WF-500 Appliance File Analysis

Transcription

1 WF-500 Appliance File Analysis Palo Alto Networks WildFire Administrator s Guide Version 6.1

2 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA About this Guide This guide describes the administrative tasks required to use and maintain the Palo Alto Networks WildFire feature. Topics covered include licensing information, configuring firewalls to forward files for inspection, viewing reports, and how to configure and manage the WF-500 appliance. For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to For access to the knowledge base, discussion forums, and videos, refer to For contacting support, for information on the support programs, or to manage your account or devices, refer to For the latest release notes, go to the software downloads page at To provide feedback on the documentation, please write to us at: Palo Alto Networks, Inc Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at All other marks mentioned herein may be trademarks of their respective companies. Revision Date: August 24, WildFire 6.1 Administrator s Guide Palo Alto Networks

3 WF-500 Appliance File Analysis This topic describes the WF-500 appliance and how to configure and manage the appliance to prepare it to receive files for analysis. In addition, this topic provides steps for configuring a Palo Alto Networks firewall to forward files to a WildFire appliance for file analysis and also describes how to configure the appliance to provide local signature generation to avoid having to send samples to the WildFire cloud. You can also use the WildFire API to submit and retrieve content from a WF-500 appliance. About the WF-500 Appliance Configure the WF-500 Appliance Set Up the VM Interface on the WF-500 Appliance Manage Content Updates on the WF-500 Appliance Forward Files to a WF-500 Appliance Signature/URL Generation on a WF-500 Appliance Configure the Firewall to Retrieve Updates from a WF-500 Appliance Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support Palo Alto Networks WildFire 6.1 Administrator s Guide 25

4 About the WF-500 Appliance WF-500 Appliance File Analysis About the WF-500 Appliance The WF-500 appliance provides an on-premises WildFire private cloud, enabling you to analyze suspicious files in a sandbox environment without requiring that the firewall sends files outside of the network. To use a WF-500 appliance in place of the WildFire cloud, configure the WildFire server setting on the firewall to point to your WF-500 appliance rather than to the WildFire public cloud server. The WF-500 appliance sandboxes all files locally and analyzes them for malicious behaviors using the same engine used by the WildFire cloud system. Within minutes, the appliance returns the results of the analysis back to the firewall in the WildFire Submissions logs. By default, the WF-500 appliance does not send any files to the Palo Alto Networks WildFire cloud for signature generation. However, you can configure the appliance to generate signatures locally and the connected firewalls can retrieve the updates directly from the appliance. For information on configuring local signature generation and to learn about the types of content updates that the appliance can provide, see Signature/URL Generation on a WF-500 Appliance. The WF-500 appliance has an automatic submission feature that will enable it to only send confirmed malware to the public cloud for signature generation. You can also configure this feature (cloud-intelligence) to only send reports on malware, which will help Palo Alto Networks gather statistics on malware. It is recommended that you configure the appliance to send malware samples to the WildFire cloud, so signatures are generated and distributed to all customers. If you do not want to automatically send all detected malware to the WildFire cloud, you can manually download the malware from the WildFire Analysis Report tab and manually upload to the WildFire Portal. You can configure up to 100 Palo Alto Networks firewalls to forward to a single WildFire appliance. Each firewall must have a valid WildFire subscription to forward files to a WildFire appliance. The WildFire appliance has two interfaces: MGT Receives all files forwarded from the firewalls and returns logs detailing the results back to the firewalls. See Integrate the WF-500 Appliance into a Network. Virtual Machine Interface (VM interface) Provides network access for the WildFire sandbox systems to enable sample files to communicate with the Internet, which allows WildFire to better analyze the behavior of the sample. When the VM interface is configured, WildFire can observe malicious behaviors that the malware would not normally perform without network access, such as phone-home activity. However, to prevent malware from entering your network from the sandbox, configure this interface on an isolated network with an Internet connection. You can also enable the Tor option to hide the public IP addressed used by your company from malicious sites that are accessed by the sample. For more information on the VM interface, see Set Up the VM Interface on the WF-500 Appliance. 26 WildFire 6.1 Administrator s Guide Palo Alto Networks

5 WF-500 Appliance File Analysis Configure the WF-500 Appliance Configure the WF-500 Appliance The following topics describe how to integrate a WildFire appliance into the network: Prerequisites for Configuring the WF-500 Appliance Integrate the WF-500 Appliance into a Network Verify the WF-500 Appliance Configuration Prerequisites for Configuring the WF-500 Appliance Rack mount and cable the WF-500 appliance. Refer to the WF-500 WildFire Appliance Hardware Reference Guide. Obtain the information required to configure network connectivity on the MGT port and the virtual machine interface from your network administrator (IP address, subnet mask, gateway, hostname, DNS server). All communication between the firewalls and the appliance occurs over the MGT port, including file submissions, WildFire log delivery, and appliance administration. Therefore, ensure that the firewalls have connectivity to the MGT port on the appliance. In addition, the appliance must be able to connect to the updates.paloaltonetworks.com site to retrieve its operating system software updates. Have a computer ready with either a console cable or Ethernet cable to connect to the device for the initial configuration. Palo Alto Networks WildFire 6.1 Administrator s Guide 27

6 Configure the WF-500 Appliance WF-500 Appliance File Analysis Integrate the WF-500 Appliance into a Network This section describes the steps required to install a WF-500 appliance on a network and perform basic setup. Integrate the WF-500 Appliance into a Network Step 1 Connect the management computer to the appliance using the MGT or Console port and power on the appliance. 1. Connect to the console port or the MGT port. Both are located on the back of the appliance. Console Port This is a 9-pin male serial connector. Use the following settings on the console application: N-1. Connect the provided cable to the serial port on the management computer or USB-To-Serial converter. MGT Port This is an Ethernet RJ-45 port. By default, the MGT port IP address is The interface on your management computer must be on the same subnet as the MGT port. For example, set the IP address on the management computer to Power on the appliance. The appliance will power on as soon as you connect power to the first power supply and a warning beep will sound until you connect the second power supply. If the appliance is already plugged in and is in the shutdown state, use the power button on the front of the appliance to power on. Step 2 Register the WildFire appliance. 1. Obtain the serial number from the S/N tag on the appliance, or run the following command and refer to the serial field: admin@wf-500> show system info 2. From a browser, navigate to the Palo Alto Networks Support site. 3. Register the device as follows: If this is the first Palo Alto Networks device that you are registering and you do not yet have a login, click Register on the right side of the page. To register, provide an address and the serial number of the device. When prompted, set up a username and password for access to the Palo Alto Networks support community. For existing accounts, log in and then click My Devices. Scroll down to the Register Device section at the bottom of the screen and enter the serial number of the device, the city and postal code, and then click Register Device. 28 WildFire 6.1 Administrator s Guide Palo Alto Networks

7 WF-500 Appliance File Analysis Configure the WF-500 Appliance Integrate the WF-500 Appliance into a Network (Continued) Step 3 Reset the admin password. 1. Log in to the appliance with an SSH client or by using the Console port. Enter a username/password of admin/admin. 2. Set a new password by running the command: admin@wf-500# set password 3. Type the old password, press enter and then enter and confirm the new password. There is no need to commit the configuration because this is an operational command. 4. Type exit to log out and then log back in to confirm that the new password is set. Step 4 Step 5 Set the IP information for the MGT interface and the hostname for the appliance. All firewalls that will send files to the WF-500 appliance will use the MGT port, so ensure that this interface is accessible from those firewalls. This example uses the following values: IPv4 address /22 Subnet Mask Default Gateway Hostname - wildfire-corp1 DNS Server (Optional) Configure additional user accounts for managing the WildFire appliance. You can assign two role types: superuser and superreader. Superuser is equivalent to the admin account, and superreader only has read access. 1. Log in to the appliance with an SSH client or by using the Console port and enter configuration mode: admin@wf-500> configure 2. Set the IP information: admin@wf-500# set deviceconfig system ip-address netmask default-gateway dns-setting servers primary Configure a secondary DNS server by replacing primary with secondary in the above command, excluding the other IP parameters. For example: admin@wf-500# set deviceconfig system dns-setting servers secondary Set the hostname (wildfire-corp1 in this example): admin@wf-500# set deviceconfig system hostname wildfire-corp1 4. Commit the configuration to activate the new management (MGT) port configuration: admin@wf-500# commit 5. Connect the MGT interface port to a network switch. 6. Put the management PC back on your corporate network, or whatever network is required to access the appliance on the management network. 7. From your management computer, use an SSH client to connect to the new IP address or hostname assigned to the MGT port on the appliance. In this example, the IP address is In this example, you will create a superreader account for the user bsimpson: 1. Enter configuration mode: admin@wf-500> configure 2. Create the user account: admin@wf-500# set mgt-config users bsimpson <password> 3. Enter and confirm a new password. 4. Assign the superreader role: admin@wf-500# set mgt-config users bsimpson permissions role-based superreader yes Palo Alto Networks WildFire 6.1 Administrator s Guide 29

8 Configure the WF-500 Appliance WF-500 Appliance File Analysis Integrate the WF-500 Appliance into a Network (Continued) Step 6 (Optional) Configure RADIUS authentication for administrator access. The following steps summarize how to configure RADIUS on the appliance. 1. Create a RADIUS profile using the following options: admin@wf-500# set shared server-profile radius <profile-name> (Configure the RADIUS server and other attributes.) 2. Create an authentication profile: admin@wf-500# set shared authentication-profile <profile-name> method radius server-profile <server-profile-name> 3. Assign the profile to a local admin account: admin@wf-500# set mgt-config users username authentication-profile authentication-profile-name> Step 7 Activate the appliance with the WildFire authorization code that you received from Palo Alto Networks. The WF-500 appliance will function without an auth-code, but it cannot retrieve software updates without a valid auth-code. 1. Change to operational mode: admin@wf-500# exit 2. Fetch and install the WildFire license: admin@wf-500> request license fetch auth-code <auth-code> 3. Verify the license: admin@wf-500> request support check Information about the support site and the support contract date is displayed. Confirm that the date displayed is valid. Step 8 Set the current date/time and timezone. 1. Set the date and time: admin@wf-500> set clock date <YY/MM/DD> time <hh:mm:ss> 2. Enter configuration mode: admin@wf-500> configure 3. Set the local time zone: admin@wf-500# set deviceconfig system timezone <timezone> The time stamp that will appear on the WildFire detailed report will use the time zone set on the appliance. If administrators in various regions will view reports, consider setting the time zone to UTC. Step 9 (Optional) Configure cloud intelligence to enable the WildFire appliance to forward files that contain malware to the Palo Alto Networks WildFire cloud. The WildFire cloud system will re-analyze the sample and will generate a signatures if the sample is malware and will add the signature to the WildFire signature updates. You can also choose to only submit WildFire reports on malware. In this case, Palo Alto Networks uses the reports for statistical purposes. Cloud intelligence is disabled by default. 1. To enable cloud intelligence, run the command: admin@wf-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes 2. To only send WildFire reports for malware: admin@wf-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes If submit-sample is enabled, there is no need to enable submit-report because the WildFire cloud re-analyzes the sample and generates a new report. If the sample is malicious, the cloud will generate a signature. 3. Confirm the setting by running the following command and then refer to the Submit sample and Submit report fields: admin@wf-500> show wildfire status 30 WildFire 6.1 Administrator s Guide Palo Alto Networks

9 WF-500 Appliance File Analysis Configure the WF-500 Appliance Integrate the WF-500 Appliance into a Network (Continued) Step 10 (Optional) Enable benign file logging on the firewall. This is a good way to confirm that the firewall is forwarding files to WildFire without having to download real malware. In this case, the Data Filtering log will contain information on the results of the WildFire analysis, even if the verdict is benign. To download sample malware for testing, see Malware Test Samples. This option is disabled by default. 1. Select Device > Setup > WildFire and edit General Settings. 2. Select the Report Benign Files check box to enable and then click OK to save. You can run the following CLI command to enable benign logging: admin@wf-500# set deviceconfig setting wildfire report-benign-file yes Step 11 Set a password for the portal admin account. This account is used when accessing WildFire reports from a firewall. The default username and password is admin/admin. 1. To change the WildFire portal admin account password: admin@wf-500> set wildfire portal-admin password 2. Press enter and type and confirm the new password. The portal admin account is the only account that can be used for viewing reports from the logs. Only the password can be changed for this account and additional accounts cannot be created for this purpose. This is not the same admin account used to manage the appliance. You can also use the WildFire API to retrieve logs, but in that case you use an API key generated on the WF-500 appliance. See Use the WildFire API on a WF-500 Appliance. Step 12 Choose the virtual machine image that the appliance will use for file analysis. The image should be based on the attributes that best represents the software installed on your end user computers. Each virtual image contains different versions of operating systems and software, such as Windows XP or Windows 7 32-bit or 64-bit and specific versions of Adobe Reader, and Flash. Although you configure the appliance to use one virtual machine image configuration, the appliance uses multiple instances of the image to improve performance. To view a list of available virtual machines to determine which one best represents your environment: admin@wf-500> show wildfire vm-images View the current virtual machine image by running the following command and refer to the Selected VM field: admin@wf-500> show wildfire status Select the image that the appliance will use for analysis: admin@wf-500# set deviceconfig setting wildfire active-vm <vm-image-number> For example, to use vm-1: admin@wf-500# set deviceconfig setting wildfire active-vm vm-1 Palo Alto Networks WildFire 6.1 Administrator s Guide 31

10 Configure the WF-500 Appliance WF-500 Appliance File Analysis Where to Go Next: Verify the WF-500 Appliance Configuration Forward Files to a WF-500 Appliance Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support Set Up the VM Interface on the WF-500 Appliance Verify the WF-500 Appliance Configuration This topic describes how to verify the configuration of the WildFire appliance to ensure that it is ready to receive files from a Palo Alto Networks firewall. For more details on the CLI commands referenced in this workflow, see WildFire Appliance Software CLI Reference. Verify the WF-500 Appliance Configuration Step 1 Verify that the appliance is registered and the license is activated. 1. Start an SSH session and connect to the MGT port on the appliance. 2. View the current support information: admin@wf-500> request support check This will display information about the support site and contract. Confirm that the contract date is valid. 3. Run the following command to check connectivity between the appliance and the WildFire cloud (needed to forward files to the cloud): admin@wf-500> test wildfire registration The following output indicates that the appliance is registered with one of the Palo Alto Networks WildFire cloud servers. Test wildfire wildfire registration: successful download server list: successful select the best server: cs-s1.wildfire.paloaltonetworks.com 32 WildFire 6.1 Administrator s Guide Palo Alto Networks

11 WF-500 Appliance File Analysis Configure the WF-500 Appliance Verify the WF-500 Appliance Configuration (Continued) Step 2 Check the WildFire server status on the appliance. 1. Display WildFire status: admin@wf-500> show wildfire status Connection info: Wildfire cloud: wildfire.paloaltonetworks.com Status: Idle Submit sample: enabled Submit report: disabled Selected VM: vm-5 VM internet connection: disabled VM network using Tor: disabled Best server: s1.wildfire.paloaltonetworks.com Device registered: yes Service route IP address: Signature verification: enable Server selection: enable Through a proxy: In the example output, status Idle indicates that the appliance is ready to receive files. Submit sample is enabled, which indicates that the appliance will forward detected malware files to the WildFire Cloud. The Device registered field displays yes, which means the appliance is registered with the WildFire cloud system. The appliance is also configured to use the vm-5 sandbox for sample analysis. You must have a WildFire cloud server defined even if you are not forwarding samples to the cloud server. If no cloud server is defined, the Status field will show Disabled by cloud server. 2. After configuring your firewalls to forward files to the appliance as described in Forward Files to a WF-500 Appliance, you can verify the connectivity status of the firewalls from the appliance. To verify that the appliance is receiving files from the firewalls and to verify if the appliance is sending files to the WildFire cloud for signature generation (if cloud intelligence is enabled), enter: admin@wf-500> show wildfire statistics days 7 Last one hour statistics: Total sessions submitted : 0 Samples submitted : 0 analyzed : 0 pending : 0 malicious : 0 benign : 0 error : 0 Uploaded : 0 Last 7 days statistics: Total sessions submitted : 66 Samples submitted : 34 analyzed : 34 pending : 0 malicious : 2 benign : 32 error : 0 Uploaded : 0 3. (Optional) View more detailed statistics: admin@wf-500> show wildfire latest [analysis samples sessions uploads] For example, to display details about the recent analysis results, enter: admin@wf-500> show wildfire latest analysis no Palo Alto Networks WildFire 6.1 Administrator s Guide 33

12 Configure the WF-500 Appliance WF-500 Appliance File Analysis Verify the WF-500 Appliance Configuration (Continued) Step 3 Verify that firewalls configured to forward files to the appliance have successfully registered with the WildFire appliance. 1. Display a list of firewalls that have registered with the appliance: admin@wf-500> show wildfire last-device-registration all The output will include the following information for each firewall that is registered with the appliance: firewall serial number, date registered, IP address, software version, hardware model, and status. If no firewalls are listed, there may be network connectivity issues between the firewalls and the appliance. Check the network to confirm that the firewalls and WildFire appliance can communicate. You can use ping tests from the appliance to the gateway address, or to one of the firewalls that you configured to forward files to the appliance. For example, if the IP address of the firewall is , you will see replies displayed when running the following CLI command from the appliance: admin@wf-500> ping host To verify the WildFire configuration on the firewalls that are forwarding to the appliance, see Verify Forwarding to a WF-500 Appliance. 34 WildFire 6.1 Administrator s Guide Palo Alto Networks

13 WF-500 Appliance File Analysis Set Up the VM Interface on the WF-500 Appliance Set Up the VM Interface on the WF-500 Appliance The virtual machine interface (vm-interface) provides external network connectivity from the sandbox virtual machines in the WF-500 appliance to enable observation of malicious behaviors in which the file being analyzed seeks network access. The following sections describe the VM interface and the steps required for configuring it. You can optionally enable the Tor feature with the VM interface, which will mask any malicious traffic sent from the WF-500 appliance through the VM interface, so the malware sites that the traffic may be sent to cannot detect your public-facing IP address. This section also describes the steps required to connect the VM interface to a dedicated port on a Palo Alto Networks firewall to enable Internet connectivity. Virtual Machine Interface Overview Configure the VM Interface on the WF-500 Appliance Configure the Firewall to Control Traffic for the WF-500 VM Interface Virtual Machine Interface Overview The VM interface (labeled 1 on the back of the appliance) is used by WildFire to improve malware detection capabilities. The interface allows a file sample running on the WildFire virtual machines to communicate with the Internet and enables WildFire to better analyze the behavior of the sample file to determine if it exhibits characteristics of malware. While it is recommended that you enable the VM interface, it is very important that you do not connect the interface to a network that allows access to any of your servers/hosts because malware that runs in the WildFire virtual machines could potentially use this interface to propagate itself. This connection can be a dedicated DSL line or a network connection that only allows direct access from the VM interface to the Internet and restricts any access to internal servers/client hosts. The following illustration shows two options for connecting the VM interface to the network. Palo Alto Networks WildFire 6.1 Administrator s Guide 35

14 Set Up the VM Interface on the WF-500 Appliance WF-500 Appliance File Analysis Virtual Machine Interface Example Option-1 (recommended) Connect the VM interface to an interface in a dedicated zone on a firewall that has a policy that only allows access to the Internet. This is important because malware that runs in the WildFire virtual machines can potentially use this interface to propagate itself. This is the recommended option because the firewall logs will provide visibility into any traffic that is generated by the VM interface. Option-2 Use a dedicated Internet provider connection, such as a DSL, to connect the VM interface to the Internet. Ensure that there is no access from this connection to internal servers/hosts. Although this is a simple solution, traffic generated by the malware out the VM interface will not be logged unless you place a firewall or a traffic monitoring tool between the WildFire appliance and the DSL connection. Configure the VM Interface on the WF-500 Appliance This section describes the steps required to configure the VM interface on the WildFire appliance using the Option 1 configuration detailed in the Virtual Machine Interface Example. After configuring the VM interface using this option, you must also configure an interface on a Palo Alto Networks firewall through which traffic from the VM interface is routed as described in Configure the Firewall to Control Traffic for the WF-500 VM Interface. By default, the VM interface has the following settings: IP Address: Netmask: WildFire 6.1 Administrator s Guide Palo Alto Networks

15 WF-500 Appliance File Analysis Set Up the VM Interface on the WF-500 Appliance Default Gateway: DNS: If you plan on enabling this interface, configure it with the appropriate settings for your network. If you do not plan on using this interface, leave the default settings. Note that this interface must have network values configured or a commit failure will occur. Configure the VM Interface Step 1 Set the IP information for the VM interface on the WildFire appliance. The following settings are used in this example: IPv4 address /22 Subnet Mask Default Gateway DNS Server The VM interface cannot be on the same network as the management interface (MGT). 1. Enter configuration mode: admin@wf-500> configure 2. Set the IP information for the VM interface: admin@wf-500# set deviceconfig system vm-interface ip-address netmask default-gateway dns-server You can only configure one DNS server on the VM interface. As a best practice, use the DNS server from your ISP or an open DNS service. Step 2 Enable the VM interface. 1. Enable the VM interface: admin@wf-500# set deviceconfig setting wildfire vm-network-enable yes 2. Commit the configuration: admin@wf-500# commit Step 3 Test connectivity of the VM interface. Ping a system and specify the VM interface as the source. For example, if the VM interface IP address is , run the following command where ip-or-hostname is the IP or hostname of a server/network that has ping enabled: admin@wf-500> ping source host ip-or-hostname For example: admin@wf-500> ping source host Step 4 (Optional) Enable the Tor network. When this option is enabled, any malicious traffic that the malware generates to the Internet is sent to the Tor network. The Tor network will mask your public facing IP address, so the owners of the malicious site cannot determine the source of the traffic. Enable the Tor network: 1. admin@wf-500# set deviceconfig setting wildfire vm-network-use-tor 2. Commit the configuration: admin@wf-500# commit Step 5 Continue to the next section to configure the firewall interface that you will use to connect the VM interface on the appliance. See Configure the Firewall to Control Traffic for the WF-500 VM Interface. Palo Alto Networks WildFire 6.1 Administrator s Guide 37

16 Set Up the VM Interface on the WF-500 Appliance WF-500 Appliance File Analysis Configure the Firewall to Control Traffic for the WF-500 VM Interface The following example workflow describes how to connect the VM interface to a port on a Palo Alto Networks firewall. Before connecting the VM interface to the firewall, the firewall must already have an Untrust zone connected to the Internet. In this example, you configure a new zone named wf-vm-zone that will contain the interface used to connect the VM interface on the appliance to the firewall. The policy associated with the wf-vm-zone will only allow communication from the VM interface to the Untrust zone. Configure the Firewall to Control Traffic for the WF-500 VM Interface Step 1 Configure the interface on the firewall that the VM interface will connect to and set the virtual router. The wf-vm-zone should only contain the interface (ethernet1/3 in this example) used to connect the VM interface on the appliance to the firewall. This is done to avoid having any traffic generated by the malware from reaching other networks. 1. From the web interface on the firewall, select Network > Interfaces and then select an interface, for example Ethernet1/3. 2. In the Interface Type drop-down, select Layer3. 3. On the Config tab, from the Security Zone drop-down box, select New Zone. 4. In the Zone dialog Name field, enter wf-vm-zone and click OK. 5. In the Virtual Router drop-down box, select default. 6. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example / To save the interface configuration, click OK. Step 2 Create a security policy on the firewall to allow access from the VM interface to the Internet and block all incoming traffic. In this example, the policy name is WildFire VM Interface. Because you will not create a security policy from the Untrust zone to the wf-vm-interface zone, all inbound traffic is blocked by default. 1. Select Policies > Security and click Add 2. In the General tab, enter a Name. 3. In the Source tab, set the Source Zone to wf-vm-zone. 4. In the Destination tab, set the Destination Zone to Untrust. 5. In the Application and Service/ URL Category tabs, leave the default as Any. 6. In the Actions tab, set the Action Setting to Allow. 7. Under Log Setting, select the Log at Session End check box. If there are concerns that someone might inadvertently add other interfaces to the wf-vm-zone, clone the WildFire VM Interface security policy and then in the Action tab for the cloned rule, select Deny. Make sure this new security policy is listed below the WildFire VM interface policy. This will override the implicit intra-zone allow rule that allows communications between interfaces in the same zone and will deny/block all intra-zone communication. Step 3 Connect the cables. Physically connect the VM interface on the WildFire appliance to the port you configured on the firewall (Ethernet 1/3 in this example) using a straight through RJ-45 cable. The VM interface is labeled 1 on the back of the appliance. 38 WildFire 6.1 Administrator s Guide Palo Alto Networks

17 WF-500 Appliance File Analysis Set Up the VM Interface on the WF-500 Appliance Configure the Firewall to Control Traffic for the WF-500 VM Interface (Continued) Step 4 Verify that the VM interface is transmitting and receiving traffic. 1. View the VM interface settings: admin@wf-500> show interface vm-interface 2. Verify that received/transmitted counters are incrementing. You can run the following command to generate ping traffic from the VM interface to an external device: admin@wf-500> ping source vm-interface-ip host <gateway-ip> For example: admin@wf-500> ping source host Palo Alto Networks WildFire 6.1 Administrator s Guide 39

18 Manage Content Updates on the WF-500 Appliance WF-500 Appliance File Analysis Manage Content Updates on the WF-500 Appliance Daily content updates for the WF-500 appliance equip the appliance with the most up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate the malicious from the benign. The updates also ensure that the appliance has the most recent information needed to generate signatures when signature/url generation is enabled on the appliance. For information on enabling signature generation, see Signature/URL Generation on a WF-500 Appliance. Install Content Updates Directly from the Update Server Install Content Updates from an SCP-Enabled Server Install Content Updates Directly from the Update Server Install Content Updates Directly from the Update Server Step 1 Verify connectivity from the appliance to the update server and identify the content update to install. 1. Log in to the WildFire appliance and run the following command to display the current content version: admin@wf-500> show system info match wf-content-version 2. Confirm that the appliance can communicate with the Palo Alto Networks Update Server and view available updates: admin@wf-500> request wf-content upgrade check The command queries the Palo Alto Networks Update Server and provides information about available updates and identifies the version that is currently installed on the appliance. Version Size Released on Downloaded Installed MB 2014/09/20 20:00:08 PDT no no MB 2014/02/12 14:04:27 PST yes current If the appliance cannot connect to the update server, you will need to allow connectivity from the appliance to the Palo Alto Networks Update Server, or download and install the update using SCP as described in Install Content Updates from an SCP-Enabled Server. 40 WildFire 6.1 Administrator s Guide Palo Alto Networks

19 WF-500 Appliance File Analysis Manage Content Updates on the WF-500 Appliance Install Content Updates Directly from the Update Server (Continued) Step 2 Download and install the latest content update. 1. Download the latest content update: admin@wf-500> request wf-content upgrade download latest 2. View the status of the download: admin@wf-500> show jobs all You can run show jobs pending to view pending jobs. The following output shows that the download (job id 5) has finished downloading (Status FIN): Enqueued ID Type Status Result Completed /04/22 03:42:20 5 Downld FIN OK 03:42:23 3. After the download is complete, install the update: admin@wf-500> request wf-content upgrade install version latest Run the show jobs all command again to monitor the status of the install. Step 3 Verify the content update. Run the following command and refer to the wf-content-version field: admin@wf-500> show system info The following shows an example output with content update version installed: admin@wf-500> show system info hostname: wf-500 ip-address: netmask: default-gateway: mac-address: 00:25:90:c3:ed:56 vm-interface-ip-address: vm-interface-netmask: vm-interface-default-gateway: vm-interface-dns-server: time: Mon Apr 21 09:59: uptime: 17 days, 23:19:16 family: m model: WF-500 serial: abcd3333 sw-version: wf-content-version: wfm-release-date: 2014/08/20 20:00:08 logdb-version: platform-family: m Step 4 (Optional) Schedule content updates to install the latest updates on the firewall at a set interval. You can configure the appliance to install daily or weekly and either download only or download and install the updates. 1. Schedule the appliance to download and install content updates: admin@wf-500# set deviceconfig system update-schedule wf-content recurring [daily weekly] action [download-and-install download-only] For example, to download and install updates daily at 8:00 am: admin@wf-500# set deviceconfig system update-schedule wf-content recurring daily action download-and-install at 08:00 2. Commit the configuration admin@wf-500# commit Palo Alto Networks WildFire 6.1 Administrator s Guide 41

20 Manage Content Updates on the WF-500 Appliance WF-500 Appliance File Analysis Install Content Updates from an SCP-Enabled Server The following procedure describes how to install content updates on a WildFire appliance that does not have direct connectivity to the Palo Alto Networks Update Server. You will need a Secure Copy (SCP)-enabled server that will temporarily store the content update. Install Content Updates from an SCP-Enabled Server Step 1 Step 2 Retrieve the content update file from the update server. Install the content update on the WildFire appliance. 1. Log in to the Palo Alto Networks Support site and click Dynamic Updates. 2. In the WildFire Appliance section, locate the latest WF-500 appliance content update and download it. 3. Copy the content update file to an SCP-enabled server and note the file name and directory path. 1. Log in to the WF-500 appliance and download the content update file from the SCP server: admin@wf-500> scp import wf-content from username@host:path For example: admin@wf-500> scp import wf-content from bart@ :c:/updates/panup-all-wfmeta tgz If your SCP server is running on a non-standard port or if you need to specify the source IP, you can also define those options in the scp import command. 2. Install the update: admin@wf-500> request wf-content upgrade install file panup-all-wfmeta tgz View status of the install: admin@wf-500> show jobs all Step 3 Verify the content update. Verify the content version: admin@wf-500> show system info match wf-content-version The following output now shows version 2-253: wf-content-version: WildFire 6.1 Administrator s Guide Palo Alto Networks

21 WF-500 Appliance File Analysis Forward Files to a WF-500 Appliance Forward Files to a WF-500 Appliance The following topics describe how to configure a firewall to forward files to a WF-500 appliance and how to verify the configuration. If you configure the WF-500 appliance to generate signatures and URL updates, you will also want to configure the firewall to retrieve content updates from the appliance. See Signature/URL Generation on a WF-500 Appliance. If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama Templates to push the WildFire server information, allowed file size, and the session information settings to the firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules. Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis (WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). When configuring the WildFire server on Panorama (Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example, if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama setting should point to the IP address or FQDN of the appliance. Configure a Firewall to Forward Samples to a WF-500 Appliance Verify Forwarding to a WF-500 Appliance Configure a Firewall to Forward Samples to a WF-500 Appliance Perform the following steps on each firewall that will forward samples to the WildFire appliance: If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed. WildFire cloud: Uses port 443 for registration and file submissions. WildFire appliance: Uses port 443 for registration and for file submissions. Configure a Firewall to Forward Samples to a WF-500 Appliance Step 1 Step 2 Verify that the firewall has a WildFire subscription and that dynamic updates are scheduled and are up-to-date. See Best Practices for Keeping Signatures up to Date for recommended settings. Define the WildFire server that the firewall will forward files to for analysis. 1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions installed. 2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates. If you are using a WildFire appliance that has Signature/URL generation enabled, check those updates as well. 3. Confirm and update the dynamic updates as needed. Stagger the update schedules because the firewall can only perform one update at a time. 1. Select Device > Setup > WildFire. 2. Click the General Settings edit icon. 3. In the WildFire Server field, enter the IP address or FQDN of the WF-500 appliance. Palo Alto Networks WildFire 6.1 Administrator s Guide 43

22 Forward Files to a WF-500 Appliance WF-500 Appliance File Analysis Configure a Firewall to Forward Samples to a WF-500 Appliance (Continued) Step 3 Step 4 Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire. If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because supported file types that are zipped are automatically sent to WildFire. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice. Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, they are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire. (Optional) If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users). 1. Select Objects > Security Profiles > File Blocking. 2. Click Add to add a new profile and enter a Name and Description. 3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name. 4. Select the Applications that will match this profile. For example, selecting web-browsing as the application will cause the profile to match any application traffic identified as web-browsing. 5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire. 6. In the Direction field select upload, download, or both. Selecting both will trigger forwarding whenever a user attempts to upload or download a file. 7. Define an Action as follows (choose Forward for this example): Forward The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user. Continue-and-forward The user is prompted and must click Continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications. 8. Click OK to save. 1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile. 2. Select the Response Pages check box. 3. Click OK to save the profile. 4. Select Network > Interfaces and then edit the layer 3 interface or VLAN interface that is your ingress interface. 5. Click the Advanced tab and select the Interface Mgmt profile that has the response page option enabled and select it from the drop-down menu. 6. Click OK to save. 44 WildFire 6.1 Administrator s Guide Palo Alto Networks

23 WF-500 Appliance File Analysis Forward Files to a WF-500 Appliance Configure a Firewall to Forward Samples to a WF-500 Appliance (Continued) Step 5 Step 6 Step 7 Enable forwarding of decrypted content. To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option. Attach the file blocking profile to a security policy. (Optional) Modify the maximum file size that the firewall can upload to WildFire. 1. Select Device > Setup > Content-ID. 2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content. 3. Click OK to save the changes. If you configured multiple virtual systems on the firewall, you must enable this option per VSYS. Select Device > Virtual Systems, click the virtual system you want to modify and select the Allow Forwarding of Decrypted Content check box. 1. Select Policies > Security. 2. Click Add to create a new policy for the zones that you are applying WildFire forwarding to, or select an existing security policy. 3. On the Actions tab, select the File Blocking profile from the drop-down. If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile. 1. Select Device > Setup > WildFire. 2. Click the General Settings edit icon. 3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded. Palo Alto Networks WildFire 6.1 Administrator s Guide 45

24 Forward Files to a WF-500 Appliance WF-500 Appliance File Analysis Configure a Firewall to Forward Samples to a WF-500 Appliance (Continued) Step 8 Step 9 (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the PA-7050 to avoid overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, , and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files/ s links to WildFire for analysis. If the port is not configured, a commit error is displayed. Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route. The PA-7050 does not forward logs to Panorama. Panorama will only query the PA-7050 log card for log information. (Optional) Modify session options that define what session information to record in WildFire analysis reports. 1. Select Network > Interfaces and locate an available port on an NPC. 2. Select the port and change the Interface Type to Log Card. 3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your servers to enable the firewall to logs and alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding. 4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated. 1. Click the Session Information Settings edit icon. 2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove them from the WildFire analysis reports. 3. Click OK to save the changes. Step 10 Commit the configuration. Click Commit to apply the settings. During security policy evaluation, all files that meet the criteria defined in the file blocking policy are forwarded by the firewall to WildFire. For information on viewing analysis reports, see WildFire Reporting. For information on verifying the configuration, see Verify Forwarding to a WF-500 Appliance. 46 WildFire 6.1 Administrator s Guide Palo Alto Networks

25 WF-500 Appliance File Analysis Forward Files to a WF-500 Appliance Verify Forwarding to a WF-500 Appliance This topic describes the steps required to verify that the firewall is properly configured to forward samples to a WF-500 appliance. For information on a test file that you can use to verify the process, see Malware Test Samples. Verify Forwarding to a WF-500 Appliance Step 1 Step 2 Check the WildFire and Threat Prevention subscriptions and WildFire registration. The firewall must have a WildFire subscription to forward files to a WildFire appliance. See WildFire Subscription Requirements. Confirm that the firewall is sending files to the correct WildFire server. 1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server. 2. Check that the firewall can communicate with a WildFire server for file forwarding: admin@pa-200> test wildfire registration In the following output, the firewall is pointing to a WildFire appliance. If the firewall is pointing to the WildFire cloud, it will show the hostname of one of the WildFire systems in the WildFire cloud. Test wildfire wildfire registration: successful download server list: successful select the best server: s1.wildfire.paloaltonetworks.com If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required. 1. To determine where the firewall is forwarding files (WildFire cloud or WildFire appliance), select Device > Setup > WildFire. 2. Click the General Settings edit button. The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If you configured the firewall to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed. If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK and the field will auto populate with the default value for the WildFire cloud. Palo Alto Networks WildFire 6.1 Administrator s Guide 47