PCNSE Study Notes: Wildfire

Wildfire Concepts
- When a file receives a file:
- It will check to see if it is signed by trusted signer.
- If there is not a signature, it creates a hash of the file to check if it has already been sent to wildfire
- If not already submitted, it will check if it is below the maximum file size configured to be uploaded to WF
- If exceeded max size, it is allowed through the firewall
- if under max size, it is uploaded and checked with Wildfire, and the response is sent to the firewall.
- The Types of verdicts assigned to files scanned by wildfire include:
- Benign – Found to be safe and pose no risk
- Greyware (intro’d in panos 7.0) – No security threat but may display obtrusive behavior; adware, spyware, browser helper objects.
- Malware – the file contains a malicious payload; viruses, worms, trojans, rootkits, botnets and remote access tools.
- Phishing (intro’d in panos 8.0) – scans links in emails to determine if the site is a site to phish for credentials or other personal data
- File attachments and URL in emails are also scanned and will be categorized in one of the options above.
- When files and URL’s are submitted to wildfire, new signatures are generated and are available for download within 24-48 hours as content updates.
- Two types of wildfire subscription service
- Standard Subscription: All systems running panOS 4.0+ can access wildfire standard subscription service (as an XP or Win7 VM)
- Includes Windows PE Analysis: EXE, DLL, SCR, FON, etc
- AV signature delivered daily dynamic content updates (requires Threat prevention license)
- Automatic file submission
- Wildfire Licensed Service get standard features plus:
- Additional file types scanned, including MSOffice files, PDF, JAR, CLASS, SWF, SWC, APK, Mach-O, DMG, and PKG
- Wildfire signature files updated every 5 minutes
- API File submission
- Wildfire private cloud appliance: WF-500
- Standard Subscription: All systems running panOS 4.0+ can access wildfire standard subscription service (as an XP or Win7 VM)
- Wildfire Private Cloud
- WF-500 is a private cloud Win7 64-bit image based Wildfire private system hosted on your network.
- Locally analyzes files forwarded from the FW or from the PAN XML API
- Signatures can be generated locally. Benign and Greyware never leave the network.
- You have the option to forward malware to the wildfire cloud for signature generation.
- Signatures updates every 5 minutes.
- Supports XML API
- Does not support Phishing; all positive matches are classified as ‘malware’.
- Content updates can be installed manually or automatically
- Hybrid Cloud
- Combines local and cloud solutions. WF-500 can analyze sensitive files locally, and less sensitive files can be uploaded to wildfire for analysis.
Configuring and Managing Wildfire
- Device > Setup > Wildfire to configured
- Default cloud is wildfire.paloaltonetworks.com (other clouds for different regions are available)
- If you have a WF-500 locally, you can specify the IP on this screen
- Can also specify the maximum size files to upload; anything larger is permitted.
- Can report benign and greyware by selecting the checkboxes
- Decrypted content is not forwarded to Wildfire by default; this can be set under Device > Setup > Content ID > Content ID settings to enable ‘allow forwarding of decrypted content’
- Under Device > Setup > Wildfire, you can specify what information is reported to wildfire. This can include information such as source/dest IP, ports, VSYS, Application, User, etc.
- Wildfire submission is activated by being added to a firewall security policy rule. This is added on the action tab in the rule details.
- Logs for submissions to wildfire are set under: Monitor > Logs > Wildfire Submissions
- A wildfire Analysis profile is created under Objects > Security Profiles > Wildfire Analysis
- A pre-configured default profile is included, that can be cloned/modified, or a new from-scratch profile can be created.
- The types of files can besent to a specific destination (public, private or hybrid). example: JAR can be sent to cloud, while DOCX can stay on a local WF-500 appliance.
- The profile can be added as an individual or as part of a group
- If a file block profile blocks a file, the file is not sent to wildfire for analysis.
- Updates are available under Device > Dynamic Updates. With a wildfire licence, you can specify to updates from 1 minute to every hour. If you do not have a license, it can be set to update once a day.
Wildfire Reporting
- Each time a file is analyzed, it reports its findings back to the firewall. The amount of information reported is configurable.
- To verify successful uploads, you can use the CLI command:
- debug wildfire upload-log show
- Output should indicate an uploaded successful
- debug wildfire upload-log show
- Detailed reports can be viewed by clicking the magnifying glass, and the analysis report tab to get details on users, and the file details.
- More details can be seen at wildfire.paloaltonetworks.com – this will give a breakdown of the category of findings (benign, greyware, malware, phishing).
- Files can also be manually uploaded on this portal as well.
- Reports button on the web portal can let you generate a custom report, and individual entries can be viewed.
- Email reports can also be configured on this to get automatic reports.
- If a file was found to be flagged as something other than benign, you can open the individual report, scroll to the bottom and submit a request to have it reviewed.
Source:User submitted post