WF-500 Appliance File Analysis


Palo Alto Networks WildFire Administrator's Guide Version 6.1

Contact Information

Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA

About this Guide

This guide describes the administrative tasks required to use and maintain the Palo Alto Networks WildFire feature. Topics covered include licensing information, configuring firewalls to forward files for inspection, viewing reports, and how to configure and manage the WF-500 appliance.

- For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to
- For access to the knowledge base, discussion forums, and videos, refer to
- For contacting support, for information on the support programs, or to manage your account or devices, refer to
- For the latest release notes, go to the software downloads page at
- To provide feedback on the documentation, please write to us at:

Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: August 24,

This topic describes the WF-500 appliance and how to configure and manage the appliance to prepare it to receive files for analysis. In addition, this topic provides steps for configuring a Palo Alto Networks firewall to forward files to a WildFire appliance for file analysis and also describes how to configure the appliance to provide local signature generation to avoid having to send samples to the WildFire cloud. You can also use the WildFire API to submit and retrieve content from a WF-500 appliance.

- About the WF-500 Appliance
- Configure the WF-500 Appliance
- Set Up the VM Interface on the WF-500 Appliance
- Manage Content Updates on the WF-500 Appliance
- Forward Files to a WF-500 Appliance
- Signature/URL Generation on a WF-500 Appliance
- Configure the Firewall to Retrieve Updates from a WF-500 Appliance
- Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support

About the WF-500 Appliance

The WF-500 appliance provides an on-premises WildFire private cloud, enabling you to analyze suspicious files in a sandbox environment without requiring the firewall to send files outside of the network. To use a WF-500 appliance in place of the WildFire cloud, configure the WildFire server setting on the firewall to point to your WF-500 appliance rather than to the WildFire public cloud server. The WF-500 appliance sandboxes all files locally and analyzes them for malicious behaviors using the same engine used by the WildFire cloud system. Within minutes, the appliance returns the results of the analysis back to the firewall in the WildFire Submissions logs.

By default, the WF-500 appliance does not send any files to the Palo Alto Networks WildFire cloud for signature generation. However, you can configure the appliance to generate signatures locally and the connected firewalls can retrieve the updates directly from the appliance. For information on configuring local signature generation and to learn about the types of content updates that the appliance can provide, see Signature/URL Generation on a WF-500 Appliance.

The WF-500 appliance has an automatic submission feature that enables it to send only confirmed malware to the public cloud for signature generation. You can also configure this feature (cloud-intelligence) to send only reports on malware, which will help Palo Alto Networks gather statistics on malware. It is recommended that you configure the appliance to send malware samples to the WildFire cloud, so signatures are generated and distributed to all customers. If you do not want to automatically send all detected malware to the WildFire cloud, you can manually download the malware from the WildFire Analysis Report tab and manually upload it to the WildFire Portal.

You can configure up to 100 Palo Alto Networks firewalls to forward to a single WildFire appliance. Each firewall must have a valid WildFire subscription to forward files to a WildFire appliance.

The WildFire appliance has two interfaces:

- MGT: Receives all files forwarded from the firewalls and returns logs detailing the results back to the firewalls. See Integrate the WF-500 Appliance into a Network.
- Virtual Machine Interface (VM interface): Provides network access for the WildFire sandbox systems to enable sample files to communicate with the Internet, which allows WildFire to better analyze the behavior of the sample. When the VM interface is configured, WildFire can observe malicious behaviors that the malware would not normally perform without network access, such as phone-home activity. However, to prevent malware from entering your network from the sandbox, configure this interface on an isolated network with an Internet connection. You can also enable the Tor option to hide the public IP addresses used by your company from malicious sites that are accessed by the sample. For more information on the VM interface, see Set Up the VM Interface on the WF-500 Appliance.

Configure the WF-500 Appliance

The following topics describe how to integrate a WildFire appliance into the network:

- Prerequisites for Configuring the WF-500 Appliance
- Integrate the WF-500 Appliance into a Network
- Verify the WF-500 Appliance Configuration

Prerequisites for Configuring the WF-500 Appliance

- Rack mount and cable the WF-500 appliance. Refer to the WF-500 WildFire Appliance Hardware Reference Guide.
- Obtain the information required to configure network connectivity on the MGT port and the virtual machine interface from your network administrator (IP address, subnet mask, gateway, hostname, DNS server). All communication between the firewalls and the appliance occurs over the MGT port, including file submissions, WildFire log delivery, and appliance administration. Therefore, ensure that the firewalls have connectivity to the MGT port on the appliance. In addition, the appliance must be able to connect to the updates.paloaltonetworks.com site to retrieve its operating system software updates.
- Have a computer ready with either a console cable or Ethernet cable to connect to the device for the initial configuration.

Integrate the WF-500 Appliance into a Network

This section describes the steps required to install a WF-500 appliance on a network and perform basic setup.

Step 1 Connect the management computer to the appliance using the MGT or Console port and power on the appliance.

1. Connect to the console port or the MGT port. Both are located on the back of the appliance.
   - Console Port: This is a 9-pin male serial connector. Use the following settings on the console application: N-1. Connect the provided cable to the serial port on the management computer or USB-To-Serial converter.
   - MGT Port: This is an Ethernet RJ-45 port. By default, the MGT port IP address is The interface on your management computer must be on the same subnet as the MGT port. For example, set the IP address on the management computer to
2. Power on the appliance. The appliance will power on as soon as you connect power to the first power supply and a warning beep will sound until you connect the second power supply. If the appliance is already plugged in and is in the shutdown state, use the power button on the front of the appliance to power on.

Step 2 Register the WildFire appliance.

1. Obtain the serial number from the S/N tag on the appliance, or run the following command and refer to the serial field:
    admin@wf-500> show system info
2. From a browser, navigate to the Palo Alto Networks Support site.
3. Register the device as follows:
   - If this is the first Palo Alto Networks device that you are registering and you do not yet have a login, click Register on the right side of the page. To register, provide an address and the serial number of the device. When prompted, set up a username and password for access to the Palo Alto Networks support community.
   - For existing accounts, log in and then click My Devices. Scroll down to the Register Device section at the bottom of the screen and enter the serial number of the device, the city and postal code, and then click Register Device.

Step 3 Reset the admin password.

1. Log in to the appliance with an SSH client or by using the Console port. Enter a username/password of admin/admin.
2. Set a new password by running the command:
    admin@wf-500# set password
3. Type the old password, press enter and then enter and confirm the new password. There is no need to commit the configuration because this is an operational command.
4. Type exit to log out and then log back in to confirm that the new password is set.

Step 4 Set the IP information for the MGT interface and the hostname for the appliance. All firewalls that will send files to the WF-500 appliance will use the MGT port, so ensure that this interface is accessible from those firewalls.

This example uses the following values:

- IPv4 address /22
- Subnet Mask
- Default Gateway
- Hostname - wildfire-corp1
- DNS Server

1. Log in to the appliance with an SSH client or by using the Console port and enter configuration mode:
    admin@wf-500> configure
2. Set the IP information:
    admin@wf-500# set deviceconfig system ip-address netmask default-gateway dns-setting servers primary
   Configure a secondary DNS server by replacing primary with secondary in the above command, excluding the other IP parameters. For example:
    admin@wf-500# set deviceconfig system dns-setting servers secondary
3. Set the hostname (wildfire-corp1 in this example):
    admin@wf-500# set deviceconfig system hostname wildfire-corp1
4. Commit the configuration to activate the new management (MGT) port configuration:
    admin@wf-500# commit
5. Connect the MGT interface port to a network switch.
6. Put the management PC back on your corporate network, or whatever network is required to access the appliance on the management network.
7. From your management computer, use an SSH client to connect to the new IP address or hostname assigned to the MGT port on the appliance. In this example, the IP address is

Step 5 (Optional) Configure additional user accounts for managing the WildFire appliance. You can assign two role types: superuser and superreader. Superuser is equivalent to the admin account, and superreader only has read access.

In this example, you will create a superreader account for the user bsimpson:

1. Enter configuration mode:
    admin@wf-500> configure
2. Create the user account:
    admin@wf-500# set mgt-config users bsimpson <password>
3. Enter and confirm a new password.
4. Assign the superreader role:
    admin@wf-500# set mgt-config users bsimpson permissions role-based superreader yes

Step 6 (Optional) Configure RADIUS authentication for administrator access. The following steps summarize how to configure RADIUS on the appliance.

1. Create a RADIUS profile using the following options:
    admin@wf-500# set shared server-profile radius <profile-name>
   (Configure the RADIUS server and other attributes.)
2. Create an authentication profile:
    admin@wf-500# set shared authentication-profile <profile-name> method radius server-profile <server-profile-name>
3. Assign the profile to a local admin account:
    admin@wf-500# set mgt-config users <username> authentication-profile <authentication-profile-name>

Step 7 Activate the appliance with the WildFire authorization code that you received from Palo Alto Networks. The WF-500 appliance will function without an auth-code, but it cannot retrieve software updates without a valid auth-code.

1. Change to operational mode:
    admin@wf-500# exit
2. Fetch and install the WildFire license:
    admin@wf-500> request license fetch auth-code <auth-code>
3. Verify the license:
    admin@wf-500> request support check
   Information about the support site and the support contract date is displayed. Confirm that the date displayed is valid.

Step 8 Set the current date/time and timezone.

1. Set the date and time:
    admin@wf-500> set clock date <YY/MM/DD> time <hh:mm:ss>
2. Enter configuration mode:
    admin@wf-500> configure
3. Set the local time zone:
    admin@wf-500# set deviceconfig system timezone <timezone>
   The time stamp that will appear on the WildFire detailed report will use the time zone set on the appliance. If administrators in various regions will view reports, consider setting the time zone to UTC.

Step 9 (Optional) Configure cloud intelligence to enable the WildFire appliance to forward files that contain malware to the Palo Alto Networks WildFire cloud. The WildFire cloud system will re-analyze the sample, generate a signature if the sample is malware, and add the signature to the WildFire signature updates. You can also choose to only submit WildFire reports on malware. In this case, Palo Alto Networks uses the reports for statistical purposes. Cloud intelligence is disabled by default.

1. To enable cloud intelligence, run the command:
    admin@wf-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
2. To only send WildFire reports for malware:
    admin@wf-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
   If submit-sample is enabled, there is no need to enable submit-report because the WildFire cloud re-analyzes the sample and generates a new report. If the sample is malicious, the cloud will generate a signature.
3. Confirm the setting by running the following command and then refer to the Submit sample and Submit report fields:
    admin@wf-500> show wildfire status

Step 10 (Optional) Enable benign file logging on the firewall. This is a good way to confirm that the firewall is forwarding files to WildFire without having to download real malware. In this case, the Data Filtering log will contain information on the results of the WildFire analysis, even if the verdict is benign. To download sample malware for testing, see Malware Test Samples. This option is disabled by default.

1. Select Device > Setup > WildFire and edit General Settings.
2. Select the Report Benign Files check box to enable and then click OK to save.

You can run the following CLI command to enable benign logging:
    admin@wf-500# set deviceconfig setting wildfire report-benign-file yes

Step 11 Set a password for the portal admin account. This account is used when accessing WildFire reports from a firewall. The default username and password is admin/admin.

1. To change the WildFire portal admin account password:
    admin@wf-500> set wildfire portal-admin password
2. Press enter and type and confirm the new password.

The portal admin account is the only account that can be used for viewing reports from the logs. Only the password can be changed for this account and additional accounts cannot be created for this purpose. This is not the same admin account used to manage the appliance. You can also use the WildFire API to retrieve logs, but in that case you use an API key generated on the WF-500 appliance. See Use the WildFire API on a WF-500 Appliance.

Step 12 Choose the virtual machine image that the appliance will use for file analysis. The image should be based on the attributes that best represent the software installed on your end user computers. Each virtual image contains different versions of operating systems and software, such as Windows XP or Windows 7 32-bit or 64-bit and specific versions of Adobe Reader and Flash. Although you configure the appliance to use one virtual machine image configuration, the appliance uses multiple instances of the image to improve performance.

To view a list of available virtual machines to determine which one best represents your environment:
    admin@wf-500> show wildfire vm-images

View the current virtual machine image by running the following command and refer to the Selected VM field:
    admin@wf-500> show wildfire status

Select the image that the appliance will use for analysis:
    admin@wf-500# set deviceconfig setting wildfire active-vm <vm-image-number>

For example, to use vm-1:
    admin@wf-500# set deviceconfig setting wildfire active-vm vm-1

Where to Go Next:

- Verify the WF-500 Appliance Configuration
- Forward Files to a WF-500 Appliance
- Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support
- Set Up the VM Interface on the WF-500 Appliance

Verify the WF-500 Appliance Configuration

This topic describes how to verify the configuration of the WildFire appliance to ensure that it is ready to receive files from a Palo Alto Networks firewall. For more details on the CLI commands referenced in this workflow, see WildFire Appliance Software CLI Reference.

Step 1 Verify that the appliance is registered and the license is activated.

1. Start an SSH session and connect to the MGT port on the appliance.
2. View the current support information:
    admin@wf-500> request support check
   This will display information about the support site and contract. Confirm that the contract date is valid.
3. Run the following command to check connectivity between the appliance and the WildFire cloud (needed to forward files to the cloud):
    admin@wf-500> test wildfire registration
   The following output indicates that the appliance is registered with one of the Palo Alto Networks WildFire cloud servers.
    Test wildfire
        wildfire registration: successful
        download server list: successful
        select the best server: cs-s1.wildfire.paloaltonetworks.com

Step 2 Check the WildFire server status on the appliance.

1. Display WildFire status:
    admin@wf-500> show wildfire status
    Connection info:
        Wildfire cloud: wildfire.paloaltonetworks.com
        Status: Idle
        Submit sample: enabled
        Submit report: disabled
        Selected VM: vm-5
        VM internet connection: disabled
        VM network using Tor: disabled
        Best server: s1.wildfire.paloaltonetworks.com
        Device registered: yes
        Service route IP address:
        Signature verification: enable
        Server selection: enable
        Through a proxy:
   In the example output, status Idle indicates that the appliance is ready to receive files. Submit sample is enabled, which indicates that the appliance will forward detected malware files to the WildFire Cloud. The Device registered field displays yes, which means the appliance is registered with the WildFire cloud system. The appliance is also configured to use the vm-5 sandbox for sample analysis.
   You must have a WildFire cloud server defined even if you are not forwarding samples to the cloud server. If no cloud server is defined, the Status field will show Disabled by cloud server.
2. After configuring your firewalls to forward files to the appliance as described in Forward Files to a WF-500 Appliance, you can verify the connectivity status of the firewalls from the appliance. To verify that the appliance is receiving files from the firewalls and to verify if the appliance is sending files to the WildFire cloud for signature generation (if cloud intelligence is enabled), enter:
    admin@wf-500> show wildfire statistics days 7
    Last one hour statistics:
    Total sessions submitted : 0
    Samples submitted : 0
    analyzed : 0
    pending : 0
    malicious : 0
    benign : 0
    error : 0
    Uploaded : 0
    Last 7 days statistics:
    Total sessions submitted : 66
    Samples submitted : 34
    analyzed : 34
    pending : 0
    malicious : 2
    benign : 32
    error : 0
    Uploaded : 0
3. (Optional) View more detailed statistics:
    admin@wf-500> show wildfire latest [analysis | samples | sessions | uploads]
   For example, to display details about the recent analysis results, enter:
    admin@wf-500> show wildfire latest analysis

Step 3 Verify that firewalls configured to forward files to the appliance have successfully registered with the WildFire appliance.

1. Display a list of firewalls that have registered with the appliance:
    admin@wf-500> show wildfire last-device-registration all
   The output will include the following information for each firewall that is registered with the appliance: firewall serial number, date registered, IP address, software version, hardware model, and status.

If no firewalls are listed, there may be network connectivity issues between the firewalls and the appliance. Check the network to confirm that the firewalls and WildFire appliance can communicate. You can use ping tests from the appliance to the gateway address, or to one of the firewalls that you configured to forward files to the appliance. For example, if the IP address of the firewall is , you will see replies displayed when running the following CLI command from the appliance:
    admin@wf-500> ping host

To verify the WildFire configuration on the firewalls that are forwarding to the appliance, see Verify Forwarding to a WF-500 Appliance.
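An added example, not part of the Palo Alto Networks guide: a Python script that parses saved output of show wildfire status and show wildfire statistics and reports the conditions the verification steps above ask you to confirm, plus drift from a site policy. The one-field-per-line layout of the saved text, the SITE_POLICY dictionary and the function names are assumptions of this example.

```python
"""Audit saved output of `show wildfire status` and `show wildfire statistics`."""

# Constructed samples. Field names and values follow the example output in the
# guide; the one-field-per-line layout is an assumption about saved CLI text.
STATUS_SAMPLE = """\
Connection info:
    Wildfire cloud:          wildfire.paloaltonetworks.com
    Status:                  Idle
    Submit sample:           enabled
    Submit report:           disabled
    Selected VM:             vm-5
    VM internet connection:  disabled
    VM network using Tor:    disabled
    Best server:             s1.wildfire.paloaltonetworks.com
    Device registered:       yes
    Signature verification:  enable
    Server selection:        enable
"""

STATS_SAMPLE = """\
Last one hour statistics:
Total sessions submitted : 0
Samples submitted : 0
analyzed : 0
pending : 0
malicious : 0
benign : 0
error : 0
Uploaded : 0
Last 7 days statistics:
Total sessions submitted : 66
Samples submitted : 34
analyzed : 34
pending : 0
malicious : 2
benign : 32
error : 0
Uploaded : 0
"""

# Hypothetical site policy: samples must stay on-premises, sandbox is offline.
SITE_POLICY = {"submit sample": "disabled", "vm internet connection": "disabled"}


def parse_status(text):
    """Return {lower-cased field name: value} for every 'Name: value' line."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_statistics(text):
    """Return {window: {counter: int}}, e.g. stats['last 7 days']['malicious']."""
    windows, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().endswith("statistics:"):
            current = line[: -len("statistics:")].strip().lower()
            windows[current] = {}
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep and value.strip().isdigit():
                windows[current][key.strip().lower()] = int(value.strip())
    return windows


def audit(status, stats, policy, window="last 7 days"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    state = status.get("status", "missing")
    # The guide: with no cloud server defined, Status shows "Disabled by cloud server".
    if state == "missing" or state.lower().startswith("disabled"):
        findings.append(f"appliance not ready: Status is '{state}'")
    if status.get("device registered", "").lower() != "yes":
        findings.append("appliance is not registered with a WildFire cloud server")
    for field, wanted in policy.items():
        actual = status.get(field, "missing")
        if actual.lower() != wanted.lower():
            findings.append(f"policy drift: '{field}' is {actual}, expected {wanted}")
    counters = stats.get(window)
    if counters is None:
        findings.append(f"no '{window}' block in statistics output")
    else:
        if counters.get("total sessions submitted", 0) == 0:
            findings.append(f"no sessions from firewalls in {window}")
        if counters.get("error", 0) > 0:
            findings.append(f"{counters['error']} samples ended in error in {window}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_status(STATUS_SAMPLE),
                         parse_statistics(STATS_SAMPLE), SITE_POLICY):
        print("FINDING:", finding)
```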

Set Up the VM Interface on the WF-500 Appliance

The virtual machine interface (vm-interface) provides external network connectivity from the sandbox virtual machines in the WF-500 appliance to enable observation of malicious behaviors in which the file being analyzed seeks network access. The following sections describe the VM interface and the steps required for configuring it. You can optionally enable the Tor feature with the VM interface, which will mask any malicious traffic sent from the WF-500 appliance through the VM interface, so the malware sites that the traffic may be sent to cannot detect your public-facing IP address. This section also describes the steps required to connect the VM interface to a dedicated port on a Palo Alto Networks firewall to enable Internet connectivity.

- Virtual Machine Interface Overview
- Configure the VM Interface on the WF-500 Appliance
- Configure the Firewall to Control Traffic for the WF-500 VM Interface

Virtual Machine Interface Overview

The VM interface (labeled 1 on the back of the appliance) is used by WildFire to improve malware detection capabilities. The interface allows a file sample running on the WildFire virtual machines to communicate with the Internet and enables WildFire to better analyze the behavior of the sample file to determine if it exhibits characteristics of malware.

While it is recommended that you enable the VM interface, it is very important that you do not connect the interface to a network that allows access to any of your servers/hosts because malware that runs in the WildFire virtual machines could potentially use this interface to propagate itself. This connection can be a dedicated DSL line or a network connection that only allows direct access from the VM interface to the Internet and restricts any access to internal servers/client hosts.

The following illustration shows two options for connecting the VM interface to the network.

Virtual Machine Interface Example

- Option-1 (recommended): Connect the VM interface to an interface in a dedicated zone on a firewall that has a policy that only allows access to the Internet. This is important because malware that runs in the WildFire virtual machines can potentially use this interface to propagate itself. This is the recommended option because the firewall logs will provide visibility into any traffic that is generated by the VM interface.
- Option-2: Use a dedicated Internet provider connection, such as a DSL, to connect the VM interface to the Internet. Ensure that there is no access from this connection to internal servers/hosts. Although this is a simple solution, traffic generated by the malware out the VM interface will not be logged unless you place a firewall or a traffic monitoring tool between the WildFire appliance and the DSL connection.

Configure the VM Interface on the WF-500 Appliance

This section describes the steps required to configure the VM interface on the WildFire appliance using the Option 1 configuration detailed in the Virtual Machine Interface Example. After configuring the VM interface using this option, you must also configure an interface on a Palo Alto Networks firewall through which traffic from the VM interface is routed as described in Configure the Firewall to Control Traffic for the WF-500 VM Interface.

By default, the VM interface has the following settings:

- IP Address:
- Netmask:
- Default Gateway:
- DNS:

If you plan on enabling this interface, configure it with the appropriate settings for your network. If you do not plan on using this interface, leave the default settings. Note that this interface must have network values configured or a commit failure will occur.

Configure the VM Interface

Step 1 Set the IP information for the VM interface on the WildFire appliance.

The following settings are used in this example:

- IPv4 address /22
- Subnet Mask
- Default Gateway
- DNS Server

The VM interface cannot be on the same network as the management interface (MGT).

1. Enter configuration mode:
    admin@wf-500> configure
2. Set the IP information for the VM interface:
    admin@wf-500# set deviceconfig system vm-interface ip-address netmask default-gateway dns-server
   You can only configure one DNS server on the VM interface. As a best practice, use the DNS server from your ISP or an open DNS service.

Step 2 Enable the VM interface.

1. Enable the VM interface:
    admin@wf-500# set deviceconfig setting wildfire vm-network-enable yes
2. Commit the configuration:
    admin@wf-500# commit

Step 3 Test connectivity of the VM interface.

Ping a system and specify the VM interface as the source. For example, if the VM interface IP address is , run the following command where ip-or-hostname is the IP or hostname of a server/network that has ping enabled:
    admin@wf-500> ping source host ip-or-hostname
For example:
    admin@wf-500> ping source host

Step 4 (Optional) Enable the Tor network. When this option is enabled, any malicious traffic that the malware generates to the Internet is sent to the Tor network. The Tor network will mask your public facing IP address, so the owners of the malicious site cannot determine the source of the traffic.

1. Enable the Tor network:
    admin@wf-500# set deviceconfig setting wildfire vm-network-use-tor
2. Commit the configuration:
    admin@wf-500# commit

Step 5 Continue to the next section to configure the firewall interface that you will use to connect the VM interface on the appliance. See Configure the Firewall to Control Traffic for the WF-500 VM Interface.

Configure the Firewall to Control Traffic for the WF-500 VM Interface

The following example workflow describes how to connect the VM interface to a port on a Palo Alto Networks firewall. Before connecting the VM interface to the firewall, the firewall must already have an Untrust zone connected to the Internet. In this example, you configure a new zone named wf-vm-zone that will contain the interface used to connect the VM interface on the appliance to the firewall. The policy associated with the wf-vm-zone will only allow communication from the VM interface to the Untrust zone.

Step 1 Configure the interface on the firewall that the VM interface will connect to and set the virtual router. The wf-vm-zone should only contain the interface (ethernet1/3 in this example) used to connect the VM interface on the appliance to the firewall. This is done to avoid having any traffic generated by the malware from reaching other networks.

1. From the web interface on the firewall, select Network > Interfaces and then select an interface, for example Ethernet1/3.
2. In the Interface Type drop-down, select Layer3.
3. On the Config tab, from the Security Zone drop-down box, select New Zone.
4. In the Zone dialog Name field, enter wf-vm-zone and click OK.
5. In the Virtual Router drop-down box, select default.
6. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example /
7. To save the interface configuration, click OK.

Step 2 Create a security policy on the firewall to allow access from the VM interface to the Internet and block all incoming traffic. In this example, the policy name is WildFire VM Interface. Because you will not create a security policy from the Untrust zone to the wf-vm-interface zone, all inbound traffic is blocked by default.

1. Select Policies > Security and click Add.
2. In the General tab, enter a Name.
3. In the Source tab, set the Source Zone to wf-vm-zone.
4. In the Destination tab, set the Destination Zone to Untrust.
5. In the Application and Service/URL Category tabs, leave the default as Any.
6. In the Actions tab, set the Action Setting to Allow.
7. Under Log Setting, select the Log at Session End check box.

If there are concerns that someone might inadvertently add other interfaces to the wf-vm-zone, clone the WildFire VM Interface security policy and then in the Action tab for the cloned rule, select Deny. Make sure this new security policy is listed below the WildFire VM interface policy. This will override the implicit intra-zone allow rule that allows communications between interfaces in the same zone and will deny/block all intra-zone communication.

Step 3 Connect the cables. Physically connect the VM interface on the WildFire appliance to the port you configured on the firewall (Ethernet 1/3 in this example) using a straight through RJ-45 cable. The VM interface is labeled 1 on the back of the appliance.

Step 4 Verify that the VM interface is transmitting and receiving traffic.

1. View the VM interface settings:
    admin@wf-500> show interface vm-interface
2. Verify that received/transmitted counters are incrementing. You can run the following command to generate ping traffic from the VM interface to an external device:
    admin@wf-500> ping source vm-interface-ip host <gateway-ip>
   For example:
    admin@wf-500> ping source host
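An added example, not part of the guide: because the WildFire VM Interface rule logs at session end, the firewall's traffic logs can be reviewed for sandbox traffic that went anywhere other than the Internet, including intra-zone sessions. The CSV column names, the addresses in the sample rows and the INTERNAL_NETS ranges are constructed for this example; only the zone names wf-vm-zone and Untrust come from the text above.

```python
import csv
import io
import ipaddress

VM_ZONE, INTERNET_ZONE = "wf-vm-zone", "Untrust"  # zone names from the guide

# Assumption: address ranges used inside the organization (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a simplified CSV export of firewall traffic logs. The
# column names are hypothetical; map them to the fields of your own export.
LOG_SAMPLE = """\
time,src_zone,dst_zone,src_ip,dst_ip,app,action
2014-09-21 10:01:07,wf-vm-zone,Untrust,10.16.0.20,198.51.100.7,web-browsing,allow
2014-09-21 10:01:09,wf-vm-zone,Untrust,10.16.0.20,203.0.113.40,dns,allow
2014-09-21 10:02:30,wf-vm-zone,wf-vm-zone,10.16.0.20,10.16.0.55,ms-ds-smb,allow
2014-09-21 10:03:12,wf-vm-zone,Trust,10.16.0.20,10.1.4.12,ms-rdp,deny
2014-09-21 10:04:45,Untrust,wf-vm-zone,203.0.113.40,10.16.0.20,ssl,deny
2014-09-21 10:05:02,wf-vm-zone,Untrust,10.16.0.20,10.200.3.9,ssh,allow
2014-09-21 10:06:00,Trust,Untrust,10.1.4.12,198.51.100.7,ssl,allow
"""


def is_internal(ip):
    """True when the address falls inside one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def review_vm_zone_traffic(log_text):
    """Return (severity, time, reason) tuples for sessions that break isolation."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        allowed = row["action"] == "allow"
        from_vm = row["src_zone"] == VM_ZONE
        to_vm = row["dst_zone"] == VM_ZONE
        if from_vm and row["dst_zone"] != INTERNET_ZONE:
            # Covers intra-zone sessions, which the implicit rule would allow
            # if a second interface were ever added to wf-vm-zone.
            severity = "critical" if allowed else "notice"
            reason = (f"{row['app']} from sandbox to zone {row['dst_zone']} "
                      f"({row['dst_ip']}) was {row['action']}")
        elif from_vm and allowed and is_internal(row["dst_ip"]):
            # Zone is Untrust, yet the destination is an internal address.
            severity = "critical"
            reason = f"internal address {row['dst_ip']} reached through {INTERNET_ZONE}"
        elif to_vm and allowed:
            # No rule should permit sessions initiated toward the sandbox.
            severity = "critical"
            reason = f"inbound session from zone {row['src_zone']} into {VM_ZONE} allowed"
        else:
            continue
        findings.append((severity, row["time"], reason))
    return findings


if __name__ == "__main__":
    for severity, when, reason in review_vm_zone_traffic(LOG_SAMPLE):
        print(f"{severity.upper():8} {when}  {reason}")
```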

Manage Content Updates on the WF-500 Appliance

Daily content updates for the WF-500 appliance equip the appliance with the most up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate the malicious from the benign. The updates also ensure that the appliance has the most recent information needed to generate signatures when signature/URL generation is enabled on the appliance. For information on enabling signature generation, see Signature/URL Generation on a WF-500 Appliance.

Install Content Updates Directly from the Update Server
Install Content Updates from an SCP-Enabled Server

Install Content Updates Directly from the Update Server

Step 1  Verify connectivity from the appliance to the update server and identify the content update to install.

1. Log in to the WildFire appliance and run the following command to display the current content version:
   admin@wf-500> show system info | match wf-content-version
2. Confirm that the appliance can communicate with the Palo Alto Networks Update Server and view available updates:
   admin@wf-500> request wf-content upgrade check
   The command queries the Palo Alto Networks Update Server and provides information about available updates and identifies the version that is currently installed on the appliance.

   Version   Size   Released on               Downloaded   Installed
             MB     2014/09/20 20:00:08 PDT   no           no
             MB     2014/02/12 14:04:27 PST   yes          current

If the appliance cannot connect to the update server, you will need to allow connectivity from the appliance to the Palo Alto Networks Update Server, or download and install the update using SCP as described in Install Content Updates from an SCP-Enabled Server.

Step 2  Download and install the latest content update.

1. Download the latest content update:
   admin@wf-500> request wf-content upgrade download latest
2. View the status of the download:
   admin@wf-500> show jobs all
   You can run show jobs pending to view pending jobs. The following output shows that the download (job id 5) has finished downloading (Status FIN):

   Enqueued         ID   Type     Status   Result   Completed
   /04/22 03:42:20  5    Downld   FIN      OK       03:42:23

3. After the download is complete, install the update:
   admin@wf-500> request wf-content upgrade install version latest
   Run the show jobs all command again to monitor the status of the install.

Step 3  Verify the content update.

Run the following command and refer to the wf-content-version field:
   admin@wf-500> show system info
The following shows an example output with content update version installed:

   admin@wf-500> show system info
   hostname: wf-500
   ip-address:
   netmask:
   default-gateway:
   mac-address: 00:25:90:c3:ed:56
   vm-interface-ip-address:
   vm-interface-netmask:
   vm-interface-default-gateway:
   vm-interface-dns-server:
   time: Mon Apr 21 09:59:
   uptime: 17 days, 23:19:16
   family: m
   model: WF-500
   serial: abcd3333
   sw-version:
   wf-content-version:
   wfm-release-date: 2014/08/20 20:00:08
   logdb-version:
   platform-family: m

Step 4  (Optional) Schedule content updates to install the latest updates on the firewall at a set interval.

You can configure the appliance to install daily or weekly and either download only or download and install the updates.

1. Schedule the appliance to download and install content updates:
   admin@wf-500# set deviceconfig system update-schedule wf-content recurring [daily | weekly] action [download-and-install | download-only]
   For example, to download and install updates daily at 8:00 am:
   admin@wf-500# set deviceconfig system update-schedule wf-content recurring daily action download-and-install at 08:00
2. Commit the configuration:
   admin@wf-500# commit

Install Content Updates from an SCP-Enabled Server

The following procedure describes how to install content updates on a WildFire appliance that does not have direct connectivity to the Palo Alto Networks Update Server. You will need a Secure Copy (SCP)-enabled server that will temporarily store the content update.

Step 1  Retrieve the content update file from the update server.

1. Log in to the Palo Alto Networks Support site and click Dynamic Updates.
2. In the WildFire Appliance section, locate the latest WF-500 appliance content update and download it.
3. Copy the content update file to an SCP-enabled server and note the file name and directory path.

Step 2  Install the content update on the WildFire appliance.

1. Log in to the WF-500 appliance and download the content update file from the SCP server:
   admin@wf-500> scp import wf-content from username@host:path
   For example:
   admin@wf-500> scp import wf-content from bart@ :c:/updates/panup-all-wfmeta tgz
   If your SCP server is running on a non-standard port or if you need to specify the source IP, you can also define those options in the scp import command.
2. Install the update:
   admin@wf-500> request wf-content upgrade install file panup-all-wfmeta tgz
   View the status of the install:
   admin@wf-500> show jobs all

Step 3  Verify the content update.

Verify the content version:
   admin@wf-500> show system info | match wf-content-version
The following output now shows version 2-253:
   wf-content-version:

Forward Files to a WF-500 Appliance

The following topics describe how to configure a firewall to forward files to a WF-500 appliance and how to verify the configuration. If you configure the WF-500 appliance to generate signatures and URL updates, you will also want to configure the firewall to retrieve content updates from the appliance. See Signature/URL Generation on a WF-500 Appliance.

If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama Templates to push the WildFire server information, allowed file size, and the session information settings to the firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules. Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis (WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud).

When configuring the WildFire server on Panorama (Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example, if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama setting should point to the IP address or FQDN of the appliance.

Configure a Firewall to Forward Samples to a WF-500 Appliance
Verify Forwarding to a WF-500 Appliance

Configure a Firewall to Forward Samples to a WF-500 Appliance

Perform the following steps on each firewall that will forward samples to the WildFire appliance.

If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed.
WildFire cloud: Uses port 443 for registration and file submissions.
WildFire appliance: Uses port 443 for registration and for file submissions.

Step 1  Verify that the firewall has a WildFire subscription and that dynamic updates are scheduled and are up-to-date. See Best Practices for Keeping Signatures up to Date for recommended settings.

1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions installed.
2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates. If you are using a WildFire appliance that has Signature/URL generation enabled, check those updates as well.
3. Confirm and update the dynamic updates as needed. Stagger the update schedules because the firewall can only perform one update at a time.

Step 2  Define the WildFire server that the firewall will forward files to for analysis.

1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. In the WildFire Server field, enter the IP address or FQDN of the WF-500 appliance.

Step 3  Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.

If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because supported file types that are zipped are automatically sent to WildFire.

If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice. Choosing a category rather than an individual file type also ensures that as support for new file types is added to a given category, those file types automatically become part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire.

1. Select Objects > Security Profiles > File Blocking.
2. Click Add to add a new profile and enter a Name and Description.
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
4. Select the Applications that will match this profile. For example, selecting web-browsing as the application will cause the profile to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire.
6. In the Direction field select upload, download, or both. Selecting both will trigger forwarding whenever a user attempts to upload or download a file.
7. Define an Action as follows (choose Forward for this example):
   Forward: The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user.
   Continue-and-forward: The user is prompted and must click Continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
8. Click OK to save.

Step 4  (Optional) If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users).

1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
2. Select the Response Pages check box.
3. Click OK to save the profile.
4. Select Network > Interfaces and then edit the layer 3 interface or VLAN interface that is your ingress interface.
5. Click the Advanced tab and, from the drop-down menu, select the Interface Mgmt profile that has the response page option enabled.
6. Click OK to save.

Step 5  Enable forwarding of decrypted content.

To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option.

1. Select Device > Setup > Content-ID.
2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
3. Click OK to save the changes.

If you configured multiple virtual systems on the firewall, you must enable this option per VSYS. Select Device > Virtual Systems, click the virtual system you want to modify and select the Allow Forwarding of Decrypted Content check box.

Step 6  Attach the file blocking profile to a security policy.

1. Select Policies > Security.
2. Click Add to create a new policy for the zones that you are applying WildFire forwarding to, or select an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down. If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.

Step 7  (Optional) Modify the maximum file size that the firewall can upload to WildFire.

1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded.

Step 8  (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card.

This is due to the traffic/logging capabilities of the PA-7050 to avoid overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email, and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files and email links to WildFire for analysis. If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type.

The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route. The PA-7050 does not forward logs to Panorama. Panorama will only query the PA-7050 log card for log information.

1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your email servers to enable the firewall to email logs and alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated.

Step 9  (Optional) Modify session options that define what session information to record in WildFire analysis reports.

1. Click the Session Information Settings edit icon.
2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove them from the WildFire analysis reports.
3. Click OK to save the changes.

Step 10  Commit the configuration.

Click Commit to apply the settings. During security policy evaluation, all files that meet the criteria defined in the file blocking policy are forwarded by the firewall to WildFire. For information on viewing analysis reports, see WildFire Reporting. For information on verifying the configuration, see Verify Forwarding to a WF-500 Appliance.

Verify Forwarding to a WF-500 Appliance

This topic describes the steps required to verify that the firewall is properly configured to forward samples to a WF-500 appliance. For information on a test file that you can use to verify the process, see Malware Test Samples.

Step 1  Check the WildFire and Threat Prevention subscriptions and WildFire registration.

The firewall must have a WildFire subscription to forward files to a WildFire appliance. See WildFire Subscription Requirements.

1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
2. Check that the firewall can communicate with a WildFire server for file forwarding:
   admin@pa-200> test wildfire registration
   In the following output, the firewall is pointing to a WildFire appliance. If the firewall is pointing to the WildFire cloud, it will show the hostname of one of the WildFire systems in the WildFire cloud.

   Test wildfire
   wildfire registration: successful
   download server list: successful
   select the best server: s1.wildfire.paloaltonetworks.com

If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required.

Step 2  Confirm that the firewall is sending files to the correct WildFire server.

1. To determine where the firewall is forwarding files (WildFire cloud or WildFire appliance), select Device > Setup > WildFire.
2. Click the General Settings edit button. The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If you configured the firewall to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed.

If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK and the field will auto populate with the default value for the WildFire cloud.

Step 3  Check the logs to verify that files are forwarded to WildFire.

1. Select Monitor > Logs > Data Filtering.
2. View the Action column to determine the forwarding results:
   Forward: Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance.
   Wildfire-upload-success: Indicates that the firewall forwarded the file to WildFire. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.
   Wildfire-upload-skip: Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously.

View the WildFire Logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning analysis reports.

Step 4  Verify the action setting in the file blocking profile.

1. Select Objects > Security Profiles > File Blocking and click the file blocking profile to modify it.
2. Confirm that the action is set to forward or continue-and-forward. If you set it to continue-and-forward, the firewall will only forward http/https traffic because this is the only type of traffic that will allow the firewall to serve a response page to the user.

Step 5  Check the security policy.

1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.

Step 6  Check the WildFire status on the firewall and confirm that the Status field is idle and that Device registered and Valid wildfire license is yes. The output also shows the allowed file size for each file type that the firewall will forward.

View WildFire status:
   admin@pa-200> show wildfire status
The following output shows the IP address of the WF-500 appliance and that status is Idle, which means the appliance is ready to receive files.

   Connection info:
       Wildfire cloud:
       Status: Idle
       Best server: :10443
       Device registered: yes
       Valid wildfire license: yes
       Service route IP address:
       Signature verification: enable
       Server selection: enable
       Through a proxy: no
   File size limit info:
       pe 10 MB
       apk 10 MB
       pdf 1000 KB
       ms-office KB
       jar 10 MB
       flash 5 MB
   Forwarding info:
       file idle time out (second): 90
       total file forwarded: 13
       file forwarded in last minute: 0
       concurrent files: 0

Step 7  Check WildFire statistics to confirm that counters are incrementing.

The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers.

   admin@pa-200> show wildfire statistics
   Packet based counters:
       Total msg rcvd: 4548
       Total bytes rcvd:
       Total msg read: 4545
       Total bytes read:
       Total msg lost by read: 3
       Total DROP_NO_MATCH_FILE 3
       Total files received from DP: 86
   Counters for file cancellation:
       CANCEL_BY_DP 1
       CANCEL_FILE_DUP 3
   Counters for file forwarding:
       file type: apk
       file type: pdf
       file type: -link
       file type: ms-office
       file type: pe
           FWD_CNT_LOCAL_FILE 2
           FWD_CNT_REMOTE_FILE 2
       file type: flash
           FWD_CNT_LOCAL_FILE 80
           FWD_CNT_LOCAL_DUP 3
           FWD_CNT_REMOTE_FILE 43
           FWD_CNT_REMOTE_DUP_CLEAN 22
           FWD_CNT_REMOTE_DUP_MAL 15
       file type: jar
       file type: unknown
       file type: pdns
   Error counters:
       FWD_ERR_CONN_FAIL 24
   Reset counters:
       DP receiver reset cnt: 2
       File cache reset cnt: 2
       Service connection reset cnt: 1
       Log cache reset cnt: 2
       Report cache reset cnt: 2
   Resource meters:
       data_buf_meter 0%
       msg_buf_meter 0%
       ctrl_msg_buf_meter 0%
   File forwarding queues:
       priority: 1, size: 0
       priority: 2, size: 0
       priority: 3, size: 0

Step 8  Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving WildFire signatures. See Best Practices for Keeping Signatures up to Date.

1. Select Device > Dynamic Updates.
2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item. Stagger the update schedules because the firewall can only perform one update at a time.
3. Click Check Now at the bottom of the window to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com.

If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates.

Step 9  Check the registration status and statistics for firewalls forwarding to a WF-500 appliance. See Verify the WF-500 Appliance Configuration.
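The Step 6 and Step 7 checks above can be scripted against saved CLI output. The following is an added example, not part of the guide or of any Palo Alto Networks tooling; the function names are hypothetical, the sample text is constructed with documentation-range addresses, and it assumes the output is saved with one field or counter per line.

```python
import re

# Constructed sample of `show wildfire status` (addresses are placeholders).
STATUS_OK = """\
Connection info:
    Wildfire cloud: 192.0.2.10
    Status: Idle
    Best server: 192.0.2.10:10443
    Device registered: yes
    Valid wildfire license: yes
"""

# Constructed sample of `show wildfire statistics`, reduced to the sections used here.
STATS_OK = """\
Counters for file cancellation:
    CANCEL_BY_DP 1
Counters for file forwarding:
    file type: pdf
    file type: pe
        FWD_CNT_LOCAL_FILE 2
        FWD_CNT_REMOTE_FILE 2
    file type: flash
        FWD_CNT_LOCAL_FILE 80
        FWD_CNT_LOCAL_DUP 3
        FWD_CNT_REMOTE_FILE 43
Error counters:
    FWD_ERR_CONN_FAIL 24
Reset counters:
    DP receiver reset cnt: 2
"""

# An upper-case counter name followed by an integer, e.g. "FWD_CNT_LOCAL_FILE 2".
COUNTER = re.compile(r"^([A-Z][A-Z0-9_]+)\s+(\d+)$")


def parse_status(text):
    """Return {field: value} for each 'field: value' line that has a value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_forwarding(text):
    """Return ({file_type: {counter: n}}, {error_counter: n})."""
    per_type, errors = {}, {}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("file type:"):
            current = line.split(":", 1)[1].strip()
            per_type[current] = {}
            continue
        match = COUNTER.match(line)
        if match:
            name, count = match.group(1), int(match.group(2))
            if section == "counters for file forwarding" and current is not None:
                per_type[current][name] = count
            elif section == "error counters":
                errors[name] = count
            continue
        if line.endswith(":"):
            # A section heading such as "Error counters:" resets the file type.
            section, current = line[:-1].lower(), None
    return per_type, errors


def verify_forwarding(status_text, stats_text):
    """Apply the Step 6 and Step 7 checks; an empty list means both pass."""
    findings = []
    status = parse_status(status_text)
    expected = {
        "status": "idle",
        "device registered": "yes",
        "valid wildfire license": "yes",
    }
    for field, want in expected.items():
        got = status.get(field, "<missing>")
        if got.lower() != want:
            findings.append(f"{field}: expected {want!r}, got {got!r}")
    per_type, _errors = parse_forwarding(stats_text)
    if sum(sum(counters.values()) for counters in per_type.values()) == 0:
        findings.append("all file forwarding counters are 0: firewall is not forwarding files")
    return findings


if __name__ == "__main__":
    for finding in verify_forwarding(STATUS_OK, STATS_OK) or ["forwarding checks passed"]:
        print(finding)
```

Run it on two captures taken a few minutes apart to confirm that the per-file-type counters returned by parse_forwarding are actually incrementing, not just non-zero.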

Signature/URL Generation on a WF-500 Appliance

The WF-500 appliance can generate signatures locally, eliminating the need to send any data to the public cloud in order to block malicious content. The appliance can analyze files forwarded to it from Palo Alto Networks firewalls or from the WildFire API and generate the following types of signatures that block both the malicious files and the associated command and control traffic:

Antivirus signatures: Detect and block malicious files. WildFire adds these signatures to WildFire and Antivirus content updates.
DNS signatures: Detect and block callback domains for command and control traffic associated with malware. WildFire adds these signatures to WildFire and Antivirus content updates.
URL Categorization: Categorizes callback domains as malware and updates the URL category in PAN-DB.

Firewalls must be running PAN-OS 6.1 or later to enable dynamic updates from a WF-500 appliance. In addition, you must configure the firewalls to receive content updates from the WF-500 appliance, which can occur as frequently as every five minutes. You can optionally send the malware sample file (or only the XML report) to the WildFire cloud to enable signature generation for distribution through Palo Alto Networks content releases.

When the local storage on the appliance is full, new signatures/URL categorizations will overwrite existing ones, beginning with the oldest ones first.

The following topics describe how to enable signature/URL generation on the WF-500 appliance and how to configure firewalls to retrieve content updates from the appliance:

Enable Signature/URL Generation on the WF-500 Appliance
Configure the Firewall to Retrieve Updates from a WF-500 Appliance

Enable Signature/URL Generation on the WF-500 Appliance

This workflow describes how to enable a WildFire appliance to generate antivirus signatures, DNS signatures, and URL categorization updates (PAN-DB only) based on samples that the appliance receives from connected firewalls and the WildFire XML API.

Step 1  Before configuring this feature, verify that the WF-500 appliance is configured to receive the latest content updates from Palo Alto Networks.

The content updates will equip the appliance with the most up-to-date threat information for accurate malware detection and signature generation. Follow the procedure described in Manage Content Updates on the WF-500 Appliance.

Step 2  Enable signature/URL generation.

1. Log in to the appliance and type configure to enter configuration mode.
2. Enable all threat prevention options:
   admin@wf-500# set deviceconfig setting wildfire signature-generation av yes dns yes url yes
3. Commit the configuration:
   admin@wf-500# commit

To configure connected firewalls to retrieve updates from the appliance, see Configure the Firewall to Retrieve Updates from a WF-500 Appliance.

Step 3  (Optional) Configure the WF-500 appliance to forward analysis reports or malicious samples to the Palo Alto Networks WildFire cloud.

If Packet Captures (PCAPs) are enabled, the PCAP will also be forwarded with the sample file.

1. To auto submit analysis reports:
   admin@wf-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
   If submit-sample is enabled as described in the following step, there is no need to enable submit-report because the WildFire cloud will re-analyze the sample, generate a new report, and generate a signature for malicious samples.
2. To auto submit file samples:
   admin@wf-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
3. Commit the configuration:
   admin@wf-500# commit

Configure the Firewall to Retrieve Updates from a WF-500 Appliance

If you Enable Signature/URL Generation on the WF-500 Appliance, you can configure your firewalls to retrieve regular content updates from the appliance. This ensures that your network is protected from threats that WildFire detects in your local environment.

As a best practice, you should configure your firewalls to retrieve content updates from the Palo Alto Networks Update Servers and from the WildFire cloud. This will ensure that your firewalls receive signatures based on threats detected worldwide, not just signatures generated by your local WF-500 appliance.

The following workflow describes how to configure a Palo Alto Networks firewall to retrieve content updates from a WildFire appliance.

Step 1  Launch the firewall web interface and go to the Dynamic Updates page.

Select Device > Dynamic Updates.

Step 2  Check for the latest updates.

1. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available:
   Download: Indicates that a new update file is available. Click the link to begin downloading the file directly to the firewall. After successful download, the link in the Action column changes from Download to Install.
   The following screen capture shows the new WF-Private section in Dynamic Updates. This is where you will download updates from the WF-500 appliance.
   To check the status of an action, click Tasks (on the lower right-hand corner of the window).
   Revert: Indicates that the firewall downloaded the corresponding update previously. Click Revert to install the previous version of the update.

Step 3  Install the updates.

Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.

Step 4  Schedule the update.

To receive updates at the minimal interval, configure the firewall to download/install updates every five minutes. See Best Practices for Keeping Signatures up to Date.

1. Click None to the right of Schedule if no schedule is configured. If a schedule exists and you would like to modify it, click the defined schedule.
2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The WF-500 appliance updates are available Every 5 minutes (best practice), Every 15 minutes, Every 30 minutes, or Every Hour.
3. Specify if the firewall will Download And Install the update (best practice) or Download Only.
4. Specify how long after a content release to wait before performing a content update by entering the number of hours to wait in the Threshold (Hours) field. This provides added protection in the event that there are errors in a content release.
5. Click OK to save the schedule settings.
6. Click Commit to save the settings to the running configuration.

Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support

This topic describes how to upgrade the WF-500 appliance operating system and how to install and enable the Windows 7 64-bit Virtual Machine (VM) sandbox environment. Note that when upgrading to version 6.1, you first download and install the Windows 7 64-bit image before upgrading the WF-500 appliance operating system.

The VM images can be as large as 4GB, so you must download them from the Palo Alto Networks update servers and then host them on an SCP-enabled server that you provide. You will then use the SCP client on the appliance to download the images from the SCP-enabled server prior to upgrading the appliance.

The appliance can only use one environment at a time to analyze samples, so after upgrading the appliance, review the list of available VM images and then choose the image that best fits your environment. In the case of Windows 7, if your environment has a mix of Windows 7 32-bit and Windows 7 64-bit systems, it is recommended that you choose the Windows 7 64-bit image, so WildFire will analyze both 32-bit and 64-bit PE files. Although you configure the appliance to use one virtual machine image configuration, to improve performance the appliance uses multiple instances of the image to perform file analyses.

Upgrade the WF-500 appliance before upgrading the firewalls that are configured to forward samples to it.

If you are upgrading to a 6.1 maintenance release, you do not have to install the Windows 7 64-bit image. You only need to download the latest image update and then install.

The following workflow describes how to upgrade the WF-500 appliance and enable the Windows 7 64-bit environment:

WF-500 Appliance Upgrade

Step 1  Determine the upgrade path and download a base image file if needed.

You cannot upgrade directly to the WildFire appliance operating system version 6.1 from version 5.1. Although you do not have to install version (feature release), you must first download the image and then download and install version All releases have the requirement to download the base image files to skip a feature release.

1. Log in to the WF-500 appliance and view system information:
   admin@wf-500> show system info
2. Check the sw-version: field to determine the installed version and proceed as follows:
   If version or later is installed, continue to Step 2.
   If a version prior to is installed, continue the steps in this section.
3. Download the base image:
   admin@wf-500> request system software download version
4. Check the status of the download:
   admin@wf-500> show jobs all
5. After the download completes, continue to Step 2.

WF-500 Appliance Upgrade (Continued)

Step 2 Download the required WildFire files to prepare for the upgrade. In this case, you will need the WildFire operating system image file, the Windows 7 64-bit base image, and the Windows 7 64-bit add-on image.

1. Check the Update Server for the available WildFire operating system software versions:
    admin@wf-500> request system software check
   In this case, look for version The Downloaded column indicates whether the image has been downloaded to the appliance. If the image is already downloaded, you can proceed. If the image is not downloaded, run the following command:
    admin@wf-500> request system software download version
2. To download the Windows 7 64-bit images, go to the Palo Alto Networks Support site, click Software Updates, and in the WF-500 Guest VM Images section locate and download the latest Windows 7 64-bit base image and the Windows 7 64-bit Add-on image.
   The VM files can be as large as 4GB, so ensure that your Secure Copy (SCP) enabled server software supports file transfers over 4GB and verify that there is enough free space to temporarily store the files.
   The file names are similar to the following:
    Base Image: WFWin7_64Base_m-1.0.0_64base
    Add-on Image: WFWin7_64Addon1_m-1.0.0_64addon
3. Move the files to your SCP-enabled server and note the file name and directory path.

Step 3 Download the VM images to the WF-500 appliance.

1. Download the base image file from the SCP-enabled server:
    admin@wf-500> scp import wildfire-vm-image from username@host:path
   For example:
    admin@wf-500> scp import wildfire-vm-image from bart@ :c:/scp/wfwin7_64base_m-1.0.0_64base
   The SCP path following the IP or hostname varies depending on the SCP software that you are using. For Windows, the path is c:/folder/filename or //folder/filename; for Unix/Mac systems, the path is /folder/filename or //folder/filename.
2. Download the add-on image:
    admin@wf-500> scp import wildfire-vm-image from username@host:path
   For example:
    admin@wf-500> scp import wildfire-vm-image from bart@ :c:/scp/wfwin7_64base_m-1.0.0_64addon1

WF-500 Appliance Upgrade (Continued)

Step 4 Install the Windows 7 64-bit VM images.

1. Install the Windows 7 64-bit base image:
    admin@wf-500> request system wildfire-vm-image upgrade install WFWin7_64Base_m-1.0.0_64base
2. Install the Windows 7 64-bit Add-on image:
    admin@wf-500> request system wildfire-vm-image upgrade install WFWin7_64Base_m-1.0.0_64addon1

Step 5 Install the 6.1 operating system image file.

Install the WF-500 appliance operating system image that you downloaded previously:
    admin@wf-500> request system software install version

Step 6 Restart the appliance and confirm that the installation was successful.

1. Confirm that the upgrade has completed by running the following command and looking for the job type Install and status FIN:
    admin@wf-500> show jobs all
    Enqueued ID Type Status Result Completed
    /07/30 10:38:48 2 Downld FIN OK 10:39:08
2. After the upgrade is complete, restart the appliance:
    admin@wf-500> request restart system
3. Verify that the sw-version field shows 6.1:
    admin@wf-500> show system info | match sw-version

Step 7 (Optional) Enable the Windows 7 64-bit sandbox environment.

1. View the active virtual machine image by running the following command and refer to the Selected VM field:
    admin@wf-500> show wildfire status
2. View a list of available virtual machine images:
    admin@wf-500> show wildfire vm-images
   The following output shows that vm-5 is the Windows 7 64-bit image:
    vm-5 Windows 7 64bit, Adobe Reader 11, Flash 11, Office Support PE, PDF, Office 2010 and earlier
3. Select the image to be used for analysis:
    admin@wf-500# set deviceconfig setting wildfire active-vm <vm-image-number>
   For example, to use vm-5, run the following command:
    admin@wf-500# set deviceconfig setting wildfire active-vm vm-5
4. Commit the configuration:
    admin@wf-500# commit
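The Step 6 check (job type Install with status FIN before restarting) can be automated against saved `show jobs all` output. The following is an added example, not part of the guide or of any Palo Alto Networks tooling; the sample rows, the ACT/PEND/FAIL values and the function names are constructed assumptions, and only the column header comes from the guide.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of `show jobs all` output. The column names follow the
# header shown in the guide; the rows, dates, job IDs and the ACT/PEND/FAIL
# values are made up for this example.
SAMPLE_OUTPUT = """\
Enqueued                 ID    Type     Status  Result  Completed
------------------------------------------------------------------
2000/01/01 10:52:10       4    Install  ACT     PEND    45%
2000/01/01 10:41:02       3    Downld   FIN     OK      10:44:30
2000/01/01 10:38:48       2    Downld   FIN     FAIL    10:39:08
"""


class Job(NamedTuple):
    enqueued: str
    job_id: int
    kind: str
    status: str
    result: str
    completed: str


# One job per line: timestamp, numeric ID, then four whitespace-separated fields.
ROW = re.compile(
    r"^(?P<enq>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<id>\d+)\s+(?P<kind>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<completed>\S+)$"
)


def parse_jobs(text: str) -> List[Job]:
    """Return every job row found; header, ruler and blank lines are skipped."""
    jobs = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            jobs.append(Job(match["enq"], int(match["id"]), match["kind"],
                            match["status"], match["result"], match["completed"]))
    return jobs


def latest_job(jobs: List[Job], kind: str) -> Optional[Job]:
    """Pick the highest-numbered job of the given type, or None if absent."""
    matching = [job for job in jobs if job.kind.lower() == kind.lower()]
    return max(matching, key=lambda job: job.job_id) if matching else None


def upgrade_gate(text: str, kind: str = "Install") -> str:
    """Classify the most recent job of `kind`.

    'missing' - no such job was ever queued
    'wait'    - the job exists but its status is not FIN yet
    'failed'  - the job finished with a result other than OK
    'ready'   - the job finished OK; safe to continue to the restart
    """
    job = latest_job(parse_jobs(text), kind)
    if job is None:
        return "missing"
    if job.status != "FIN":
        return "wait"
    return "ready" if job.result == "OK" else "failed"


if __name__ == "__main__":
    for job_kind in ("Install", "Downld"):
        print(job_kind, "->", upgrade_gate(SAMPLE_OUTPUT, job_kind))
```

Only the newest job of each type is considered, so an earlier failed download does not block the gate once a later retry has finished OK.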


Quick Installation Guide Network Management Card Rev.1.1 www.cyberpowersystems.com Quick Installation Guide Network Management Card Intelligent Network Management Card allows UPS to be managed, monitored, and configured via SNMP Card Configuration Tool

More information

Introduction to Mobile Access Gateway Installation

Introduction to Mobile Access Gateway Installation Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

Configuration Guide. Websense Web Security Solutions Version 7.8.1

Configuration Guide. Websense Web Security Solutions Version 7.8.1 Websense Web Security Solutions Version 7.8.1 To help you make the transition to Websense Web Security or Web Security Gateway, this guide covers the basic steps involved in setting up your new solution

More information

WEBTITAN CLOUD. User Identification Guide BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES

WEBTITAN CLOUD. User Identification Guide BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES WEBTITAN CLOUD User Identification Guide This guide explains how to install and configure the WebTitan Cloud Active Directory components required

More information

RBackup Server Installation and Setup Instructions and Worksheet. Read and comply with Installation Prerequisites (In this document)

RBackup Server Installation and Setup Instructions and Worksheet. Read and comply with Installation Prerequisites (In this document) RBackup Server Installation and Setup Instructions and Worksheet Fill out the Installation Worksheet. (In this document) Read and comply with Installation Prerequisites (In this document) Review the Partner

More information

Prestige 324 Quick Start Guide. Prestige 324. Intelligent Broadband Sharing Gateway. Version V3.61(JF.0) May 2004 Quick Start Guide

Prestige 324 Quick Start Guide. Prestige 324. Intelligent Broadband Sharing Gateway. Version V3.61(JF.0) May 2004 Quick Start Guide Prestige 324 Intelligent Broadband Sharing Gateway Version V3.61(JF.0) May 2004 Quick Start Guide 1 1 Introducing the Prestige The Prestige is a broadband sharing gateway with a built-in four-port 10/100

More information

IP Configuration Manual

IP Configuration Manual IP Configuration Manual Safety precautions and warnings Thank you for deciding to use a Frama Franking System. The information in this guide is intended to support you during the configuration of the franking

More information

LifeSize Video Communications Systems Administrator Guide

LifeSize Video Communications Systems Administrator Guide LifeSize Video Communications Systems Administrator Guide November 2009 Copyright Notice 2005-2009 LifeSize Communications Inc, and its licensors. All rights reserved. LifeSize Communications has made

More information

Installation Steps for PAN User-ID Agent

Installation Steps for PAN User-ID Agent Installation Steps for PAN User-ID Agent If you have an Active Directory domain, and would like the Palo Alto Networks firewall to match traffic to particular logged-in users, you can install the PAN User-ID

More information

STARTER KIT. Infoblox DNS Firewall for FireEye

STARTER KIT. Infoblox DNS Firewall for FireEye STARTER KIT Introduction Infoblox DNS Firewall integration with FireEye Malware Protection System delivers a unique and powerful defense against Advanced Persistent Threats (APT) for business networks.

More information

CommandCenter Secure Gateway

CommandCenter Secure Gateway CommandCenter Secure Gateway Quick Setup Guide for CC-SG Virtual Appliance - VMware, XEN, HyperV This Quick Setup Guide explains how to install and configure the CommandCenter Secure Gateway. For additional

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Defender 5.7 - Token Deployment System Quick Start Guide

Defender 5.7 - Token Deployment System Quick Start Guide Defender 5.7 - Token Deployment System Quick Start Guide This guide describes how to install, configure and use the Defender Token Deployment System, based on default settings and how to self register

More information

DEPLOYMENT GUIDE. This document gives a brief overview of deployment preparation, installation and configuration of a Vectra X-series platform.

DEPLOYMENT GUIDE. This document gives a brief overview of deployment preparation, installation and configuration of a Vectra X-series platform. This document gives a brief overview of deployment preparation, installation and configuration of a Vectra X-series platform. Traffic Requirements The Vectra X-series platform detects threats and attacks

More information

Reports and Logging. PAN-OS Administrator s Guide. Version 6.1

Reports and Logging. PAN-OS Administrator s Guide. Version 6.1 Reports and Logging PAN-OS Administrator s Guide Version 6.1 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Deploying Secure Internet Connectivity

Deploying Secure Internet Connectivity C H A P T E R 5 Deploying Secure Internet Connectivity This chapter is a step-by-step procedure explaining how to use the ASDM Startup Wizard to set up the initial configuration for your ASA/PIX Security

More information