Managed WildFire Cluster and Appliance Administration
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT > DHCP Server
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Managed WildFire Cluster and Appliance Administration
Select PanoramaManaged WildFire Clusters and
select a cluster to manage or select a WildFire appliance (PanoramaManaged WildFire Appliances)
to manage a standalone appliance. The PanoramaManaged WildFire Cluster view
lists cluster nodes (WildFire appliances that are members of the
cluster) and standalone appliances so that you can add available
appliances to a cluster. Because the cluster manages the nodes,
selecting a cluster node provides only limited management capability.
Unless noted, the settings and descriptions in the following
table apply to both WildFire clusters and WildFire standalone appliances.
Information previously configured on a cluster or appliance is prepopulated.
You must first commit changes and additions to the information on
Panorama and then push the new configuration to the appliances.
Setting | Description |
---|---|
General tab | |
Name | The cluster or appliance Name or
the appliance serial number. |
Enable DNS (WildFire clusters
only) | Enable DNS service
for the cluster. |
Register Firewall To | The domain name to which you register firewalls.
Format must be wfpc.service.<cluster-name>.<domain>.
For example, the default domain name is wfpc.service.mycluster.paloaltonetworks.com. |
Content Update Server | Enter the Content Update Server location
or use the default wildfire.paloaltonetworks.com so
that the cluster or appliance receives content updates from the
closest server in the Content Delivery Network infrastructure. Connecting
to the global cloud gives you the benefit of accessing signatures
and updates based on threat analysis from all sources connected
to the cloud, instead of relying only on the analysis of local threats. |
Check Server Identity | Check Server Identity to
confirm the identity of the update server by matching the common
name (CN) in the certificate with the IP address or FQDN of the
server. |
WildFire Cloud Server | Enter the global WildFire Cloud
Server location or use the default wildfire.paloaltonetworks.com so
that the cluster or appliance can send information to the closest
server. You can choose whether to send information and what types
of information to send to the global cloud (WildFire
Cloud Services). |
Sample Analysis Image | Select the VM image for the cluster or appliance
to use for sample analysis (default is vm-5). You can Get a Malware Test File (WildFire API) to
see the result of the sample analysis. |
WildFire Cloud Services | If the cluster or appliance is connected
to the global WildFire Cloud Server, you can choose whether to Send
Analysis Data, Send Malicious Samples, Send
Diagnostics to the global cloud or any combination of
the three. You can also choose whether to perform a Verdict
Lookup in the global cloud. Sending information to the
global cloud benefits the entire community of WildFire users because
the shared information increases the ability of every appliance
to identify malicious traffic and prevent it from traversing the
network. |
Sample Data Retention | The number of days to retain benign or grayware
samples and malicious samples:
|
Analysis Environment Services | Environment Networking enables
virtual machines to communicate with the internet. You can select Anonymous
Networking to make network communication anonymous but
you must select Environment Networking before
you can enable Anonymous Networking. Different
network environments produce different types of analysis loads depending
on whether more documents need to be analyzed or more executable
files need to be analyzed. You can configure your Preferred Analysis
Environment to allocate more resources to Executables or
to Documents, depending on the needs of your
environment. The Default allocation is balanced
between Executables and Documents. The
amount of available resources depends on how many WildFire nodes are
in the cluster. |
Signature Generation | Select whether you want the cluster or appliance
to generate signatures for AV, DNS, URLs, or any combination of
the three. |
Appliance tab | |
Hostname (Standalone WildFire appliance
only) | Enter the hostname of the WildFire appliance. |
Panorama Server | Enter the IP address or FQDN of the appliance
or of the primary Panorama managing the cluster. |
Panorama Server 2 | Enter the IP address or FQDN of the appliance
or of the backup Panorama managing the cluster. |
Domain | Enter the domain name of the appliance cluster
or appliance. |
Primary DNS Server | Enter the IP address of the primary DNS
Server. |
Secondary DNS Server | Enter the IP address of the secondary DNS
Server. |
Timezone | Select the time zone to use for the cluster
or appliance. |
Latitude (Standalone WildFire appliance
only) | Enter the latitude of the WildFire appliance. |
Longitude (Standalone WildFire appliance
only) | Enter the longitude of the WildFire appliance. |
Primary NTP Server | Enter the IP address of the primary NTP
Server and set the Authentication Type to None (default), Symmetric
Key, or Autokey. Setting
the Authentication Type to Symmetric Key reveals
four more fields:
|
Secondary NTP Server | Enter the IP address of the secondary NTP
Server and set the Authentication Type to None (default), Symmetric
Key, or Autokey. Setting
the Authentication Type to Symmetric Key reveals
four more fields:
|
Login Banner | Enter a banner message that displays when
users log in to the cluster or appliance. |
Logging tab (Includes System
tab and Configuration tab) | |
Add | Add log forwarding
profiles (PanoramaManaged
WildFire Clusters<cluster>LoggingSystem or PanoramaManaged WildFire Clusters<cluster>LoggingConfiguration) to forward:
No other log
types are supported (see Device
> Log Settings). The Log Forwarding profiles specify
which logs to forward and to which destination servers. For each
profile, complete the following:
|
Add > Filter > Filter Builder | Use Filter Builder to
create new log filters. Select Create Filter to construct
filters and, for each query in a new filter, specify the following settings
and then Add the query:
To
display or export logs that the filter matches, select View
Filtered Logs.
You
can change the number and order of entries displayed per page and you
can use the paging controls at the bottom left of the page to navigate
through the log list. Log entries are retrieved in blocks of 10 pages.
|
Delete | Select and then Delete the
log forwarding settings you want to remove from the System or Configuration
log list. |
Authentication tab | |
Authentication Profile | Select a configured authentication profile
to define the authentication service that validates the login credentials
of the WildFire appliance or Panorama administrators. |
Failed Attempts | Enter the number of failed login attempts
that the WildFire appliance allows on the CLI before locking out
the administrator (range is 0 to 10; default is 10). Limiting login
attempts helps protect the WildFire appliance from brute force attacks.
A value of 0 specifies unlimited login attempts. If you set the Failed Attempts to
a value other than 0 but leave the Lockout Time at
0, then the administrator is indefinitely locked out until another
administrator manually unlocks the locked-out administrator. If
no other administrator has been created, you must reconfigure the Failed
Attempts and Lockout Time settings
on Panorama and push the configuration change to the WildFire appliance.
To ensure that an administrator is never locked out, use the default
(0) value for both Failed Attempts and Lockout
Time. Set the number
of Failed Attempts to 5 or fewer to accommodate
a reasonable number of retries in case of typing errors, while preventing
malicious systems from trying brute force methods to log in to the
WildFire appliance. |
Lockout Time (min) | Enter the number of minutes for which the
WildFire appliance locks out an administrator from access to the
CLI after reaching the Failed Attempts limit
(range is 0 to 60; default is 5). A value of 0 means the lockout
applies until another administrator manually unlocks the account. If you set the Failed Attempts to
a value other than 0 but leave the Lockout Time at
0, then the administrator is indefinitely locked out until another
administrator manually unlocks the locked-out administrator. If
no other administrator has been created, you must reconfigure the Failed
Attempts and Lockout Time settings
on Panorama and push the configuration change to the WildFire appliance.
To ensure that an administrator is never locked out, use the default
(0) value for both Failed Attempts and Lockout
Time. Set the Lockout
Time to at least 30 minutes to prevent continuous login
attempts from a malicious actor. |
Idle Timeout (min) | Enter the maximum number of minutes without
any activity on the CLI before an administrator is automatically
logged out (range is 0 to 1,440; default is None). A value of 0
means that inactivity does not trigger an automatic logout. Set the Idle Timeout to
10 minutes to prevent unauthorized users from accessing the WildFire
appliance if an administrator leaves a session open. |
Max Session Count | Enter the number of active sessions the
administrator can have open concurrently, The default is 0, which
means that the WildFire appliance can have an unlimited number of
concurrently active sessions. |
Max Session time | Enter the number of minutes the administrator
can be logged in before being automatically logged out. The default
is 0, which means that the administrator can be logged in indefinitely
even if idle. |
Local Administrators | Add and configure new administrators for
the WildFire appliance. These administrators are unique to the WildFire
appliance are managed from this page (PanoramaManaged WildFire AppliancesAuthentication). |
Panorama Administrators | Import existing administrators configured
on Panorama. These administrators are created on Panorama and imported
into the WildFire appliance. |
Clustering tab (Managed
WildFire Clusters only) and Interfaces tab (Managed WildFire
Appliances only) You must add appliances to Panorama
to manage interfaces and add appliances to clusters to manage node
interfaces. | |
Appliance (Clustering tab only) | Select a cluster node to access the Appliance
and Interfaces tabs for that node. The Appliance tab node information
is prepopulated and not configurable except for the hostname. The
Interfaces tab lists the node interfaces. Select an interface to
manage it as described in: |
Interface
Name Management | The management interface is Ethernet0. Configure
or view management interface settings:
Configure
proxy settings if you use a proxy server to connect to the Internet:
Specify
IP addresses that are permitted on the interface:
|
Interface
Name Analysis Environment Network | Configure settings for the WildFire appliance
cluster or standalone WildFire appliance analysis environment network
interface (Ethernet1, also known as the VM interface):
Specify
IP addresses that are permitted on the interface:
|
Interface
Name Ethernet2 Interface
Name Ethernet3 | You can set the same parameters for the
Ethernet2 and Ethernet3 interfaces:
|
Role (Clustering tab only) | When a cluster has member appliances, the
appliance roles can be Controller, Controller Backup, or Worker.
Select Controller or Backup Controller to
change the WildFire appliance used for each role from the appliances
in the cluster. Changing the Controller results in data loss during
the role change. |
Browse (Clustering tab only) | The Clustering tab
lists the WildFire appliance nodes in the cluster. Browse to
view and add standalone WildFire appliances that the Panorama device
already manages:
The first WildFire appliance you
add to a cluster automatically becomes the Controller node. The
second WildFire appliance you add automatically becomes the Controller
Backup node. You can add up to 20 WildFire appliances to a
cluster. After adding the Controller and Controller Backup nodes,
all subsequent added nodes are Worker nodes. |
Delete (Clustering tab only) | Select one or more appliances from the Appliance
list and then Delete them from the cluster.
You can remove a Controller node only if there are two Controller
nodes in the cluster. |
Manage Controller (Clustering
tab only) | Select Manage Controller to
specify a Controller and a Controller Backup from
the WildFire appliance nodes that belong to the cluster. The current
Controller node and backup Controller node are selected by default.
The backup Controller node can’t be the same node as the primary
Controller node. |
Communication tab | |
Customize Secure Server Communication |
|
Secure Client Communication | Using Secure Client
Communication ensures that WildFire uses configured
custom certificates (instead of the default predefined certificate)
to authenticate SSL connections with another WildFire appliance.
|
Secure Cluster Communication | Select Enable to
encrypt communications between WildFire appliances. The default
certificate uses the predefined certificate type. To use a user-defined
custom certificate, you must configure Customize Secure Server
Communication and enable Custom Certificate
Only. |