WildFire Administrator's Guide

WildFire Cloud File Analysis

The following topics describe the different methods for sending files to the WildFire Cloud for analysis.

- Forward Files to the WildFire Cloud
- Verify Firewall File Forwarding to the WildFire Cloud
- Upload Files to the WildFire Cloud Portal
- Upload Files and Query WildFire Using the WildFire API

Forward Files to the WildFire Cloud

To configure a firewall to automatically submit files to the WildFire Cloud, you must configure a file blocking profile with the forward or continue-and-forward action and then attach it to the security rule(s) that you want to trigger inspection for zero-day malware. For example, you could configure a policy with a file blocking profile that triggers the firewall to forward a specific file type, or all supported file types that users attempt to download during a web-browsing session. Forwarding of encrypted files is also supported provided that SSL decryption is configured on the firewall and the option to forward encrypted files is enabled.

If your firewalls are managed by Panorama, simplify WildFire administration by using Panorama Templates to push the WildFire server information, allowed file size, and the session information settings to the firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules. Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis (WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud).

If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed.

- WildFire cloud: Uses port 443 for registration and file submissions.
- WildFire appliance: Uses port 443 for registration and 10443 for file submissions.

Perform the following steps on each firewall that will forward files to WildFire:

Configure a File Blocking Profile and Add it to a Security Profile

Step 1. Verify that the firewall has valid Threat Prevention and WildFire subscriptions and that dynamic updates are scheduled and up-to-date.

Having a WildFire subscription provides many benefits, such as forwarding of advanced file types, receiving WildFire signatures within 15 minutes, and more. For details, see WildFire Subscription Requirements.

1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions.
2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates.
3. If the updates are not scheduled, schedule them now. Be sure to stagger the update schedules because only one update can be performed at a time. See Best Practices for Keeping Signatures up to Date for recommended settings.

When configuring a WildFire signature update schedule, you must enter a value other than zero in the Minutes Past Hour field.

Step 2. Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire.

If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because supported file types that are zipped are automatically sent to WildFire.

If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice.

Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, they are automatically made part of the file blocking profile. If you select Any, all supported file types will be forwarded to WildFire.

1. Select Objects > Security Profiles > File Blocking.
2. Click Add to add a new profile and enter a Name and Description.
3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name.
4. Select the Applications that will match this profile. For example, selecting web-browsing as the application will cause the profile to match any application traffic identified as web-browsing.
5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire or select PE to only forward Portable Executable files.
6. In the Direction field select upload, download, or both. The both option will trigger forwarding whenever a user attempts to upload or download a file.
7. Define an Action as follows:
   - Forward: The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user.
   - Continue-and-forward: The user is prompted and must click continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications.
8. Click OK to save.

Step 3. (Optional) Enable response pages to allow users to decide whether to forward a file.

If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users).

1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile.
2. Click the Response Pages check box to enable.
3. Click OK to save the profile.
4. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is the ingress interface.
5. On the Advanced tab, select the Interface Mgmt profile that has the response page option enabled.
6. Click OK to save.

Step 4. Enable forwarding of decrypted content.

To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option.

1. Select Device > Setup > Content-ID.
2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content.
3. Click OK to save the changes.

If the firewall has multiple virtual systems, you must enable this option per VSYS. In this situation, select Device > Virtual Systems, click the virtual system to be modified and select the Allow Forwarding of Decrypted Content check box.

Step 5. Attach the file blocking profile to a security policy.

1. Select Policies > Security.
2. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy.
3. On the Actions tab, select the File Blocking profile from the drop-down. If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile.

Step 6. (Optional) Modify the maximum file size allowed for upload to WildFire.

1. Select Device > Setup > WildFire.
2. Click the General Settings edit icon.
3. Set the maximum size that will be sent for each file type.

Step 7. (Optional) Modify session options that define what session information to record in WildFire analysis reports.

1. Click the Session Information Settings edit icon.
2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove from the WildFire analysis reports.
3. Click OK to save the changes.

Step 8. (PA-7050 only) Enable logging to the PA-7050 firewall.

If you are configuring a PA-7050 firewall, a data port on one of the NPCs must be configured as a log card interface. This is due to the traffic/logging capabilities of the PA-7050 to avoid overwhelming the MGT port. When a data port is configured as type Log Card, log forwarding and WildFire file forwarding will be sent through the Log Card port instead of using the default service route. This port will be used by the log card directly and will act as a log forwarding port for Syslog, Email, SNMP, and WildFire file forwarding. After the port is configured, WildFire file forwarding will use this port, as well as the following log types: traffic, HIP match, threat, and WildFire logs. If the port is not configured, a commit error will be displayed and only one port can be configured with the Log Card type.

The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route.

The PA-7050 does not forward logs to Panorama. Panorama will query the PA-7050 log card for log information.

1. Select Network > Interfaces and locate an available port on an NPC.
2. Select the port and change the Interface Type to Log Card.
3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) for the network that is used to communicate with the systems that you will use to receive logs. For example: Syslog servers and Email servers. For WildFire file forwarding ensure connectivity to the WildFire cloud or a WildFire appliance.
4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 will use this port as soon as it is activated.

Step 9. Commit the configuration.

Click Commit to apply the settings. During security policy evaluation, all files that meet the criteria defined in the file blocking policy will be forwarded to WildFire for analysis. For information on viewing reports for files that have been analyzed, see WildFire Reporting. For information on verifying the configuration, see Verify Firewall File Forwarding to the WildFire Cloud.

Verify Firewall File Forwarding to the WildFire Cloud

This section describes the steps required to verify the WildFire configuration on the firewall. For information on a test file that can be used during the verification process, see Malware Test Samples.

Verify the WildFire Configuration on the Firewall

Step 1. Check the WildFire and Threat Prevention subscriptions and WildFire registration.

1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server.
2. To check that the firewall can communicate with a WildFire system, so files can be forwarded to it for analysis, run the following CLI command:

       admin@pa-200> test wildfire registration

   In the following output, the firewall is pointing to the WildFire cloud. If the firewall is pointing to a WildFire appliance, it will show the FQDN or IP address of the appliance.

       Test wildfire
               wildfire registration:       successful
               download server list:        successful
               select the best server:      s1.wildfire.paloaltonetworks.com

3. If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required.

Step 2. Confirm that the firewall is sending files to the correct WildFire system.

1. To determine where the firewall is forwarding files (to the Palo Alto Networks WildFire cloud or to a WildFire appliance), select Device > Setup > WildFire.
2. Click the General Settings edit button.
3. If the firewall is forwarding files to the WildFire cloud, this field should show wildfire-public-cloud for the U.S. based WildFire cloud, or wildfire.paloaltonetworks.jp for the Japan based WildFire cloud. If the firewall forwards files to a WildFire appliance, the IP address or FQDN of the WildFire appliance will be displayed.

In Panorama, the default cloud name is wildfire-public-cloud.

The best way to set the WildFire Server field back to the default cloud is to clear the field and click OK. The wildfire-default-cloud setting will then be applied.

Step 3. Check the logs.

1. Select Monitor > Logs > Data Filtering.
2. Confirm that files are being forwarded to WildFire by viewing the Action column:
   - Forward: Indicates that the file was successfully forwarded by the file blocking profile and security policy.
   - Wildfire-upload-success: Indicates that the file was sent to WildFire. This means the file is not signed by a trusted file signer and it has not been previously analyzed by WildFire.
   - Wildfire-upload-skip: Indicates that the file was identified as eligible to be sent to WildFire by a file blocking profile/security policy, but did not need to be analyzed by WildFire because it has already been analyzed previously. In this case, the forward action will appear in the Data Filtering log because it was a valid forward action, but it was not sent to WildFire and analyzed because the file has already been sent to the WildFire cloud from another session, possibly from another firewall.
3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning file analysis results.

For more information on WildFire-related logs, see WildFire Logs.

Step 4. Check the file blocking policy.

1. Select Objects > Security Profiles > File Blocking and click the file blocking profile to modify it.
2. Confirm that the action is set to forward or continue-and-forward. If set to continue-and-forward, only http/https traffic will be forwarded because this is the only type of traffic that allows for prompting the user to click continue.

Step 5. Check the security policy.

1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire.
2. Click the Actions tab and ensure that the file blocking policy is selected in the File Blocking drop-down.

Step 6. Check the WildFire status.

    admin@pa-200> show wildfire status

When forwarding files to the WildFire cloud, the output should look similar to the following:

    Connection info:
            Wildfire cloud:                public cloud
            Status:                        Idle
            Best server:                   s1.wildfire.paloaltonetworks.com
            Device registered:             yes
            Valid wildfire license:        yes
            Service route IP address:      192.168.2.1
            Signature verification:        enable
            Server selection:              enable
            Through a proxy:               no

    Forwarding info:
            file size limit for pe (MB):            10
            file size limit for jar (MB):           1
            file size limit for apk (MB):           2
            file size limit for pdf (KB):           500
            file size limit for ms-office (KB):     10000
            file idle time out (second):            90
            total file forwarded:                   1
            file forwarded in last minute:          0
            concurrent files:                       0

If the firewall is forwarding files to a WildFire appliance, the Wildfire cloud: field will display the IP address or FQDN of the appliance and Best server: will not display a value.

Step 7. Check the WildFire statistics.

Use the following command to check statistics to determine if the values have incremented:

    admin@pa-200> show wildfire statistics

The following displays the output of a working firewall. If no values display, the firewall is not forwarding files.

    Packet based counters:
            Total msg rcvd:                 599
            Total bytes rcvd:               480074
            Total msg read:                 599
            Total bytes read:               465698
            Total files received from DP:   2
    Counters for file cancellation:
    Counters for file forwarding:
        file type: apk
        file type: pdf
            FWD_CNT_LOCAL_FILE              1
            FWD_CNT_REMOTE_FILE             1
        file type: ms-office
        file type: pe
            FWD_CNT_LOCAL_FILE              1
            FWD_CNT_REMOTE_DUP_CLEAN        1
        file type: jar
        file type: unknown
        file type: pdns
    Error counters:
            FWD_ERR_UNKNOWN_QUERY_RESPONSE  4
            FWD_ERR_CONN_FAIL               8
    Reset counters:
            DP receiver reset cnt:          2
            File cache reset cnt:           3
            Service connection reset cnt:   1
            Log cache reset cnt:            3
            Report cache reset cnt:         3
    Resource meters:
            data_buf_meter                  0%
            msg_buf_meter                   0%
            ctrl_msg_buf_meter              0%
    File forwarding queues:
            priority: 1, size: 0
            priority: 2, size: 0

Step 8. Check dynamic updates status and schedules to ensure that the firewall is automatically receiving signatures generated by WildFire.

When configuring a WildFire signature update schedule, you must enter a value other than zero in the Minutes Past Hour field. See Best Practices for Keeping Signatures up to Date.

1. Select Device > Dynamic Updates.
2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item. Stagger the update schedules because only one update can be performed at a time.
3. Click Check Now at the bottom of the windows to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com.

If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support and in the Manage Devices section, click Dynamic Updates to see available updates.
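
The Step 6 and Step 7 checks can be scripted against CLI output saved to files. The following is an added example, not code from the guide: it reads the registration and license fields from show wildfire status and compares two show wildfire statistics captures to see which counters incremented. The function names are hypothetical and the sample captures are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the guide): the Step 6 and Step 7 checks run against
# CLI output saved to files. Function names and sample data are constructed.

# Step 6: print the value of one "Label: value" line of `show wildfire status`.
wf_field() {
    awk -v label="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        index($0, label ":") == 1 {
            v = substr($0, length(label) + 2); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# Step 6: succeed only if the firewall reports itself registered and licensed.
wf_status_ok() {
    [ "$(wf_field 'Device registered' < "$1")" = yes ] &&
        [ "$(wf_field 'Valid wildfire license' < "$1")" = yes ]
}

# Step 7: flatten `show wildfire statistics` (stdin) into "key<TAB>value" lines,
# e.g. "pe/FWD_CNT_LOCAL_FILE<TAB>1" or "error/FWD_ERR_CONN_FAIL<TAB>8".
wf_flatten_stats() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^file type:/      { ctx = $3; next }
        /^Error counters:/ { ctx = "error"; next }
        /^[A-Za-z ]+:$/    { ctx = ""; next }    # any other section header
        /^FWD_[A-Z_]+[ \t]+[0-9]+$/      { print ctx "/" $1 "\t" $2; next }
        /^Total files received from DP:/ { print "dp/files_received\t" $NF }'
}

# Step 7: print "key<TAB>increase" for every counter that grew between two
# flattened snapshots ($1 = earlier, $2 = later). Missing counters count as 0.
wf_stats_delta() {
    awk -F '\t' '
        FILENAME == ARGV[1] { before[$1] = $2; next }
        ($2 - before[$1]) > 0 { print $1 "\t" ($2 - before[$1]) }' "$1" "$2"
}

# Step 7 verdict from two raw captures: "forwarding" if any FWD_CNT_* counter
# grew, "errors-only" if only FWD_ERR_* counters grew, otherwise "idle".
wf_forwarding_verdict() {
    tmp=$(mktemp -d) || return 2
    wf_flatten_stats < "$1" > "$tmp/a"
    wf_flatten_stats < "$2" > "$tmp/b"
    delta=$(wf_stats_delta "$tmp/a" "$tmp/b")
    rm -rf "$tmp"
    case "$delta" in
        *"/FWD_CNT_"*) echo forwarding ;;
        *"error/FWD_ERR_"*) echo errors-only ;;
        *) echo idle ;;
    esac
}

# Constructed sample captures (trimmed to the lines the checks read).
wf_sample_status() { cat <<'EOF'
Connection info:
        Wildfire cloud:                public cloud
        Device registered:             yes
        Valid wildfire license:        yes
EOF
}
wf_sample_before() { cat <<'EOF'
Packet based counters:
        Total files received from DP:   2
Counters for file forwarding:
    file type: pe
        FWD_CNT_LOCAL_FILE              1
        FWD_CNT_REMOTE_DUP_CLEAN        1
Error counters:
        FWD_ERR_CONN_FAIL               8
EOF
}
wf_sample_after() { cat <<'EOF'
Packet based counters:
        Total files received from DP:   3
Counters for file forwarding:
    file type: pe
        FWD_CNT_LOCAL_FILE              2
        FWD_CNT_REMOTE_DUP_CLEAN        1
Error counters:
        FWD_ERR_CONN_FAIL               9
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
wf_sample_status > "$demo_dir/status"; wf_sample_before > "$demo_dir/t0"; wf_sample_after > "$demo_dir/t1"
wf_status_ok "$demo_dir/status" && echo "registration and license: ok"
echo "verdict: $(wf_forwarding_verdict "$demo_dir/t0" "$demo_dir/t1")"
rm -rf "$demo_dir"
```

Take the second capture after downloading a file that matches the file blocking profile; an "idle" verdict then points back to Steps 3 through 5.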

Upload Files to the WildFire Cloud Portal

All Palo Alto Networks customers with a support account can manually upload files to the Palo Alto Networks WildFire portal for analysis. The WildFire portal supports manual upload of all supported file types.

The following procedure describes the steps to upload files manually:

Manual Upload to WildFire

Step 1. Upload a file to be analyzed by WildFire.

1. Log in to the WildFire Portal at one of the following URLs: https://wildfire.paloaltonetworks.com or https://wildfire.paloaltonetworks.jp.
2. Click the Upload File button near the upper right side of the page and click Choose File.
3. Navigate to the file, highlight it, and then click Open. The file name will appear next to Choose File.
4. Click the Upload button to upload the file to WildFire. If the file uploads successfully, an Uploaded File Information pop-up similar to the following will display:
5. Close the Uploaded File Information pop-up.

Step 2. View the analysis results. It will take approximately five minutes for WildFire to complete a file analysis.

Because a manual upload is not associated with a specific firewall, manual uploads will appear separately from your registered firewalls and will not show session information in the reports.

1. Refresh the portal page from your browser.
2. A Manual line item will be displayed in the Device list of your portal page and the analysis result Malware or Benign will also be displayed. Click the word Manual.
3. The report page will show a list of all files that have been uploaded to your account. Find the uploaded file and click the detail icon to the left of the date field.

The portal displays a full report of the file analysis detailing the observed file behavior, including the user that was targeted, the application that delivered the malware, and all URLs involved in the delivery or phone-home activity of the sample.

If WildFire identifies the file as malware, it generates a signature, which will be distributed to all Palo Alto Networks firewalls configured for Threat Prevention. Firewalls with a WildFire subscription can download these signatures on a sub-hourly basis.

Upload Files and Query WildFire Using the WildFire API

The WildFire API enables you to programmatically send file analysis jobs to the WildFire cloud and query the system for report data through a simple XML API interface.

This section contains the following topics:

- About WildFire Subscriptions and API Keys
- How to Use the WildFire API?
- WildFire API File Submission Methods
- Query WildFire for a PDF or XML Report
- Use the API to Retrieve a Sample Malware Test File
- Use the API to Retrieve a Sample File or PCAP

About WildFire Subscriptions and API Keys

Access to the WildFire API key is provided if at least one Palo Alto Networks firewall has an active WildFire subscription registered to an account holder in your organization. You can share the same API key within your organization. The API key is displayed in the My Account section of the WildFire web portal, along with statistics, such as how many uploads and queries have been performed using the key. The key should be considered secret and should not be shared outside of authorized channels.

How to Use the WildFire API?

The WildFire API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as curl or using any scripting or application framework that supports REST services.

The API methods are hosted at https://wildfire.paloaltonetworks.com and the HTTPS protocol (not HTTP) is required in order to protect your API key and any other data exchanged with the service.

A WildFire API key allows up to 100 sample uploads per day and up to 1000 report queries per day.

WildFire API File Submission Methods

Use the following methods to submit files to WildFire:

- Submit a File to the WildFire Cloud Using the Submit File Method
- Submit a File to WildFire Using the Submit URL Method

Submit a File to the WildFire Cloud Using the Submit File Method

The WildFire API can be used to submit all supported file types (APK, PE, PDF, Microsoft Office, Java Applet). The file along with your API key is required when submitting to have WildFire open the file in a sandbox environment and analyze the file for potentially malicious behaviors. The return code of the submit-file method indicates a success or error condition. If a 200 OK code was returned, the submission was successful and a result is normally available for query within five minutes.

The following table describes the API attributes needed to submit files to the WildFire cloud using the submit file method:

    URL      https://wildfire.paloaltonetworks.com/publicapi/submit/file
    Method   POST

    Parameters
      apikey   Your WildFire API key
      file     The sample file to be analyzed

    Return
      200 OK                         Indicates success and report will be returned
      401 Unauthorized               API key invalid
      405 Method Not Allowed         Method other than POST used
      413 Request Entity Too Large   Sample file size over max limit
      418 Unsupported File Type      Sample file type is not supported
      419 Max Request Reached        Max number of uploads per day exceeded
      500                            Internal error
      513                            File upload failed

Submit a File to WildFire Using the Submit URL Method

Use the submit-url method to submit a file for analysis via a URL. This method is identical in interface and functionality to the submit-file method, except that the file parameter is replaced with a url parameter. The url parameter must point to an accessible supported file type. If a 200 OK code is returned, the submission is successful and a result is usually available for query within five minutes.

The following table describes the API attributes needed to submit files to the WildFire cloud using a URL:

    URL      https://wildfire.paloaltonetworks.com/publicapi/submit/url
    Method   POST

    Parameters
      apikey   Your WildFire API key
      url      The URL for the file to be analyzed

    Return
      200 OK                         Indicates success and report will be returned
      401 Unauthorized               API key invalid
      405 Method Not Allowed         Method other than POST used
      413 Request Entity Too Large   Sample file size over max limit
      418 Unsupported File Type      Sample file type is not supported
      419 Max Request Reached        Max number of uploads per day exceeded
      422                            URL download error
      500                            Internal error

Code Examples for File Submit

The following curl command demonstrates how to submit a file to WildFire using the submit file method:

    curl -k -F apikey=yourapikey -F file=@local-file-path https://wildfire.paloaltonetworks.com/publicapi/submit/file

The following shell code example demonstrates a simple script to submit a file to the WildFire API for analysis. The API key is provided as the first parameter and the path to the file is the second parameter:

    #!/bin/sh
    # Manually upload a sample to WildFire using an API key
    # Parameter 1: API key
    # Parameter 2: location of the file
    key=$1
    file=$2
    # Quote the values so keys and paths containing spaces are passed intact
    /usr/bin/curl -i -k -F "apikey=$key" -F "file=@$file" https://wildfire.paloaltonetworks.com/publicapi/submit/file

The following curl command demonstrates how to submit a file to WildFire using the submit URL method:

    curl -k -F apikey=yourapikey -F url=url https://wildfire.paloaltonetworks.com/publicapi/submit/url

Query WildFire for a PDF or XML Report

Use the get report method to query for an XML or PDF report of analysis results for a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query.

The following table describes the API attributes needed to query for reports:

    URL      https://wildfire.paloaltonetworks.com/publicapi/get/report
    Method   POST

    Parameters
      hash     The MD5 or SHA-256 hash value of the sample
      apikey   Your WildFire API key
      format   Report format: PDF or XML

    Return
      200 OK                   Indicates success and report will be returned
      401 Unauthorized         API key invalid
      404 Not Found            The report was not found
      405 Method Not Allowed   Method other than POST used
      419                      Request report quota exceeded
      420                      Insufficient arguments
      421                      Invalid arguments
      500                      Internal error

Example API Query for PDF or XML Report

The following curl command demonstrates a query for a PDF report using the MD5 hash of a sample file:

    curl -k -F hash=1234556 -F format=pdf -F apikey=yourapikey https://wildfire.paloaltonetworks.com/publicapi/get/report

Note: To retrieve the XML version of the report, just replace format=pdf with format=xml. For example:

    curl -k -F hash=1234556 -F format=xml -F apikey=yourapikey https://wildfire.paloaltonetworks.com/publicapi/get/report

Use the API to Retrieve a Sample Malware Test File

The following describes the API syntax to retrieve a sample malware file, which can be used to test end-to-end WildFire sample processing. For details on the sample file, see Malware Test Samples.

To retrieve the file using the API:

    API : GET https://wildfire.paloaltonetworks.com/publicapi/test/pe

This will return a test file and every API call will return a similar file, but with a different SHA256 value. If there is a problem retrieving the file, a 500-Internal Server error will be returned.

To retrieve the test file using curl:

    curl -k https://wildfire.paloaltonetworks.com/publicapi/test/pe
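
The submit-file and get-report methods combine into one workflow: hash the sample locally, submit it, then poll for the XML report and act on the documented return codes. The script below is an added example, not code from the guide. It passes the key to curl through a config stream on stdin so it does not show up in the process list, and it omits -k so curl verifies the server certificate. The WILDFIRE_API_KEY variable, the function names, the polling defaults, and the choice to treat 404 as "not ready yet" and 500/513 as retryable are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide). Needs curl and sha256sum (or shasum).
# Function names, WILDFIRE_API_KEY and the polling defaults are assumptions.
WF_BASE="https://wildfire.paloaltonetworks.com/publicapi"

# SHA-256 of a file; used as the get-report search key.
wf_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Map a return code from the guide's tables to the caller's next move:
#   done  - request succeeded
#   wait  - 404 on get/report: assumed to mean analysis has not finished
#   quota - 419: daily upload or query limit reached, stop for today
#   retry - 500/513: server-side failure (assumed safe to try again)
#   fatal - fix the key, method, size, type or arguments first
wf_next_action() {
    case "$1" in
        200) echo done ;;
        404) echo wait ;;
        419) echo quota ;;
        500|513) echo retry ;;
        *) echo fatal ;;
    esac
}

# POST a multipart form to $WF_BASE/$1, save the body to $2 and print the HTTP
# status. Remaining arguments are form fields. The API key travels in a curl
# config stream on stdin (-K -), so it never appears in any process's argv.
# Assumes the key contains no double quote or backslash.
wf_post() {
    method=$1; out=$2; shift 2
    for field in "$@"; do set -- "$@" -F "$field"; shift; done
    printf 'form = "apikey=%s"\n' "$WILDFIRE_API_KEY" |
        curl -sS -K - "$@" -o "$out" -w '%{http_code}' "$WF_BASE/$method"
}

# Submit $1, then poll up to $2 times, $3 seconds apart, for the XML report.
# Each poll counts against the 1000-queries-per-day limit. Prints the report
# file name on success.
wf_submit_and_fetch() {
    sample=$1; tries=${2:-10}; interval=${3:-60}
    [ -n "${WILDFIRE_API_KEY:-}" ] || { echo "WILDFIRE_API_KEY is not set" >&2; return 2; }
    [ -r "$sample" ] || { echo "cannot read $sample" >&2; return 2; }
    hash=$(wf_sha256 "$sample") || return 1
    code=$(wf_post submit/file /dev/null "file=@$sample") || return 1
    [ "$(wf_next_action "$code")" = done ] || { echo "submit failed: HTTP $code" >&2; return 1; }
    while [ "$tries" -gt 0 ]; do
        sleep "$interval"
        code=$(wf_post get/report "report-$hash.xml" "hash=$hash" "format=xml") || return 1
        case "$(wf_next_action "$code")" in
            done) echo "report-$hash.xml"; return 0 ;;
            wait|retry) tries=$((tries - 1)) ;;
            *) echo "query failed: HTTP $code" >&2; return 1 ;;
        esac
    done
    echo "no report for $hash after polling" >&2
    return 1
}

# Runs only when a sample path is given, e.g.: WILDFIRE_API_KEY=... sh wf.sh sample.exe
if [ "$#" -ge 1 ]; then wf_submit_and_fetch "$@"; fi
```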

Use the API to Retrieve a Sample File or PCAP

- Use the API to Retrieve a Sample File
- Use the API to Retrieve a Packet Capture (PCAP)

Use the API to Retrieve a Sample File

Use the get-sample method to retrieve a particular sample. You can use either the MD5 or SHA-256 hash of the sample file as a search query.

    URL      https://wildfire.paloaltonetworks.com/publicapi/get/sample
    Method   POST

    Parameters
      hash     The MD5 or SHA-256 hash value of the sample
      apikey   Your WildFire API key

    Return
      200 OK                   Indicates success and sample will be returned
      401 Unauthorized         API key invalid
      403 Forbidden            Permission Denied
      404 Not Found            The sample was not found
      405 Method Not Allowed   Method other than POST used
      419                      Request sample quota exceeded
      420                      Insufficient arguments
      421                      Invalid arguments
      500                      Internal error

Example API Query for Get-Sample

The following curl command demonstrates a query for a sample using the sample's MD5 hash:

    curl -k -F hash=md5hash -F apikey=yourapikey https://wildfire.paloaltonetworks.com/publicapi/get/sample

Use the API to Retrieve a Packet Capture (PCAP)

Use the get-pcap method to query for a PCAP recorded during analysis of a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query. You can optionally define the platform of the desired PCAP to specify which PCAP should be returned. If no platform is specified, the method returns a PCAP from a session that yielded a verdict of Malware.

Samples uploaded prior to August 2014 are not guaranteed to return a PCAP if no platform parameter is supplied.

The following table describes the available platform parameters:

    Platform ID   Description
    1             Windows XP, Adobe Reader 9.3.3, Office 2003
    2             Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
    3             Windows XP, Adobe Reader 11, Flash 11, Office 2010
    4             Windows 7, Adobe Reader 11, Flash 11, Office 2010
    201           Android 2.3, API 10, avd2.3.1

The following table describes the API attributes needed to query for pcaps:

    URL      https://wildfire.paloaltonetworks.com/publicapi/get/pcap
    Method   POST

    Parameters
      hash        The MD5 or SHA-256 hash value of the sample
      apikey      Your WildFire API key
      platform*   Target analysis environment

      * Optional parameter

    Return
      200 OK                   Indicates success and PCAP will be returned
      401 Unauthorized         API key invalid
      403 Forbidden            Permission Denied
      404 Not Found            The PCAP was not found
      405 Method Not Allowed   Method other than POST used
      419                      Request sample quota exceeded
      420                      Insufficient arguments
      421                      Invalid arguments
      500                      Internal error

Example API Query for Get-PCAP

The following curl command demonstrates a query for a pcap using the sample's MD5 hash:

    curl -k -F hash=md5hash -F apikey=yourapikey -F platform=targetplatform https://wildfire.paloaltonetworks.com/publicapi/get/pcap