Tuesday, September 30, 2025

PNCSE Study Notes: Chapter 9: Wildfire


Wildfire

Wildfire Concepts

  • When a firewall receives a file:

    • It checks whether the file is signed by a trusted signer.

    • If there is no trusted signature, it creates a hash of the file to check whether it has already been sent to WildFire.

      • If not already submitted, it checks whether the file is below the maximum file size configured for upload to WF.

      • If it exceeds the max size, it is allowed through the firewall.

      • If under the max size, it is uploaded and checked by WildFire, and the verdict is sent back to the firewall.

    • The types of verdicts assigned to files scanned by WildFire include:

      • Benign - found to be safe and to pose no risk.

      • Greyware (introduced in PAN-OS 7.0) - no security threat, but may display obtrusive behavior; adware, spyware, browser helper objects.

      • Malware - the file contains a malicious payload; viruses, worms, trojans, rootkits, botnets and remote access tools.

      • Phishing (introduced in PAN-OS 8.0) - links in emails are scanned to determine whether the site phishes for credentials or other personal data.

    • File attachments and URLs in emails are also scanned and are categorized into one of the verdicts above.

  • When files and URLs are submitted to WildFire, new signatures are generated and are available for download within 24-48 hours as content updates.

  • Two types of WildFire subscription service:

    • Standard Subscription: all systems running PAN-OS 4.0+ can access the WildFire standard subscription service (analysis in an XP or Win7 VM).

      • Includes Windows PE analysis: EXE, DLL, SCR, FON, etc.

      • AV signatures delivered in daily dynamic content updates (requires a Threat Prevention license).

      • Automatic file submission.

    • WildFire Licensed Service gets the standard features plus:

      • Additional file types scanned, including MSOffice files, PDF, JAR, CLASS, SWF, SWC, APK, Mach-O, DMG, and PKG

      • Wildfire signature files updated every 5 minutes

      • API File submission

      • Wildfire private cloud appliance: WF-500

  • Wildfire Private Cloud

    • The WF-500 is a WildFire private cloud appliance, based on a Win7 64-bit image, hosted on your own network.

    • Locally analyzes files forwarded from the firewall or submitted via the PAN XML API.

    • Signatures can be generated locally. Benign and greyware files never leave the network.

    • You have the option to forward malware to the WildFire cloud for signature generation.

    • Signature updates every 5 minutes.

    • Supports XML API

    • Does not support Phishing; all positive matches are classified as 'malware'.

    • Content updates can be installed manually or automatically

  • Hybrid Cloud

    • Combines local and cloud solutions. WF-500 can analyze sensitive files locally, and less sensitive files can be uploaded to wildfire for analysis.

Configuring and Managing Wildfire

  • Configure under Device > Setup > WildFire.

    • Default cloud is wildfire.paloaltonetworks.com (other clouds for different regions are available)

    • If you have a WF-500 locally, you can specify the IP on this screen

    • Can also specify the maximum size files to upload; anything larger is permitted.

    • Can report benign and greyware by selecting the checkboxes

    • Decrypted content is not forwarded to Wildfire by default; this can be set under Device > Setup > Content ID > Content ID settings to enable 'allow forwarding of decrypted content'

  • Under Device > Setup > Wildfire, you can specify what information is reported to wildfire. This can include information such as source/dest IP, ports, VSYS, Application, User, etc.

  • Wildfire submission is activated by being added to a firewall security policy rule. This is added on the action tab in the rule details.

    • Logs for submissions to wildfire are set under: Monitor > Logs > Wildfire Submissions

  • A wildfire Analysis profile is created under Objects > Security Profiles > Wildfire Analysis

    • A pre-configured default profile is included, that can be cloned/modified, or a new from-scratch profile can be created.

    • The types of files can be sent to a specific destination (public, private or hybrid). Example: JAR can be sent to the cloud, while DOCX can stay on a local WF-500 appliance.

  • The profile can be added as an individual or as part of a group

    • If a file block profile blocks a file, the file is not sent to wildfire for analysis.

  • Updates are available under Device > Dynamic Updates. With a WildFire license, you can set the update interval from every 1 minute to every hour. Without a license, it can be set to update once a day.
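The forwarding flow under Wildfire Concepts and the per-file-type destinations of a Wildfire Analysis profile, as an added Python simulation (not from the original notes or from Palo Alto Networks); the trusted-signer list, the profile fields and the sample bytes are constructed assumptions, and the WF-500 phishing-to-malware mapping follows the note under Wildfire Private Cloud.

```python
import hashlib
from dataclasses import dataclass, field

VERDICTS = {"benign", "greyware", "malware", "phishing"}
TRUSTED_SIGNERS = {"Example Corp Code Signing"}  # constructed; not a real signer list

@dataclass
class Profile:
    max_size_bytes: int                   # larger files are permitted, not uploaded
    destinations: dict                    # file type -> "public-cloud" or "private-cloud"
    file_block_types: set = field(default_factory=set)  # types a File Blocking profile blocks
    submitted_hashes: set = field(default_factory=set)  # hashes already sent to WildFire

def forwarding_decision(profile, file_type, content, signer=None):
    """Return (action, reason) for one file, in the order the notes give:
    file blocking -> trusted signer -> hash already sent -> max size -> upload."""
    if file_type in profile.file_block_types:
        return "block", "blocked by File Blocking profile; never reaches WildFire"
    if signer in TRUSTED_SIGNERS:
        return "allow", "signed by a trusted signer; no submission"
    digest = hashlib.sha256(content).hexdigest()  # stand-in for the firewall's file hash
    if digest in profile.submitted_hashes:
        return "allow", "hash already submitted; existing verdict applies"
    if len(content) > profile.max_size_bytes:
        return "allow", "exceeds maximum upload size; passed without analysis"
    dest = profile.destinations.get(file_type)
    if dest is None:
        return "allow", f"type {file_type!r} not selected for analysis in this profile"
    profile.submitted_hashes.add(digest)
    return f"forward-{dest}", f"uploaded sha256 {digest[:12]}... to {dest}"

def normalize_verdict(dest, verdict):
    """A WF-500 (private cloud) does not support the phishing verdict; it reports
    such positives as 'malware'. Public-cloud verdicts are returned unchanged."""
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r}")
    if dest == "private-cloud" and verdict == "phishing":
        return "malware"
    return verdict

if __name__ == "__main__":
    profile = Profile(max_size_bytes=10 * 1024 * 1024,  # constructed 10 MB limit
                      destinations={"jar": "public-cloud", "docx": "private-cloud"},
                      file_block_types={"exe"})
    sample = b"PK\x03\x04 constructed sample archive bytes"  # constructed input
    print(forwarding_decision(profile, "jar", sample))
    print(forwarding_decision(profile, "jar", sample))  # second pass: hash already seen
    print(normalize_verdict("private-cloud", "phishing"))
```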

Wildfire Reporting

  • Each time a file is analyzed, it reports its findings back to the firewall. The amount of information reported is configurable.

  • To verify successful uploads, you can use the CLI command:

    • debug wildfire upload-log show

      • Output should indicate a successful upload.

  • Detailed reports can be viewed by clicking the magnifying glass, and the analysis report tab to get details on users, and the file details.

  • More details can be seen at wildfire.paloaltonetworks.com - this will give a breakdown of the category of findings (benign, greyware, malware, phishing).

    • Files can also be manually uploaded on this portal.

    • The Reports button on the web portal lets you generate a custom report, and individual entries can be viewed.

    • Email reports can also be configured on the portal for automatic delivery.

    • If a file was found to be flagged as something other than benign, you can open the individual report, scroll to the bottom and submit a request to have it reviewed.
