Security Profile: WildFire® Analysis

Use a WildFire Analysis profile to specify whether WildFire file analysis is performed locally on a WF-500 appliance or in the WildFire cloud.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Managed)
  • Prisma Access (Panorama Managed)
What Do I Need?
  Check for any license or role requirements for the products you're using.
Use a WildFire Analysis profile to enable forwarding of unknown files or email links for WildFire analysis. Specify the files to forward based on application, file type, and transmission direction (upload or download). Files or email links that match a profile rule are forwarded to either the WildFire public cloud or the WildFire private cloud (hosted on a WF-500 appliance), depending on the analysis location defined for the rule. If a profile rule forwards files to the WildFire public cloud, files that match existing antivirus signatures are forwarded in addition to unknown files.
You can also use WildFire Analysis profiles to set up a WildFire hybrid cloud deployment. If you're using a WF-500 appliance to analyze sensitive files locally (such as PDFs), you can send less sensitive file types (such as PE files) and file types that the WF-500 appliance cannot analyze (such as APKs) to the WildFire public cloud. Using both the WF-500 appliance and the WildFire cloud for analysis gives you a prompt verdict for files the cloud has already processed and for files the appliance does not support, and frees appliance capacity for sensitive content.
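The hybrid routing described above, together with the rule that a profile only takes effect once a Security rule references it, can be checked mechanically against an exported PAN-OS configuration. The lint script below is an added example, not Palo Alto Networks code: it assumes the XML layout PAN-OS uses for wildfire-analysis profiles, profile groups and security rules (as returned by the XML API or `show config running` in XML form), embeds a constructed sample config, and treats which file types count as "sensitive" (here pdf and ms-office) as a local policy assumption.

```python
"""Lint PAN-OS WildFire Analysis profiles for hybrid-cloud routing mistakes.

Added example (not Palo Alto Networks code). It parses the XML form of a
PAN-OS config and reports:
  * profiles no Security rule references, directly or via a profile group
    (such a profile is inactive);
  * rules that send sensitive file types to the WildFire public cloud;
  * rules that route file types the WF-500 cannot analyze (e.g. apk) to the
    private cloud.
"""
import xml.etree.ElementTree as ET

SENSITIVE = {"pdf", "ms-office"}   # assumption: local data-handling policy
APPLIANCE_UNSUPPORTED = {"apk"}    # the page: APKs are not supported on the WF-500

# Constructed sample config, trimmed to the subtrees the checks need.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profiles><wildfire-analysis>
      <entry name="hybrid-wf"><rules>
        <entry name="pdf-local"><application><member>any</member></application>
          <file-type><member>pdf</member><member>ms-office</member></file-type>
          <direction>both</direction><analysis>private-cloud</analysis></entry>
        <entry name="pe-apk-cloud"><application><member>any</member></application>
          <file-type><member>pe</member><member>apk</member></file-type>
          <direction>both</direction><analysis>public-cloud</analysis></entry>
      </rules></entry>
      <entry name="draft-wf"><rules>
        <entry name="office-public"><application><member>any</member></application>
          <file-type><member>ms-office</member></file-type>
          <direction>download</direction><analysis>public-cloud</analysis></entry>
        <entry name="apk-local"><application><member>any</member></application>
          <file-type><member>apk</member></file-type>
          <direction>both</direction><analysis>private-cloud</analysis></entry>
      </rules></entry>
    </wildfire-analysis></profiles>
    <profile-group><entry name="corp-protect">
      <wildfire-analysis><member>hybrid-wf</member></wildfire-analysis></entry></profile-group>
    <rulebase><security><rules>
      <entry name="allow-web"><action>allow</action>
        <profile-setting><group><member>corp-protect</member></group></profile-setting></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def parse_profiles(root):
    """Map profile name -> list of (rule name, file types, analysis location)."""
    profiles = {}
    for prof in root.iterfind(".//profiles/wildfire-analysis/entry"):
        rules = []
        for rule in prof.iterfind("rules/entry"):
            ftypes = {m.text for m in rule.iterfind("file-type/member")}
            rules.append((rule.get("name"), ftypes, rule.findtext("analysis", "public-cloud")))
        profiles[prof.get("name")] = rules
    return profiles


def active_profiles(root):
    """Profiles a Security rule references, directly or through a profile group."""
    groups = {g.get("name"): {m.text for m in g.iterfind("wildfire-analysis/member")}
              for g in root.iterfind(".//profile-group/entry")}
    active = set()
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        active.update(m.text for m in rule.iterfind("profile-setting/profiles/wildfire-analysis/member"))
        for m in rule.iterfind("profile-setting/group/member"):
            active |= groups.get(m.text, set())
    return active


def lint(config_xml, sensitive=SENSITIVE, unsupported=APPLIANCE_UNSUPPORTED):
    """Return a list of findings; an empty list means the profiles look consistent."""
    root = ET.fromstring(config_xml)
    active = active_profiles(root)
    findings = []
    for name, rules in parse_profiles(root).items():
        if name not in active:
            findings.append(f"{name}: not referenced by any Security rule, so it is inactive")
        for rname, ftypes, analysis in rules:
            # A file-type of 'any' covers the sensitive types too, so it counts as leaking them.
            if analysis == "public-cloud" and (ftypes & sensitive or "any" in ftypes):
                leaked = sorted(ftypes & sensitive) or ["any"]
                findings.append(f"{name}/{rname}: sends {leaked} to public-cloud")
            if analysis == "private-cloud" and ftypes & unsupported:
                findings.append(f"{name}/{rname}: routes {sorted(ftypes & unsupported)} "
                                "to the WF-500, which cannot analyze them")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the hybrid-wf profile passes and draft-wf produces three findings: it is not attached to any Security rule, it sends Office documents to the public cloud, and it sends APKs to an appliance that cannot analyze them. Feed the script the real config export instead of `SAMPLE_CONFIG` to audit a production firewall.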

Configure a WildFire Analysis Profile

Configure a WildFire Analysis Profile (Strata Cloud Manager)

Follow these steps to configure a WildFire Analysis profile and get started with Advanced WildFire™ analysis in your network deployment. You can configure automatic forwarding of unknown files to the Advanced WildFire public cloud or a WildFire private cloud, and you can also manually submit files for analysis using the Advanced WildFire portal. Samples submitted for analysis receive a verdict of benign, grayware, malicious, or phishing, and a detailed analysis report is generated for each sample.
  1. Go to Manage > Configuration > NGFW and Prisma Access > Security Services > WildFire and Antivirus.
  2. Add Profile.
  3. Give your profile a Name that tells other administrators what it does.
  4. Give a Description of the purpose of this profile for easy reference and reuse later.
  5. Save your configuration.
    A WildFire Analysis profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a WildFire Analysis profile (and any Security profile).
  6. Once you've saved your initial configuration, consider carrying out these tasks:
    • Forward Files for Advanced WildFire Analysis
      Forward unknown files or email links and blocked files that match existing antivirus signatures for analysis. Use the WildFire Analysis profile to define files to forward to one of the Advanced WildFire public cloud options and then attach the profile to a security rule to trigger inspection for zero-day malware.
    • Forward Decrypted SSL Traffic for Advanced WildFire Analysis
      Traffic that your configuration decrypts is evaluated against Security rules; if it matches the WildFire Analysis profile attached to the security rule, the decrypted traffic is forwarded for analysis before the firewall re-encrypts it.
    • Enable Advanced WildFire Inline ML
      Prevent malicious variants of Portable Executables and PowerShell scripts from entering your network in real time using machine learning (ML) based analytics on the firewall dataplane. Advanced WildFire Inline ML applies WildFire® cloud analysis technology on the firewall itself to classify files of a specific type by evaluating file details, including decoder fields and patterns, and produces a high-probability classification of the file.
    • Manually Upload Files to the WildFire Portal
      All Palo Alto Networks customers with a support account can use the Palo Alto Networks WildFire portal to manually submit up to five samples a day for analysis.

Configure a WildFire Analysis Profile (PAN-OS & Panorama)

Follow these steps to configure a WildFire Analysis profile and get started with Advanced WildFire™ analysis in your network deployment. You can configure automatic forwarding of unknown files to the Advanced WildFire public cloud or a WildFire private cloud, and you can also manually submit files for analysis using the Advanced WildFire portal. Samples submitted for analysis receive a verdict of benign, grayware, malicious, or phishing, and a detailed analysis report is generated for each sample.
  1. Go to Objects > Security Profiles > WildFire Analysis.
  2. Add a profile.
  3. Give your profile a Name that tells other administrators what it does.
  4. Give a Description of the purpose of this profile for easy reference and reuse later.
  5. Select OK to save your configuration.
  6. Once you've saved your initial configuration, consider carrying out these tasks:
    • Forward Files for Advanced WildFire Analysis
      Forward unknown files or email links and blocked files that match existing antivirus signatures for analysis. Use the WildFire Analysis profile to define files to forward to one of the Advanced WildFire public cloud options and then attach the profile to a security rule to trigger inspection for zero-day malware.
    • Forward Decrypted SSL Traffic for Advanced WildFire Analysis
      Traffic that the firewall decrypts is evaluated against Security rules; if it matches the WildFire Analysis profile attached to the security rule, the decrypted traffic is forwarded for analysis before the firewall re-encrypts it.
    • Enable Advanced WildFire Inline ML
      Prevent malicious variants of Portable Executables and PowerShell scripts from entering your network in real time using machine learning (ML) based analytics on the firewall dataplane. Advanced WildFire Inline ML applies WildFire® cloud analysis technology on the firewall itself to classify files of a specific type by evaluating file details, including decoder fields and patterns, and produces a high-probability classification of the file.
    • Enable Advanced WildFire Inline Cloud Analysis
      Palo Alto Networks Advanced WildFire operates a series of cloud-based ML detection engines that provide inline analysis of PE (Portable Executable) files traversing your network to detect and prevent advanced malware in real time.
    • Enable Hold Mode for Real-Time Signature Lookup
      Configure the NGFW to hold the transfer of a sample while the real-time signature cloud performs a signature lookup.
    • Verify WildFire Submissions
      Test your deployment using malware test samples, and also verify that the firewall is correctly forwarding files for WildFire analysis.
    • Manually Upload Files to the WildFire Portal
      All Palo Alto Networks customers with a support account can use the Palo Alto Networks WildFire portal to manually submit up to five samples a day for analysis.
    • Firewall File Forwarding Capacity by Model