Forward Samples to the WildFire Cloud
To configure a Palo Alto Networks firewall to automatically submit samples to the WildFire cloud to identify malware, you must configure a file blocking profile with the forward or continue-and-forward action (forward only for email links) and then attach the profile to the security rule that will trigger inspection for zero-day malware. The samples can be specific file types or HTTP/HTTPS links contained in SMTP or POP3 messages. For example, you can configure a policy with a file blocking profile that triggers the firewall to forward a specific file type (PDF for example) to WildFire, or all supported file types that users attempt to download during a web-browsing session. The firewall can forward encrypted files if SSL decryption is configured and the option to forward encrypted files is enabled. To enable WildFire Email Link Analysis, you simply configure the firewall to forward the file type email-link.
If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama Templates to push the WildFire server information, allowed file size, and the session information settings to the firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules. Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis (WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). When configuring the WildFire server on Panorama ( Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example, if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama setting should point to the IP address or FQDN of the appliance.
If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed. WildFire cloud: Uses port 443 for registration and file submissions. WildFire appliance: Uses port 443 for registration and 10443 for file submissions.
Perform the following steps on each firewall that will forward files to WildFire:
Configure a File Blocking Profile and Add it to a Security Profile
Verify that the firewall has valid Threat Prevention and WildFire subscriptions and that dynamic updates are scheduled and up-to-date. See Reference: Firewall File Forwarding Capacity by Platform for recommended settings. Having a WildFire subscription provides many benefits, such as forwarding of advanced file types and receiving WildFire signatures within 15 minutes. For details, see WildFire Subscription Requirements. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates. If the updates are not scheduled, schedule them now. Stagger the update schedules because the firewall can only perform one update at a time.
Define the WildFire server that the firewall will forward files to for analysis. Select Device > Setup > WildFire. Click the General Settings edit icon. In the WildFire Server field, enter wildfire.paloaltonetworks.com to forward to the WildFire cloud hosted in the United States.
Review the maximum file size allowed for upload to WildFire. Continue in the WildFire General Settings and review the Maximum File Size settings. It is recommended that you set the File Size for PEs to the maximum file size limit of 10 MB, and for other file types, leave the default File Size limit. This step is one of the recommended WildFire Best Practices.
Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire. If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because the firewall will automatically forward supported file types that are zipped. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice. Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, they are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire. Select Objects > Security Profiles > File Blocking. Click Add to add a new profile and enter a Name and Description. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name. Select the Applications that will match this profile. For example, selecting web-browsing to match any application traffic identified as web-browsing. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire or select PE to only forward Portable Executable files. In the Direction field, select upload, download, or both. The both option will trigger forwarding whenever a user attempts to upload or download a file. Define an Action as follows: Forward—The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user. Continue-and-forward—The user is prompted and must click continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications. Click OK to save.
(Optional) Enable response pages to allow users to decide whether to forward a file. If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users). Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile. Click the Response Pages check box to enable. Click OK to save the profile. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is the ingress interface. On the Advanced tab, select the Interface Mgmt profile that has the response page option enabled. Click OK to save.
Enable forwarding of decrypted content. To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option. This step is one of the recommended WildFire Best Practices. Select Device > Setup > Content-ID. Edit the Content-ID settings and Allow Forwarding of Decrypted Content. Click OK to save the changes. If the firewall has multiple virtual systems, you must enable this option per VSYS. In this situation, select Device > Virtual Systems, click the virtual system to be modified and select the Allow Forwarding of Decrypted Content check box.
Attach the file blocking profile to a security policy. Select Policies > Security. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy. On the Actions tab, select the File Blocking profile from the drop-down. If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.
(Optional) Modify session options that define what session information to record in WildFire analysis reports. Click the Session Information Settings edit icon. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove from the WildFire analysis reports. Click OK to save the changes.
(PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the PA-7050 to avoid overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email, and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files/emails links to WildFire for analysis. If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route. The PA-7050 does not forward logs to Panorama. Panorama will query the PA-7050 log card for log information. Select Network > Interfaces and locate an available port on an NPC. Select the port and change the Interface Type to Log Card. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your email servers to enable the firewall to logs and email alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated.
Commit the configuration. Click Commit to apply the settings. During security policy evaluation, all files that meet the criteria defined in the file blocking policy are forwarded by the firewall to WildFire. For information on viewing WildFire reports, see WildFire Reporting. For information on verifying the configuration, see Verify Forwarding to the WildFire Cloud.

Related Documentation