Administrator's Guide
Version 8.0

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About this Guide
This guide describes how to configure your Palo Alto Networks firewalls to submit samples to the WildFire cloud and how to manage a WildFire appliance for use in private cloud or hybrid cloud deployments.
For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.
For access to the knowledge base and discussion forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and WildFire 8.0 release information, go to https://www.paloaltonetworks.com/documentation/80/panos/panos-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: June 5, 2017
2 WildFire 8.0 Administrator's Guide Palo Alto Networks, Inc.

Table of Contents
WildFire Overview ... 7
  About WildFire ... 8
  WildFire Concepts ... 9
  WildFire Deployments ... 14
  WildFire File Type Support ... 16
  WildFire Subscription ... 17
  Get Started with WildFire ... 18
Submit Files for WildFire Analysis ... 21
  WildFire Best Practices ... 22
  Forward Files for WildFire Analysis ... 24
  Forward Decrypted SSL Traffic for WildFire Analysis ... 30
  Verify WildFire Submissions ... 31
    Test a Sample Malware File ... 31
    Verify File Forwarding ... 32
  Manually Upload Files to the WildFire Portal ... 36
  Submit Malware or Reports from the WildFire Appliance ... 37
  Firewall File Forwarding Capacity by Model ... 38
Set Up and Manage a WildFire Appliance ... 39
  About the WildFire Appliance ... 40
  Configure the WildFire Appliance ... 42
  Set Up the WildFire Appliance VM Interface ... 48
    Virtual Machine Interface Overview ... 48
    Configure the VM Interface on the WildFire Appliance ... 49
    Connect the Firewall to the WildFire Appliance VM Interface ... 50
  Enable WildFire Appliance Analysis Features ... 52
    Set Up WildFire Appliance Content Updates ... 52
    Enable Local Signature and URL Category Generation ... 54
    Submit Locally Discovered Malware or Reports to the WildFire Public Cloud ... 56
  Upgrade a WildFire Appliance ... 57
Monitor WildFire Activity ... 59
  About WildFire Logs and Reporting ... 60
  Use the Firewall to Monitor Malware ... 61
    Configure WildFire Submissions Log Settings ... 61
    Monitor WildFire Submissions and Analysis Reports ... 63
    Set Up Alerts for Malware ... 65
  Use the WildFire Portal to Monitor Malware ... 67
    Configure WildFire Portal Settings ... 67
    Add WildFire Portal Users ... 68
    View Reports on the WildFire Portal ... 69
  WildFire Analysis Reports Close Up ... 70
  WildFire Example ... 74
WildFire Appliance Clusters ... 79
  About WildFire Appliance Clusters ... 80
  WildFire Appliance Cluster Resiliency and Scale ... 81
  WildFire Appliance Cluster Management ... 84
  Configure a Cluster Locally on WildFire Appliances ... 87
    Configure a Cluster and Add Nodes Locally ... 87
    Configure General Cluster Settings Locally ... 93
    Remove a Node from a Cluster Locally ... 95
  Upgrade WildFire Appliances in a Cluster ... 97
    Upgrade a Cluster Locally ... 97
    Upgrade a Cluster Centrally on Panorama with an Internet Connection ... 99
    Upgrade a Cluster Centrally on Panorama without an Internet Connection ... 101
  Configure a Cluster Centrally on Panorama ... 104
    Configure a Cluster and Add Nodes on Panorama ... 104
    Configure General Cluster Settings on Panorama ... 108
    Remove a Cluster from Panorama Management ... 110
    set deviceconfig system panorama-server ... 137
    set deviceconfig system panorama-server-2 ... 138
    set deviceconfig system update-schedule ... 139
    set deviceconfig system vm-interface ... 140
  WildFire Appliance Operational Mode Command Reference ... 142
    clear high-availability ... 143
    create wildfire api-key ... 144
    delete high-availability-key ... 145
    delete wildfire api-key ... 147
    delete wildfire-metadata ... 148
    disable wildfire ... 148
    edit wildfire api-key ... 149
    load wildfire api-key ... 150
    request cluster decommission ... 151
    request cluster reboot-local-node ... 153
    request high-availability state ... 154
    request high-availability sync-to-remote ... 156
    request system raid ... 157
    request wildfire sample-redistribution ... 159
    request system wildfire-vm-image ... 160
    request wf-content ... 161
    save wildfire api-key ... 162
    set wildfire portal-admin ... 163
    show cluster all-peers ... 164
    show cluster controller ... 165
    show cluster membership ... 166
    show cluster task ... 169
    show high-availability all ... 171
    show high-availability control-link ... 173
    show high-availability state ... 174
    show high-availability transitions ... 176
    show system raid ... 177
    submit wildfire local-verdict-change ... 178
    show wildfire ... 179
    show wildfire global ... 181
    show wildfire local ... 184
    test wildfire registration ... 188
WildFire Overview
WildFire provides detection and prevention of zero-day malware using a combination of dynamic and static analysis to detect threats and create protections to block malware. WildFire extends the capabilities of Palo Alto Networks next-generation firewalls to identify and block targeted and unknown malware.
About WildFire
WildFire Concepts
WildFire Deployments
WildFire File Type Support
WildFire Subscription
Get Started with WildFire
About WildFire
The WildFire Virtual Environment identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls can use to then detect and block the malware. When a Palo Alto Networks firewall detects an unknown sample (a file or a link included in an email), the firewall can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly discovered malware, and makes the latest signatures globally available every five minutes. All Palo Alto Networks firewalls can then compare incoming samples against these signatures to automatically block the malware first detected by a single firewall.
To learn more about WildFire, or to get started with WildFire now, see the following topics:
Review WildFire Concepts to learn more about the types of samples you can submit for WildFire analysis, WildFire verdicts, and WildFire signatures.
Learn more about the WildFire Deployments you can set up with the firewall. You can submit samples you would like to have analyzed to a Palo Alto Networks-hosted WildFire cloud or a locally hosted WildFire private cloud, or you can use a hybrid cloud, where the firewall submits certain samples to the public cloud and certain samples to a private cloud.
Get Started with WildFire to define the samples that you want to submit for analysis, and to begin submitting samples to a WildFire cloud.
Manage WildFire Appliances using Panorama to manage up to 200 WildFire appliances centrally instead of individually.
Create WildFire Appliance Clusters to increase analysis and storage capacity, support more firewalls on a single network, and implement high availability to provide fault tolerance. You can manage WildFire appliance clusters using the local WildFire CLI or using Panorama.
WildFire Concepts
Samples
Firewall Forwarding
Session Information Sharing
Virtual Environment
Verdicts
File Analysis
Email Link Analysis
Compressed and Encoded File Analysis
WildFire Signatures

Samples
Samples are all file types and email links submitted for WildFire analysis from the firewall and the public API. See File Analysis and Email Link Analysis for details on the file types and links that a firewall can submit for WildFire analysis.

Firewall Forwarding
The firewall forwards unknown samples, as well as blocked files that match antivirus signatures, for WildFire analysis based on the configured WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). In addition to detecting links included in emails, files that are attached to emails, and browser-based file downloads, the firewall leverages the Palo Alto Networks App-ID feature to detect file transfers within applications. For samples that the firewall detects, the firewall analyzes the structure and content of the sample and compares it against existing signatures. If the sample matches a signature, the firewall applies the default action defined for the signature (allow, alert, or block). If the sample matches an antivirus signature or if the sample remains unknown after comparing it against WildFire signatures, the firewall forwards it for WildFire analysis.
By default, the firewall also forwards information about the session in which an unknown sample was detected. To manage the session information that the firewall forwards, select Device > Setup > WildFire and edit Session Information Settings.

Session Information Sharing
In addition to forwarding unknown and blocked samples for analysis, the firewall also forwards information about the network session for a sample. Palo Alto Networks uses session information to learn more about the context of the suspicious network event, indicators of compromise related to the malware, affected hosts and clients, and applications used to deliver the malware.
The firewall is enabled to forward session information by default; however, you can adjust the default settings and choose what type of session information the firewall forwards to WildFire. On the firewall, select Device > Setup > WildFire and select or clear the following Session Information Settings:
Source IP: Forward the source IP address that sent the unknown file.
Source Port: Forward the source port that sent the unknown file.
Destination IP: Forward the destination IP address for the unknown file.
Destination Port: Forward the destination port for the unknown file.
Virtual System: Forward the virtual system that detected the unknown file.
Application: Forward the user application that transmitted the unknown file.
User: Forward the targeted user.
URL: Forward the URL associated with the unknown file.
Filename: Forward the name of the unknown file.
Email sender: Forward the sender of an unknown email link (the name of the email sender also appears in WildFire logs and reports).
Email recipient: Forward the recipient of an unknown email link (the name of the email recipient also appears in WildFire logs and reports).
Email subject: Forward the subject of an unknown email link (the email subject also appears in WildFire logs and reports).

Virtual Environment
Multiple virtual machines run in the WildFire public cloud to represent a variety of operating systems and applications. WildFire executes samples in a virtual environment and observes sample behavior for signs of malicious activities, such as changes to browser security settings, injection of code into other processes, modification of files in the Windows system folder, or attempts by the sample to access malicious domains. The WildFire public cloud also analyzes files across application versions in order to identify malware intended to uniquely target specific versions of client applications (the WildFire private cloud does not support multi-version analysis and does not analyze application-specific files across several versions of the application). For links that the firewall extracts from email messages and forwards to WildFire, WildFire visits the links to determine if the corresponding web page hosts any exploits. When WildFire completes analysis, it generates a detailed forensics report that summarizes sample behaviors and assigns a verdict of malware, benign, grayware, or phishing to the sample.
WildFire runs virtual environments with each of the following operating systems:
Microsoft Windows XP 32-bit
Microsoft Windows 7 32-bit (supported as an option for the WildFire appliance only)
Microsoft Windows 7 64-bit

Verdicts
When WildFire analyzes a previously unknown sample in the Palo Alto Networks-hosted WildFire global cloud or a locally hosted WildFire private cloud, a verdict is produced that identifies samples as malicious, unwanted (grayware is considered obtrusive but not malicious), phishing, or benign:
Benign: The sample is safe and does not exhibit malicious behavior.
Grayware: The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs).
Phishing: The link directs users to a phishing site and poses a security threat. Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially corporate passwords that unlock access to your network. The WildFire appliance does not support the phishing verdict and continues to classify these types of links as malicious.
Malicious: The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For files identified as malware, WildFire generates and distributes a signature to prevent against future exposure to the threat.
Verdicts that you suspect are either false positives or false negatives can be submitted to the Palo Alto Networks threat team for additional analysis. You can also manually change verdicts of samples submitted to WildFire appliances.

File Analysis
A Palo Alto Networks firewall configured with a WildFire analysis profile forwards samples for WildFire analysis based on file type (including email links). Additionally, the firewall decodes files that have been encoded or compressed up to four times (such as files in ZIP format); if the decoded file matches WildFire Analysis profile criteria, the firewall forwards the decoded file for WildFire analysis.
While the firewall can forward all the file types listed below, WildFire analysis support can vary depending on the WildFire cloud to which you are submitting samples. Review WildFire File Type Support to learn more.

File Types Supported for WildFire Forwarding (type: description)
apk: Android Application Package (APK) files. APK files are not supported for WildFire private cloud analysis using a WildFire appliance.
flash: Adobe Flash applets and Flash content embedded in web pages.
jar: Java applets (JAR/class file types).
ms-office: Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), and PowerPoint (PPT, PPTX) presentations, and Office Open XML (OOXML) 2007+ documents.
pe: Portable Executable (PE) files. PEs include executable files, object code, DLLs, and FON (fonts). A subscription is not required to forward PE files for WildFire analysis, but is required for all other supported file types.
pdf: Portable Document Format (PDF) files.
MacOSX: Mach-O, DMG, and PKG files are supported with content version 599. You can also manually or programmatically submit all Mac OS X supported file types for analysis (including application bundles, for which the firewall does not support automatic forwarding).
email-link: HTTP/HTTPS links contained in SMTP and POP3 email messages. See Email Link Analysis.
Email Link Analysis
A Palo Alto Networks firewall can extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links for WildFire analysis. The firewall only extracts links and associated session information (sender, recipient, and subject) from email messages; it does not receive, store, forward, or view the email message.
WildFire visits submitted links to determine if the corresponding web page hosts any exploits or displays phishing activity. A link that WildFire finds to be malicious or phishing is:
Recorded on the firewall as a WildFire Submissions log entry. The WildFire analysis report that details the behavior and activity observed for the link is available for each WildFire Submissions log entry. The log entry also includes the email header information (email sender, recipient, and subject) so that you can identify the message and delete it from the mail server, or mitigate the threat if the email has been delivered or opened.
Added to PAN-DB, and the URL is categorized as malware.
The firewall forwards email links in batches of 100 email links or every two minutes (depending on which limit is hit first). Each batch upload to WildFire counts as one upload toward the upload-per-minute capacity for the given firewall model (Firewall File Forwarding Capacity by Model). If a link included in an email corresponds to a file download instead of a URL, the firewall forwards the file only if the corresponding file type is enabled for WildFire analysis.
To enable the firewall to forward links included in emails for WildFire analysis, see Forward Files for WildFire Analysis. With a PAN-DB URL Filtering license, you can also block user access to malicious and phishing sites.
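The extraction and batching behaviour described above, written out as an added example (this is not Palo Alto Networks code; the firewall's internal implementation is not published). It keeps only the sender, recipient, subject and the HTTP/HTTPS links from a message, never the body, and flushes queued links as one upload when 100 links are queued or two minutes have passed since the first queued link, whichever comes first. The sample message, the `LinkBatcher` class and the injectable clock are my own constructions.

```python
import re
import time
from email import message_from_string
from email.policy import default
from typing import Dict, List, Optional

# Matches http:// and https:// links up to whitespace or a delimiter.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

# Constructed sample SMTP message (not a real message).
SAMPLE_MESSAGE = """\
From: accounts@example.test
To: user@corp.example
Subject: Action required
Content-Type: text/plain; charset=utf-8

Please verify at http://example.test/verify?id=42 or https://example.test/verify?id=42
"""


def extract_links(raw_message: str) -> Dict[str, object]:
    """Return sender, recipient, subject and the links found in text parts.
    The parsed body is discarded once the links have been pulled out."""
    msg = message_from_string(raw_message, policy=default)
    links: List[str] = []
    for part in msg.walk():  # handles both single-part and multipart messages
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if url not in links:  # de-duplicate while keeping order
                    links.append(url)
    return {
        "sender": str(msg["From"]),
        "recipient": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "links": links,
    }


class LinkBatcher:
    """Queue links and flush them as a single upload on the 100-link or
    two-minute limit described on this page (assumed semantics: the two-minute
    window starts when the first link enters an empty queue)."""

    MAX_LINKS = 100
    MAX_AGE_SECONDS = 120

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending: List[str] = []
        self._opened_at: Optional[float] = None
        self.uploads: List[List[str]] = []  # each entry counts as one upload

    def add(self, link: str) -> None:
        if not self._pending:
            self._opened_at = self._clock()
        self._pending.append(link)
        self._maybe_flush()

    def tick(self) -> None:
        """Call periodically so the time limit can fire without new links."""
        self._maybe_flush()

    def _maybe_flush(self) -> None:
        if not self._pending:
            return
        aged = self._clock() - self._opened_at >= self.MAX_AGE_SECONDS
        if len(self._pending) >= self.MAX_LINKS or aged:
            self.uploads.append(self._pending)
            self._pending = []
            self._opened_at = None


def process_message(raw_message: str, batcher: LinkBatcher) -> Dict[str, object]:
    """Extract links from one message and queue them for upload."""
    record = extract_links(raw_message)
    for link in record["links"]:
        batcher.add(link)
    return record


if __name__ == "__main__":
    b = LinkBatcher()
    print(process_message(SAMPLE_MESSAGE, b))
```

The injectable clock exists so the two-minute rule can be exercised deterministically; in production code `time.monotonic` is the right default because wall-clock adjustments must not shorten or lengthen a batch window.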
Compressed and Encoded File Analysis
By default, the firewall decodes files that have been encoded or compressed up to four times, including files that have been compressed using the ZIP format. The firewall then inspects and enforces policy on the decoded file; if the file is unknown, the firewall forwards the decoded file for WildFire analysis.
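An added example of the four-layer decoding limit (my own code, not the firewall's decoder, which is not published). It peels ZIP, gzip and base64 wrappers one layer at a time and stops after four; the caller can see whether the innermost content was reached, which is the case that matters for policy, because a payload wrapped five times would still be opaque to a four-layer decoder. The choice of ZIP, gzip and base64 as the recognised layers, the magic-byte checks and the `wrap` helper that builds nested test input are assumptions for the demonstration.

```python
import base64
import binascii
import gzip
import io
import zipfile
from typing import Optional, Tuple

MAX_LAYERS = 4  # page: the firewall decodes up to four layers


def _peel(data: bytes) -> Optional[bytes]:
    """Remove one ZIP, gzip or base64 layer; return None if data is not wrapped.
    For a ZIP archive only the first entry is taken (simplification)."""
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            return zf.read(names[0]) if names else None
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    try:
        decoded = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded or None


def unwrap(data: bytes, max_layers: int = MAX_LAYERS) -> Tuple[bytes, int, bool]:
    """Return (payload, layers_removed, fully_decoded).
    fully_decoded is False when content is still wrapped after max_layers."""
    layers = 0
    while layers < max_layers:
        inner = _peel(data)
        if inner is None:
            return data, layers, True
        data = inner
        layers += 1
    return data, layers, _peel(data) is None


def wrap(payload: bytes, layers: int) -> bytes:
    """Constructed test input: alternately ZIP, gzip and base64 wrap the payload."""
    data = payload
    for i in range(layers):
        if i % 3 == 0:
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
                zf.writestr("inner.bin", data)
            data = buf.getvalue()
        elif i % 3 == 1:
            data = gzip.compress(data)
        else:
            data = base64.b64encode(data)
    return data


# Constructed stand-in for a file; the leading bytes are not a real executable.
PAYLOAD = b"MZ\x90\x00 constructed sample payload"

if __name__ == "__main__":
    for n in (0, 4, 5):
        content, removed, done = unwrap(wrap(PAYLOAD, n))
        print(f"{n} layers: removed={removed} fully_decoded={done} reached={content == PAYLOAD}")
```

The `fully_decoded` flag is the part worth logging in a detection pipeline: a sample that exhausts the layer budget without reaching plain content is a reason to alert on its own, regardless of what the inner file turns out to be.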
WildFire Signatures
WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic, and can quickly generate signatures to identify and protect against future infections from the malware it discovers. WildFire automatically generates a signature based on the malware payload of the sample and tests it for accuracy and safety.
Each WildFire cloud (global, regional, and private) analyzes samples and generates malware signatures independently of the other WildFire clouds. With the exception of WildFire private cloud signatures, WildFire signatures are shared globally, enabling WildFire users worldwide to benefit from malware coverage regardless of the location in which the malware was first detected. Because malware evolves rapidly, the signatures that WildFire generates address multiple variants of the malware.
Firewalls with an active WildFire license can retrieve the latest WildFire signatures every five minutes. If you do not have a WildFire subscription, signatures are made available within 24-48 hours as part of the antivirus update for firewalls with an active Threat Prevention license.
As soon as the firewall downloads and installs the new signature, the firewall can block the files that contain that malware (or a variant of the malware). Malware signatures do not detect malicious and phishing links; to enforce these links, you must have a PAN-DB URL Filtering license. You can then block user access to malicious and phishing sites.
WildFire Deployments
You can set up a Palo Alto Networks firewall to submit unknown samples to the Palo Alto Networks-hosted WildFire global cloud or to a locally hosted WildFire private cloud, or you can enable the firewall to forward certain samples to a WildFire global cloud and certain samples to a WildFire private cloud:
WildFire Global Cloud
WildFire Private Cloud
WildFire Hybrid Cloud

WildFire Global Cloud
A Palo Alto Networks firewall can forward unknown files and email links to the WildFire global cloud or to one of three WildFire regional clouds that Palo Alto Networks owns and maintains. Choose the WildFire public cloud to which you want to submit samples for analysis based on your location and your organization's needs:
WildFire Global Cloud: The WildFire global cloud is a public cloud environment hosted in the United States. Use the following URL to submit files to the WildFire global cloud for analysis and to access the WildFire global portal: wildfire.paloaltonetworks.com.
WildFire Europe Cloud: The WildFire Europe cloud is a regional public cloud environment hosted in The Netherlands. It is designed to adhere to European Union (EU) data privacy regulations, and samples submitted to the WildFire Europe cloud remain within EU borders. Use the following URL to submit files to the WildFire Europe cloud for analysis and to access the WildFire Europe cloud portal: eu.wildfire.paloaltonetworks.com.
WildFire Japan Cloud: The WildFire Japan cloud is a regional public cloud environment hosted in Japan. Use the following URL to submit files to the WildFire Japan cloud for analysis and to access the WildFire Japan cloud portal: jp.wildfire.paloaltonetworks.com.
WildFire Singapore Cloud: The WildFire Singapore cloud is a regional public cloud environment hosted in Singapore. Use the following URL to submit files to the WildFire Singapore cloud for analysis and to access the WildFire Singapore cloud portal: sg.wildfire.paloaltonetworks.com.
Each WildFire cloud (global and regional) analyzes samples and generates malware signatures independently of the other WildFire clouds. WildFire signatures are then shared globally, enabling WildFire users worldwide to benefit from malware coverage regardless of the location in which the malware was first detected. Review WildFire File Type Support to learn more about the file types that each cloud analyzes.
If you have a WildFire appliance, you can enable a WildFire Hybrid Cloud deployment, where the firewall can forward certain files to a WildFire public cloud, and other files to a WildFire private cloud for local analysis. The WildFire appliance can also be configured to quickly gather verdicts for known samples by querying the global cloud before performing analysis. This allows the WildFire appliance to dedicate analysis resources to samples that are unknown to both your private network and the global WildFire community.
WildFire Private Cloud
In a Palo Alto Networks private cloud deployment, Palo Alto Networks firewalls forward files to a WildFire appliance on your corporate network that is being used to host a private cloud analysis location. A WildFire private cloud can receive and analyze files from up to 100 Palo Alto Networks firewalls.
Because the WildFire private cloud is a local sandbox, benign, grayware, and phishing samples that are analyzed never leave your network. By default, the private cloud also does not send discovered malware outside of your network; however, you can choose to automatically forward malware to the WildFire public cloud for signature generation and distribution. In this case, the WildFire public cloud reanalyzes the sample, generates a signature to identify the sample, and distributes the signature to all Palo Alto Networks firewalls with Threat Prevention and WildFire licenses.
If you do not want the WildFire private cloud to forward even malicious samples outside of your network, you can:
Enable the WildFire appliance to forward the malware report (and not the sample itself) to the WildFire public cloud. WildFire reports provide statistical information that helps Palo Alto Networks assess the pervasiveness and propagation of the malware. For more details, see Submit Malware or Reports from the WildFire Appliance.
Manually Upload Files to the WildFire Portal (instead of automatically forwarding all malware) or use the WildFire API to submit files to the WildFire public cloud.
You can also Enable Local Signature and URL Category Generation on the WildFire appliance. Signatures the WildFire appliance generates are distributed to connected firewalls so that the firewalls can effectively block the malware the next time it is detected.
Android Application Package (APK) and Mac OS X files are not supported for WildFire private cloud analysis.

WildFire Hybrid Cloud
A firewall in a WildFire hybrid cloud deployment can forward certain samples to the Palo Alto Networks-hosted WildFire global cloud and other samples to a WildFire private cloud hosted by a WildFire appliance. A WildFire hybrid cloud deployment allows the flexibility to analyze private documents locally and inside your network, while the WildFire public cloud analyzes files from the Internet. For example, forward Payment Card Industry (PCI) and Protected Health Information (PHI) data exclusively to the WildFire private cloud for analysis, while forwarding Portable Executables (PEs) to the WildFire public cloud for analysis. In a WildFire hybrid cloud deployment, offloading files to the public cloud for analysis allows you to benefit from a prompt verdict for files that have been previously processed in the WildFire public cloud, and also frees up the WildFire appliance capacity to process sensitive content. Additionally, you can forward certain file types to the WildFire public cloud that are not currently supported for WildFire appliance analysis, such as Android Application Package (APK) files.
In a WildFire hybrid cloud deployment, there might be some cases where a single file matches your criteria for both public cloud analysis and private cloud analysis; in these cases, the file is submitted only to the private cloud for analysis as a cautionary measure.
To set up hybrid cloud forwarding, see Forward Files for WildFire Analysis.
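An added example that models the hybrid-cloud forwarding decision stated on this page (my own code, not PAN-OS logic; the rule and sample structures are assumptions standing in for a WildFire Analysis profile). It applies the rules the page gives: a sample matching both a public-cloud and a private-cloud rule goes only to the private cloud; APK and Mac OS X files are not analyzed by a WildFire appliance; and the PE size limit is 10 MB. What the firewall does when a rule sends an unsupported type to the private cloud is not stated on the page, so that branch is marked as an assumption.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Page: these types are not supported for WildFire private cloud analysis.
PRIVATE_CLOUD_UNSUPPORTED = frozenset({"apk", "MacOSX"})
# Page: maximum supported size limit for PE files, in MB.
PE_MAX_SIZE_MB = 10
# Constructed size-limit table; only the PE value comes from the page.
SIZE_LIMITS_MB: Dict[str, float] = {"pe": PE_MAX_SIZE_MB}


@dataclass(frozen=True)
class Rule:
    """One forwarding rule of a hypothetical WildFire Analysis profile."""
    destination: str                      # "public-cloud" or "private-cloud"
    file_types: FrozenSet[str]            # "any" matches every supported type
    applications: FrozenSet[str] = frozenset({"any"})
    direction: str = "both"               # "upload", "download" or "both"


@dataclass
class Sample:
    """A file the firewall has detected in a session (constructed shape)."""
    file_type: str
    application: str
    direction: str
    size_mb: float


def matches(rule: Rule, sample: Sample) -> bool:
    type_ok = "any" in rule.file_types or sample.file_type in rule.file_types
    app_ok = "any" in rule.applications or sample.application in rule.applications
    dir_ok = rule.direction in ("both", sample.direction)
    return type_ok and app_ok and dir_ok


def decide(sample: Sample, rules: List[Rule],
           size_limits_mb: Dict[str, float]) -> Tuple[Optional[str], str]:
    """Return (destination or None, reason) for one sample."""
    limit = size_limits_mb.get(sample.file_type)
    if limit is not None and sample.size_mb > limit:
        return None, f"{sample.file_type} exceeds the {limit} MB size limit"
    destinations = {r.destination for r in rules if matches(r, sample)}
    if not destinations:
        return None, "no rule matches; file not forwarded"
    if "private-cloud" in destinations:
        if sample.file_type in PRIVATE_CLOUD_UNSUPPORTED:
            # Assumption: the page only says the appliance does not analyze
            # these types; it does not state the firewall's behaviour here.
            return None, f"{sample.file_type} is not supported for private cloud analysis"
        if "public-cloud" in destinations:
            return "private-cloud", "matched both; private cloud chosen as a cautionary measure"
        return "private-cloud", "matched a private-cloud rule"
    return "public-cloud", "matched a public-cloud rule"


def example_rules() -> List[Rule]:
    """The page's example: PCI/PHI documents stay local, PEs go to the public cloud."""
    return [
        Rule("private-cloud", frozenset({"ms-office", "pdf"})),
        Rule("public-cloud", frozenset({"pe"})),
    ]


if __name__ == "__main__":
    for s in (Sample("pe", "web-browsing", "download", 5.0),
              Sample("pe", "web-browsing", "download", 12.0),
              Sample("pdf", "smtp", "upload", 1.0)):
        print(s.file_type, decide(s, example_rules(), SIZE_LIMITS_MB))
```

The over-limit branch is checked first because a file above the configured size limit is never forwarded, whichever rules it would otherwise match; keeping that check ahead of rule evaluation makes the reason string reflect what actually stopped the upload.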
WildFire File Type Support
The following file types are supported for analysis in the WildFire cloud environments (support for a given file type varies by cloud; see File Analysis for the exceptions):
Links contained in emails
Android application package (APK) files
Adobe Flash files
Java Archive (JAR) files
Microsoft Office files
Portable executable (PE) files
Portable document format (PDF) files
Mac OS X files
Looking for more?
For details on each WildFire cloud analysis environment, see WildFire Deployments.
For details about each file type supported for WildFire analysis, see File Analysis.
WildFire Subscription
The basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, the firewall can forward portable executable (PE) files for WildFire analysis, and can retrieve WildFire signatures only with antivirus and/or Threat Prevention updates, which are made available every 24-48 hours.
A WildFire subscription unlocks the following WildFire features:
WildFire Dynamic Updates: The WildFire public cloud and a WildFire private cloud can generate and distribute new WildFire signatures every five minutes, and you can set the firewall to retrieve and install these signatures every minute (this allows the firewall to get the latest signatures within a minute of availability). Select Device > Dynamic Updates to enable the firewall to get the latest WildFire signatures. Depending on your WildFire deployment, you can set up one or both of the following signature package updates:
  WildFire: Get the latest signatures from the WildFire public cloud.
  WF-Private: Get the latest signatures from a WildFire appliance that is configured to locally generate signatures and URL categories.
WildFire Advanced File Type Support: In addition to PEs, forward advanced file types for WildFire analysis, including APKs, Flash files, PDFs, Microsoft Office files, Java Applets, Java files (.jar and .class), and HTTP/HTTPS email links contained in SMTP and POP3 email messages. (WildFire private cloud analysis does not support APK files.)
WildFire API: Access to the WildFire API, which enables direct programmatic access to the WildFire public cloud or a WildFire private cloud. Use the WildFire API to submit files for analysis and to retrieve the subsequent WildFire analysis reports. The WildFire API supports up to 1,000 file submissions and up to 10,000 queries a day.
WildFire Private and Hybrid Cloud Support: Forward files to a WildFire appliance. WildFire private cloud and WildFire hybrid cloud deployments both require the firewall to be able to submit samples to a WildFire appliance. Enabling a WildFire appliance requires only a support license.
Get Started with WildFire
The following steps provide a quick workflow to get started with WildFire. If you'd like to learn more about WildFire before getting started, take a look at the WildFire Overview and review WildFire Best Practices.

Get Started with WildFire
Step 1: Get your WildFire Subscription. If you do not have a WildFire subscription, you can still forward PEs for WildFire analysis.
Step 2: Decide which of the WildFire Deployments works for you:
  WildFire Global Cloud: Forward samples to a Palo Alto Networks-hosted WildFire public cloud.
  WildFire Private Cloud (requires a WildFire appliance): Forward samples to a local WildFire appliance that resides on your network.
  WildFire Hybrid Cloud (requires a WildFire appliance): Forward some samples to the WildFire public cloud and some samples to a WildFire private cloud.
Step 3: (WildFire private and hybrid cloud only) Set Up and Manage a WildFire Appliance, including upgrading the WildFire appliance to the latest release version. Firewalls connected to the appliance must be running the same release version.
Step 6: Enable the firewall to Forward Decrypted SSL Traffic for WildFire Analysis. This is a recommended WildFire best practice.
Submit Files for WildFire Analysis
The following topics describe how to submit files for WildFire analysis. You can set up Palo Alto Networks firewalls to automatically forward unknown files to the WildFire public cloud or a WildFire private cloud, and you can also manually submit files for analysis using the WildFire portal. Samples submitted for WildFire analysis receive a verdict of benign, grayware, malicious, or phishing, and a detailed analysis report is generated for each sample.
WildFire Best Practices
Forward Files for WildFire Analysis
Forward Decrypted SSL Traffic for WildFire Analysis
Verify WildFire Submissions
Manually Upload Files to the WildFire Portal
Submit Malware or Reports from the WildFire Appliance
Firewall File Forwarding Capacity by Model
WildFire Best Practices
- Follow the best practices to secure your network from Layer 4 and Layer 7 evasions to ensure reliable content identification and analysis. Specifically, make sure to implement the best practices for TCP settings (Device > Setup > Session > TCP Settings) and Content-ID settings (Device > Setup > Content-ID > Content-ID Settings).
- Make sure that you also have an active Threat Prevention subscription. Together, WildFire and Threat Prevention enable comprehensive threat detection and prevention.
- If the firewall is configured to decrypt SSL traffic, enable the firewall to Forward Decrypted SSL Traffic for WildFire Analysis. Only a superuser can enable this option.
- Use the default WildFire Analysis profile to define the traffic the firewall should forward for WildFire analysis (Objects > Security Profiles > WildFire Analysis). The default WildFire Analysis profile ensures complete WildFire coverage for all traffic your security policy allows: it specifies that all supported file types across all applications are forwarded for WildFire analysis, regardless of whether the files are uploaded or downloaded.
  If you choose to create a custom WildFire Analysis profile, it is a best practice to still set the profile to forward any file type. This allows the firewall to automatically begin forwarding file types as they become supported for WildFire analysis.
  For details on applying a WildFire Analysis profile to firewall traffic, review how to Forward Files for WildFire Analysis.
- While you are configuring the firewall to forward files for WildFire analysis, review the file Size Limit for all supported file types. Set the Size Limit for portable executables (PEs) to the maximum supported file size limit: 10 MB. Leave the Size Limit for all other file types set to the default limit. (Select Device > Setup > WildFire and edit the General Settings to adjust file size limits based on file type. Click the Help icon to find the default size limit for each file type.)
  About the Default File Size Limits for WildFire Forwarding
  The default file size limits on the firewall are designed to include the large majority of malware in the wild (which is smaller than the default size limits) and exclude large files that are very unlikely to be malicious and can impact WildFire forwarding capacity. Because the firewall has a specific capacity reserved to forward files for WildFire analysis, forwarding high numbers of large files might cause the firewall to skip forwarding some files. This condition might occur when the maximum file size limits are configured for a file type that is traversing the firewall at a high rate. In this case, a potentially malicious file might not be forwarded for WildFire analysis. Consider this possible condition if you would like to increase the size limit for files other than PEs beyond the default size limit.
  The following graph is a representative illustration of the distribution of file sizes for malware, as observed by the Palo Alto Networks threat research team. The firewall default file size settings can be increased to the maximum file size setting to gain a relatively small increase in the malware catch rate for each file type.
Recommended File Size Limits to Catch Uncommonly Large Malicious Files
If you are specifically concerned about uncommonly large malicious files, you might want to increase file size limits beyond the default settings. In these cases, the following settings are recommended to catch rare, very large malicious files.
Select Device > Setup > WildFire, and edit General Settings to adjust the Size Limit for each file type:
  File Type    Size Limit
  pe           10 MB
  apk          30 MB
  pdf          1,000 KB
  ms-office    2,000 KB
  jar          5 MB
  flash        5 MB
  MacOSX       1 MB
Forward Files for WildFire Analysis
Configure Palo Alto Networks firewalls to forward unknown files or email links and blocked files that match existing antivirus signatures for analysis. Use the WildFire Analysis profile to define files to forward to the WildFire cloud (use the public cloud or a private cloud), and then attach the profile to a security rule to trigger inspection for zero-day malware.
Specify traffic to be forwarded for analysis based on the application in use, the file type detected, links contained in email messages, or the transmission direction of the sample (upload, download, or both). For example, you can set up the firewall to forward Portable Executables (PEs) or any files that users attempt to download during a web-browsing session. In addition to unknown samples, the firewall forwards blocked files that match existing antivirus signatures. This provides Palo Alto Networks a valuable source of threat intelligence based on malware variants that signatures successfully prevented but neither WildFire nor the firewall has seen before.
If you are using a WildFire appliance to host a WildFire private cloud, you can extend WildFire analysis resources to a WildFire Hybrid Cloud by configuring the firewall to continue to forward sensitive files to your WildFire private cloud for local analysis, and forward less sensitive or unsupported file types to the WildFire public cloud.
Additionally, you can dedicate WildFire appliance resources to analyze specific file types: either documents (Microsoft Office files and PDFs) or PEs. For example, if you deploy a WildFire hybrid cloud to analyze documents locally and PEs in the WildFire global cloud, you can dedicate all analysis environments to documents. This allows you to offload analysis of PEs to the public cloud, allowing you to allocate additional WildFire appliance resources to process sensitive documents.
Before you begin:
- If another firewall resides between the firewall you are configuring to forward files and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle allows the following ports:
  - The WildFire public cloud uses port 443 for registration and file submissions.
  - The WildFire appliance uses port 443 for registration and 10443 for file submissions.
- (PA-7000 Series Firewalls Only) To enable a PA-7000 Series firewall to forward files and email links for WildFire analysis, you must first configure a data port on an NPC as a Log Card interface.
Configure a Firewall to Forward Files and Email Links to WildFire
Step 4  Define traffic to forward for WildFire analysis.
        If you have a WildFire appliance set up, you can use both the private cloud and the public cloud in a hybrid cloud deployment. Analyze sensitive files locally on your network, while sending all other unknown files to the WildFire public cloud for comprehensive analysis and prompt verdict returns.
  1. Select Objects > Security Profiles > WildFire Analysis, Add a new WildFire analysis profile, and give the profile a descriptive Name.
  2. Add a profile rule to define traffic to be forwarded for analysis and give the rule a descriptive Name, such as local-PDF-analysis.
  3. Define the unknown traffic that the profile rule matches and forwards for analysis, based on:
     - Applications: Forward files for analysis based on the application in use.
     - File Types: Forward files for analysis based on file types, including links contained in email messages. For example, select PDF to forward unknown PDFs detected by the firewall for analysis.
     - Direction: Forward files for analysis based on the transmission direction of the file (upload, download, or both). For example, select both to forward all unknown PDFs for analysis, regardless of the transmission direction.
  4. Set the Analysis location to which the firewall forwards files matched to the rule.
     - Select public-cloud to forward matching samples to the WildFire public cloud for analysis.
     - Select private-cloud to forward matching samples to a WildFire private cloud for analysis.
     For example, to analyze PDFs that could contain sensitive or proprietary information without sending these documents out of your network, set the Analysis location for the rule local-PDF-analysis to private-cloud.
     Different rules can forward matched samples to different analysis locations, depending on your needs. The example above shows a rule that forwards sensitive file types for local analysis in a WildFire private cloud. You could create another rule to forward less sensitive file types, such as PEs, to the WildFire public cloud. This flexibility is supported with a WildFire Hybrid Cloud deployment.
     In a hybrid cloud deployment, files that match both private-cloud and public-cloud rules are forwarded only to the private cloud as a cautionary measure.
  5. (Optional) Continue to add rules to the WildFire analysis profile as needed. For example, you could add a second rule to the profile to forward Android application package (APK), Portable Executable (PE), and Flash files to the WildFire public cloud for analysis.
  6. Click OK to save the WildFire analysis profile.
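The rule-matching and hybrid-cloud precedence described in this step can be modelled to check a profile before committing it. The following is an added example, not Palo Alto Networks code: it evaluates constructed profile rules (application, file type, direction, analysis location) the way the step describes, applies the rule that a sample matching both a private-cloud and a public-cloud rule goes only to the private cloud, and lists the supported file types a profile leaves unforwarded, which is how far the profile falls short of the "forward any file type" best practice. The rule names, application names and sample traffic are constructed.

```python
"""Model of how a WildFire Analysis profile picks an analysis location.

Added example (not Palo Alto Networks code). It models the matching criteria
(applications, file types, direction) and the hybrid-cloud precedence rule:
a sample that matches both a private-cloud and a public-cloud rule is sent
only to the private cloud. Profile, rule names and traffic are constructed.
"""
from dataclasses import dataclass

ANY = "any"
# File types taken from this guide's size-limit list (constructed subset).
SUPPORTED_TYPES = ("pe", "apk", "pdf", "ms-office", "jar", "flash", "MacOSX")


@dataclass(frozen=True)
class ProfileRule:
    name: str
    applications: frozenset   # application names, or {ANY}
    file_types: frozenset     # file type names, or {ANY}
    direction: str            # "upload", "download", or "both"
    analysis: str             # "public-cloud" or "private-cloud"

    def matches(self, app: str, file_type: str, direction: str) -> bool:
        return (
            (ANY in self.applications or app in self.applications)
            and (ANY in self.file_types or file_type in self.file_types)
            and (self.direction == "both" or self.direction == direction)
        )


def forwarding_destination(rules, app, file_type, direction):
    """Return 'private-cloud', 'public-cloud', or None if no rule matches.

    Every rule is evaluated; private-cloud wins when both kinds match.
    """
    locations = {r.analysis for r in rules if r.matches(app, file_type, direction)}
    if "private-cloud" in locations:
        return "private-cloud"
    if "public-cloud" in locations:
        return "public-cloud"
    return None


def uncovered(rules, app="unlisted-app"):
    """(file_type, direction) pairs that no rule forwards for the given application.

    'unlisted-app' stands for any application no rule names explicitly, so
    only application-any rules can match it. A non-empty result means the
    profile does not forward every supported file type.
    """
    return [
        (ft, d)
        for ft in SUPPORTED_TYPES
        for d in ("upload", "download")
        if forwarding_destination(rules, app, ft, d) is None
    ]


# Constructed hybrid-cloud profile: documents stay local, executables go public.
HYBRID_PROFILE = [
    ProfileRule("local-PDF-analysis", frozenset({ANY}), frozenset({"pdf"}), "both", "private-cloud"),
    ProfileRule("public-exec-analysis", frozenset({ANY}), frozenset({"pe", "apk", "flash"}), "both", "public-cloud"),
    ProfileRule("public-web-downloads", frozenset({"web-browsing"}), frozenset({ANY}), "download", "public-cloud"),
]

if __name__ == "__main__":
    for sample in [("web-browsing", "pdf", "download"), ("smtp", "pe", "upload"), ("smtp", "ms-office", "upload")]:
        print(sample, "->", forwarding_destination(HYBRID_PROFILE, *sample))
    print("not forwarded for an unlisted application:", uncovered(HYBRID_PROFILE))
```

A PDF downloaded over web-browsing matches both the private-cloud PDF rule and the public-cloud web-download rule and is reported as private-cloud only; Office, JAR and MacOSX files uploaded over an application the profile does not name are reported as unforwarded.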
Step 7  Make sure to enable the firewall to also Forward Decrypted SSL Traffic for WildFire Analysis. This is a recommended WildFire best practice.
Step 8  Review and implement WildFire Best Practices.
Forward Decrypted SSL Traffic for WildFire Analysis
Enable the firewall to forward decrypted SSL traffic for WildFire analysis. Traffic that the firewall decrypts is evaluated against security policy rules; if it matches the WildFire analysis profile attached to the security rule, the decrypted traffic is forwarded for WildFire analysis before the firewall re-encrypts it. Only a superuser can enable this option.
Forwarding decrypted SSL traffic for WildFire analysis is a WildFire best practice.
Forward Decrypted SSL Traffic
On a firewall that does not have multiple virtual systems enabled:
  1. If you have not already, enable the firewall to perform decryption and Forward Files for WildFire Analysis.
  2. Select Device > Setup > Content-ID.
  3. Edit the Content-ID settings and Allow Forwarding of Decrypted Content.
  4. Click OK to save the changes.
On a firewall with virtual systems enabled:
  1. If you have not already, enable decryption and Forward Files for WildFire Analysis.
  2. Select Device > Virtual Systems, click the virtual system you want to modify, and Allow Forwarding of Decrypted Content.
Verify WildFire Submissions
Test your WildFire setup using malware test samples, and also verify that the firewall is correctly forwarding files for WildFire analysis.
- Test a Sample Malware File
- Verify File Forwarding
Test a Sample Malware File
Palo Alto Networks provides a sample malware file that you can use to test a WildFire configuration. Take the following steps to download the malware sample file, verify that the file is forwarded for WildFire analysis, and view the analysis results.
Use a Sample Malware File to Test the WildFire Configuration
Step 1  Download the malware test file: https://wildfire.paloaltonetworks.com/publicapi/test/pe. If you have SSL decryption enabled on the firewall, use the following URL instead: http://wildfire.paloaltonetworks.com/publicapi/test/pe.
        The test file is named wildfire-test-pe-file.exe and each test file has a unique SHA-256 hash value.
        You can also use the WildFire API to retrieve a malware test file. See the WildFire API Reference for details.
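Because every download of the test file has its own SHA-256, the practical way to trace it through the firewall is to hash the copy you downloaded and search the WildFire Submissions log for that hash. The following is an added example, not Palo Alto Networks code: it fetches the test file from the URLs given in Step 1, computes the SHA-256, and looks the hash up with the WildFire API's get/verdict call. The get/verdict endpoint, its form fields (apikey, hash), the response element names and the numeric verdict codes are taken from the WildFire API Reference rather than this page and are assumptions here; the API key is a placeholder you supply, and the XML response in the test is constructed.

```python
"""Fetch the WildFire test file, hash it, and look up its verdict.

Added example (not Palo Alto Networks code). Download URLs are the ones in
Step 1. The get/verdict call, its fields and the verdict codes are assumed
from the WildFire API Reference; the API key is a placeholder.
"""
import hashlib
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

TEST_FILE_HTTPS = "https://wildfire.paloaltonetworks.com/publicapi/test/pe"
TEST_FILE_HTTP = "http://wildfire.paloaltonetworks.com/publicapi/test/pe"
VERDICT_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/verdict"  # assumed API endpoint

# Numeric verdict codes of get/verdict (assumed from the WildFire API Reference).
VERDICT_LABELS = {
    0: "benign", 1: "malware", 2: "grayware", 4: "phishing",
    -100: "pending", -101: "error", -102: "unknown", -103: "invalid hash",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256: the identifier the WildFire Submissions log and reports use."""
    return hashlib.sha256(data).hexdigest()


def download_test_file(use_https: bool = True, timeout: int = 30) -> bytes:
    """Retrieve a fresh test PE; each download carries a unique hash."""
    url = TEST_FILE_HTTPS if use_https else TEST_FILE_HTTP
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def parse_verdict_response(body: bytes) -> int:
    """Extract the integer verdict from a get/verdict XML response."""
    root = ET.fromstring(body)
    node = root.find(".//verdict")
    if node is None or node.text is None:
        raise ValueError("no <verdict> element in response")
    return int(node.text.strip())


def verdict_label(code: int) -> str:
    return VERDICT_LABELS.get(code, f"unrecognized verdict code {code}")


def lookup_verdict(sha256: str, api_key: str, timeout: int = 30) -> str:
    """Ask WildFire for the verdict of a hash and return a label such as 'malware'."""
    form = urllib.parse.urlencode({"apikey": api_key, "hash": sha256}).encode()
    with urllib.request.urlopen(VERDICT_URL, data=form, timeout=timeout) as resp:
        return verdict_label(parse_verdict_response(resp.read()))


if __name__ == "__main__":
    import sys
    api_key = sys.argv[1] if len(sys.argv) > 1 else "<your-wildfire-api-key>"  # placeholder
    data = download_test_file(use_https=True)
    digest = sha256_hex(data)
    print(f"test file: {len(data)} bytes, sha256 {digest}")
    print("search the firewall's WildFire Submissions log for this hash")
    print("cloud verdict for the hash:", lookup_verdict(digest, api_key))
```

Run it on a host behind the firewall being tested so the download itself is the traffic that should be forwarded; the verdict lookup only confirms what the cloud already knows about that hash, while the Submissions log entry is what shows the firewall forwarded it.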
Verify File Forwarding
After the firewall is set up to Forward Files for WildFire Analysis, use the following options to verify the connection between the firewall and the WildFire public or private cloud, and to monitor file forwarding.
Several of the options to verify that a firewall is forwarding samples for WildFire analysis are CLI commands; for details on getting started with and using the CLI, refer to the PAN-OS CLI Quick Start Guide.
Verify File Forwarding
The example output confirms that the firewall is connected to the WildFire private cloud, and is not connected to the WildFire public cloud (public cloud registration fails).
If the firewall is configured in a WildFire Hybrid Cloud deployment, check that the firewall is successfully registered with and connected to both the WildFire public cloud and a WildFire private cloud.
To view forwarding information for only the WildFire public cloud or WildFire private cloud, use the following commands:
  show wildfire status channel public
  show wildfire status channel private
Verify that a specific sample was forwarded by the firewall and check the status of that sample.
  This option can be helpful when troubleshooting to:
  - Confirm that samples that have not yet received a WildFire verdict were correctly forwarded by the firewall. Because WildFire Submissions are logged on the firewall only when WildFire analysis is complete and the sample has received a WildFire verdict, use this option to verify the firewall forwarded a sample that is currently undergoing WildFire analysis.
  - Track the status for a single file or email link that was allowed according to your security policy, matched to a WildFire Analysis profile, and then forwarded for WildFire analysis.
  - Check that a firewall in a WildFire Hybrid Cloud deployment is forwarding the correct file types and email links to either the WildFire public cloud or a WildFire private cloud.
  Execute the following CLI commands on the firewall to view samples the firewall has forwarded for WildFire analysis:
  - View all samples forwarded by the firewall with the CLI command debug wildfire upload-log.
  - View only samples forwarded to the WildFire public cloud with the CLI command debug wildfire upload-log channel public.
  - View only samples forwarded to the WildFire private cloud with the CLI command debug wildfire upload-log channel private.
  The following example shows the output for the three commands listed above when issued on a firewall in a WildFire public cloud deployment:
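When many firewalls forward to a WildFire cloud or appliance, the status and upload-log checks above are easier to repeat from a script than from interactive CLI sessions. The following is an added example, not Palo Alto Networks code: it issues the same show wildfire status and debug wildfire upload-log commands (with and without the channel keyword) through the PAN-OS XML API. It assumes the XML API's operational-command form, a GET to https://<firewall>/api/ with type=op, cmd=<xml> and key=<api key>, in which a CLI command is expressed as nested elements (show wildfire status channel public becomes <show><wildfire><status><channel>public</channel></status></wildfire></show>) and the reply is a <response status="..."> envelope. The firewall hostname, API key and CA bundle are placeholders you supply; the response bodies in the test are constructed.

```python
"""Run the WildFire verification CLI commands through the PAN-OS XML API.

Added example (not Palo Alto Networks code). Assumes the XML API op-command
form (type=op&cmd=<xml>&key=<api key>) in which CLI keywords nest as elements;
hostname, API key and CA bundle path are placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def op_xml(path, **leaf):
    """Nest the CLI keywords in `path`; keyword arguments become leaf elements with text."""
    root = cur = ET.Element(path[0])
    for word in path[1:]:
        cur = ET.SubElement(cur, word)
    for key, value in leaf.items():
        ET.SubElement(cur, key).text = value
    return ET.tostring(root, encoding="unicode")


def api_url(host, api_key, cmd_xml):
    """Build the op-command request URL (the key travels in the query string)."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})
    return f"https://{host}/api/?{query}"


def parse_response(body):
    """Return (ok, text) from an XML API <response status=...> envelope."""
    root = ET.fromstring(body)
    ok = root.get("status") == "success"
    return ok, " ".join(t.strip() for t in root.itertext() if t.strip())


def run_op(host, api_key, path, ca_bundle=None, timeout=30, **leaf):
    """Execute one operational command and return (ok, text)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # validate the firewall's certificate
    url = api_url(host, api_key, op_xml(path, **leaf))
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return parse_response(resp.read())


# The checks this page describes, as (keyword path, leaf elements).
WILDFIRE_CHECKS = {
    "status":          (("show", "wildfire", "status"), {}),
    "status public":   (("show", "wildfire", "status"), {"channel": "public"}),
    "status private":  (("show", "wildfire", "status"), {"channel": "private"}),
    "uploads":         (("debug", "wildfire", "upload-log"), {}),
    "uploads public":  (("debug", "wildfire", "upload-log"), {"channel": "public"}),
    "uploads private": (("debug", "wildfire", "upload-log"), {"channel": "private"}),
}


def verify_forwarding(host, api_key, ca_bundle=None):
    """Run every check on one firewall; returns {check name: (ok, text)}."""
    return {
        name: run_op(host, api_key, path, ca_bundle, **leaf)
        for name, (path, leaf) in WILDFIRE_CHECKS.items()
    }


if __name__ == "__main__":
    # Print the XML each CLI check maps to (no firewall needed for this part).
    for name, (path, leaf) in WILDFIRE_CHECKS.items():
        print(f"{name:16s} {op_xml(path, **leaf)}")
```

For a hybrid-cloud firewall, both channel-specific status checks should return success with the public and private registrations each reported as connected; a public-cloud-only firewall will show the private channel as not connected, matching the prose above.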
Manually Upload Files to the WildFire Portal
All Palo Alto Networks customers with a support account can use the Palo Alto Networks WildFire portal to manually submit up to five samples a day for WildFire analysis. If you have a WildFire subscription, you can manually submit samples to the portal as part of your 1000 sample uploads daily limit; however, keep in mind that the 1000 sample daily limit also includes WildFire API submissions.
Upload Samples to the WildFire Portal
Submit Malware or Reports from the WildFire Appliance
Enable the WildFire appliance cloud intelligence feature to automatically submit malware samples discovered in the WildFire private cloud to the WildFire public cloud. The WildFire public cloud further analyzes the malware and generates a signature to identify the sample. The signature is then added to WildFire signature updates, and distributed to global users to prevent future exposure to the threat. If you do not want to forward malware samples outside of your network, you can instead choose to submit only WildFire reports for the malware discovered on your network to contribute to WildFire statistics and threat intelligence.
Enable the WildFire Appliance to Submit Malware or Reports to the WildFire Public Cloud
Submit Malware to the WildFire Public Cloud
  Execute the following CLI command from the WildFire appliance to enable the appliance to automatically submit malware samples to the WildFire public cloud:
    admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
  If the firewall that originally submitted the sample for WildFire private cloud analysis has packet captures (PCAPs) enabled, the PCAPs for the malware will also be forwarded to the WildFire public cloud.
Submit Malware Reports to the WildFire Public Cloud
  If the WildFire appliance is enabled to Submit Malware to the WildFire Public Cloud, you do not need to also enable the appliance to submit malware reports to the public cloud. When malware is submitted to the WildFire public cloud, the public cloud generates a new malware report for the sample.
  To enable the WildFire appliance to automatically submit malware reports to the WildFire public cloud (and not the malware sample), execute the following CLI command on the WildFire appliance:
    admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
Verify Cloud Intelligence Settings
  Check to confirm that cloud intelligence is enabled to either submit malware or submit malware reports to the WildFire public cloud by running the following command:
    admin@WF-500> show wildfire status
  Refer to the Submit sample and Submit report fields.
Firewall File Forwarding Capacity by Model
File forwarding capacity is the maximum rate per minute at which each Palo Alto Networks firewall model can submit files to the WildFire cloud or a WildFire appliance for analysis. If the firewall reaches the per-minute limit, it queues any remaining samples.
The Reserved Drive Space column in the following table lists the amount of drive space on the firewall that is reserved for queuing files. If the firewall reaches the drive space limit, it cancels forwarding of new files to WildFire until more space in the queue is available.
The speed at which the firewall can forward files to WildFire also depends on the bandwidth of the upload link to the WildFire systems.
  Model             Files per Minute   Reserved Drive Space
  VM-50             5                  100 MB
  VM-100            5                  100 MB
  VM-200            10                 200 MB
  VM-300            20                 200 MB
  VM-500            25                 250 MB
  VM-700            30                 250 MB
  PA-200            5                  100 MB
  PA-220            10                 100 MB
  PA-500            10                 200 MB
  PA-820            30                 300 MB
  PA-850            30                 300 MB
  PA-3020           50                 200 MB
  PA-3050/3060      50                 500 MB
  PA-5000 Series    50                 500 MB
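The capacity table and the file size limits from the WildFire Best Practices section interact: files over a type's Size Limit are never forwarded, files within it count against the per-minute rate, and anything beyond the rate accumulates in the reserved queue space until forwarding of new files is cancelled. The following is an added example, not Palo Alto Networks code, that puts both tables into one capacity check: given one representative minute of observed file traffic, it reports how many files the firewall would forward, how many the size limits exclude, the per-minute backlog on a given model, and how long the reserved drive space would last at that backlog. The per-model values are the table above and the size limits are this guide's recommended ones; the minute of traffic is constructed, and the assumption that queued files have the average size of the eligible files is mine.

```python
"""Capacity check for WildFire forwarding on a given firewall model.

Added example (not Palo Alto Networks code). Per-model rates and reserved
drive space are the values in the table above; size limits are this guide's
recommended per-type limits. The one-minute traffic sample is constructed,
and queued files are assumed to be of average size.
"""
CAPACITY = {  # model: (files per minute, reserved drive space in MB)
    "VM-50": (5, 100), "VM-100": (5, 100), "VM-200": (10, 200), "VM-300": (20, 200),
    "VM-500": (25, 250), "VM-700": (30, 250), "PA-200": (5, 100), "PA-220": (10, 100),
    "PA-500": (10, 200), "PA-820": (30, 300), "PA-850": (30, 300), "PA-3020": (50, 200),
    "PA-3050/3060": (50, 500), "PA-5000 Series": (50, 500),
}

# Recommended Size Limit per file type, in KB (10 MB = 10240 KB, and so on).
SIZE_LIMIT_KB = {
    "pe": 10 * 1024, "apk": 30 * 1024, "pdf": 1000, "ms-office": 2000,
    "jar": 5 * 1024, "flash": 5 * 1024, "MacOSX": 1024,
}


def eligible(files):
    """Files the firewall would forward: a supported type within its size limit."""
    return [(t, kb) for t, kb in files if t in SIZE_LIMIT_KB and kb <= SIZE_LIMIT_KB[t]]


def forwarding_plan(model, files_one_minute):
    """Estimate queue behaviour for one representative minute of traffic.

    files_one_minute: list of (file_type, size_kb) observed in one minute.
    """
    rate_limit, reserve_mb = CAPACITY[model]
    fwd = eligible(files_one_minute)
    backlog = max(0, len(fwd) - rate_limit)               # files queued per minute
    avg_kb = sum(kb for _, kb in fwd) / len(fwd) if fwd else 0.0
    growth_kb = backlog * avg_kb                           # queue growth per minute
    minutes_left = (reserve_mb * 1024) / growth_kb if growth_kb else None
    return {
        "eligible": len(fwd),
        "skipped_by_size_limit": len(files_one_minute) - len(fwd),
        "backlog_per_minute": backlog,
        "queue_growth_kb_per_minute": growth_kb,
        "minutes_until_queue_full": minutes_left,   # None: forwarding keeps up
    }


def models_that_keep_up(files_one_minute):
    """Models whose per-minute rate covers every eligible file in the sample minute."""
    return [m for m in CAPACITY if forwarding_plan(m, files_one_minute)["backlog_per_minute"] == 0]


# Constructed minute of traffic: 30 PEs of 500 KB, 10 PDFs of 300 KB,
# 5 PDFs of 1500 KB (over the 1,000 KB limit) and 5 Office files of 800 KB.
SAMPLE_MINUTE = (
    [("pe", 500)] * 30 + [("pdf", 300)] * 10 + [("pdf", 1500)] * 5 + [("ms-office", 800)] * 5
)

if __name__ == "__main__":
    for model in ("PA-220", "PA-850", "PA-3020"):
        print(model, forwarding_plan(model, SAMPLE_MINUTE))
    print("keeps up with this minute:", models_that_keep_up(SAMPLE_MINUTE))
```

On the constructed minute, 45 of 50 files are eligible: a PA-850 (30 files per minute, 300 MB reserved) falls behind by 15 files per minute and fills its queue in about 42 minutes if the rate holds, while the 50-file-per-minute models keep up. Raising a size limit beyond the recommendation adds files to the eligible set and shortens that window, which is the trade-off the best-practices section warns about.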
Set Up and Manage a WildFire Appliance
The WildFire appliance can be configured as a locally hosted WildFire private cloud. The following topics describe readying the WildFire appliance to receive files for analysis, how to manage the appliance, and how to enable the appliance to locally generate threat signatures and URL categories.
- About the WildFire Appliance
- Configure the WildFire Appliance
- Set Up the WildFire Appliance VM Interface
- Enable WildFire Appliance Analysis Features
- Upgrade a WildFire Appliance
About the WildFire Appliance
The WildFire appliance provides an on-premises WildFire private cloud, enabling you to analyze suspicious files in a sandbox environment without requiring the firewall to send files out of network. To use the WildFire appliance to host a WildFire private cloud, configure the firewall to submit samples to the WildFire appliance for analysis. The WildFire appliance sandboxes all files locally and analyzes them for malicious behaviors using the same engine the WildFire public cloud uses. Within minutes, the private cloud returns analysis results to the firewall WildFire Submissions logs.
You can enable a WildFire appliance to:
- Locally generate antivirus and DNS signatures for discovered malware, and assign a URL category to malicious links. You can then enable connected firewalls to retrieve the latest signatures and URL categories every five minutes.
- Submit malware to the WildFire public cloud. The WildFire public cloud re-analyzes the sample and generates a signature to detect the malware; this signature can be made available within minutes to protect global users.
- Submit locally generated malware reports (without sending the raw sample content) to the WildFire public cloud, to contribute to malware statistics and threat intelligence.
You can configure up to 100 Palo Alto Networks firewalls, each with valid WildFire subscriptions, to forward to a single WildFire appliance. Beyond the WildFire firewall subscriptions, no additional WildFire subscription is required to enable a WildFire private cloud deployment.
You can manage WildFire appliances using the local appliance CLI, or you can centrally Manage WildFire Appliances with Panorama. Starting with PAN-OS 8.0.1, you can also group WildFire appliances into WildFire Appliance Clusters and manage the clusters locally or from Panorama.
WildFire Appliance Interfaces
The WF-500 appliances are equipped with four RJ-45 Ethernet ports located at the back of the appliance. These ports are labeled MGT, 1, 2, and 3 and correspond to specific interfaces.
The WildFire appliance has three interfaces:
- MGT: Receives all files forwarded from the firewalls and returns logs detailing the results back to the firewalls. See Configure the WildFire Appliance.
- Virtual Machine Interface (VM interface): Provides network access for the WildFire sandbox systems to enable sample files to communicate with the Internet, which allows WildFire to better analyze the behavior of the sample. When the VM interface is configured, WildFire can observe malicious behaviors that the malware would not normally perform without network access, such as phone-home activity. However, to prevent malware from entering your network from the sandbox, configure the VM interface on an isolated network with an Internet connection. You can also enable the Tor option to hide the public IP address used by your company from malicious sites that are accessed by the sample. For more information on the VM interface, see Set Up the WildFire Appliance VM Interface.
- Cluster Management Interface: Provides cluster-wide communication among the WildFire appliance nodes that are members of a WildFire appliance cluster. This is a different interface than the MGT interface for firewall operations. You can configure the Ethernet 2 interface or the Ethernet 3 interface (labeled 2 and 3, respectively) as the cluster management interface.
Obtain the information required to configure network connectivity on the MGT port, the VM interface, and the cluster management interface (for WildFire appliance clusters only) from your network administrator (IP address, subnet mask, gateway, hostname, DNS server). All communication between the firewalls and the appliance occurs over the MGT port, including file submissions, WildFire log delivery, and appliance administration. Therefore, ensure that the firewalls have connectivity to the MGT port on the appliance. In addition, the appliance must be able to connect to updates.paloaltonetworks.com to retrieve its operating system software updates.
Configure the WildFire Appliance
This section describes the steps required to integrate a WildFire appliance into a network and perform basic setup.
Configure the WildFire Appliance
Set Up the WildFire Appliance VM Interface
The virtual machine interface (VM interface) provides external network connectivity from the sandbox virtual machines in the WildFire appliance to enable observation of malicious behaviors in which the file being analyzed seeks network access. The following sections describe the VM interface and the steps required for configuring it. You can optionally enable the Tor feature with the VM interface, which will mask any malicious traffic sent from the WildFire appliance through the VM interface, so the malware sites that the traffic may be sent to cannot detect your public-facing IP address.
This section also describes the steps required to connect the VM interface to a dedicated port on a Palo Alto Networks firewall to enable Internet connectivity.
- Virtual Machine Interface Overview
- Configure the VM Interface on the WildFire Appliance
- Connect the Firewall to the WildFire Appliance VM Interface
Virtual Machine Interface Overview
The VM interface (labeled 1 on the back of the appliance) is used by WildFire to improve malware detection capabilities. The interface allows a sample running on the WildFire virtual machines to communicate with the Internet so that the WildFire appliance can better analyze the behavior of the sample file to determine if it exhibits characteristics of malware.
While it is recommended that you enable the VM interface, it is very important that you do not connect the interface to a network that allows access to any of your servers/hosts because malware that runs in the WildFire virtual machines could potentially use this interface to propagate itself.
This connection can be a dedicated DSL line or a network connection that only allows direct access from the VM interface to the Internet and restricts any access to internal servers/client hosts.
The following illustration shows two options for connecting the VM interface to the network.
Virtual Machine Interface Example
- Option 1 (recommended): Connect the VM interface to an interface in a dedicated zone on a firewall that has a policy that only allows access to the Internet. This is important because malware that runs in the WildFire virtual machines can potentially use this interface to propagate itself. This is the recommended option because the firewall logs will provide visibility into any traffic that is generated by the VM interface.
- Option 2: Use a dedicated Internet provider connection, such as a DSL, to connect the VM interface to the Internet. Ensure that there is no access from this connection to internal servers/hosts. Although this is a simple solution, traffic generated by the malware out the VM interface will not be logged unless you place a firewall or a traffic monitoring tool between the WildFire appliance and the DSL connection.
Configure the VM Interface on the WildFire Appliance
This section describes the steps required to configure the VM interface on the WildFire appliance using the Option 1 configuration detailed in the Virtual Machine Interface Example. After configuring the VM interface using this option, you must also configure an interface on a Palo Alto Networks firewall through which traffic from the VM interface is routed as described in Connect the Firewall to the WildFire Appliance VM Interface.
By default, the VM interface has the following settings:
  IP Address: 192.168.2.1
  Netmask: 255.255.255.0
  Default Gateway: 192.168.2.254
  DNS: 192.168.2.254
If you plan on enabling this interface, configure it with the appropriate settings for your network. If you do not plan on using this interface, leave the default settings. Note that this interface must have network values configured or a commit failure will occur.
Configure the VM Interface
Step 5  Connect the Firewall to the WildFire Appliance VM Interface.
Connect the Firewall to the WildFire Appliance VM Interface
The following example workflow describes how to connect the VM interface to a port on a Palo Alto Networks firewall. Before connecting the VM interface to the firewall, the firewall must already have an Untrust zone connected to the Internet. In this example, you configure a new zone named wf-vm-zone that will contain the interface used to connect the VM interface on the appliance to the firewall. The policy associated with the wf-vm-zone will only allow communication from the VM interface to the Untrust zone.
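The property Option 1 and this workflow require, that the VM interface zone can reach only the Untrust zone, is something you can test against a rulebase rather than trust by inspection, which matters because a broad allow rule placed above the wf-vm-zone rule silently gives sandboxed malware a path to internal zones. The following is an added example, not Palo Alto Networks code: it evaluates zone-to-zone security rules in order, first match wins, and applies the PAN-OS predefined default rules for traffic that matches no rule (intrazone-default allows, interzone-default denies). The zone names follow the wf-vm-zone and Untrust example above; the rulebases and the internal zone names Trust and DMZ are constructed.

```python
"""Check that a firewall rulebase isolates the WildFire VM interface zone.

Added example (not Palo Alto Networks code). Rules are evaluated in order
(first match wins); unmatched traffic gets the PAN-OS default behaviour,
allow within a zone and deny between zones. Zone names follow the
wf-vm-zone / Untrust example; rulebases and internal zones are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str   # zone name or "any"
    to_zone: str     # zone name or "any"
    action: str      # "allow" or "deny"


def evaluate(rules, src_zone, dst_zone):
    """Return (action, rule_name) for traffic between two zones."""
    for r in rules:
        if r.from_zone in (src_zone, "any") and r.to_zone in (dst_zone, "any"):
            return r.action, r.name
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


def isolation_findings(rules, internal_zones, vm_zone="wf-vm-zone", untrust="Untrust"):
    """List problems with the VM interface zone; an empty list means Option 1 holds."""
    findings = []
    action, rule = evaluate(rules, vm_zone, untrust)
    if action != "allow":
        findings.append(f"{vm_zone} cannot reach {untrust} ({rule}): sandbox VMs get no Internet access")
    for zone in internal_zones:
        action, rule = evaluate(rules, vm_zone, zone)
        if action == "allow":
            findings.append(f"{vm_zone} can reach {zone} via {rule}: sandboxed malware could propagate")
    return findings


# Constructed rulebases: the intended one, and one with a broad rule shadowing it.
GOOD_RULEBASE = [Rule("wf-vm-to-internet", "wf-vm-zone", "Untrust", "allow")]
BAD_RULEBASE = [Rule("allow-all", "any", "any", "allow")] + GOOD_RULEBASE
INTERNAL_ZONES = ["Trust", "DMZ"]

if __name__ == "__main__":
    for label, rulebase in (("good", GOOD_RULEBASE), ("bad", BAD_RULEBASE), ("empty", [])):
        print(label, isolation_findings(rulebase, INTERNAL_ZONES) or "isolated")
```

With only the wf-vm-to-internet rule, the VM zone reaches Untrust and nothing else, and the interzone default blocks everything inbound to it as well; the broad allow-all rule is reported once per internal zone it exposes, and an empty rulebase is reported because the sandbox VMs would have no Internet path at all.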
Configure the Firewall to Control Traffic for the WildFire Appliance VM Interface
Enable WildFire Appliance Analysis Features
- Set Up WildFire Appliance Content Updates
- Enable Local Signature and URL Category Generation
- Submit Locally Discovered Malware or Reports to the WildFire Public Cloud
Set Up WildFire Appliance Content Updates
Configure daily content updates for the WildFire appliance. WildFire content updates provide the appliance with threat intelligence to facilitate accurate malware detection, improve appliance capability to differentiate malicious samples from benign samples, and ensure that the appliance has the most recent information needed to generate signatures.
- Install WildFire Content Updates Directly from the Update Server
- Install WildFire Content Updates from an SCP-Enabled Server
Install WildFire Content Updates Directly from the Update Server
Install Threat Intelligence Content Updates Directly from the Update Server
Install WildFire Content Updates from an SCP-Enabled Server
The following procedure describes how to install threat intelligence content updates on a WildFire appliance that does not have direct connectivity to the Palo Alto Networks Update Server. You will need a Secure Copy (SCP)-enabled server to temporarily store the content update.
Install Threat Intelligence Content Updates from an SCP-Enabled Server
Enable Local Signature and URL Category Generation
The WildFire appliance can generate signatures locally based on the samples received from connected firewalls and the WildFire API, as an alternative to sending malware to the public cloud for signature generation. The appliance can generate the following types of signatures for the firewalls to use to block malware and any associated command-and-control traffic:
- Antivirus signatures: Detect and block malicious files. WildFire adds these signatures to WildFire and Antivirus content updates.
- DNS signatures: Detect and block callback domains for command-and-control traffic associated with malware. WildFire adds these signatures to WildFire and Antivirus content updates.
- URL categories: Categorizes callback domains as malware and updates the URL category in PAN-DB.
Configure the firewalls to retrieve the signatures generated by the WildFire appliance as frequently as every five minutes. You can also send the malware sample to the WildFire public cloud, in order to enable the signature to be distributed globally through Palo Alto Networks content releases.
Even if you're using the WildFire appliance for local file analysis, you can also enable connected firewalls to receive the latest signatures distributed by the WildFire public cloud.
Enable the WildFire Appliance to Generate and Distribute Signature and URL Categories
Submit Locally Discovered Malware or Reports to the WildFire Public Cloud

Enable the WildFire appliance to automatically submit malware samples to the WildFire public cloud. The WildFire public cloud further analyzes the malware and generates a signature to identify the sample. The signature is then added to WildFire signature updates, and distributed to global users to prevent future exposure to the threat. If you do not want to forward malware samples outside of your network, you can instead choose to submit only WildFire reports for the malware discovered on your network, in order to contribute to and refine WildFire statistics and threat intelligence.

Enable the WildFire Appliance to Submit Malware or Reports to the WildFire Public Cloud

Submit Malware to the WildFire Public Cloud.
1. Execute the following CLI command from the WildFire appliance to enable the appliance to automatically submit malware samples to the WildFire public cloud:
    admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
   If the firewall that originally submitted the sample for WildFire private cloud analysis has packet captures (PCAPs) enabled, the PCAPs for the malware will also be forwarded to the WildFire public cloud.
2. Go to the WildFire portal to view analysis reports for malware automatically submitted to the WildFire public cloud. When malware is submitted to the WildFire public cloud, the public cloud generates a new analysis report for the sample.

Submit Analysis Reports to the WildFire Public Cloud
To automatically submit malware reports to the WildFire public cloud (and not the malware sample), execute the following CLI command on the WildFire appliance:
    admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
If you have enabled the WildFire appliance to automatically submit malware to the WildFire public cloud, you do not need to enable this option; the WildFire public cloud will generate a new analysis report for the sample.
Reports submitted to the WildFire public cloud cannot be viewed on the WildFire portal. The WildFire portal displays only WildFire public cloud reports.

Verify Malware and Report Submission Settings
Check to confirm that cloud intelligence is enabled to either submit malware or submit reports to the WildFire public cloud by running the following command:
    admin@WF-500> show wildfire status
Refer to the Submit sample and Submit report fields.
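As an added example (not part of this guide), the following Python helper checks the two cloud-intelligence fields in a captured copy of the `show wildfire status` output and classifies what leaves the network; the key-value line layout of that output is an assumption constructed here, since the guide names only the Submit sample and Submit report fields.

```python
import re

# Constructed sample of what "show wildfire status" might print once both
# cloud-intelligence options are set. The layout is an assumption; the guide
# only names the "Submit sample" and "Submit report" fields.
SAMPLE_STATUS = """\
Connection info:
  Wildfire cloud:          wildfire.paloaltonetworks.com
  Status:                  Idle
Cloud intelligence:
  Submit sample:           yes
  Submit report:           yes
"""

FIELD_RE = re.compile(r"^\s*(Submit (?:sample|report))\s*:\s*(\S+)\s*$",
                      re.IGNORECASE)


def parse_submission_fields(status_output):
    """Return {'submit sample': bool, 'submit report': bool} from status text.

    Raises KeyError if either field is missing, so a truncated or mis-parsed
    capture cannot be mistaken for 'disabled'.
    """
    found = {}
    for line in status_output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).lower() == "yes"
    for key in ("submit sample", "submit report"):
        if key not in found:
            raise KeyError("field not found in status output: %s" % key)
    return found


def cloud_intelligence_mode(status_output):
    """Classify the appliance's cloud-intelligence setting.

    'samples' - malware samples (and any firewall PCAPs) leave the network;
                the public cloud generates its own report, so submit-report
                adds nothing when this is on.
    'reports' - only WildFire reports are shared; samples stay local.
    'none'    - nothing is shared with the public cloud.
    """
    fields = parse_submission_fields(status_output)
    if fields["submit sample"]:
        return "samples"
    if fields["submit report"]:
        return "reports"
    return "none"


if __name__ == "__main__":
    print(parse_submission_fields(SAMPLE_STATUS))
    print(cloud_intelligence_mode(SAMPLE_STATUS))
```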
Upgrade a WildFire Appliance

Use the following workflow to upgrade the WildFire appliance operating system. If you want to upgrade an appliance that is part of a WildFire cluster, see Upgrade WildFire Appliances in a Cluster. The appliance can only use one environment at a time to analyze samples, so after upgrading the appliance, review the list of available VM images and then choose the image that best fits your environment. In the case of Windows 7, if your environment has a mix of Windows 7 32-bit and Windows 7 64-bit systems, it is recommended that you choose the Windows 7 64-bit image, so WildFire will analyze both 32-bit and 64-bit PE files. Although you configure the appliance to use one virtual machine image configuration, the appliance uses multiple instances of the image to perform file analyses.

Depending on the number of samples the WildFire appliance has analyzed and stored, the time required to upgrade the appliance software varies; this is because upgrading requires the migration of all malware samples and 14 days of benign samples. Allow 30 to 60 minutes to upgrade a WildFire appliance that you have used in a production environment.

Upgrade the WildFire Appliance to PAN-OS 8.0

Step 1 If you're setting up a WildFire appliance for the first time, start by configuring the WildFire appliance.
Monitor WildFire Activity

Depending on your WildFire deployment (public, private, or hybrid), you can view samples submitted to WildFire and analysis results for each sample using the WildFire portal, by accessing the firewall that submitted the sample (or Panorama, if you are centrally managing multiple firewalls), or by using the WildFire API.

After WildFire has analyzed a sample and delivered a verdict of malicious, phishing, grayware, or benign, a detailed analysis report is generated for the sample. WildFire analysis reports viewed on the firewall that submitted the sample also include details for the session during which the sample was detected. For samples identified as malware, the WildFire analysis report includes details on existing WildFire signatures that might be related to the newly identified malware and information on file attributes, behavior, and activity that indicated the sample was malicious.

See the following topics for details on how to monitor WildFire submissions, view WildFire analysis reports for samples, and set up alerts and notifications based on submissions and analysis results:
About WildFire Logs and Reporting
Use the Firewall to Monitor Malware
Use the WildFire Portal to Monitor Malware
WildFire Analysis Reports Close Up
WildFire Example

The AutoFocus threat intelligence portal provides a different lens through which to view WildFire analysis details for a sample. AutoFocus layers statistics over WildFire analysis data to indicate high-risk artifacts found during sample analysis (such as an IP address or a domain).
About WildFire Logs and Reporting

You can Monitor WildFire Activity on the firewall, with the WildFire portal, or with the WildFire API.

For each sample WildFire analyzes, WildFire categorizes the sample as malware, phishing, grayware, or benign and details sample information and behavior in the WildFire analysis report. WildFire analysis reports can be found on the firewall that submitted the sample and the WildFire cloud (public or private) that analyzed the sample, or can be retrieved using the WildFire API:

On the firewall: All samples submitted by a firewall for WildFire analysis are logged as WildFire Submissions entries (Monitor > WildFire Submissions). The Action column in the WildFire Submissions log indicates whether a file was allowed or blocked by the firewall. For each WildFire submission entry you can open a detailed log view to view the WildFire analysis report for the sample or to download the report as a PDF.

On the WildFire portal: Monitor WildFire activity, including the WildFire analysis report for each sample, which can also be downloaded as a PDF. In a WildFire private cloud deployment, the WildFire portal provides details for samples that are manually uploaded to the portal and samples submitted by a WildFire appliance with cloud intelligence enabled.
The option to view WildFire analysis reports on the portal is only supported for WildFire appliances that have the cloud intelligence feature enabled.

With the WildFire API: Retrieve WildFire analysis reports from a WildFire appliance or from the WildFire public cloud.
Use the Firewall to Monitor Malware

Samples forwarded by the firewall are added as entries to the WildFire Submissions logs. A detailed WildFire analysis report is displayed in the expanded view for each WildFire Submissions entry.
Configure WildFire Submissions Log Settings
Monitor WildFire Submissions and Analysis Reports
Set Up Alerts for Malware

Configure WildFire Submissions Log Settings

Enable the following options for WildFire Submissions logs:
Enable Logging for Benign and Grayware Samples
Include Email Header Information in WildFire Logs and Reports
Include User-ID Information in WildFire Logs and Reports

Enable Logging for Benign and Grayware Samples

Logging for benign and grayware samples is disabled by default. Email links that receive benign or grayware verdicts are not logged.

Enable Logging for Benign and Grayware Samples

Include Email Header Information in WildFire Logs and Reports

Use the following steps to include email header information (email sender, recipient(s), and subject) in WildFire logs and reports.
Session information is forwarded to the WildFire cloud along with the sample, and used to generate the WildFire analysis report. Neither the firewall nor the WildFire cloud receives, stores, or views actual email contents.
Session information can help you to quickly track down and remediate threats detected in email attachments or links, including how to identify recipients who have downloaded or accessed malicious content.

Include Email Header Information in WildFire Logs and Reports
Step 3 Click OK to save.

Include User-ID Information in WildFire Logs and Reports

Enable the firewall to match User-ID information with email header information, so that the User-ID for the recipient of a malicious email attachment or link is identified for a WildFire entry.

Include User-ID Information in WildFire Logs and Reports

Step 2 Select the desired group mapping profile to modify it.
Monitor WildFire Submissions and Analysis Reports

Samples that firewalls submit for WildFire analysis are displayed as entries in the WildFire Submissions log on the firewall web interface. For each WildFire entry, you can open an expanded log view which displays log details and the WildFire analysis report for the sample.

Monitor WildFire Submissions and Reports

Step 1 Forward Files for WildFire Analysis.
Step 2 Configure WildFire Submissions Log Settings.
Step 4 For any entry, select the Log Details icon to open a detailed log view for that entry:
The detailed log view displays Log Info and the WildFire Analysis Report for the entry. If the firewall has packet captures (PCAPs) enabled, the sample PCAPs are also displayed.
For all samples, the WildFire analysis report displays file and session details. For malware samples, the WildFire analysis report is extended to include details on the file attributes and behavior that indicated the file was malicious.
Set Up Alerts for Malware

You can configure a Palo Alto Networks firewall to send an alert when WildFire identifies a malicious or phishing sample. You can configure alerts for benign and grayware files as well, but not for benign and grayware email links. This example describes how to configure an email alert; however, you could also configure log forwarding to set up alerts to be delivered as syslog messages, SNMP traps, or Panorama alerts.

Set Up Alerts for Malware
To forward logs to Panorama, select the check boxes under the Panorama column for Benign, Grayware, Phishing and/or Malicious. For SNMP and Syslog, select the drop-down and choose the appropriate profile or click New to configure a new profile.
4. Click OK to save the changes.
Use the WildFire Portal to Monitor Malware

Log in to the Palo Alto Networks WildFire portal using your Palo Alto Networks support credentials or your WildFire account. The portal opens to display the dashboard, which lists summary report information for all of the firewalls associated with the specific WildFire subscription or support account. For each device listed, the portal displays statistics for the number of malware samples that have been detected, benign samples that have been analyzed, and the number of pending files that are waiting to be analyzed. Your WildFire portal account displays data for all samples submitted by firewalls on your network that are connected to the WildFire public cloud, as well as data for samples manually submitted to the portal. Additionally, if you have enabled a WildFire appliance to forward malware to the WildFire public cloud for signature generation and distribution, reports for those malware samples can also be accessed on the portal.

See the following sections for details on using the WildFire portal to monitor WildFire activity:
Configure WildFire Portal Settings
Add WildFire Portal Users
View Reports on the WildFire Portal

Configure WildFire Portal Settings

This section describes the settings that can be customized for a WildFire cloud account, such as time zone and email notifications for each firewall connected to the account. You can also delete firewall logs stored in the cloud.

Customize the WildFire Portal Settings
Add WildFire Portal Users

WildFire portal accounts are created by a superuser (the registered owner of a Palo Alto Networks device) to give additional users the ability to log in to the WildFire cloud and view device data for which they are granted access by the superuser. A WildFire user can be a user associated with an existing Palo Alto Networks account or a user not associated with a Palo Alto Networks support account, to whom you can allow access to just the WildFire public clouds and a specific set of firewall data.

Add WildFire Portal Users
View Reports on the WildFire Portal

The WildFire portal displays reports for samples that are submitted from firewalls, manually uploaded, or uploaded using the WildFire API. Select Reports to display the latest reports for samples analyzed by the WildFire cloud. For each sample listed, the report entry shows the date and time the sample was received by the cloud, the serial number of the firewall that submitted the file, the filename or URL, and the verdict delivered by WildFire (benign, grayware, malware, or phishing).

Use the search option to search for reports based on the filename or the sample hash value. You can also narrow the results displayed by viewing only reports for samples submitted by a specific Source (view only results submitted manually or by a specific firewall) or for samples that received a specific WildFire Verdict (any, benign, malware, grayware, phishing, or pending).

To view an individual report from the portal, click the Reports icon to the left of the report name. To save the detailed report, click the Download as PDF button on the upper right of the report page. For details on WildFire analysis reports, see WildFire Analysis Reports Close Up.

The following shows a list of sample files submitted by a specific firewall:
WildFire Analysis Reports Close Up

Access WildFire analysis reports on the firewall, the WildFire portal, and the WildFire API.

WildFire analysis reports display detailed sample information, as well as information on targeted users, email header information (if enabled), the application that delivered the file, and all URLs involved in the delivery or phone-home activity of the file. WildFire reports contain some or all of the information described in the following table based on the session information configured on the firewall that forwarded the file and depending on the observed behavior for the file.

When viewing a WildFire report for a file that was manually uploaded to the WildFire portal or by using the WildFire API, the report will not show session information because the traffic did not traverse the firewall. For example, the report would not show the Attacker/Source and Victim/Destination.

Report Heading    Description
The following describes the various behaviors that are analyzed:
Network Activity: Shows network activity performed by the sample, such as accessing other hosts on the network, DNS queries, and phone-home activity. A link is provided to download the packet capture.
Host Activity (by process): Lists activities performed on the host, such as registry keys that were set, modified, or deleted.
Process Activity: Lists files that started a parent process, the process name, and the action the process performed.
File: Lists files that started a child process, the process name, and the action the process performed.
Mutex: If the sample file generates other program threads, the mutex name and parent process are logged in this field.
Activity Timeline: Provides a play-by-play list of all recorded activity of the sample. This will help in understanding the sequence of events that occurred during the analysis.
The activity timeline information is only available in the PDF export of the WildFire reports.
WildFire Example

The following example scenario summarizes the full WildFire lifecycle. In this example, a sales representative from Palo Alto Networks downloads a new software sales tool that a sales partner uploaded to Dropbox. The sales partner unknowingly uploaded an infected version of the sales tool install file and the sales rep then downloads the infected file.

This example will demonstrate how a Palo Alto Networks firewall in conjunction with WildFire can discover zero-day malware downloaded by an end user, even if the traffic is SSL encrypted. After WildFire identifies the malware, a log is sent to the firewall and the firewall alerts the administrator, who then contacts the user to eradicate the malware. WildFire then generates a new signature for the malware and firewalls with a Threat Prevention or WildFire subscription automatically download the signature to protect against future exposure. Although some file sharing websites have an antivirus feature that checks files as they are uploaded, they can only protect against known malware.

This example uses a website that uses SSL encryption. In this case, the firewall has decryption enabled, including the option to forward decrypted content for analysis. To enable decrypted content to be forwarded to the WildFire cloud, see Forward Files for WildFire Analysis.

WildFire Example

Step 1 The salesperson from the partner company uploads a sales tool file named salestool.exe to his Dropbox account and then sends an email to the Palo Alto Networks salesperson with a link to the file.
Step 2 The Palo Alto salesperson receives the email from the sales partner and clicks the download link, which takes her to the Dropbox site. She then clicks Download to save the file to her desktop.
Step 3 The firewall that is protecting the Palo Alto sales rep has a WildFire Analysis profile rule attached to a security policy rule that will look for files in any application that is used to download or upload any of the supported file types. The firewall can also be configured to forward the email-link file type, which enables the firewall to extract HTTP/HTTPS links contained in SMTP and POP3 email messages. As soon as the sales rep clicks download, the firewall forwards the salestool.exe file to WildFire, where the file is analyzed for zero-day malware. Even though the sales rep is using Dropbox, which is SSL encrypted, the firewall is configured to decrypt traffic, so all traffic can be inspected. The following screenshots show the WildFire Analysis profile rule, the security policy rule configured with the WildFire analysis profile rule attached, and the option to allow forwarding of decrypted content enabled.
Step 4 At this point, WildFire has received the file and is analyzing it for more than 200 different malicious behaviors. Verify File Forwarding to check that the firewall has correctly forwarded a file or email links for WildFire analysis.
Step 5 Within approximately five minutes, WildFire has completed the file analysis and then sends a WildFire log back to the firewall with the analysis results. In this example, the WildFire log shows that the file is malicious.
Step 6 The firewall is configured with a log forwarding profile that will send WildFire alerts to the security administrator when malware is discovered.
Step 7 The security administrator identifies the user by name (if User-ID is configured), or by IP address if User-ID is not enabled. At this point, the administrator can shut down the network or VPN connection that the sales representative is using and will then contact the desktop support group to work with the user to check and clean the system.
By using the WildFire detailed analysis report, the desktop support person can determine if the user's system is infected with malware by looking at the files, processes, and registry information detailed in the WildFire analysis report. If the user runs the malware, the support person can attempt to clean the system manually or reimage it.
For details on the WildFire report fields, see WildFire Analysis Reports Close Up.
Step 8 Now that the administrator has identified the malware and the user's system is being checked, how do you protect from future exposure? Answer: In this example, the administrator set a schedule on the firewall to download and install WildFire signatures every 15 minutes and to download and install Antivirus updates once per day. In less than an hour and a half after the sales rep downloaded the infected file, WildFire identified the zero-day malware, generated a signature, added it to the WildFire update signature database provided by Palo Alto Networks, and the firewall downloaded and installed the new signature. This firewall and any other Palo Alto Networks firewall configured to download WildFire and antivirus signatures is now protected against this newly discovered malware. The following screenshot shows the WildFire update schedule:
All of this occurs well before most antivirus vendors are even aware of the zero-day malware. In this example, within a very short period of time, the malware is no longer considered zero-day because Palo Alto Networks has already discovered it and has provided protection to customers to prevent future exposure.
WildFire Appliance Clusters

A WildFire appliance cluster is an interconnected group of WildFire appliances that pool resources to increase sample analysis and storage capacity, support larger groups of firewalls, and simplify configuration and management of multiple WildFire appliances. This is especially useful in environments where access to the WildFire public cloud is not permitted. You can configure and manage up to twenty WildFire appliances as a WildFire appliance cluster on a single network. Clusters also provide a single signature package that the cluster distributes to all connected firewalls, high availability (HA) architecture for fault tolerance, and the ability to manage clusters centrally using Panorama. You can also manage standalone WildFire appliances using Panorama.

To create WildFire appliance clusters, all of the WildFire appliances that you want to place in a cluster must run PAN-OS 8.0.1 or later. When you use Panorama to manage WildFire appliance clusters, Panorama also must run PAN-OS 8.0.1 or later. You do not need a separate license to create and manage WildFire appliance clusters.

WildFire Appliance Cluster Resiliency and Scale
WildFire Appliance Cluster Management
Configure a Cluster Locally on WildFire Appliances
Upgrade WildFire Appliances in a Cluster
Configure a Cluster Centrally on Panorama
WildFire Appliance Cluster Resiliency and Scale

WildFire appliance clusters aggregate the sample analysis and storage capacity of up to twenty WildFire appliances so that you can support large firewall deployments on a single network. You have the flexibility to manage and Configure a Cluster Locally on WildFire Appliances using the CLI, or manage and Configure a Cluster Centrally on Panorama M-Series or virtual appliance servers. A WildFire appliance cluster environment includes:
From 2 to 20 WildFire appliances that you want to group and manage as a cluster. At a minimum, a cluster must have two WildFire appliances configured in a high-availability (HA) pair.
Firewalls that forward samples to the cluster for traffic analysis and signature generation.
(Optional) One or two Panorama appliances for centralized cluster management if you choose not to manage the cluster locally. To provide HA, use two Panorama appliances configured as an HA pair.

Each WildFire appliance you add to a WildFire appliance cluster becomes a node in that cluster (as opposed to a standalone WildFire appliance). Panorama can manage up to 10 WildFire appliance clusters with a total of 200 WildFire cluster nodes (10 clusters, each with the maximum of 20 nodes).

Panorama can manage standalone WildFire appliances as well as WildFire appliance clusters. The combined total of standalone WildFire appliances and WildFire appliance cluster nodes that Panorama can manage is 200. For example, if Panorama manages three clusters with a total of 15 WildFire cluster nodes and eight standalone WildFire appliances, then Panorama manages a total of 23 WildFire appliances and can manage up to 177 more WildFire appliances.

Cluster nodes play one of two roles:
Controller Node: Two controller nodes manage the queuing service and database, generate signatures, and manage the cluster locally if you don't manage the cluster with a Panorama M-Series or virtual appliance. Each cluster can have a maximum of two controller nodes. For fault tolerance, each WildFire appliance cluster should have a minimum of two nodes configured as a primary controller node and controller backup node HA pair. Except during normal maintenance or failure conditions, each cluster should have two controller nodes.
Worker Node: Cluster nodes that are not controller nodes are worker nodes. Worker nodes increase the analysis capacity, storage capacity, and data resiliency of the cluster.

When a firewall registers with a cluster node, or when you add a WildFire appliance that already has registered firewalls to a cluster, the cluster pushes a registration list to the connected firewalls. The registration list contains every node in the cluster. If a cluster node fails, the firewalls connected to that node re-register with another cluster node. This type of resiliency is one of the benefits of creating WildFire appliance clusters.

Benefit    Description
Scale: A WildFire appliance cluster increases the analysis throughput and storage capacity available on a single network so that you can serve a larger network of firewalls without segmenting your network.
High availability: If a cluster node goes down, HA configuration provides fault tolerance to prevent the loss of critical data and services. If you manage clusters centrally using Panorama, Panorama HA configuration provides central management fault tolerance.
Single signature package distribution: All firewalls connected to a cluster receive the same signature package, regardless of the cluster node that received or analyzed the data. The signature package is based on the activity and results of all cluster members, which means that each connected firewall benefits from the combined cluster knowledge.
Centralized management (Panorama): You save time and simplify the management process when you use Panorama to manage WildFire appliance clusters. Instead of using the CLI and scripting to manage a WildFire appliance or cluster, Panorama provides a single-pane-of-glass view of your network devices. You can also push common configurations, configuration updates, and software upgrades to multiple WildFire appliance clusters, and you can do all of this using the Panorama web interface instead of the WildFire appliance CLI.
Load balancing: When a cluster has two or more active nodes, the cluster automatically distributes and load balances analysis, report generation, signature creation, storage, and WildFire content distribution among the nodes.

High availability is a crucial advantage of WildFire appliance clusters because HA prevents the loss of critical data and services. An HA cluster copies and distributes critical data, such as analysis results, reports, and signatures, across nodes so that a node failure does not result in data loss. An HA cluster also provides redundant critical services, such as analysis functionality, WildFire API, and signature generation, so that a node failure doesn't interrupt service. A cluster must have at least two nodes to provide high availability benefits.

Do not configure a cluster with only one controller node. Each cluster should have an HA controller pair. A cluster should have a single controller node only in temporary situations, for example, when you swap controller nodes or if a controller node fails.

In a two-node cluster HA pair, if one controller node fails, the other controller node takes over cluster operation. If a controller node fails, replace it as soon as possible to restore the fault-tolerant HA configuration. Regardless of cluster size, if a node fails, the cluster queue service redirects samples to the next available node, including samples that the failed node began to analyze but do not yet have a verdict. Cluster node failure doesn't affect firewalls, because firewalls registered to a failed node use the cluster registration list to register with another cluster node.

If you manage WildFire appliance clusters with Panorama, you can configure two Panorama M-Series or virtual appliances as an HA pair to provide management redundancy. If you don't configure redundant Panorama appliances and the Panorama fails, then you can still manage clusters locally from a controller node.

If you are using a Panorama HA pair to manage the cluster and one Panorama fails, the other Panorama appliance takes over management of the cluster. If a Panorama HA peer fails, restore service from the failed Panorama peer as soon as possible to restore management HA.

Providing analysis, storage, and centralized management HA requires at least two WildFire appliances configured as cluster controller and controller backup nodes, and two Panorama M-Series or virtual appliances.
Firewalls receive a registration list that contains all of the WildFire appliances that are members of the cluster. Firewalls can register with any node in the cluster and the cluster automatically balances the load among its nodes.
WildFire Appliance Cluster Management

To manage a WildFire appliance cluster, you need to know the capabilities of clusters and management recommendations.

Category    Description
Cluster operation and configuration: Configure all cluster nodes identically to ensure consistency in analysis and appliance-to-appliance communication:
All cluster nodes must run the same version of PAN-OS (PAN-OS 8.0.1 or later). Panorama must run the same software version as the cluster nodes or a newer version. Firewalls can run the same software versions that enable them to submit samples to a WildFire appliance. Firewalls do not require a particular software version to submit samples to a WildFire appliance cluster.
Cluster nodes inherit their configuration from the controller node, with the exception of interface configuration. Cluster members monitor the controller node configuration and update their own configurations when the controller node commits an updated configuration. Worker nodes inherit settings such as content update server settings, WildFire cloud server settings, the sample analysis image, sample data retention time frames, analysis environment settings, signature generation settings, log settings, authentication settings, and Panorama server, DNS server, and NTP server settings.
When you manage a cluster with Panorama, the Panorama appliance pushes a consistent configuration to all cluster nodes. Although you can change the configuration locally on a WildFire appliance node, Palo Alto Networks does not recommend that you do this, because the next time the Panorama appliance pushes a configuration, it replaces the running configuration on the node. Local changes to cluster nodes that Panorama manages often cause Out-of-Sync errors.
If the cluster node membership list differs on the two controller nodes, the cluster generates an Out-of-Sync warning. To avoid a condition where both controller nodes continually update the out-of-sync membership list for the other node, cluster membership enforcement stops. When this happens, you can synchronize the cluster membership lists from the local CLI on the controller and controller backup nodes by running the operational command request high-availability sync-to-remote running-configuration. If there is a mismatch between the primary controller node's configuration and the configuration on the controller backup node, the configuration on the primary controller node overrides the configuration on the controller backup node. On each controller node, run show cluster all-peers and compare and correct the membership lists.
A cluster can have only two controller nodes (primary and backup); attempts to locally add a third controller node to a cluster fail. (The Panorama web interface automatically prevents you from adding a third controller node.) The third and all subsequent nodes added to a cluster must be worker nodes.
A characteristic of HA configurations is that the cluster distributes and retains multiple copies of the database, queuing services, and sample submissions to provide redundancy in case of a cluster node failure. Running the additional services required to provide redundancy for HA has a minimal impact on throughput.
The cluster automatically checks for duplicate IP addresses used for the analysis environment network.
If a node belongs to a cluster and you want to move it to a different cluster, you must first remove the node from its current cluster.
Firewall registration: WildFire appliance clusters push a registration list that contains all of the nodes in a cluster to every firewall connected to a cluster node. When you register a firewall with an appliance in a cluster, the firewall receives the registration list. When you add a standalone WildFire appliance that already has connected firewalls to a cluster so that it becomes a cluster node, those firewalls receive the registration list.
If a node fails, the connected firewalls use the registration list to register with the next node on the list.
Cluster data retention policies: Data retention policies determine how long the WildFire appliance cluster stores different types of samples.
Benign and grayware samples: The cluster retains benign and grayware samples for 1 to 90 days (default is 14).
Malicious samples: The cluster retains malicious samples for a minimum of 1 day (default is indefinite, never deleted). Malicious samples may include phishing verdict samples.
Configure the same data retention policy throughout a cluster (Step 3 in Configure General Cluster Settings Locally or Step 1 in Configure General Cluster Settings on Panorama).
Networking: No communication between WildFire appliance clusters is allowed. Nodes communicate with each other within a given cluster, but do not communicate with nodes in other clusters.
All cluster members must:
Use a dedicated cluster management interface for cluster management and communication (enforced in Panorama).
Have a static IP address in the same subnet.
Use low-latency connections between cluster nodes. The maximum latency for a connection should be no greater than 500 ms.
Dedicated cluster management interface: The dedicated cluster management interface enables the controller nodes to manage the cluster and is a different interface than the standard management interface (Ethernet0). Panorama enforces configuring a dedicated cluster management interface.
If the cluster management link goes down between two controller nodes in a two-node configuration, the controller backup node services and sample analysis continue to run even though there is no management communication with the primary controller node. This is because when the cluster management link goes down, the controller backup node does not know if the primary controller node is still functional, resulting in a split-brain condition. The controller backup node must continue to provide cluster services in case the primary controller node is not functional. When the cluster management link is restored, the data from each controller node is merged.
DNS: You can use the controller node in a WildFire appliance cluster as the authoritative DNS server for the cluster. (An authoritative DNS server serves the actual IP addresses of the cluster members, as opposed to a recursive DNS server, which queries the authoritative DNS server and passes the requested information to the host that made the initial request.)
Firewalls that submit samples to the WildFire appliance cluster should send DNS queries to their regular DNS server, for example, an internal corporate DNS server. The internal DNS server forwards the DNS query to the WildFire appliance cluster controller (based on the query's domain). Using the cluster controller as the DNS server provides many advantages:
- Automatic load balancing: When the cluster controller resolves the service advertisement hostname, the host cluster nodes are in a random order, which has the effect of organically balancing the load on the nodes.
- Fault tolerance: If one cluster node fails, the cluster controller automatically removes it from the DNS response, so firewalls send new requests to nodes that are up and running.
- Flexibility and ease of management: When you add nodes to the cluster, because the controller updates the DNS response automatically, you don't need to make any changes on the firewall and requests automatically go to the new nodes as well as the previously existing nodes.
The DNS record should not be cached. For troubleshooting: if the DNS lookup succeeds, the TTL is 0; when the DNS lookup returns NXDOMAIN, the TTL and minimum TTL are both 0.
Administration: You can administer WildFire clusters using the local WildFire CLI or through Panorama. There are two administrative roles available locally on WildFire cluster nodes:
- Superreader: Read-only access.
- Superuser: Read and write access.
Cluster upgrades: WildFire appliances in a cluster can operate using different versions; however, it is a best practice to run the same version.
Configure a Cluster Locally on WildFire Appliances
Before you configure a WildFire appliance cluster locally, have two WildFire appliances available to configure as a high availability controller node pair and any additional WildFire appliances needed to serve as worker nodes to increase the analysis, storage capacity, and resiliency of the cluster.
If the WildFire appliances are new, check Get Started with WildFire to ensure that you complete basic steps such as confirming your WildFire license is active, enabling logging, connecting firewalls to WildFire appliances, and configuring basic WildFire features.
To create WildFire appliance clusters, you must upgrade all of the WildFire appliances that you want to place in a cluster to PAN-OS 8.0.1 or later. On each WildFire appliance that you want to add to a cluster, run show system info | match version on the WildFire appliance CLI to ensure that the appliance is running PAN-OS 8.0.1 or later.
After you create a cluster, perform all configuration and commit operations on the active (primary) controller node. Do not configure and commit from the backup (passive) controller node.
When your WildFire appliances are available, perform the appropriate tasks:
- Configure a Cluster and Add Nodes Locally
- Configure General Cluster Settings Locally
- Remove a Node from a Cluster Locally
Configure a Cluster and Add Nodes Locally
When you add nodes to a cluster, the cluster automatically sets up communication between nodes based on the interfaces you configure for the controller node.
Configure a Cluster and Add Nodes Locally Using the WildFire appliance CLI
Configure General Cluster Settings Locally
Some general settings are optional and some general settings are prepopulated with default values. It's best to at least check these settings to ensure that the cluster configuration matches your needs. General settings include:
- Connecting to the WildFire public cloud and submitting samples to the public cloud.
- Configuring data retention policies.
- Configuring logging.
- Setting the analysis environment (the VM image that best matches your environment) and customizing the analysis environment to best service the types of samples the firewalls submit to WildFire.
- Setting IP addresses for the DNS server, NTP server, and more.
Configure WildFire settings using the CLI on the cluster's primary controller node. The rest of the cluster nodes use the settings configured on the cluster controller.
Configure General Cluster Settings Locally Using the Primary Controller Node CLI
Remove a Node from a Cluster Locally
You can remove nodes from a cluster using the local CLI. The procedure to remove a node is different in a two-node cluster than in a cluster with three or more nodes.
Remove a Node from a Cluster Locally on WildFire Appliances
Remove a worker node from a cluster with three or more nodes.
1. Decommission the worker node from the worker node's CLI:
   admin@WF-500> request cluster decommission start
   The decommission command only works with clusters that have three or more nodes. Do not use decommission to remove a node in a two-node cluster.
2. Confirm that decommissioning the node was successful:
   admin@WF-500> show cluster membership
   This command reports decommission: success after the worker node is removed from the cluster. If the command does not display successful decommission, wait a few minutes to allow the decommission to finish and then run the command again.
3. Check that all processes are running:
   admin@WF-500> show system software status
Remove a controller node from a two-node cluster.
Each cluster must have two controller nodes in a high availability configuration under normal conditions. However, maintenance or swapping out controller nodes may require removing a controller node from a cluster using the CLI:
1. On the controller node you want to remove, delete the high availability configuration. This example shows removing the controller backup node:
   admin@WF-500(passive-controller)> configure
   admin@WF-500(passive-controller)# delete deviceconfig high-availability
2. Delete the cluster configuration:
   admin@WF-500(passive-controller)# delete deviceconfig cluster
3. Commit the configuration:
   admin@WF-500(passive-controller)# commit
4. Wait for services to come back up. Run show cluster membership and check the Application status, which shows all services and the siggen-db in a Ready state when all services are up. The Node mode should be stand_alone.
5. On the remaining cluster node, check to ensure that the node was removed:
   admin@WF-500(active-controller)> show cluster all-peers
   The controller node you removed does not appear in the list of cluster nodes.
6. If you have another WildFire appliance ready, add it to the cluster as soon as possible to restore high availability (Configure a Cluster and Add Nodes Locally).
   If you do not have another WildFire appliance ready to replace the removed cluster node, you should remove the high availability and cluster configurations from the remaining cluster node because one-node clusters are not recommended and do not provide high availability. It is better to manage a single WildFire appliance as a standalone appliance, not as a one-node cluster.
   To remove the high availability and cluster configurations from the remaining node (in this example, the primary controller node):
   admin@WF-500(active-controller)> configure
   admin@WF-500(active-controller)# delete deviceconfig high-availability
   admin@WF-500(active-controller)# delete deviceconfig cluster
   admin@WF-500(active-controller)# commit
   Wait for services to come back up. Run show cluster membership and check the Application status, which shows all services and the siggen-db in a Ready state when all services are up. The Node mode should be stand_alone.
Upgrade WildFire Appliances in a Cluster
You can use the CLI to upgrade WildFire appliances enrolled in a cluster individually, or use Panorama to upgrade the cluster as a group.
Depending on the number of samples the WildFire appliance has analyzed and stored, the time required to upgrade the appliance software varies; this is because upgrading requires the migration of all malware samples and 14 days of benign samples. Allow 30 to 60 minutes for each WildFire appliance that you have used in a production environment.
Palo Alto Networks recommends running the same version of the operating system across all nodes in a cluster.
Panorama can manage WildFire appliances and appliance clusters running PAN-OS software versions 8.0.1 or later.
Ensure the devices are connected to a reliable power source. A loss of power during an upgrade can make the devices unusable.
Depending on your deployment, perform one of the following tasks to upgrade your WildFire cluster:
- Upgrade a Cluster Locally
- Upgrade a Cluster Centrally on Panorama with an Internet Connection
- Upgrade a Cluster Centrally on Panorama without an Internet Connection
Upgrade a Cluster Locally
To upgrade a cluster locally, you must individually upgrade each WildFire appliance enrolled in a cluster. When an appliance finishes upgrading, it automatically re-enrolls into the cluster that it was originally assigned to.
Upgrade WildFire Appliances in a Cluster Locally Using the WildFire appliance CLI
Step 7 Repeat steps 1-7 for each WildFire worker node in the cluster.
Upgrade a Cluster Centrally on Panorama with an Internet Connection
WildFire appliances in a cluster can be upgraded in parallel when they are managed by Panorama. If Panorama has a direct connection to the Internet, you can check for and download new releases directly from Panorama.
Panorama can only manage WildFire appliances and appliance clusters operating the same software version or a later software version.
Install WildFire Software Upgrades in a Cluster using Panorama with Internet Access
Upgrade a Cluster Centrally on Panorama without an Internet Connection
WildFire appliances in a cluster can be upgraded in parallel when they are managed by Panorama. If Panorama does not have a direct connection to the Internet, you must download the software content and updates from the Palo Alto Networks Support site and host them on an internal server before they can be distributed by Panorama.
Panorama can only manage WildFire appliances and appliance clusters operating the same software version or a later software version.
Install WildFire Software Upgrades in a Cluster Using Panorama without Internet Access
Configure a Cluster Centrally on Panorama
Before you configure a WildFire appliance cluster on a Panorama M-Series or virtual appliance, have two WildFire appliances available to configure as a high availability controller node pair and any additional WildFire appliances needed to serve as worker nodes to increase the analysis, storage capacity, and resiliency of the cluster.
If the WildFire appliances are new, check Get Started with WildFire to ensure that you complete basic steps such as confirming your WildFire license is active, enabling logging, connecting firewalls to WildFire appliances, and configuring basic WildFire features.
To create WildFire appliance clusters, you must upgrade all of the WildFire appliances that you want to place in a cluster to PAN-OS 8.0.1 or later. If you use Panorama to manage WildFire appliance clusters, Panorama also must run PAN-OS 8.0.1 or later. On each WildFire appliance that you want to add to a cluster, run show system info | match version on the WildFire appliance CLI to ensure that the appliance is running PAN-OS 8.0.1 or later. On each Panorama appliance you use to manage clusters (or standalone appliances), Dashboard > General Information > Software Version displays the running software version.
When your WildFire appliances are available, perform the appropriate tasks:
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
Removing a node from a cluster using Panorama is not supported. Instead, Remove a Node from a Cluster Locally using the local WildFire CLI.
Configure a Cluster and Add Nodes on Panorama
Before configuring a WildFire appliance cluster from Panorama, you must upgrade Panorama to 8.0.1 or later and upgrade all WildFire appliances you plan to add to the cluster to 8.0.1 or later. All WildFire appliances must run the same version of PAN-OS.
You can manage up to 200 WildFire appliances with a Panorama M-Series or virtual appliance. The 200 WildFire appliance limit is the combined total of standalone appliances and WildFire appliance cluster nodes (if you also Add Standalone WildFire Appliances to Manage with Panorama). Except where noted, configuration takes place on Panorama.
Each WildFire appliance cluster node must have a static IP address in the same subnet and have low latency connections.
Configure a Cluster Using a Panorama M-Series or Virtual Appliance
Configure General Cluster Settings on Panorama
Some general settings are optional and some general settings are prepopulated with default values. It's best to at least check these settings to ensure that the cluster configuration matches your needs. General settings include:
- Connecting to the WildFire public cloud and submitting samples to the public cloud.
- Configuring data retention policies.
- Configuring logging.
- Setting the analysis environment (the VM image that best matches your environment) and customizing the analysis environment to best service the types of samples the firewalls submit to WildFire.
- Setting IP addresses for the DNS server, NTP server, and more.
Configure General Cluster Settings Using a Panorama M-Series or Virtual Appliance
Remove a Cluster from Panorama Management
If you remove a WildFire appliance cluster from Panorama management, the Panorama web interface places the WildFire appliances in that cluster into read-only mode. Although the WildFire appliances in the removed cluster display in the Panorama web interface, when in read-only mode, you can't push configurations to the WildFire appliances or manage them with Panorama. After being removed from Panorama management, the WildFire appliance cluster members use the local cluster configuration and you can manage the cluster using the local CLI.
To manage the WildFire appliances in the cluster with Panorama after you remove the cluster from Panorama management, import the cluster back into Panorama (Panorama > Managed WildFire Clusters > Import Cluster Config).
Import a Cluster Back into Panorama
Step 1 Select the cluster's controller node. The cluster name populates Cluster automatically.
Step 2 Click OK. The cluster backup controller node and worker nodes populate automatically.
Step 3 Click OK to import the cluster.
Step 4 Commit the changes.
WildFire Appliance Software CLI Concepts
This section introduces and describes how to use the WildFire appliance software command line interface (CLI):
- WildFire Appliance Software CLI Structure
- WildFire Appliance Software CLI Command Conventions
- WildFire Appliance CLI Command Messages
- WildFire Appliance Command Option Symbols
- WildFire Appliance Privilege Levels
WildFire Appliance Software CLI Structure
The WildFire appliance software CLI is used to manage the appliance. The CLI is the only interface to the appliance. Use it to view status and configuration information and modify the appliance configuration. Access the WildFire appliance software CLI over SSH or by direct console access using the console port.
The WildFire appliance software CLI operates in two modes:
- Operational mode: View the state of the system, navigate the WildFire appliance software CLI, and enter configuration mode.
- Configuration mode: View and modify the configuration hierarchy.
WildFire Appliance Software CLI Command Conventions
The basic command prompt incorporates the username and hostname of the appliance:
username@hostname>
Example:
admin@WF-500>
When entering Configuration mode, the prompt changes from > to #:
username@hostname> (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname# (Configuration mode)
In Configuration mode, the current hierarchy context is shown by the [edit...] banner presented in square brackets when a command is issued.
WildFire Appliance CLI Command Messages
Messages may be displayed when issuing a command. The messages provide context information and can help in correcting invalid commands. In the following examples, the message is shown in bold.
Example: Unknown command
username@hostname# application-group
Unknown command: application-group
[edit network]
username@hostname#
Example: Changing modes
username@hostname# exit
Exiting configuration mode
username@hostname>
Example: Invalid syntax
username@hostname> debug 17
Unrecognized command
Invalid syntax.
username@hostname>
The CLI checks the syntax of each command. If the syntax is correct, it executes the command and the candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as in the following example:
username@hostname# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
Unrecognized command
Invalid syntax.
[edit]
username@hostname#
WildFire Appliance Command Option Symbols
The symbol preceding an option can provide additional information about command syntax.
Symbol Description
* This option is required.
> There are additional nested options for this command.
+ There are additional command options for this command at this level.
| There is an option to specify an except value or a match value to restrict the command.
" Although the double quote is not a command option symbol, it must be used when entering multi-word phrases in CLI commands. For example, to create an address group named Test Group and to add the user named user1 to this group, you must surround the group name with double quotes as follows:
set address-group "Test Group" user1
If you do not put a double quote surrounding the group name, the CLI would interpret the word Test as the group name and Group as the username and the following error would be displayed: test is not a valid name.
A single quote would also be invalid in this example.
The following examples show how these symbols are used.
Example: In the following command, the keyword from is required:
username@hostname> scp import configuration ?
+ remote-port SSH port number on remote host
* from Source (username@host:path)
username@hostname> scp import configuration
Example: This command output shows options designated with + and >.
username@hostname# set rulebase security rules rule1 ?
+ action action
+ application application
+ destination destination
+ disabled disabled
+ from from
+ log-end log-end
+ log-setting log-setting
+ log-start log-start
+ negate-destination negate-destination
+ negate-source negate-source
+ schedule schedule
+ service service
+ source source
+ to to
> profiles profiles
<Enter> Finish input
[edit]
username@hostname# set rulebase security rules rule1
Each option listed with + can be added to the command.
The profiles keyword (with >) has additional options:
username@hostname# set rulebase security rules rule1 profiles ?
+ virus Help string for virus
+ spyware Help string for spyware
+ vulnerability Help string for vulnerability
+ group Help string for group
<Enter> Finish input
[edit]
username@hostname# set rulebase security rules rule1 profiles
WildFire Appliance Privilege Levels
Privilege levels determine which commands the user is permitted to execute and the information the user is permitted to view.
Level Description
superreader Has complete read-only access to the appliance.
superuser Has complete read-write access to the appliance.
WildFire CLI Command Modes
The following topics describe the modes used to interact with the WildFire appliance software CLI:
- WildFire Appliance CLI Configuration Mode
- WildFire Appliance CLI Operational Mode
WildFire Appliance CLI Configuration Mode
Entering commands in configuration mode modifies the candidate configuration. The modified candidate configuration is stored in the appliance memory and maintained while the appliance is running.
Each configuration command involves an action, and may also include keywords, options, and values.
This section describes Configuration mode and the configuration hierarchy:
- Configuration Mode Command Usage
- Configuration Hierarchy
- Navigate the Hierarchy
Configuration Mode Command Usage
Use the following commands to store and apply configuration changes:
- save: Saves the candidate configuration in the non-volatile storage on the appliance. The saved configuration is retained until overwritten by subsequent save commands. Note that this command does not make the configuration active.
- commit: Applies the candidate configuration to the appliance. A committed configuration becomes the active configuration for the device.
- set: Changes a value in the candidate configuration.
- load: Assigns the last saved configuration or a specified configuration to be the candidate configuration.
When exiting configuration mode without issuing the save or commit command, the configuration changes could be lost if the appliance loses power.
Maintaining a candidate configuration and separating the save and commit steps confers important advantages when compared with traditional CLI architectures:
- Distinguishing between the save and commit concepts allows multiple changes to be made at the same time and reduces system vulnerability.
- Commands can easily be adapted for similar functions. For example, when configuring two Ethernet interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the command, modify only the interface and IP address, and then apply the change to the second interface.
- The command structure is always consistent.
- Because the candidate configuration is always unique, all authorized changes to the candidate configuration are consistent with each other.
Configuration Hierarchy
The configuration for the appliance is organized in a hierarchical structure. To display a segment of the current hierarchy level, use the show command. Entering show displays the complete hierarchy, while entering show with keywords displays a segment of the hierarchy. For example, when running the command show from the top level of configuration mode, the entire configuration is displayed. When running the command edit mgt-config and you enter show, or by running show mgt-config, only the mgt-config part of the hierarchy displays.
Hierarchy Paths
When entering commands, the path is traced through the hierarchy as follows:
For example, the following command assigns the primary DNS server 10.0.0.246 for the appliance:
[edit]
username@hostname# set deviceconfig system dns-setting servers primary 10.0.0.246
This command generates a new element in the hierarchy and in the output of the following show command:
[edit]
username@hostname# show deviceconfig system dns-setting
dns-setting {
  servers {
    primary 10.0.0.246
  }
}
[edit]
username@hostname#
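The brace-structured listing that show prints can be parsed back into the set commands that created it, which is a convenient way to review or replay one appliance's configuration fragment on another. The following is an added example, not code from this guide; SAMPLE_SHOW extends the dns-setting fragment above with a constructed secondary server, and the "set deviceconfig system" prefix is the path the show command above was run against.

```python
"""Parse the brace-structured hierarchy that 'show' prints in Configuration mode
into nested dictionaries and regenerate the 'set' commands that produce it.

Added example, not code from the guide. SAMPLE_SHOW extends the dns-setting
fragment above with a constructed 'secondary' server; the 'set deviceconfig
system' prefix is the path the show command above was run against."""
from collections import OrderedDict

SAMPLE_SHOW = """\
dns-setting {
  servers {
    primary 10.0.0.246
    secondary 10.0.0.247
  }
}
"""


def parse_hierarchy(text):
    """'key {' opens a child node, 'key value' is a leaf, '}' closes the current
    node. Blank lines and the [edit ...] banner are ignored; unbalanced braces
    raise ValueError rather than silently producing a partial tree."""
    root = OrderedDict()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[edit"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith("{"):
            child = OrderedDict()
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root


def to_set_commands(tree, prefix=("set", "deviceconfig", "system")):
    """Flatten the tree into one 'set <path> <value>' line per leaf, in the
    order the show output listed them."""
    commands = []

    def walk(node, path):
        for key, value in node.items():
            if isinstance(value, dict):
                walk(value, path + (key,))
            else:
                commands.append(" ".join(path + (key, value)))

    walk(tree, prefix)
    return commands


def is_balanced(text):
    """True when the fragment parses completely; use it to reject show output
    that was cut off before its closing braces."""
    try:
        parse_hierarchy(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for command in to_set_commands(parse_hierarchy(SAMPLE_SHOW)):
        print(command)
```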
Navigate the Hierarchy
The [edit...] banner presented below the Configure mode command prompt line shows the current hierarchy context.
[edit]
indicates that the relative context is the top level of the hierarchy, whereas
[edit deviceconfig]
indicates that the relative context is at the deviceconfig level.
Use the following commands to navigate through the configuration hierarchy.
Command Description
edit Sets the context for configuration within the command hierarchy.
up Changes the context to the next higher level in the hierarchy.
top Changes the context to the highest level in the hierarchy.
The set command issued after using the up and top commands starts from the new context.
WildFire Appliance CLI Operational Mode
At the initial login to the device, the WildFire appliance software CLI opens in Operational mode. Operational mode commands involve actions that are executed immediately. They do not involve changes to the configuration, and do not need to be saved or committed.
Operational mode commands are of several types:
- Network access: Open a window to another host. SSH is supported.
- Monitoring and troubleshooting: Perform diagnosis and analysis. Includes debug and ping commands.
- Display commands: Display or clear current information. Includes clear and show commands.
- WildFire appliance software CLI navigation commands: Enter Configure mode or exit the WildFire appliance software CLI. Includes configure, exit, and quit commands.
- System commands: Make system-level requests or restart. Includes set and request commands.
Access the WildFire Appliance CLI
This section describes how to access the WildFire appliance software CLI:
- Establish a Direct Console Connection
- Establish an SSH Connection
Establish a Direct Console Connection
Use the following settings for a direct console connection:
Data rate: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: None
Establish an SSH Connection
To access the WildFire appliance software CLI:
Launch the WildFire CLI
Step 1 Use terminal emulation software to establish an SSH console connection with the WildFire appliance.
Step 2 Enter the administrative username. The default is admin.
Step 3 Enter the administrative password. The default is admin.
The WildFire appliance software CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>
WildFire Appliance CLI Operations
- Access WildFire Appliance Operational and Configuration Modes
- Display WildFire Appliance Software CLI Command Options
- Restrict WildFire Appliance CLI Command Output
- Set the Output Format for WildFire Appliance Configuration Commands
Access WildFire Appliance Operational and Configuration Modes
When logging in, the WildFire appliance software CLI opens in Operational mode. You can navigate between Operational and Configuration modes at any time.
To enter Configuration mode from Operational mode, use the configure command:
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#
To leave Configuration mode and return to Operational mode, use the quit or exit command:
username@hostname# quit
Exiting configuration mode
username@hostname>
To enter an Operational mode command while in Configuration mode, use the run command. For example, to show system resources from configure mode, use run show system resources.
Display WildFire Appliance Software CLI Command Options
Use ? (or Meta-H) to display a list of command options, based on context:
To display a list of operational commands, enter ? at the command prompt.
username@hostname> ?
clear Clear runtime parameters
configure Manipulate software configuration information
create create commands
debug Debug and diagnose
delete Remove files from hard disk
disable disable commands
edit edit commands
exit Exit this session
find Find CLI commands with keyword
grep Searches file for lines containing a pattern match
less Examine debug file content
ping Ping hosts and networks
quit Exit this session
request Make system-level requests
scp Use scp to import / export files
Restrict WildFire Appliance CLI Command Output
Some operational commands include an option to restrict the displayed output. To restrict the output, enter a pipe symbol followed by except or match and the value that is to be excluded or included:
Example:
The following sample output is for the show system info command:
username@hostname> show system info
hostname: WildFire
ip-address: 192.168.2.20
netmask: 255.255.255.0
default-gateway: 192.168.2.1
mac-address: 00:25:90:95:84:76
vm-interface-ip-address: 10.16.0.20
vm-interface-netmask: 255.255.252.0
vm-interface-default-gateway: 10.16.0.1
vm-interface-dns-server: 10.0.0.247
time: Mon Apr 15 13:31:39 2013
uptime: 0 days, 0:02:35
family: m
model: WF-500
serial: 009707000118
sw-version: 8.0.1
wf-content-version: 702-283
wf-content-release-date: unknown
logdb-version: 8.0.15
platform-family: m
operational-mode: normal
username@hostname>
The following sample displays only the system model information:
username@hostname> show system info | match model
model: WF-500
username@hostname>
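The same restriction can be reproduced offline to script the prerequisite check the cluster sections give (show system info | match version must report PAN-OS 8.0.1 or later). The following is an added example, not code from this guide; SAMPLE_OUTPUT repeats part of the show system info listing above as constructed input, and pattern matching is treated as a plain substring test, which is an assumption about the appliance's matching rules.

```python
"""Emulate the CLI's '| match' and '| except' output restriction and use the
parsed 'show system info' fields for the clustering prerequisite stated in this
guide: the appliance must run PAN-OS 8.0.1 or later.

Added example, not code from the guide. SAMPLE_OUTPUT repeats part of the
'show system info' listing above as constructed input. Matching is treated as a
plain case-sensitive substring test (an assumption; the appliance's exact
matching rules are not described on this page)."""
import re

SAMPLE_OUTPUT = """\
hostname: WildFire
ip-address: 192.168.2.20
model: WF-500
serial: 009707000118
sw-version: 8.0.1
wf-content-version: 702-283
wf-content-release-date: unknown
logdb-version: 8.0.15
operational-mode: normal
"""

MIN_CLUSTER_VERSION = (8, 0, 1)   # required on every node before it joins a cluster


def restrict(lines, mode, pattern):
    """'<command> | match <pattern>' keeps the lines containing the pattern;
    '<command> | except <pattern>' drops them."""
    if mode not in ("match", "except"):
        raise ValueError("mode must be 'match' or 'except'")
    keep = mode == "match"
    return [line for line in lines if (pattern in line) == keep]


def parse_system_info(text):
    """Turn 'key: value' lines into a dict; lines without a separator are skipped.
    Splitting on the first colon keeps values such as MAC addresses intact."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def parse_version(version):
    """'8.0.1' -> (8, 0, 1); '8.0' -> (8, 0, 0). A hotfix suffix such as
    '8.0.1-h1' does not change the comparison against the minimum."""
    numbers = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        numbers.append(int(digits.group()))
    numbers += [0] * (3 - len(numbers))
    return tuple(numbers[:3])


def cluster_ready(show_output):
    """Return (ok, detail) for the PAN-OS 8.0.1-or-later check, reading the same
    'sw-version' line an operator sees with 'show system info | match version'."""
    version = parse_system_info(show_output).get("sw-version")
    if version is None:
        return False, "sw-version not found in output"
    if parse_version(version) < MIN_CLUSTER_VERSION:
        return False, f"sw-version {version} is older than 8.0.1"
    return True, version


if __name__ == "__main__":
    print("\n".join(restrict(SAMPLE_OUTPUT.splitlines(), "match", "version")))
    print(cluster_ready(SAMPLE_OUTPUT))
```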
Set the Output Format for WildFire Appliance Configuration Commands
WildFire Appliance Configuration Mode Command Reference
This section contains command reference information for the following Configuration mode commands that are specific to the WildFire appliance software. All other commands that are part of the WildFire appliance software are identical to PAN-OS as described in the PAN-OS 8.0 CLI Quick Start.
- set deviceconfig cluster
- set deviceconfig high-availability
- set deviceconfig setting management
- set deviceconfig setting wildfire
- set deviceconfig system eth2
- set deviceconfig system eth3
- set deviceconfig system panorama-server
- set deviceconfig system panorama-server-2
- set deviceconfig system update-schedule
- set deviceconfig system vm-interface
set deviceconfig cluster
Description
Configure WildFire appliance cluster settings on the WildFire appliance. You can configure the cluster name, the interface used for cluster communication, and the mode (role) of the appliance in the cluster: controller or worker. On WildFire appliances that you configure as cluster controllers, you can add WildFire appliances to the cluster and set whether the controller provides DNS service on its management interface.
Hierarchy Location
set deviceconfig
Syntax
cluster {
cluster-name <name>;
interface {eth2 | eth3};
mode {
controller {
service-advertisement dns-service enabled {no | yes};
worker-list {ip-address}
}
worker;
}
}
Options
+ cluster-name: Name the cluster. The name must be a valid domain name section.
+ interface: Configure the interface to use for cluster communication. The cluster communication interface must be the same on all cluster members.
> mode: Configure whether the WildFire appliance is a controller node or a worker node. For controller nodes, configure whether the controller provides DNS service on the management interface (service-advertisement) and add worker nodes to the cluster (worker-list). Each WildFire appliance cluster should have two controller nodes to provide high availability. You can add two controllers and up to 18 worker nodes to a cluster, for a maximum total of 20 nodes.
Sample Output
Required Privilege Level
superuser, deviceadmin
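The limits in this command reference and in the Networking row of the cluster management table (two HA controllers, at most 18 workers, one shared cluster interface, static addresses in one subnet, no more than 500 ms between nodes) can be checked before any commit. The following is an added example, not code from this guide; SAMPLE_NODES and its latency figures are constructed, and the emitted command text follows the set deviceconfig cluster syntax above.

```python
"""Check a planned WildFire appliance cluster against the limits this guide
states and emit the 'set deviceconfig cluster' lines for each role.

Added example, not code from the Palo Alto Networks guide. SAMPLE_NODES and the
latency figures are constructed; the command text follows the syntax above."""
import ipaddress
import re

CONTROLLER_COUNT = 2      # each cluster needs exactly two controller nodes (HA pair)
MAX_WORKERS = 18          # two controllers plus up to 18 workers: 20 nodes in total
MAX_LATENCY_MS = 500      # connections between nodes "no greater than 500 ms"
CLUSTER_INTERFACES = {"eth2", "eth3"}
# "valid domain name section" is read here as a single DNS label (assumption).
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed sample plan: two controllers and one worker in 10.10.1.0/24.
SAMPLE_NODES = [
    {"ip": "10.10.1.11", "role": "controller", "latency_ms": 2},
    {"ip": "10.10.1.12", "role": "controller", "latency_ms": 3},
    {"ip": "10.10.1.21", "role": "worker", "latency_ms": 40},
]


def validate_cluster(name, interface, nodes, subnet):
    """Return a list of rule violations; an empty list means the plan is acceptable.

    Each node is a dict with 'ip', 'role' ('controller' or 'worker') and
    'latency_ms' (measured round-trip time to the primary controller)."""
    problems = []
    if not LABEL_RE.match(name):
        problems.append(f"cluster name {name!r} is not a valid domain name section")
    if interface not in CLUSTER_INTERFACES:
        problems.append(f"cluster interface must be eth2 or eth3, not {interface!r}")
    net = ipaddress.ip_network(subnet, strict=False)
    roles = [n["role"] for n in nodes]
    if roles.count("controller") != CONTROLLER_COUNT:
        problems.append(f"expected {CONTROLLER_COUNT} controller nodes, found {roles.count('controller')}")
    if roles.count("worker") > MAX_WORKERS:
        problems.append(f"too many worker nodes: {roles.count('worker')} > {MAX_WORKERS}")
    seen = set()
    for n in nodes:
        ip = ipaddress.ip_address(n["ip"])
        if ip in seen:
            problems.append(f"duplicate node address {ip}")
        seen.add(ip)
        if ip not in net:
            problems.append(f"node {ip} is outside the cluster subnet {net}")
        if n.get("latency_ms", 0) > MAX_LATENCY_MS:
            problems.append(f"node {ip}: {n['latency_ms']} ms latency exceeds {MAX_LATENCY_MS} ms")
    return problems


def cluster_commands(name, interface, nodes, dns_service=True):
    """Build the configuration-mode lines per role: the controller entry lists
    every worker in worker-list and sets the DNS service advertisement; a worker
    only needs the cluster name, the shared interface and its mode."""
    workers = [n["ip"] for n in nodes if n["role"] == "worker"]
    base = [
        f"set deviceconfig cluster cluster-name {name}",
        f"set deviceconfig cluster interface {interface}",
    ]
    controller = base + [
        "set deviceconfig cluster mode controller service-advertisement "
        f"dns-service enabled {'yes' if dns_service else 'no'}"
    ] + [f"set deviceconfig cluster mode controller worker-list {ip}" for ip in workers]
    worker = base + ["set deviceconfig cluster mode worker"]
    return {"controller": controller, "worker": worker}


if __name__ == "__main__":
    for problem in validate_cluster("wfcluster1", "eth2", SAMPLE_NODES, "10.10.1.0/24"):
        print("violation:", problem)
    for role, lines in cluster_commands("wfcluster1", "eth2", SAMPLE_NODES).items():
        print(f"# {role} node")
        print("\n".join(lines))
```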
set deviceconfig high-availability
Description
Configure WildFire appliance cluster high availability (HA) settings.
Hierarchy Location
set deviceconfig
Syntax
high-availability {
enabled {no | yes};
election-option {
preemptive {no | yes};
priority {primary | secondary};
timers {
advanced {heartbeat-interval <value> | hello-interval <value> | preemption-hold-time <value> | promotion-hold-time <value>}
aggressive;
recommended;
}
}
interface {
ha1 {
peer-ip-address <ip-address>;
port {eth2 | eth3 | management};
encryption enabled {no | yes};
}
ha1-backup {
peer-ip-address <ip-address>;
port {eth2 | eth3 | management};
}
}
}
Options
+ enabled Enable HA on both controller nodes to provide fault tolerance for the cluster. Each WildFire appliance cluster should have two controller nodes configured as an HA pair.
> election-option Configure the preemptive, priority, and timer HA option values.
+ preemptive Election option to enable the passive HA peer (the controller backup node) to preempt the active HA peer (the primary controller node) based on the HA priority setting. For example, if the primary controller node goes down, the secondary (passive) controller node takes over cluster control. When the primary controller node comes back up, if you do not configure preemption, the secondary controller continues to control the cluster and the primary controller acts as the controller backup node. However, if you configure preemption on both HA peers, then when the primary controller comes back up, it preempts the secondary controller by taking back control of the cluster. The secondary controller resumes its former role as the controller backup node. You must configure the preemptive setting on both of the HA peers for preemption to work.
+ priority Election option to configure the preemption priority of each controller in the HA pair. Configure preemption on both members of the HA controller pair.
> timers Configure the timers for HA election options. The WildFire appliance provides two preconfigured timer options (aggressive and recommended settings), or you can configure each timer individually. The advanced timers enable you to configure values individually:
The heartbeat-interval sets the time in milliseconds to send heartbeat pings. The range of values is 1000 to 60,000 ms, with a default value of 2000 ms.
The hello-interval sets the time in milliseconds to send Hello messages. The range of values is 8000 to 60,000 ms, with a default value of 8000 ms.
The preemption-hold-time sets the time in minutes to remain in passive (controller backup) mode before preempting the active (primary) controller node. The range of values is 1 to 60 minutes, with a default value of 1 minute.
The promotion-hold-time sets the time in milliseconds to change state from passive (controller backup) to active (primary) state. The range of values is 0 to 60,000 ms, with a default value of 2000 ms.
> interface Configure HA interface settings for the primary (ha1) and backup (ha1-backup) control link interfaces. The control link interfaces enable the HA controller pair to remain synchronized and prepared to fail over in case the primary controller node goes down. Configuring both the ha1 interface and the ha1-backup interface provides redundant connectivity between controllers in case of a link failure. Set:
The peer-ip-address. For each interface, configure the IP address of the HA peer. The ha1 interface peer is the ha1 interface IP address on the other controller node in the HA pair. The ha1-backup interface peer is the ha1-backup interface IP address on the other controller node in the HA pair.
The port. On each controller node, configure the port to use for the ha1 interface and the port to use for the ha1-backup interface. You can use eth2, eth3, or the management port (eth0) for the HA control link interfaces. You cannot use the Analysis Environment Network interface (eth1) as an ha1 or ha1-backup control link interface. Use the same interface on both HA peers as the ha1 interface, and use the same interface (but not the ha1 interface) on both HA peers as the ha1-backup interface. For example, configure eth3 as the ha1 interface on both controller nodes and configure the management interface as the ha1-backup interface on both controller nodes.
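The timer ranges and control-link rules above are easy to get subtly wrong on one of the two peers. The following Python example, added here and not code from the guide or from Palo Alto Networks, checks a pair of controller settings against those rules before they are committed. The node dictionary shape, the constructed GOOD_A, GOOD_B and BAD_B samples, and the function names validate_timers and validate_peer_pair are this example's own; the ranges, allowed ports and pairing rules come from the option descriptions above.

```python
"""Check WildFire cluster HA settings against the documented constraints."""

# Documented ranges: (minimum, maximum, default). Values are milliseconds
# except preemption-hold-time, which is in minutes.
TIMER_RANGES = {
    "heartbeat-interval": (1000, 60000, 2000),
    "hello-interval": (8000, 60000, 8000),
    "preemption-hold-time": (1, 60, 1),
    "promotion-hold-time": (0, 60000, 2000),
}

# Ports allowed for the ha1 and ha1-backup control links; eth1 (the Analysis
# Environment Network interface) must not be used.
ALLOWED_HA_PORTS = {"eth2", "eth3", "management"}


def validate_timers(timers):
    """Return problems found in an 'advanced' timer mapping such as
    {"heartbeat-interval": 2000}. Timers not given keep their defaults."""
    problems = []
    for name, value in timers.items():
        if name not in TIMER_RANGES:
            problems.append(f"unknown timer {name}")
            continue
        low, high, _default = TIMER_RANGES[name]
        if not low <= value <= high:
            problems.append(f"{name}={value} outside {low}-{high}")
    return problems


def validate_peer_pair(node_a, node_b):
    """Check both HA peers together. Each node is a dict of this example's
    own shape: priority, preemptive, and the port of ha1 / ha1-backup."""
    problems = []
    for label, node in (("A", node_a), ("B", node_b)):
        ha1 = node["ha1"]["port"]
        backup = node.get("ha1-backup", {}).get("port")
        if ha1 not in ALLOWED_HA_PORTS:
            problems.append(f"{label}: ha1 port {ha1} not allowed")
        if backup is not None:
            if backup not in ALLOWED_HA_PORTS:
                problems.append(f"{label}: ha1-backup port {backup} not allowed")
            if backup == ha1:
                problems.append(f"{label}: ha1-backup must not reuse the ha1 port")
    # The same port must serve ha1 on both peers, likewise for ha1-backup.
    if node_a["ha1"]["port"] != node_b["ha1"]["port"]:
        problems.append("ha1 port differs between peers")
    if node_a.get("ha1-backup", {}).get("port") != node_b.get("ha1-backup", {}).get("port"):
        problems.append("ha1-backup port differs between peers")
    # Preemption only works when it is configured on both peers.
    if node_a["preemptive"] != node_b["preemptive"]:
        problems.append("preemptive is set on only one peer; preemption will not work")
    if {node_a["priority"], node_b["priority"]} != {"primary", "secondary"}:
        problems.append("the pair needs one primary and one secondary priority")
    return problems


# Constructed sample pair mirroring the eth3 / management example in the text.
GOOD_A = {"priority": "primary", "preemptive": True,
          "ha1": {"port": "eth3"}, "ha1-backup": {"port": "management"}}
GOOD_B = {"priority": "secondary", "preemptive": True,
          "ha1": {"port": "eth3"}, "ha1-backup": {"port": "management"}}
# Constructed misconfigured peer: eth1 for both links and preemption unset.
BAD_B = {"priority": "secondary", "preemptive": False,
         "ha1": {"port": "eth1"}, "ha1-backup": {"port": "eth1"}}

if __name__ == "__main__":
    for problem in validate_peer_pair(GOOD_A, BAD_B) + validate_timers({"hello-interval": 500}):
        print("problem:", problem)
```

Run against GOOD_A and BAD_B the checker reports six problems (both links on eth1, the backup reusing the ha1 port, both ports differing from the peer, and preemption set on only one side); against GOOD_A and GOOD_B it reports none.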
Sample Output
}
ha1-backup {
peer-ip-address 10.10.10.160;
port management
}
}
}
Required Privilege Level
superuser, deviceadmin
set deviceconfig setting management
Description
Configure administrative management session settings on the WildFire appliance. You can configure timeouts to end administrative sessions if they are idle too long and how many login retries (failed login attempts) it takes to lock out an administrator.
Hierarchy Location
Syntax
management {
idle-timeout {0 | <value>}
admin-lockout {
failed-attempts <value>
lockout-time <value>
}
}
Options
+ idle-timeout Default administrative session idle timeout in minutes. Configure an idle timeout from 1 to 1440 minutes, or set the timeout value to 0 (zero) to never time out the session.
> admin-lockout Configure the number of failed-attempts to log in to the appliance before the administrator is locked out of the system (0 to 10), and the lockout-time in minutes (0 to 60) to lock out an administrator if the administrator crosses the failed-attempts threshold.
Sample Output
management {
idle-timeout 0;
admin-lockout {
failed-attempts 3;
lockout-time 5;
}
}
set deviceconfig setting wildfire
Description
Configure WildFire settings on the WildFire appliance. You can configure forwarding of malicious files, define the cloud server that receives malware-infected files, and enable or disable the vm interface.
Hierarchy Location
Syntax
wildfire {
active-vm {vm-1 | vm-2 | vm-3 | vm-4 | vm-5 | <value>};
cloud-server <value>;
custom-dns-name <value>;
preferred-analysis-environment {Documents | Executables | default};
vm-network-enable {no | yes};
vm-network-use-tor {enable | disable};
cloud-intelligence {
cloud-query {no | yes};
submit-diagnostics {no | yes};
submit-report {no | yes};
submit-sample {no | yes};
}
file-retention {
malicious {indefinite | <1-2000>};
non-malicious <1-90>
}
signature-generation {
av {no | yes};
dns {no | yes};
url {no | yes};
}
}
Options
+ active-vm Select the virtual machine environment that WildFire will use for sample analysis. Each vm has a different configuration, such as Windows XP, a specific version of Flash, Adobe Reader, etc. To view which VM is selected, run the following command: show wildfire status and view the Selected VM field. To view the VM environment information, run the following command: show wildfire vm-images.
+ cloud-server Hostname for the cloud server that the appliance will forward malicious samples/reports to for reanalysis. The default cloud server is wildfire-public-cloud. To configure forwarding, use the following command: set deviceconfig setting wildfire cloud-intelligence.
+ custom-dns-name Configure a custom DNS name to use in server certificates and the WildFire server list instead of the default DNS name wfpc.service.<clustername>.<domain>.
+ preferred-analysis-environment Allocate the majority of the resources to document analysis or to executable analysis, depending on the type of samples most often analyzed in your environment. The default allocation balances resources between document and executable samples. For example, to allocate the majority of the analysis resources to documents: set deviceconfig setting wildfire preferred-analysis-environment Documents.
+ vm-network-enable Enable or disable the vm network. When enabled, sample files running in the virtual machine sandbox can access the Internet. This helps WildFire better analyze the behavior of the malware to look for things like phone-home activity.
+ vm-network-use-tor Enable or disable the Tor network for the vm interface. When this option is enabled, any malicious traffic coming from the sandbox systems on the WildFire appliance during sample analysis is sent through the Tor network. The Tor network will mask your public-facing IP address, so the owners of the malicious site cannot determine the source of the traffic.
> cloud-intelligence Configure the appliance to submit WildFire diagnostics, reports or samples to the Palo Alto Networks WildFire cloud, or to automatically query the public WildFire cloud before performing local analysis to conserve WildFire appliance resources. The submit-report option sends reports for malicious samples to the cloud for statistical gathering. The submit-sample option sends malicious samples to the cloud. If submit-sample is enabled, you don't need to enable submit-report because the cloud reanalyzes the sample and a new report and signature is generated if the sample is malicious.
> file-retention Configure how long to save malicious (malware and phishing) samples and non-malicious (grayware and benign) samples. The default for malicious samples is indefinite (never delete). The default for non-malicious samples is 14 days. For example, to retain non-malicious samples for 30 days: set deviceconfig setting wildfire file-retention non-malicious 30.
> signature-generation Enable the appliance to generate signatures locally, eliminating the need to send any data to the public cloud in order to block malicious content. The WildFire appliance will analyze files forwarded to it from Palo Alto Networks firewalls or from the WildFire API and generate antivirus and DNS signatures that block both the malicious files as well as associated command-and-control traffic. When the appliance detects a malicious URL, it sends the URL to PAN-DB and PAN-DB assigns it the malware category.
Sample Output
The following shows an example output of the WildFire settings.
admin@WF-500# show deviceconfig setting wildfire
wildfire {
signature-generation {
av yes;
dns yes;
url yes;
}
cloud-intelligence {
submit-report no;
submit-sample yes;
submit-diagnostics yes;
cloud-query yes;
}
file-retention {
non-malicious 30;
malicious 1000;
}
active-vm vm-5;
cloud-server wildfire-public-cloud;
vm-network-enable yes;
}
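The management session settings and the WildFire settings above decide how long an idle administrator session survives, when failed logins lock an account, and what leaves the appliance for the public cloud. The following Python example, added here and not code from the guide or from Palo Alto Networks, parses the brace-style output of show deviceconfig setting management and show deviceconfig setting wildfire and lists the settings a reviewer would want to confirm on purpose. The parser and the function names parse_brace_config, lint_management, lint_wildfire and lint_samples are this example's own; the two sample listings are constructed copies of the Sample Output sections above, and the reading of failed-attempts 0 as "no lockout" is this example's assumption.

```python
"""Parse 'show deviceconfig setting ...' output into nested dicts and report
settings worth a second look. Added example; findings follow the option
descriptions above, not a Palo Alto Networks recommendation."""


def parse_brace_config(text):
    """Turn 'name {' / 'key value;' / '}' lines into nested dicts.
    Prompt lines (admin@...) are skipped; values stay strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("admin@"):
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        else:
            key, _, value = line.rstrip(";").partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def lint_management(mgmt):
    """Findings for the 'management' stanza (idle-timeout, admin-lockout)."""
    findings = []
    if mgmt.get("idle-timeout") == "0":
        findings.append("idle-timeout 0: administrative sessions never time out")
    lockout = mgmt.get("admin-lockout", {})
    # Assumption made by this example: a value of 0 means no lockout is applied.
    if lockout.get("failed-attempts", "0") == "0":
        findings.append("failed-attempts 0: failed logins never lock an administrator out")
    elif lockout.get("lockout-time", "0") == "0":
        findings.append("lockout-time 0: the lockout lasts zero minutes")
    return findings


def lint_wildfire(wf):
    """Findings for the 'wildfire' stanza: what leaves the appliance, and how."""
    findings = []
    cloud = wf.get("cloud-intelligence", {})
    if cloud.get("cloud-query") == "yes":
        findings.append("cloud-query yes: the public WildFire cloud is queried before local analysis")
    if cloud.get("submit-sample") == "yes":
        findings.append("submit-sample yes: malicious samples are sent to the WildFire cloud")
    elif cloud.get("submit-report") == "yes":
        findings.append("submit-report yes: reports for malicious samples are sent to the WildFire cloud")
    if wf.get("vm-network-enable") == "yes":
        findings.append("vm-network-enable yes: sandboxed samples can reach the Internet; "
                        "the vm interface needs an isolated connection")
        if wf.get("vm-network-use-tor") != "enable":
            findings.append("vm-network-use-tor not enabled: sandbox traffic carries "
                            "the appliance's public-facing IP address")
    malicious = wf.get("file-retention", {}).get("malicious", "indefinite")
    if malicious != "indefinite":
        findings.append(f"file-retention malicious {malicious}: malicious samples are "
                        "deleted after that many days instead of kept indefinitely")
    return findings


# Constructed samples in the shape of the two Sample Output listings above.
SAMPLE_MANAGEMENT = """
management {
  idle-timeout 0;
  admin-lockout {
    failed-attempts 3;
    lockout-time 5;
  }
}
"""
SAMPLE_WILDFIRE = """
admin@WF-500# show deviceconfig setting wildfire
wildfire {
  cloud-intelligence {
    submit-report no;
    submit-sample yes;
    submit-diagnostics yes;
    cloud-query yes;
  }
  file-retention {
    non-malicious 30;
    malicious 1000;
  }
  active-vm vm-5;
  cloud-server wildfire-public-cloud;
  vm-network-enable yes;
}
"""


def lint_samples():
    """Run both linters over the constructed samples."""
    mgmt = parse_brace_config(SAMPLE_MANAGEMENT)["management"]
    wf = parse_brace_config(SAMPLE_WILDFIRE)["wildfire"]
    return lint_management(mgmt) + lint_wildfire(wf)
```

On the constructed samples lint_samples reports six findings: the idle timeout of 0, the cloud query and sample submission, the Internet-connected sandbox without Tor, and the 1000-day retention of malicious samples. None of these is necessarily wrong; the point is that each one is visible in a review rather than discovered later.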
set deviceconfig system
Required Privilege Level
superuser, deviceadmin
set deviceconfig system eth2
Description
Configure the eth2 interface.
Hierarchy Location
Syntax
eth2 {
default-gateway <ip-address>;
ip-address <ip-address>;
mtu <value>;
netmask <ip-netmask>;
speed-duplex {100Mbps-full-duplex | 100Mbps-half-duplex | 10Mbps-full-duplex |
10Mbps-half-duplex | 1Gbps-full-duplex | 1Gbps-half-duplex | auto-negotiate};
permitted-ip <ip-address/netmask>;
service disable-icmp {no | yes};
}
Options
+ default-gateway IP address of the default gateway for the eth2 interface.
+ ip-address IP address for the eth2 interface.
+ mtu Maximum Transmission Unit (MTU) for the eth2 interface.
+ netmask Netmask for the eth2 interface.
+ speed-duplex Interface speed (10Mbps, 100Mbps, 1Gbps, or auto-negotiate) and duplex mode (full or half) for the eth2 interface.
> permitted-ip IP addresses allowed to access the eth2 interface. If you specify a netmask with the IP address, the netmask must be in slash notation. For example, to specify a Class C address, enter: 10.10.10.100/24 (not 10.10.10.100 255.255.255.0).
> service disable-icmp Disable ICMP for the eth2 interface.
Sample Output
Required Privilege Level
superuser, deviceadmin
set deviceconfig system eth3
Description
Configure the eth3 interface.
Hierarchy Location
Syntax
eth3 {
default-gateway <ip-address>;
ip-address <ip-address>;
mtu <value>;
netmask <ip-netmask>;
speed-duplex {100Mbps-full-duplex | 100Mbps-half-duplex | 10Mbps-full-duplex |
10Mbps-half-duplex | 1Gbps-full-duplex | 1Gbps-half-duplex | auto-negotiate};
permitted-ip <ip-address/netmask>;
service disable-icmp {no | yes};
}
Options
+ default-gateway IP address of the default gateway for the eth3 interface.
+ ip-address IP address for the eth3 interface.
+ mtu Maximum Transmission Unit (MTU) for the eth3 interface.
+ netmask Netmask for the eth3 interface.
+ speed-duplex Interface speed (10Mbps, 100Mbps, 1Gbps, or auto-negotiate) and duplex mode (full or half) for the eth3 interface.
> permitted-ip IP addresses allowed to access the eth3 interface. If you specify a netmask with the IP address, the netmask must be in slash notation. For example, to specify a Class C address, enter: 10.10.10.100/24 (not 10.10.10.100 255.255.255.0).
> service disable-icmp Disable ICMP for the eth3 interface.
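The permitted-ip option on eth2 and eth3 (the two sections above) only accepts slash notation, so a netmask copied from another device in dotted form is rejected. The following Python example, added here and not code from the guide or from Palo Alto Networks, normalizes permitted-ip entries into the required form and validates them before they are typed in. The function names normalize_permitted_ip and permitted_ip_commands are this example's own; the command form it emits follows the set deviceconfig system ethN hierarchy shown in the Syntax blocks.

```python
"""Normalize permitted-ip entries for the eth2 / eth3 interfaces into the
slash notation the CLI requires. Added example, not from the guide."""
import ipaddress


def normalize_permitted_ip(entry):
    """Return the entry as 'address/prefix', or a bare address unchanged.

    A dotted netmask given after a space (the form the CLI rejects) is
    converted; anything that is not a valid IPv4 address or mask raises
    ValueError so it never reaches the appliance."""
    parts = entry.split()
    if len(parts) == 2:
        address, mask = parts
        # ipaddress accepts a dotted netmask after the slash and validates it.
        network = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
        return f"{address}/{network.prefixlen}"
    if len(parts) != 1:
        raise ValueError(f"cannot parse permitted-ip entry {entry!r}")
    if "/" in entry:
        ipaddress.IPv4Network(entry, strict=False)  # validates address and prefix
        return entry
    ipaddress.IPv4Address(entry)  # bare host address, accepted as written
    return entry


def permitted_ip_commands(interface, entries):
    """Build the configuration-mode commands for one interface, following
    the 'set deviceconfig system ethN' hierarchy shown in the Syntax blocks."""
    if interface not in ("eth2", "eth3"):
        raise ValueError("permitted-ip is documented here for eth2 and eth3 only")
    return [f"set deviceconfig system {interface} permitted-ip {normalize_permitted_ip(e)}"
            for e in entries]
```

The conversion relies on the standard library's ipaddress module, which refuses non-contiguous masks, so a typo such as 255.0.255.0 is caught at the same point as a space-separated mask.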
Sample Output
Required Privilege Level
superuser, deviceadmin
set deviceconfig system panorama-server
Description
Configure the primary Panorama server for managing the WildFire appliance or appliance cluster.
Hierarchy Location
Syntax
Options
+ panorama-server Configure the IP address or the fully qualified domain name (FQDN) of the primary Panorama server you will use to manage the WildFire appliance or appliance cluster.
Sample Output
The output is truncated to show only the output stanza that displays the Panorama server settings.
admin@wf-500(active-controller)# show deviceconfig system
system {
panorama-server 10.10.10.100;
panorama-server-2 10.10.10.110;
hostname myhost;
ip-address 10.10.20.120;
netmask 255.255.255.0;
default-gateway 10.10.10.1;
update-server updates.paloaltonetworks.com;
service {
disable-icmp no;
disable-ssh no;
disable-snmp yes;
}
...
Required Privilege Level
superuser, deviceadmin
set deviceconfig system panorama-server-2
Description
Configure the backup Panorama server for managing the WildFire appliance or appliance cluster. Configuring a backup Panorama server provides high availability for cluster or individual appliance management.
Hierarchy Location
Syntax
Options
+ panorama-server-2 Configure the IP address or the fully qualified domain name (FQDN) of the backup Panorama server you will use to manage the WildFire appliance or appliance cluster.
Sample Output
The output is truncated to show only the output stanza that displays the Panorama server settings.
admin@wf-500(active-controller)# show deviceconfig system
system {
panorama-server 10.10.10.100;
panorama-server-2 10.10.10.110;
hostname myhost;
ip-address 10.10.20.120;
netmask 255.255.255.0;
default-gateway 10.10.10.1;
update-server updates.paloaltonetworks.com;
service {
disable-icmp no;
disable-ssh no;
disable-snmp yes;
}
...
Required Privilege Level
superuser, deviceadmin
set deviceconfig system update-schedule
Description
Schedule content updates on a WildFire appliance. These content updates equip the appliance with the most up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate the malicious from the benign.
Hierarchy Location
Syntax
wf-content recurring {
daily at <value> action {download-and-install | download-only};
weekly {
action {download-and-install | download-only};
at <value>;
day-of-week {friday | monday | saturday | sunday | thursday | tuesday | wednesday};
}
}
Options
> wf-content WildFire content updates.
> daily Schedule update every day.
+ action Specify the action to take. You can schedule the appliance to download and install the update or download only and then you install manually.
+ at Time specification hh:mm (e.g. 20:10).
> hourly Schedule update every hour.
+ action Specify the action to take. You can schedule the appliance to download and install the update or download only and then you install manually.
+ at Minutes past the hour.
> weekly Schedule update once a week.
+ action Specify the action to take. You can schedule the appliance to download and install the update or download only and then you install manually.
+ at Time specification hh:mm (e.g. 20:10).
+ day-of-week Day of the week (Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday).
Sample Output
admin@WF-500# show
update-schedule {
wf-content {
recurring {
weekly {
at 19:00;
action download-and-install;
day-of-week friday;
}
}
}
}
Required Privilege Level
superuser, deviceadmin
set deviceconfig system vm-interface
Description
The vm interface is used by malware running on the WildFire appliance virtual machine sandbox to access the Internet. Activating this port is recommended and will help WildFire better identify malicious activity if the malware accesses the Internet for phone-home or other activity. It is important that this interface has an isolated connection to the Internet. For more information, see Set Up the WildFire Appliance VM Interface.
After configuring the vm interface, enable it by running the following command:
set deviceconfig setting wildfire vm-network-enable yes
Hierarchy Location
Syntax
set vm-interface {
default-gateway <ip_address>;
dns-server <ip_address>;
ip-address <ip_address>;
link-state;
mtu;
netmask <ip_address>;
speed-duplex;
}
Options
Sample Output
The following shows a configured vm interface.
vm-interface {
ip-address 10.16.0.20;
netmask 255.255.252.0;
default-gateway 10.16.0.1;
dns-server 10.0.0.246;
}
Required Privilege Level
superuser, deviceadmin
WildFire Appliance Operational Mode Command Reference
This section contains command reference information for the following Operational mode commands that are specific to the WildFire appliance software. All other commands that are part of the WildFire appliance software are identical to PAN-OS; refer to the PAN-OS 8.0 CLI Quick Start for information on those commands.
clear high-availability
create wildfire api-key
delete high-availability-key
delete wildfire api-key
delete wildfire-metadata
disable wildfire
edit wildfire api-key
load wildfire api-key
request cluster decommission
request cluster reboot-local-node
request high-availability state
request high-availability sync-to-remote
request system raid
request wildfire sample redistribution
request system wildfire-vm-image
request wf-content
save wildfire api-key
set wildfire portal-admin
show cluster all-peers
show cluster controller
show cluster membership
show cluster task
show high-availability all
show high-availability control-link
show high-availability state
show high-availability transitions
show system raid
show wildfire
show wildfire global
show wildfire local
submit wildfire local-verdict-change
test wildfire registration
clear high-availability
Description
Clear high availability (HA) control link statistics information and transitions statistics on the controller node of a WildFire appliance cluster.
Syntax
clear {
high-availability {
control-link {
statistics;
}
transitions;
}
}
Options
Sample Output
After you clear control link or transition statistics, the WildFire cluster resets all values to zero (0).
admin@wf-500(active-controller)> show high-availability control-link statistics
High-Availability:
Control Link Statistics:
HA1:
Messages-TX : 0
Messages-RX : 0
Capability-Msg-TX : 0
Capability-Msg-RX : 0
Error-Msg-TX : 0
Error-Msg-RX : 0
Preempt-Msg-TX : 0
Preempt-Msg-RX : 0
Preempt-Ack-Msg-TX : 0
Preempt-Ack-Msg-RX : 0
Primary-Msg-TX : 0
Primary-Msg-RX : 0
Primary-Ack-Msg-TX : 0
Primary-Ack-Msg-RX : 0
Hello-Msg-TX : 0
Hello-Msg-RX : 0
Hello-Timeouts : 0
Hello-Failures : 0
MasterKey-Msg-TX : 0
MasterKey-Msg-RX : 0
MasterKey-Ack-Msg-TX : 0
MasterKey-Ack-Msg-RX : 0
Connection-Failures : 0
Connection-Tries-Failures : 0
Connection-Listener-Tries : 0
Connection-Active-Tries : 0
Ping-TX : 0
Ping-Fail-TX : 0
Ping-RX : 0
Ping-Timeouts : 0
Ping-Failures : 0
Ping-Error-Msgs : 0
Ping-Other-Msgs : 0
Ping-Last-Rsp : 0
Required Privilege Level
superuser, deviceadmin
create wildfire api-key
Description
Generate API keys on a WildFire appliance that you will use on an external system to submit samples to the appliance, query reports, or retrieve samples and Packet Captures (PCAPs) from the appliance.
Syntax
create {
wildfire {
api-key {
key <value>;
name <value>;
}
}
}
Options
+ key Create an API key by manually entering a key value. The value must be 64 alpha
characters (a-z) or numbers (0-9). If you do not specify the key option, the appliance
generates a key automatically.
+ name Optionally enter a name for the API key. An API key name is simply used to
label the keys to make it easier to identify keys assigned for specific uses and has no
impact on the functionality of the key.
Sample Output
The following output shows that the appliance has three API keys and one key is named my-api-key.
admin@WF-500> show wildfire global api-keys all
+-----------------------------------------------------------------+------------+
| Apikey | Name |
+-----------------------------------------------------------------+------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62| my-api-key |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F| |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C| |
+-----------------------------------------------------------------+------------+
+---------+---------------------+---------------------+
| Status | Create Time | Last Used Time |
+---------+---------------------+---------------------+
| Enabled | 2017-03-02 19:14:36 | 2017-03-02 19:14:36 |
| Enabled | 2016-02-06 12:13:22 | 2017-03-01 12:10:20 |
| Enabled | 2014-08-04 17:00:42 | 2017-03-01 11:12:52 |
+---------+---------------------+---------------------+
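Because a WildFire API key gives an external system the ability to submit samples and pull reports and PCAPs, the key listing above is worth reviewing regularly, not just when a key is created. The following Python example, added here and not code from the guide or from Palo Alto Networks, parses the two tables that show wildfire global api-keys all prints, joins them row by row, and flags keys that are malformed, unnamed, or enabled but unused for a long time. The function names parse_api_key_tables, review_api_keys and review_sample are this example's own, the 90-day idle threshold is an arbitrary choice, and the sample listing is constructed in the layout above with placeholder key values.

```python
"""Parse 'show wildfire global api-keys all' output and flag keys that need
attention. Added example, not code from the guide or the product."""
import re
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"
# The guide states that a key is 64 characters of letters and digits.
KEY_RE = re.compile(r"^[A-Za-z0-9]{64}$")


def parse_api_key_tables(text):
    """Join the two tables the command prints (key/name, then
    status/create/last-used) row by row into a list of dicts."""
    cells = [[c.strip() for c in line.strip().strip("|").split("|")]
             for line in text.splitlines() if line.strip().startswith("|")]
    key_rows = [c for c in cells if len(c) == 2 and c[0] != "Apikey"]
    status_rows = [c for c in cells if len(c) == 3 and c[0] != "Status"]
    if len(key_rows) != len(status_rows):
        raise ValueError("the two tables do not line up")
    return [
        {"key": key, "name": name, "status": status,
         "created": datetime.strptime(created, TIME_FMT),
         "last_used": datetime.strptime(last_used, TIME_FMT)}
        for (key, name), (status, created, last_used) in zip(key_rows, status_rows)
    ]


def review_api_keys(keys, now, max_idle_days=90):
    """Flag malformed, unnamed, or long-unused enabled keys."""
    findings = []
    for k in keys:
        label = k["name"] or k["key"][:8] + "..."
        if not KEY_RE.match(k["key"]):
            findings.append(f"{label}: key is not 64 letters/digits")
        if not k["name"]:
            findings.append(f"{label}: unnamed key, its purpose cannot be identified")
        idle = now - k["last_used"]
        if k["status"] == "Enabled" and idle > timedelta(days=max_idle_days):
            findings.append(f"{label}: enabled but unused for {idle.days} days")
    return findings


# Constructed sample in the layout shown above; the key values are placeholders.
K1 = "0123456789ABCDEF" * 4
K2 = "FEDCBA9876543210" * 4
K3 = "1111222233334444" * 4
SAMPLE_OUTPUT = f"""\
+------------------------------------------------------------------+------------+
| Apikey                                                           | Name       |
+------------------------------------------------------------------+------------+
| {K1} | my-api-key |
| {K2} |            |
| {K3} |            |
+------------------------------------------------------------------+------------+
+---------+---------------------+---------------------+
| Status  | Create Time         | Last Used Time      |
+---------+---------------------+---------------------+
| Enabled | 2017-03-02 19:14:36 | 2017-03-02 19:14:36 |
| Enabled | 2016-02-06 12:13:22 | 2017-03-01 12:10:20 |
| Enabled | 2014-08-04 17:00:42 | 2016-11-01 12:00:00 |
+---------+---------------------+---------------------+
"""
REVIEW_AS_OF = datetime(2017, 3, 2, 19, 14, 36)  # constructed "now" for the sample


def review_sample():
    """Parse and review the constructed sample as of REVIEW_AS_OF."""
    return review_api_keys(parse_api_key_tables(SAMPLE_OUTPUT), REVIEW_AS_OF)
```

For the constructed sample the review returns three findings: the second and third keys carry no name, and the third has been enabled but unused for 121 days. A key that no system has used for months is a candidate for delete wildfire api-key, or for disabling with edit wildfire api-key status until its owner is found.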
Required Privilege Level
superuser, deviceadmin
delete high-availability-key
Description
Delete the peer encryption key used for high availability (HA) on the cluster control links of a WildFire appliance cluster's controller node.
Syntax
delete {
high-availability-key;
}
Options
No additional options.
Sample Output
The highlighted line in the output shows that encryption isn't enabled on the HA control links.
admin@wf-500(active-controller)> show high-availability state
High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: primary
Preemptive: no
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.20.112/24
Management IPv6 Address:
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized
Required Privilege Level
superuser, deviceadmin
delete wildfire api-key
Description
Delete an API key from the WildFire appliance. Systems configured to use the API to perform API functions on the appliance will no longer be able to access the appliance after you delete the key.
Syntax
delete {
wildfire {
api-key {
key <value>;
}
}
}
Options
Sample Output
Required Privilege Level
superuser, deviceadmin
delete wildfire-metadata
Description
Delete content updates on the WildFire appliance. For more information on content updates and how to install them, see request wf-content.
Syntax
delete {
wildfire-metadata update <value>;
}
Options
Sample Output
The output that follows shows the deletion of an update named panup-all-wfmeta-2-181.candidate.tgz.
admin@WF-500> delete wildfire-metadata update panup-all-wfmeta-2-181.candidate.tgz
successfully removed panup-all-wfmeta-2-181.candidate.tgz
Required Privilege Level
superuser, deviceadmin
disable wildfire
Description
Disables the domain signature or sample signature so that it is excluded from the next WildFire content package release.
Syntax
disable wildfire {
domain-signature {
domain <value>;
}
OR...
sample-signature {
sha256 {
equal <value>;
}
}
}
Options
Sample Output
A successfully disabled sample or domain does not display any output.
admin@WF-500> disable wildfire sample-signature sha256 equal
d1378bda0672de58d95f3bff3cb42385f2d806a4a15b89cdecfedbdb1ec08228
Required Privilege Level
superuser, deviceadmin
edit wildfire api-key
Description
Modify an API key name or the key status (enabled/disabled) on a WildFire appliance.
Syntax
edit {
wildfire {
api-key [name | status] key <value>;
}
}
Options
+ name Change the name of an API key.
+ status Enable or disable an API key.
* key Specify the key to modify.
Sample Output
The key value in this command is required. For example, to change the name of a key named stu to stu-key1, enter the following command:
In the following command, you do not need to enter the old key name; only enter the new key name.
Required Privilege Level
superuser, deviceadmin
load wildfire api-key
Description
After importing API keys to the WildFire appliance, you must use the load command to make the keys available for use. Use this command to replace all existing API keys, or you can merge the keys in the import file with the existing key database.
Syntax
load {
wildfire {
api-key from <value> mode [merge | replace];
}
}
Options
* from Specify the API key file name that you want to import. The key files use the .keys file extension. For example, myapikeys.keys. To view a list of keys that are available for import, enter the following command:
admin@WF-500> load wildfire api-key from ?
+ mode Optionally enter the mode for the import (merge/replace). For example, to replace the key database on the appliance with the contents of the new key file, enter the following command:
admin@WF-500> load wildfire api-key mode replace from my-api-keys.keys
If you do not specify the mode option, the default action will merge the keys.
Required Privilege Level
superuser, deviceadmin
request cluster decommission
Description
Remove a WildFire appliance cluster node from a cluster that has three or more member nodes. Do not use this command to remove a node from a two-node cluster. Instead, Remove a Node from a Cluster Locally using the delete deviceconfig high-availability and delete deviceconfig cluster commands.
Hierarchy Location
request cluster
Syntax
request {
cluster {
decommission {
show;
start;
stop;
}
}
}
Options
+ show Display the status of the node decommission job.
+ start Begin the node decommission job.
+ stop Abort the node decommission job.
Sample Output
The Node mode field confirms that the cluster node decommission worked because the mode is stand_alone instead of controller or worker.
admin@wf-500> show cluster membership
Service Summary: wfpc signature
Cluster name:
Address: 10.10.10.86
Host name: wf-500
Node name: wfpc-009707000xxx-internal
Serial number: 009707000xxx
Node mode: stand_alone
Server role: True
HA priority:
Last changed: Wed, 15 Feb 2017 00:05:11 -0800
Services: wfcore signature wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
wildfire-apps-service: Ready
global-db-service: ReadyStandalone
global-queue-service: ReadyStandalone
local-db-service: ReadyMaster
Required Privilege Level
superuser, deviceadmin
request cluster reboot-local-node
Description
Gracefully reboot the local WildFire cluster node.
Hierarchy Location
request cluster
Syntax
request {
cluster {
reboot-local-node;
}
}
Options
No additional options.
Sample Output
You can verify that the local cluster node has rebooted or is in the process of rebooting in several ways:
show cluster task local displays tasks requested on the local node.
show cluster task current displays currently running tasks on the local node or the last completed task (controller nodes only).
show cluster task pending displays tasks that are queued but have not run yet on the local node (controller nodes only).
show cluster task history displays tasks that have been run on the local node (controller nodes only).
For example, the following command shows that two cluster node reboot tasks have completed successfully:
admin@qa15(passive-controller)> show cluster task history
Required Privilege Level
superuser, deviceadmin
request high-availability state
Description
On a WildFire appliance cluster, make the high availability (HA) state of the local controller node or of the peer controller node functional.
Hierarchy Location
request high-availability
Syntax
request {
high-availability {
state {
functional;
}
peer {
functional;
}
}
}
Options
> functional Make the HA state of the local controller node functional.
> peer Make the HA state of the peer controller node functional.
Sample Output
The highlighted lines in the output show that the HA state of the local controller node is functional in the active (primary) controller role and that the HA state of the peer controller node is functional in the passive (backup) controller role.
admin@wf-500(active-controller)> show high-availability state
High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: primary
Preemptive: no
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.20.112/24
Management IPv6 Address:
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized
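The show high-availability state output appears twice in this reference: under delete high-availability-key, where the line to look at is Encryption Enabled, and under request high-availability state, where it is the two State lines. The following Python example, added here and not code from the guide or from Palo Alto Networks, parses that output once and reports the conditions both sections point at: control links running without encryption, a peer connection that is down, a running configuration that is not synchronized, controller roles that are not one active and one passive, and mismatched preemption or priority settings. The function names parse_ha_state and check_ha_state are this example's own, and the sample is a constructed copy of the output shown above.

```python
"""Parse 'show high-availability state' output from a WildFire cluster
controller and report the conditions the sections above call out.
Added example, not code from the guide or the product."""
import re


def _field(block, name):
    """Value of the first 'Name: value' line in a block of output, or None."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.*?)\s*$", block, re.M)
    return m.group(1) if m else None


def parse_ha_state(text):
    """Split the output into its Local and Peer halves and pull the key fields."""
    local, _, peer = text.partition("Peer Information:")

    def state(block):  # "active-controller (last 1 days)" -> "active-controller"
        return (_field(block, "State") or "unknown").split()[0]

    return {
        "local_state": state(local),
        "peer_state": state(peer),
        "encryption": _field(local, "Encryption Enabled"),
        "peer_connection": _field(peer, "Connection status"),
        "local_priority": _field(local, "Priority"),
        "peer_priority": _field(peer, "Priority"),
        "local_preemptive": _field(local, "Preemptive"),
        "peer_preemptive": _field(peer, "Preemptive"),
        "running_config": _field(peer, "Running Configuration"),
    }


def check_ha_state(info):
    """Findings a reviewer would raise about the parsed HA state."""
    findings = []
    if info["encryption"] != "yes":
        findings.append("HA1 control link encryption is not enabled")
    if info["peer_connection"] != "up":
        findings.append(f"peer connection is {info['peer_connection']}")
    if info["running_config"] != "synchronized":
        findings.append(f"running configuration is {info['running_config']}")
    roles = {info["local_state"], info["peer_state"]}
    if roles != {"active-controller", "passive-controller"}:
        findings.append(f"unexpected controller roles: {sorted(roles)}")
    if info["local_preemptive"] != info["peer_preemptive"]:
        findings.append("preemptive differs between peers; preemption will not work")
    if {info["local_priority"], info["peer_priority"]} != {"primary", "secondary"}:
        findings.append("priorities are not one primary and one secondary")
    return findings


# Constructed copy of the sample output shown above.
SAMPLE_STATE = """
High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: primary
Preemptive: no
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.20.112/24
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized
"""


def check_sample():
    """Parse and check the constructed sample."""
    return check_ha_state(parse_ha_state(SAMPLE_STATE))
```

For the sample above the only finding is the unencrypted HA1 control link, which is exactly the state the delete high-availability-key section describes: the pair is healthy and synchronized, but the configuration it exchanges over eth2, eth3 or the management port travels in the clear until an HA key is configured again.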
Required Privilege Level
superuser, deviceadmin
request high-availability sync-to-remote
Description
On a WildFire appliance cluster, synchronize the local controller node's candidate configuration or running configuration, or the local controller node's clock (time and date), to the remote high availability (HA) peer controller node.
Hierarchy Location
request high-availability
Syntax
request {
high-availability {
sync-to-remote {
candidate-config;
clock;
running-config;
}
}
}
Options
> candidate-config Synchronize the candidate configuration on the local peer controller node to the remote HA peer controller node.
> clock Synchronize the clock (time and date) on the local peer controller node to the remote HA peer controller node.
> running-config Synchronize the running configuration on the local peer controller node to the remote HA peer controller node.
Sample Output
The highlighted line in the output shows that the HA configuration state is synchronized on the HA peer controller node.
Required Privilege Level
superuser, deviceadmin
request system raid
Description
Use this option to manage the RAID pairs installed in the WildFire appliance. The WF-500 appliance ships with four drives in the first four drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and B2 are a second RAID 1 pair.
Hierarchy Location
request system
Syntax
raid {
remove <value>;
OR...
copy {
from <value>;
to <value>;
}
OR...
add {
Options
> add Add a drive into the corresponding RAID disk pair.
> copy Copy and migrate from one drive to the other drive in the bay.
> remove Drive to remove from the RAID disk pair.
Sample Output
The following output shows a WF-500 appliance with a correctly configured RAID.
admin@WF-500> show system raid
Required Privilege Level
superuser, deviceadmin
request wildfire sample redistribution
Description
Redistribute samples from the local WildFire appliance cluster node to another cluster node while optionally retaining samples on the local node.
Hierarchy Location
request wildfire
Syntax
request {
wildfire {
sample {
redistribution {
keep-local-copy {no | yes};
serial-number <value>;
}
}
}
}
Options
* keep-local-copy Keep or do not keep a copy of the redistributed samples on the local WildFire appliance node.
* serial-number Serial number of the node to which you redistribute samples.
Sample Output
Storage Nodes displays the other node to which the local node redistributes samples. If the local node is not redistributing samples, only one storage node location displays. If the local node is redistributing samples, Storage Nodes shows two storage node locations. The highlighted output shows the two storage nodes that store samples (the local node and the node to which the local node redistributes samples) and verifies that sample redistribution is occurring.
admin@WF-500> show wildfire global sample-analysis
Last Created 100 Malicious Samples
+-----------------------------------------------------------------------
| SHA256 | Finish Date | Create Date | Malicious |
+-----------------------------------------------------------------------
| <HASH VALUE> | 2017-03-02 07:50:00 | 2017-03-02 07:50:00 | Yes |
| <HASH VALUE> | 2017-03-01 22:34:25 | 2017-03-01 22:28:25 | Yes |
| <HASH VALUE> | 2017-03-02 07:16:56 | 2017-03-02 07:11:28 | Yes |
| <HASH VALUE> | 2017-03-02 07:08:48 | 2017-03-02 07:02:54 | Yes |
| <HASH VALUE> | 2017-03-02 07:08:58 | 2017-03-02 07:02:51 | Yes |
-----------------------------------------------------------------------------------------------
| Storage Nodes | Analysis Nodes | Status | File Type |
-----------------------------------------------------------------------------------------------
| 009701000026:ld2_2,009707000529:ld2_2 | qa120 | Notify Finish | Elink File |
| 009701000026:ld1_2,009701000043:ld1_2 | qa15 | Notify Finish | Java Class |
| 009701000026:ld2_2,009701000044:ld2_2 | qa16 | Notify Finish | MS Office document |
| 009701000043:ld2_2,009701000026:ld2_2 | qa14 | Notify Finish | PE32 executable |
| 009701000044:ld2_2,009701000026:ld2_2 | qa16 | Notify Finish | PE32 executable |
-----------------------------------------------------------------------------------------------
lines 1-10
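Reading the Storage Nodes column by eye works for ten rows but not for the full listing of recent samples. The following Python example, added here and not code from the guide or from Palo Alto Networks, parses the second table of show wildfire global sample-analysis and, for a given local node serial number, reports how many of its samples have a second storage node and which nodes receive them. The function names parse_storage_rows and redistribution_summary are this example's own; the sample listing is a constructed copy of the rows above plus one extra single-copy row (for serial 009701000043) added to show the negative case.

```python
"""Read the Storage Nodes column of 'show wildfire global sample-analysis'
and confirm whether a node is redistributing its samples.
Added example, not code from the guide or the product."""
import re

SERIAL_RE = re.compile(r"^\d+:\S+$")  # serial:disk, e.g. 009701000026:ld2_2


def parse_storage_rows(text):
    """Return (storage_nodes, analysis_node, status, file_type) tuples from the
    second table; each storage node is a (serial, disk) pair."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Storage Nodes":
            continue
        nodes = cells[0].split(",")
        # Rows of the first (SHA256) table also have four cells; skip them.
        if not all(SERIAL_RE.match(n) for n in nodes):
            continue
        rows.append(([tuple(n.split(":", 1)) for n in nodes], cells[1], cells[2], cells[3]))
    return rows


def redistribution_summary(text, local_serial):
    """Summarize redistribution from the point of view of local_serial:
    how many of its samples exist on only one node, and where copies go."""
    mine = [nodes for nodes, *_ in parse_storage_rows(text)
            if local_serial in {serial for serial, _disk in nodes}]
    targets = set()
    single_copy = 0
    for nodes in mine:
        others = {serial for serial, _disk in nodes} - {local_serial}
        if not others:
            single_copy += 1
        targets |= others
    return {"samples": len(mine), "single_copy": single_copy,
            "redistributing": bool(mine) and single_copy == 0,
            "targets": sorted(targets)}


# Constructed copy of the listing above, plus one extra single-copy row.
SAMPLE_OUTPUT = """
Last Created 100 Malicious Samples
+-----------------------------------------------------------------------
| SHA256 | Finish Date | Create Date | Malicious |
+-----------------------------------------------------------------------
| <HASH VALUE> | 2017-03-02 07:50:00 | 2017-03-02 07:50:00 | Yes |
| <HASH VALUE> | 2017-03-01 22:34:25 | 2017-03-01 22:28:25 | Yes |
-----------------------------------------------------------------------------------------------
| Storage Nodes | Analysis Nodes | Status | File Type |
-----------------------------------------------------------------------------------------------
| 009701000026:ld2_2,009707000529:ld2_2 | qa120 | Notify Finish | Elink File |
| 009701000026:ld1_2,009701000043:ld1_2 | qa15 | Notify Finish | Java Class |
| 009701000026:ld2_2,009701000044:ld2_2 | qa16 | Notify Finish | MS Office document |
| 009701000043:ld2_2,009701000026:ld2_2 | qa14 | Notify Finish | PE32 executable |
| 009701000044:ld2_2,009701000026:ld2_2 | qa16 | Notify Finish | PE32 executable |
| 009701000043:ld1_2 | qa15 | Notify Finish | PE32 executable |
-----------------------------------------------------------------------------------------------
lines 1-11
"""

if __name__ == "__main__":
    for serial in ("009701000026", "009701000043"):
        print(serial, redistribution_summary(SAMPLE_OUTPUT, serial))
```

For serial 009701000026 every one of its five samples has a second storage node, so redistribution is confirmed and the targets are the three other serials; for 009701000043 one of its three samples exists on a single node, which is the "only one storage node location displays" case described above.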
Required Privilege Level
superuser, deviceadmin
request system wildfire-vm-image
Description
Perform upgrades on the WildFire appliance virtual machine (VM) sandbox images used to analyze files. To retrieve new VM images from the Palo Alto Networks Update Server, you must first download the image manually, host it on an SCP-enabled server, and then retrieve the image from the appliance using the SCP client. After downloading the image to the appliance, you can then install it using this command.
Hierarchy Location
request system
Syntax
request {
system {
wildfire-vm-image {
upgrade install file <value>;
}
}
}
Options
> wildfire-vm-image Install Virtual Machine (VM) images.
Sample Output
To list available VM images, run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file ?
To install a VM image (Windows 7 64-bit in this example), run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file
WFWin7_64Base_m-1.0.0_64base
Required Privilege Level
superuser, deviceadmin
request wf-content
Description
Perform content updates on a WildFire appliance. These content updates equip the appliance with the most up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate the malicious from the benign. To schedule content updates to install automatically, see set deviceconfig system update-schedule, and to delete content updates on the WildFire appliance, see delete wildfire-metadata.
Hierarchy Location
request
Syntax
request wf-content
{
downgrade install {previous | <value>};
upgrade
{
check
download latest
info
install {
file <filename>
version latest;
}
}
}
Options
> downgrade Installs a previous content version. Use the previous option to install the previously installed content package or enter a value to downgrade to a specific content package number.
> upgrade Performs content upgrade functions.
> check Obtain information on available content packages from the Palo Alto Networks Update Server.
> download Download a content package.
> info Show information about available content packages.
> install Install a content package.
> file Specify the name of the file containing the content package.
> version Download or upgrade based on the version number of the content package.
Sample Output
To list available content updates, run the following command:
admin@WF-500> request wf-content upgrade check
RequiredPrivilegeLevel
superuser,deviceadmin
save wildfire api-key
Description
Use the save command to save all API keys on the WildFire appliance to a file. You can then export the key file for backup purposes or to modify the keys in bulk. The exported file holds the keys themselves, so store and transfer it as you would any other credential store. For details on using the WildFire API on a WildFire appliance, see the WildFire API Reference.
Hierarchy Location
save
Syntax
save {
wildfire {
api-key to <value>;
}
}
Options
* to Enter the filename for key export. For example, to export all of the API keys on the WildFire appliance to a file named my-wf-keys, enter the following command:
admin@WF-500> save wildfire api-key to my-wf-keys
Required Privilege Level
superuser, deviceadmin
set wildfire portal-admin
Description
Sets the portal-admin account password that an administrator will use to view WildFire analysis reports generated by a WildFire appliance. The account name (admin) and password are required when viewing the report on the firewall or from Panorama in Monitor > WildFire Submissions > View WildFire Report. The default username and password are admin/admin; change the default password before firewall or Panorama users are given access to reports.
The portal-admin account is the only account that you configure on the appliance to view reports from the firewall or Panorama. You cannot create new accounts or change the account name. This is not the same admin account used to manage the appliance.
Hierarchy Location
set wildfire
Syntax
set {
wildfire {
portal-admin {
password <value>;
}
}
}
Sample Output
The following shows the output of this command.
admin@WF-500> set wildfire portal-admin password
Enter password:
Confirm password:
Required Privilege Level
superuser, deviceadmin
show cluster all-peers
Description
On a WildFire appliance cluster controller node, display the status of all WildFire appliance cluster members, including the WildFire appliance mode (controller or worker), connection status, and application service status.
Hierarchy Location
show cluster
Syntax
all-peers;
Options
No additional options.
Sample Output
Diag report:
10.10.10.112: reported leader '10.10.10.112', age 0.
10.10.10.14: local node passed sanity check.
Required Privilege Level
superuser, deviceadmin
show cluster controller
Description
On a WildFire appliance cluster controller node, display the status of the WildFire appliance cluster controllers, including the cluster name and the role of the local controller node (if the Active Controller field displays True, the local controller is the primary controller; if the Active Controller field displays False, the local controller is the backup controller).
Hierarchy Location
show cluster
Syntax
controller;
Options
No additional options.
Sample Output
Required Privilege Level
superuser, deviceadmin
show cluster membership
Description
Show WildFire appliance cluster membership information for the cluster node or standalone WildFire appliance, including the IP address, hostname, WildFire appliance serial number, the appliance's role (Node mode), high availability priority, and application status.
Hierarchy Location
show cluster
Syntax
membership;
Options
No additional options.
Sample Output
You can display cluster membership information for WildFire appliance cluster node members (controller and worker nodes) and standalone WildFire appliances to check whether they belong to a cluster, their application status, and other local host information. The output differs slightly depending on the WildFire appliance's role. The differences are:
- The prompt indicates the active (primary) controller node and the passive (backup) controller node, but does not indicate a worker node or standalone role.
- The Node mode indicates if the WildFire appliance is a controller node, a worker node, or a stand_alone WildFire appliance.
- HA priority displays primary for the active controller node, secondary for the passive (backup) controller node, and the field is blank for worker nodes and standalone WildFire appliances.
- Application status fields display different values in some fields. For global-db-service and global-queue-service, cluster members display ReadyLeader or JoinedCluster, and standalone appliances display ReadyStandalone.
- For siggen-db, the primary controller node of the WildFire appliance cluster displays ReadyMaster, the secondary controller node of the WildFire appliance cluster displays ReadySlave, WildFire appliance cluster worker nodes display Ready, and standalone WildFire appliances display ReadyMaster.
The last four digits of each WildFire appliance serial number are changed to xxxx in the displays to avoid revealing real serial numbers.
Output on the primary controller node in a WildFire appliance cluster:
admin@thing1(active-controller)> show cluster membership
Service Summary: wfpc signature
Cluster name: satriani1
Address: 10.10.10.14
Host name: thing1
Node name: wfpc-00970100xxxx-internal
Serial number: 00970100xxxx
Node mode: controller
Server role: True
HA priority: primary
Last changed: Wed, 15 Feb 2017 09:12:01 -0800
Services: wfcore signature wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
wildfire-apps-service: Ready
global-db-service: JoinedCluster
global-queue-service: JoinedCluster
siggen-db: ReadyMaster
OutputonthecontrollerbackupnodeinaWildFireappliancecluster:
admin@thing2(passive-controller)> show cluster membership
Service Summary: wfpc signature
Cluster name: satriani1
Address: 10.10.10.112
Host name: thing2
Node name: wfpc-00970700xxxx-internal
Serial number: 009707000xxxx
Node mode: controller
Server role: True
HA priority: secondary
Last changed: Wed, 15 Feb 2017 09:13:10 -0800
Services: wfcore signature wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
wildfire-apps-service: Ready
global-db-service: ReadyLeader
global-queue-service: ReadyLeader
siggen-db: ReadySlave
OutputonaworkernodeinaWildFireappliancecluster:
admin@grinch> show cluster membership
Service Summary: wfpc
Cluster name: satriani1
Address: 10.10.10.19
Host name: grinch
Node name: wfpc-00970100xxxx-internal
Serial number: 00970100xxxx
Node mode: worker
Server role: True
HA priority:
Last changed: Thu, 09 Feb 2017 15:55:55 -0800
Services: wfcore wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
wildfire-apps-service: Ready
global-db-service: JoinedCluster
global-queue-service: JoinedCluster
siggen-db: Ready
OutputonastandaloneWildFireappliance(notaWildFireapplianceclustermember):
admin@max> show cluster membership
Service Summary: wfpc signature
Cluster name:
Address: 10.10.10.90
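The role-dependent values listed above are easy to misread when you are looking at four consoles at once. The following Python script is an added example, not part of the guide and not a Palo Alto Networks tool: it parses `show cluster membership` output captured from each node and cross-checks it against those rules (one active controller, at most one passive controller, a shared cluster name, and the per-role siggen-db, global-db-service and global-queue-service states). The three cluster samples are abridged from the guide's output above; the sample for the standalone host max is constructed from the field description because the guide's copy is cut off.

```python
"""Cross-check `show cluster membership` output from several WildFire nodes. Added example, not a Palo Alto Networks tool."""
import re

# Abridged from the guide's sample output for thing1, thing2 and grinch.
THING1 = """\
Cluster name: satriani1
Host name: thing1
Node mode: controller
HA priority: primary
wildfire-apps-service: Ready
global-db-service: JoinedCluster
global-queue-service: JoinedCluster
siggen-db: ReadyMaster
"""
THING2 = """\
Cluster name: satriani1
Host name: thing2
Node mode: controller
HA priority: secondary
wildfire-apps-service: Ready
global-db-service: ReadyLeader
global-queue-service: ReadyLeader
siggen-db: ReadySlave
"""
GRINCH = """\
Cluster name: satriani1
Host name: grinch
Node mode: worker
HA priority:
wildfire-apps-service: Ready
global-db-service: JoinedCluster
global-queue-service: JoinedCluster
siggen-db: Ready
"""
# Constructed: the guide's standalone sample is cut off, so this follows its field description.
MAX = """\
Cluster name:
Host name: max
Node mode: stand_alone
HA priority:
wildfire-apps-service: Ready
global-db-service: ReadyStandalone
global-queue-service: ReadyStandalone
siggen-db: ReadyMaster
"""

CLUSTER = {"ReadyLeader", "JoinedCluster"}
# Per role: service -> acceptable states, as listed in the guide.
EXPECTED = {
    "active-controller":  {"siggen-db": {"ReadyMaster"}, "global-db-service": CLUSTER, "global-queue-service": CLUSTER},
    "passive-controller": {"siggen-db": {"ReadySlave"}, "global-db-service": CLUSTER, "global-queue-service": CLUSTER},
    "worker":             {"siggen-db": {"Ready"}, "global-db-service": CLUSTER, "global-queue-service": CLUSTER},
    "standalone":         {"siggen-db": {"ReadyMaster"}, "global-db-service": {"ReadyStandalone"}, "global-queue-service": {"ReadyStandalone"}},
}

def parse_membership(text):
    """'key: value' lines -> dict; blank values (HA priority on a worker) are kept as ''."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w -]*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def node_role(fields):
    """Map Node mode + HA priority to the role names the guide uses in the prompt."""
    mode, prio = fields.get("Node mode", ""), fields.get("HA priority", "")
    if mode == "controller":
        return {"primary": "active-controller", "secondary": "passive-controller"}.get(prio, "unknown")
    return {"worker": "worker", "stand_alone": "standalone"}.get(mode, "unknown")

def check_cluster(outputs):
    """Return human-readable findings for a set of node outputs; an empty list means consistent."""
    findings, names, roles = [], set(), []
    for text in outputs:
        fields = parse_membership(text)
        host, role = fields.get("Host name", "?"), node_role(fields)
        roles.append(role)
        if role == "unknown":
            findings.append(f"{host}: cannot determine role (Node mode={fields.get('Node mode')!r}, HA priority={fields.get('HA priority')!r})")
            continue
        if fields.get("wildfire-apps-service") != "Ready":
            findings.append(f"{host}: wildfire-apps-service is {fields.get('wildfire-apps-service')!r}")
        for svc, ok in EXPECTED[role].items():
            if fields.get(svc) not in ok:
                findings.append(f"{host} ({role}): {svc} is {fields.get(svc)!r}, expected one of {sorted(ok)}")
        if role == "standalone" and fields.get("Cluster name"):
            findings.append(f"{host}: stand_alone node reports cluster name {fields['Cluster name']!r}")
        if role != "standalone":
            names.add(fields.get("Cluster name", ""))
    if len(names) > 1:
        findings.append(f"cluster members disagree on cluster name: {sorted(names)}")
    if names and roles.count("active-controller") != 1:  # only meaningful when cluster members are present
        findings.append(f"expected exactly one active controller, found {roles.count('active-controller')}")
    if roles.count("passive-controller") > 1:
        findings.append("more than one passive controller reported")
    return findings

if __name__ == "__main__":
    print(check_cluster([THING1, THING2, GRINCH]) or "satriani1: consistent", check_cluster([MAX]) or "max: consistent")
```

Feed it the full output of each node; lines without a colon, such as "Agent alive and reachable", are ignored by the parser. A node whose siggen-db state disagrees with its HA priority, or two controllers both reporting primary, is exactly the split-brain condition you want to catch before trusting the signatures the cluster generates.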
Required Privilege Level
superuser, deviceadmin
show cluster task
Description
Show WildFire appliance cluster task information for the local cluster node or for all cluster nodes, or display the completed cluster task history or pending cluster tasks.
Hierarchy Location
show cluster
Syntax
task {
current;
history;
local;
pending;
}
Options
> current Display tasks currently allowed on the WildFire appliance cluster. Available only on cluster controller nodes.
> history Display completed cluster tasks. Available only on cluster controller nodes.
> local Display pending tasks on the local WildFire appliance cluster node.
> pending Display pending tasks for the entire WildFire appliance cluster. Available only on cluster controller nodes.
Sample Output
Required Privilege Level
superuser, deviceadmin
show high-availability all
Description
Show all WildFire appliance cluster high availability (HA) information, including HA control link, HA state, and HA transition information, peer software, content update, and antivirus compatibility information, and peer connection and role information.
Hierarchy Location
show high-availability
Syntax
all;
Options
No additional options.
Sample Output
Encryption Enabled: no
HA1 Control Link Information:
IP Address: 10.10.10.140/24
MAC Address: 00:00:5e:00:53:ff
Interface: eth3
Link State: Up; Setting: 1Gb/s-full
Key Imported : no
Election Option Information:
Priority: primary
Preemptive: no
Promotion Hold Interval: 2000 ms
Hello Message Interval: 8000 ms
Heartbeat Ping Interval: 2000 ms
Preemption Hold Interval: 1 min
Monitor Fail Hold Up Interval: 0 ms
Addon Master Hold Up Interval: 500 ms
Version Information:
Build Release: 8.0.1-c31
URL Database: Not Installed
Application Content: 497-2688
Anti-Virus: 0
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.30/24
Management IPv6 Address:
HA1 Control Link Information:
IP Address: 10.10.10.130
MAC Address: 00:00:5e:00:53:00
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Version Information:
Build Release: 8.0.1-c31
URL Database: Not Installed
Application Content: 497-2688
Anti-Virus: 0
Initial Monitor Hold inactive; Allow Network/Links to Settle:
Link and path monitoring failures honored
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized
Required Privilege Level
superuser, deviceadmin
show high-availability control-link
Description
Show WildFire appliance cluster high availability (HA) statistics for the HA control link between the primary and backup controller nodes, including the number of different types of messages transmitted and received on the HA control link, connection failures, and ping activity.
Hierarchy Location
show high-availability
Syntax
control-link {
statistics;
}
Options
> statistics Display WildFire appliance cluster controller node HA control link statistics.
Sample Output
Primary-Msg-RX : 1
Primary-Ack-Msg-TX : 1
Primary-Ack-Msg-RX : 1
Hello-Msg-TX : 13402
Hello-Msg-RX : 13402
Hello-Timeouts : 0
Hello-Failures : 0
MasterKey-Msg-TX : 1
MasterKey-Msg-RX : 1
MasterKey-Ack-Msg-TX : 1
MasterKey-Ack-Msg-RX : 1
Connection-Failures : 0
Connection-Tries-Failures : 12
Connection-Listener-Tries : 1
Connection-Active-Tries : 12
Ping-TX : 53614
Ping-Fail-TX : 0
Ping-RX : 53613
Ping-Timeouts : 0
Ping-Failures : 0
Ping-Error-Msgs : 0
Ping-Other-Msgs : 0
Ping-Last-Rsp : 1
Required Privilege Level
superuser, deviceadmin
show high-availability state
Description
Show WildFire appliance cluster high availability (HA) state information for the local and peer cluster controller nodes, including whether the controller node is active (primary) or passive (backup) and how long the controller node has been in that state, the HA configuration, whether the local and peer controller node configurations are synchronized, and software, content update, and antivirus version compatibility between controller node peers.
Hierarchy Location
show high-availability
Syntax
state;
Options
No additional options.
Sample Output
High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: primary
Preemptive: no
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.30/24
Management IPv6 Address:
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized
Required Privilege Level
superuser, deviceadmin
show high-availability transitions
Description
Show WildFire appliance cluster high availability (HA) transition information about events that occur during HA switchovers for the cluster controller nodes.
Hierarchy Location
show high-availability
Syntax
transitions;
Options
No additional options.
Sample Output
Required Privilege Level
superuser, deviceadmin
show system raid
Description
Show the RAID configuration of the WildFire appliance. The WF-500 appliance ships with four drives in the first four drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and B2 are a second RAID 1 pair.
Hierarchy Location
show system
Syntax
raid {
detail;
}
Options
No additional options.
Sample Output
The following shows the RAID configuration on a functioning WF-500 appliance.
admin@WF-500> show system raid detail
Required Privilege Level
superuser, superreader
submit wildfire local-verdict-change
Description
Changes locally generated WildFire verdicts for samples submitted from the firewall. Verdict changes apply only to those samples submitted to the WildFire appliance, and the verdict for the same sample remains unchanged in the WildFire global cloud. You can view samples with changed verdicts using the show wildfire global local-verdict-change command.
The WildFire private cloud content package is updated to reflect any verdict changes that you make (on the firewall, select Device > Dynamic Updates > WF-Private to enable WildFire private cloud content updates). When you change a sample verdict to malicious, the WildFire appliance generates a new signature to detect the malware and adds that signature to the WildFire private cloud content package. When you change a sample verdict to benign, the WildFire appliance removes the signature from the WildFire private cloud content package. Because a verdict override changes what every firewall that receives the WF-Private package blocks or allows, record the reason in the comment field.
There is also an API call which can be used to change the verdicts of local samples. Refer to the WildFire API Reference for more information.
Hierarchy Location
submit wildfire
Syntax
submit {
wildfire {
local-verdict-change {
hash <value>;
verdict <value>;
comment <value>;
}
}
}
Options
* hash Specify the SHA256 hash of the file for which you want to change the verdict.
* verdict Enter the new file verdict: 0 indicates a benign sample; 1 indicates malware; 2 indicates grayware.
* comment Include a comment to describe the verdict change.
Sample Output
The following shows the output of this command.
admin@WF-500> submit wildfire local-verdict-change comment test hash
c323891a87a8c43780b0f2377de2efc8bf856f02dd6b9e46e97f4a9652814b5c verdict 2
Please enter 'Y' to commit: (y or n)
Required Privilege Level
superuser, deviceadmin
show wildfire
Description
Shows various information about the WildFire appliance, such as global and local device and sample-related details, appliance status, and the virtual machine that is selected to perform analysis.
Hierarchy Location
show wildfire
Syntax
status | vm-images;
Options
> status Display the status of the appliance as well as configuration information such as the Virtual Machine (VM) used for sample analysis, whether or not samples/reports are sent to the cloud, VM network, and registration information.
> vm-images Display the attributes of the available virtual machine images used for sample analysis. To view the current active image, run admin@WF-500> show wildfire status and view the Selected VM field.
Sample Output
The following shows the output of show wildfire status.
Connection info:
Wildfire cloud: s1.wildfire.paloaltonetworks.com
Status: Idle
Submit sample: disabled
Submit report: disabled
Selected VM: vm-5
VM internet connection: disabled
VM network using Tor: disabled
Best server: s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 10.3.4.99
Signature verification: enable
Server selection: enable
Through a proxy: no
Supported VM images:
vm-1
Windows XP, Adobe Reader 9.3.3, Flash 9, Office 2003. Support PE, PDF, Office 2003 and
earlier
vm-2
Windows XP, Adobe Reader 9.4.0, Flash 10n, Office 2007. Support PE, PDF, Office 2007
and earlier
vm-3
Windows XP, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010 and
earlier
vm-4
Windows 7 32bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010
and earlier
vm-5
Windows 7 64bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010
and earlier
vm-6
Windows XP, Internet Explorer 8, Flash 11. Support E-MAIL Links
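Several of the fields in the show wildfire status output above, and in the show high-availability state output earlier in this section, are security settings rather than mere status: whether downloaded packages are signature-verified, whether the analysis VMs have direct Internet egress and whether it goes through Tor, whether samples and reports leave the appliance, whether the HA1 control link is encrypted, and whether the two controllers agree on versions and configuration. The following Python script is an added example, not part of the guide and not a Palo Alto Networks tool; it parses both outputs and flags the settings a reviewer would want to see before trusting the appliance. The sample text is abridged from the guide's two outputs, and the rule that any value other than disabled means the VMs have outbound access is this example's assumption.

```python
"""Posture check over `show wildfire status` and `show high-availability state` output. Added example, not a Palo Alto Networks tool."""
import re

# Abridged from the guide's `show wildfire status` sample output.
WF_STATUS = """\
Wildfire cloud: s1.wildfire.paloaltonetworks.com
Submit sample: disabled
Submit report: disabled
Selected VM: vm-5
VM internet connection: disabled
VM network using Tor: disabled
Device registered: yes
Signature verification: enable
Server selection: enable
Through a proxy: no
"""

# Abridged from the guide's `show high-availability state` sample output.
HA_STATE = """\
Local Information:
State: active-controller (last 1 days)
Encryption Enabled: no
Priority: primary
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
State: passive-controller (last 1 days)
Priority: secondary
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized
"""

def kv(text):
    """'key: value' lines -> dict; duplicate keys overwrite, so callers split sections first."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w /-]*?)\s*:\s*(.*)$", line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def check_wildfire_status(text):
    """Findings from `show wildfire status`; empty list means nothing to raise."""
    s, findings = kv(text), []
    if s.get("Device registered") != "yes":
        findings.append("appliance is not registered with its WildFire server")
    if s.get("Signature verification") != "enable":
        findings.append("signature verification is off: downloaded packages are not verified")
    # Assumption: any value other than 'disabled' means the sandbox VMs have outbound access.
    if s.get("VM internet connection") != "disabled" and s.get("VM network using Tor") == "disabled":
        findings.append("analysis VMs reach the Internet directly (Tor disabled): sandbox egress is attributable to this site")
    for k in ("Submit sample", "Submit report"):
        if s.get(k) != "disabled":
            findings.append(f"{k} is on: data leaves the appliance for {s.get('Wildfire cloud', 'the cloud')}")
    return findings

def check_ha_state(text):
    """Findings from `show high-availability state`; local and peer blocks are parsed separately."""
    local_txt, _, peer_txt = text.partition("Peer Information:")
    local, peer, findings = kv(local_txt), kv(peer_txt), []
    if local.get("Encryption Enabled") != "yes":
        findings.append("HA1 control link is not encrypted")
    if peer.get("Connection status") != "up":
        findings.append(f"peer connection status is {peer.get('Connection status')!r}")
    if peer.get("Running Configuration") != "synchronized":
        findings.append(f"running configuration is {peer.get('Running Configuration')!r}")
    for k in ("Software Version", "Application Content Compatibility", "Anti-Virus Compatibility"):
        if local.get(k) != "Match":
            findings.append(f"{k}: {local.get(k)!r}")
    states = {local.get("State", "").split(" ")[0], peer.get("State", "").split(" ")[0]}
    if states != {"active-controller", "passive-controller"}:
        findings.append(f"unexpected controller states: {sorted(states)}")
    return findings

if __name__ == "__main__":
    for name, result in (("wildfire status", check_wildfire_status(WF_STATUS)),
                         ("high-availability state", check_ha_state(HA_STATE))):
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against the guide's own samples the status check passes, while the HA check reports the one thing worth fixing in that output: Encryption Enabled: no means the HA1 control link between the two controllers carries its traffic in the clear.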
Required Privilege Level
superuser, superreader
show wildfire global
Description
Shows various information about global devices and the status of samples, such as available API keys, registration information, sample verdict changes, activity, and recent samples that the appliance analyzed.
Hierarchy Location
show wildfire global
Syntax
api-keys {
all {
details;
}
key <value>;
}
devices-reporting-data;
last-device-registration {
all;
}
local-verdict-change {
all;
sha256 <value>;
}
sample-analysis {
number;
type;
}
sample-status {
sha256 {
equal <value>;
}
}
signature-status {
sha256 {
equal <value>;
}
}
Options
Sample Output
The following shows the output for this command.
admin@WF-500> show wildfire global api-keys all
+------------+-----------+---------+---------------------+---------------------+
| Apikey | Name | Status | Create Time | Last Used Time |
+------------+-----------+---------+---------------------+---------------------+
| <API KEY> | happykey1 | Enabled | 2017-03-01 23:21:02 | 2017-03-01 23:21:02 |
+------------+-----------+---------+---------------------+---------------------+
+---------------------+---------------------+-----------+----------------------------+
| Finish Date | Create Date | Malicious | Storage Nodes |
+---------------------+---------------------+-----------+----------------------------+
| 2017-03-01 22:34:17 | 2017-03-01 22:28:23 | No | 009026:smp_27,097010smp_27 |
+---------------------+---------------------+-----------+----------------------------+
+----------------+---------------+------------------+
| Analysis Nodes | Status | File Type |
+----------------+---------------+------------------+
| qa15 | Notify Finish | Adobe Flash File |
+----------------+---------------+------------------+
+---------------+---------------------+---------+-------------+----------+
| 155392 | 2017-02-03 10:11:06 | 5000259 | 10411 | released |
+---------------+---------------------+---------+-------------+----------+
Required Privilege Level
superuser, superreader
show wildfire local
Description
Shows various information about local devices and samples, activity, recent samples that the appliance analyzed, and basic WildFire statistics.
Hierarchy Location
show wildfire local
Syntax
latest {
analysis {
filter malicious|benign;
sort-by SHA256|Submit Time|Start Time|Finish Time|Malicious|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
|
samples {
filter malicious|benign;
sort-by SHA256|Create Time|File Name|File Type|File Size|Malicious|Status;
sort-direction asc|desc;
limit 1-20000;
days 1-7;
}
}
sample-status {
sha256 {
equal <value>;
}
}
statistics days <1-31> | hours <0-24> | minutes <0-60>;
Options
Sample Output
The following shows the output for this command.
Sample information:
+---------------------+-----------+-----------------------------------+
| Create Time | File Name | File Type |
+---------------------+-----------+-----------------------------------+
| 2017-03-01 22:28:24 | rmr.doc | Microsoft Word 97 - 2003 Document |
+---------------------+-----------+-----------------------------------+
+-----------+-----------+-------------------+
| File Size | Malicious | Status |
+-----------+-----------+-------------------+
| 133120 | Yes | analysis complete |
+-----------+-----------+-------------------+
Analysis information:
+---------------------+---------------------+---------------------+------------+
| Submit Time | Start Time | Finish Time | Malicious |
+---------------------+---------------------+---------------------+------------+
| 2017-03-01 22:28:24 | 2017-03-01 22:28:24 | 2017-03-01 22:28:24 | Suspicious |
| 2017-03-01 22:28:24 | 2017-03-01 22:28:24 | 2017-03-01 22:34:07 | Yes |
+---------------------+---------------------+---------------------+------------+
+-----------------------------------------------------------+-----------+
| VM Image | Status |
+-----------------------------------------------------------+-----------+
| DOC/CDF Static Analyzer | completed |
| Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010 | completed |
+-----------------------------------------------------------+-----------+
Wildfire Stats
Executable
+----------+-----------+----------+---------+---------+----------+--------+-------+
| FileType | Submitted | Analyzed | Pending | Malware | Grayware | Benign | Error |
+----------+-----------+----------+---------+---------+----------+--------+-------+
| exe      | 2         | 2        | 0       | 0       | 0        | 2      | 0     |
| dll      | 0         | 0        | 0       | 0       | 0        | 0      | 0     |
+----------+-----------+----------+---------+---------+----------+--------+-------+
Files Analyzed : 2
Non-Executable
+----------+-----------+----------+---------+---------+----------+--------+-------+
| FileType | Submitted | Analyzed | Pending | Malware | Grayware | Benign | Error |
+----------+-----------+----------+---------+---------+----------+--------+-------+
| pdf      | 0         | 0        | 0       | 0       | 0        | 0      | 0     |
| jar      | 0         | 0        | 0       | 0       | 0        | 0      | 0     |
| doc      | 1         | 1        | 0       | 1       | 0        | 0      | 0     |
| ppt      | 0         | 0        | 0       | 0       | 0        | 0      | 0     |
| xls      | 0         | 0        | 0       | 0       | 0        | 0      | 0     |
| docx     | 0         | 0        | 0       | 0       | 0        | 0      | 0     |
| pptx     | 0         | 0        | 0       | 0       | 0        | 0      | 0     |
| xlsx     | 0         | 0        | 0       | 0       | 0        | 0      | 0     |
| rtf      | 0         | 0        | 0       | 0       | 0        | 0      | 0     |
| class    | 2         | 2        | 0       | 1       | 0        | 1      | 0     |
| swf      | 1         | 1        | 0       | 0       | 0        | 1      | 0     |
+----------+-----------+----------+---------+---------+----------+--------+-------+
Links
+----------+-----------+----------+---------+---------+----------+--------+-------+
| FileType | Submitted | Analyzed | Pending | Malware | Grayware | Benign | Error |
+----------+-----------+----------+---------+---------+----------+--------+-------+
| elink    | 1         | 1        | 0       | 1       | 0        | 0      | 0     |
+----------+-----------+----------+---------+---------+----------+--------+-------+
General Stats
Verdicts
+---------+----------+--------+-------+
| Malware | Grayware | Benign | Error |
+---------+----------+--------+-------+
| 3       | 0        | 4      | 0     |
+---------+----------+--------+-------+
Session and Upload Count
+----------+---------+
| Sessions | Uploads |
+----------+---------+
| 7        | 5       |
+----------+---------+
Required Privilege Level
superuser, superreader
test wildfire registration
Description
Performs a test to check the registration status of a WildFire appliance or Palo Alto Networks firewall to a WildFire server. If the test is successful, the IP address or server name of the WildFire server is displayed. A successful registration is required before a WildFire appliance or firewall can forward files to the WildFire server.
Syntax
test {
wildfire {
registration;
}
}
Options
No additional options.
Sample Output
The following shows a successful output on a firewall that can communicate with a WildFire appliance. If this is a WildFire appliance pointing to the Palo Alto Networks WildFire cloud, the server name of one of the cloud servers is displayed in the select the best server: field.
Test wildfire
wildfire registration: successful
download server list: successful
select the best server: ca-s1.wildfire.paloaltonetworks.com
Required Privilege Level
superuser, superreader