the firewall that is configured to forward to WildFire:
admin@PA-200> show wildfire statistics
View the file type: email-link counter section under Counters for file forwarding. When email links are
forwarded, the counters in that section increment.
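As an added example (not code from the guide or from Palo Alto Networks), the following Python models the batching rule just described: links are flushed in batches of 100 or when two minutes have elapsed, whichever comes first, and every flush counts as one upload against the per-minute capacity figures taken from the guide's Firewall File Forwarding Capacity by Platform table. The guide does not say when the two-minute timer starts, so starting it when the first link enters an empty batch is an assumption.

```python
"""Model of the WildFire email-link batching rule described in the guide.
Added example; not code from Palo Alto Networks or the guide."""
from collections import Counter

BATCH_SIZE = 100        # links per batch (from the guide)
BATCH_INTERVAL = 120.0  # seconds: the "every two minutes" flush (from the guide)

# Per-minute upload capacity for three platforms, from the guide's
# "Firewall File Forwarding Capacity by Platform" table.
UPLOADS_PER_MINUTE = {"PA-500": 10, "PA-3020": 50, "PA-5060": 100}


def batch_email_links(link_times):
    """Return the uploads the firewall would make as (flush_time, link_count).

    link_times: timestamps in seconds at which links were extracted.
    Assumption (not stated in the guide): the two-minute timer starts when
    the first link enters an empty batch.
    """
    uploads = []
    batch = []
    batch_open = None
    for t in sorted(link_times):
        if batch and t - batch_open >= BATCH_INTERVAL:
            # Timer expired before this link arrived: flush what we have.
            uploads.append((batch_open + BATCH_INTERVAL, len(batch)))
            batch, batch_open = [], None
        if batch_open is None:
            batch_open = t
        batch.append(t)
        if len(batch) == BATCH_SIZE:
            # Batch is full: flush immediately ("whichever comes first").
            uploads.append((t, len(batch)))
            batch, batch_open = [], None
    if batch:
        # Remaining links go out when the timer fires.
        uploads.append((batch_open + BATCH_INTERVAL, len(batch)))
    return uploads


def uploads_per_minute(uploads):
    """Map each wall-clock minute index to the number of batch uploads in it."""
    return Counter(int(flush_time // 60) for flush_time, _ in uploads)


def minutes_over_capacity(uploads, platform, other_uploads_per_minute=0):
    """Minutes in which link batches plus other file uploads (an estimate the
    caller supplies) exceed the platform's per-minute upload capacity."""
    cap = UPLOADS_PER_MINUTE[platform]
    return sorted(m for m, n in uploads_per_minute(uploads).items()
                  if n + other_uploads_per_minute > cap)


if __name__ == "__main__":
    # Constructed mail storm: 1500 links extracted within one minute.
    storm = [i * 0.04 for i in range(1500)]
    ups = batch_email_links(storm)
    print(len(ups), "batch uploads;", dict(uploads_per_minute(ups)))
    for platform in UPLOADS_PER_MINUTE:
        print(platform, "over capacity in minutes:",
              minutes_over_capacity(ups, platform))
```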
To ensure that you gain the full benefits of this feature, confirm the following on each firewall that will forward
samples to WildFire.
WildFire Alerts
The firewall can provide instant notification whenever it detects malware on your network by sending email
alerts, syslog, or SNMP traps. This enables you to quickly identify the user who downloaded the malware and
eradicate it before it causes extensive damage or propagates to other users. In addition, every signature that
WildFire generates is automatically propagated to all Palo Alto Networks firewalls protected with a Threat
Prevention and/or WildFire subscription, which provides automatic protection from malware discovered on
networks all over the world.
Each time you access the test URL, the server generates a unique file named wildfire-test-pe-file.exe and
initiates a download. Each test file also has a unique SHA-256 hash value.
Although WildFire will generate a signature for the test file, the signature is disabled and will not be
distributed to the Palo Alto Networks update server. If signature generation is enabled on a WF-500
appliance, it will not generate a signature for the test file.
To access the malware test file, highlight the following link and copy and paste it into a browser:
http://wildfire.paloaltonetworks.com/publicapi/test/pe.
If you have enabled decryption on the firewall, you can access the encrypted version of the site by replacing
HTTP with HTTPS.
After downloading the file, check the Data Filtering log on the firewall to see if the file was forwarded and after
about five minutes, look for the results in the WildFire Submissions log. For information on verifying your
WildFire configuration, see Verify Forwarding to a WF-500 Appliance and Verify Forwarding to the WildFire
Cloud.
For WildFire API testing, see Use the API to Retrieve a Sample Malware Test File.
WildFire Deployments
Palo Alto Networks next-generation firewalls support the following WildFire deployments:
WildFire Cloud: In this deployment, a Palo Alto Networks firewall forwards files to the hosted WildFire
environment that Palo Alto Networks owns and maintains. As WildFire detects new malware, it generates
new signatures within 15-30 minutes. Firewalls equipped with a WildFire subscription can receive the new
signatures within 15 minutes; firewalls with only a Threat Prevention subscription will receive the new
signatures in the next antivirus signature update within 24-48 hours.
The available WildFire cloud servers are wildfire-public-cloud for the WildFire cloud server hosted in the
United States and wildfire.paloaltonetworks.jp for the WildFire cloud hosted in Japan. You may want your
firewalls to use the Japan server if you do not want benign files forwarded to the U.S. cloud servers. If a file
is sent to the Japan cloud and WildFire determines that it is malicious, the Japan cloud forwards it to the U.S. cloud
servers, where WildFire analyzes it again to confirm that it is malicious. If your firewalls are located in the Japan
region, you will see faster response times for sample submissions and report generation.
WildFire Appliance: In this deployment, you install a WF-500 appliance on your corporate network and
configure your Palo Alto Networks firewalls to forward files to the appliance instead of to the Palo Alto
Networks WildFire cloud (the default). This deployment prevents the firewall from having to send any files
outside of your network for analysis. By default, the appliance will not send any files out of your network
unless you explicitly enable the cloud intelligence submit-sample feature. This feature enables the appliance
to forward malware it detects to the Palo Alto Networks WildFire cloud, where the files are analyzed and
signatures are generated for malicious samples. The update servers then provide these signatures to all Palo
Alto Networks firewalls with a Threat Prevention and/or WildFire subscription. The appliance can also be
configured to generate signatures locally based on samples sent to it from your connected firewalls or
submitted using the WildFire XML API. For more information, see Signature/URL Generation on
a WF-500 Appliance. A single WildFire appliance can receive and analyze files from up to 100 Palo Alto
Networks firewalls.
The following lists the main differences between the WildFire cloud and the WildFire appliance deployments:
The WildFire Appliance enables local sandboxing of malware so that benign files never leave your network.
By default, the WildFire appliance does not forward any files to the WildFire cloud, but you can configure
the cloud intelligence option on the appliance to forward malicious samples or reports on malicious samples
to Palo Alto Networks. If you do not want the appliance to send malware samples to Palo Alto Networks, it
is recommended that you at least configure the appliance to send malware reports. The reports help Palo
Alto Networks gather statistical information about malware to gain a better understanding of how prevalent
the malware is and insight into how it propagates.
The WF-500 appliance does not have a WildFire Portal, but you can configure cloud intelligence on the
appliance to automatically submit files to the WildFire cloud. You can also download samples from the
WildFire reports and then upload them to the portal, or use the WildFire XML API to submit files to the
cloud. After manually uploading files to the portal, the samples will appear on the portal as a manual upload
(see Upload Files using the WildFire Cloud Portal). For samples forwarded by a Palo Alto Networks firewall
to a WF-500 appliance or to the WildFire cloud, the reports are always available in the WildFire Submissions
log on the firewall.
Multiple virtual machines run on the WildFire cloud to represent a variety of operating systems and
applications used when running sample files. On the WF-500 appliance, multiple virtual machines are
available, but only one can be active for file analysis. Before selecting the virtual machine to use, review the
attributes of the available virtual machines and select one that best matches your environment. Although you
configure the WF-500 appliance to use one virtual machine image configuration, the appliance uses multiple
instances of the image to perform file analyses in order to improve performance. For information on viewing
and selecting the virtual machine, see Integrate the WF-500 Appliance into a Network.
WildFire Advanced File Type Support: In addition to Portable Executable (PE) files, a subscription
allows the firewall to also forward the following advanced file types: APK (WildFire cloud only), Flash, PDF,
Microsoft Office, and JAR (Java Applet). In addition to these file types, you can also configure the firewall
to extract and forward email links contained in SMTP and POP3 email messages by forwarding the
email-link file type. Note that the firewall only extracts links and associated session information (sender,
recipient, and subject) from the email messages that traverse the firewall; it does not receive, store, forward,
or view the email message.
WildFire API: The WildFire subscription provides access to the WildFire API, which enables direct
programmatic access to the WildFire service on the Palo Alto Networks WildFire cloud or a WildFire
appliance. You can use the WildFire API to submit files and to retrieve reports for the submitted files. The
WildFire API supports up to 1,000 file submissions per day and up to 10,000 queries per day.
WildFire WF-500 Appliance: Only firewalls with a valid WildFire subscription can forward files to a
WF-500 appliance for analysis. Firewalls that only have a Threat Prevention subscription installed can
forward files to the WildFire cloud, but not to a WF-500 appliance.
Antivirus: New antivirus content updates are released by Palo Alto Networks on a daily basis. To get the
latest content, schedule these updates daily at minimum. For a more aggressive schedule, schedule them
hourly.
Applications and Threats: New App-ID, vulnerability protection, and anti-spyware signatures are
released by Palo Alto Networks as weekly content updates (normally on Tuesdays). To receive the latest
content, schedule the updates at least weekly. For a more aggressive schedule that ensures the firewall
receives the latest content soon after release (including occasional off-schedule emergency content
releases), schedule the firewall to download/install daily.
WildFire: New WildFire antivirus signatures are published every 15 minutes. Depending on when
WildFire discovers new malware within the release cycle, coverage is provided in the form of a WildFire
signature 15-30 minutes after it is discovered. To get the latest WildFire signatures, schedule these updates
every hour or half-hour. For a more aggressive schedule, configure the firewall to check for updates every
15 minutes.
WF-Private: If signature/URL generation (antivirus signatures, DNS signatures, and URL entries for
PAN-DB) is configured on a WF-500, configure the firewall to download/install the updates using the
WF-Private dynamic update. After the appliance receives a malicious sample, it will generate a signature
within five minutes in most cases. When configuring the firewall to retrieve these updates, set the schedule
to download and install every hour or half-hour. For a more aggressive schedule (recommended),
configure the firewall to download and install the updates every 5 minutes. If you configure your firewalls
to retrieve WF-Private updates, it is highly recommended that the firewalls also download content updates
from Palo Alto Networks (Antivirus, Applications/Threats, and WildFire) to ensure that the firewalls have the
latest protection. This is important because when the local storage for WF-Private updates on
the appliance is full, new signatures/URL categorizations overwrite existing ones, beginning with the
oldest. For details on local signature generation, see Signature/URL Generation on a WF-500
Appliance.
Reference: Firewall File Forwarding Capacity by Platform

Platform         Files per Minute   Reserved Drive Space
VM-100                              100MB
VM-200           10                 200MB
VM-300           20                 200MB
PA-200                              100MB
PA-500           10                 200MB
PA-2000 Series   20                 200MB
PA-3020          50                 200MB
PA-3050          50                 500MB
PA-3060          50                 500MB
PA-4020          20                 200MB
PA-4050/4060     50                 500MB
PA-5020/5050     50                 500MB
PA-5060          100                500MB
PA-7050          100                1GB
MGT: Receives all files forwarded from the firewalls and returns logs detailing the results back to the
firewalls. See Integrate the WF-500 Appliance into a Network.
Virtual Machine Interface (VM interface): Provides network access for the WildFire sandbox systems
to enable sample files to communicate with the Internet, which allows WildFire to better analyze the
behavior of the sample. When the VM interface is configured, WildFire can observe malicious behaviors that
the malware would not normally perform without network access, such as phone-home activity. However,
to prevent malware from entering your network from the sandbox, configure this interface on an isolated
network with an Internet connection. You can also enable the Tor option to hide the public IP address
used by your company from malicious sites that are accessed by the sample. For more information on the
VM interface, see Set Up the VM Interface on the WF-500 Appliance.
Rack mount and cable the WF-500 appliance. Refer to the WF-500 WildFire Appliance Hardware
Reference Guide.
Obtain the information required to configure network connectivity on the MGT port and the virtual
machine interface from your network administrator (IP address, subnet mask, gateway, hostname, DNS
server). All communication between the firewalls and the appliance occurs over the MGT port, including
file submissions, WildFire log delivery, and appliance administration. Therefore, ensure that the firewalls
have connectivity to the MGT port on the appliance. In addition, the appliance must be able to connect to
the updates.paloaltonetworks.com site to retrieve its operating system software updates.
Have a computer ready with either a console cable or Ethernet cable to connect to the device for the initial
configuration.
Step 1
Connect to the console port or the MGT port. Both are located on the back of the appliance.
Console Port: This is a 9-pin male serial connector. Use the following settings on the console
application: 9600-8-N-1. Connect the provided cable to the serial port on the management computer or
USB-to-Serial converter.
MGT Port: This is an Ethernet RJ-45 port. By default, the MGT port IP address is 192.168.1.1. The
interface on your management computer must be on the same subnet as the MGT port. For example, set
the IP address on the management computer to 192.168.1.5.
Step 2
1. Obtain the serial number from the S/N tag on the appliance, or run the following command and refer
to the serial field:
admin@WF-500> show system info
Step 3
3. Type the old password, press Enter, and then enter and confirm the new password. There is no need
to commit the configuration because this is an operational command.
4. Type exit to log out and then log back in to confirm that the new password is set.
Step 4
Set the IP information for the MGT interface and the hostname for the appliance. All firewalls that will
send files to the WF-500 appliance will use the MGT port, so ensure that this interface is accessible from
those firewalls.
This example uses the following values:
admin@WF-500# commit
Step 5
In this example, you will create a superreader account for the user bsimpson:
1. Enter configuration mode:
admin@WF-500> configure
1. Select Device > Setup > WildFire and edit General Settings.
2. Select the Report Benign Files check box to enable and then click OK to save.
You can run the following CLI command to enable benign logging:
admin@WF-500# set deviceconfig setting wildfire report-benign-file yes
2. Select the image that the appliance will use for analysis:
admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
The following illustration shows two options for connecting the VM interface to the network.
Option 2: Use a dedicated Internet provider connection, such as a DSL, to connect the VM interface to
the Internet. Ensure that there is no access from this connection to internal servers/hosts. Although this is
a simple solution, traffic generated by the malware out the VM interface will not be logged unless you place
a firewall or a traffic monitoring tool between the WildFire appliance and the DSL connection.
IP Address: 192.168.2.1
Netmask: 255.255.255.0
DNS: 192.168.2.254
If you plan on enabling this interface, configure it with the appropriate settings for your network. If you do not
plan on using this interface, leave the default settings. Note that this interface must have network values
configured or a commit failure will occur.
Configure the VM Interface
Step 1
1. Enter configuration mode:
admin@WF-500> configure
Step 3
For example:
admin@WF-500> ping source 10.16.0.20 host 10.16.0.1
Step 5
Continue to the next section to configure the firewall interface that you will use to connect the VM
interface on the appliance. See Configure the Firewall to Control Traffic for the WF-500 VM Interface.
Configure the Firewall to Control Traffic for the WF-500 VM Interface
Step 1
1. Configure the interface on the firewall that the VM interface will connect to and set the virtual router.
The wf-vm-zone should only contain the interface (ethernet1/3 in this example) used to connect the VM
interface on the appliance to the firewall. This prevents any traffic generated by the malware from
reaching other networks.
Step 2
4. In the Zone dialog Name field, enter wf-vm-zone and click OK.
7. Under Log Setting, select the Log at Session End check box.
If there are concerns that someone might inadvertently add other interfaces to the wf-vm-zone, clone the
WildFire VM Interface security policy and then, in the Action tab for the cloned rule, select Deny. Make
sure this new security policy is listed below the WildFire VM interface policy. This overrides the implicit
intra-zone allow rule that permits communication between interfaces in the same zone and denies/blocks
all intra-zone communication.
Configure the Firewall to Control Traffic for the WF-500 VM Interface (Continued)
Step 4
For example:
admin@WF-500> ping source 10.16.0.20 host 10.16.0.1
Step 1
Confirm that the appliance can communicate with the Palo Alto
Networks Update Server and view available updates:
admin@wf-500> request wf-content upgrade check
Step 2
You can run show jobs pending to view pending jobs. The following output shows that the download
(job id 5) has finished downloading (Status FIN):
Enqueued             ID  Type    Status  Result  Completed
-----------------------------------------------------------
2014/04/22 03:42:20  5   Downld  FIN     OK      03:42:23
3. Run the show jobs all command again to monitor the status of the install.
Step 2
For example:
admin@WF-500> scp import wf-content from bart@10.10.10.5:c:/updates/panup-all-wfmeta-2-253.tgz
WildFire cloud: Uses port 443 for registration and file submissions.
WildFire appliance: Uses port 443 for registration and 10443 for file submissions.
Step 1
1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention
subscriptions installed.
Step 3
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and
enter a rule name.
4. Select the Applications that will match this profile. For example, selecting web-browsing as the
application will cause the profile to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to
forward all file types supported by WildFire.
5. Click the Advanced tab and, from the Interface Mgmt drop-down menu, select the profile that has the
response page option enabled.
6. Click OK to save.
Step 5
To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have
forwarding of decrypted content enabled.
3. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
Step 6
2. Click Add to create a new policy for the zones that you are applying WildFire forwarding to, or select
an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down.
If this security rule does not have any profiles attached to it, select Profiles from the Profile Type
drop-down to enable selection of a file blocking profile.
Step 8
1.
(Optional) Modify session options that
define what session information to record 2.
in WildFire analysis reports.
3.
40
Step 1
1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
Check that the firewall can communicate with a WildFire server for file forwarding:
admin@PA-200> test wildfire registration
1. Select Objects > Security Profiles > File Blocking and click the file blocking profile to modify it.
1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.
Step 6
Output of show wildfire status for a firewall forwarding to a WF-500 appliance. The connection fields follow the same layout as the WildFire cloud example of this command later in this document; the labels of the forwarding limits were lost in extraction and only their values and units survive:
Connection info:
  Wildfire cloud:            10.3.4.99
  Status:                    Idle
  Best server:               10.3.4.99:10443
  Device registered:         yes
  Valid wildfire license:    yes
  Service route IP address:  10.43.14.24
  Signature verification:    enable
  Server selection:          enable
  Through a proxy:           no
Forwarding info (values only): 10 MB, 10 MB, 1000 KB, 10000 KB, 10 MB, 5 MB, 90, 13, 0, 0
Step 7
Check WildFire statistics to confirm that counters are incrementing. The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers.
admin@PA-200> show wildfire statistics
Packet based counters:
  Total msg rcvd:                  4548
  Total bytes rcvd:             4337198
  Total msg read:                  4545
  Total bytes read:             4227894
  Total msg lost by read:             3
  Total DROP_NO_MATCH_FILE            3
Total files received from DP: 86
Counters for file cancellation:
  CANCEL_BY_DP                        1
  CANCEL_FILE_DUP                     3
Counters for file forwarding:
  file type: apk
  file type: pdf
  file type: email-link
  file type: ms-office
  file type: pe
    FWD_CNT_LOCAL_FILE                2
    FWD_CNT_REMOTE_FILE               2
  file type: flash
    FWD_CNT_LOCAL_FILE               80
    FWD_CNT_LOCAL_DUP                 3
    FWD_CNT_REMOTE_FILE              43
    FWD_CNT_REMOTE_DUP_CLEAN         22
    FWD_CNT_REMOTE_DUP_MAL           15
  file type: jar
  file type: unknown
  file type: pdns
Error counters:
  FWD_ERR_CONN_FAIL                  24
Reset counters:
  DP receiver reset cnt:              2
  File cache reset cnt:               2
  Service connection reset cnt:       1
  Log cache reset cnt:                2
  Report cache reset cnt:             2
Resource meters:
  data_buf_meter                     0%
  msg_buf_meter                      0%
  ctrl_msg_buf_meter                 0%
Step 9
Check the registration status and statistics for firewalls forwarding to a WF-500 appliance. See Verify the WF-500 Appliance Configuration.
Antivirus signatures: Detect and block malicious files. WildFire adds these signatures to WildFire and Antivirus content updates.
DNS signatures: Detect and block callback domains for command and control traffic associated with malware. WildFire adds these signatures to WildFire and Antivirus content updates.
URL Categorization: Categorizes callback domains as malware and updates the URL category in PAN-DB.
Firewalls must be running PAN-OS 6.1 or later to enable dynamic updates from a WF-500 appliance. In addition, you must configure the firewalls to receive content updates from the WF-500 appliance, which can occur as frequently as every five minutes. You can optionally send the malware sample file (or only the XML report) to the WildFire cloud to enable signature generation for distribution through Palo Alto Networks content releases.
When the local storage on the appliance is full, new signatures/URL categorizations will overwrite existing ones, beginning with the oldest ones first.
The following topics describe how to enable signature/URL generation on the WF-500 appliance and how to configure firewalls to retrieve content updates from the appliance:
Step 2
1. (Optional) Configure the WF-500 appliance to forward analysis reports or malicious samples to the Palo Alto Networks WildFire cloud. If Packet Captures (PCAPs) are enabled, the PCAP will also be forwarded with the sample file.
Configure the Firewall to Retrieve Updates from the WF-500 Appliance
Step 1
Launch the firewall web interface and go to the Dynamic Updates page: select Device > Dynamic Updates.
Step 2
1. Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.
The following workflow describes how to upgrade the WF-500 appliance and enable the Windows 7 64-bit environment:
WF-500 Appliance Upgrade
Step 3
Move the files to your SCP-enabled server and note the file name and directory path.
Download the base image file from the SCP-enabled server:
admin@WF-500> scp import wildfire-vm-image from username@host:path
For example:
admin@WF-500> scp import wildfire-vm-image from bart@10.43.15.41:c:/scp/WFWin7_64Base_m-1.0.0_64base
For example:
admin@WF-500> scp import wildfire-vm-image from bart@10.43.15.41:c:/scp/WFWin7_64Base_m-1.0.0_64addon1
Step 5
Install the 6.1 operating system image file. Install the WF-500 appliance operating system image that you downloaded previously:
admin@WF-500> request system software install version 6.1.0
Step 7
4. Commit the configuration:
admin@WF-500# commit
WildFire cloud: Uses port 443 for registration and file submissions.
WildFire appliance: Uses port 443 for registration and 10443 for file submissions.
Perform the following steps on each firewall that will forward files to WildFire:
Configure a File Blocking Profile and Add it to a Security Profile
Step 1
1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions.
Step 2
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
4. Select the Applications that will match this profile. For example, select web-browsing to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire, or select PE to only forward Portable Executable files.
Step 4
2. To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled.
3. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
Step 5
2. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down. If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.
Step 1
1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
Step 3
3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning file analysis results. For more information on WildFire-related logs, see WildFire Logs.
Step 5
1. Select Objects > Security Profiles > File Blocking and click the file blocking profile.
1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.
Step 6
When forwarding files to the WildFire cloud, the output should look similar to the following:
Connection info:
  Wildfire cloud:            public cloud
  Status:                    Idle
  Best server:               s1.wildfire.paloaltonetworks.com
  Device registered:         yes
  Valid wildfire license:    yes
  Service route IP address:  192.168.2.1
  Signature verification:    enable
  Server selection:          enable
  Through a proxy:           no
Forwarding info:
  file size limit for pe (MB):           10
  file size limit for jar (MB):          1
  file size limit for apk (MB):          2
  file size limit for pdf (KB):          500
  file size limit for ms-office (KB):    10000
  file idle time out (second):           90
  total file forwarded:                  1
  file forwarded in last minute:         0
  concurrent files:                      0
Step 7
Check WildFire statistics to confirm that counters are incrementing. The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers.
admin@PA-200> show wildfire statistics
Packet based counters:
  Total msg rcvd:                 12011
  Total bytes rcvd:            10975328
  Total msg read:                 11963
  Total bytes read:            10647634
  Total msg lost by read:            48
  Total DROP_NO_MATCH_FILE           48
(cancellation and per-file-type forwarding counters; their labels were lost in extraction, the values in order are 11, 7, 178, 11, 121, 56, 8, 3, 880)
Reset counters:
  DP receiver reset cnt:              2
  File cache reset cnt:               2
  Service connection reset cnt:       1
  Log cache reset cnt:                2
  Report cache reset cnt:             2
Resource meters:
  data_buf_meter                     0%
  msg_buf_meter                      0%
  ctrl_msg_buf_meter                 0%
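Step 7 in both verification procedures (forwarding to a WF-500 appliance and forwarding to the WildFire cloud) asks you to read show wildfire statistics by eye. The following Python script is an added example, not part of the Palo Alto Networks guide: it parses a copy of that output, sums the FWD_CNT_* counters across file types, and applies the rule the guide gives (all-zero forwarding counters mean nothing is being forwarded; FWD_ERR_CONN_FAIL points at the path to WildFire). The counter names and values in SAMPLE_STATISTICS are those shown above; the column spacing and the 90% buffer-meter threshold are our own choices.

```python
import re
from typing import Dict, List

# Constructed sample of `show wildfire statistics` output. The counter names
# and values are the ones shown on this page; the column spacing is ours.
SAMPLE_STATISTICS = """\
Packet based counters:
  Total msg rcvd:                  4548
  Total bytes rcvd:             4337198
  Total msg read:                  4545
  Total bytes read:             4227894
  Total msg lost by read:             3
  Total DROP_NO_MATCH_FILE            3
Total files received from DP: 86
Counters for file cancellation:
  CANCEL_BY_DP                        1
  CANCEL_FILE_DUP                     3
Counters for file forwarding:
  file type: apk
  file type: pe
    FWD_CNT_LOCAL_FILE                2
    FWD_CNT_REMOTE_FILE               2
  file type: flash
    FWD_CNT_LOCAL_FILE               80
    FWD_CNT_LOCAL_DUP                 3
    FWD_CNT_REMOTE_FILE              43
    FWD_CNT_REMOTE_DUP_CLEAN         22
    FWD_CNT_REMOTE_DUP_MAL           15
Error counters:
  FWD_ERR_CONN_FAIL                  24
Reset counters:
  DP receiver reset cnt:              2
  Service connection reset cnt:       1
Resource meters:
  data_buf_meter                     0%
  msg_buf_meter                      0%
"""

# Section headers as they appear in the CLI output, mapped to short keys.
SECTIONS = {
    "Packet based counters": "packet",
    "Counters for file cancellation": "cancellation",
    "Counters for file forwarding": "forwarding",
    "Error counters": "errors",
    "Reset counters": "reset",
    "Resource meters": "meters",
}
# "<name>[:]   <integer>[%]" -- the shape of every counter line.
COUNTER_RE = re.compile(r"^(.+?):?\s+(\d+)%?$")


def parse_wildfire_statistics(text: str) -> Dict[str, dict]:
    """Turn the CLI text into {section: {counter: value}}; forwarding counters
    are nested one level deeper under their file type."""
    stats: Dict[str, dict] = {name: {} for name in SECTIONS.values()}
    section, file_type = "packet", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.rstrip(":") in SECTIONS:
            section, file_type = SECTIONS[line.rstrip(":")], None
            continue
        if line.startswith("file type:"):
            file_type = line.split(":", 1)[1].strip()
            stats["forwarding"].setdefault(file_type, {})
            continue
        match = COUNTER_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), int(match.group(2))
        if section == "forwarding" and file_type is not None:
            stats["forwarding"][file_type][key] = value
        else:
            stats[section][key] = value
    return stats


def files_forwarded(stats: Dict[str, dict]) -> int:
    """Sum of every FWD_CNT_* counter across all file types."""
    return sum(value
               for per_type in stats["forwarding"].values()
               for name, value in per_type.items()
               if name.startswith("FWD_CNT_"))


def forwarding_findings(stats: Dict[str, dict]) -> List[str]:
    """Apply the guide's rule of thumb: all-zero forwarding counters mean the
    firewall is not forwarding; connection failures point at the path to
    WildFire; a nearly full buffer meter (our 90% threshold) needs a look."""
    findings = []
    if files_forwarded(stats) == 0:
        findings.append("no files forwarded: check connectivity to WildFire and "
                        "that the file blocking profile is attached to a security rule")
    conn_fail = stats["errors"].get("FWD_ERR_CONN_FAIL", 0)
    if conn_fail:
        findings.append(f"{conn_fail} forwarding connection failures recorded")
    for meter, pct in stats["meters"].items():
        if pct >= 90:
            findings.append(f"{meter} at {pct}%")
    return findings


if __name__ == "__main__":
    parsed = parse_wildfire_statistics(SAMPLE_STATISTICS)
    print("files forwarded:", files_forwarded(parsed))
    for finding in forwarding_findings(parsed) or ["forwarding looks healthy"]:
        print("-", finding)
```

Paste the real command output into SAMPLE_STATISTICS (or read it from a file) and run the script after each configuration change; a non-zero forwarded total with no connection failures is the state the guide describes as working.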
Step 8
Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving signatures generated by WildFire. See Best Practices for Keeping Signatures up to Date.
Step 2
3. Navigate to the file, highlight it, and then click Open. The file name will appear below the Add files icon.
4. Click the Start icon to the right of the file, or click the Start upload button if multiple files are waiting for upload. If the file(s) upload successfully, Success will appear next to each file.
2. The report page will show a list of all files that have been uploaded to your account. Find the file you uploaded and click the detail icon to the left of the date field.
The portal displays a full report of the file analysis detailing the observed file behavior. If WildFire identifies the file as malware, it generates a signature, which is then distributed to all Palo Alto Networks firewalls configured with a WildFire or Threat Prevention subscription.
WildFire Reporting
When malware is discovered on your network, it is important to take quick action to prevent propagation to
other systems on your network. To ensure immediate alerts for malware discovered on your network, configure
your firewalls to send email notifications, SNMP Traps, and/or syslogs whenever WildFire returns a malware
verdict on a sample. This allows you to quickly view the WildFire analysis report and identify the user who
downloaded the malware, determine if the user ran the infected file or accessed a malicious email link, and assess
whether the malware attempted to spread itself to other hosts. If you determine that the user has accessed the
malicious content, you can quickly disconnect the computer from the network to prevent the malware from
spreading and follow incident response and remediation processes as required.
The following topics describe the WildFire reporting and logging system and how to use this information to track down threats and to identify users who have been targeted by malware.
WildFire Logs
WildFire in Action
WildFire Logs
Each firewall that you configure to forward samples to WildFire will log the forward action in the data filtering logs. After WildFire analyzes the sample, if the verdict is malware, WildFire sends the results back to the WildFire Submission log on the firewall. You can also configure the firewall to log email header information for files delivered over email or HTTP/HTTPS links contained in SMTP and POP3 messages. For more information, see Enable Email Header Information in WildFire Logs.
The detailed analysis report for each file or email link that WildFire analyzes is located in the detailed view of the WildFire Submissions log. You can also view analysis reports on the WildFire Portal.
If you configure your firewalls to forward samples to a WF-500 appliance, you can only view analysis results on the firewall that forwarded the file to the appliance or by using the WildFire XML API to retrieve the report from the appliance.
Forwarding Action Logs: The data filtering logs located in Monitor > Logs > Data Filtering will show the files that were blocked/forwarded based on the file blocking profile. To determine which files were forwarded to WildFire, look for the following values in the Action column of the log:
  Action: wildfire-upload-success
  Action: wildfire-upload-skip
  Action: wildfire-upload-fail
WildFire Logs: The analysis results for the samples scanned by WildFire are sent back to the firewall logs after the analysis completes. These logs are written to the firewall that forwarded the sample in Monitor > Logs > WildFire Submissions. If logs are forwarded from the firewall to Panorama, the logs are written to the Panorama server in Monitor > Logs > WildFire Submissions. The Category column for the WildFire logs will show either benign (benign email links are not logged), meaning that the file is safe, or malicious, indicating that WildFire determined that the sample contains malicious code. If the sample is determined to be malicious, a signature is generated by the WildFire signature generator. If your firewall is configured to forward files to a WF-500 appliance, you can configure the appliance to forward samples to the WildFire cloud for signature generation or you can Enable Signature/URL Generation on the WF-500 Appliance.
By default, firewalls with a WildFire subscription will only retrieve analysis results from the WildFire cloud or WF-500 appliance if the sample is identified as malware. To generate logs for benign files, select Device > Setup > WildFire, edit General Settings, and then select the Report Benign Files check box. You can also run the following CLI command:
admin@PA-200# set deviceconfig setting wildfire report-benign-file
To view the detailed report for a sample that has been analyzed by WildFire, locate the log entry in Monitor > WildFire Submissions, click the icon to the left of the log entry to show log details, and then click the WildFire Analysis Report tab. A login prompt will appear to access the report, and after entering the correct credentials the report is retrieved from the WildFire system and displayed in your browser. For information on portal accounts to access the WildFire cloud, see Add WildFire Portal User Accounts. For information on the admin account that is used to retrieve reports from a WildFire appliance, see Integrate the WF-500 Appliance into a Network and refer to the step that describes the portal-admin account.
Step 2
3. Click OK to save.
Step 3
1. Select Monitor > Logs > Data Filtering from the firewall and locate a log with the Action wildfire-upload-success. The date/time should be after the date/time at which you enabled this option.
2. View the log and analysis report by selecting Monitor > Logs > WildFire Submissions and locate the corresponding log for the link or file attachment.
3. Click the log details icon in the first column. In the Log Info tab, you will see the new email information in the Email Headers section.
For information on configuring additional WildFire accounts that can be used to review report information, see Add WildFire Portal User Accounts.
Step 1
2. Click the Settings link located at the upper right of the portal window.
3. Select the time zone from the drop-down and then click Update Time Zone to save the change.
Step 3
1. Configure email notifications that the portal will generate based on the results of files submitted to WildFire. The email notifications are sent to the email account registered in the support account.
2. The first row item will show Manual. Select Malware and/or Benign to receive a notification for files that are manually uploaded to the WildFire cloud, or that are submitted using the WildFire API, and click Update Notification to save.
Select the check boxes directly below the column headings Malware and Benign to select all of the check boxes for the listed devices.
Step 2
2. Enter the email address for the user you would like to add. The user can be an existing support site user that belongs to any account (including the sub-account, parent account, Palo Alto Networks, or any other account in the system), as well as any email address that does not have a support account at all. The only restriction is that the email address cannot be from a free web-based email account (Gmail, Hotmail, Yahoo, and so on). If an email address is entered for a domain that is not supported, a pop-up warning appears.
Step 3
1. Select the firewall(s) by S/N that you want to grant access to and fill out the optional account details. An email will then be sent to the user. Users with an existing support account will receive an email with a list of the firewalls that are now available for WildFire report viewing. If the user does not have a support account, the portal sends an email with instructions on how to access the portal and how to set a new password.
2. The new user can now log in to the WildFire Portal and view WildFire reports for the firewalls to which they have been granted access. Users can also configure automatic email alerts for these devices in order to receive alerts on files analyzed. They can choose to receive reports on malicious and/or benign files.
Report Heading / Description
Download PDF: Click the Download PDF icon (located in the upper right) to have the firewall generate a PDF version of the WildFire report.
File Information:
  File Type: Flash, PE, PDF, APK, JAR/Class, or MS Office. This field is named URL for HTTP/HTTPS email link reports and will display the URL that was analyzed.
  File Signer: The entity that signed the file for authenticity purposes.
  Hash Value: A file hash is much like a fingerprint that uniquely identifies a file to ensure that the file has not been modified in any way. The following lists the hash versions that WildFire generates for each file analyzed:
    SHA-1: Displays the SHA-1 value for the file.
    SHA-256: Displays the SHA-256 value for the file.
    MD5: Displays the MD5 information for the file.
  File Size: The size (in bytes) of the file that WildFire analyzed.
  First Seen Timestamp: If the WildFire system has analyzed the file previously, this is the date/time that it was first observed.
  Verdict: Displays the analysis verdict:
    Benign: The file is safe and does not exhibit malicious behavior.
    Malware: WildFire identified the file as malware and generates a signature to protect against future exposure.
  Sample File: Click the Download File link to download the sample file to your local system. Note that you can only download files with the malware verdict, not benign.
Coverage Status: Click the Virus Total link to view endpoint antivirus coverage information for samples that have already been identified by other vendors. If the file has never been seen by any of the listed vendors, file not found appears.
In addition, when the report is rendered on the firewall, up-to-date information about the signature and URL filtering coverage that Palo Alto Networks currently provides to protect against the threat will also be displayed in this section. Because this information is retrieved dynamically, it will not appear in the PDF report.
The following screen capture shows coverage status that appears after rendering the report on the firewall:
Session Information: Contains session information based on the traffic as it traversed the firewall that forwarded the sample. To define the session information that WildFire will include in the reports, select Device > Setup > WildFire > Session Information Settings. The following options are available:
  Source IP
  Source Port
  Destination IP
  Destination Port
  Virtual System (if multi-vsys is configured on the firewall)
  Application
  User (if User-ID is configured on the firewall)
  URL
  Filename
  Email sender
  Email recipient
  Email subject
Dynamic Analysis: If a file is low risk and WildFire can easily determine that it is safe, only a static analysis is performed, instead of a dynamic analysis.
When a dynamic analysis is performed, this section contains tabs for each virtual environment that the sample was run in when it was analyzed in the WildFire cloud. For example, the Virtual Machine 1 tab may have Windows XP, Adobe Reader 9.3.3, and Office 2003 and Virtual Machine 2 may have similar attributes, but with Office 2007. When a file goes through a full dynamic analysis, it is run in each virtual machine and the results of each environment can be viewed by clicking any of the Virtual Machine tabs.
On the WF-500 appliance, only one virtual machine is used for the analysis, which you select based on the virtual environment attributes that best match your local environment. For example, if most users have Windows 7 32-bit, that virtual machine would be selected.
Behavior Summary: Each Virtual Machine tab summarizes the behavior of the sample file in the specific environment. Examples include whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects.
The Severity column indicates the severity of each behavior. The severity gauge will show one bar for low severity and additional bars for higher severity levels. This information is also added to the dynamic and static analysis sections.
Submit Malware: Use this option to manually submit the sample to Palo Alto Networks. The WildFire cloud will then re-analyze the sample and generate a signature if it determines that the sample is malicious. This is useful on a WF-500 appliance that does not have signature generation or cloud intelligence (the feature that forwards malware from the appliance to the WildFire cloud) enabled.
Click this link to submit the sample to the Palo Alto Networks threat team if you feel the verdict is a false positive or false negative. The threat team will perform further analysis on the sample to determine if it should be reclassified. If a malware sample is determined to be safe, the signature for the file is disabled in an upcoming antivirus signature update; if a benign file is determined to be malicious, a new signature is generated. After the investigation is complete, you will receive an email describing the action that was taken.
Step 1
4. Click Add to add a new email server entry and enter the information required to connect to the Simple Mail Transport Protocol (SMTP) server and send email (up to four email servers can be added to the profile):
  Server: Name to identify the mail server (1-31 characters). This field is just a label and does not have to be the host name of an existing SMTP server.
  Display Name: The name to show in the From field of the email.
  From: The email address from which notification emails are sent.
  To: The email address to which notification emails are sent.
  Additional Recipient(s): Enter an email address to send notifications to a second recipient.
  Gateway: The IP address or host name of the SMTP gateway to use to send the emails.
Step 2
2. Click Add and select the new email profile from the Email Profile drop-down.
3. Click the Send test email button and a test email should be sent to the recipients defined in the email profile.
Step 3
Configure a log forwarding profile to forward WildFire logs to Panorama, an email account, SNMP, and/or a syslog server. In this example you will forward WildFire logs to an email account when the WildFire verdict is Malicious. You can also enable Benign, which will produce more activity if you are testing.
Step 4
1. Select Policies > Security and click on the policy that is used for WildFire forwarding.
WildFire in Action
The following example scenario summarizes the full WildFire lifecycle. In this example, a sales representative
from Palo Alto Networks downloads a new software sales tool that a sales partner uploaded to Dropbox. The
sales partner unknowingly uploaded an infected version of the sales tool install file and the sales rep then
downloads the infected file.
This example will demonstrate how a Palo Alto Networks firewall in conjunction with WildFire can discover zero-day malware downloaded by an end user, even if the traffic is SSL encrypted. After WildFire identifies the malware, a log is sent to the firewall and the firewall alerts the administrator, who then contacts the user to eradicate the malware. WildFire then generates a new signature for the malware, and firewalls with a Threat Prevention or WildFire subscription automatically download the signature to protect against future exposure. Although some file sharing web sites have an antivirus feature that checks files as they are uploaded, they can only protect against known malware.
For more information on configuring WildFire, see Forward Samples to the WildFire Cloud or Forward Files to a WF-500 Appliance.
This example uses a web site that uses SSL encryption, so the firewall must have decryption and Allow forwarding of decrypted content enabled. For information on enabling forwarding of decrypted content, see Forward Samples to the WildFire Cloud or Forward Files to a WF-500 Appliance.
Step 1
The sales person from the partner company uploads a sales tool file named sales-tool.exe to his Dropbox
account and then sends an email to the Palo Alto Networks sales person with a link to the file.
Step 2
The Palo Alto sales person receives the email from the sales partner and clicks the download link, which takes
her to the Dropbox site. She then clicks Download to save the file to her desktop.
Step 3
The firewall that is protecting the Palo Alto sales rep has a file blocking profile attached to a security policy that will look for files in any application that is used to download or upload any of the supported file types (Flash, PE, PDF, APK, JAR/Class, or MS Office). Note that the firewall can also be configured to forward the email-link file type, which enables the firewall to extract HTTP/HTTPS links contained in SMTP and POP3 email messages. As soon as the sales rep clicks download, the firewall policy forwards the sales-tool.exe file to WildFire, where the file is analyzed for zero-day malware. Even though the sales rep is using Dropbox, which is SSL encrypted, the firewall is configured to decrypt traffic, so all traffic can be inspected. The following screen shots show the File Blocking Profile, the Security Policy configured with the File Blocking profile, and the option to allow forwarding of decrypted content.
Step 4
At this point, WildFire has received the file and is analyzing it for more than 200 different malicious behaviors.
To see that the file was forwarded successfully, view Monitor > Logs > Data Filtering on the firewall.
Step 5
Within approximately five minutes, WildFire has completed the file analysis and then sends a WildFire log back
to the firewall with the analysis results. In this example, the WildFire log shows that the file is malicious.
Step 6
The firewall is configured with a log forwarding profile that will send WildFire alerts to the security administrator
when malware is discovered.
Step 7
The security administrator identifies the user by name (if User-ID is configured), or by IP address if User-ID is
not enabled. At this point, the administrator can shut down the network or VPN connection that the sales
representative is using and will then contact the desktop support group to work with the user to check and clean
the system.
By using the WildFire detailed analysis report, the desktop support person can determine if the user system is infected with malware by looking at the files, processes, and registry information detailed in the WildFire analysis report. If the user ran the malware, the support person can attempt to clean the system manually or re-image it.
For details on the WildFire report fields, see WildFire Report Contents.
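The WildFire Logs section lists the three Data Filtering action values and the malicious/benign category of the WildFire Submissions log, and Step 7 above has the administrator pin a malicious verdict to a user (by User-ID) or an IP address. The following Python script is an added example, not part of the Palo Alto Networks guide, that does that correlation over exported logs: it counts upload actions, joins each malicious verdict to the successful upload for the same source and file name, and lists the hosts to isolate. The two CSV samples are constructed; their column names are ours (taken from the session fields the report section lists) and are not the firewall's real export layout.

```python
import csv
import io
from collections import Counter
from typing import Dict, List

# Action values the guide lists for the Data Filtering log.
UPLOAD_ACTIONS = ("wildfire-upload-success", "wildfire-upload-skip", "wildfire-upload-fail")

# Constructed, simplified CSV exports. Column names are ours, chosen from the
# session fields the report section lists; they are not the firewall's real
# export layout.
DATA_FILTERING_CSV = """\
receive_time,src_ip,src_user,app,file_name,action
2014/04/22 09:01:12,10.1.1.25,jsmith,dropbox,sales-tool.exe,wildfire-upload-success
2014/04/22 09:03:40,10.1.1.30,kwong,web-browsing,invoice.pdf,wildfire-upload-skip
2014/04/22 09:05:02,10.1.1.25,jsmith,web-browsing,report.docx,wildfire-upload-fail
2014/04/22 09:07:55,10.1.1.41,,ssl,setup.exe,wildfire-upload-success
"""

WILDFIRE_SUBMISSIONS_CSV = """\
receive_time,src_ip,src_user,file_name,sha256,category
2014/04/22 09:06:30,10.1.1.25,jsmith,sales-tool.exe,<sha256 placeholder 1>,malicious
2014/04/22 09:12:10,10.1.1.41,,setup.exe,<sha256 placeholder 2>,benign
"""


def read_rows(csv_text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def upload_action_counts(data_filtering: List[Dict[str, str]]) -> Dict[str, int]:
    """How many forwards succeeded, were skipped, or failed."""
    counts = Counter(row["action"] for row in data_filtering)
    return {action: counts.get(action, 0) for action in UPLOAD_ACTIONS}


def malware_exposures(submissions: List[Dict[str, str]],
                      data_filtering: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """For every malicious verdict, pull the matching successful upload so the
    analyst sees who downloaded what, over which application, and when."""
    uploads = {(row["src_ip"], row["file_name"]): row
               for row in data_filtering
               if row["action"] == "wildfire-upload-success"}
    exposures = []
    for verdict in submissions:
        if verdict["category"] != "malicious":
            continue
        upload = uploads.get((verdict["src_ip"], verdict["file_name"]))
        exposures.append({
            "src_ip": verdict["src_ip"],
            # User-ID supplies a name; without it the guide says fall back to the IP.
            "user": verdict["src_user"] or f"unknown (no User-ID); use {verdict['src_ip']}",
            "file_name": verdict["file_name"],
            "sha256": verdict["sha256"],
            "app": upload["app"] if upload else "",
            "downloaded_at": upload["receive_time"] if upload else "no matching upload log",
        })
    return exposures


def hosts_to_isolate(exposures: List[Dict[str, str]]) -> List[str]:
    """Distinct source addresses behind malicious verdicts, for containment."""
    return sorted({exposure["src_ip"] for exposure in exposures})


if __name__ == "__main__":
    df_rows = read_rows(DATA_FILTERING_CSV)
    wf_rows = read_rows(WILDFIRE_SUBMISSIONS_CSV)
    print(upload_action_counts(df_rows))
    found = malware_exposures(wf_rows, df_rows)
    for exposure in found:
        print(exposure)
    print("isolate:", hosts_to_isolate(found))
```

The join key (source IP plus file name) is deliberately loose: the WildFire Submissions entry arrives minutes after the Data Filtering entry, so a time-based join would need a window, while the source and file name are present in both logs as soon as the verdict lands.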
Step 8
Now that the administrator has identified the malware and the user system is being checked, how do you protect
from future exposure? Answer: In this example, the administrator set a schedule on the firewall to download
and install WildFire signatures every 15 minutes and to download and install Antivirus updates once per day. In
less than an hour and a half after the sales rep downloaded the infected file, WildFire identified the zero-day
malware, generated a signature, added it to the WildFire update signature database provided by Palo Alto
Networks, and the firewall downloaded and installed the new signature. This firewall and any other Palo Alto
Networks firewall configured to download WildFire and antivirus signatures is now protected against this newly
discovered malware. The following screenshot shows the WildFire update schedule:
All of this occurs well before most antivirus vendors are even aware of the zero-day malware. In this example,
within a very short period of time, the malware is no longer considered zero-day because Palo Alto Networks
has already discovered it and has provided protection to customers to prevent future exposure.
WildFire API
The WildFire API enables you to programmatically send file analysis jobs to WildFire and query for report data through a simple XML API interface, and is supported on the WildFire cloud and the WF-500 appliance. All API functions supported on the WildFire cloud are also supported on the WF-500 appliance, but in the case of the appliance, you generate the API access keys used to access WildFire on the appliance instead of on the Palo Alto Networks support site. The URLs used to access the WildFire cloud and the WildFire appliance are also different. The examples in this section are based on the WildFire cloud. For an example of using the API on a WF-500 appliance, see Use the WildFire API on a WF-500 Appliance.
Submit a File to the WildFire Cloud Using the Submit File Method
The WildFire API can be used to submit all Supported File Types. The file along with your API key is required when submitting to WildFire for analysis. The return code of the submit-file method indicates a success or error condition. If a 200 OK code is returned, the submission is successful and a result is normally available for query within five minutes.
The following table describes the API attributes needed to submit files to the WildFire cloud using the submit file method:
URL: https://wildfire.paloaltonetworks.com/publicapi/submit/file
Method: POST
Parameters: apikey, file
Return: 200 OK; 401 Unauthorized; 500 Internal error; 513
URL
https://wildfire.paloaltonetworks.com/publicapi/submit/url
Method
POST
Parameters
apikey
url
200 OK
401 Unauthorized
422
500
Internal error
Return
The following shell code example demonstrates a simple script to submit a file to the WildFire API for analysis.
The API key is provided as the first parameter and the path to the file is the second parameter:
#!/bin/sh
# Manually upload a sample to WildFire with an API key.
# Parameter 1: APIKEY
# Parameter 2: location of the file
key="$1"
file="$2"
/usr/bin/curl -i -F "apikey=$key" -F "file=@$file" \
    https://wildfire.paloaltonetworks.com/publicapi/submit/file
Do not add the cURL -k (insecure) option when talking to the WildFire cloud: it disables TLS certificate
verification, and the request carries both your API key and the sample. Note also that a key passed on the
command line is visible in the process list and in shell history on the submitting host.
The following cURL command demonstrates how to submit a URL to WildFire using the submit URL method (quote
the URL so that characters such as & and ? are not interpreted by the shell):
curl -F "apikey=yourAPIkey" -F "url=URL" \
    https://wildfire.paloaltonetworks.com/publicapi/submit/url
The following table describes the API attributes needed to query for an analysis report:
URL         https://wildfire.paloaltonetworks.com/publicapi/get/report
Method      POST
Parameters  hash
            apikey
            format
Return      200 OK
            401 Unauthorized
            419
            420 Insufficient arguments
            421 Invalid arguments
            500 Internal error
The following table describes the API attributes needed to retrieve a sample:
URL         https://wildfire.paloaltonetworks.com/publicapi/get/sample
Method      POST
Parameters  hash
            apikey
Return      200 OK
            401 Unauthorized
            403 Forbidden (Permission Denied)
            419
            420 Insufficient arguments
            421 Invalid arguments
            500 Internal error
The following table describes the API attributes needed to query for pcaps:
URL         https://wildfire.paloaltonetworks.com/publicapi/get/pcap
Method      POST
Parameters  hash
            apikey
            platform*
Return      200 OK
            401 Unauthorized
            403 Forbidden (Permission Denied)
            419
            420 Insufficient arguments
            421 Invalid arguments
            500 Internal error
* Optional parameter
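The tables above give the endpoints, the POST parameters and the return codes, but not how a submitter ties them together: the file is POSTed once, the SHA-256 of the same bytes is then used as the hash parameter for get/report, get/sample and get/pcap, and a report that is not ready yet must be polled without retrying on errors that will never clear (a bad key or bad arguments). The following Python client is an added example, not Palo Alto Networks code. Endpoint paths, parameter names and the 401/403/420/421 codes come from this section; the format value "xml", the retry policy and the fake transport used in the usage note are assumptions. The HTTP transport is injected so the submit-and-poll logic can be exercised offline.

```python
"""Client for the WildFire public API (added example, not Palo Alto Networks code).

Endpoint paths, parameter names and status codes come from the API tables in
this section. The HTTP transport is injected so that the submit/poll logic can
be exercised offline. Assumptions: format="xml" for get/report, and that any
status other than 401/403/420/421 may clear on a later poll.
"""
import hashlib
import io
import time
import urllib.error
import urllib.request
import uuid

CLOUD = "https://wildfire.paloaltonetworks.com/publicapi"

# Codes that will not change on retry: the key or the request itself is wrong.
FATAL_STATUS = {401, 403, 420, 421}


def encode_multipart(fields, file=None):
    """Build a multipart/form-data body; file is an optional (filename, bytes) pair."""
    boundary = uuid.uuid4().hex
    out = io.BytesIO()
    for name, value in fields.items():
        out.write(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                  f"\r\n\r\n{value}\r\n".encode())
    if file is not None:
        filename, data = file
        out.write(f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                  f'filename="{filename}"\r\nContent-Type: application/octet-stream'
                  "\r\n\r\n".encode())
        out.write(data)
        out.write(b"\r\n")
    out.write(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", out.getvalue()


def urllib_transport(url, fields, file=None):
    """POST the form and return (status, body). TLS is verified: no equivalent of curl -k."""
    content_type, body = encode_multipart(fields, file)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class WildFireError(RuntimeError):
    def __init__(self, status, body):
        super().__init__(f"WildFire API returned HTTP {status}: {body[:120]!r}")
        self.status = status


class WildFireClient:
    def __init__(self, api_key, transport=urllib_transport, base_url=CLOUD):
        self.api_key = api_key
        self.transport = transport
        self.base_url = base_url.rstrip("/")

    def _post(self, path, fields, file=None):
        # The key travels in the POST body, never in the URL, so it does not land in proxy logs.
        fields = {"apikey": self.api_key, **fields}
        status, body = self.transport(self.base_url + path, fields, file)
        if status != 200:
            raise WildFireError(status, body)
        return body

    def submit_file(self, filename, data):
        """POST /submit/file; returns the SHA-256 used later to fetch report, sample or pcap."""
        self._post("/submit/file", {}, (filename, data))
        return hashlib.sha256(data).hexdigest()

    def submit_url(self, url):
        return self._post("/submit/url", {"url": url})

    def get_report(self, sha256, fmt="xml"):          # fmt="xml" is an assumption
        return self._post("/get/report", {"hash": sha256, "format": fmt})

    def get_sample(self, sha256):
        return self._post("/get/sample", {"hash": sha256})

    def get_pcap(self, sha256, platform=None):
        fields = {"hash": sha256}
        if platform is not None:                      # platform is optional per the table
            fields["platform"] = platform
        return self._post("/get/pcap", fields)

    def wait_for_report(self, sha256, timeout=300, interval=15,
                        sleep=time.sleep, clock=time.monotonic):
        """Poll /get/report until it returns 200. A fatal status (bad key, bad
        arguments) is raised at once; anything else is retried until the timeout."""
        deadline = clock() + timeout
        while True:
            try:
                return self.get_report(sha256)
            except WildFireError as err:
                if err.status in FATAL_STATUS or clock() >= deadline:
                    raise
            sleep(interval)
```

For the WF-500 appliance, pass base_url="https://<appliance-IP>/publicapi" and a key generated on the appliance; because urllib verifies the server certificate, install the appliance certificate in the host's trust store rather than switching verification off.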
Generate API Keys on the WildFire Appliance
Step 1  Generate an API key on the appliance:
        admin@WF-500> create wildfire api-key name <name> [key <key-value>]
        If you omit the key option, the appliance generates the key for you; use the key option only when you
        want to enter a key value of your own. For example:
        admin@WF-500> create wildfire api-key name my-api-key
Step 2  View the keys on the appliance, including the key you just created:
        admin@WF-500> show wildfire api-keys all
        This command also shows the date the key was generated and the last time the key was used.
        In this example, the appliance generated the following key with the name my-api-key:
        0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1
Use the following commands to disable API keys temporarily, enable keys, or delete keys that are no longer used.
Disable or enable an API key:
admin@WF-500> edit wildfire api-key status [disable | enable] key <api-key>
For example, to disable the API key used in this example:
admin@WF-500> edit wildfire api-key status disable key 0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1
In the above command, you can type the first few unique digits of the key and then press Tab to fill in the
remaining digits.
Delete an API key:
admin@WF-500> delete wildfire api-key key <api-key>
For example:
admin@WF-500> delete wildfire api-key key 0377785F3F1A3D2DC6BCF2342730700747FBF4A23BD69F455F142494BC43D4A1
Use the following commands to export API keys from the appliance, or import them, using Secure Copy (SCP).
Save all API keys to a file to prepare the keys for export:
admin@WF-500> save wildfire api-key to <filename>
For example:
admin@WF-500> save wildfire api-key to my-api-keys
Export the saved key file to another host with SCP. For example:
admin@WF-500> scp export wildfire-api-keys to bart@10.10.10.5:c:/scp/
Load a key file into the key database on the appliance:
admin@WF-500> load wildfire api-key mode [merge | replace] from <filename>
If you leave out the mode option, the default behavior merges the new keys with the keys already on the
appliance. To replace all API keys on the appliance, use the replace option. For example, to replace all API
keys, enter the command:
admin@WF-500> load wildfire api-key mode replace from my-api-keys
The exported file contains every API key on the appliance; protect it like any other credential store and
remove it from the SCP host once the import is done.
Use the WildFire API on a WF-500 Appliance
Step 1  Generate a WildFire API key for the host computer that will perform API functions on the WildFire
appliance. For details, see Generate API Keys on the WildFire Appliance.
1. Access the CLI on the WildFire appliance and generate an API key:
   admin@WF-500> create wildfire api-key name my-api-key
2. List the keys on the appliance to see the key that was generated:
   admin@WF-500> show wildfire api-keys all
3. Make sure the key status is Enabled and then highlight and copy the key (in this example the key is
   named my-api-key).
Step 2  Using the new API key that you generated, submit a sample file to the WildFire appliance.
1. Place a sample file in a folder that can be accessed from the host computer that has the cURL command line
   tool installed and note the path of the sample file.
2. Submit the file using cURL:
   curl -k -F apikey=<your-API-key> -F file=@<local-file-path> --remote-name https://<WF-appliance-IP>/publicapi/submit/file
   The -k option tells cURL not to verify the appliance certificate; use it only on a network path between
   the host and the appliance that you trust, or replace it with --cacert and the appliance certificate.
   --remote-name saves the XML response to a local file named after the last part of the URL (file); drop it
   to see the response on the terminal instead.
   The syntax will vary based on the host that you are using. The following examples show the syntax using a
   Linux host and a Windows host.
   From a Linux host:
   curl -k -F apikey=87C142CB01CA5BEBE06E226A25C0A473B34050B617073E21E8F1A6BCB8C5C387 -F file=@test-wf-api.docx --remote-name https://10.3.4.99/publicapi/submit/file
   From a Windows host (the only difference is the file path following the @ symbol):
   curl -k -F apikey=87C142CB01CA5BEBE06E226A25C0A473B34050B617073E21E8F1A6BCB8C5C387 -F file=@c://scp/test-wf-api.docx --remote-name https://10.3.4.99/publicapi/submit/file
3. Verify that the API successfully submitted the file to the WildFire appliance. To view a list of recent
   samples submitted to the appliance:
   admin@WF-500> show wildfire latest samples
   The sample file test-wf-api.docx appears in this list when the submission succeeded.
If the sample file does not appear on the appliance, verify connectivity between the host computer and the appliance and
confirm that the folder/file path is correct. You can also run show wildfire status (status should show Idle) and
show wildfire statistics to verify that the appliance is ready to analyze files. For more information on
troubleshooting, refer to the Palo Alto Networks WildFire Administrator's Guide.
The WildFire appliance software CLI has two modes:
Operational mode: View the state of the system, navigate the WildFire appliance software CLI, and enter
configuration mode.
Example:
admin@WF-500>
Configuration mode: View and modify the candidate configuration. In Configuration mode, the current hierarchy
context is shown by the [edit...] banner presented in square brackets when a command is issued.
Example:
admin@WF-500#
The CLI checks the syntax of each command. If the syntax is correct, it executes the command and the
candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as
in the following example:
username@hostname# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
Unrecognized command
Invalid syntax.
[edit]
username@hostname#
The help output for a command uses the following symbols:
Symbol   Description
>        There are additional command options for this command at this level.
+        A command option at this level that takes a value; several + options can be given for one command.
For example:
[edit]
username@hostname# set rulebase security rules rule1 profiles
+ virus           Help string for virus
+ spyware         Help string for spyware
+ vulnerability   Help string for vulnerability
+ group           Help string for group
<Enter>           Finish input
Privilege Levels
Privilege levels determine which commands the user is permitted to execute and the information the user is
permitted to view.
Level         Description
superreader   Read-only access: the user can view the configuration and run show commands, but cannot change
              the configuration.
superuser     Full access to the appliance, including configuration changes and commits.
Configuration Mode
Entering commands in configuration mode modifies the candidate configuration. The modified candidate
configuration is stored in the appliance memory and maintained while the appliance is running.
Each configuration command involves an action, and may also include keywords, options, and values.
This section describes Configuration mode and the configuration hierarchy.
The candidate configuration is managed with the following commands:
save: Saves the candidate configuration in the non-volatile storage on the appliance. The saved
configuration is retained until overwritten by subsequent save commands. Note that this command does not
make the configuration active.
commit: Applies the candidate configuration to the appliance. A committed configuration becomes the
active configuration for the device.
load: Assigns the last saved configuration or a specified configuration to be the candidate configuration.
If you exit configuration mode without issuing the save or commit command, the configuration changes are
lost if the appliance loses power.
Maintaining a candidate configuration and separating the save and commit steps confers important advantages
when compared with traditional CLI architectures:
Distinguishing between the save and commit concepts allows several related changes to be prepared together
and applied in a single commit, so the appliance never runs with a half-applied configuration.
Commands can easily be adapted for similar functions. For example, when configuring two Ethernet
interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the
command, modify only the interface and IP address, and then apply the change to the second interface.
Because there is a single candidate configuration, all authorized changes to it are consistent with each other.
Configuration Hierarchy
The configuration for the appliance is organized in a hierarchical structure. To display a segment of the current
hierarchy level, use the show command. Entering show displays the complete hierarchy, while entering show
with keywords displays a segment of the hierarchy. For example, when running the command show from the
top level of configuration mode, the entire configuration is displayed. When running the command edit
mgt-config and you enter show, or by running show mgt-config, only the mgt-config part of the
hierarchy displays.
Hierarchy Paths
When entering commands, the path is traced through the hierarchy from the top level down to the element
being set. For example, the following command assigns the primary DNS server 10.0.0.246 for the appliance:
[edit]
username@hostname# set deviceconfig system dns-setting servers primary 10.0.0.246
This command generates a new element in the hierarchy and in the output of the following show command:
[edit]
username@hostname# show deviceconfig system dns-setting
dns-setting {
  servers {
    primary 10.0.0.246;
  }
}
[edit]
username@hostname#
The banner [edit] indicates that the relative context is the top level of the hierarchy, whereas
[edit deviceconfig] indicates that the context is the deviceconfig node. Use the following commands to move
through the hierarchy:
Command   Description
edit      Move the context to the specified node of the hierarchy (for example, edit deviceconfig).
up        Move the context up one level.
top       Move the context to the top level of the hierarchy.
Operational Mode
At the initial login to the device, the WildFire appliance software CLI opens in Operational mode. Operational
mode commands involve actions that are executed immediately. They do not involve changes to the
configuration, and do not need to be saved or committed.
Operational mode commands are of several types:
Monitoring and troubleshooting: Perform diagnosis and analysis. Includes debug and ping commands.
Display commands: Display or clear current information. Includes clear and show commands.
WildFire appliance software CLI navigation commands: Enter Configure mode or exit the WildFire
appliance software CLI. Includes configure, exit, and quit commands.
System commands: Make system-level requests or restart. Includes set and request commands.
Access the CLI through the console port or over SSH. Console port settings:
Data bits: 8
Parity: none
Stop bits: 1
1. Use terminal emulation software to establish a console or SSH connection with the WF-500 appliance.
2. Log in with an administrative account; the CLI opens in Operational mode.
3. To enter Configuration mode, use the configure command:
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#
To leave Configuration mode and return to Operational mode, use the quit or exit command:
username@hostname# quit
Exiting configuration mode
username@hostname>
To enter an Operational mode command while in Configuration mode, use the run command. For example,
to show system resources from configure mode, use run show system resources.
To display the commands available at the current level, enter ?:
username@hostname> ?
  clear       Clear runtime parameters
  configure   Manipulate software configuration information
  debug       Debug and diagnose
  exit        Exit this session
  grep        Searches file for lines containing a pattern match
  less        Examine debug file content
  ping        Ping hosts and networks
  quit        Exit this session
  request     Make system-level requests
  scp         Use ssh to copy file to another host
  set         Set operational parameters
  show        Show operational parameters
  ssh         Start a secure shell to another host
  tail        Print the last 10 lines of debug file content
username@hostname>
To display the available options for a specified command, enter the command followed by ?.
Example:
username@hostname> ping ?
+ bypass-routing    Bypass routing table, use specified interface
+ count             Number of requests to send (1..2000000000 packets)
+ do-not-fragment   Don't fragment echo request packets (IPv4)
+ inet              Force to IPv4 destination
+ interface         Source interface (multicast, all-ones, unrouted packets)
+ interval          Delay between requests (seconds)
+ no-resolve        Don't attempt to print addresses symbolically
+ pattern           Hexadecimal fill pattern
+ record-route      Record and report packet's path (IPv4)
+ size              Size of request packets (0..65468 bytes)
+ source            Source address of echo request
+ tos               IP type-of-service value (0..255)
+ ttl               IP time-to-live value (IPv6 hop-limit value) (0..255 hops)
+ verbose           Display detailed output
+ wait              Delay after sending last packet (seconds)
<host>              Hostname or IP address of remote host
Hierarchy Location
set deviceconfig setting
Syntax
wildfire {
  active-vm <value>;
  cloud-server <value>;
  vm-network-enable {no | yes};
  vm-network-use-tor {enable | disable};
  cloud-intelligence {
    submit-report {no | yes};
    submit-sample {no | yes};
  }
  signature-generation {
    av {no | yes};
    dns {no | yes};
    url {no | yes};
  }
}
Options
+ active-vm Select the virtual machine environment that WildFire will use for sample
analysis. Each VM has a different configuration, such as Windows XP with specific versions
of Flash, Adobe Reader, and so on. To view which VM is selected, run the following command:
admin@WF-500> show wildfire status and view the Selected VM field. To view the VM
environment information, run the following command: admin@WF-500> show wildfire
vm-images.
+ cloud-server Hostname of the cloud server that the appliance forwards malicious
samples/reports to for re-analysis. The default cloud server is
wildfire-public-cloud. To configure forwarding, use the following command: set
deviceconfig setting wildfire cloud-intelligence.
+ vm-network-enable Enable or disable the vm-network. When enabled, sample files
running in the virtual machine sandbox can access the Internet. This helps WildFire
better analyze the behavior of the malware, for example to look for phone-home activity.
Because the samples are live malware, connect the vm-interface to an isolated network segment
with its own path to the Internet, never to the management network or to a production
network, and treat all traffic leaving that interface as hostile.
+ vm-network-use-tor Enable or disable the Tor network for the vm-interface. When this
option is enabled, any malicious traffic coming from the sandbox systems on the WF-500
appliance during sample analysis is sent through the Tor network. The Tor network
masks your public-facing IP address, so the owners of the malicious site cannot determine
the source of the traffic.
+ cloud-intelligence Configure the appliance to submit WildFire reports or samples to
the Palo Alto Networks WildFire cloud. The submit-report option sends reports for
malicious samples to the cloud for statistical gathering. The submit-sample option
sends the malicious samples themselves to the cloud. If submit-sample is enabled, there is no need to
enable submit-report, because the sample is re-analyzed in the cloud and a new report and
signature are generated if the sample is malicious. Note that submit-sample sends file
contents, not just analysis results, off the appliance; confirm this is acceptable for the
data your firewalls forward.
+ signature-generation Enable the appliance to generate signatures locally,
eliminating the need to send any data to the public cloud in order to block malicious
content. The WF-500 appliance analyzes files forwarded to it from Palo Alto Networks
firewalls or from the WildFire API and generates antivirus and DNS signatures that block
both the malicious files and the associated command-and-control traffic. When the
appliance detects a malicious URL, it sends the URL to PAN-DB and PAN-DB assigns it the
malware category.
Sample Output
The following shows an example output of the WildFire settings.
admin@WF-500# show deviceconfig setting wildfire
wildfire {
active-vm vm-5;
cloud-intelligence {
submit-sample yes;
submit-report no;
}
cloud-server wildfire-public-cloud;
signature-generation {
av yes;
dns yes;
url yes;
}
}
Privilege Level
superuser, deviceadmin
Hierarchy Location
set deviceconfig system update-schedule
Syntax
wf-content recurring {
daily at <value> action {download-and-install | download-only};
weekly {
action {download-and-install | download-only};
at <value>;
day-of-week {friday | monday | saturday | sunday | thursday | tuesday | wednesday};
}
}
Options
> wf-content WF-500 content updates
> daily Schedule update every day
+ action Specify the action to take. You can schedule the appliance to download and
install the update or download only and then you install manually
+ at Time specification hh:mm (e.g. 20:10)
> hourly Schedule update every hour
+ action Specify the action to take. You can schedule the appliance to download and
install the update or download only and then you install manually
+ at Minutes past the hour
> weekly Schedule update once a week
+ action Specify the action to take. You can schedule the appliance to download and
install the update or download only and then you install manually
+ at Time specification hh:mm (e.g. 20:10)
+ day-of-week Day of the week (Friday, Monday, Saturday, Sunday, Thursday, Tuesday,
Wednesday)
Sample Output
admin@WF-500# show
update-schedule {
wf-content {
recurring {
weekly {
at 19:00;
action download-and-install;
day-of-week friday;
}
}
}
}
Hierarchy Location
set deviceconfig system
Syntax
vm-interface {
  default-gateway <ip_address>;
  dns-server <ip_address>;
  ip-address <ip_address>;
  link-state <value>;
  mtu <value>;
  netmask <ip_address>;
  speed-duplex <value>;
}
Options
admin@WF-500# set vm-interface
+ default-gateway Default gateway for the VM interface
+ dns-server dns server for the VM interface
+ ip-address IP address for VM interface
+ link-state Set the link state to up or down
+ mtu Maximum Transmission Unit for the VM interface
+ netmask IP netmask for the VM interface
+ speed-duplex Speed and duplex for the VM interface
Sample Output
The following shows a configured vm-interface.
vm-interface {
ip-address 10.16.0.20;
netmask 255.255.252.0;
default-gateway 10.16.0.1;
dns-server 10.0.0.246;
}
Syntax
create {
  wildfire {
    api-key {
      key <value>;
      name <value>;
    }
  }
}
Options
+ key Create an API key by manually entering a key value. The value must be 64 alphanumeric
characters (the keys the appliance generates itself are 64 hexadecimal digits, as in the
examples below). If you do not specify the key option, the appliance generates a key
automatically; prefer the generated key, since a key you type yourself is only as
unpredictable as the way you produced it.
+ name Optionally enter a name for the API key. An API key name is simply used to
label the keys to make it easier to identify keys assigned for specific uses and has no
impact on the functionality of the key.
Sample Output
The following output shows that the appliance has three API keys and one key is named my-api-key.
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
| Apikey                                                           | Name       | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |            | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C |            | Enabled | 2014-08-04 17:00:42 |                     |
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
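The Create Time and Last Used Time columns in this output are what you need to keep the key list small: a key that has never been used weeks after creation, or has not been used for a long time, is a credential nobody is watching. The following Python script is an added example, not Palo Alto Networks code. It parses the table format shown above (SAMPLE_OUTPUT is constructed from that table), flags enabled keys that are idle, never used, or unlabelled, and emits the edit wildfire api-key status disable commands from this section for the flagged keys. The 30-day idle threshold is an assumption.

```python
"""Audit `show wildfire api-keys all` output for keys that should be disabled.

Added example, not Palo Alto Networks code. SAMPLE_OUTPUT is constructed from
the table in this section; the 30-day idle threshold is an assumption.
"""
from datetime import datetime, timedelta

SAMPLE_OUTPUT = """\
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
| Apikey                                                           | Name       | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |            | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C |            | Enabled | 2014-08-04 17:00:42 |                     |
+------------------------------------------------------------------+------------+---------+---------------------+---------------------+
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_time(cell):
    """Empty cells (key never used) become None."""
    return datetime.strptime(cell, TIME_FMT) if cell else None


def parse_api_keys(text):
    """Return one dict per key row; prompt, border and header lines are skipped."""
    keys = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Apikey" or len(cells) != 5:
            continue
        key, name, status, created, last_used = cells
        keys.append({"key": key, "name": name, "status": status,
                     "created": parse_time(created), "last_used": parse_time(last_used)})
    return keys


def audit_api_keys(keys, now, max_idle_days=30):
    """Flag enabled keys that are idle, never used, or have no name. `now` may be a
    datetime or a string in the appliance's own time format."""
    if isinstance(now, str):
        now = parse_time(now)
    idle = timedelta(days=max_idle_days)
    findings = []
    for k in keys:
        if k["status"] != "Enabled":
            continue                      # already disabled: nothing to do
        if k["last_used"] is None and now - k["created"] > idle:
            findings.append((k["key"], "never used since creation"))
        elif k["last_used"] is not None and now - k["last_used"] > idle:
            findings.append((k["key"], "idle"))
        if not k["name"]:
            findings.append((k["key"], "no name; purpose unknown"))
    return findings


def disable_commands(findings):
    """One `edit wildfire api-key status disable` command per flagged key."""
    seen = []
    for key, _reason in findings:
        if key not in seen:
            seen.append(key)
    return [f"edit wildfire api-key status disable key {key}" for key in seen]


if __name__ == "__main__":
    rows = parse_api_keys(SAMPLE_OUTPUT)
    for key, reason in audit_api_keys(rows, "2014-08-10 00:00:00"):
        print(f"{key[:8]}...  {reason}")
    print("\n".join(disable_commands(audit_api_keys(rows, "2014-08-10 00:00:00"))))
```

Disabling rather than deleting keeps the key's name and timestamps on the appliance, so an owner who turns up later can be identified before the key is removed with delete wildfire api-key.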
Syntax
delete {
  wildfire {
    api-key {
      key <value>;
    }
  }
}
Options
+ key <value> The key value for the key that you want to delete. To view a list of API
keys, run the following command: admin@WF-500> show wildfire api-keys all
Sample Output
admin@WF-500> delete wildfire api-key key
A0418F8EADABA4C78CD3106D71147321462C5AA085B2979136447B1EC334655A
APIKey A0418F8EADABA4C78CD3106D71147321462C5AA085B2979136447B1EC334655A
deleted
delete wildfire-metadata
Description
Delete content updates on the WF-500 appliance. For more information on content updates and how to install
them, see request wf-content.
Syntax
delete {
  wildfire-metadata update <value>;
}
Options
+ update <value> Define the content update that you want to delete.
Sample Output
The output that follows shows the deletion of an update named
panup-all-wfmeta-2-181.candidate.tgz.
admin@WF-500> delete wildfire-metadata update panup-all-wfmeta-2-181.candidate.tgz
successfully removed panup-all-wfmeta-2-181.candidate.tgz
Syntax
edit {
  wildfire {
    api-key [name <value> | status {enable | disable}] key <value>;
  }
}
Options
+ name Change the name of an API key
+ status Enable or disable an API key
* key Specify the key to modify (required)
Sample Output
The key value in this command is required. For example, to change the name of a key named stu to
stu-key1, enter the following command. You do not need to enter the old key name; only enter the new key
name:
admin@WF-500> edit wildfire api-key name stu-key1 key B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+----------+----------+---------------------+---------------------+
| Apikey                                                           | Name     | Status   | Create Time         | Last Used Time      |
+------------------------------------------------------------------+----------+----------+---------------------+---------------------+
| B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288 | stu-key1 | Disabled | 2014-08-21 07:23:34 |                     |
+------------------------------------------------------------------+----------+----------+---------------------+---------------------+
Syntax
load {
  wildfire {
    api-key from <value> mode [merge | replace];
  }
}
Options
* from Specify the API key filename that you want to import. The key files use the
.keys file extension. For example, my-api-keys.keys. To view a list of keys that are
available for import, enter the following command:
admin@WF-500> load wildfire api-key from ?
+ mode Optionally enter the mode for the import (merge/replace). For example, to
replace the key database on the appliance with the contents of the new key file, enter the
following command:
admin@WF-500> load wildfire api-key mode replace from my-api-keys.keys
If you do not specify the mode option, the default action merges the keys.
Hierarchy Location
request system
Syntax
raid {
  add <value>;
  copy {
    from <value>;
    to <value>;
  }
  remove <value>;
}
Options
> add Add a disk to a RAID pair
> copy Copy the contents of one disk to another
> remove Remove a disk from a RAID pair
Sample Output
The following output shows a WildFire WF-500 appliance with a correctly configured RAID.
admin@WF-500> show system raid
Disk Pair A          Available
  Disk id A1         Present
  Disk id A2         Present
Disk Pair B          Available
  Disk id B1         Present
  Disk id B2         Present
Hierarchy Location
request system
Syntax
request {
system {
wildfire-vm-image {
upgrade install file <value>;
}
}
}
Options
> wildfire-vm-image Install Virtual Machine (VM) images.
+ upgrade install file Perform an upgrade to the VM image. After the file option,
type ? to view a list of available VM images. For example, run the following command to
list available images: admin@WF-500> request system wildfire-vm-image upgrade install file ?
Sample Output
To list available VM images, run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file ?
To install a VM image (Windows 7 64-bit in this example), run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file WFWin7_64Base_m-1.0.0_64base
request wf-content
Perform content updates on a WF-500 appliance. These content updates equip the appliance with the most
up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate
the malicious from the benign. To schedule content updates to install automatically, see set deviceconfig system
update-schedule and to delete content updates on the WF-500, see delete wildfire-metadata.
Hierarchy Location
request
Syntax
request wf-content
{
downgrade install {previous | <value>};
upgrade
{
check
download latest
info
install {
file <filename>
version latest;
}
}
}
Options
> downgrade Installs a previous content version. Use the previous option to install
the previously installed content package or enter a value to downgrade to a specific
content package number.
> upgrade Performs content upgrade functions
> check Obtain information on available content packages from the Palo Alto Networks
Update Server
> download Download a content package
> info Show information about available content packages
> install Install a content package
> file Specify the name of the file containing the content package
> version Download or upgrade based on the version number of the content package
Sample Output
To list available content updates, run the following command:
admin@WF-500> request wf-content upgrade check
Version   Size   Released on                Downloaded   Installed
------------------------------------------------------------------------
2-217     58MB   2014/07/29 13:04:55 PDT    yes          current
2-188     58MB   2014/07/01 13:04:48 PDT    yes          previous
2-221     59MB   2014/08/02 13:04:55 PDT    no           no
Hierarchy Location
save
Syntax
save {
  wildfire {
    api-key to <value>;
  }
}
Options
* to Enter the filename for key export. For example, to export all of the API keys on
the WF-500 to a file named my-wf-keys, enter the following command:
admin@WF-500> save wildfire api-key to my-wf-keys
Hierarchy Location
set wildfire
Syntax
set {
wildfire {
portal-admin {
password <value>;
}
}
Sample Output
The following shows the output of this command.
admin@WF-500> set wildfire portal-admin password
Enter password:
Confirm password:
Hierarchy Location
show system
Syntax
raid {
  detail;
}
Options
No additional options.
Sample Output
The following shows the RAID configuration on a functioning WF-500 appliance.
admin@WF-500> show system raid detail
Disk Pair A                 Available
  Status                    clean
  Disk id A1                Present
    model                 : ST91000640NS
    size                  : 953869 MB
    partition_1           : active sync
    partition_2           : active sync
  Disk id A2                Present
    model                 : ST91000640NS
    size                  : 953869 MB
    partition_1           : active sync
    partition_2           : active sync
Disk Pair B                 Available
  Status                    clean
  Disk id B1                Present
    model                 : ST91000640NS
    size                  : 953869 MB
    partition_1           : active sync
    partition_2           : active sync
  Disk id B2                Present
    model                 : ST91000640NS
    size                  : 953869 MB
    partition_1           : active sync
    partition_2           : active sync
show wildfire
Description
Shows various information about the WildFire appliance, such as available API keys, registration information,
activity, recent samples that the appliance analyzed, and the virtual machine that is selected to perform analysis.
Hierarchy Location
show wildfire
Syntax
show wildfire {
  api-keys {
    all {
      details;
    }
    key <value>;
  }
  last-device-registration all;
  latest {
    analysis {
      filter malicious|benign;
      sort-by SHA256|Submit Time|Start Time|Finish Time|Malicious|Status;
      sort-direction asc|desc;
      limit 1-20000;
      days 1-7;
    }
    samples {
      filter malicious|benign;
      sort-by SHA256|Create Time|File Name|File Type|File Size|Malicious|Status;
      sort-direction asc|desc;
      limit 1-20000;
      days 1-7;
    }
    sessions {
      filter malicious|benign;
      sort-by SHA256|Create Time|Src IP|Src Port|Dst Ip|Dst Port|File|Device ID|App|Malicious|Status;
      sort-direction asc|desc;
      limit 1-20000;
      days 1-7;
    }
    uploads {
      sort-by SHA256|Create Time|Finish Time|Status;
      sort-direction asc|desc;
      limit 1-20000;
      days 1-7;
    }
  }
  sample-status {
    sha256 {
      equal <value>;
    }
  }
  statistics days <1-31>;
  status;
  vm-images;
}
Options
admin@WF-500> show wildfire
> api-keys Show details about the API keys generated on the WF-500 appliance. You can
view the last time the key was used, the key name, status (Enabled or Disabled), and the
date/time the key was generated.
> last-device-registration Show the list of latest registration activities.
> latest Show the latest 30 activities, which include the last 30 analysis activities, the
last 30 files that were analyzed, network session information on files that were
analyzed, and files that were uploaded to the public cloud server.
> sample-status Show the WildFire sample status. Enter the SHA-256 value of the file
(sha256 equal <value>) to view its current analysis status.
> statistics Display basic WildFire statistics.
> status Display the status of the appliance as well as configuration information such
as the Virtual Machine (VM) used for sample analysis, whether or not samples/reports are
sent to the cloud, vm network, and registration information.
> vm-images Display the attributes of the available virtual machine images used for
sample analysis. To view the current active image, run the following command:
admin@WF-500> show wildfire status and view the Selected VM field.
Sample Output
The following shows the output for this command.
admin@WF-500> show wildfire api-keys all
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| Apikey                                                           | Name           | Status  | Create Time         | Last Used Time      |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62 | my-api-key-stu | Enabled | 2014-06-24 16:38:50 |                     |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F |                | Enabled | 2014-06-25 09:05:30 | 2014-06-26 14:49:35 |
+------------------------------------------------------------------+----------------+---------+---------------------+---------------------+
admin@WF-500> show wildfire last-device-registration all
+--------------+---------------------+-------------+------------+----------+--------+
| Device ID    | Last Registered     | Device IP   | SW Version | HW Model | Status |
+--------------+---------------------+-------------+------------+----------+--------+
| 001606000114 | 2014-07-31 12:35:53 | 10.43.14.24 | 6.1.0-b14  | PA-200   | OK     |
+--------------+---------------------+-------------+------------+----------+--------+
admin@WF-500> show wildfire latest ?
> analysis   Show latest 30 analysis activities
> samples    Show latest 30 samples
> sessions   Show latest 30 sessions
> uploads    Show latest 30 uploads
The following shows the session and analysis information recorded for one sample.
Session information:
+---------------------+-------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
| Create Time         | Src IP      | Src Port | Dst IP       | Dst Port | File                                                          | Device ID    | App   | Malicious | Status    |
+---------------------+-------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
| 2014-08-04 11:49:41 | 10.10.10.50 | 80       | 192.168.2.10 | 64108    | 25047801_20130919175646000_970x66_Adobe_Marketing_RM_AUTO.swf | 001606000114 | flash | No        | completed |
+---------------------+-------------+----------+--------------+----------+---------------------------------------------------------------+--------------+-------+-----------+-----------+
Analysis information:
+---------------------+---------------------+---------------------+-----------+----------------------------------------------------------+-----------+
| Submit Time         | Start Time          | Finish Time         | Malicious | VM Image                                                 | Status    |
+---------------------+---------------------+---------------------+-----------+----------------------------------------------------------+-----------+
| 2014-08-04 11:49:41 | 2014-08-04 11:49:41 | 2014-08-04 11:56:52 | No        | Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010 | completed |
+---------------------+---------------------+---------------------+-----------+----------------------------------------------------------+-----------+
admin@WF-500> show wildfire statistics
Last one hour statistics
  Total sessions submitted : 0
  Samples submitted        : 0
  analyzed                 : 0
  pending                  : 0
  malicious                : 0
  benign                   : 0
  error                    : 0
  uploaded                 : 0
[second statistics period; its heading was not recovered from the page]
  Total sessions submitted : 13
  Samples submitted        : 13
  analyzed                 : 13
  pending                  : 0
  malicious                : 0
  benign                   : 13
  error                    : 0
  uploaded                 : 0
admin@WF-500> show wildfire status
[field labels of this output were not recovered from the page; the recoverable values are: cloud server
s1.wildfire.paloaltonetworks.com, appliance status Idle, Selected VM vm-5, device IP 10.3.4.99]
Syntax
test {
  wildfire {
    registration;
  }
}
Options
No additional options.
Sample Output
The following shows a successful output on a firewall that can communicate with a WildFire appliance. If this
is a WildFire appliance pointing to the Palo Alto Networks WildFire cloud, the server name of one of the cloud
servers is displayed in the select the best server: field.
Test wildfire
  wildfire registration:   successful
  download server list:    successful
  select the best server:  ca-s1.wildfire.paloaltonetworks.com