WildFire 6.1 Administrator's Guide
WildFire Cloud File Analysis
Palo Alto Networks WildFire Administrator's Guide, Version 6.1
Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us

About this Guide

This guide describes the administrative tasks required to use and maintain the Palo Alto Networks WildFire feature. Topics covered include licensing information, configuring firewalls to forward files for inspection, viewing reports, and how to configure and manage the WF-500 appliance.

For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
For contacting support, for information on the support programs, or to manage your account or devices, refer to https://support.paloaltonetworks.com.
For the latest release notes, go to the software downloads page at https://support.paloaltonetworks.com/updates/softwareupdates.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
2014-2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: December 1, 2015

2 WildFire 6.1 Administrator's Guide Palo Alto Networks
WildFire Cloud File Analysis

The following topics describe how to configure a Palo Alto Networks firewall to forward files to the WildFire cloud for analysis and also describe how to manually upload files using the WildFire Portal. You can also use the WildFire API to submit samples to the WildFire cloud.

Forward Samples to the WildFire Cloud
Verify Forwarding to the WildFire Cloud
Upload Files using the WildFire Cloud Portal
Forward Samples to the WildFire Cloud

To configure a Palo Alto Networks firewall to automatically submit samples to the WildFire cloud to identify malware, you must configure a file blocking profile with the forward or continue-and-forward action (forward only for email links) and then attach the profile to the security rule that will trigger inspection for zero-day malware. The samples can be specific file types or HTTP/HTTPS links contained in SMTP or POP3 messages. For example, you can configure a policy with a file blocking profile that triggers the firewall to forward a specific file type (PDF for example) to WildFire, or all supported file types that users attempt to download during a web-browsing session. The firewall can forward encrypted files if SSL decryption is configured and the option to forward encrypted files is enabled. To enable WildFire Email Link Analysis, you simply configure the firewall to forward the file type email-link.

If you are using Panorama to manage your firewalls, simplify WildFire administration by using Panorama Templates to push the WildFire server information, allowed file size, and the session information settings to the firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules. Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis (WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). When configuring the WildFire server on Panorama (Panorama > Setup > WildFire), enter the WildFire server that your firewalls are using. For example, if your firewalls are forwarding samples to the WildFire cloud, the Panorama setting should point to the cloud server named wildfire-public-cloud. If your firewalls are forwarding to a WF-500 appliance, the Panorama setting should point to the IP address or FQDN of the appliance.
If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed:
  WildFire cloud: uses port 443 for registration and file submissions.
  WildFire appliance: uses port 443 for registration and 10443 for file submissions.

Perform the following steps on each firewall that will forward files to WildFire:

Configure a File Blocking Profile and Add it to a Security Profile

Step 1  Verify that the firewall has valid Threat Prevention and WildFire subscriptions and that dynamic updates are scheduled and up-to-date. See Best Practices for Keeping Signatures up to Date for recommended settings.
Having a WildFire subscription provides many benefits, such as forwarding of advanced file types and receiving WildFire signatures within 15 minutes. For details, see WildFire Subscription Requirements.
  1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions.
  2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates.
  3. If the updates are not scheduled, schedule them now. Stagger the update schedules because the firewall can only perform one update at a time.
Configure a File Blocking Profile and Add it to a Security Profile (Continued)

Step 2  Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.
If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because the firewall will automatically forward supported file types that are zipped. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice. Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, the new types are automatically made part of the file blocking profile. If you select Any, all supported file types are forwarded to WildFire.
  1. Select Objects > Security Profiles > File Blocking.
  2. Click Add to add a new profile and enter a Name and Description.
  3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
  4. Select the Applications that will match this profile. For example, select web-browsing to match any application traffic identified as web-browsing.
  5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire or select PE to only forward Portable Executable files.
  6. In the Direction field, select upload, download, or both. The both option will trigger forwarding whenever a user attempts to upload or download a file.
  7. Define an Action as follows:
     Forward: The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user.
     Continue-and-forward: The user is prompted and must click continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
  8. Click OK to save.

Step 3  (Optional) Enable response pages to allow users to decide whether to forward a file. If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users).
  1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
  2. Click the Response Pages check box to enable.
  3. Click OK to save the profile.
  4. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is the ingress interface.
  5. On the Advanced tab, select the Interface Mgmt profile that has the response page option enabled.
  6. Click OK to save.
Configure a File Blocking Profile and Add it to a Security Profile (Continued)

Step 4  Enable forwarding of decrypted content. To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option.
  1. Select Device > Setup > Content-ID.
  2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
  3. Click OK to save the changes.
  If the firewall has multiple virtual systems, you must enable this option per VSYS. In this situation, select Device > Virtual Systems, click the virtual system to be modified and select the Allow Forwarding of Decrypted Content check box.

Step 5  Attach the file blocking profile to a security policy.
  1. Select Policies > Security.
  2. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy.
  3. On the Actions tab, select the File Blocking profile from the drop-down. If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.

Step 6  (Optional) Modify the maximum file size allowed for upload to WildFire.
  1. Select Device > Setup > WildFire.
  2. Click the General Settings edit icon.
  3. Set the maximum file size for each file type. For example, if you set PDF to 5MB, any PDF larger than 5MB will not be forwarded.

Step 7  (Optional) Modify session options that define what session information to record in WildFire analysis reports.
  1. Click the Session Information Settings edit icon.
  2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove from the WildFire analysis reports.
  3. Click OK to save the changes.
Configure a File Blocking Profile and Add it to a Security Profile (Continued)

Step 8  (PA-7050 only) If you are configuring log forwarding on a PA-7050 firewall, you must configure a data port on one of the NPCs with the interface type Log Card. This is due to the traffic/logging capabilities of the PA-7050 and avoids overwhelming the MGT port. The log card (LPC) will use this port directly and the port will act as a log forwarding port for syslog, email, and SNMP. The firewall will forward the following log types through this port: traffic, HIP match, threat, and WildFire logs. The firewall also uses this port to forward files and email links to WildFire for analysis. If the port is not configured, a commit error is displayed.
Note that only one data port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route. The PA-7050 does not forward logs to Panorama; Panorama will query the PA-7050 log card for log information.
  1. Select Network > Interfaces and locate an available port on an NPC.
  2. Select the port and change the Interface Type to Log Card.
  3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) that will enable the firewall to communicate with your syslog servers and your email servers, so that the firewall can send logs and email alerts. The port will also need to reach the WildFire cloud or your WildFire appliance to enable file forwarding.
  4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 firewall will automatically use this port as soon as it is activated.

Step 9  Commit the configuration. Click Commit to apply the settings.

During security policy evaluation, all files that meet the criteria defined in the file blocking policy are forwarded by the firewall to WildFire. For information on viewing WildFire reports, see WildFire Reporting.
For information on verifying the configuration, see Verify Forwarding to the WildFire Cloud.
Verify Forwarding to the WildFire Cloud

This topic describes the steps required to verify that the firewall is properly configured to forward samples to the WildFire cloud. For information on a test file that you can use to verify the process, see Malware Test Samples.

Verify Forwarding to the WildFire Cloud

Step 1  Check the WildFire and Threat Prevention subscriptions and WildFire registration.
  1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
  2. Check that the firewall can communicate with a WildFire server for file forwarding:
       admin@pa-200> test wildfire registration
     In the following output, the firewall is pointing to the WildFire cloud. If the firewall is pointing to a WildFire appliance, it will show the FQDN or IP address of the appliance.
       Test wildfire
         wildfire registration:    successful
         download server list:     successful
         select the best server:   s1.wildfire.paloaltonetworks.com
  3. If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required.

Step 2  Confirm that the firewall is sending files to the correct WildFire system.
  1. To determine where the firewall is forwarding files (to the Palo Alto Networks WildFire cloud or to a WildFire appliance), select Device > Setup > WildFire.
  2. Click the General Settings edit button. The U.S.-based WildFire Server is wildfire-public-cloud and the Japan-based WildFire server is wildfire-paloaltonetworks.jp. If the firewall is configured to forward to a WF-500 appliance, the IP address or FQDN of the WildFire appliance is displayed. If you forget the name of the WildFire public cloud, clear the WildFire Server field and click OK and the field will auto populate with the default value for the WildFire cloud.
Verify Forwarding to the WildFire Cloud (Continued)

Step 3  Check the logs to verify that forwarding is working. For information on enabling email header details in logs, see Enable Email Header Information in WildFire Logs.
  1. Select Monitor > Logs > Data Filtering.
  2. View the Action column to determine the forwarding results:
     Forward: Indicates that the sample was successfully forwarded from the dataplane to the management plane on the firewall by a file blocking profile and a security policy. At this point, the firewall has not yet forwarded the sample to the WildFire cloud or a WildFire appliance.
     Wildfire-upload-success: Indicates that the firewall forwarded the file to WildFire. This means that a trusted signer did not sign the file and it has not been previously analyzed by WildFire.
     Wildfire-upload-skip: Indicates that the file is eligible to be sent to WildFire, but did not need to be analyzed because WildFire has already analyzed it previously.
  3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning file analysis results. For more information on WildFire-related logs, see WildFire Logs.

Step 4  Verify the action setting in the file blocking profile.
  1. Select Objects > Security Profiles > File Blocking and click the file blocking profile.
  2. Confirm that the action is set to forward or continue-and-forward. If you set to continue-and-forward, the firewall will only forward http/https traffic because this is the only type of traffic that will allow the firewall to serve a response page to the user.

Step 5  Verify that the file blocking profile is in the correct security policy.
  1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
  2. Click the Actions tab and ensure that the file blocking profile is selected in the File Blocking drop-down.
Verify Forwarding to the WildFire Cloud (Continued)

Step 6  Check the WildFire server status on the appliance.
    admin@pa-200> show wildfire status
  When forwarding files to the WildFire cloud, the output should look similar to the following:
    Connection info:
      Wildfire cloud:             public cloud
      Status:                     Idle
      Best server:                s1.wildfire.paloaltonetworks.com
      Device registered:          yes
      Valid wildfire license:     yes
      Service route IP address:   192.168.2.1
      Signature verification:     enable
      Server selection:           enable
      Through a proxy:            no
    Forwarding info:
      file size limit for pe (MB):          10
      file size limit for jar (MB):         1
      file size limit for apk (MB):         2
      file size limit for pdf (KB):         500
      file size limit for ms-office (KB):   10000
      file idle time out (second):          90
      total file forwarded:                 1
      file forwarded in last minute:        0
      concurrent files:                     0
Verify Forwarding to the WildFire Cloud (Continued)

Step 7  Check WildFire statistics to confirm that counters are incrementing. The following command displays the output of a working firewall and shows counters for each file type that the firewall forwarded to WildFire. If the counter fields all show 0, the firewall is not forwarding files and you should check connectivity between the firewall and the WF-500 appliance. Also verify that the file blocking profile on the firewall is configured correctly and the profile is attached to a security rule that allows file transfers.
    admin@pa-200> show wildfire statistics
    Packet based counters:
      Total msg rcvd:                 12011
      Total bytes rcvd:               10975328
      Total msg read:                 11963
      Total bytes read:               10647634
      Total msg lost by read:         48
      Total DROP_NO_MATCH_FILE        48
      Total files received from DP:   196
    Counters for file cancellation:
      CANCEL_FILE_DUP                 11
      CANCEL_CONCURRENT_LIMIT         7
    Counters for file forwarding:
      file type: apk
      file type: pdf
      file type: email-link
      file type: ms-office
      file type: pe
      file type: flash
      FWD_CNT_LOCAL_FILE              178
      FWD_CNT_LOCAL_DUP               11
      FWD_CNT_REMOTE_FILE             121
      FWD_CNT_REMOTE_DUP_CLEAN        56
      FWD_CNT_REMOTE_DUP_TBD          8
      FWD_CNT_REMOTE_DUP_MAL          3
      file type: jar
      file type: unknown
      file type: pdns
    Error counters:
      LOG_ERR_REPORT_CACHE_NOMATCH    880
    Reset counters:
      DP receiver reset cnt:          2
      File cache reset cnt:           2
      Service connection reset cnt:   1
      Log cache reset cnt:            2
      Report cache reset cnt:         2
    Resource meters:
      data_buf_meter                  0%
      msg_buf_meter                   0%
      ctrl_msg_buf_meter              0%
    File forwarding queues:
      priority: 1, size: 0
      priority: 2, size: 0
      priority: 3, size: 0
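As an added example that is not part of this guide, the following Python script applies the Step 6 and Step 7 checks to captured output of show wildfire status and show wildfire statistics: it confirms registration, license and server selection, and sums the FWD_CNT_* counters per file type so that an all-zero result (the firewall is not forwarding) is easy to spot. The embedded sample outputs are constructed and abridged from the output shown above; attributing the FWD_CNT_* lines to the pe file type in the sample is an assumption.

```python
import re

# Constructed sample, abridged from the 'show wildfire status' output in Step 6.
STATUS_SAMPLE = """Connection info:
  Wildfire cloud:            public cloud
  Status:                    Idle
  Best server:               s1.wildfire.paloaltonetworks.com
  Device registered:         yes
  Valid wildfire license:    yes
"""

# Constructed sample modelled on the Step 7 'show wildfire statistics' output;
# attributing the FWD_CNT_* lines to the pe type is an assumption made for this sample.
STATS_SAMPLE = """Counters for file forwarding:
file type: pe
FWD_CNT_LOCAL_FILE                178
FWD_CNT_LOCAL_DUP                 11
FWD_CNT_REMOTE_FILE               121
FWD_CNT_REMOTE_DUP_CLEAN          56
FWD_CNT_REMOTE_DUP_TBD            8
FWD_CNT_REMOTE_DUP_MAL            3
file type: jar
"""

def parse_kv(text):
    """Parse 'key: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(\S.*?)\s*$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields

def parse_forwarding_counters(text):
    """Return {file_type: {counter: int}} from the 'Counters for file forwarding' section."""
    counters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*file type:\s*(\S+)", line)
        if m:
            current = m.group(1)
            counters.setdefault(current, {})
            continue
        m = re.match(r"\s*(FWD_CNT_\w+)\s+(\d+)", line)
        if m and current is not None:
            counters[current][m.group(1)] = int(m.group(2))
    return counters

def check_status(status_text):
    """Step 6 checks; returns the list of problems found (empty means healthy)."""
    f = parse_kv(status_text)
    problems = []
    if f.get("device registered") != "yes":
        problems.append("firewall is not registered with WildFire")
    if f.get("valid wildfire license") != "yes":
        problems.append("no valid WildFire license")
    if not f.get("best server"):
        problems.append("no WildFire server selected")
    return problems

def forwarded_by_type(stats_text):
    """Step 7 check: sum of FWD_CNT_* per file type, keeping only types that forwarded."""
    counters = parse_forwarding_counters(stats_text)
    return {t: sum(c.values()) for t, c in counters.items() if sum(c.values())}
```

An empty dict from forwarded_by_type is the "all counters show 0" case the step describes, and is the cue to check connectivity and the file blocking profile.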
Verify Forwarding to the WildFire Cloud (Continued)

Step 8  Check the dynamic updates status and schedules to ensure that the firewall is automatically receiving signatures generated by WildFire. See Best Practices for Keeping Signatures up to Date.
  1. Select Device > Dynamic Updates.
  2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item.
  3. Click Check Now at the bottom of the window to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com. If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support site and select Dynamic Updates.
Upload Files using the WildFire Cloud Portal

All Palo Alto Networks customers with a support account can manually upload files to the Palo Alto Networks WildFire portal for analysis. The WildFire portal supports manual uploading of all Supported File Types.

Manual Upload to WildFire

Step 1  Manually upload a file to WildFire for analysis.
  1. Log in to the WildFire Portal. If your firewall is forwarding to the WildFire portal in Japan, use https://wildfire.paloaltonetworks.jp.
  2. Click the Upload Sample button then click Add files.
  3. Navigate to the file, highlight it, and then click Open. The file name will appear below the Add files icon.
  4. Click the Start icon to the right of the file, or click the Start upload button if multiple files are waiting for upload. If the file(s) upload successfully, Success will appear next to each file.
  5. Close the Uploaded File Information pop-up.

Step 2  View the analysis results. It will take approximately five minutes for WildFire to complete a file analysis. Because a manual upload is not associated with a specific firewall, manual uploads will appear separately from your registered firewalls and will not show session information in the reports.
  1. Refresh the portal page from your browser.
  2. Click Manual under the source column to view the results of manual sample upload.
  3. The report page will show a list of all files that have been uploaded to your account. Find the file you uploaded and click the detail icon to the left of the date field. The portal displays a full report of the file analysis detailing the observed file behavior. If WildFire identifies the file as malware, it generates a signature, which is then distributed to all Palo Alto Networks firewalls configured with a WildFire or Threat Prevention subscription.