WildFire Cloud File Analysis

Transcription

1 WildFire 6.1 Administrator s Guide WildFire Cloud File Analysis Palo Alto Networks WildFire Administrator s Guide Version 6.1

2 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA About this Guide This guide describes the administrative tasks required to use and maintain the Palo Alto Networks WildFire feature. Topics covered include licensing information, configuring firewalls to forward files for inspection, viewing reports, and how to configure and manage the WF-500 appliance. For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to For access to the knowledge base, discussion forums, and videos, refer to For contacting support, for information on the support programs, or to manage your account or devices, refer to For the latest release notes, go to the software downloads page at To provide feedback on the documentation, please write to us at: Palo Alto Networks, Inc Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at All other marks mentioned herein may be trademarks of their respective companies. Revision Date: December 1, WildFire 6.1 Administrator s Guide Palo Alto Networks

3 WildFire Cloud File Analysis The following topics describe how to configure a Palo Alto Networks firewall to forward files to the WildFire cloud for analysis and also describes how to manually upload files using the WildFire Portal. You can also use the WildFire API to submit samples to the WildFire cloud. Forward Samples to the WildFire Cloud Verify Forwarding to the WildFire Cloud Upload Files using the WildFire Cloud Portal Palo Alto Networks WildFire 6.1 Administrator s Guide 59

4 Forward Samples to the WildFire Cloud To configure a Palo Alto Networks firewall to automatically submit samples to the WildFire cloud to identify malware, you must configure a file blocking profile with the forward or continue-and-forward action (forward only for links) and then attach the profile to the security rule that will trigger inspection for zero-day malware. The samples can be specific file types or HTTP/HTTPS links contained in SMTP or POP3 messages. For example, you can configure a policy with a file blocking profile that triggers the firewall to forward a specific file type (PDF for example) to WildFire, or all supported file types that users attempt to download during a web-browsing session. The firewall can forward encrypted files if SSL decryption is configured and the option to forward encrypted files is enabled. To enable WildFire Link Analysis, you simply configure the firewall to forward the file type -link. If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama Templates to push the WildFire server information, allowed file size, and the session information settings to the firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules. Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis (WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). When configuring the WildFire server on Panorama (Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example, if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama setting should point to the IP address or FQDN of the appliance. If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed. WildFire cloud: Uses port 443 for registration and file submissions. WildFire appliance: Uses port 443 for registration and for file submissions. Perform the following steps on each firewall that will forward files to WildFire: Configure a File Blocking Profile and Add it to a Security Profile Step 1 Verify that the firewall has valid Threat Prevention and WildFire subscriptions and that dynamic updates are scheduled and up-to-date. See Best Practices for Keeping Signatures up to Date for recommended settings. Having a WildFire subscription provides many benefits, such as forwarding of advanced file types and receiving WildFire signatures within 15 minutes. For details, see WildFire Subscription Requirements. 1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions. 2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates. 3. If the updates are not scheduled, schedule them now. Stagger the update schedules because the firewall can only perform one update at a time. 60 WildFire 6.1 Administrator s Guide Palo Alto Networks

5 Configure a File Blocking Profile and Add it to a Security Profile (Continued) Step 2 Step 3 Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire. If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because the firewall will automatically forward supported file types that are zipped. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice. Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, they are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire. (Optional) Enable response pages to allow users to decide whether to forward a file. If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users). 1. Select Objects > Security Profiles > File Blocking. 2. Click Add to add a new profile and enter a Name and Description. 3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name. 4. Select the Applications that will match this profile. For example, selecting web-browsing to match any application traffic identified as web-browsing. 5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire or select PE to only forward Portable Executable files. 6. In the Direction field, select upload, download, or both. The both option will trigger forwarding whenever a user attempts to upload or download a file. 7. Define an Action as follows: Forward The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user. Continue-and-forward The user is prompted and must click continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications. 8. Click OK to save. 1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile. 2. Click the Response Pages check box to enable. 3. Click OK to save the profile. 4. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is the ingress interface. 5. On the Advanced tab, select the Interface Mgmt profile that has the response page option enabled. 6. Click OK to save. Palo Alto Networks WildFire 6.1 Administrator s Guide 61

6 Configure a File Blocking Profile and Add it to a Security Profile (Continued) Step 4 Step 5 Enable forwarding of decrypted content. To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option. Attach the file blocking profile to a security policy. 1. Select Device > Setup > Content-ID. 2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content. 3. Click OK to save the changes. If the firewall has multiple virtual systems, you must enable this option per VSYS. In this situation, select Device > Virtual Systems, click the virtual system to be modified and select the Allow Forwarding of Decrypted Content check box. 1. Select Policies > Security. 2. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy. 3. On the Actions tab, select the File Blocking profile from the drop-down. If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile. Step 6 Step 7 (Optional) Modify the maximum file size allowed for upload to WildFire. (Optional) Modify session options that define what session information to record in WildFire analysis reports. 1. Select Device > Setup > WildFire. 2. Click the General Settings edit icon. 3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded. 1. Click the Session Information Settings edit icon. 2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove from the WildFire analysis reports. 3. Click OK to save the changes. 62 WildFire 6.1 Administrator s Guide Palo Alto Networks

7 Configure a File Blocking Profile and Add it to a Security Profile (Continued) Step 8 (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the PA-7050 to avoid overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, , and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files/ s links to WildFire for analysis. If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route. The PA-7050 does not forward logs to Panorama. Panorama will query the PA-7050 log card for log information. 1. Select Network > Interfaces and locate an available port on an NPC. 2. Select the port and change the Interface Type to Log Card. 3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your servers to enable the firewall to logs and alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding. 4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated. Step 9 Commit the configuration. Click Commit to apply the settings. During security policy evaluation, all files that meet the criteria defined in the file blocking policy are forwarded by the firewall to WildFire. For information on viewing WildFire reports, see WildFire Reporting. For information on verifying the configuration, see Verify Forwarding to the WildFire Cloud. Palo Alto Networks WildFire 6.1 Administrator s Guide 63

8 Verify Forwarding to the WildFire Cloud This topic describes the steps required to verify that the firewall is properly configured to forward samples to the WildFire cloud. For information on a test file that you can use to verify the process, see Malware Test Samples. Verify Forwarding to the WildFire Cloud Step 1 Step 2 Check the WildFire and Threat Prevention subscriptions and WildFire registration. Confirm that the firewall is sending files to the correct WildFire system. 1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server. 2. Check that the firewall can communicate with a WildFire server for file forwarding: admin@pa-200> test wildfire registration In the following output, the firewall is pointing to the WildFire cloud. If the firewall is pointing to a WildFire appliance, it will show the FQDN or IP address of the appliance. Test wildfire wildfire registration: successful download server list: successful select the best server: s1.wildfire.paloaltonetworks.com 3. If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required. 1. To determine where the firewall is forwarding files (to the Palo Alto Networks WildFire cloud or to a WildFire appliance), select Device > Setup > WildFire. 2. Click the General Settings edit button. The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If the firewall is configured to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed. If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK and the field will auto populate with the default value for the WildFire cloud. 64 WildFire 6.1 Administrator s Guide Palo Alto Networks

9 Verify Forwarding to the WildFire Cloud (Continued) Step 3 Step 4 Step 5 Check the logs to verify that forwarding is working. For information on enabling header details in logs, see Enable Header Information in WildFire Logs. Verify the action setting in the file blocking profile. Verify that the file blocking profile is in the correct security policy. 1. Select Monitor > Logs > Data Filtering. 2. View the Action column to determine the forwarding results: Forward Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance. Wildfire-upload-success Indicates that the firewall forwarded the file to WildFire. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire. Wildfire-upload-skip Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously. 3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning file analysis results. For more information on WildFire-related logs, see WildFire Logs. 1. Select Objects > Security Profiles > File Blocking and click the file blocking profile. 2. Confirm that the action is set to forward or continue-and-forward. If you set to continue-and-forward, the firewall will only forward http/https traffic because this is the only type of traffic that will allow the firewall to serve a response page to the user. 1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire. 2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down. Palo Alto Networks WildFire 6.1 Administrator s Guide 65

10 Verify Forwarding to the WildFire Cloud (Continued) Step 6 Check the WildFire server status on the appliance. admin@pa-200> show wildfire status When forwarding files to the WildFire cloud, the output should look similar to the following: Connection info: Wildfire cloud: public cloud Status: Idle Best server: s1.wildfire.paloaltonetworks.com Device registered: yes Valid wildfire license: yes Service route IP address: Signature verification: enable Server selection: enable Through a proxy: no Forwarding info: file size limit for pe (MB): 10 file size limit for jar (MB): 1 file size limit for apk (MB): 2 file size limit for pdf (KB): 500 file size limit for ms-office (KB): file idle time out (second): 90 total file forwarded: 1 file forwarded in last minute: 0 concurrent files: 0 66 WildFire 6.1 Administrator s Guide Palo Alto Networks

11 Verify Forwarding to the WildFire Cloud (Continued) Step 7 Check WildFire statistics to confirm that counters are incrementing. The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers. admin@pa-200> show wildfire statistics Packet based counters: Total msg rcvd: Total bytes rcvd: Total msg read: Total bytes read: Total msg lost by read: 48 Total DROP_NO_MATCH_FILE 48 Total files received from DP: 196 Counters for file cancellation: CANCEL_FILE_DUP 11 CANCEL_CONCURRENT_LIMIT 7 Counters for file forwarding: file type: apk file type: pdf file type: -link file type: ms-office file type: pe file type: flash FWD_CNT_LOCAL_FILE 178 FWD_CNT_LOCAL_DUP 11 FWD_CNT_REMOTE_FILE 121 FWD_CNT_REMOTE_DUP_CLEAN 56 FWD_CNT_REMOTE_DUP_TBD 8 FWD_CNT_REMOTE_DUP_MAL 3 file type: jar file type: unknown file type: pdns Error counters: LOG_ERR_REPORT_CACHE_NOMATCH 880 Reset counters: DP receiver reset cnt: 2 File cache reset cnt: 2 Service connection reset cnt: 1 Log cache reset cnt: 2 Report cache reset cnt: 2 Resource meters: data_buf_meter 0% msg_buf_meter 0% ctrl_msg_buf_meter 0% File forwarding queues: priority: 1, size: 0 priority: 2, size: 0 priority: 3, size: 0 Palo Alto Networks WildFire 6.1 Administrator s Guide 67

12 Verify Forwarding to the WildFire Cloud (Continued) Step 8 Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving signatures generated by WildFire. See Best Practices for Keeping Signatures up to Date. 1. Select Device > Dynamic Updates. 2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item. 3. Click Check Now at the bottom of the windows to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com. If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates. 68 WildFire 6.1 Administrator s Guide Palo Alto Networks

13 Upload Files using the WildFire Cloud Portal All Palo Alto Networks customers with a support account can manually upload files to the Palo Alto Networks WildFire portal for analysis. The WildFire portal supports manual uploading of all Supported File Types. Manual Upload to WildFire Step 1 Manually upload a file to WildFire for analysis. 1. Log in to the WildFire Portal. If your firewall is forwarding to the WildFire portal in Japan, use 2. Click the Upload Sample button then click Add files. 3. Navigate to the file, highlight it, and then click Open. The file name will appear below the Add files icon. 4. Click the Start icon to the right of the file, or click the Start upload button if multiple files are waiting for upload. If the file(s) upload successfully, Success will appear next to each file. Step 2 View the analysis results. It will take approximately five minutes for WildFire to complete a file analysis. Because a manual upload is not associated with a specific firewall, manual uploads will appear separately from your registered firewalls and will not show session information in the reports. 5. Close the Uploaded File Information pop-up. 1. Refresh the portal page from your browser. 2. Click Manual under the source column to view the results of manual sample upload. 3. The report page will show a list of all files that have been uploaded to your account. Find the file you uploaded and click the detail icon to the left of the date field. The portal displays a full report of the file analysis detailing the observed file behavior. If WildFire identifies the file as malware, it generates a signature, which is then distributed to all Palo Alto Networks firewalls configured with a WildFire or Threat Prevention subscription. Palo Alto Networks WildFire 6.1 Administrator s Guide 69

14 70 WildFire 6.1 Administrator s Guide Palo Alto Networks