The WildFire appliance can now leverage WildFire global cloud intelligence to deliver quick verdicts for known samples. This allows the WildFire appliance to dedicate analysis resources to samples that are truly unknown to both your private network and the global WildFire community. Before analyzing a sample locally, the WildFire appliance checks if the WildFire global cloud has already analyzed the sample (the WildFire appliance sends only the sample hash to the WildFire global cloud—it does not send the raw file or any additional sample data). If the sample is known to the WildFire global cloud, the WildFire appliance retrieves the sample verdict and analysis report and delivers them promptly to the firewall that detected the sample. If the sample is unknown to the WildFire global cloud, the WildFire appliance analyzes the sample locally. In either case, the WildFire appliance locally generates a signature to detect the malware, and delivers the signature to the firewall as part of the WildFire private cloud content update.

The WildFire appliance continues to periodically synchronize verdicts and analysis reports for locally-analyzed samples so that they match the verdicts and analysis reports the WildFire global cloud provides—this ensures that analysis information for locally-analyzed samples stays up-to-date with worldwide WildFire submissions and the latest threat intelligence. In cases where the WildFire global cloud and the WildFire appliance record a different verdict for a sample, the WildFire global cloud verdict takes precedence and changes the local verdict.

The following CLI command enables the WildFire appliance to perform verdict lookups and synchronize verdicts with the WildFire global cloud. This feature is disabled by default; set the command to yes to enable the feature.

admin@WF-500# set deviceconfig setting wildfire cloud-intelligence cloud-query [yes | no]