
WildFire Administrator's Guide
Version 8.0

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About this Guide

This guide describes how to configure your Palo Alto Networks firewalls to submit samples to the WildFire cloud and how to manage a WildFire appliance for use in private cloud or hybrid cloud deployments.

For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.

For access to the knowledge base and discussion forums, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and WildFire 8.0 release information, go to https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: June 5, 2017

WildFire 8.0 Administrator's Guide, Palo Alto Networks, Inc.
Table of Contents

WildFire Overview ... 7
  About WildFire ... 8
  WildFire Concepts ... 9
  WildFire Deployments ... 14
  WildFire File Type Support ... 16
  WildFire Subscription ... 17
  Get Started with WildFire ... 18

Submit Files for WildFire Analysis ... 21
  WildFire Best Practices ... 22
  Forward Files for WildFire Analysis ... 24
  Forward Decrypted SSL Traffic for WildFire Analysis ... 30
  Verify WildFire Submissions ... 31
    Test a Sample Malware File ... 31
    Verify File Forwarding ... 32
  Manually Upload Files to the WildFire Portal ... 36
  Submit Malware or Reports from the WildFire Appliance ... 37
  Firewall File Forwarding Capacity by Model ... 38

Set Up and Manage a WildFire Appliance ... 39
  About the WildFire Appliance ... 40
  Configure the WildFire Appliance ... 42
  Set Up the WildFire Appliance VM Interface ... 48
    Virtual Machine Interface Overview ... 48
    Configure the VM Interface on the WildFire Appliance ... 49
    Connect the Firewall to the WildFire Appliance VM Interface ... 50
  Enable WildFire Appliance Analysis Features ... 52
    Set Up WildFire Appliance Content Updates ... 52
    Enable Local Signature and URL Category Generation ... 54
    Submit Locally-Discovered Malware or Reports to the WildFire Public Cloud ... 56
  Upgrade a WildFire Appliance ... 57

Monitor WildFire Activity ... 59
  About WildFire Logs and Reporting ... 60
  Use the Firewall to Monitor Malware ... 61
    Configure WildFire Submissions Log Settings ... 61
    Monitor WildFire Submissions and Analysis Reports ... 63
    Set Up Alerts for Malware ... 65
  Use the WildFire Portal to Monitor Malware ... 67
    Configure WildFire Portal Settings ... 67
    Add WildFire Portal Users ... 68
    View Reports on the WildFire Portal ... 69
  WildFire Analysis Reports: Close Up ... 70
  WildFire Example ... 74

WildFire Appliance Clusters ... 79
  About WildFire Appliance Clusters ... 80
  WildFire Appliance Cluster Resiliency and Scale ... 81
  WildFire Appliance Cluster Management ... 84
  Configure a Cluster Locally on WildFire Appliances ... 87
    Configure a Cluster and Add Nodes Locally ... 87
    Configure General Cluster Settings Locally ... 93
    Remove a Node from a Cluster Locally ... 95
  Upgrade WildFire Appliances in a Cluster ... 97
    Upgrade a Cluster Locally ... 97
    Upgrade a Cluster Centrally on Panorama with an Internet Connection ... 99
    Upgrade a Cluster Centrally on Panorama without an Internet Connection ... 101
  Configure a Cluster Centrally on Panorama ... 104
    Configure a Cluster and Add Nodes on Panorama ... 104
    Configure General Cluster Settings on Panorama ... 108
    Remove a Cluster from Panorama Management ... 110

Use the WildFire Appliance CLI ... 113
  WildFire Appliance Software CLI Concepts ... 114
    WildFire Appliance Software CLI Structure ... 114
    WildFire Appliance Software CLI Command Conventions ... 114
    WildFire Appliance CLI Command Messages ... 115
    WildFire Appliance Command Option Symbols ... 115
    WildFire Appliance Privilege Levels ... 117
  WildFire CLI Command Modes ... 118
    WildFire Appliance CLI Configuration Mode ... 118
    WildFire Appliance CLI Operational Mode ... 121
  Access the WildFire Appliance CLI ... 122
  WildFire Appliance CLI Operations ... 123
    Access WildFire Appliance Operational and Configuration Modes ... 123
    Display WildFire Appliance Software CLI Command Options ... 123
    Restrict WildFire Appliance CLI Command Output ... 124
    Set the Output Format for WildFire Appliance Configuration Commands ... 125
  WildFire Appliance Configuration Mode Command Reference ... 126
    set deviceconfig cluster ... 126
    set deviceconfig high-availability ... 128
    set deviceconfig setting management ... 130
    set deviceconfig setting wildfire ... 131
    set deviceconfig system ... 133
    set deviceconfig system eth2 ... 134
    set deviceconfig system eth3 ... 135
    set deviceconfig system panorama-server ... 137
    set deviceconfig system panorama-server-2 ... 138
    set deviceconfig system update-schedule ... 139
    set deviceconfig system vm-interface ... 140
  WildFire Appliance Operational Mode Command Reference ... 142
    clear high-availability ... 143
    create wildfire api-key ... 144
    delete high-availability-key ... 145
    delete wildfire api-key ... 147
    delete wildfire-metadata ... 148
    disable wildfire ... 148
    edit wildfire api-key ... 149
    load wildfire api-key ... 150
    request cluster decommission ... 151
    request cluster reboot-local-node ... 153
    request high-availability state ... 154
    request high-availability sync-to-remote ... 156
    request system raid ... 157
    request wildfire sample-redistribution ... 159
    request system wildfire-vm-image ... 160
    request wf-content ... 161
    save wildfire api-key ... 162
    set wildfire portal-admin ... 163
    show cluster all-peers ... 164
    show cluster controller ... 165
    show cluster membership ... 166
    show cluster task ... 169
    show high-availability all ... 171
    show high-availability control-link ... 173
    show high-availability state ... 174
    show high-availability transitions ... 176
    show system raid ... 177
    submit wildfire local-verdict-change ... 178
    show wildfire ... 179
    show wildfire global ... 181
    show wildfire local ... 184
    test wildfire registration ... 188

WildFire Overview

WildFire provides detection and prevention of zero-day malware using a combination of dynamic and static analysis to detect threats and create protections to block malware. WildFire extends the capabilities of Palo Alto Networks next-generation firewalls to identify and block targeted and unknown malware.

- About WildFire
- WildFire Concepts
- WildFire Deployments
- WildFire File Type Support
- WildFire Subscription
- Get Started with WildFire


About WildFire

The WildFire Virtual Environment identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls can use to then detect and block the malware. When a Palo Alto Networks firewall detects an unknown sample (a file or a link included in an email), the firewall can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly-discovered malware, and makes the latest signatures globally available every five minutes. All Palo Alto Networks firewalls can then compare incoming samples against these signatures to automatically block the malware first detected by a single firewall.

To learn more about WildFire, or to get started with WildFire now, see the following topics:

- Review WildFire Concepts to learn more about the types of samples you can submit for WildFire analysis, WildFire verdicts, and WildFire signatures.
- Learn more about the WildFire Deployments you can set up with the firewall. You can submit samples you would like to have analyzed to a Palo Alto Networks-hosted WildFire cloud or a locally-hosted WildFire private cloud, or you can use a hybrid cloud, where the firewall submits certain samples to the public cloud and certain samples to a private cloud.
- Get Started with WildFire to define the samples that you want to submit for analysis, and to begin submitting samples to a WildFire cloud.
- Manage WildFire Appliances using Panorama to manage up to 200 WildFire appliances centrally instead of individually.
- Create WildFire Appliance Clusters to increase analysis and storage capacity, support more firewalls on a single network, and implement high availability to provide fault tolerance. You can manage WildFire appliance clusters using the local WildFire CLI or using Panorama.


WildFire Concepts

- Samples
- Firewall Forwarding
- Session Information Sharing
- Virtual Environment
- Verdicts
- File Analysis
- Email Link Analysis
- Compressed and Encoded File Analysis
- WildFire Signatures

Samples

Samples are all file types and email links submitted for WildFire analysis from the firewall and the public API. See File Analysis and Email Link Analysis for details on the file types and links that a firewall can submit for WildFire analysis.

Firewall Forwarding

The firewall forwards unknown samples, as well as blocked files that match antivirus signatures, for WildFire analysis based on the configured WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). In addition to detecting links included in emails, files that are attached to emails, and browser-based file downloads, the firewall leverages the Palo Alto Networks App-ID feature to detect file transfers within applications. For samples that the firewall detects, the firewall analyzes the structure and content of the sample and compares it against existing signatures. If the sample matches a signature, the firewall applies the default action defined for the signature (allow, alert, or block). If the sample matches an antivirus signature, or if the sample remains unknown after comparing it against WildFire signatures, the firewall forwards it for WildFire analysis.

By default, the firewall also forwards information about the session in which an unknown sample was detected. To manage the session information that the firewall forwards, select Device > Setup > WildFire and edit Session Information Settings.

Session Information Sharing

In addition to forwarding unknown and blocked samples for analysis, the firewall also forwards information about the network session for a sample. Palo Alto Networks uses session information to learn more about the context of the suspicious network event, indicators of compromise related to the malware, affected hosts and clients, and applications used to deliver the malware.


The firewall is enabled to forward session information by default; however, you can adjust the default settings and choose what type of session information the firewall forwards to WildFire. On the firewall, select Device > Setup > WildFire and select or clear the following Session Information Settings:

- Source IP: Forward the source IP address that sent the unknown file.
- Source Port: Forward the source port that sent the unknown file.
- Destination IP: Forward the destination IP address for the unknown file.
- Destination Port: Forward the destination port for the unknown file.
- Virtual System: Forward the virtual system that detected the unknown file.
- Application: Forward the user application that transmitted the unknown file.
- User: Forward the targeted user.
- URL: Forward the URL associated with the unknown file.
- Filename: Forward the name of the unknown file.
- Email sender: Forward the sender of an unknown email link (the name of the email sender also appears in WildFire logs and reports).
- Email recipient: Forward the recipient of an unknown email link (the name of the email recipient also appears in WildFire logs and reports).
- Email subject: Forward the subject of an unknown email link (the email subject also appears in WildFire logs and reports).

Virtual Environment

Multiple virtual machines run in the WildFire public cloud to represent a variety of operating systems and applications. WildFire executes samples in a virtual environment and observes sample behavior for signs of malicious activities, such as changes to browser security settings, injection of code into other processes, modification of files in the Windows system folder, or attempts by the sample to access malicious domains. The WildFire public cloud also analyzes files across application versions in order to identify malware intended to uniquely target specific versions of client applications (the WildFire private cloud does not support multi-version analysis, and does not analyze application-specific files across several versions of the application). For links that the firewall extracts from email messages and forwards to WildFire, WildFire visits the links to determine if the corresponding web page hosts any exploits. When WildFire completes analysis, it generates a detailed forensics report that summarizes sample behaviors and assigns a verdict of malware, benign, grayware, or phishing to the sample.

WildFire runs virtual environments with each of the following operating systems:

- Microsoft Windows XP 32-bit
- Microsoft Windows 7 32-bit (supported as an option for the WildFire appliance only)
- Microsoft Windows 7 64-bit

Verdicts

When WildFire analyzes a previously unknown sample in the Palo Alto Networks-hosted WildFire global cloud or a locally-hosted WildFire private cloud, a verdict is produced that identifies samples as malicious, unwanted (grayware is considered obtrusive but not malicious), phishing, or benign:

- Benign: The sample is safe and does not exhibit malicious behavior.
- Grayware: The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs).
- Phishing: The link directs users to a phishing site and poses a security threat. Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially corporate passwords that unlock access to your network. The WildFire appliance does not support the phishing verdict and continues to classify these types of links as malicious.
- Malicious: The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For files identified as malware, WildFire generates and distributes a signature to prevent against future exposure to the threat.

Verdicts that you suspect are either false positives or false negatives can be submitted to the Palo Alto Networks threat team for additional analysis. You can also manually change verdicts of samples submitted to WildFire appliances.

File Analysis

A Palo Alto Networks firewall configured with a WildFire analysis profile forwards samples for WildFire analysis based on file type (including email links). Additionally, the firewall decodes files that have been encoded or compressed up to four times (such as files in ZIP format); if the decoded file matches WildFire Analysis profile criteria, the firewall forwards the decoded file for WildFire analysis.

While the firewall can forward all the file types listed below, WildFire analysis support can vary depending on the WildFire cloud to which you are submitting samples. Review WildFire File Type Support to learn more.

File Types Supported for WildFire Forwarding, with descriptions:

- apk: Android Application Package (APK) files. APK files are not supported for WildFire private cloud analysis using a WildFire appliance.
- flash: Adobe Flash applets and Flash content embedded in web pages.
- jar: Java applets (JAR/class file types).
- ms-office: Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), and PowerPoint (PPT, PPTX) presentations, and Office Open XML (OOXML) 2007+ documents.
- pe: Portable Executable (PE) files. PEs include executable files, object code, DLLs, and FON (fonts). A subscription is not required to forward PE files for WildFire analysis, but is required for all other supported file types.
- pdf: Portable Document Format (PDF) files.
- MacOSX: Mach-O, DMG, and PKG files are supported with content version 599. You can also manually or programmatically submit all Mac OS X supported file types for analysis (including application bundles, for which the firewall does not support automatic forwarding).
- email-link: HTTP/HTTPS links contained in SMTP and POP3 email messages. See Email Link Analysis.


Email Link Analysis

A Palo Alto Networks firewall can extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links for WildFire analysis. The firewall only extracts links and associated session information (sender, recipient, and subject) from email messages; it does not receive, store, forward, or view the email message.

WildFire visits submitted links to determine if the corresponding web page hosts any exploits or displays phishing activity. A link that WildFire finds to be malicious or phishing is:

- Recorded on the firewall as a WildFire Submissions log entry. The WildFire analysis report that details the behavior and activity observed for the link is available for each WildFire Submissions log entry. The log entry also includes the email header information (email sender, recipient, and subject) so that you can identify the message and delete it from the mail server, or mitigate the threat if the email has been delivered or opened.
- Added to PAN-DB, and the URL is categorized as malware.

The firewall forwards email links in batches of 100 email links or every two minutes (depending on which limit is hit first). Each batch upload to WildFire counts as one upload toward the upload-per-minute capacity for the given firewall model (Firewall File Forwarding Capacity by Model). If a link included in an email corresponds to a file download instead of a URL, the firewall forwards the file only if the corresponding file type is enabled for WildFire analysis.

To enable the firewall to forward links included in emails for WildFire analysis, see Forward Files for WildFire Analysis. With a PAN-DB URL Filtering license, you can also block user access to malicious and phishing sites.

Compressed and Encoded File Analysis

By default, the firewall decodes files that have been encoded or compressed up to four times, including files that have been compressed using the ZIP format. The firewall then inspects and enforces policy on the decoded file; if the file is unknown, the firewall forwards the decoded file for WildFire analysis.
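The four-level decode limit described here (and under File Analysis above) can be modelled in a few lines. The following is an added example, not code from the guide or from Palo Alto Networks: it builds nested ZIP archives in memory around a stub PE header and shows which layers the firewall would still unpack and forward under a profile that forwards PE files. The helper names, the magic-byte table and the constructed archives are this example's own assumptions.

```python
"""Model of the "decode up to four times" rule for nested archives.

Added example, not Palo Alto Networks code. The depth limit (4) and the
profile file types come from the guide; everything else is assumed.
"""
import io
import zipfile

MAX_DECODE_DEPTH = 4  # the guide: files are decoded up to four times

# Profile file types recognised by leading magic bytes (assumed mapping).
MAGIC = {
    b"MZ": "pe",                       # DOS/PE header
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ms-office",  # legacy OLE2 container (DOC/XLS/PPT)
    b"CWS": "flash",
    b"FWS": "flash",
}


def classify(data: bytes) -> str:
    """Return the profile file type of a blob, 'zip' for a ZIP container,
    or 'unknown' when no signature matches."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "unknown"


def decode_for_forwarding(data: bytes, forward_types, depth: int = 0):
    """Walk nested ZIP containers, decoding at most MAX_DECODE_DEPTH times.

    Returns a list of (depth, file_type, forwarded) decisions. A container
    that is still compressed after the fourth decode is left opaque and is
    not forwarded, which is the failure mode the four-level rule implies."""
    ftype = classify(data)
    if ftype != "zip":
        return [(depth, ftype, ftype in forward_types)]
    if depth >= MAX_DECODE_DEPTH:
        return [(depth, "zip", False)]  # fifth layer: not decoded
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            results.extend(
                decode_for_forwarding(zf.read(name), forward_types, depth + 1))
    return results


def nest_in_zip(payload: bytes, levels: int, name: str = "sample.bin") -> bytes:
    """Constructed input: wrap payload in `levels` nested ZIP archives."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name if i == 0 else f"level{i}.zip", data)
        data = buf.getvalue()
    return data


# Constructed stubs: a bare PE header and a minimal PDF, neither is a real file.
FAKE_PE = b"MZ" + b"\x00" * 62
FAKE_PDF = b"%PDF-1.4\n%%EOF\n"

if __name__ == "__main__":
    profile = {"pe", "pdf"}  # file types enabled in the WildFire Analysis profile
    for levels in (1, 4, 5):
        print(levels, decode_for_forwarding(nest_in_zip(FAKE_PE, levels), profile))
```

Zipping the stub four times still yields a forwarded PE; a fifth layer is left undecoded, which is the case to remember when tuning the profile.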

WildFire Signatures

WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic, and can quickly generate signatures to identify and protect against future infections from the malware it discovers. WildFire automatically generates a signature based on the malware payload of the sample and tests it for accuracy and safety.

Each WildFire cloud (global, regional, and private) analyzes samples and generates malware signatures independently of the other WildFire clouds. With the exception of WildFire private cloud signatures, WildFire signatures are shared globally, enabling WildFire users worldwide to benefit from malware coverage regardless of the location in which the malware was first detected. Because malware evolves rapidly, the signatures that WildFire generates address multiple variants of the malware.

Firewalls with an active WildFire license can retrieve the latest WildFire signatures every five minutes. If you do not have a WildFire subscription, signatures are made available within 24-48 hours as part of the antivirus update for firewalls with an active Threat Prevention license.

As soon as the firewall downloads and installs the new signature, the firewall can block the files that contain that malware (or a variant of the malware). Malware signatures do not detect malicious and phishing links; to enforce these links, you must have a PAN-DB URL Filtering license. You can then block user access to malicious and phishing sites.


WildFire Deployments

You can set up a Palo Alto Networks firewall to submit unknown samples to the Palo Alto Networks-hosted WildFire global cloud or to a locally-hosted WildFire private cloud, or you can enable the firewall to forward certain samples to a WildFire global cloud and certain samples to a WildFire private cloud:

- WildFire Global Cloud
- WildFire Private Cloud
- WildFire Hybrid Cloud

WildFire Global Cloud

A Palo Alto Networks firewall can forward unknown files and email links to the WildFire global cloud or to one of three WildFire regional clouds that Palo Alto Networks owns and maintains. Choose the WildFire public cloud to which you want to submit samples for analysis based on your location and your organization's needs:

- WildFire Global Cloud: The WildFire global cloud is a public cloud environment hosted in the United States. Use the following URL to submit files to the WildFire global cloud for analysis and to access the WildFire global portal: wildfire.paloaltonetworks.com.
- WildFire Europe Cloud: The WildFire Europe cloud is a regional public cloud environment hosted in The Netherlands. It is designed to adhere to European Union (EU) data privacy regulations, and samples submitted to the WildFire Europe cloud remain within EU borders. Use the following URL to submit files to the WildFire Europe cloud for analysis and to access the WildFire Europe cloud portal: eu.wildfire.paloaltonetworks.com.
- WildFire Japan Cloud: The WildFire Japan cloud is a regional public cloud environment hosted in Japan. Use the following URL to submit files to the WildFire Japan cloud for analysis and to access the WildFire Japan cloud portal: jp.wildfire.paloaltonetworks.com.
- WildFire Singapore Cloud: The WildFire Singapore cloud is a regional public cloud environment hosted in Singapore. Use the following URL to submit files to the WildFire Singapore cloud for analysis and to access the WildFire Singapore cloud portal: sg.wildfire.paloaltonetworks.com.

Each WildFire cloud (global and regional) analyzes samples and generates malware signatures independently of the other WildFire clouds. WildFire signatures are then shared globally, enabling WildFire users worldwide to benefit from malware coverage regardless of the location in which the malware was first detected. Review WildFire File Type Support to learn more about the file types that each cloud analyzes.

If you have a WildFire appliance, you can enable a WildFire Hybrid Cloud deployment, where the firewall can forward certain files to a WildFire public cloud and other files to a WildFire private cloud for local analysis. The WildFire appliance can also be configured to quickly gather verdicts for known samples by querying the global cloud before performing analysis. This allows the WildFire appliance to dedicate analysis resources to samples that are unknown to both your private network and the global WildFire community.


WildFire Private Cloud

In a Palo Alto Networks private cloud deployment, Palo Alto Networks firewalls forward files to a WildFire appliance on your corporate network that is being used to host a private cloud analysis location. A WildFire private cloud can receive and analyze files from up to 100 Palo Alto Networks firewalls.

Because the WildFire private cloud is a local sandbox, benign, grayware, and phishing samples that are analyzed never leave your network. By default, the private cloud also does not send discovered malware outside of your network; however, you can choose to automatically forward malware to the WildFire public cloud for signature generation and distribution. In this case, the WildFire public cloud re-analyzes the sample, generates a signature to identify the sample, and distributes the signature to all Palo Alto Networks firewalls with Threat Prevention and WildFire licenses.

If you do not want the WildFire private cloud to forward even malicious samples outside of your network, you can:

- Enable the WildFire appliance to forward the malware report (and not the sample itself) to the WildFire public cloud. WildFire reports provide statistical information that helps Palo Alto Networks assess the pervasiveness and propagation of the malware. For more details, see Submit Malware or Reports from the WildFire Appliance.
- Manually Upload Files to the WildFire Portal (instead of automatically forwarding all malware) or use the WildFire API to submit files to the WildFire public cloud.

You can also Enable Local Signature and URL Category Generation on the WildFire appliance. Signatures the WildFire appliance generates are distributed to connected firewalls so that the firewalls can effectively block the malware the next time it is detected.

Android Application Package (APK) and Mac OS X files are not supported for WildFire private cloud analysis.

WildFire Hybrid Cloud

A firewall in a WildFire hybrid cloud deployment can forward certain samples to the Palo Alto Networks-hosted WildFire global cloud and other samples to a WildFire private cloud hosted by a WildFire appliance. A WildFire hybrid cloud deployment allows the flexibility to analyze private documents locally and inside your network, while the WildFire public cloud analyzes files from the Internet. For example, forward Payment Card Industry (PCI) and Protected Health Information (PHI) data exclusively to the WildFire private cloud for analysis, while forwarding Portable Executables (PEs) to the WildFire public cloud for analysis. In a WildFire hybrid cloud deployment, offloading files to the public cloud for analysis allows you to benefit from a prompt verdict for files that have been previously processed in the WildFire public cloud, and also frees up WildFire appliance capacity to process sensitive content. Additionally, you can forward certain file types to the WildFire public cloud that are not currently supported for WildFire appliance analysis, such as Android Application Package (APK) files.

In a WildFire hybrid cloud deployment, there might be some cases where a single file matches your criteria for both public cloud analysis and private cloud analysis; in these cases, the file is submitted only to the private cloud for analysis as a cautionary measure.

To set up hybrid cloud forwarding, see Forward Files for WildFire Analysis.


WildFire File Type Support

The following table lists the file types that are supported for analysis in the WildFire cloud environments. The table columns are: File Types Supported for Analysis | WildFire Global Cloud | WildFire Europe Cloud | WildFire Japan Cloud | WildFire Singapore Cloud | WildFire Private Cloud (WildFire appliance).

The file types listed are:

- Links contained in emails
- Android application package (APK) files
- Adobe Flash files
- Java Archive (JAR) files
- Microsoft Office files
- Portable executable (PE) files
- Portable document format (PDF) files
- Mac OS X files

Looking for more?

- For details on each WildFire cloud analysis environment, see WildFire Deployments.
- For details about each file type supported for WildFire analysis, see File Analysis.


WildFire Subscription

The basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, the firewall can forward portable executable (PE) files for WildFire analysis, and can retrieve WildFire signatures only with antivirus and/or Threat Prevention updates, which are made available every 24-48 hours.

A WildFire subscription unlocks the following WildFire features:

- WildFire Dynamic Updates: The WildFire public cloud and a WildFire private cloud can generate and distribute new WildFire signatures every five minutes, and you can set the firewall to retrieve and install these signatures every minute (this allows the firewall to get the latest signatures within a minute of availability). Select Device > Dynamic Updates to enable the firewall to get the latest WildFire signatures. Depending on your WildFire deployment, you can set up one or both of the following signature package updates:
  - WildFire: Get the latest signatures from the WildFire public cloud.
  - WF-Private: Get the latest signatures from a WildFire appliance that is configured to locally generate signatures and URL categories.
- WildFire Advanced File Type Support: In addition to PEs, forward advanced file types for WildFire analysis, including APKs, Flash files, PDFs, Microsoft Office files, Java Applets, Java files (.jar and .class), and HTTP/HTTPS email links contained in SMTP and POP3 email messages. (WildFire private cloud analysis does not support APK files.)
- WildFire API: Access to the WildFire API, which enables direct programmatic access to the WildFire public cloud or a WildFire private cloud. Use the WildFire API to submit files for analysis and to retrieve the subsequent WildFire analysis reports. The WildFire API supports up to 1,000 file submissions and up to 10,000 queries a day.
- WildFire Private and Hybrid Cloud Support: Forward files to a WildFire appliance. WildFire private cloud and WildFire hybrid cloud deployments both require the firewall to be able to submit samples to a WildFire appliance. Enabling a WildFire appliance requires only a support license.


Get Started with WildFire

The following steps provide a quick workflow to get started with WildFire. If you'd like to learn more about WildFire before getting started, take a look at the WildFire Overview and review WildFire Best Practices.

Get Started with WildFire

Step 1  Get your WildFire Subscription. If you do not have a WildFire subscription, you can still forward PEs for WildFire analysis.

Step 2  Decide which of the WildFire Deployments works for you:
  - WildFire Global Cloud: Forward samples to a Palo Alto Networks hosted WildFire public cloud.
  - WildFire Private Cloud (Requires a WildFire appliance): Forward samples to a local WildFire appliance that resides on your network.
  - WildFire Hybrid Cloud (Requires a WildFire appliance): Forward some samples to the WildFire public cloud and some samples to a WildFire private cloud.

Step 3  (WildFire private and hybrid cloud only) Set Up and Manage a WildFire Appliance, including upgrading the WildFire appliance to the latest release version. Firewalls connected to the appliance must be running the same release version.

Step 4  Confirm your WildFire license is active on the firewall.
  1. Log in to the firewall.
  2. Select Device > Licenses and check that the WildFire License is active. If the WildFire License is not displayed, select one of the License Management options to activate the license.

Step 5  Connect the firewall to WildFire and configure WildFire settings.
  1. Select Device > Setup > WildFire and edit General Settings.
  2. Use the WildFire Private Cloud and WildFire Public Cloud fields to Specify the WildFire Deployments to which you want to forward samples.
  3. Define the size limits for files the firewall forwards and configure WildFire logging and reporting settings. It is a recommended WildFire best practice to set the File Size for PEs to the maximum size limit of 10 MB, and to leave the File Size for all other file types set to the default value.
  4. Click OK to save the WildFire General Settings.

Step 6  Enable the firewall to Forward Decrypted SSL Traffic for WildFire Analysis. This is a recommended WildFire best practice.


Step 7  Start submitting samples for WildFire analysis.
  1. Define traffic to forward for WildFire analysis (select Objects > Security Profiles > WildFire Analysis and modify or Add a WildFire Analysis profile). As a best practice, use the WildFire Analysis default profile to ensure complete WildFire coverage for traffic the firewall allows. If you still decide to create a custom WildFire Analysis profile, set the profile to forward Any file type; this enables the firewall to automatically start forwarding newly supported file types for analysis.
  2. For each profile rule, set the WildFire Deployments Destination to which you want the firewall to forward samples for analysis: public-cloud or private-cloud.
  3. Attach the WildFire Analysis profile to a security policy rule. Traffic matched to the policy rule is forwarded for WildFire analysis (Policies > Security and Add or modify a security policy rule).

Step 8  Enable the firewall to get the latest WildFire signatures. New WildFire signatures are made available every five minutes to detect and identify malware.
  1. Select Device > Dynamic Updates:
     - (WildFire public and hybrid cloud) Check that WildFire updates are displayed.
     - (WildFire private and hybrid cloud) Check that WF-Private updates are displayed. For the firewall to receive signatures from a WildFire appliance, you must enable the WildFire appliance to locally generate signatures and URL categories.
     Select Check Now to retrieve the latest signature update packages.
  2. Set the Schedule to download and install the latest WildFire signatures.
  3. Use the Recurrence field to set the frequency at which the firewall checks for new updates to Every Minute. As new WildFire signatures are available every five minutes, this setting ensures the firewall retrieves these signatures within a minute of availability.
  4. Enable the firewall to Download and Install these updates as the firewall retrieves them.
  5. Click OK.

Step 9  Start scanning traffic for threats, including malware that WildFire identifies. Attach the default Antivirus profile to a security policy rule to scan traffic the rule allows based on WildFire antivirus signatures (select Policies > Security and add or modify the defined Actions for a rule).


Step 10  Control site access to websites where WildFire has identified the associated link as malicious or phishing. This option requires a PAN-DB URL Filtering license. Learn more about URL Filtering and how it enables you to control website access and corporate credential submissions (to prevent phishing attempts) based on URL category.
  To configure URL Filtering:
  1. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
  2. Select Categories and define Site Access for the phishing and malicious URL categories.
  3. Block users from accessing sites in these categories altogether, or instead, allow access but generate an Alert when users access sites in these categories, to ensure you have visibility into such events.
  4. Enable Credential Phishing Prevention to stop users from submitting credentials to untrusted sites, without blocking their access to these sites.
  5. Apply the new or updated URL Filtering profile, and attach it to a security policy rule to apply the profile settings to allowed traffic:
     a. Select Policies > Security and Add or modify a security policy rule.
     b. Select Actions and in the Profile Setting section, set the Profile Type to profiles.
     c. Attach the new or updated URL Filtering profile to the security policy rule.
     d. Click OK to save the security policy rule.

Step 11  Confirm that the firewall is successfully forwarding samples. If you enabled logging of benign files in Step 4, select Monitor > WildFire Submissions and check that entries are being logged for benign files submitted to WildFire. (If you'd like to disable logging of benign files after confirming that the firewall is connected to WildFire, select Device > Setup > WildFire and clear Report Benign Files.)
  Other options to Verify File Forwarding allow you to confirm that the firewall forwarded a specific sample, view samples the firewall forwards according to file type, and view the total number of samples the firewall forwards.
  Test a Sample Malware File to test your complete WildFire configuration.

Step 12  Investigate WildFire analysis results. Find WildFire analysis results:
  - Use the Firewall to Monitor Malware and view WildFire analysis reports for a sample.
  - View Reports on the WildFire Portal for all samples submitted to the WildFire public cloud, including samples that you manually submitted to the WildFire public cloud.
  - Use the WildFire API to retrieve sample verdicts and reports from a WildFire appliance.
  - Assess the risk of malware you find on your network with the AutoFocus threat intelligence portal. AutoFocus layers data from global WildFire submissions with statistics to identify pervasive and targeted malware, both on your network, within your industry, and globally.

Step 13  Next step: Review and implement WildFire Best Practices.

Submit Files for WildFire Analysis

The following topics describe how to submit files for WildFire analysis. You can set up Palo Alto Networks firewalls to automatically forward unknown files to the WildFire public cloud or a WildFire private cloud, and you can also manually submit files for analysis using the WildFire portal. Samples submitted for WildFire analysis receive a verdict of benign, grayware, malicious, or phishing, and a detailed analysis report is generated for each sample.

- WildFire Best Practices
- Forward Files for WildFire Analysis
- Forward Decrypted SSL Traffic for WildFire Analysis
- Verify WildFire Submissions
- Manually Upload Files to the WildFire Portal
- Submit Malware or Reports from the WildFire Appliance
- Firewall File Forwarding Capacity by Model


WildFire Best Practices

- Follow the best practices to secure your network from Layer 4 and Layer 7 evasions to ensure reliable content identification and analysis. Specifically, make sure to implement the best practices for TCP settings (Device > Setup > Session > TCP Settings) and Content-ID settings (Device > Setup > Content-ID > Content-ID Settings).
- Make sure that you also have an active Threat Prevention subscription. Together, WildFire and Threat Prevention enable comprehensive threat detection and prevention.
- If the firewall is configured to decrypt SSL traffic, enable the firewall to Forward Decrypted SSL Traffic for WildFire Analysis. Only a superuser can enable this option.
- Use the default WildFire Analysis profile to define the traffic the firewall should forward for WildFire analysis (Objects > Security Profiles > WildFire Analysis). The default WildFire Analysis profile ensures complete WildFire coverage for all traffic your security policy allows: it specifies that all supported file types across all applications are forwarded for WildFire analysis, regardless of whether the files are uploaded or downloaded.
  If you choose to create a custom WildFire Analysis profile, it is a best practice to still set the profile to forward any file type. This allows the firewall to automatically begin forwarding file types as they become supported for WildFire analysis.
  For details on applying a WildFire Analysis profile to firewall traffic, review how to Forward Files for WildFire Analysis.
- While you are configuring the firewall to forward files for WildFire analysis, review the file Size Limit for all supported file types. Set the Size Limit for portable executables (PEs) to the maximum supported file size limit: 10 MB. Leave the Size Limit for all other file types set to the default limit. (Select Device > Setup > WildFire and edit the General Settings to adjust file size limits based on file type. Click the Help icon to find the default size limit for each file type.)

About the Default File Size Limits for WildFire Forwarding

The default file size limits on the firewall are designed to include the large majority of malware in the wild (which is smaller than the default size limits) and exclude large files that are very unlikely to be malicious and can impact WildFire forwarding capacity. Because the firewall has a specific capacity reserved to forward files for WildFire analysis, forwarding high numbers of large files might cause the firewall to skip forwarding some files. This condition might occur when the maximum file size limits are configured for a file type that is traversing the firewall at a high rate. In this case, a potentially malicious file might not be forwarded for WildFire analysis. Consider this possible condition if you would like to increase the size limit for files other than PEs beyond the default size limit.

The following graph is a representative illustration of the distribution of file sizes for malware, as observed by the Palo Alto Networks threat research team. The firewall default file size settings can be increased to the maximum file size setting to gain a relatively small increase in the malware catch rate for each file type.


Recommended File Size Limits to Catch Uncommonly Large Malicious Files

If you are specifically concerned about uncommonly large malicious files, you might want to increase file size limits beyond the default settings. In these cases, the following settings are recommended to catch rare, very large malicious files.

Select Device > Setup > WildFire, and edit General Settings to adjust the Size Limit for each file type:
- pe: 10 MB
- apk: 30 MB
- pdf: 1,000 KB
- ms-office: 2,000 KB
- jar: 5 MB
- flash: 5 MB
- MacOSX: 1 MB
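The following Python model is an added example, not Palo Alto Networks code. It ties the recommended size limits above to the earlier point about forwarding capacity: the firewall can only submit a fixed number of files per minute and queues the rest in reserved drive space, so a burst of large files can lead to some files being skipped. The per-minute limits and reserved drive space are taken from the table under Firewall File Forwarding Capacity by Model later in this chapter; the size limits are the values listed above. The queue behaviour itself (per-minute cap, FIFO queue bounded by reserved drive space, skip when the queue is full) and the binary MB/KB units are assumptions that follow the guide's description, not the firewall's actual implementation.

```python
"""Simplified model of firewall file forwarding under WildFire size limits and
per-model forwarding capacity (added example, not Palo Alto Networks code).
The queue behaviour is an assumption based on the guide's description."""

KB = 1024
MB = 1024 * KB  # assumption: the guide's MB/KB are treated as binary units here

# Platform: (maximum files per minute, reserved drive space), from the
# "Firewall File Forwarding Capacity by Model" table.
CAPACITY = {
    "VM-50": (5, 100 * MB), "VM-100": (5, 100 * MB), "VM-200": (10, 200 * MB),
    "VM-300": (20, 200 * MB), "VM-500": (25, 250 * MB), "VM-700": (30, 250 * MB),
    "PA-200": (5, 100 * MB), "PA-220": (10, 100 * MB), "PA-500": (10, 200 * MB),
    "PA-820": (30, 300 * MB), "PA-850": (30, 300 * MB), "PA-3020": (50, 200 * MB),
    "PA-3050/3060": (50, 500 * MB), "PA-5000 Series": (50, 500 * MB),
}

# Recommended per-file-type size limits (the "catch uncommonly large malicious
# files" values). Files above the limit are not forwarded.
SIZE_LIMITS = {
    "pe": 10 * MB, "apk": 30 * MB, "pdf": 1000 * KB, "ms-office": 2000 * KB,
    "jar": 5 * MB, "flash": 5 * MB, "MacOSX": 1 * MB,
}


def within_size_limit(file_type, size):
    """True if a file of this type and size would be forwarded. Unknown types
    are treated as not forwarded (an assumption of this model)."""
    limit = SIZE_LIMITS.get(file_type)
    return limit is not None and size <= limit


def simulate(platform, traffic):
    """Run the forwarding model for one platform.

    traffic: list of minutes, each a list of (file_type, size_in_bytes) seen
    by the firewall during that minute. Returns counters for files forwarded,
    skipped for exceeding the size limit, skipped because the reserved queue
    space was exhausted, and still queued when the simulation ends.
    """
    per_minute, reserved = CAPACITY[platform]
    queue = []  # sizes of files waiting for an upload slot (FIFO)
    stats = {"forwarded": 0, "over_size_limit": 0, "queue_full": 0, "queued_at_end": 0}
    for minute in traffic:
        for file_type, size in minute:
            if not within_size_limit(file_type, size):
                stats["over_size_limit"] += 1
            elif sum(queue) + size > reserved:
                stats["queue_full"] += 1  # no reserved space left; file is skipped
            else:
                queue.append(size)
        # Drain up to the per-minute limit from the front of the queue.
        stats["forwarded"] += len(queue[:per_minute])
        del queue[:per_minute]
    stats["queued_at_end"] = len(queue)
    return stats


# Constructed burst: fourteen 8 MB PEs plus one 12 MB PE in one minute,
# followed by a quiet minute in which the queue drains.
BURST = [[("pe", 8 * MB)] * 14 + [("pe", 12 * MB)], []]

if __name__ == "__main__":
    for platform in ("PA-200", "PA-5000 Series"):
        print(platform, simulate(platform, BURST))
```

On the PA-200 model (5 files per minute, 100 MB reserved) the burst leaves two PEs skipped because the queue space is exhausted and two still queued after the second minute, while the PA-5000 Series model absorbs the whole burst; the 12 MB PE is skipped on both because it exceeds the 10 MB PE limit.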


Forward Files for WildFire Analysis

Configure Palo Alto Networks firewalls to forward unknown files or email links and blocked files that match existing antivirus signatures for analysis. Use the WildFire Analysis profile to define files to forward to the WildFire cloud (use the public cloud or a private cloud), and then attach the profile to a security rule to trigger inspection for zero-day malware.

Specify traffic to be forwarded for analysis based on the application in use, the file type detected, links contained in email messages, or the transmission direction of the sample (upload, download, or both). For example, you can set up the firewall to forward Portable Executables (PEs) or any files that users attempt to download during a web browsing session. In addition to unknown samples, the firewall forwards blocked files that match existing antivirus signatures. This provides Palo Alto Networks a valuable source of threat intelligence based on malware variants that signatures successfully prevented but neither WildFire nor the firewall has seen before.

If you are using a WildFire appliance to host a WildFire private cloud, you can extend WildFire analysis resources to a WildFire Hybrid Cloud by configuring the firewall to continue to forward sensitive files to your WildFire private cloud for local analysis, and forward less sensitive or unsupported file types to the WildFire public cloud.

Additionally, you can dedicate WildFire appliance resources to analyze specific file types: either documents (Microsoft Office files and PDFs) or PEs. For example, if you deploy a WildFire hybrid cloud to analyze documents locally and PEs in the WildFire global cloud, you can dedicate all analysis environments to documents. This allows you to offload analysis of PEs to the public cloud, allowing you to allocate additional WildFire appliance resources to process sensitive documents.

Before you begin:
- If another firewall resides between the firewall you are configuring to forward files and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle allows the following ports:
  - The WildFire public cloud uses port 443 for registration and file submissions.
  - The WildFire appliance uses port 443 for registration and 10443 for file submissions.
- (PA-7000 Series Firewalls Only) To enable a PA-7000 Series firewall to forward files and email links for WildFire analysis, you must first configure a data port on an NPC as a Log Card interface.


Configure a Firewall to Forward Files and Email Links to WildFire

Step 1  Specify the WildFire Deployments to which you want to forward samples.
  Select Device > Setup > WildFire and edit the General Settings based on your WildFire cloud deployment (public, private, or hybrid).
  WildFire Public Cloud:
  1. Enter the WildFire Public Cloud URL:
     - United States: wildfire.paloaltonetworks.com
     - Europe: eu.wildfire.paloaltonetworks.com
     - Japan: wildfire.paloaltonetworks.jp
     - Singapore: sg.wildfire.paloaltonetworks.com
  2. Make sure the WildFire Private Cloud field is clear.
  WildFire Private Cloud:
  1. Enter the IP address or FQDN of the WildFire appliance in the WildFire Private Cloud field.
  2. Clear the WildFire Public Cloud field.
  WildFire Hybrid Cloud:
  1. Enter the WildFire Public Cloud URL:
     - United States: wildfire.paloaltonetworks.com
     - Europe: eu.wildfire.paloaltonetworks.com
     - Japan: wildfire.paloaltonetworks.jp
     - Singapore: sg.wildfire.paloaltonetworks.com
  2. Enter the IP address or FQDN of the WildFire appliance in the WildFire Private Cloud field.

Step 2  Define the size limits for files the firewall forwards and configure WildFire logging and reporting settings.
  Continue editing WildFire General Settings (Device > Setup > WildFire).
  - Review the File Size Limits for files forwarded from the firewall. It is a recommended WildFire best practice to set the File Size for PEs to the maximum size limit of 10 MB, and to leave the File Size for all other file types set to the default value.
  - Select Report Benign Files to allow logging for files that receive a WildFire verdict of benign.
  - Select Report Grayware Files to allow logging for files that receive a WildFire verdict of grayware.
  - Define what session information is recorded in WildFire analysis reports by editing the Session Information Settings. By default, all session information is displayed in WildFire analysis reports. Clear the check boxes to remove the corresponding fields from WildFire analysis reports and click OK to save the settings.


Step 3  (Panorama Only) Configure Panorama to gather additional information about samples collected from firewalls running a PAN-OS version prior to PAN-OS 7.0.
  Some WildFire Submissions log fields introduced in PAN-OS 7.0 are not populated for samples submitted by firewalls running earlier software versions. If you are using Panorama to manage firewalls running software versions earlier than PAN-OS 7.0, Panorama can communicate with WildFire to gather complete analysis information for samples submitted by those firewalls from the defined WildFire Server (the WildFire global cloud, by default) to complete the log details.
  Select Panorama > Setup > WildFire and enter a WildFire Server if you'd like to modify the default setting to instead allow Panorama to gather details from the specified WildFire cloud or from a WildFire appliance.


Step 4  Define traffic to forward for WildFire analysis.
  If you have a WildFire appliance set up, you can use both the private cloud and the public cloud in a hybrid cloud deployment. Analyze sensitive files locally on your network, while sending all other unknown files to the WildFire public cloud for comprehensive analysis and prompt verdict returns.
  1. Select Objects > Security Profiles > WildFire Analysis, Add a new WildFire analysis profile, and give the profile a descriptive Name.
  2. Add a profile rule to define traffic to be forwarded for analysis and give the rule a descriptive Name, such as local PDF analysis.
  3. Define the profile rule so that it matches unknown traffic and forwards samples for analysis based on:
     - Applications: Forward files for analysis based on the application in use.
     - File Types: Forward files for analysis based on file types, including links contained in email messages. For example, select PDF to forward unknown PDFs detected by the firewall for analysis.
     - Direction: Forward files for analysis based on the transmission direction of the file (upload, download, or both). For example, select both to forward all unknown PDFs for analysis, regardless of the transmission direction.
  4. Set the Analysis location to which the firewall forwards files matched to the rule.
     - Select public-cloud to forward matching samples to the WildFire public cloud for analysis.
     - Select private-cloud to forward matching samples to a WildFire private cloud for analysis.
     For example, to analyze PDFs that could contain sensitive or proprietary information without sending these documents out of your network, set the Analysis location for the rule local PDF analysis to private-cloud.
     Different rules can forward matched samples to different analysis locations, depending on your needs. The example above shows a rule that forwards sensitive file types for local analysis in a WildFire private cloud. You could create another rule to forward less sensitive file types, such as PEs, to the WildFire public cloud. This flexibility is supported with a WildFire Hybrid Cloud deployment.
     In a hybrid cloud deployment, files that match both private-cloud and public-cloud rules are forwarded only to the private cloud as a cautionary measure.
  5. (Optional) Continue to add rules to the WildFire analysis profile as needed. For example, you could add a second rule to the profile to forward Android application package (APK), Portable Executable (PE), and Flash files to the WildFire public cloud for analysis.
  6. Click OK to save the WildFire analysis profile.
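To make the rule semantics in this step concrete, the following Python model is an added example, not Palo Alto Networks code. It reproduces the three match criteria the step lists (application, file type, direction), the per-rule Analysis location, and the hybrid-cloud precedence rule: a sample that matches both a private-cloud rule and a public-cloud rule goes only to the private cloud. The profile, rule names, application names and samples are constructed for illustration; the "any file type" catch-all rule mirrors the best practice of forwarding any file type so that newly supported types are picked up automatically.

```python
"""Model of WildFire Analysis profile rule matching (added example, not
Palo Alto Networks code). Rule and sample values are constructed."""
from dataclasses import dataclass

PUBLIC_CLOUD = "public-cloud"
PRIVATE_CLOUD = "private-cloud"
ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset  # {ANY} or application names such as "web-browsing"
    file_types: frozenset    # {ANY} or file types such as "pdf", "pe", "email-link"
    direction: str           # "upload", "download" or "both"
    analysis: str            # PUBLIC_CLOUD or PRIVATE_CLOUD


@dataclass(frozen=True)
class Sample:
    application: str
    file_type: str
    direction: str  # "upload" or "download"


def rule_matches(rule: Rule, sample: Sample) -> bool:
    """A rule matches when every criterion matches (ANY matches everything)."""
    app_ok = ANY in rule.applications or sample.application in rule.applications
    type_ok = ANY in rule.file_types or sample.file_type in rule.file_types
    dir_ok = rule.direction == "both" or rule.direction == sample.direction
    return app_ok and type_ok and dir_ok


def analysis_location(profile, sample: Sample):
    """Return the destination for a sample, or None if no rule matches.

    Hybrid-cloud precedence: if any matching rule says private-cloud, the
    sample is forwarded only to the private cloud, even when a public-cloud
    rule also matches.
    """
    destinations = {rule.analysis for rule in profile if rule_matches(rule, sample)}
    if PRIVATE_CLOUD in destinations:
        return PRIVATE_CLOUD
    if PUBLIC_CLOUD in destinations:
        return PUBLIC_CLOUD
    return None


def matching_rules(profile, sample: Sample):
    """Names of every rule the sample matches (useful when checking a profile)."""
    return [rule.name for rule in profile if rule_matches(rule, sample)]


# Constructed hybrid-cloud profile: documents stay on-site, everything else goes
# to the public cloud. The final ANY/ANY/both rule is the "forward any file
# type" best practice from the guide.
HYBRID_PROFILE = (
    Rule("local PDF analysis", frozenset({ANY}), frozenset({"pdf", "ms-office"}),
         "both", PRIVATE_CLOUD),
    Rule("public PE analysis", frozenset({"web-browsing", "smtp"}),
         frozenset({"pe", "apk", "flash"}), "download", PUBLIC_CLOUD),
    Rule("any file type", frozenset({ANY}), frozenset({ANY}), "both", PUBLIC_CLOUD),
)

# The same profile without the catch-all: samples that match no rule are not forwarded.
STRICT_PROFILE = HYBRID_PROFILE[:2]


if __name__ == "__main__":
    for s in (Sample("web-browsing", "pdf", "download"),
              Sample("web-browsing", "pe", "download"),
              Sample("ftp", "jar", "upload")):
        print(s, "->", analysis_location(HYBRID_PROFILE, s),
              "matched:", matching_rules(HYBRID_PROFILE, s))
```

A downloaded PDF matches both the "local PDF analysis" rule and the catch-all, and the precedence rule sends it only to the private cloud; a PE uploaded over ftp matches only the catch-all and goes to the public cloud; with the strict profile that same PE is not forwarded at all, which is exactly the coverage gap the "any file type" best practice closes.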


Step 5  (Optional) Allocate WildFire appliance resources to analyze either documents or executables.
  If you are deploying a hybrid cloud to analyze specific file types locally and in the WildFire global cloud, you can dedicate analysis environments to process a file type. This allows you to better allocate resources according to your analysis environment configuration. If you do not dedicate resources for an analysis environment, resources are allocated using default settings.
  Use the following CLI command:
  admin@WF-500# set deviceconfig setting wildfire preferred-analysis-environment documents | executables | default
  and choose from one of the following options:
  - documents: Dedicate analysis resources to concurrently analyze 25 documents, 1 PE, and 2 email links.
  - executables: Dedicate analysis resources to concurrently analyze 25 PEs, 1 document, and 2 email links.
  - default: The appliance concurrently analyzes 16 documents, 10 portable executables (PE), and 2 email links.
  Confirm that all WildFire appliance processes are running by running the following command:
  admin@WF-500> show system software status

Step 6  Attach the WildFire Analysis profile to a security policy rule.
  Traffic allowed by the security policy rule is evaluated against the attached WildFire analysis profile; the firewall forwards traffic matched to the profile for WildFire analysis.
  1. Select Policies > Security and Add or modify a policy rule.
  2. Click the Actions tab within the policy rule.
  3. In the Profile Settings section, select Profiles as the Profile Type and select a WildFire Analysis profile to attach to the policy rule.


Step 7  Make sure to enable the firewall to also Forward Decrypted SSL Traffic for WildFire Analysis. This is a recommended WildFire best practice.

Step 8  Review and implement WildFire Best Practices.

Step 9  Click Commit to apply the WildFire settings.

Step 10  Choose what to do next...
  - Verify WildFire Submissions to confirm that the firewall is successfully forwarding files for WildFire analysis.
  - (WildFire Private Cloud Only) Submit Malware or Reports from the WildFire Appliance. Enable this feature to automatically forward malware identified in your WildFire private cloud to the WildFire public cloud. The WildFire public cloud reanalyzes the sample and generates a signature if the sample is malware. The signature is distributed to global users through WildFire signature updates.
  - Monitor WildFire Activity to assess alerts and details reported for malware.


Forward Decrypted SSL Traffic for WildFire Analysis

Enable the firewall to forward decrypted SSL traffic for WildFire analysis. Traffic that the firewall decrypts is evaluated against security policy rules; if it matches the WildFire analysis profile attached to the security rule, the decrypted traffic is forwarded for WildFire analysis before the firewall re-encrypts it. Only a superuser can enable this option.

Forwarding decrypted SSL traffic for WildFire analysis is a WildFire best practice.

Forward Decrypted SSL Traffic

On a firewall that does not have multiple virtual systems enabled:
  1. If you have not already, enable the firewall to perform decryption and Forward Files for WildFire Analysis.
  2. Select Device > Setup > Content-ID.
  3. Edit the Content-ID settings and Allow Forwarding of Decrypted Content.
  4. Click OK to save the changes.

On a firewall with virtual systems enabled:
  1. If you have not already, enable decryption and Forward Files for WildFire Analysis.
  2. Select Device > Virtual Systems, click the virtual system you want to modify, and Allow Forwarding of Decrypted Content.


Verify WildFire Submissions

Test your WildFire setup using malware test samples, and also verify that the firewall is correctly forwarding files for WildFire analysis.
- Test a Sample Malware File
- Verify File Forwarding

Test a Sample Malware File

Palo Alto Networks provides a sample malware file that you can use to test a WildFire configuration. Take the following steps to download the malware sample file, verify that the file is forwarded for WildFire analysis, and view the analysis results.

Use a Sample Malware File to Test the WildFire Configuration

Step 1  Download the malware test file: https://wildfire.paloaltonetworks.com/publicapi/test/pe. If you have SSL decryption enabled on the firewall, use the following URL instead: http://wildfire.paloaltonetworks.com/publicapi/test/pe.
  The test file is named wildfire-test-pe-file.exe and each test file has a unique SHA-256 hash value.
  You can also use the WildFire API to retrieve a malware test file. See the WildFire API Reference for details.

Step 2  On the firewall web interface, select Monitor > WildFire Submissions to confirm that the file was forwarded for analysis.
  It might take about five minutes for analysis results to be displayed for the file on the WildFire Submissions page. The verdict for the test file will always display as malware.


Verify File Forwarding

After the firewall is set up to Forward Files for WildFire Analysis, use the following options to verify the connection between the firewall and the WildFire public or private cloud, and to monitor file forwarding.

Several of the options to verify that a firewall is forwarding samples for WildFire analysis are CLI commands; for details on getting started with and using the CLI, refer to the PAN-OS CLI Quick Start Guide.

Verify File Forwarding

Verify that the firewall is communicating with a WildFire server(s).
  Use the test wildfire registration command to verify that the firewall is connected to a WildFire private cloud, the WildFire public cloud, or both.
  The following example output is for a firewall in a WildFire Private Cloud deployment:

  The example output confirms that the firewall is connected to the WildFire private cloud, and is not connected to the WildFire public cloud (public cloud registration fails).
  If the firewall is configured in a WildFire Hybrid Cloud deployment, check that the firewall is successfully registered with and connected to both the WildFire public cloud and a WildFire private cloud.


Verify the status of the firewall connection to the WildFire public and/or private cloud, including the total number of files forwarded by the firewall for analysis.
  Use the show wildfire status command to:
  - Check the status of the WildFire public and/or private cloud to which the firewall is connected. The status Idle indicates that the WildFire cloud (public or private) is ready to receive files for analysis.
  - Confirm the configured size limits for files forwarded by the firewall (Device > Setup > WildFire).
  - Monitor file forwarding, including the total count of files forwarded by the firewall for WildFire analysis. If the firewall is in a WildFire hybrid cloud deployment, the number of files forwarded to the WildFire public cloud and the WildFire private cloud are also displayed.
  The following example shows the show wildfire status output for a firewall in a WildFire private cloud deployment:

  To view forwarding information for only the WildFire public cloud or WildFire private cloud, use the following commands:
  show wildfire status channel public
  show wildfire status channel private


View samples forwarded by the firewall according to file type (including email links).
  Use this option to confirm that email links are being forwarded for WildFire analysis, since only email links that receive a malicious or phishing verdict are logged as WildFire Submissions entries on the firewall, even if logging for benign and grayware samples is enabled. This is due to the sheer number of WildFire Submissions entries that would be logged for benign email links.
  Use the show wildfire statistics command to confirm the file types being forwarded to the WildFire public or private cloud:
  - The command displays the output of a working firewall and shows counters for each file type that the firewall forwards for WildFire analysis. If a counter field shows 0, the firewall is not forwarding that file type.
  - Confirm that email links are being forwarded for analysis by checking that the following counters do not show zero:
    - FWD_CNT_APPENDED_BATCH: Indicates the number of email links added to a batch waiting for upload to WildFire.
    - FWD_CNT_LOCAL_FILE: Indicates the total number of email links uploaded to WildFire.

Verify that a specific sample was forwarded by the firewall and check the status of that sample.
  This option can be helpful when troubleshooting to:
  - Confirm that samples that have not yet received a WildFire verdict were correctly forwarded by the firewall. Because WildFire Submissions are logged on the firewall only when WildFire analysis is complete and the sample has received a WildFire verdict, use this option to verify the firewall forwarded a sample that is currently undergoing WildFire analysis.
  - Track the status for a single file or email link that was allowed according to your security policy, matched to a WildFire Analysis profile, and then forwarded for WildFire analysis.
  - Check that a firewall in a WildFire Hybrid Cloud deployment is forwarding the correct file types and email links to either the WildFire public cloud or a WildFire private cloud.
  Execute the following CLI commands on the firewall to view samples the firewall has forwarded for WildFire analysis:
  - View all samples forwarded by the firewall with the CLI command debug wildfire upload-log.
  - View only samples forwarded to the WildFire public cloud with the CLI command debug wildfire upload-log channel public.
  - View only samples forwarded to the WildFire private cloud with the CLI command debug wildfire upload-log channel private.
  The following example shows the output for the three commands listed above when issued on a firewall in a WildFire public cloud deployment:


Monitor samples successfully submitted for WildFire analysis.
  Using the firewall web interface, select Monitor > Logs > WildFire Submissions. All files forwarded by a firewall to the WildFire public or private cloud for analysis are logged on the WildFire Submissions page.
  - Check the WildFire verdict for a sample: By default, only samples that receive malicious or phishing verdicts are displayed as WildFire Submissions entries. To enable logging for benign and/or grayware samples, select Device > Setup > WildFire > Report Benign Files / Report Grayware Files.
    Enable logging for benign files as a quick troubleshooting step to verify that the firewall is forwarding files. Check the WildFire Submissions logs to verify that files are being submitted for analysis and receiving WildFire verdicts (in this case, a benign verdict).
  - Confirm the analysis location for a sample: The WildFire Cloud column displays the location to which the file was forwarded and where it was analyzed (public cloud or private cloud). This is useful when deploying a WildFire Hybrid Cloud.


Manually Upload Files to the WildFire Portal

All Palo Alto Networks customers with a support account can use the Palo Alto Networks WildFire portal to manually submit up to five samples a day for WildFire analysis. If you have a WildFire subscription, you can manually submit samples to the portal as part of your 1000 sample uploads daily limit; however, keep in mind that the 1000 sample daily limit also includes WildFire API submissions.

Upload Samples to the WildFire Portal

Step 1  Manually upload files or URLs to the WildFire portal for analysis.
  1. Log in to the WildFire Portal.
  2. Click Upload Sample on the menu bar.
     - To submit files for analysis, select File Upload and Open the files you want to submit for WildFire analysis. Click Start to begin WildFire analysis of a single file, or click Start Upload to submit all the files you added for WildFire analysis.
     - To submit a URL for analysis, click URL Upload, enter a URL, and Submit for WildFire analysis.
  3. Close the Uploaded File Information popup.

Step 2  View the WildFire verdict and analysis results for the file.
  WildFire takes approximately five minutes to complete a file analysis. Because a manual upload is not associated with a specific firewall, manual uploads do not show session information in the reports.
  1. Return to the WildFire Portal dashboard.
  2. In the Previous 1 Hour section, select Manual under the source column to view analysis information for the latest manually submitted samples.
  3. Find the files or URLs you uploaded and click the detail icon to the left of the Received Time.


Submit Malware or Reports from the WildFire Appliance

Enable the WildFire appliance cloud intelligence feature to automatically submit malware samples discovered in the WildFire private cloud to the WildFire public cloud. The WildFire public cloud further analyzes the malware and generates a signature to identify the sample. The signature is then added to WildFire signature updates, and distributed to global users to prevent future exposure to the threat. If you do not want to forward malware samples outside of your network, you can instead choose to submit only WildFire reports for the malware discovered on your network to contribute to WildFire statistics and threat intelligence.

Enable the WildFire Appliance to Submit Malware or Reports to the WildFire Public Cloud

Submit Malware to the WildFire Public Cloud
  Execute the following CLI command from the WildFire appliance to enable the appliance to automatically submit malware samples to the WildFire public cloud:
  admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
  If the firewall that originally submitted the sample for WildFire private cloud analysis has packet captures (PCAPs) enabled, the PCAPs for the malware will also be forwarded to the WildFire public cloud.

Submit Malware Reports to the WildFire Public Cloud
  If the WildFire appliance is enabled to Submit Malware to the WildFire Public Cloud, you do not need to also enable the appliance to submit malware reports to the public cloud. When malware is submitted to the WildFire public cloud, the public cloud generates a new malware report for the sample.
  To enable the WildFire appliance to automatically submit malware reports to the WildFire public cloud (and not the malware sample), execute the following CLI command on the WildFire appliance:
  admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes

Verify Cloud Intelligence Settings
  Check to confirm that cloud intelligence is enabled to either submit malware or submit malware reports to the WildFire public cloud by running the following command:
  admin@WF-500> show wildfire status
  Refer to the Submit sample and Submit report fields.


Firewall File Forwarding Capacity by Model

File forwarding capacity is the maximum rate per minute at which each Palo Alto Networks firewall model can submit files to the WildFire cloud or a WildFire appliance for analysis. If the firewall reaches the per-minute limit, it queues any remaining samples.
The Reserved Drive Space column in the following table lists the amount of drive space on the firewall that is reserved for queuing files. If the firewall reaches the drive space limit, it cancels forwarding of new files to WildFire until more space in the queue is available.

The speed at which the firewall can forward files to WildFire also depends on the bandwidth of the upload link to the WildFire systems.

Platform          Maximum Files Per Minute   Reserved Drive Space
VM-50             5                          100 MB
VM-100            5                          100 MB
VM-200            10                         200 MB
VM-300            20                         200 MB
VM-500            25                         250 MB
VM-700            30                         250 MB
PA-200            5                          100 MB
PA-220            10                         100 MB
PA-500            10                         200 MB
PA-820            30                         300 MB
PA-850            30                         300 MB
PA-3020           50                         200 MB
PA-3050/3060      50                         500 MB
PA-5000 Series    50                         500 MB
PA-5200 Series    150                        1500 MB
PA-7000 Series    100                        1 GB
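The queue-then-cancel behavior described above, worked through as an added Python example (not Palo Alto Networks code and not a description of the firewall's internal scheduler): the model takes the per-minute limit and reserved drive space from the table and replays a burst of file arrivals, so you can see in which minute files are queued and when forwarding of a file is cancelled because the reserved queue space is exhausted. FIFO order, whole-minute scheduling and the file sizes are assumptions of the model.

```python
"""Simplified model of WildFire file forwarding limits (added example, not
Palo Alto Networks code).  It replays file arrivals against the per-minute
limit and reserved drive space from the capacity table: files beyond the
per-minute limit are queued, and a file that would push the queue past the
reserved drive space has its forwarding cancelled.  FIFO order and
whole-minute scheduling are assumptions of this model, not documented
firewall internals.
"""
from collections import deque

MB = 1024 * 1024

# (maximum files per minute, reserved drive space in bytes), from the table above.
CAPACITY = {
    "VM-50": (5, 100 * MB), "VM-100": (5, 100 * MB), "VM-200": (10, 200 * MB),
    "VM-300": (20, 200 * MB), "VM-500": (25, 250 * MB), "VM-700": (30, 250 * MB),
    "PA-200": (5, 100 * MB), "PA-220": (10, 100 * MB), "PA-500": (10, 200 * MB),
    "PA-820": (30, 300 * MB), "PA-850": (30, 300 * MB), "PA-3020": (50, 200 * MB),
    "PA-3050/3060": (50, 500 * MB), "PA-5000 Series": (50, 500 * MB),
    "PA-5200 Series": (150, 1500 * MB), "PA-7000 Series": (100, 1024 * MB),
}


def simulate(model, arrivals_per_minute):
    """Replay arrivals; return one (forwarded, still_queued, cancelled) tuple per minute.

    arrivals_per_minute: list of lists, each inner list holding the sizes in
    bytes of the files that arrive during that minute (constructed input).
    """
    rate, reserved = CAPACITY[model]
    queue = deque()          # sizes of files waiting to be forwarded, oldest first
    queued_bytes = 0
    timeline = []
    for arrivals in arrivals_per_minute:
        cancelled = 0
        for size in arrivals:
            if queued_bytes + size > reserved:
                cancelled += 1           # queue full: forwarding of this file is cancelled
            else:
                queue.append(size)
                queued_bytes += size
        forwarded = 0
        while queue and forwarded < rate:  # at most `rate` files leave per minute
            queued_bytes -= queue.popleft()
            forwarded += 1
        timeline.append((forwarded, len(queue), cancelled))
    return timeline


def burst_summary(model, arrivals_per_minute):
    """Totals over the replay: (forwarded, cancelled, minutes until the queue is empty)."""
    timeline = simulate(model, arrivals_per_minute)
    forwarded = sum(t[0] for t in timeline)
    cancelled = sum(t[2] for t in timeline)
    drained = next((i + 1 for i, t in enumerate(timeline) if t[1] == 0), None)
    return forwarded, cancelled, drained


if __name__ == "__main__":
    # Constructed burst: twelve 10 MB files arrive in minute 1 on a PA-200, then nothing.
    burst = [[10 * MB] * 12, [], []]
    print(simulate("PA-200", burst))
    print(burst_summary("PA-200", burst))
```

With a PA-200 (5 files per minute, 100 MB reserved) the twelve-file burst fills the 100 MB queue after ten files, so two files are cancelled outright and the remaining ten drain over two minutes; a PA-5200 Series box absorbs a 200-file burst of 1 MB files without cancelling anything, because 200 MB fits in its 1500 MB of reserved space.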

Set Up and Manage a WildFire Appliance

The WildFire appliance can be configured as a locally hosted WildFire private cloud. The following topics describe readying the WildFire appliance to receive files for analysis, how to manage the appliance, and how to enable the appliance to locally generate threat signatures and URL categories.
  About the WildFire Appliance
  Configure the WildFire Appliance
  Set Up the WildFire Appliance VM Interface
  Enable WildFire Appliance Analysis Features
  Upgrade a WildFire Appliance


About the WildFire Appliance

The WildFire appliance provides an on-premises WildFire private cloud, enabling you to analyze suspicious files in a sandbox environment without requiring the firewall to send files out of network. To use the WildFire appliance to host a WildFire private cloud, configure the firewall to submit samples to the WildFire appliance for analysis. The WildFire appliance sandboxes all files locally and analyzes them for malicious behaviors using the same engine the WildFire public cloud uses. Within minutes, the private cloud returns analysis results to the firewall WildFire Submissions logs.

You can enable a WildFire appliance to:
- Locally generate antivirus and DNS signatures for discovered malware, and assign a URL category to malicious links. You can then enable connected firewalls to retrieve the latest signatures and URL categories every five minutes.
- Submit malware to the WildFire public cloud. The WildFire public cloud reanalyzes the sample and generates a signature to detect the malware; this signature can be made available within minutes to protect global users.
- Submit locally generated malware reports (without sending the raw sample content) to the WildFire public cloud, to contribute to malware statistics and threat intelligence.

You can configure up to 100 Palo Alto Networks firewalls, each with valid WildFire subscriptions, to forward to a single WildFire appliance. Beyond the WildFire firewall subscriptions, no additional WildFire subscription is required to enable a WildFire private cloud deployment.

You can manage WildFire appliances using the local appliance CLI, or you can centrally Manage WildFire Appliances with Panorama. Starting with PAN-OS 8.0.1, you can also group WildFire appliances into WildFire Appliance Clusters and manage the clusters locally or from Panorama.

WildFire Appliance Interfaces

The WF-500 appliances are equipped with four RJ-45 Ethernet ports located at the back of the appliance. These ports are labeled MGT, 1, 2, and 3 and correspond to specific interfaces.
The WildFire appliance has three interfaces:
- MGT: Receives all files forwarded from the firewalls and returns logs detailing the results back to the firewalls. See Configure the WildFire Appliance.
- Virtual Machine Interface (VM interface): Provides network access for the WildFire sandbox systems to enable sample files to communicate with the Internet, which allows WildFire to better analyze the behavior of the sample. When the VM interface is configured, WildFire can observe malicious behaviors that the malware would not normally perform without network access, such as phone-home activity. However, to prevent malware from entering your network from the sandbox, configure the VM interface on an isolated network with an Internet connection. You can also enable the Tor option to hide the public IP address used by your company from malicious sites that are accessed by the sample. For more information on the VM interface, see Set Up the WildFire Appliance VM Interface.
- Cluster Management Interface: Provides cluster-wide communication among the WildFire appliance nodes that are members of a WildFire appliance cluster. This is a different interface than the MGT interface for firewall operations. You can configure the Ethernet2 interface or the Ethernet3 interface (labeled 2 and 3, respectively) as the cluster management interface.


Obtain the information required to configure network connectivity on the MGT port, the VM interface, and the cluster management interface (for WildFire appliance clusters only) from your network administrator (IP address, subnet mask, gateway, hostname, DNS server). All communication between the firewalls and the appliance occurs over the MGT port, including file submissions, WildFire log delivery, and appliance administration. Therefore, ensure that the firewalls have connectivity to the MGT port on the appliance. In addition, the appliance must be able to connect to updates.paloaltonetworks.com to retrieve its operating system software updates.


Configure the WildFire Appliance

This section describes the steps required to integrate a WildFire appliance into a network and perform basic setup.

Configure the WildFire Appliance

Step 1  Rack mount and cable the WildFire appliance.
  Refer to the WildFire Appliance Hardware Reference Guide for instructions.

Step 2  Connect a computer to the appliance using the MGT or Console port and power on the appliance.
  1. Connect to the console port or the MGT port. Both are located on the back of the appliance.
     - Console Port: This is a 9-pin male serial connector. Use the following settings on the console application: 9600-8-N-1. Connect the provided cable to the serial port on the management computer or USB-to-serial converter.
     - MGT Port: This is an Ethernet RJ-45 port. By default, the MGT port IP address is 192.168.1.1. The interface on your management computer must be on the same subnet as the MGT port. For example, set the IP address on the management computer to 192.168.1.5.
  2. Power on the appliance.
     The appliance will power on as soon as you connect power to the first power supply and a warning beep will sound until you connect the second power supply. If the appliance is already plugged in and is in the shutdown state, use the power button on the front of the appliance to power on.


Step 3  Register the WildFire appliance.
  1. Obtain the serial number from the S/N tag on the appliance, or run the following command and refer to the serial field:
       admin@WF-500> show system info
  2. From a browser, navigate to the Palo Alto Networks Support Portal and log in.
  3. Register the device as follows:
     - If this is the first Palo Alto Networks device that you are registering and you do not have a login, click Register at the bottom of the page. To register, provide an email address and the serial number of the device. When prompted, set up a username and password for access to the Palo Alto Networks support community.
     - For existing accounts, log in and then click My Devices. Scroll down to the Register Device section at the bottom of the screen and enter the serial number of the device, the city and postal code, and then click Register Device.
  4. To confirm WildFire registration on the WildFire appliance, log in to the appliance with an SSH client or by using the Console port. Enter a username/password of admin/admin and enter the following command on the appliance:
       admin@WF-500> test wildfire registration
     The following output indicates that the appliance is registered with one of the Palo Alto Networks WildFire cloud servers.
       Test wildfire
         wildfire registration: successful
         download server list: successful
         select the best server: cs-s1.wildfire.paloaltonetworks.com

Step 4  Reset the admin password.
  1. Set a new password by running the command:
       admin@WF-500> set password
  2. Type the old password, press enter, and then enter and confirm the new password. Commit the configuration to ensure that the new password is saved in the event of a restart.
  3. Type exit to log out and then log back in to confirm that the new password is set.


Step 5  Configure the management interface settings.
  This example uses the following values:
    IPv4 address: 10.10.0.5/22
    Subnet Mask: 255.255.252.0
    Default Gateway: 10.10.0.1
    Hostname: wildfire-corp1
    DNS Server: 10.0.0.246
  1. Log in to the appliance with an SSH client or by using the Console port and enter configuration mode:
       admin@WF-500> configure
  2. Set the IP information:
       admin@WF-500# set deviceconfig system ip-address 10.10.0.5 netmask 255.255.252.0 default-gateway 10.10.0.1 dns-setting servers primary 10.0.0.246
     Configure a secondary DNS server by replacing primary with secondary in the above command, excluding the other IP parameters. For example:
       admin@WF-500# set deviceconfig system dns-setting servers secondary 10.0.0.247
  3. Set the hostname (wildfire-corp1 in this example):
       admin@WF-500# set deviceconfig system hostname wildfire-corp1
  4. Commit the configuration to activate the new management (MGT) port configuration:
       admin@WF-500# commit
  5. Connect the MGT interface port to a network switch.
  6. Put the management PC back on your corporate network, or whatever network is required to access the appliance on the management network.
  7. From your management computer, use an SSH client to connect to the new IP address or hostname assigned to the MGT port on the appliance. In this example, the IP address is 10.10.0.5.

Step 6  Activate the appliance with the WildFire authorization code that you received from Palo Alto Networks.
  Though it will function without an auth code, the WildFire appliance cannot retrieve software or content updates without a valid auth code.
  1. Change to operational mode:
       admin@WF-500# exit
  2. Fetch and install the WildFire license:
       admin@WF-500> request license fetch auth-code <auth-code>
  3. Verify the license:
       admin@WF-500> request support check
     Information about the support site and the support contract date is displayed. Confirm that the date displayed is valid.


Step 7  Set the WildFire appliance clock.
  There are two ways to do this. You can either manually set the date, time, and timezone, or you can configure the WildFire appliance to synchronize its local clock with a Network Time Protocol (NTP) server.
  To set the clock manually, enter the following commands:
       admin@WF-500> set clock date <YY/MM/DD> time <hh:mm:ss>
       admin@WF-500> configure
       admin@WF-500# set deviceconfig system timezone <timezone>
  The timestamp that will appear on the WildFire detailed report will use the timezone set on the appliance. If administrators in various regions will view reports, consider setting the timezone to UTC.
  To configure the WildFire appliance to synchronize with an NTP server, enter the following commands:
       admin@WF-500> configure
       admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <NTP primary server IP address>
       admin@WF-500# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <NTP secondary server IP address>
  The WildFire appliance does not prioritize the primary or secondary NTP server; it synchronizes with either server.

Step 8  (Optional for NTP configuration) Set up NTP authentication.
  Disable NTP authentication:
       admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type none
  Enable symmetric key exchange (shared secrets) to authenticate the NTP server time updates:
       admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type symmetric-key
  Continue to enter the key ID (1-65534), choose the algorithm to use in NTP authentication (MD5 or SHA1), and then enter and confirm the authentication algorithm authentication-key.
  Use autokey (public key cryptography) to authenticate the NTP server time updates:
       admin@WF-500# set deviceconfig system ntp-servers primary-ntp-server authentication-type autokey

Step 9  Choose the virtual machine image for the appliance to use to analyze files.
  The image should be based on the attributes that most accurately represent the software installed on your end-user computers. Each virtual image contains different versions of operating systems and software, such as Windows XP or Windows 7 32-bit or 64-bit and specific versions of Adobe Reader and Flash. Although you configure the appliance to use one virtual machine image configuration, the appliance uses multiple instances of the image to improve performance.
  To view a list of available virtual machines to determine which one best represents your environment:
       admin@WF-500> show wildfire vm-images
  View the current virtual machine image by running the following command and refer to the Selected VM field:
       admin@WF-500> show wildfire status
  Select the image that the appliance will use for analysis:
       admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
  For example, to use vm-1:
       admin@WF-500# set deviceconfig setting wildfire active-vm vm-1
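What the symmetric-key option in Step 8 actually protects, worked through as an added Python example (not WildFire appliance code, and not a description of how the appliance's NTP client is implemented): the appliance and the NTP server share a secret selected by a key ID in the range 1-65534, and every time packet carries a MAC consisting of that key ID followed by an MD5 or SHA1 digest over the key concatenated with the packet, as in RFC 5905. A receiver recomputes the digest with its own copy of the key and discards packets whose MAC does not match, so a spoofed or altered time update is rejected instead of being applied to the clock that timestamps every WildFire report. The NTP packet bytes and the shared key below are constructed for the example.

```python
"""NTP symmetric-key authentication, worked through in Python.

Added example, not WildFire appliance code.  Client and server share a secret
selected by a key ID (1-65534); every NTP packet carries a MAC made of that key
ID followed by MD5 or SHA1 over (key || packet), per RFC 5905.  A receiver
recomputes the digest with its copy of the key and drops any packet whose MAC
does not match.  The packet bytes and key below are constructed.
"""
import hashlib
import hmac
import struct

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
NTP_HEADER_LEN = 48

# Constructed 48-byte NTP client packet: LI=0, VN=4, Mode=3, poll 6, precision -20,
# zeroed fields except a made-up transmit timestamp in the last 8 bytes.
SAMPLE_PACKET = (struct.pack("!BBbb", 0x23, 0, 6, -20)
                 + b"\x00" * 36
                 + struct.pack("!Q", 0xDBF3A4E200000000))

# Constructed key table as a receiver would hold it: key ID -> shared secret.
KEYS = {42: b"constructed-shared-secret"}


def ntp_mac(key_id, algorithm, key, packet):
    """Return the 4-byte big-endian key ID followed by digest(key || packet)."""
    if not 1 <= key_id <= 65534:
        raise ValueError("key ID must be in the range 1-65534")
    digest = DIGESTS[algorithm](key + packet).digest()
    return struct.pack("!I", key_id) + digest


def authenticate(key_id, algorithm, key, packet):
    """Append the MAC to an NTP header, producing the on-the-wire message."""
    return packet + ntp_mac(key_id, algorithm, key, packet)


def verify(keys, algorithm, message):
    """Check an authenticated NTP message against the receiver's key table.

    Returns True only if the message carries a MAC, the key ID is known, and
    the digest recomputed with that key matches (constant-time comparison).
    """
    mac_len = 4 + DIGESTS[algorithm]().digest_size
    if len(message) < NTP_HEADER_LEN + mac_len:
        return False                     # unauthenticated packet: reject
    packet, mac = message[:-mac_len], message[-mac_len:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = keys.get(key_id)
    if key is None:
        return False                     # unknown key ID: reject
    expected = DIGESTS[algorithm](key + packet).digest()
    return hmac.compare_digest(expected, mac[4:])


def tamper(message, offset):
    """Flip one bit of a message, standing in for an on-path modification (constructed)."""
    altered = bytearray(message)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    msg = authenticate(42, "MD5", KEYS[42], SAMPLE_PACKET)
    print("genuine:", verify(KEYS, "MD5", msg))
    print("altered transmit timestamp:", verify(KEYS, "MD5", tamper(msg, 40)))
    print("no MAC at all:", verify(KEYS, "MD5", SAMPLE_PACKET))
```

The `authentication-type none` setting corresponds to the third case: the appliance would accept the bare 48-byte header from anyone who can answer its NTP query, which is why the guide offers the shared-key and autokey options for the clock that stamps every report.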


Step 10  Enable the WildFire appliance to observe malicious behaviors where the file being analyzed seeks network access.
  Set Up the WildFire Appliance VM Interface.

Step 11  (Optional) Enable the WildFire appliance to perform quick verdict lookups and synchronize verdicts with the WildFire global cloud.
  The following CLI command enables the WildFire appliance to perform verdict lookups and synchronize verdicts with the WildFire global cloud. This feature is disabled by default; set the command to yes to enable the feature.
       admin@WF-500# set deviceconfig setting wildfire cloud-intelligence cloud-query yes | no

Step 12  (Optional) Enable the WildFire appliance to get daily Palo Alto Networks content updates to facilitate and improve malware analysis.
  Enable WildFire Appliance Analysis Features.

Step 13  (Optional) Enable the WildFire appliance to generate DNS and antivirus signatures and URL categories, and to distribute new signatures and URL categorizations to connected firewalls.
  Enable Local Signature and URL Category Generation.

Step 14  (Optional) Automatically submit malware the WildFire private cloud discovers to the WildFire public cloud, to support global protection against the malware.
  Submit Malware to the WildFire Public Cloud.

Step 15  (Optional) If you do not want to forward malware samples outside of the WildFire private cloud, instead submit WildFire analysis reports to the WildFire public cloud.
  If you do not want to submit locally discovered malware to the WildFire public cloud, it is a best practice to enable malware analysis report submissions to improve and refine WildFire threat intelligence.
  Submit Analysis Reports to the WildFire Public Cloud.

Step 16  (Optional) Allow additional users to manage the WildFire appliance.
  You can assign two role types: superuser and superreader. Superuser is equivalent to the admin account, and superreader only has read access.
  In this example, you will create a superreader account for the user bsimpson:
  1. Enter configuration mode:
       admin@WF-500> configure
  2. Create the user account:
       admin@WF-500# set mgt-config users bsimpson <password>
  3. Enter and confirm a new password.
  4. Assign the superreader role:
       admin@WF-500# set mgt-config users bsimpson permissions role-based superreader yes


Step 17  Configure RADIUS authentication for administrator access.
  1. Create a RADIUS profile using the following options:
       admin@WF-500# set shared server-profile radius <profile-name>
     (Configure the RADIUS server and other attributes.)
  2. Create an authentication profile:
       admin@WF-500# set shared authentication-profile <profile-name> method radius server-profile <server-profile-name>
  3. Assign the profile to a local admin account:
       admin@WF-500# set mgt-config users <username> authentication-profile <authentication-profile-name>


Set Up the WildFire Appliance VM Interface

The virtual machine interface (VM interface) provides external network connectivity from the sandbox virtual machines in the WildFire appliance to enable observation of malicious behaviors in which the file being analyzed seeks network access. The following sections describe the VM interface and the steps required for configuring it. You can optionally enable the Tor feature with the VM interface, which will mask any malicious traffic sent from the WildFire appliance through the VM interface, so the malware sites that the traffic may be sent to cannot detect your public-facing IP address.
This section also describes the steps required to connect the VM interface to a dedicated port on a Palo Alto Networks firewall to enable Internet connectivity.
  Virtual Machine Interface Overview
  Configure the VM Interface on the WildFire Appliance
  Connect the Firewall to the WildFire Appliance VM Interface

Virtual Machine Interface Overview

The VM interface (labeled 1 on the back of the appliance) is used by WildFire to improve malware detection capabilities. The interface allows a sample running on the WildFire virtual machines to communicate with the Internet so that the WildFire appliance can better analyze the behavior of the sample file to determine if it exhibits characteristics of malware.

While it is recommended that you enable the VM interface, it is very important that you do not connect the interface to a network that allows access to any of your servers/hosts, because malware that runs in the WildFire virtual machines could potentially use this interface to propagate itself.
This connection can be a dedicated DSL line or a network connection that only allows direct access from the VM interface to the Internet and restricts any access to internal servers/client hosts.

The following illustration shows two options for connecting the VM interface to the network.


Virtual Machine Interface Example

- Option 1 (recommended): Connect the VM interface to an interface in a dedicated zone on a firewall that has a policy that only allows access to the Internet. This is important because malware that runs in the WildFire virtual machines can potentially use this interface to propagate itself. This is the recommended option because the firewall logs will provide visibility into any traffic that is generated by the VM interface.
- Option 2: Use a dedicated Internet provider connection, such as a DSL, to connect the VM interface to the Internet. Ensure that there is no access from this connection to internal servers/hosts. Although this is a simple solution, traffic generated by the malware out the VM interface will not be logged unless you place a firewall or a traffic monitoring tool between the WildFire appliance and the DSL connection.

Configure the VM Interface on the WildFire Appliance

This section describes the steps required to configure the VM interface on the WildFire appliance using the Option 1 configuration detailed in the Virtual Machine Interface Example. After configuring the VM interface using this option, you must also configure an interface on a Palo Alto Networks firewall through which traffic from the VM interface is routed, as described in Connect the Firewall to the WildFire Appliance VM Interface.
By default, the VM interface has the following settings:
  IP Address: 192.168.2.1
  Netmask: 255.255.255.0
  Default Gateway: 192.168.2.254
  DNS: 192.168.2.254


If you plan on enabling this interface, configure it with the appropriate settings for your network. If you do not plan on using this interface, leave the default settings. Note that this interface must have network values configured or a commit failure will occur.

Configure the VM Interface

Step 1  Set the IP information for the VM interface on the WildFire appliance.
  The following settings are used in this example:
    IPv4 address: 10.16.0.20/22
    Subnet Mask: 255.255.252.0
    Default Gateway: 10.16.0.1
    DNS Server: 10.0.0.246
  The VM interface cannot be on the same network as the management interface (MGT).
  1. Enter configuration mode:
       admin@WF-500> configure
  2. Set the IP information for the VM interface:
       admin@WF-500# set deviceconfig system vm-interface ip-address 10.16.0.20 netmask 255.255.252.0 default-gateway 10.16.0.1 dns-server 10.0.0.246
     You can only configure one DNS server on the VM interface. As a best practice, use the DNS server from your ISP or an open DNS service.

Step 2  Enable the VM interface.
  1. Enable the VM interface:
       admin@WF-500# set deviceconfig setting wildfire vm-network-enable yes
  2. Commit the configuration:
       admin@WF-500# commit

Step 3  Test connectivity of the VM interface.
  Ping a system and specify the VM interface as the source. For example, if the VM interface IP address is 10.16.0.20, run the following command, where ip-or-hostname is the IP or hostname of a server/network that has ping enabled:
       admin@WF-500> ping source 10.16.0.20 host ip-or-hostname
  For example:
       admin@WF-500> ping source 10.16.0.20 host 10.16.0.1

Step 4  (Optional) Send any malicious traffic that the malware generates to the Internet through the Tor network.
  The Tor network masks your public-facing IP address, so the owners of the malicious site cannot determine the source of the traffic.
  1. Enable the Tor network:
       admin@WF-500# set deviceconfig setting wildfire vm-network-use-tor
  2. Commit the configuration:
       admin@WF-500# commit

Step 5  Connect the Firewall to the WildFire Appliance VM Interface.

Connect the Firewall to the WildFire Appliance VM Interface

The following example workflow describes how to connect the VM interface to a port on a Palo Alto Networks firewall. Before connecting the VM interface to the firewall, the firewall must already have an Untrust zone connected to the Internet. In this example, you configure a new zone named wf-vm-zone that will contain the interface used to connect the VM interface on the appliance to the firewall. The policy associated with the wf-vm-zone will only allow communication from the VM interface to the Untrust zone.


Configure the Firewall to Control Traffic for the WildFire Appliance VM Interface

Step 1  Configure the interface on the firewall that the VM interface will connect to and set the virtual router.
  The wf-vm-zone should only contain the interface (ethernet1/3 in this example) used to connect the VM interface on the appliance to the firewall. This is done to avoid having any traffic generated by the malware from reaching other networks.
  1. From the web interface on the firewall, select Network > Interfaces and then select an interface, for example Ethernet1/3.
  2. In the Interface Type drop-down, select Layer3.
  3. On the Config tab, from the Security Zone drop-down box, select New Zone.
  4. In the Zone dialog Name field, enter wf-vm-zone and click OK.
  5. In the Virtual Router drop-down box, select default.
  6. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.16.0.0/22.
  7. To save the interface configuration, click OK.

Step 2  Create a security policy on the firewall to allow access from the VM interface to the Internet and block all incoming traffic.
  In this example, the policy name is WildFire VM Interface. Because you will not create a security policy from the Untrust zone to the wf-vm-zone, all inbound traffic is blocked by default.
  1. Select Policies > Security and click Add.
  2. In the General tab, enter a Name.
  3. In the Source tab, set the Source Zone to wf-vm-zone.
  4. In the Destination tab, set the Destination Zone to Untrust.
  5. In the Application and Service/URL Category tabs, leave the default as Any.
  6. In the Actions tab, set the Action Setting to Allow.
  7. Under Log Setting, select the Log at Session End check box.
  If there are concerns that someone might inadvertently add other interfaces to the wf-vm-zone, clone the WildFire VM Interface security policy and then, in the Action tab for the cloned rule, select Deny. Make sure this new security policy is listed below the WildFire VM Interface policy. This will override the implicit intrazone allow rule that allows communications between interfaces in the same zone and will deny/block all intrazone communication.

Step 3  Connect the cables.
  Physically connect the VM interface on the WildFire appliance to the port you configured on the firewall (Ethernet1/3 in this example) using a straight-through RJ-45 cable. The VM interface is labeled 1 on the back of the appliance.

Step 4  Verify that the VM interface is transmitting and receiving traffic.
  1. View the VM interface settings:
       admin@WF-500> show interface vm-interface
  2. Verify that received/transmitted counters are incrementing. You can run the following command to generate ping traffic from the VM interface to an external device:
       admin@WF-500> ping source <vm-interface-ip> host <gateway-ip>
     For example:
       admin@WF-500> ping source 10.16.0.20 host 10.16.0.1
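The policy reasoning in Step 2 of the procedure above (why inbound traffic is blocked without an explicit rule, and why a deny rule placed below the allow rule is needed to close the intrazone gap), checked with a small first-match model in Python. This is an added example, not PAN-OS code: it reproduces only the ordering rule (top to bottom, first match wins) and the two default rules the guide relies on (intrazone allow, interzone deny). Rule and zone names come from the procedure; the flows, the "Trust" zone, and the cloned rule's destination of any are constructed assumptions, since the note does not state which zones the clone should match.

```python
"""First-match model of the wf-vm-zone security policy (added example, not PAN-OS code).

Rules are evaluated top to bottom and the first match wins; with no match the
firewall's default rules apply: traffic within one zone (intrazone) is allowed,
traffic between zones (interzone) is denied.  Rule and zone names come from the
procedure above; the flows are constructed.  The cloned deny rule from the note
is modelled with destination 'any' (assumption; the note does not say).
"""

ALLOW, DENY = "allow", "deny"


def evaluate(rules, src_zone, dst_zone):
    """Return (rule_name, action) chosen for a flow between two zones."""
    for rule in rules:
        if rule["from"] in ("any", src_zone) and rule["to"] in ("any", dst_zone):
            return rule["name"], rule["action"]
    if src_zone == dst_zone:
        return "intrazone-default", ALLOW      # implicit intrazone allow
    return "interzone-default", DENY           # implicit interzone deny


def intrazone_leak(rules, zone="wf-vm-zone"):
    """True if two interfaces mistakenly placed in `zone` could reach each other."""
    return evaluate(rules, zone, zone)[1] == ALLOW


# Step 2 as written: one allow rule from wf-vm-zone to Untrust.
BASE_RULES = [
    {"name": "WildFire VM Interface", "from": "wf-vm-zone", "to": "Untrust", "action": ALLOW},
]

# The note's hardening: a cloned rule with Action Deny placed below the allow rule
# (destination 'any' is an assumption of this model).
HARDENED_RULES = BASE_RULES + [
    {"name": "WildFire VM Interface (deny clone)", "from": "wf-vm-zone", "to": "any", "action": DENY},
]

# Constructed flows: sandbox VM out to the Internet, the Internet back in, two
# interfaces inside the zone, and an attempt to reach a constructed "Trust" zone.
FLOWS = [
    ("wf-vm-zone", "Untrust"),
    ("Untrust", "wf-vm-zone"),
    ("wf-vm-zone", "wf-vm-zone"),
    ("wf-vm-zone", "Trust"),
]


def audit(rules, flows=FLOWS):
    """Map each (src, dst) flow to the (rule_name, action) the policy would apply."""
    return {flow: evaluate(rules, *flow) for flow in flows}


if __name__ == "__main__":
    for label, rules in (("as written", BASE_RULES), ("with deny clone", HARDENED_RULES)):
        print(label)
        for flow, decision in audit(rules).items():
            print("  %-28s -> %s" % (" -> ".join(flow), decision))
```

Running it shows the two facts the guide states: with only the allow rule, Untrust to wf-vm-zone already falls to the interzone default deny, but wf-vm-zone to wf-vm-zone falls to the intrazone default allow; the deny clone below the allow rule is what catches that intrazone case while leaving the Internet-bound traffic allowed.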


Enable WildFire Appliance Analysis Features

  Set Up WildFire Appliance Content Updates
  Enable Local Signature and URL Category Generation
  Submit Locally Discovered Malware or Reports to the WildFire Public Cloud

Set Up WildFire Appliance Content Updates

Configure daily content updates for the WildFire appliance. WildFire content updates provide the appliance with threat intelligence to facilitate accurate malware detection, improve appliance capability to differentiate malicious samples from benign samples, and ensure that the appliance has the most recent information needed to generate signatures.
  Install WildFire Content Updates Directly from the Update Server
  Install WildFire Content Updates from an SCP-Enabled Server

Install WildFire Content Updates Directly from the Update Server

Install Threat Intelligence Content Updates Directly from the Update Server

Step 1  Verify connectivity from the appliance to the update server and identify the content update to install.
  1. Log in to the WildFire appliance and run the following command to display the current content version:
       admin@WF-500> show system info | match wf-content-version
  2. Confirm that the appliance can communicate with the Palo Alto Networks Update Server and view available updates:
       admin@WF-500> request wf-content upgrade check
     The command queries the Palo Alto Networks Update Server and provides information about available updates and identifies the version that is currently installed on the appliance.
       Version   Size   Released on               Downloaded   Installed
       ---------------------------------------------------------
       2-253     57MB   2014/09/20 20:00:08 PDT   no           no
       2-39      44MB   2014/02/12 14:04:27 PST   yes          current
     If the appliance cannot connect to the update server, you will need to allow connectivity from the appliance to the Palo Alto Networks Update Server (updates.paloaltonetworks.com), or download and install the update using SCP as described in Install WildFire Content Updates from an SCP-Enabled Server.


Step 2  Download and install the latest content update.
  1. Download the latest content update:
       admin@WF-500> request wf-content upgrade download latest
  2. View the status of the download:
       admin@WF-500> show jobs all
     You can run show jobs pending to view pending jobs. The following output shows that the download (job id 5) has finished downloading (Status FIN):
       Enqueued              ID   Type     Status   Result   Completed
       ---------------------------------------------------------
       2014/04/22 03:42:20   5    Downld   FIN      OK       03:42:23
  3. After the download is complete, install the update:
       admin@WF-500> request wf-content upgrade install version latest
     Run the show jobs all command again to monitor the status of the install.

Step 3  Verify the content update.
  Run the following command and refer to the wf-content-version field:
       admin@WF-500> show system info
  The following shows an example output with content update version 2-253 installed:
       admin@WF-500> show system info
       hostname: WildFire
       ip-address: 10.5.164.245
       netmask: 255.255.255.0
       default-gateway: 10.5.164.1
       mac-address: 00:25:90:c3:ed:56
       vm-interface-ip-address: 192.168.2.2
       vm-interface-netmask: 255.255.255.0
       vm-interface-default-gateway: 192.168.2.1
       vm-interface-dns-server: 192.168.2.1
       time: Mon Apr 21 09:59:07 2014
       uptime: 17 days, 23:19:16
       family: m
       model: WildFire
       serial: abcd3333
       sw-version: 6.1.0
       wf-content-version: 2-253
       wfm-release-date: 2014/08/20 20:00:08
       logdb-version: 6.1.2
       platform-family: m

Step 4  (Optional) Schedule content updates to be installed on a daily or weekly basis.
  1. Schedule the appliance to download and install content updates:
       admin@WF-500# set deviceconfig system update-schedule wf-content recurring [daily | weekly] action [download-and-install | download-only]
     For example, to download and install updates daily at 8:00 am:
       admin@WF-500# set deviceconfig system update-schedule wf-content recurring daily action download-and-install at 08:00
  2. Commit the configuration:
       admin@WF-500# commit


Install WildFire Content Updates from an SCP-Enabled Server

The following procedure describes how to install threat intelligence content updates on a WildFire appliance that does not have direct connectivity to the Palo Alto Networks Update Server. You will need a Secure Copy (SCP)-enabled server to temporarily store the content update.

Install Threat Intelligence Content Updates from an SCP-Enabled Server

Step 1  Retrieve the content update file from the update server.
  1. Log in to the Palo Alto Networks Support Portal and click Dynamic Updates.
  2. In the WildFire Appliance section, locate the latest WildFire appliance content update and download it.
  3. Copy the content update file to an SCP-enabled server and note the file name and directory path.

Step 2  Install the content update on the WildFire appliance.
  1. Log in to the WildFire appliance and download the content update file from the SCP server:
       admin@WF-500> scp import wf-content from username@host:path
     For example:
       admin@WF-500> scp import wf-content from bart@10.10.10.5:c:/updates/panup-all-wfmeta-2-253.tgz
     If your SCP server is running on a non-standard port or if you need to specify the source IP, you can also define those options in the scp import command.
  2. Install the update:
       admin@WF-500> request wf-content upgrade install file panup-all-wfmeta-2-253.tgz
  3. View the status of the installation:
       admin@WF-500> show jobs all

Step 3  Verify the content update.
  Verify the content version:
       admin@WF-500> show system info | match wf-content-version
  The following output now shows version 2-253:
       wf-content-version: 2-253
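Both content-update procedures above (direct from the update server, and via an SCP-enabled server) end with the same verification: read the wf-content-version field and compare it with what the update server offers. The following added Python example (not part of this guide or of PAN-OS) does that check on captured CLI output, as an operator script would after collecting it over SSH. The sample outputs are excerpts of the ones printed in the procedures (`show system info`, `request wf-content upgrade check`, `show jobs all`); the "before" system-info excerpt with version 2-39 is constructed from the check output, which lists 2-39 as current. The point worth seeing is the version comparison: content versions such as 2-253 must be compared numerically, because as strings "2-39" sorts after "2-253" and a string comparison would report an out-of-date appliance as current.

```python
"""Parse WildFire appliance CLI output to decide whether a content update is due.

Added example, not part of the guide or of PAN-OS.  It only reads the output
of the CLI commands shown above.  Sample outputs are excerpts of those printed
in the procedures; SYSTEM_INFO_BEFORE is constructed to show the 2-39 state.
"""
import re

SYSTEM_INFO_BEFORE = """\
hostname: WildFire
sw-version: 6.1.0
wf-content-version: 2-39
"""

SYSTEM_INFO_AFTER = """\
hostname: WildFire
sw-version: 6.1.0
wf-content-version: 2-253
wfm-release-date: 2014/08/20 20:00:08
"""

UPGRADE_CHECK = """\
Version   Size   Released on               Downloaded   Installed
---------------------------------------------------------
2-253     57MB   2014/09/20 20:00:08 PDT   no           no
2-39      44MB   2014/02/12 14:04:27 PST   yes          current
"""

JOBS = """\
Enqueued              ID   Type     Status   Result   Completed
---------------------------------------------------------
2014/04/22 03:42:20   5    Downld   FIN      OK       03:42:23
"""


def version_key(version):
    """'2-253' -> (2, 253), so that versions compare numerically, not as strings."""
    major, minor = version.split("-")
    return (int(major), int(minor))


def installed_version(system_info):
    """Return the wf-content-version field from `show system info` output."""
    match = re.search(r"^wf-content-version:\s*(\S+)", system_info, re.MULTILINE)
    if not match:
        raise ValueError("wf-content-version field not found")
    return match.group(1)


def available_versions(check_output):
    """Parse the rows of `request wf-content upgrade check` into dicts."""
    rows = []
    for line in check_output.splitlines()[2:]:       # skip header and rule line
        parts = line.split()
        if len(parts) < 7:
            continue
        rows.append({
            "version": parts[0],
            "size": parts[1],
            "released": " ".join(parts[2:5]),          # date, time, zone
            "downloaded": parts[5] == "yes",
            "installed": parts[6],
        })
    return rows


def update_needed(system_info, check_output):
    """Return (installed, latest) if a newer content version is available, else None."""
    installed = installed_version(system_info)
    latest = max((row["version"] for row in available_versions(check_output)),
                 key=version_key)
    if version_key(latest) > version_key(installed):
        return installed, latest
    return None


def job_finished_ok(jobs_output, job_id):
    """True if the `show jobs all` row for job_id shows Status FIN and Result OK."""
    for line in jobs_output.splitlines()[2:]:
        parts = line.split()
        if len(parts) >= 6 and parts[2] == str(job_id):
            return parts[4] == "FIN" and parts[5] == "OK"
    return False


if __name__ == "__main__":
    print("before install:", update_needed(SYSTEM_INFO_BEFORE, UPGRADE_CHECK))
    print("download job 5 finished:", job_finished_ok(JOBS, 5))
    print("after install:", update_needed(SYSTEM_INFO_AFTER, UPGRADE_CHECK))
```

The same parsers work for output captured from either procedure, since both end in `show system info | match wf-content-version`; only the source of the update file differs.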

Enable Local Signature and URL Category Generation

The WildFire appliance can generate signatures locally based on the samples received from connected firewalls and the WildFire API, as an alternative to sending malware to the public cloud for signature generation. The appliance can generate the following types of signatures for the firewalls to use to block malware and any associated command-and-control traffic:
- Antivirus signatures: Detect and block malicious files. WildFire adds these signatures to WildFire and Antivirus content updates.
- DNS signatures: Detect and block callback domains for command-and-control traffic associated with malware. WildFire adds these signatures to WildFire and Antivirus content updates.
- URL categories: Categorize callback domains as malware and update the URL category in PAN-DB.


Configure the firewalls to retrieve the signatures generated by the WildFire appliance as frequently as every five minutes. You can also send the malware sample to the WildFire public cloud, in order to enable the signature to be distributed globally through Palo Alto Networks content releases.

Even if you're using the WildFire appliance for local file analysis, you can also enable connected firewalls to receive the latest signatures distributed by the WildFire public cloud.

Enable the WildFire Appliance to Generate and Distribute Signatures and URL Categories

Step 1  Set Up WildFire Appliance Content Updates.
  This allows the WildFire appliance to receive the latest threat intelligence from Palo Alto Networks.

Step 2  Enable signature and URL category generation.
  1. Log in to the appliance and type configure to enter configuration mode.
  2. Enable all threat prevention options:
       admin@WF-500# set deviceconfig setting wildfire signature-generation av yes dns yes url yes
  3. Commit the configuration:
       admin@WF-500# commit
  You can display the status of a signature for signatures generated in the WildFire 8.0.1 or later environment using the following operational-mode command:
       admin@WF-500> show wildfire global signature-status sha256 equal <sha-256 value>
  WildFire appliances cannot display the status for signatures generated before the upgrade to WildFire 8.0.1.

Step3 Setthescheduleforconnectedfirewalls FormultiplefirewallsmanagedbyPanorama:


toretrievethesignaturesandURL LaunchPanoramaandselectPanorama > Device Deployment >
categoriestheWildFireappliance Dynamic Updates,clickSchedules,andAddscheduledcontent
generates. updatesformanageddevices.
Itisabestpracticetoconfigure FordetailsonusingPanoramatosetupmanagedfirewallsto
yourfirewallstoretrievecontent receivesignaturesandURLcategoriesfromaWildFireappliance,
updatesfromboththeWildFire seeScheduleContentUpdatestoDevicesUsingPanorama.
publiccloudandWildFire Forasinglefirewall:
appliance.Thisensuresthatyour
a. LogintothefirewallwebinterfaceandselectDevice >
firewallsreceivesignaturesbased
Dynamic Updates.
onthreatsdetectedworldwide,
inadditiontothesignatures ForfirewallsconfiguredtoforwardfilestoaWildFire
generatedbythelocalappliance. appliance(ineitheraWildFireprivatecloudorhybridcloud
deployment),theWFPrivatesectionisdisplayed.
b. SettheScheduleforthefirewalltodownloadandinstall
contentupdatesfromtheWildFireappliance.


Submit Locally Discovered Malware or Reports to the WildFire Public Cloud

Enable the WildFire appliance to automatically submit malware samples to the WildFire public cloud. The WildFire public cloud further analyzes the malware and generates a signature to identify the sample. The signature is then added to WildFire signature updates and distributed to global users to prevent future exposure to the threat. If you do not want to forward malware samples outside of your network, you can instead choose to submit only WildFire reports for the malware discovered on your network, in order to contribute to and refine WildFire statistics and threat intelligence.

Enable the WildFire Appliance to Submit Malware or Reports to the WildFire Public Cloud

Submit Malware to the WildFire Public Cloud.
  1. Execute the following CLI command from the WildFire appliance to enable the appliance to automatically submit malware samples to the WildFire public cloud, then commit the configuration:
    admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
  If the firewall that originally submitted the sample for WildFire private cloud analysis has packet captures (PCAPs) enabled, the PCAPs for the malware will also be forwarded to the WildFire public cloud. Consider whether those captures may contain session data you do not want to leave your network before enabling this option.
  2. Go to the WildFire portal to view analysis reports for malware automatically submitted to the WildFire public cloud. When malware is submitted to the WildFire public cloud, the public cloud generates a new analysis report for the sample.

Submit Analysis Reports to the WildFire Public Cloud.
  To automatically submit malware reports to the WildFire public cloud (and not the malware sample), execute the following CLI command on the WildFire appliance, then commit the configuration:
    admin@WF-500# set deviceconfig setting wildfire cloud-intelligence submit-report yes
  If you have enabled the WildFire appliance to automatically submit malware to the WildFire public cloud, you do not need to enable this option; the WildFire public cloud will generate a new analysis report for the sample.
  Reports submitted to the WildFire public cloud cannot be viewed on the WildFire portal. The WildFire portal displays only WildFire public cloud reports.

Verify Malware and Report Submission Settings.
  Check to confirm that cloud intelligence is enabled to either submit malware or submit reports to the WildFire public cloud by running the following command:
    admin@WF-500> show wildfire status
  Refer to the Submit sample and Submit report fields.


Upgrade a WildFire Appliance

Use the following workflow to upgrade the WildFire appliance operating system. If you want to upgrade an appliance that is part of a WildFire cluster, see Upgrade WildFire Appliances in a Cluster. The appliance can only use one environment at a time to analyze samples, so after upgrading the appliance, review the list of available VM images and then choose the image that best fits your environment. In the case of Windows 7, if your environment has a mix of Windows 7 32-bit and Windows 7 64-bit systems, it is recommended that you choose the Windows 7 64-bit image, so WildFire will analyze both 32-bit and 64-bit PE files. Although you configure the appliance to use one virtual machine image configuration, the appliance uses multiple instances of the image to perform file analyses.
Depending on the number of samples the WildFire appliance has analyzed and stored, the time required to upgrade the appliance software varies; this is because upgrading requires the migration of all malware samples and 14 days of benign samples. Allow 30 to 60 minutes to upgrade a WildFire appliance that you have used in a production environment.

Upgrade the WildFire Appliance to PAN-OS 8.0

Step 1 If you're setting up a WildFire appliance for the first time, start by configuring the WildFire appliance.

Step 2 Temporarily suspend sample analysis.
  1. Stop firewalls from forwarding any new samples to the WildFire appliance.
    a. Log in to the firewall web interface.
    b. Select Device > Setup > WildFire and edit General Settings.
    c. Clear the WildFire Private Cloud field.
    d. Click OK and Commit.
  2. Confirm that analysis for samples the firewalls already submitted to the appliance is complete:
    admin@WF-500> show wildfire latest samples
  If you do not want to wait for the WildFire appliance to finish analyzing recently submitted samples, you can continue to the next step. However, consider that the WildFire appliance then drops pending samples from the analysis queue.

Step 3 Install the latest WildFire appliance content update. These updates equip the appliance with the latest threat information to accurately detect malware.
    admin@WF-500> request wf-content upgrade install version latest

Step 4 Download the target PAN-OS 8.0 release to the WildFire appliance.
  You cannot skip any major release versions when upgrading the WildFire appliance. For example, if you want to upgrade from PAN-OS 6.1 to PAN-OS 7.1, you must first download and install PAN-OS 7.0.
  The examples in this procedure demonstrate how to upgrade to PAN-OS 8.0.2. Replace 8.0.2 with the appropriate target release for your upgrade.
  Download the PAN-OS 8.0.2 version:
    admin@WF-500> request system software download version 8.0.2
  To check the status of the download, use the following command:
    admin@WF-500> show jobs all

Step 5 Confirm that all services are running.
    admin@WF-500> show system software status


Step 6 Install the PAN-OS 8.0 release.
    admin@WF-500> request system software install version 8.0.2

Step 7 Complete the software upgrade.
  1. Confirm that the upgrade is complete. Run the following command and look for the job type Install and status FIN:
    admin@WF-500> show jobs all

    Enqueued Dequeued ID Type    Status Result Completed
    ----------------------------------------------------
    14:53:15 14:53:15 5  Install FIN    OK     14:53:19
  2. Restart the appliance:
    admin@WF-500> request restart system
  The upgrade process could take 10 minutes or over an hour, depending on the number of samples stored on the WildFire appliance.

Step 8 Check that the WildFire appliance is ready to resume sample analysis.
  1. Verify that the sw-version field shows 8.0.2:
    admin@WF-500> show system info | match sw-version
  2. Confirm that all processes are running:
    admin@WF-500> show system software status
  3. Confirm that the autocommit (AutoCom) job is complete:
    admin@WF-500> show jobs all

Step 9 (Optional) Enable the VM image the WildFire appliance uses to perform analysis. Each available VM image represents a single operating system, and supports several different analysis environments based on that operating system.
  If your network environment has a mix of Windows 7 32-bit and Windows 7 64-bit systems, it is recommended that you choose the Windows 7 64-bit image, so WildFire will analyze both 32-bit and 64-bit PE files.
  View the active virtual machine image by running the following command and refer to the Selected VM field:
    admin@WF-500> show wildfire status
  View a list of available virtual machine images:
    admin@WF-500> show wildfire vm-images
  The following output shows that vm-5 is the Windows 7 64-bit image:
    vm-5
    Windows 7 64bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010 and earlier
  Set the image to be used for analysis:
    admin@WF-500# set deviceconfig setting wildfire active-vm <vm-image-number>
  For example, to use vm-5, run the following command:
    admin@WF-500# set deviceconfig setting wildfire active-vm vm-5
  And commit the configuration:
    admin@WF-500# commit

Step 10 Next steps:
  Re-enable the WildFire Private Cloud setting that you cleared in Step 2 (Device > Setup > WildFire > General Settings) on each firewall and Commit, so that the firewalls resume forwarding samples to the appliance.
  (Optional) Upgrade firewalls to PAN-OS 8.0. See the firewall upgrade instructions included in the PAN-OS 8.0 New Features Guide. Firewalls running earlier releases than PAN-OS 8.0 can continue to forward samples to a WildFire appliance running PAN-OS 8.0.
  (Troubleshooting) If you notice data migration issues or an error following the upgrade, restart the WildFire appliance to restart the upgrade process. Restarting the WildFire appliance will not cause data loss.
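The no-skip rule in Step 4 and the job and version checks in Steps 7 and 8 are easy to misread when the job table is long, so the following is an added Python example (not Palo Alto Networks code) that parses pasted `show jobs all` and `show system info` output and computes the upgrade path without skipping feature releases. The ordered release list FEATURE_RELEASES, the key/value parsing and the sample outputs are assumptions constructed for illustration; the job table layout follows the one shown in Step 7.

```python
"""Check a WildFire appliance upgrade from captured CLI output.

Added example, not Palo Alto Networks code. The input text is what an operator
pastes from `show jobs all` and `show system info` on the WF-500 CLI. The
sample outputs are constructed to match the column layout shown in Step 7,
and FEATURE_RELEASES is an assumed release train for illustration.
"""
from typing import Dict, List, Tuple

# Assumed ordered list of feature (major.minor) releases for the appliance.
# Check it against the release notes for your platform before relying on it.
FEATURE_RELEASES = ["6.0", "6.1", "7.0", "7.1", "8.0"]


def feature(version: str) -> str:
    """'8.0.2' -> '8.0' (major.minor of a PAN-OS style version string)."""
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a PAN-OS style version: {version!r}")
    return ".".join(parts[:2])


def upgrade_path(current: str, target: str,
                 releases: List[str] = FEATURE_RELEASES) -> List[str]:
    """Ordered releases to install so that no feature release is skipped.

    Intermediate releases are listed as major.minor; the last entry is the
    exact target, e.g. upgrade_path('6.1.3', '8.0.2') -> ['7.0', '7.1', '8.0.2'].
    """
    cur, tgt = releases.index(feature(current)), releases.index(feature(target))
    if tgt < cur:
        raise ValueError("target is older than the running release")
    if tgt == cur:
        return [] if current == target else [target]
    return releases[cur + 1:tgt] + [target]


def parse_jobs(text: str) -> List[Dict[str, str]]:
    """Parse the `show jobs all` table (Enqueued Dequeued ID Type Status Result Completed)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    jobs = []
    for ln in lines[1:]:
        if set(ln) <= {"-"}:          # dashed separator row
            continue
        fields = ln.split()
        if len(fields) != len(header):
            continue                  # not a complete job row; treated as not finished
        jobs.append(dict(zip(header, fields)))
    return jobs


def job_finished(jobs: List[Dict[str, str]], job_type: str) -> bool:
    """True when the newest job of job_type shows Status FIN and Result OK."""
    matching = [j for j in jobs if j["Type"] == job_type]
    if not matching:
        return False
    newest = max(matching, key=lambda j: int(j["ID"]))
    return newest["Status"] == "FIN" and newest["Result"] == "OK"


def parse_key_values(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines such as the output of `show system info`."""
    out: Dict[str, str] = {}
    for ln in text.splitlines():
        if ":" in ln:
            key, value = ln.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def ready_for_analysis(system_info: str, jobs_output: str,
                       target: str) -> Tuple[bool, List[str]]:
    """Apply the Step 7 and Step 8 checks: Install FIN OK, sw-version, AutoCom FIN OK."""
    problems = []
    info = parse_key_values(system_info)
    jobs = parse_jobs(jobs_output)
    if info.get("sw-version") != target:
        problems.append(f"sw-version is {info.get('sw-version')!r}, expected {target!r}")
    if not job_finished(jobs, "Install"):
        problems.append("no Install job with status FIN and result OK")
    if not job_finished(jobs, "AutoCom"):
        problems.append("autocommit (AutoCom) job has not finished successfully")
    return (not problems), problems


# Constructed sample output in the column layout shown in Step 7.
SAMPLE_JOBS = """\
Enqueued Dequeued ID Type    Status Result Completed
----------------------------------------------------
14:53:15 14:53:15 5  Install FIN    OK     14:53:19
15:10:02 15:10:02 6  AutoCom FIN    OK     15:11:40
"""
SAMPLE_SYSTEM_INFO = "sw-version: 8.0.2\nwf-content-version: 2-253\n"

if __name__ == "__main__":
    print(upgrade_path("6.1.3", "8.0.2"))
    print(ready_for_analysis(SAMPLE_SYSTEM_INFO, SAMPLE_JOBS, "8.0.2"))
```

Paste the real CLI output into the two strings (or read it from files) and only restart or re-enable forwarding when `ready_for_analysis` returns an empty problem list; a job row the parser cannot read is deliberately treated as unfinished.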

Monitor WildFire Activity

Depending on your WildFire deployment (public, private, or hybrid), you can view samples submitted to WildFire and analysis results for each sample using the WildFire portal, by accessing the firewall that submitted the sample (or Panorama, if you are centrally managing multiple firewalls), or by using the WildFire API.
After WildFire has analyzed a sample and delivered a verdict of malicious, phishing, grayware, or benign, a detailed analysis report is generated for the sample. WildFire analysis reports viewed on the firewall that submitted the sample also include details for the session during which the sample was detected. For samples identified as malware, the WildFire analysis report includes details on existing WildFire signatures that might be related to the newly identified malware and information on file attributes, behavior, and activity that indicated the sample was malicious.
See the following topics for details on how to monitor WildFire submissions, to view WildFire analysis reports for samples, and to set up alerts and notifications based on submissions and analysis results:
- About WildFire Logs and Reporting
- Use the Firewall to Monitor Malware
- Use the WildFire Portal to Monitor Malware
- WildFire Analysis Reports Close Up
- WildFire Example

The AutoFocus threat intelligence portal provides a different lens through which to view WildFire analysis details for a sample. AutoFocus layers statistics over WildFire analysis data to indicate high-risk artifacts found during sample analysis (such as an IP address or a domain).

About WildFire Logs and Reporting

You can Monitor WildFire Activity on the firewall, with the WildFire portal, or with the WildFire API. For each sample WildFire analyzes, WildFire categorizes the sample as malware, phishing, grayware, or benign and details sample information and behavior in the WildFire analysis report. WildFire analysis reports can be found on the firewall that submitted the sample and the WildFire cloud (public or private) that analyzed the sample, or can be retrieved using the WildFire API:
- On the firewall: All samples submitted by a firewall for WildFire analysis are logged as WildFire Submissions entries (Monitor > WildFire Submissions). The Action column in the WildFire Submissions log indicates whether a file was allowed or blocked by the firewall. For each WildFire submission entry you can open a detailed log view to view the WildFire analysis report for the sample or to download the report as a PDF.
- On the WildFire portal: Monitor WildFire activity, including the WildFire analysis report for each sample, which can also be downloaded as a PDF. In a WildFire private cloud deployment, the WildFire portal provides details for samples that are manually uploaded to the portal and samples submitted by a WildFire appliance with cloud intelligence enabled.

  The option to view WildFire analysis reports on the portal is only supported for WildFire appliances with the cloud intelligence feature enabled.

- With the WildFire API: Retrieve WildFire analysis reports from a WildFire appliance or from the WildFire public cloud.


Use the Firewall to Monitor Malware

Samples forwarded by the firewall are added as entries to the WildFire Submissions logs. A detailed WildFire analysis report is displayed in the expanded view for each WildFire Submissions entry.
- Configure WildFire Submissions Log Settings
- Monitor WildFire Submissions and Analysis Reports
- Set Up Alerts for Malware

Configure WildFire Submissions Log Settings

Enable the following options for WildFire Submissions logs:
- Enable Logging for Benign and Grayware Samples
- Include Email Header Information in WildFire Logs and Reports
- Include User-ID Information in WildFire Logs and Reports

Enable Logging for Benign and Grayware Samples

Logging for benign and grayware samples is disabled by default. Email links that receive benign or grayware verdicts are not logged, even when these options are enabled.

Enable Logging for Benign and Grayware Samples

Step 1 Select Device > Setup > WildFire and edit General Settings.

Step 2 Select Report Benign Files and/or Report Grayware Files, click OK to save the settings, and then Commit.

Include Email Header Information in WildFire Logs and Reports

Use the following steps to include email header information (email sender, recipient(s), and subject) in WildFire logs and reports.
Session information is forwarded to the WildFire cloud along with the sample and used to generate the WildFire analysis report. Neither the firewall nor the WildFire cloud receives, stores, or views actual email contents.

Session information can help you to quickly track down and remediate threats detected in email attachments or links, including identifying recipients who have downloaded or accessed malicious content.

Include Email Header Information in WildFire Logs and Reports

Step 1 Select Device > Setup > WildFire.

Step 2 Edit the Session Information Settings section and enable one or more of the options (Email sender, Email recipient, and Email subject).

Step 3 Click OK to save.

Include User-ID Information in WildFire Logs and Reports

Enable the firewall to match User-ID information with email header information, so that the User-ID for the recipient of a malicious email attachment or link is identified for a WildFire entry.

Include User-ID Information in WildFire Logs and Reports

Step 1 Select Device > User Identification > Group Mapping Settings.

Step 2 Select the desired group mapping profile to modify it.

Step 3 In the Server Profile tab, in the Mail Domains section, populate the Domain List field:
- Mail Attributes: This field is automatically populated after you fill in the Domain List field and click OK. The attributes are based on your LDAP server type (Sun/RFC, Active Directory, and Novell).
- Domain List: Enter the list of email domains in your organization as a comma-separated list of up to 256 characters.
When email header information is matched to a User-ID, the Recipient User-ID field in the Email Headers section of the detailed log view links to a filtered ACC view for that user or user group.
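Only recipients whose address is in one of the Domain List domains can be matched to a User-ID, so it helps to know in advance which recipients of a flagged message the lookup can resolve. The following is an added Python example (not Palo Alto Networks code) that enforces the 256-character Domain List limit stated above, normalizes the recipient header, and splits recipients into internal (resolvable) and external. The header value, the domain list and the address-splitting rules are constructed assumptions; the firewall's own matching logic is not documented on this page.

```python
"""Match email recipients against the Group Mapping Domain List.

Added example, not Palo Alto Networks code. It mirrors the stated constraint
(a comma-separated Domain List of at most 256 characters) and shows which
recipients from a WildFire entry's email header are candidates for the
Recipient User-ID lookup. The header and domain values below are constructed.
"""
from typing import List, Tuple

DOMAIN_LIST_MAX = 256  # character limit on the Domain List field stated in the procedure


def parse_domain_list(domain_list: str) -> List[str]:
    """Normalize the comma-separated Domain List and enforce the 256-character limit."""
    if len(domain_list) > DOMAIN_LIST_MAX:
        raise ValueError(
            f"Domain List is {len(domain_list)} characters; the field allows {DOMAIN_LIST_MAX}")
    domains = [d.strip().lower().lstrip("@") for d in domain_list.split(",")]
    domains = [d for d in domains if d]
    if not domains:
        raise ValueError("Domain List contains no domains")
    return domains


def split_recipients(header: str) -> List[str]:
    """Split an 'Email recipient' header value into lower-cased bare addresses.

    Accepts 'Name <user@example.com>' and plain 'user@example.com' forms,
    separated by commas or semicolons (assumed header shapes).
    """
    addresses = []
    for part in header.replace(";", ",").split(","):
        part = part.strip()
        if "<" in part and part.endswith(">"):
            part = part[part.rfind("<") + 1:-1]
        if "@" in part:
            addresses.append(part.lower())
    return addresses


def org_recipients(header: str, domain_list: str) -> Tuple[List[str], List[str]]:
    """Return (internal, external) recipients; only internal ones can map to a User-ID."""
    domains = parse_domain_list(domain_list)
    internal, external = [], []
    for addr in split_recipients(header):
        domain = addr.rsplit("@", 1)[1]
        (internal if domain in domains else external).append(addr)
    return internal, external


# Constructed example: two organization domains and a mixed recipient header.
EXAMPLE_DOMAIN_LIST = "example.com, corp.example.com"
EXAMPLE_HEADER = "Alice <alice@Example.com>; bob@corp.example.com, partner@partner.test"

if __name__ == "__main__":
    print(org_recipients(EXAMPLE_HEADER, EXAMPLE_DOMAIN_LIST))
```

Matching is exact per domain, so a subdomain that is not listed (for example a regional mail domain) is reported as external; add it to the Domain List rather than relaxing the match.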


Monitor WildFire Submissions and Analysis Reports

Samples that firewalls submit for WildFire analysis are displayed as entries in the WildFire Submissions log on the firewall web interface. For each WildFire entry, you can open an expanded log view which displays log details and the WildFire analysis report for the sample.

Monitor WildFire Submissions and Reports

Step 1 Forward Files for WildFire Analysis.

Step 2 Configure WildFire Submissions Log Settings.

Step 3 To view samples submitted by a firewall to a WildFire public, private, or hybrid cloud, select Monitor > Logs > WildFire Submissions. When WildFire analysis of a sample is complete, the results are sent back to the firewall that submitted the sample and are accessible in the WildFire Submissions logs. The Verdict column indicates whether the sample is benign, malicious, phishing, or grayware. The Action column indicates whether the firewall allowed or blocked the sample.


Step 4 For any entry, select the Log Details icon to open a detailed log view for that entry.

The detailed log view displays Log Info and the WildFire Analysis Report for the entry. If the firewall has packet captures (PCAPs) enabled, the sample PCAPs are also displayed.

For all samples, the WildFire analysis report displays file and session details. For malware samples, the WildFire analysis report is extended to include details on the file attributes and behavior that indicated the file was malicious.

Step 5 (Optional) Download a PDF of the WildFire Analysis Report.


Set Up Alerts for Malware

You can configure a Palo Alto Networks firewall to send an alert when WildFire identifies a malicious or phishing sample. You can configure alerts for benign and grayware files as well, but not for benign and grayware email links. This example describes how to configure an email alert; however, you could also configure log forwarding to set up alerts to be delivered as syslog messages, SNMP traps, or Panorama alerts.

Set Up Alerts for Malware

Step 1 Configure an email server profile.
  1. Select Device > Server Profiles > Email.
  2. Click Add and then enter a Name for the profile. For example, WildFire Email Profile.
  3. (Optional) Select the virtual system to which this profile applies from the Location drop-down.
  4. Click Add to add a new email server entry and enter the information required to connect to the Simple Mail Transfer Protocol (SMTP) server and send email (up to four email servers can be added to the profile):
    - Server: Name to identify the mail server (1-31 characters). This field is just a label and does not have to be the host name of an existing SMTP server.
    - Display Name: The name to show in the From field of the email.
    - From: The email address where notification emails are sent from.
    - To: The email address to which notification emails are sent.
    - Additional Recipient(s): Enter an email address to send notifications to a second recipient.
    - Gateway: The IP address or host name of the SMTP gateway to use to send the emails.
  5. Click OK to save the server profile.
  6. Click Commit to save the changes to the running configuration.

Step 2 Test the email server profile.
  1. Select Monitor > PDF Reports > Email Scheduler.
  2. Click Add and select the new email profile from the Email Profile drop-down.
  3. Click the Send test email button; a test email should be sent to the recipients defined in the email profile.


Step 3 Configure a log forwarding profile to enable WildFire logs to be forwarded to Panorama, an email account, SNMP, and/or a syslog server.
  In this example you will set up email logs for when a sample is determined to be malicious. You can also enable Benign and Grayware logs to be forwarded, which will produce more activity if you are testing.
  The firewall does not forward WildFire logs for blocked files to an email account.
  1. Select Objects > Log Forwarding.
  2. Add and name the profile, for example, WildFire Log Forwarding.
  3. In WildFire Settings, choose the email profile from the Email column for Malicious.
  To forward logs to Panorama, select the check boxes under the Panorama column for Benign, Grayware, Phishing, and/or Malicious. For SNMP and Syslog, select the drop-down and choose the appropriate profile or click New to configure a new profile.
  4. Click OK to save the changes.

Step 4 Add the log forwarding profile to a security policy rule being used for WildFire forwarding (with a WildFire Analysis profile attached). The WildFire Analysis profile defines the traffic that the firewall forwards for WildFire analysis. To set up a WildFire Analysis profile and attach it to a security policy rule, see Forward Files for WildFire Analysis.
  1. Select Policies > Security and click on the policy rule that is used for WildFire forwarding.
  2. In the Actions tab, Log Setting section, select the Log Forwarding profile you configured.
  3. Click OK to save the changes and then Commit the configuration.
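The rules in this section interact in ways that are easy to get wrong when testing alerts: malicious and phishing verdicts are always logged, benign and grayware files are logged only when reporting is enabled, benign and grayware email links are never logged, and logs for blocked files are never emailed. The following is an added Python example (not Palo Alto Networks code) that models those rules as a decision function so a planned log forwarding profile can be checked before it is committed. The profile dictionary layout, the entry fields and the sample entries are constructed assumptions, not a PAN-OS export format.

```python
"""Which WildFire Submissions entries reach which alert destination?

Added example, not Palo Alto Networks code. It models the rules stated in
this section as a pure decision function. The profile layout, the entry
fields and the sample entries are constructed for illustration.
"""
from typing import Dict, List, Set

VERDICTS = {"benign", "grayware", "phishing", "malicious"}
DESTINATIONS = {"panorama", "email", "snmp", "syslog"}


def is_logged(entry: Dict[str, str], report_benign: bool, report_grayware: bool) -> bool:
    """A sample becomes a WildFire Submissions entry only if its verdict is logged.

    Malicious and phishing verdicts are always logged. Benign and grayware
    files are logged only when Report Benign Files / Report Grayware Files is
    enabled, and benign or grayware email links are never logged.
    """
    verdict = entry["verdict"]
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r}")
    if verdict in ("malicious", "phishing"):
        return True
    if entry["kind"] == "email-link":
        return False
    return report_benign if verdict == "benign" else report_grayware


def forward_targets(profile: Dict[str, Dict[str, object]], entry: Dict[str, str],
                    report_benign: bool = False, report_grayware: bool = False) -> Set[str]:
    """Destination types (email, syslog, snmp, panorama) that receive the entry.

    profile maps verdict -> {destination -> server profile name or True},
    mirroring the WildFire Settings rows of an Objects > Log Forwarding
    profile. Entries for blocked files are never forwarded to email.
    """
    if not is_logged(entry, report_benign, report_grayware):
        return set()
    targets = set(profile.get(entry["verdict"], {})) & DESTINATIONS
    if entry["action"] == "block":
        targets.discard("email")
    return targets


def audit_profile(profile: Dict[str, Dict[str, object]]) -> List[str]:
    """Flag rows that can never produce an alert so the profile is fixed before commit."""
    findings = []
    for verdict, dests in profile.items():
        if verdict not in VERDICTS:
            findings.append(f"{verdict!r} is not a WildFire verdict")
        for dest in dests:
            if dest not in DESTINATIONS:
                findings.append(f"{verdict}: {dest!r} is not a log forwarding destination")
    if not any(v in profile for v in ("malicious", "phishing")):
        findings.append("neither malicious nor phishing verdicts are forwarded")
    return findings


# Constructed profile equivalent to Step 3: email on Malicious only, plus
# syslog for Malicious and Phishing and Panorama for every verdict.
EXAMPLE_PROFILE = {
    "malicious": {"email": "WildFire Email Profile", "syslog": "soc-syslog", "panorama": True},
    "phishing": {"syslog": "soc-syslog", "panorama": True},
    "grayware": {"panorama": True},
    "benign": {"panorama": True},
}

# Constructed WildFire Submissions entries (verdict, firewall action, file vs email link).
SAMPLE_ENTRIES = [
    {"name": "salestool.exe", "verdict": "malicious", "action": "allow", "kind": "file"},
    {"name": "invoice.pdf", "verdict": "malicious", "action": "block", "kind": "file"},
    {"name": "http://example.test/login", "verdict": "phishing", "action": "allow", "kind": "email-link"},
    {"name": "http://example.test/news", "verdict": "grayware", "action": "allow", "kind": "email-link"},
    {"name": "setup.msi", "verdict": "grayware", "action": "allow", "kind": "file"},
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["name"], sorted(forward_targets(EXAMPLE_PROFILE, entry, report_grayware=True)))
    print(audit_profile(EXAMPLE_PROFILE))
```

Note the second sample entry: a blocked malicious file still reaches syslog and Panorama but produces no email, so an email-only profile gives no visibility into blocked malware; pair email with syslog or Panorama if you rely on alerts for those events.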


Use the WildFire Portal to Monitor Malware

Log in to the Palo Alto Networks WildFire portal using your Palo Alto Networks support credentials or your WildFire account. The portal opens to display the dashboard, which lists summary report information for all of the firewalls associated with the specific WildFire subscription or support account. For each device listed, the portal displays statistics for the number of malware samples that have been detected, benign samples that have been analyzed, and the number of pending files that are waiting to be analyzed. Your WildFire portal account displays data for all samples submitted by firewalls on your network that are connected to the WildFire public cloud, as well as data for samples manually submitted to the portal. Additionally, if you have enabled a WildFire appliance to forward malware to the WildFire public cloud for signature generation and distribution, reports for those malware samples can also be accessed on the portal.
See the following sections for details on using the WildFire portal to monitor WildFire activity:
- Configure WildFire Portal Settings
- Add WildFire Portal Users
- View Reports on the WildFire Portal

Configure WildFire Portal Settings

This section describes the settings that can be customized for a WildFire cloud account, such as the time zone and email notifications for each firewall connected to the account. You can also delete firewall logs stored in the cloud.

Customize the WildFire Portal Settings

Step 1 Access the portal settings.
  1. Log in to the WildFire cloud.
  2. Select Settings on the menu bar.

Step 2 Configure the time zone for the WildFire cloud account. Select a time zone from the Set Time Zone drop-down and click Update Time Zone to save the change.
  The timestamp that appears on WildFire analysis reports is based on the time zone configured for the WildFire cloud account.

Step 3 (Optional) Delete WildFire logs hosted on the cloud for specific firewalls.
  1. In the Delete WildFire Reports drop-down, select a firewall (by serial number) and click Delete Reports to remove logs for that firewall from the WildFire portal. This action does not delete logs stored on the firewall.
  2. Click OK to proceed with the deletion.


Step 4 (Optional) Configure email notifications based on WildFire analysis verdicts.
  The WildFire portal does not send alerts for blocked files that the firewall forwarded for WildFire analysis.
  1. In the Configure Alerts section, select the Malware, Phishing, Grayware, and/or Benign check boxes to receive email notifications based on those verdicts:
    - Select the verdict check boxes in the All row to receive verdict notifications for all samples uploaded to the WildFire cloud.
    - Select the verdict check boxes in the Manual row to receive verdict notifications for all samples that are manually uploaded to the WildFire public cloud using the WildFire portal.
    - Select the verdict check boxes for one or several firewall serial numbers to receive verdict notifications for samples submitted by those firewalls.
  2. Select Update Notification to enable verdict notifications to be emailed to the email address associated with your support account.

Add WildFire Portal Users

WildFire portal accounts are created by a super user (the registered owner of a Palo Alto Networks device) to give additional users the ability to log in to the WildFire cloud and view device data to which the super user grants them access. A WildFire user can be a user associated with an existing Palo Alto Networks account, or a user not associated with a Palo Alto Networks support account to whom you allow access to just the WildFire public cloud and a specific set of firewall data.

Add WildFire Portal Users

Step 1 Select the account for which you want to add users who can access the WildFire portal.
  WildFire portal users can view data for all firewalls associated with the support account.
  1. Log in to the Palo Alto Networks Support Portal.
  2. Under Manage Account, click Users and Accounts.
  3. Select an existing account or sub-account.

Step 2 Add a WildFire user.
  1. Click Add WildFire User.
  2. Enter the email address for the user you would like to add.
  The only restriction when adding a user is that the email address cannot be from a free web-based email account (such as Gmail, Hotmail, and Yahoo). If an email address is entered for a domain that is not supported, a pop-up warning is displayed.


Step 3 Assign firewalls to the new user account and access the WildFire cloud.
  Select the firewall(s) by serial number for which you want to grant access and fill out the optional account details.
  Users with an existing support account will receive an email with a list of the firewalls that are now available for WildFire report viewing. If the user does not have a support account, the portal sends an email with instructions on how to access the portal and how to set a new password.
  The new user can now log in to the WildFire cloud and view WildFire reports for the firewalls to which they have been granted access. Users can also configure automatic email alerts for these devices in order to receive alerts on files analyzed. They can choose to receive reports on malicious and/or benign files.

View Reports on the WildFire Portal

The WildFire portal displays reports for samples that are submitted from firewalls, manually uploaded, or uploaded using the WildFire API. Select Reports to display the latest reports for samples analyzed by the WildFire cloud. For each sample listed, the report entry shows the date and time the sample was received by the cloud, the serial number of the firewall that submitted the file, the file name or URL, and the verdict delivered by WildFire (benign, grayware, malware, or phishing).
Use the search option to search for reports based on the file name or the sample hash value. You can also narrow the results displayed by viewing only reports for samples submitted by a specific Source (view only results submitted manually or by a specific firewall) or for samples that received a specific WildFire Verdict (any, benign, malware, grayware, phishing, or pending).
To view an individual report from the portal, click the Reports icon to the left of the report name. To save the detailed report, click the Download as PDF button on the upper right of the report page. For details on WildFire analysis reports, see WildFire Analysis Reports Close Up.


WildFire Analysis Reports Close Up

Access WildFire analysis reports on the firewall, on the WildFire portal, and through the WildFire API.
WildFire analysis reports display detailed sample information, as well as information on targeted users, email header information (if enabled), the application that delivered the file, and all URLs involved in the delivery or phone-home activity of the file. WildFire reports contain some or all of the information described in the following table, based on the session information configured on the firewall that forwarded the file and depending on the observed behavior of the file.

When viewing a WildFire report for a file that was manually uploaded to the WildFire portal or by using the WildFire API, the report will not show session information because the traffic did not traverse the firewall. For example, the report would not show the Attacker/Source and Victim/Destination.

Report Heading    Description

File Information
  File Type: Flash, PE, PDF, APK, JAR/Class, or MS Office. This field is named URL for HTTP/HTTPS email link reports and displays the URL that was analyzed.
  File Signer: The entity that signed the file for authenticity purposes.
  Hash Value: A file hash is much like a fingerprint that uniquely identifies a file, to ensure that the file has not been modified in any way. The following lists the hash versions that WildFire generates for each file analyzed:
    SHA-1: Displays the SHA-1 value for the file.
    SHA-256: Displays the SHA-256 value for the file.
    MD5: Displays the MD5 value for the file.
  Use the SHA-256 value when you need to identify a sample unambiguously (for example, with the signature-status command on the WildFire appliance); MD5 and SHA-1 are not collision-resistant and are mainly useful for correlating with tools that still key on them.
  File Size: The size (in bytes) of the file that WildFire analyzed.
  First Seen Timestamp: If the WildFire system has analyzed the file previously, this is the date/time that it was first observed.
  Verdict: Displays the analysis verdict.
  Sample File: Click the Download File link to download the sample file to your local system. Note that you can only download files with the malware verdict, not benign files.


Coverage Status
  Click the VirusTotal link to view endpoint antivirus coverage information for samples that have already been identified by other vendors. If the file has never been seen by any of the listed vendors, "file not found" appears.
  In addition, when the report is rendered on the firewall, up-to-date information about what signature and URL filtering coverage Palo Alto Networks currently provides to protect against the threat is also displayed in this section. Because this information is retrieved dynamically, it does not appear in the PDF report.
  The following coverage information is provided for active signatures:
    Coverage Type: The type of protection provided by Palo Alto Networks (virus, DNS, WildFire, or malware URL).
    Signature ID: A unique ID number assigned to each signature that Palo Alto Networks provides.
    Detail: The well-known name of the virus.
    Date Released: The date that Palo Alto Networks released coverage to protect against the malware.
    Latest Content Version: The version number for the content release that provides protection against the malware.

Session Information
  Contains session information based on the traffic as it traversed the firewall that forwarded the sample. To define the session information that WildFire will include in the reports, select Device > Setup > WildFire > Session Information Settings.
  The following options are available:
    Source IP
    Source Port
    Destination IP
    Destination Port
    Virtual System (if multi-vsys is configured on the firewall)
    Application
    User (if User-ID is configured on the firewall)
    URL
    Filename
    Email sender
    Email recipient
    Email subject
  By default, session information includes the field Status, which indicates whether the firewall allowed or blocked the sample.


Dynamic Analysis
  If a file is low risk and WildFire can easily determine that it is safe, only a static analysis is performed, instead of a dynamic analysis.
  When a dynamic analysis is performed, this section contains tabs for each analysis environment that the sample was run in when it was analyzed in the WildFire cloud. For example, the Virtual Machine 1 tab may have Windows XP, Adobe Reader 9.3.3, and Office 2003, and Virtual Machine 2 may have similar attributes but with Office 2007. When a file goes through a full dynamic analysis, it is run in each virtual machine and the results of each environment can be viewed by clicking any of the Virtual Machine tabs.
  On the WildFire appliance, only one virtual machine is used for the analysis, which you select based on the analysis environment attributes that best match your local environment. For example, if most users have Windows 7 32-bit, that virtual machine would be selected.

Behavior Summary
  Each Virtual Machine tab summarizes the behavior of the sample file in the specific environment. Examples include whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects.
  The Severity column indicates the severity of each behavior. The severity gauge shows one bar for low severity and additional bars for higher severity levels. This information is also added to the dynamic and static analysis sections.

  The following describes the various behaviors that are analyzed:
    Network Activity: Shows network activity performed by the sample, such as accessing other hosts on the network, DNS queries, and phone-home activity. A link is provided to download the packet capture.
    Host Activity (by process): Lists activities performed on the host, such as registry keys that were set, modified, or deleted.
    Process Activity: Lists files that started a parent process, the process name, and the action the process performed.
    File: Lists files that started a child process, the process name, and the action the process performed.
    Mutex: If the sample file generates other program threads, the mutex name and parent process are logged in this field.
    Activity Timeline: Provides a play-by-play list of all recorded activity of the sample. This helps in understanding the sequence of events that occurred during the analysis.
  The activity timeline information is only available in the PDF export of the WildFire reports.

Submit Malware
  Use this option to manually submit the sample to Palo Alto Networks. The WildFire cloud will then reanalyze the sample and generate a signature if it determines that the sample is malicious. This is useful on a WildFire appliance that does not have signature generation or cloud intelligence (which forwards malware from the appliance to the WildFire cloud) enabled.


Report an Incorrect Verdict
  Click this link to submit the sample to the Palo Alto Networks threat team if you feel the verdict is a false positive or false negative. The threat team will perform further analysis on the sample to determine if it should be reclassified. If a malware sample is determined to be safe, the signature for the file is disabled in an upcoming antivirus signature update; if a benign file is determined to be malicious, a new signature is generated. After the investigation is complete, you will receive an email describing the action that was taken.


WildFire Example

The following example scenario summarizes the full WildFire lifecycle. In this example, a sales representative from Palo Alto Networks downloads a new software sales tool that a sales partner uploaded to Dropbox. The sales partner unknowingly uploaded an infected version of the sales tool install file and the sales rep then downloads the infected file.
This example demonstrates how a Palo Alto Networks firewall in conjunction with WildFire can discover zero-day malware downloaded by an end user, even if the traffic is SSL encrypted. After WildFire identifies the malware, a log is sent to the firewall and the firewall alerts the administrator, who then contacts the user to eradicate the malware. WildFire then generates a new signature for the malware, and firewalls with a Threat Prevention or WildFire subscription automatically download the signature to protect against future exposure. Although some file-sharing websites have an antivirus feature that checks files as they are uploaded, they can only protect against known malware.

This example uses a website that uses SSL encryption. In this case, the firewall has decryption enabled, including the option to forward decrypted content for analysis. To enable decrypted content to be forwarded to the WildFire cloud, see Forward Files for WildFire Analysis.

WildFire Example

Step 1: The salesperson from the partner company uploads a sales tool file named salestool.exe to his Dropbox account and then sends an email to the Palo Alto Networks salesperson with a link to the file.

Step 2: The Palo Alto salesperson receives the email from the sales partner and clicks the download link, which takes her to the Dropbox site. She then clicks Download to save the file to her desktop.


Step 3: The firewall that is protecting the Palo Alto sales rep has a WildFire Analysis profile rule attached to a security policy rule that looks for files in any application that is used to download or upload any of the supported file types. The firewall can also be configured to forward the email-link file type, which enables the firewall to extract HTTP/HTTPS links contained in SMTP and POP3 email messages. As soon as the sales rep clicks download, the firewall forwards the salestool.exe file to WildFire, where the file is analyzed for zero-day malware. Even though the sales rep is using Dropbox, which is SSL encrypted, the firewall is configured to decrypt traffic, so all traffic can be inspected. The following screenshots show the WildFire Analysis profile rule, the security policy rule configured with the WildFire Analysis profile rule attached, and the option to allow forwarding of decrypted content enabled.

Step 4: At this point, WildFire has received the file and is analyzing it for more than 200 different malicious behaviors. Verify File Forwarding to check that the firewall has correctly forwarded a file or email links for WildFire analysis.


Step 5: Within approximately five minutes, WildFire has completed the file analysis and then sends a WildFire log back to the firewall with the analysis results. In this example, the WildFire log shows that the file is malicious.

Step 6: The firewall is configured with a log forwarding profile that sends WildFire alerts to the security administrator when malware is discovered.


Step 7: The security administrator identifies the user by name (if User-ID is configured), or by IP address if User-ID is not enabled. At this point, the administrator can shut down the network or VPN connection that the sales representative is using and will then contact the desktop support group to work with the user to check and clean the system.
By using the WildFire detailed analysis report, the desktop support person can determine if the user's system is infected with malware by looking at the files, processes, and registry information detailed in the WildFire analysis report. If the user runs the malware, the support person can attempt to clean the system manually or reimage it.
For details on the WildFire report fields, see WildFire Analysis Reports Close-Up.


Step 8: Now that the administrator has identified the malware and the user's system is being checked, how do you protect from future exposure? Answer: In this example, the administrator set a schedule on the firewall to download and install WildFire signatures every 15 minutes and to download and install Antivirus updates once per day. In less than an hour and a half after the sales rep downloaded the infected file, WildFire identified the zero-day malware, generated a signature, added it to the WildFire update signature database provided by Palo Alto Networks, and the firewall downloaded and installed the new signature. This firewall and any other Palo Alto Networks firewall configured to download WildFire and antivirus signatures is now protected against this newly discovered malware. The following screenshot shows the WildFire update schedule:

All of this occurs well before most antivirus vendors are even aware of the zero-day malware. In this example, within a very short period of time, the malware is no longer considered zero-day because Palo Alto Networks has already discovered it and has provided protection to customers to prevent future exposure.

WildFire Appliance Clusters

A WildFire appliance cluster is an interconnected group of WildFire appliances that pool resources to increase sample analysis and storage capacity, support larger groups of firewalls, and simplify configuration and management of multiple WildFire appliances. This is especially useful in environments where access to the WildFire public cloud is not permitted. You can configure and manage up to twenty WildFire appliances as a WildFire appliance cluster on a single network. Clusters also provide a single signature package that the cluster distributes to all connected firewalls, high availability (HA) architecture for fault tolerance, and the ability to manage clusters centrally using Panorama. You can also manage standalone WildFire appliances using Panorama.
To create WildFire appliance clusters, all of the WildFire appliances that you want to place in a cluster must run PAN-OS 8.0.1 or later. When you use Panorama to manage WildFire appliance clusters, Panorama also must run PAN-OS 8.0.1 or later. You do not need a separate license to create and manage WildFire appliance clusters.
WildFire Appliance Cluster Resiliency and Scale
WildFire Appliance Cluster Management
Configure a Cluster Locally on WildFire Appliances
Upgrade WildFire Appliances in a Cluster
Configure a Cluster Centrally on Panorama


WildFire Appliance Cluster Resiliency and Scale

WildFire appliance clusters aggregate the sample analysis and storage capacity of up to twenty WildFire appliances so that you can support large firewall deployments on a single network. You have the flexibility to manage and Configure a Cluster Locally on WildFire Appliances using the CLI, or manage and Configure a Cluster Centrally on Panorama M-Series or virtual appliance servers. A WildFire appliance cluster environment includes:
- From 2 to 20 WildFire appliances that you want to group and manage as a cluster. At a minimum, a cluster must have two WildFire appliances configured in a high availability (HA) pair.
- Firewalls that forward samples to the cluster for traffic analysis and signature generation.
- (Optional) One or two Panorama appliances for centralized cluster management if you choose not to manage the cluster locally. To provide HA, use two Panorama appliances configured as an HA pair.
Each WildFire appliance you add to a WildFire appliance cluster becomes a node in that cluster (as opposed to a standalone WildFire appliance). Panorama can manage up to 10 WildFire appliance clusters with a total of 200 WildFire cluster nodes (10 clusters, each with the maximum of 20 nodes).

Panorama can manage standalone WildFire appliances as well as WildFire appliance clusters. The combined total of standalone WildFire appliances and WildFire appliance cluster nodes that Panorama can manage is 200. For example, if Panorama manages three clusters with a total of 15 WildFire cluster nodes and eight standalone WildFire appliances, then Panorama manages a total of 23 WildFire appliances and can manage up to 177 more WildFire appliances.

Cluster nodes play one of two roles:
- Controller Node: Two controller nodes manage the queuing service and database, generate signatures, and manage the cluster locally if you don't manage the cluster with a Panorama M-Series or virtual appliance. Each cluster can have a maximum of two controller nodes. For fault tolerance, each WildFire appliance cluster should have a minimum of two nodes configured as a primary controller node and a controller backup node HA pair. Except during normal maintenance or failure conditions, each cluster should have two controller nodes.
- Worker Node: Cluster nodes that are not controller nodes are worker nodes. Worker nodes increase the analysis capacity, storage capacity, and data resiliency of the cluster.
When a firewall registers with a cluster node, or when you add a WildFire appliance that already has registered firewalls to a cluster, the cluster pushes a registration list to the connected firewalls. The registration list contains every node in the cluster. If a cluster node fails, the firewalls connected to that node re-register with another cluster node. This type of resiliency is one of the benefits of creating WildFire appliance clusters.

Benefits of a WildFire appliance cluster:

Scale: A WildFire appliance cluster increases the analysis throughput and storage capacity available on a single network so that you can serve a larger network of firewalls without segmenting your network.

High availability: If a cluster node goes down, HA configuration provides fault tolerance to prevent the loss of critical data and services. If you manage clusters centrally using Panorama, Panorama HA configuration provides central management fault tolerance.

Single signature package distribution: All firewalls connected to a cluster receive the same signature package, regardless of the cluster node that received or analyzed the data. The signature package is based on the activity and results of all cluster members, which means that each connected firewall benefits from the combined cluster knowledge.


Centralized management (Panorama): You save time and simplify the management process when you use Panorama to manage WildFire appliance clusters. Instead of using the CLI and scripting to manage a WildFire appliance or cluster, Panorama provides a single-pane-of-glass view of your network devices. You can also push common configurations, configuration updates, and software upgrades to multiple WildFire appliance clusters, and you can do all of this using the Panorama web interface instead of the WildFire appliance CLI.

Load balancing: When a cluster has two or more active nodes, the cluster automatically distributes and load balances analysis, report generation, signature creation, storage, and WildFire content distribution among the nodes.

High availability is a crucial advantage of WildFire appliance clusters because HA prevents the loss of critical data and services. An HA cluster copies and distributes critical data, such as analysis results, reports, and signatures, across nodes so that a node failure does not result in data loss. An HA cluster also provides redundant critical services, such as analysis functionality, WildFire API, and signature generation, so that a node failure doesn't interrupt service. A cluster must have at least two nodes to provide high availability benefits.

Do not configure a cluster with only one controller node. Each cluster should have an HA controller pair. A cluster should have a single controller node only in temporary situations, for example, when you swap controller nodes or if a controller node fails.

In a two-node cluster HA pair, if one controller node fails, the other controller node takes over cluster operation. If a controller node fails, replace it as soon as possible to restore the fault-tolerant HA configuration. Regardless of cluster size, if a node fails, the cluster queue service redirects samples to the next available node, including samples that the failed node began to analyze but that do not yet have a verdict. Cluster node failure doesn't affect firewalls, because firewalls registered to a failed node use the cluster registration list to register with another cluster node.
If you manage WildFire appliance clusters with Panorama, you can configure two Panorama M-Series or virtual appliances as an HA pair to provide management redundancy. If you don't configure redundant Panorama appliances and the Panorama fails, then you can still manage clusters locally from a controller node.
If you are using a Panorama HA pair to manage the cluster and one Panorama fails, the other Panorama appliance takes over management of the cluster. If a Panorama HA peer fails, restore service from the failed Panorama peer as soon as possible to restore management HA.
Providing analysis, storage, and centralized management HA requires at least two WildFire appliances configured as cluster controller and controller backup nodes, and two Panorama M-Series or virtual appliances.

Firewalls receive a registration list that contains all of the WildFire appliances that are members of the cluster. Firewalls can register with any node in the cluster and the cluster automatically balances the load among its nodes.


WildFire Appliance Cluster Management

To manage a WildFire appliance cluster, you need to know the capabilities of clusters and management recommendations.

Cluster operation and configuration: Configure all cluster nodes identically to ensure consistency in analysis and appliance-to-appliance communication:
- All cluster nodes must run the same version of PAN-OS (PAN-OS 8.0.1 or later). Panorama must run the same software version as the cluster nodes or a newer version. Firewalls can run the same software versions that enable them to submit samples to a WildFire appliance. Firewalls do not require a particular software version to submit samples to a WildFire appliance cluster.
- Cluster nodes inherit their configuration from the controller node, with the exception of interface configuration. Cluster members monitor the controller node configuration and update their own configurations when the controller node commits an updated configuration. Worker nodes inherit settings such as content update server settings, WildFire cloud server settings, the sample analysis image, sample data retention time frames, analysis environment settings, signature generation settings, log settings, authentication settings, and Panorama server, DNS server, and NTP server settings.
- When you manage a cluster with Panorama, the Panorama appliance pushes a consistent configuration to all cluster nodes. Although you can change the configuration locally on a WildFire appliance node, Palo Alto Networks does not recommend that you do this, because the next time the Panorama appliance pushes a configuration, it replaces the running configuration on the node. Local changes to cluster nodes that Panorama manages often cause Out of Sync errors.
- If the cluster node membership list differs on the two controller nodes, the cluster generates an Out of Sync warning. To avoid a condition where both controller nodes continually update the out-of-sync membership list for the other node, cluster membership enforcement stops. When this happens, you can synchronize the cluster membership lists from the local CLI on the controller and controller backup nodes by running the operational command request high-availability sync-to-remote running-config. If there is a mismatch between the primary controller node's configuration and the configuration on the controller backup node, the configuration on the primary controller node overrides the configuration on the controller backup node. On each controller node, run show cluster all-peers and compare and correct the membership lists.
- A cluster can have only two controller nodes (primary and backup); attempts to locally add a third controller node to a cluster fail. (The Panorama web interface automatically prevents you from adding a third controller node.) The third and all subsequent nodes added to a cluster must be worker nodes.
- A characteristic of HA configurations is that the cluster distributes and retains multiple copies of the database, queuing services, and sample submissions to provide redundancy in case of a cluster node failure. Running the additional services required to provide redundancy for HA has a minimal impact on throughput.
- The cluster automatically checks for duplicate IP addresses used for the analysis environment network.
- If a node belongs to a cluster and you want to move it to a different cluster, you must first remove the node from its current cluster.


Firewall registration: WildFire appliance clusters push a registration list that contains all of the nodes in a cluster to every firewall connected to a cluster node. When you register a firewall with an appliance in a cluster, the firewall receives the registration list. When you add a standalone WildFire appliance that already has connected firewalls to a cluster so that it becomes a cluster node, those firewalls receive the registration list.
If a node fails, the connected firewalls use the registration list to register with the next node on the list.

Cluster data retention policies: Data retention policies determine how long the WildFire appliance cluster stores different types of samples.
- Benign and grayware samples: The cluster retains benign and grayware samples for 1 to 90 days (default is 14).
- Malicious samples: The cluster retains malicious samples for a minimum of 1 day (default is indefinite, never deleted). Malicious samples may include phishing verdict samples.
Configure the same data retention policy throughout a cluster (Step 3 in Configure General Cluster Settings Locally or Step 1 in Configure General Cluster Settings on Panorama).

Networking: No communication between WildFire appliance clusters is allowed. Nodes communicate with each other within a given cluster, but do not communicate with nodes in other clusters.
All cluster members must:
- Use a dedicated cluster management interface for cluster management and communication (enforced in Panorama).
- Have a static IP address in the same subnet.
- Use low-latency connections between cluster nodes. The maximum latency for a connection should be no greater than 500 ms.

Dedicated cluster management interface: The dedicated cluster management interface enables the controller nodes to manage the cluster and is a different interface than the standard management interface (Ethernet0). Panorama enforces configuring a dedicated cluster management interface.
If the cluster management link goes down between two controller nodes in a two-node configuration, the controller backup node services and sample analysis continue to run even though there is no management communication with the primary controller node. This is because when the cluster management link goes down, the controller backup node does not know if the primary controller node is still functional, resulting in a split-brain condition. The controller backup node must continue to provide cluster services in case the primary controller node is not functional. When the cluster management link is restored, the data from each controller node is merged.


DNS: You can use the controller node in a WildFire appliance cluster as the authoritative DNS server for the cluster. (An authoritative DNS server serves the actual IP addresses of the cluster members, as opposed to a recursive DNS server, which queries the authoritative DNS server and passes the requested information to the host that made the initial request.)
Firewalls that submit samples to the WildFire appliance cluster should send DNS queries to their regular DNS server, for example, an internal corporate DNS server. The internal DNS server forwards the DNS query to the WildFire appliance cluster controller (based on the query's domain). Using the cluster controller as the DNS server provides many advantages:
- Automatic load balancing: When the cluster controller resolves the service advertisement hostname, the host cluster nodes are returned in a random order, which has the effect of organically balancing the load on the nodes.
- Fault tolerance: If one cluster node fails, the cluster controller automatically removes it from the DNS response, so firewalls send new requests to nodes that are up and running.
- Flexibility and ease of management: When you add nodes to the cluster, because the controller updates the DNS response automatically, you don't need to make any changes on the firewall, and requests automatically go to the new nodes as well as the previously existing nodes.
Although the DNS record should not be cached, for troubleshooting, if the DNS lookup succeeds, the TTL is 0. However, when the DNS lookup returns NXDOMAIN, the TTL and minimum TTL are both 0.

Administration: You can administer WildFire clusters using the local WildFire CLI or through Panorama. There are two administrative roles available locally on WildFire cluster nodes:
- Superreader: Read-only access.
- Superuser: Read and write access.

Cluster upgrades: WildFire appliances in a cluster can operate using different versions; however, it is a best practice to run the same version.


Configure a Cluster Locally on WildFire Appliances

Before you configure a WildFire appliance cluster locally, have two WildFire appliances available to configure as a high availability controller node pair and any additional WildFire appliances needed to serve as worker nodes to increase the analysis, storage capacity, and resiliency of the cluster.
If the WildFire appliances are new, check Get Started with WildFire to ensure that you complete basic steps such as confirming your WildFire license is active, enabling logging, connecting firewalls to WildFire appliances, and configuring basic WildFire features.

To create WildFire appliance clusters, you must upgrade all of the WildFire appliances that you want to place in a cluster to PAN-OS 8.0.1 or later. On each WildFire appliance that you want to add to a cluster, run show system info | match version on the WildFire appliance CLI to ensure that the appliance is running PAN-OS 8.0.1 or later.

After you create a cluster, perform all configuration and commit operations on the active (primary) controller node. Do not configure and commit from the backup (passive) controller node.

When your WildFire appliances are available, perform the appropriate tasks:
Configure a Cluster and Add Nodes Locally
Configure General Cluster Settings Locally
Remove a Node from a Cluster Locally

Configure a Cluster and Add Nodes Locally

When you add nodes to a cluster, the cluster automatically sets up communication between nodes based on the interfaces you configure for the controller node.

Configure a Cluster and Add Nodes Locally Using the WildFire appliance CLI

Step 1: Ensure that each WildFire appliance that you want to add to the cluster is running PAN-OS 8.0.1 or later.
1. On each WildFire appliance, run:
    admin@WF-500> show system info | match version


Step 1: Verify that the WildFire appliances are not analyzing samples and are in standalone state (not members of another cluster).
1. On each appliance, display whether the appliance is analyzing samples:
    admin@WF-500> show wildfire global sample-analysis
   No sample should show as pending. All samples should be in a finished state. If samples are pending, wait for them to finish analysis. Pending samples display separately from malicious and non-malicious samples. Finish Date displays the date and time the analysis finished.
2. On each appliance, check to ensure the appliance is in a standalone state and does not already belong to a cluster:
    admin@WF-500> show cluster membership
    Service Summary: wfpc signature
    Cluster name:
    Address: 10.10.10.100
    Host name: WF-500
    Node name: wfpc-000000000000-internal
    Serial number: 000000000000
    Node mode: stand_alone
    Server role: True
    HA priority:
    Last changed: Mon, 06 Mar 2017 16:34:25 -0800
    Services: wfcore signature wfpc infra
    Monitor status:
      Serf Health Status: passing
      Agent alive and reachable
    Application status:
      global-db-service: ReadyStandalone
      wildfire-apps-service: Ready
      global-queue-service: ReadyStandalone
      wildfire-management-service: Done
      siggen-db: ReadyMaster
    Diag report:
      10.10.10.100: reported leader '10.10.10.100', age 0.
      10.10.10.100: local node passed sanity check.
   The Node mode line (stand_alone) and the Application status lines show that the node is in standalone mode and is ready to be converted from a standalone appliance to a cluster node.
   The 12-digit serial number in these examples (000000000000) is a generic example and is not a real serial number. WildFire appliances in your network have unique, real serial numbers.


Step 2: Configure the primary controller node. This includes configuring the node as the primary controller of the HA pair, enabling HA, and defining the interfaces the appliance uses for the HA control link and for cluster communication and management.
1. Enable high availability and configure the control link interface connection to the controller backup node, for example, on interface eth3:
    admin@WF-500# set deviceconfig high-availability enabled yes interface ha1 port eth3 peer-ip-address <secondary-node-eth3-ip-address>
2. Configure the appliance as the primary controller node:
    admin@WF-500# set deviceconfig high-availability election-option priority primary
3. (Optional) Configure the backup high availability interface between the controller node and the controller backup node, for example, on the management interface:
    admin@WF-500# set deviceconfig high-availability interface ha1-backup peer-ip-address <secondary-node-management-ip-address>
4. Configure the dedicated interface for communication and management within the cluster, including specifying the cluster name and setting the node role to controller node:
    admin@WF-500# set deviceconfig cluster cluster-name <name> interface eth2 mode controller
   This example uses eth2 as the dedicated cluster communication port. The cluster name must be a valid subdomain name with a maximum length of 63 characters. Only lowercase characters and numbers are allowed, and hyphens and periods if they are not at the beginning or end of the cluster name.
   Worker nodes in the cluster automatically inherit the controller's settings for the dedicated management and communication interface.

Step 3: Configure the controller backup node. This includes configuring the node as the backup controller of the HA pair, enabling HA, and defining the interfaces the appliance uses for the HA control link and for cluster communication and management.
1. Enable high availability and configure the control link interface connection to the primary controller node on the same interface used on the primary controller node (eth3 in this example):
    admin@WF-500# set deviceconfig high-availability enabled yes interface ha1 port eth3 peer-ip-address <primary-node-eth3-ip-address>
2. Configure the appliance as the controller backup node:
    admin@WF-500# set deviceconfig high-availability election-option priority secondary
3. (Recommended) Configure the backup high availability interface between the controller backup node and the controller node, for example, on the management interface:
    admin@WF-500# set deviceconfig high-availability interface ha1-backup peer-ip-address <primary-node-management-ip-address>
4. Configure the dedicated interface for communication and management within the cluster, including specifying the cluster name and setting the node role to controller node:
    admin@WF-500# set deviceconfig cluster cluster-name <name> interface eth2 mode controller
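The cluster-name rule stated in Step 2 (a valid subdomain name, at most 63 characters, lowercase letters and digits, hyphens and periods allowed only away from the beginning and end) is easy to get wrong when names are generated by automation. The following is an added example, not code from the WildFire guide or from the WF-500 software, that checks a candidate name against that rule before it is used in a set deviceconfig cluster cluster-name command. Rejecting an empty label (two periods in a row) is an assumption taken from general DNS naming rules, not something the guide states.

```python
"""Validate a cluster name before `set deviceconfig cluster cluster-name <name>`.

Added example, not from the WildFire guide or the WF-500 software. It encodes
the rule the guide states: at most 63 characters, lowercase letters and digits,
hyphens and periods allowed only away from the beginning and end. Treating an
empty label ("a..b") as invalid is an assumption from DNS naming rules.
"""

MAX_LEN = 63


def cluster_name_problems(name):
    """Return a list of rule violations; an empty list means the name is valid."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"{len(name)} characters, maximum is {MAX_LEN}")
    if name != name.lower():
        problems.append("uppercase characters are not allowed")
    # Anything that is not an ASCII letter or digit, a hyphen, or a period.
    bad = sorted({c for c in name
                  if not (c.isascii() and c.isalnum()) and c not in ".-"})
    if bad:
        problems.append("disallowed characters: " + " ".join(bad))
    if name[0] in ".-" or name[-1] in ".-":
        problems.append("hyphen or period at the beginning or end")
    if ".." in name:
        problems.append("empty label (two periods in a row)")  # assumption
    return problems


def is_valid_cluster_name(name):
    return not cluster_name_problems(name)


if __name__ == "__main__":
    for candidate in ("mycluster", "wf-cluster.site1", "-mycluster", "MyCluster"):
        print(candidate, cluster_name_problems(candidate) or "ok")
```

Run the check before every commit that sets the cluster name; a rejected name on the controller is cheap to fix, while a mismatch discovered only when the first worker tries to join (Step 10) costs a second round of commits.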


Step 4: Commit the configurations on both controller nodes.
1. On each controller node:
    admin@WF-500# commit
   Committing the configuration on both controller nodes forms a two-node cluster.
   After forming the cluster, perform all configuration and commit actions from the active (primary) controller.

Step 5: Verify the configuration on the primary controller node.
1. On the primary controller node:
    admin@WF-500(active-controller)> show cluster membership
    Service Summary: wfpc signature
    Cluster name: mycluster
    Address: 10.10.10.100
    Host name: WF-500
    Node name: wfpc-000000000000-internal
    Serial number: 000000000000
    Node mode: controller
    Server role: True
    HA priority: primary
    Last changed: Sat, 04 Mar 2017 12:52:38 -0800
    Services: wfcore signature wfpc infra
    Monitor status:
      Serf Health Status: passing
      Agent alive and reachable
    Application status:
      global-db-service: JoinedCluster
      wildfire-apps-service: Ready
      global-queue-service: JoinedCluster
      wildfire-management-service: Done
      siggen-db: ReadyMaster
    Diag report:
      10.10.10.110: reported leader '10.10.10.100', age 0.
      10.10.10.100: local node passed sanity check.
   The prompt (active-controller), the Node mode line (controller), and the Application status lines (JoinedCluster, Ready, and siggen-db: ReadyMaster) show that the node is in controller mode, is ready, and is the master controller node.


Step 6: Verify the configuration on the secondary controller node.
1. On the secondary controller node:
    admin@WF-500(passive-controller)> show cluster membership
    Service Summary: wfpc signature
    Cluster name: mycluster
    Address: 10.10.10.110
    Host name: WF-500
    Node name: wfpc-000000000000-internal
    Serial number: 000000000000
    Node mode: controller
    Server role: True
    HA priority: secondary
    Last changed: Fri, 02 Dec 2016 16:25:57 -0800
    Services: wfcore signature wfpc infra
    Monitor status:
      Serf Health Status: passing
      Agent alive and reachable
    Application status:
      global-db-service: JoinedCluster
      wildfire-apps-service: Ready
      global-queue-service: JoinedCluster
      wildfire-management-service: Done
      siggen-db: ReadySlave
    Diag report:
      10.10.10.110: reported leader '10.10.10.100', age 0.
      10.10.10.110: local node passed sanity check.
   The prompt (passive-controller), the Node mode line (controller), and the Application status lines (JoinedCluster, Ready, and siggen-db: ReadySlave) show that the node is in controller mode, is ready, and is the backup (slave) controller node.
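The checks in Step 1 (the appliance is still stand_alone with every service up) and in Steps 5 and 6 (each node is a controller with the expected HA priority and siggen-db role) are done by eye in the guide. When several appliances are being converted, a script that parses the show cluster membership output and reports exactly which line is off is less error-prone. The following is an added example, not code from the WildFire guide or from the WF-500 software; the field names follow the command output shown above, and both embedded sample outputs are constructed from it (the 10.10.10.x addresses are the guide's placeholders). It also unfolds the variant rendering in which a child line is printed on the same line as its parent (Application status: global-db-service: JoinedCluster).

```python
"""Check `show cluster membership` output before and after forming a cluster.

Added example, not from the WildFire guide or the WF-500 software. Field names
follow the command output shown in the guide; both sample outputs below are
constructed from it (the 10.10.10.x addresses are the guide's placeholders).
"""
import re

SERVICES = ("global-db-service", "wildfire-apps-service", "global-queue-service",
            "wildfire-management-service", "siggen-db")
UP = ("Ready", "JoinedCluster", "Done")  # state prefixes that mean "service up"
KV_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_membership(text):
    """Return the fields we verify as a dict; service states under 'services'."""
    m = {"services": {}, "sanity_ok": False}
    for line in (raw.strip() for raw in text.splitlines()):
        if "local node passed sanity check" in line:
            m["sanity_ok"] = True
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue  # e.g. "Agent alive and reachable" or the leader line
        key, value = kv.group(1).strip(), kv.group(2).strip()
        sub = KV_RE.match(value)  # unfold "Application status: x-service: State"
        if key in ("Monitor status", "Application status") and sub:
            key, value = sub.group(1).strip(), sub.group(2).strip()
        if key in SERVICES:
            m["services"][key] = value
        else:
            m[key] = value
    return m


def _service_problems(m):
    problems = []
    if m.get("Serf Health Status") != "passing":
        problems.append("Serf Health Status is not passing")
    for svc in SERVICES:
        state = m["services"].get(svc, "")
        if not state.startswith(UP):
            problems.append(f"{svc} is {state or 'missing'}")
    if not m["sanity_ok"]:
        problems.append("local node did not pass the sanity check")
    return problems


def standalone_problems(m):
    """Step 1 gate: appliance still standalone, not in a cluster, services up."""
    problems = []
    if m.get("Node mode") != "stand_alone":
        problems.append(f"Node mode is {m.get('Node mode')}, expected stand_alone")
    if m.get("Cluster name"):
        problems.append(f"already a member of cluster {m['Cluster name']}")
    return problems + _service_problems(m)


def controller_problems(m, expected_priority):
    """Steps 5 and 6 gate: controller with the expected HA and siggen-db roles."""
    want = "ReadyMaster" if expected_priority == "primary" else "ReadySlave"
    problems = []
    if m.get("Node mode") != "controller":
        problems.append(f"Node mode is {m.get('Node mode')}, expected controller")
    if m.get("HA priority") != expected_priority:
        problems.append(f"HA priority is {m.get('HA priority')}, expected {expected_priority}")
    if m["services"].get("siggen-db") != want:
        problems.append(f"siggen-db is not {want}")
    return problems + _service_problems(m)


STANDALONE_OUTPUT = """\
Cluster name:
Address: 10.10.10.100
Node mode: stand_alone
Monitor status:
  Serf Health Status: passing
Application status:
  global-db-service: ReadyStandalone
  wildfire-apps-service: Ready
  global-queue-service: ReadyStandalone
  wildfire-management-service: Done
  siggen-db: ReadyMaster
Diag report:
  10.10.10.100: local node passed sanity check.
"""

PRIMARY_OUTPUT = """\
Cluster name: mycluster
Address: 10.10.10.100
Node mode: controller
HA priority: primary
Monitor status: Serf Health Status: passing
Application status: global-db-service: JoinedCluster
  wildfire-apps-service: Ready
  global-queue-service: JoinedCluster
  wildfire-management-service: Done
  siggen-db: ReadyMaster
Diag report:
  10.10.10.110: reported leader '10.10.10.100', age 0.
  10.10.10.100: local node passed sanity check.
"""
```

Feed the script the captured output of show cluster membership from each appliance: standalone_problems() must return an empty list before Step 2 is run on that appliance, and controller_problems(m, "primary") and controller_problems(m, "secondary") must return empty lists at Steps 5 and 6 respectively. Any non-empty list names the exact field to look at, which is more useful than a bare pass/fail when a join stalls.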

Step 7: Test the node configuration.
On any one of the controller nodes:
1. Verify that the controller node API keys are viewable globally:
    admin@WF-500(passive-controller)> show wildfire global api-keys all
    Service Summary: wfpc signature
    Cluster name: mycluster
   The API keys for both appliances should be viewable.
2.

Step 8: Manually synchronize the high availability configurations on the controller nodes. Synchronizing the controller nodes ensures that the configurations match and should only need to be done one time. After the high availability configurations are synchronized, the controller nodes keep the configurations synchronized and you do not need to synchronize them again.
1. On the primary controller node, synchronize the high availability configuration to the remote peer controller node:
    admin@WF-500(active-controller)> request high-availability sync-to-remote running-config
   If there is a mismatch between the primary controller node's configuration and the configuration on the controller backup node, the configuration on the primary controller node overrides the configuration on the controller backup node.
2. Commit the configuration:
    admin@WF-500# commit


Step 9: Verify that the cluster is functioning properly.
To verify firewall-related information, you must first connect at least one firewall to a cluster node by selecting Device > Setup > WildFire and editing the General Settings to point to the node.
1. Display the cluster peers to ensure that both controllers are cluster members:
    admin@WF-500(active-controller)> show cluster all-peers
2. Display API keys from both nodes (if you created API keys), from either controller node:
    admin@WF-500(active-controller)> show wildfire global api-keys all
3. Access any sample from either controller node:
    admin@WF-500(active-controller)> show wildfire global sample-status sha256 equal <value>
4. Firewalls can register and upload files to both nodes. Confirm that the firewall is successfully forwarding samples.
5. Both nodes can download and analyze files.
6. All files analyzed after the cluster was created show two storage locations, one on each node.

Step 10: (Optional) Configure a worker node and add it to the cluster. Worker nodes use the controller node's settings so that the cluster has a consistent configuration. You can add up to 18 worker nodes to a cluster for a total of 20 nodes in a cluster.
1. On the primary controller node, add the worker to the controller node's worker list:
    admin@WF-500(active-controller)> configure
    admin@WF-500(active-controller)# set deviceconfig cluster mode controller worker-list <ip>
   The <ip> is the management interface IP address of the worker node you want to add to the cluster. Use separate commands to add each worker node to the cluster.
2. Commit the configuration on the controller node:
    admin@WF-500(active-controller)# commit
3. On the WildFire appliance you want to convert to a cluster worker node, configure the cluster to join, set the cluster communications interface, and place the appliance in worker mode:
    admin@WF-500> configure
    admin@WF-500# set deviceconfig cluster cluster-name <name> interface eth2 mode worker
   The cluster communications interface must be the same interface specified for intra-cluster communications on the controller nodes. In this example, eth2 is the interface configured on the controller nodes for cluster communication.
4. Commit the configuration on the worker node:
    admin@WF-500# commit
5. Wait for all services to come up on the worker node. Run show cluster membership and check the Application status, which shows all services and the siggen-db in a Ready state when all services are up.
6. On either cluster controller node, check to ensure that the worker node was added:
    admin@WF-500> show cluster all-peers
   The worker node you added appears in the list of cluster nodes. If you accidentally added the wrong WildFire appliance to a cluster, you can Remove a Node from a Cluster Locally.

Step 11. Verify the configuration on the worker node.
  1. On the worker node, check to ensure that the Node mode field shows that the node is in worker mode:
     admin@WF-500> show cluster membership
  2. Verify that firewalls can register on the worker node and that the worker node can download and analyze files.
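Step 10 adds workers to the controller one command at a time, and the guide requires every cluster node to have a static IP address in the same subnet and caps a cluster at 18 worker nodes (20 nodes including the two controllers). The following is an added example, not code from the WildFire guide or from Palo Alto Networks: it checks a planned worker list against those stated rules before anything is typed into the controller CLI, then emits the per-worker worker-list commands exactly as Step 10 words them. The controller and worker addresses used in it are constructed for the example.

```python
"""Pre-flight check for a controller's worker-list before adding worker nodes.

Added example; not code from the WildFire guide or from Palo Alto Networks.
Rules encoded are the ones the guide states: every node needs a static IP in
the same subnet, and at most 18 workers (20 nodes with the two controllers).
"""
import ipaddress
from typing import Dict, List

MAX_WORKERS = 18  # 20 nodes per cluster minus the two controller nodes
WORKER_CMD = "set deviceconfig cluster mode controller worker-list {ip}"


def check_worker_list(controller_cidr: str, backup_controller_ip: str,
                      worker_ips: List[str]) -> Dict[str, List[str]]:
    """Return findings keyed by category; every list empty means the plan is clean.

    controller_cidr is the primary controller's management address with prefix
    (constructed example: "192.0.2.10/24"); its network is the subnet that all
    nodes must share.
    """
    primary = ipaddress.ip_interface(controller_cidr)
    backup = ipaddress.ip_address(backup_controller_ip)
    subnet = primary.network
    findings: Dict[str, List[str]] = {
        "invalid": [], "wrong_subnet": [], "duplicate": [],
        "controller": [], "too_many": [],
    }
    if backup not in subnet:
        findings["wrong_subnet"].append(str(backup))
    seen = set()
    for raw in worker_ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            findings["invalid"].append(raw)
            continue
        key = str(ip)
        if ip not in subnet:
            findings["wrong_subnet"].append(key)
        if ip == primary.ip or ip == backup:
            findings["controller"].append(key)  # a controller is never a worker
        elif key in seen:
            findings["duplicate"].append(key)   # would be added twice
        seen.add(key)
    if len(worker_ips) > MAX_WORKERS:
        findings["too_many"].append(
            f"{len(worker_ips)} workers planned, limit is {MAX_WORKERS}")
    return findings


def is_clean(findings: Dict[str, List[str]]) -> bool:
    """True when no category has a finding."""
    return not any(findings.values())


def worker_list_commands(worker_ips: List[str]) -> List[str]:
    """One worker-list command per worker, as Step 10 requires separate commands."""
    return [WORKER_CMD.format(ip=ip) for ip in worker_ips]


if __name__ == "__main__":
    # Constructed plan: two good workers, one in the wrong subnet, one repeat,
    # one unparsable entry and the backup controller listed by mistake.
    planned = ["192.0.2.21", "192.0.2.22", "198.51.100.5",
               "192.0.2.21", "not-an-ip", "192.0.2.11"]
    result = check_worker_list("192.0.2.10/24", "192.0.2.11", planned)
    for category, items in result.items():
        if items:
            print(f"{category}: {items}")
    if is_clean(result):
        print("\n".join(worker_list_commands(planned)))
```

Run it against the real plan, fix every finding, and only then copy the emitted commands into the controller CLI (one per worker, each followed by the commit in Step 10).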

Configure General Cluster Settings Locally

Some general settings are optional and some general settings are prepopulated with default values. It's best to at least check these settings to ensure that the cluster configuration matches your needs. General settings include:
- Connecting to the WildFire public cloud and submitting samples to the public cloud.
- Configuring data retention policies.
- Configuring logging.
- Setting the analysis environment (the VM image that best matches your environment) and customizing the analysis environment to best service the types of samples the firewalls submit to WildFire.
- Setting IP addresses for the DNS server, NTP server, and more.
Configure WildFire settings using the CLI on the cluster's primary controller node. The rest of the cluster nodes use the settings configured on the cluster controller.

Configure General Cluster Settings Locally Using the Primary Controller Node CLI

Step 1. (Optional) Connect the cluster to the WildFire public cloud and configure the cloud services the cluster will use.
If business reasons don't prevent you from connecting the WildFire appliance cluster to the public WildFire cloud, connecting the cluster to the cloud provides benefits such as:
- Using the cloud's resources to perform sample analysis in multiple environments, using different methods.
- Automatically querying the cloud for verdicts before performing local analysis to offload work from the cluster. (Disabled by default.)
- Benefiting from and contributing to the intelligence of the global WildFire community.
The features described in this table row are not cluster-specific. You can also configure these features on standalone WildFire appliances.
  1. Benefit from the intelligence gathered from all connected WildFire appliances:
     admin@WF-500(active-controller)# set deviceconfig setting wildfire cloud-server <hostname-value>
     The default value for the WildFire public cloud server hostname is wildfire-public-cloud. You can Forward Files for WildFire Analysis to any public WildFire cloud.
  2. If you connect the cluster to a WildFire public cloud, configure whether to automatically query the public cloud for verdicts before performing local analysis. Querying the public cloud first reduces the load on the local WildFire cluster:
     admin@WF-500(active-controller)# set deviceconfig setting wildfire cloud-intelligence cloud-query (no | yes)
  3. If you connect the cluster to a WildFire public cloud, configure the types of information for which you want to Submit Locally Discovered Malware or Reports to the WildFire Public Cloud (diagnostic data, XML reports about malware analysis, malware samples). If you send malware samples, the cluster doesn't send reports.
     admin@WF-500(active-controller)# set deviceconfig setting wildfire cloud-intelligence submit-diagnostics (no | yes) submit-report (no | yes) submit-sample (no | yes)

Step 2. (Optional) Configure the controller node as a DNS server for the cluster.
  1. Instead of using an external DNS server, you can configure the controller node to act as the DNS server for the cluster:
     admin@WF-500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

Step 3. (Optional) Configure data retention policies for malicious and benign or grayware samples.
  1. Select the amount of time to retain different types of data:
     admin@WF-500(active-controller)# set deviceconfig setting wildfire file-retention malicious <indefinite | 1-2000> non-malicious <1-90>
     The default for retaining malicious samples is indefinite (do not delete). The default for retaining non-malicious (benign and grayware) samples is 14 days.

Step 4. (Optional) Configure the preferred analysis environment.
  1. If your analysis environment analyzes mostly executable samples or mostly document samples, you can allocate the majority of the cluster resources to analyzing those sample types:
     admin@WF-500(active-controller)# set deviceconfig setting wildfire preferred-analysis-environment (Documents | Executables | default)
     For each WildFire appliance in the cluster:
     - The default option concurrently analyzes 16 documents, 10 portable executables (PE), and 2 email links.
     - The Documents option concurrently analyzes 25 documents, 1 PE, and 2 email links.
     - The Executables option concurrently analyzes 25 PEs, 1 document, and 2 email links.
     You can configure a different preferred analysis environment for each node in the cluster. (If you manage the cluster from Panorama, Panorama can set the analysis environment for the entire cluster.)

Step 5. Configuring settings on a cluster is similar to Configuring the WF-500 Appliance settings.
  1. (Recommended) Reset the admin password.
  2. Configure the management interface settings. Set WildFire appliance cluster node IP addresses and the default gateway. Each WildFire appliance cluster node must have a static IP address in the same subnet. Also set the DNS server IP addresses.
  3. Set the WildFire appliance clock. Set the clock either manually or by specifying NTP servers, and set NTP Server authentication.
  4. Choose the virtual machine image for the appliance to use to analyze files.
  5. (Optional) Allow additional users to manage the WildFire appliance. Add administrator accounts and assign them roles to manage the cluster.
  6. Configure RADIUS authentication for administrator access.

Step 6. Configure node analysis settings.
  1. (Optional) Set Up Content Updates to improve malware analysis.
  2. Set Up the VM Interface to enable the cluster to observe malicious behaviors where the sample being analyzed seeks network access.
  3. (Optional) Enable Local Signature and URL Category Generation to generate DNS and antivirus signatures and URL categories.

Step 7. Configure logging.
  1. Configure WildFire Submissions Log Settings.

Remove a Node from a Cluster Locally

You can remove nodes from a cluster using the local CLI. The procedure to remove a node is different in a two-node cluster than in a cluster with three or more nodes.

Remove a Node from a Cluster Locally on WildFire Appliances

Remove a worker node from a cluster with three or more nodes.
  1. Decommission the worker node from the worker node's CLI:
     admin@WF-500> request cluster decommission start
     The decommission command only works with clusters that have three or more nodes. Do not use decommission to remove a node in a two-node cluster.
  2. Confirm that decommissioning the node was successful:
     admin@WF-500> show cluster membership
     This command reports decommission: success after the worker node is removed from the cluster. If the command does not display successful decommission, wait a few minutes to allow the decommission to finish and then run the command again.
  3. Check that all processes are running:
     admin@WF-500> show system software status

Remove a controller node from a two-node cluster.
Each cluster must have two controller nodes in a high availability configuration under normal conditions. However, maintenance or swapping out controller nodes may require removing a controller node from a cluster using the CLI:
  1. On the controller node you want to remove, delete the high availability configuration. This example shows removing the controller backup node:
     admin@WF-500(passive-controller)> configure
     admin@WF-500(passive-controller)# delete deviceconfig high-availability
  2. Delete the cluster configuration:
     admin@WF-500(passive-controller)# delete deviceconfig cluster
  3. Commit the configuration:
     admin@WF-500(passive-controller)# commit
  4. Wait for services to come back up. Run show cluster membership and check the Application status, which shows all services and the siggen-db in a Ready state when all services are up. The Node mode should be stand_alone.
  5. On the remaining cluster node, check to ensure that the node was removed:
     admin@WF-500(active-controller)> show cluster all-peers
     The controller node you removed does not appear in the list of cluster nodes.
  6. If you have another WildFire appliance ready, add it to the cluster as soon as possible to restore high availability (Configure a Cluster and Add Nodes Locally).
     If you do not have another WildFire appliance ready to replace the removed cluster node, you should remove the high availability and cluster configurations from the remaining cluster node because one-node clusters are not recommended and do not provide high availability. It is better to manage a single WildFire appliance as a standalone appliance, not as a one-node cluster.
     To remove the high availability and cluster configurations from the remaining node (in this example, the primary controller node):
     admin@WF-500(active-controller)> configure
     admin@WF-500(active-controller)# delete deviceconfig high-availability
     admin@WF-500(active-controller)# delete deviceconfig cluster
     admin@WF-500(active-controller)# commit
     Wait for services to come back up. Run show cluster membership and check the Application status, which shows all services and the siggen-db in a Ready state when all services are up. The Node mode should be stand_alone.

Upgrade WildFire Appliances in a Cluster

You can use the CLI to upgrade WildFire appliances enrolled in a cluster individually, or use Panorama to upgrade the cluster as a group.
Depending on the number of samples the WildFire appliance has analyzed and stored, the time required to upgrade the appliance software varies; this is because upgrading requires the migration of all malware samples and 14 days of benign samples. Allow 30 to 60 minutes for each WildFire appliance that you have used in a production environment.

Palo Alto Networks recommends running the same version of the operating system across all nodes in a cluster.
Panorama can manage WildFire appliances and appliance clusters running PAN-OS software versions 8.0.1 or later.
Ensure the devices are connected to a reliable power source. A loss of power during an upgrade can make the devices unusable.

Depending on your deployment, perform one of the following tasks to upgrade your WildFire cluster:
- Upgrade a Cluster Locally
- Upgrade a Cluster Centrally on Panorama with an Internet Connection
- Upgrade a Cluster Centrally on Panorama without an Internet Connection

Upgrade a Cluster Locally

To upgrade a cluster locally, you must individually upgrade each WildFire appliance enrolled in a cluster. When an appliance finishes upgrading, it automatically re-enrolls into the cluster that it was originally assigned to.

Upgrade WildFire Appliances in a Cluster Locally Using the WildFire appliance CLI

Step 1. Temporarily suspend sample analysis.
  1. Stop firewalls from forwarding any new samples to the WildFire appliance.
     a. Log in to the firewall web interface.
     b. Select Device > Setup > WildFire and edit General Settings.
     c. Clear the WildFire Private Cloud field.
     d. Click OK and Commit.
  2. Confirm that analysis for samples the firewalls already submitted to the appliance is complete:
     admin@WF-500(passive-controller)> show wildfire latest samples
     If you do not want to wait for the WildFire appliance to finish analyzing recently submitted samples, you can continue to the next step. However, consider that the WildFire appliance then drops pending samples from the analysis queue.

Step 2. Install the latest WildFire appliance content update.
These updates equip the appliance with the latest threat information to accurately detect malware.
     admin@WF-500(passive-controller)> request wf-content upgrade install version latest

Step 3. Download the PAN-OS 8.0.2 software version to the WildFire appliance.
You cannot skip any major release versions when upgrading the WildFire appliance. For example, if you want to upgrade from PAN-OS 6.1 to PAN-OS 7.1, you must first download and install PAN-OS 7.0.
     Download the 8.0.2 software version:
     admin@WF-500(passive-controller)> request system software download version 8.0.2
     To check the status of the download, use the following command:
     admin@WF-500(passive-controller)> show jobs all

Step 4. Confirm that all services are running.
     admin@WF-500(passive-controller)> show system software status

Step 5. Install the 8.0.2 software version.
     admin@WF-500(passive-controller)> request system software install version 8.0.2

Step 6. Complete the software upgrade.
  1. Confirm that the upgrade is complete. Run the following command and look for the job type Install and status FIN:
     admin@WF-500(passive-controller)> show jobs all

     Enqueued Dequeued ID Type Status Result Completed
     ----------------------------------------------------
     14:53:15 14:53:15 5 Install FIN OK 14:53:19
  2. Gracefully restart the appliance:
     admin@WF-500(passive-controller)> request cluster reboot-local-node
     The upgrade process could take 10 minutes or over an hour, depending on the number of samples stored on the WildFire appliance.

Step 7. Repeat steps 1-7 for each WildFire worker node in the cluster.

Step 8. (Optional) View the status of the reboot tasks on the WildFire controller node.
  1. On the WildFire cluster controller node, run the following command and look for the job type Install and status FIN:
     admin@WF-500(active-controller)> show cluster task pending

Step 9. Check that the WildFire appliance is ready to resume sample analysis.
  1. Verify that the sw-version field shows 8.0.2:
     admin@WF-500(passive-controller)> show system info | match sw-version
  2. Confirm that all processes are running:
     admin@WF-500(passive-controller)> show system software status
  3. Confirm that the autocommit (AutoCom) job is complete:
admin@WF-500(passive-controller)> show jobs all
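The checks in Steps 6 and 9 come down to reading two pieces of CLI output: the job table from show jobs all (type Install with status FIN after the install, the AutoCom job after the reboot) and the sw-version line from show system info. The following is an added example, not code from the WildFire guide or from Palo Alto Networks: it parses captured output of those commands and reports whether a node is ready to resume analysis. The column layout of the job table follows the sample printed in Step 6; the "sw-version: <version>" line format, the AutoCom status values, and the sample outputs themselves are constructed assumptions, and the show system software status check is not covered because the guide does not show its output format.

```python
"""Post-upgrade readiness checks for a WildFire appliance from captured CLI output.

Added example; not code from the WildFire guide or from Palo Alto Networks.
The job-table layout follows the sample in Step 6 of the guide; the
`sw-version: <version>` line format and the AutoCom status values are
assumptions, and the sample outputs below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `show jobs all`: the Install row is the one the guide
# shows in Step 6; the AutoCom row (still active, result pending) is assumed.
SAMPLE_JOBS = """\
Enqueued Dequeued ID Type Status Result Completed
----------------------------------------------------
14:53:15 14:53:15 5 Install FIN OK 14:53:19
14:55:02 14:55:02 6 AutoCom ACT PEND
"""

# Constructed sample of `show system info | match sw-version` (assumed format).
SAMPLE_SYSINFO = "sw-version: 8.0.2\n"


@dataclass(frozen=True)
class Job:
    job_id: int
    job_type: str
    status: str
    result: str


def parse_jobs(output: str) -> List[Job]:
    """Parse the whitespace-separated job table into Job records.

    The header line and the dashed rule are skipped because their third field
    is not an integer; the same test discards prompts and blank lines.
    """
    jobs = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[2].isdigit():
            continue
        jobs.append(Job(int(fields[2]), fields[3], fields[4], fields[5]))
    return jobs


def job_finished_ok(output: str, job_type: str) -> bool:
    """True when the newest job of `job_type` (highest ID) is FIN with result OK.

    The guide says to look for type Install with status FIN after the install
    and to confirm the AutoCom job after the reboot; one check serves both.
    """
    matching = [j for j in parse_jobs(output) if j.job_type == job_type]
    if not matching:
        return False
    newest = max(matching, key=lambda j: j.job_id)
    return newest.status == "FIN" and newest.result == "OK"


def running_version(output: str) -> Optional[str]:
    """Extract the version string from the `sw-version:` line, or None if absent."""
    match = re.search(r"sw-version:\s*([0-9][0-9.a-z-]*)", output)
    return match.group(1) if match else None


def ready_to_resume(jobs_output: str, sysinfo_output: str, expected: str) -> bool:
    """Combine the Step 9 checks: expected sw-version, Install done, AutoCom done."""
    return (running_version(sysinfo_output) == expected
            and job_finished_ok(jobs_output, "Install")
            and job_finished_ok(jobs_output, "AutoCom"))


if __name__ == "__main__":
    for job in parse_jobs(SAMPLE_JOBS):
        print(job)
    print("Install finished:", job_finished_ok(SAMPLE_JOBS, "Install"))     # True
    print("AutoCom finished:", job_finished_ok(SAMPLE_JOBS, "AutoCom"))     # False
    print("ready:", ready_to_resume(SAMPLE_JOBS, SAMPLE_SYSINFO, "8.0.2"))  # False
```

Using the highest job ID rather than the first match matters on an appliance that has been upgraded before: older Install rows with FIN OK stay in the table, and only the newest one describes the upgrade just performed.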

Upgrade a Cluster Centrally on Panorama with an Internet Connection

WildFire appliances in a cluster can be upgraded in parallel when they are managed by Panorama. If Panorama has a direct connection to the Internet, you can check for and download new releases directly from Panorama.

Panorama can only manage WildFire appliances and appliance clusters operating the same software version or a later software version.

Install WildFire Software Upgrades in a Cluster using Panorama with Internet Access

Step 1. Upgrade Panorama to an equal or later release than the target software release you want to install on the WildFire cluster.
  1. For information on upgrading Panorama, refer to: Install Content and Software Updates for Panorama.

Step 2. Temporarily suspend sample analysis.
  1. Stop firewalls from forwarding any new samples to the WildFire appliance.
     a. Log in to the Panorama web interface.
     b. Select Device > Setup > WildFire and edit General Settings.
     c. Clear the WildFire Private Cloud field.
     d. Click OK and Commit.
  2. Confirm that analysis for samples the firewalls already submitted to the appliance is complete:
     a. Log in to the Panorama web interface.
     b. Select Panorama > Managed WildFire Clusters and View the cluster analysis environment Utilization.
     c. Verify that the Virtual Machine Usage does not show any sample analysis in progress.
     If you do not want to wait for the WildFire appliance to finish analyzing recently submitted samples, you can continue to the next step. However, consider that the WildFire appliance then drops pending samples from the analysis queue.

Step 3. Install the latest WildFire appliance content updates.
These updates equip the appliance with the latest threat information to accurately detect malware.
You must install content updates before installing software upgrades. Refer to the Release Notes for the minimum content release version you must install for a Panorama release.
  1. Download the WildFire content update:
     a. Select Panorama > Device Deployment > Dynamic Updates.
     b. Select a WildFire content update release package and click Download.
  2. Click Install.
  3. Select the WildFire cluster(s) or individual appliances that you want to upgrade.
  4. Click OK to start the installation.

Step 4. Download the PAN-OS software version to the WildFire appliance.
You cannot skip any major release versions when upgrading the WildFire appliance. For example, if you want to upgrade from PAN-OS 6.1 to PAN-OS 7.1, you must first download and install PAN-OS 7.0.
  1. Download the WildFire software upgrade:
     a. Select Panorama > Device Deployment > Software.
     b. Click Check Now to retrieve an updated list of releases.
     c. Select the WildFire release that you wish to install and click Download.
     d. Click Close to exit the Download Software window.
  2. Click Install.
  3. Select the WildFire cluster(s) that you want to upgrade.
  4. Select an install mode:
     - (8.0.2 and later) Select Reboot device after install.
     - (8.0.1 only) Select Upload only.
  5. Click OK to start the installation.
  6. (Optional) Monitor installation progress on Panorama.
  7. (8.0.1 only) After the upgrade package finishes uploading, install the upgrade on each node:
     a. admin@WF-500(passive-controller)> request system software install version 8.0.2
     b. Confirm that the upgrade is complete. Run the following command and look for the job type Install and status FIN:
        admin@WF-500(passive-controller)> show jobs all
        Enqueued Dequeued ID Type Status Result Completed
        ----------------------------------------------------
        14:53:15 14:53:15 5 Install FIN OK 14:53:19
     c. Gracefully restart the appliance:
        admin@WF-500(passive-controller)> request cluster reboot-local-node
        The upgrade process could take 10 minutes or over an hour, depending on the number of samples stored on the WildFire appliance.
     d. Repeat step 7 for each WildFire worker node in the cluster.

Step 5. (Optional) View the status of the reboot tasks on the WildFire controller node.
  1. On the WildFire cluster controller node, run the following command and look for the job type Install and status FIN:
     admin@WF-500(active-controller)> show cluster task pending

Step 6. Check that the WildFire appliance is ready to resume sample analysis.
  1. Verify that the sw-version field shows 8.0.2:
     admin@WF-500(passive-controller)> show system info | match sw-version
  2. Confirm that all processes are running:
     admin@WF-500(passive-controller)> show system software status
  3. Confirm that the autocommit (AutoCom) job is complete:
     admin@WF-500(passive-controller)> show jobs all

Upgrade a Cluster Centrally on Panorama without an Internet Connection

WildFire appliances in a cluster can be upgraded in parallel when they are managed by Panorama. If Panorama does not have a direct connection to the Internet, you must download the software content and updates from the Palo Alto Networks Support site and host them on an internal server before they can be distributed by Panorama.

Panorama can only manage WildFire appliances and appliance clusters operating the same software version or a later software version.

Install WildFire Software Upgrades in a Cluster Using Panorama without Internet Access

Step 1. Upgrade Panorama to an equal or later release than the target software release you want to install on the WildFire cluster.
  1. For information on upgrading Panorama, refer to: Install Content and Software Updates for Panorama.

Step 2. Temporarily suspend sample analysis.
  1. Stop firewalls from forwarding any new samples to the WildFire appliance.
     a. Log in to the Panorama web interface.
     b. Select Device > Setup > WildFire and edit General Settings.
     c. Clear the WildFire Private Cloud field.
     d. Click OK and Commit.
  2. Confirm that analysis for samples the firewalls already submitted to the appliance is complete:
     a. Log in to the Panorama web interface.
     b. Select Panorama > Managed WildFire Clusters and View the cluster analysis environment Utilization.
     c. Verify that the Virtual Machine Usage does not show any sample analysis in progress.
     If you do not want to wait for the WildFire appliance to finish analyzing recently submitted samples, you can continue to the next step. However, consider that the WildFire appliance then drops pending samples from the analysis queue.

Step 3. Download the WildFire content and software updates to a host that has Internet access. Panorama must have access to the host.
  1. Use a host with Internet access to log in to the Palo Alto Networks Customer Support website.
  2. Download content updates:
     a. Click Dynamic Updates in the Tools section.
     b. Download the desired content update and save the file to the host. Perform this step for each content type you will update.
  3. Download software updates:
     a. Return to the main page of the Palo Alto Networks Customer Support website and click Software Updates in the Tools section.
     b. Review the Download column to determine the version to install. The filename of the update package indicates the model and release of the upgrade: WildFire_<release>.
     c. Click the filename and save the file to the host.

Step 4. Install the latest WildFire appliance content updates.
These updates equip the appliance with the latest threat information to accurately detect malware.
You must install content updates before installing software upgrades. Refer to the Release Notes for the minimum content release version you must install for a Panorama release.
  1. Download the WildFire content update:
     a. In Panorama, select Panorama > Device Deployment > Dynamic Updates.
     b. Click Upload, select the content Type, Browse to the WildFire content update file, and click OK.
     c. Click Install From File, select the package Type, the File Name, and the WildFire appliances in the cluster that you want to upgrade, then click OK.
  2. Click OK to start the installation.

Step 5. Download the PAN-OS software version to the WildFire appliance.
You cannot skip any major release versions when upgrading the WildFire appliance. For example, if you want to upgrade from PAN-OS 6.1 to PAN-OS 7.1, you must first download and install PAN-OS 7.0.
  1. Download the WildFire software upgrade:
     a. Select Panorama > Device Deployment > Software.
     b. Click Check Now to retrieve an updated list of releases.
     c. Select the WildFire release that you wish to install and click Download.
     d. Click Close to exit the Download Software window.
  2. Click Install.
  3. Select the WildFire cluster(s) or individual appliances that you want to upgrade.
  4. Select an install mode:
     - (8.0.2 and later) Select Reboot device after install.
     - (8.0.1 only) Select Upload only.
  5. Click OK to start the installation.
  6. (Optional) Monitor installation progress on Panorama.
  7. (8.0.1 only) After the upgrade package finishes uploading, install the upgrade on each node:
     a. admin@WF-500(passive-controller)> request system software install version 8.0.2
     b. Confirm that the upgrade is complete. Run the following command and look for the job type Install and status FIN:
        admin@WF-500(passive-controller)> show jobs all
        Enqueued Dequeued ID Type Status Result Completed
        ----------------------------------------------------
        14:53:15 14:53:15 5 Install FIN OK 14:53:19
     c. Gracefully restart the appliance:
        admin@WF-500(passive-controller)> request cluster reboot-local-node
        The upgrade process could take 10 minutes or over an hour, depending on the number of samples stored on the WildFire appliance.
     d. Repeat step 7 for each WildFire worker node in the cluster.

Step 6. (Optional) View the status of the reboot tasks on the WildFire controller node.
  1. On the WildFire cluster controller node, run the following command and look for the job type Install and status FIN:
     admin@WF-500(active-controller)> show cluster task pending

Step 7. Check that the WildFire appliance is ready to resume sample analysis.
  1. Verify that the sw-version field shows 8.0.2:
     admin@WF-500(passive-controller)> show system info | match sw-version
  2. Confirm that all processes are running:
     admin@WF-500(passive-controller)> show system software status
  3. Confirm that the autocommit (AutoCom) job is complete:
     admin@WF-500(passive-controller)> show jobs all

Configure a Cluster Centrally on Panorama

Before you configure a WildFire appliance cluster on a Panorama M-Series or virtual appliance, have two WildFire appliances available to configure as a high availability controller node pair and any additional WildFire appliances needed to serve as worker nodes to increase the analysis, storage capacity, and resiliency of the cluster.
If the WildFire appliances are new, check Get Started with WildFire to ensure that you complete basic steps such as confirming your WildFire license is active, enabling logging, connecting firewalls to WildFire appliances, and configuring basic WildFire features.

To create WildFire appliance clusters, you must upgrade all of the WildFire appliances that you want to place in a cluster to PAN-OS 8.0.1 or later. If you use Panorama to manage WildFire appliance clusters, Panorama also must run PAN-OS 8.0.1 or later. On each WildFire appliance that you want to add to a cluster, run show system info | match version on the WildFire appliance CLI to ensure that the appliance is running PAN-OS 8.0.1 or later. On each Panorama appliance you use to manage clusters (or standalone appliances), Dashboard > General Information > Software Version displays the running software version.

When your WildFire appliances are available, perform the appropriate tasks:
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management

Removing a node from a cluster using Panorama is not supported. Instead, Remove a Node from a Cluster Locally using the local WildFire CLI.

Configure a Cluster and Add Nodes on Panorama

Before configuring a WildFire appliance cluster from Panorama, you must upgrade Panorama to 8.0.1 or later and upgrade all WildFire appliances you plan to add to the cluster to 8.0.1 or later. All WildFire appliances must run the same version of PAN-OS.
You can manage up to 200 WildFire appliances with a Panorama M-Series or virtual appliance. The 200 WildFire appliance limit is the combined total of standalone appliances and WildFire appliance cluster nodes (if you also Add Standalone WildFire Appliances to Manage with Panorama). Except where noted, configuration takes place on Panorama.

Each WildFire appliance cluster node must have a static IP address in the same subnet and have low-latency connections.

Configure a Cluster Using a Panorama M-Series or Virtual Appliance

Step 1. Using the local CLI, configure the IP address of the Panorama server that will manage the WildFire appliance cluster.
Before you register cluster or standalone WildFire appliances to a Panorama appliance, you must first configure the Panorama IP address or FQDN on each WildFire appliance using the local WildFire CLI. This is how each WildFire appliance knows which Panorama appliance manages it.
  1. On each WildFire appliance, configure the IP address or FQDN of the primary Panorama appliance's management interface:
     admin@WF-500# set deviceconfig system panorama-server <ip-address | FQDN>
  2. On each WildFire appliance, if you use a backup Panorama appliance for high availability (recommended), configure the IP address or FQDN of the backup Panorama appliance's management interface:
     admin@WF-500# set deviceconfig system panorama-server-2 <ip-address | FQDN>
  3. Commit the configuration on each WildFire appliance:
     admin@WF-500# commit

Step 2. On the primary Panorama appliance, Register the WildFire appliances.
The newly registered appliances are in standalone mode unless they already belong to a cluster due to local cluster configuration.
  1. Select Panorama > Managed WildFire Appliances and Add Appliance.
  2. Enter the serial number of each WildFire appliance on a separate line. If you do not have a list of WildFire appliance serial numbers, using the local CLI, run show system info on each WildFire appliance to obtain the serial number.
  3. Click OK.
     If it is available, information about configuration that is already committed on the WildFire appliances displays, such as IP address and software version. WildFire appliances that already belong to a cluster (for example, because of local cluster configuration) display their cluster information and connection status.

Step 3. (Optional) Import WildFire appliance configurations into the Panorama appliance.
Importing configurations saves time because you can reuse or edit the configurations on Panorama and then push them to one or more WildFire appliance clusters or standalone WildFire appliances. If there are no configurations you want to import, skip this step. When you push a configuration from Panorama, the pushed configuration overwrites the local configuration.
  1. Select Panorama > Managed WildFire Appliances, and select the appliances that have configurations you want to import from the list of managed WildFire appliances.
  2. Import Config.
  3. Select Yes.
     Importing configurations updates the displayed information and makes the imported configurations part of the Panorama appliance candidate configuration.
  4. Commit to Panorama to make the imported WildFire appliance configurations part of the Panorama running configuration.

Step 4. Create a new WildFire appliance cluster.
  1. Select Managed WildFire Clusters.
     Appliance > No Cluster Assigned displays standalone WildFire appliances (nodes) and indicates how many available nodes are not assigned to a cluster.
  2. Create Cluster.
  3. Enter an alphanumeric cluster Name of up to 63 characters in length. The Name can contain lowercase characters and numbers, and hyphens and periods if they are not the first or last character. No spaces or other characters are allowed.
  4. Click OK.
     The new cluster name displays but has no assigned WildFire nodes.
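The naming rules in item 3 of Step 4 are easy to get wrong when cluster names are generated by an automation system rather than typed into the Panorama form. The following is an added example, not code from the WildFire guide or from Panorama: a validator that encodes exactly the rules stated above (at most 63 characters; lowercase letters and digits; hyphens and periods allowed except as the first or last character; nothing else) and reports every violated rule rather than just the first. Rejecting an empty name is an assumption, since the guide states no minimum length.

```python
"""Validate a WildFire appliance cluster name against the rules in Step 4.

Added example; not code from the WildFire guide or from Panorama.  It encodes
only the stated rules.  Treating an empty name as invalid is an assumption.
"""
from typing import List

MAX_LEN = 63
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789.-")
EDGE_FORBIDDEN = ".-"   # permitted inside the name, not at either end


def cluster_name_errors(name: str) -> List[str]:
    """Return every rule the name breaks; an empty list means the name is valid."""
    if not name:
        return ["name is empty"]   # assumption: the guide gives no minimum length
    errors = []
    if len(name) > MAX_LEN:
        errors.append(f"length {len(name)} exceeds {MAX_LEN}")
    bad = sorted(set(name) - ALLOWED)   # uppercase, spaces, underscores, etc.
    if bad:
        errors.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    if name[0] in EDGE_FORBIDDEN or name[-1] in EDGE_FORBIDDEN:
        errors.append("hyphen or period cannot be the first or last character")
    return errors


def is_valid_cluster_name(name: str) -> bool:
    """True when the name satisfies every rule."""
    return not cluster_name_errors(name)


if __name__ == "__main__":
    # Constructed candidates, valid and invalid.
    for candidate in ["mycluster", "wf-cluster.site1", "MyCluster",
                      "-cluster", "my cluster", "a" * 64]:
        print(f"{candidate[:20]!r}: {cluster_name_errors(candidate) or 'valid'}")
```

Reporting all violations at once is deliberate: an operator fixing a name produced by a naming convention (site code, environment, sequence number) wants to see the length problem and the uppercase problem together rather than resubmitting once per rule.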

Step 5. Add WildFire appliances to the new cluster.
The first WildFire appliance added to the cluster automatically becomes the controller node, and the second WildFire appliance added to the cluster automatically becomes the controller backup node. All subsequent WildFire appliances added to the cluster become worker nodes. Worker nodes use the controller node settings so that the cluster has a consistent configuration.
  1. Select the new cluster.
  2. Select Clustering.
  3. Browse the list of WildFire appliances that do not belong to clusters.
  4. Add each WildFire appliance you want to include in the cluster. You can add up to twenty nodes to a cluster. Each WildFire appliance that you add to the cluster is displayed along with its automatically assigned role.
  5. Click OK.

Step 6. Configure the Management, Analysis Environment Network, HA, and cluster management interfaces.
Configure the Management, Analysis Environment Network, and cluster management interfaces on each cluster member (controller and worker nodes) if they are not already configured. The cluster management interface is a dedicated interface for management and communication within the cluster and is not the same as the Management interface.
Configure the HA interfaces individually on both the controller node and the controller backup node. The HA interfaces connect the primary and backup controller nodes and enable them to remain in sync and ready to respond to a failover.
Cluster nodes need IP addresses for each of the four WildFire appliance interfaces. You cannot configure HA services on worker nodes.
  1. Select the new cluster.
  2. Select Clustering.
  3. If the management interface is not configured on a cluster node, select Interface Name > Management and enter the IP address, netmask, services, and other information for the interface.
  4. If the interface for the Analysis Environment Network is not configured on a cluster node, select Interface Name > Analysis Environment Network and enter the IP address, netmask, services, and other information for the interface.
  5. On both the controller node and controller backup node, select the interface to use for the HA control link. You must configure the same interface on both controller nodes for the HA service. For example, on the controller node and then on the controller backup node, select Ethernet3.
  6. For each controller node, select Clustering Services > HA. (The HA option is not available for worker nodes.) If you also want the ability to ping the interface, select Management Services > Ping.
  7. Click OK.
  8. (Recommended) Select the interface to use as the backup HA control link between the controller node and the controller backup node. You must use the same interface on both nodes for the HA backup service. For example, on both nodes, select Management.
     Select Clustering Services > HA Backup for both nodes. You can also select Ping, SSH, and SNMP if you want those Management Services on the interface.
     The Analysis Environment Network interface cannot be an HA or HA Backup interface or a cluster management interface.
  9. Select the dedicated interface to use for management and communication within the cluster. You must use the same interface on both nodes, for example, Ethernet2.
  10. Select Clustering Services > Cluster Management for both nodes. If you also want the ability to ping on the interface, select Management Services > Ping.
      Worker nodes in the cluster automatically inherit the controller node's settings for the dedicated management and communication interface.

Step 7: Commit the configuration on the Panorama appliance and push it to the cluster.
1. Commit and Push.
2. If there are configurations on the Panorama appliance that you do not want to push, Edit Selections to choose the appliances to which you push configurations. The pushed configuration overwrites the running configuration on the cluster nodes so that all cluster nodes run the same configuration.


Step 8: Verify the configuration.
1. Select Panorama > Managed WildFire Clusters.
2. Check the following fields:
Appliance: Instead of displaying as standalone appliances, the WildFire nodes added to the cluster display under the cluster name.
Cluster Name: The cluster name displays for each node.
Role: The appropriate role (Controller, Controller Backup, or Worker) displays for each node.
Config Status: Status is In Sync.
Last Commit State: Commit succeeded.

Step 9: Using the local CLI on the primary controller node (not the Panorama web interface), check to ensure that the configurations are synchronized.
If they are not synchronized, manually synchronize the high availability configurations on the controller nodes and commit the configuration. Even though you can perform most other configuration on Panorama, synchronizing the controller node high availability configurations must be done on the primary controller node's CLI.
1. On the primary controller node, check to ensure that the configurations are synchronized:
admin@WF-500(active-controller)> show high-availability all
At the end of the output, look for the Configuration Synchronization output:
Configuration Synchronization:
    Enabled: yes
    Running Configuration: synchronized
If the running configuration is synchronized, you do not need to manually synchronize the configuration. However, if the configuration is not synchronized, you need to synchronize the configuration manually.
2. If the configuration is not synchronized, on the primary controller node, synchronize the high availability configuration to the remote peer controller node:
admin@WF-500(active-controller)> request high-availability sync-to-remote running-config
If there is a mismatch between the primary controller node's configuration and the configuration on the controller backup node, the configuration on the primary controller node overrides the configuration on the controller backup node. The sync is one-way, so confirm that the prompt shows (active-controller) before you run it; running it on the wrong node pushes the backup node's configuration over the primary's.
3. Commit the configuration:
admin@WF-500# commit
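The check in this step is easy to script once the CLI output has been captured (for example from an SSH session driven by a configuration-management job). The following Python is an added example and is not part of this guide or the product: it parses the Configuration Synchronization block shown in substep 1 and returns the action the step calls for. The sample output strings are constructed for the example, transport to the appliance is left to the caller, and the command names are the ones shown in this step.

```python
import re

SYNC_CMD = "request high-availability sync-to-remote running-config"

# Constructed tail of `show high-availability all` output. The real output
# has many more lines above this block; the parser only needs the block.
IN_SYNC = """\
Configuration Synchronization:
    Enabled: yes
    Running Configuration: synchronized
"""
OUT_OF_SYNC = IN_SYNC.replace("Running Configuration: synchronized",
                              "Running Configuration: not synchronized")
SYNC_DISABLED = IN_SYNC.replace("Enabled: yes", "Enabled: no")

_BLOCK = re.compile(r"Configuration Synchronization:\s*\n(.*)", re.S)
_ENABLED = re.compile(r"^\s*Enabled:\s*(\S+)", re.M)
_RUNNING = re.compile(r"^\s*Running Configuration:\s*(.+?)\s*$", re.M)


def parse_config_sync(output):
    """Return {'enabled': bool, 'synchronized': bool} from the CLI output.

    Raises ValueError when the block is missing or incomplete, so that a
    truncated session log is never mistaken for an in-sync pair.
    """
    m = _BLOCK.search(output)
    if not m:
        raise ValueError("no 'Configuration Synchronization' block in output")
    body = m.group(1)
    enabled, running = _ENABLED.search(body), _RUNNING.search(body)
    if not enabled or not running:
        raise ValueError("'Configuration Synchronization' block is incomplete")
    return {
        "enabled": enabled.group(1).lower() == "yes",
        # exact comparison: 'not synchronized' also contains 'synchronized'
        "synchronized": running.group(1).strip().lower() == "synchronized",
    }


def next_action(output):
    """Map the parsed state to the operator action described in Step 9."""
    state = parse_config_sync(output)
    if not state["enabled"]:
        return "configuration synchronization is disabled; fix HA settings first"
    if state["synchronized"]:
        return "nothing to do: running configuration is synchronized"
    # One-way sync: the node you run this on overwrites its peer, so only run
    # it on the primary controller (prompt shows 'active-controller').
    return f"on the primary controller run: {SYNC_CMD}, then commit"


def has_sync_block(output):
    """True if the output contains a parseable Configuration Synchronization block."""
    try:
        parse_config_sync(output)
        return True
    except ValueError:
        return False
```

Refusing to parse rather than defaulting to "synchronized" is the important design choice: a job that loses the tail of the output should fail loudly, not silently skip the manual sync.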

Configure General Cluster Settings on Panorama

Some general settings are optional and some general settings are prepopulated with default values. It's best to at least check these settings to ensure that the cluster configuration matches your needs. General settings include:
Connecting to the WildFire public cloud and submitting samples to the public cloud.
Configuring data retention policies.
Configuring logging.
Setting the analysis environment (the VM image that best matches your environment) and customizing the analysis environment to best service the types of samples the firewalls submit to WildFire.
Setting IP addresses for the DNS server, NTP server, and more.

Configure General Cluster Settings Using a Panorama M-Series or Virtual Appliance

Step 1: Configure general cluster settings.
Many settings are prepopulated with either defaults, information from previously existing settings on the controller node, or the settings you just configured.
1. Select the new cluster > General.
2. (Optional) Enable DNS for the controller node to provide DNS services to the cluster. The cluster controller provides DNS services on the management (MGT) interface port.
3. Register Firewall To the cluster domain name. Use the form:
wfpc.service.<cluster-name>.<domain>
For example, a cluster named mycluster in the paloaltonetworks.com domain would have the domain name:
wfpc.service.mycluster.paloaltonetworks.com
4. Enter the Content Update Server for the cluster. Use the default updates.paloaltonetworks.com FQDN to connect to the closest server. Check Server Identity confirms the update server identity by matching the common name (CN) in the certificate with the IP address or FQDN of the server. It is enabled by default; leave it enabled so that a host impersonating the update server cannot deliver content to the cluster.
5. (Optional) Enter the public WildFire Cloud Server location or use the default wildfire.paloaltonetworks.com so that the cluster (or a standalone appliance managed by Panorama) can send information to the closest WildFire cloud server. If you leave this field blank and do not connect to a WildFire cloud server, the cluster can't receive signature updates directly from the WildFire public cloud, and can't send samples for analysis or contribute data to the public cloud.
6. If you connect the cluster to the public WildFire cloud, select the cloud services you want to enable:
Send Analysis Data: Send an XML report about local malware analysis. If you send the actual samples, the cluster doesn't send reports.
Send Malicious Samples: Send malware samples.
Send Diagnostics: Send diagnostic data.
Verdict Lookup: Automatically query the WildFire public cloud for verdicts before performing local analysis to reduce the load on the local WildFire appliance cluster.
7. Select the Sample Analysis Image to use, based on the types of samples the cluster will analyze.
8. Configure the amount of time for the cluster to retain Benign/Grayware sample data (1 to 90 days, 14 days by default) and Malicious sample data (minimum 1 day, no maximum; the default is indefinite). Malicious sample data includes phishing verdicts.
9. (Optional) Select Preferred Analysis Environment to allocate more resources to Executables or Documents, depending on your environment. The Default allocation is balanced between Executables and Documents. The available resource amount depends on the number of WildFire nodes in the cluster.


Step 2: Check to ensure that the primary and backup Panorama servers are configured.
If you did not configure a backup Panorama server and want to do so, you can add the backup Panorama server here.
1. Select the cluster.
2. Select Appliance.
3. Check (or enter) the IP address or FQDN of the primary Panorama Server and of the backup Panorama Server 2 if you are using a high availability configuration for centralized cluster management.

Step 3: Configure settings for the WildFire appliance cluster nodes.
Many settings are prepopulated with either defaults, information from previously existing settings on the controller node, or the settings you just configured.
1. Select the cluster.
2. Select Appliance.
3. Enter new information, keep the prepopulated information from the cluster controller node, or edit the prepopulated information, including:
Domain name.
IP address of the Primary DNS Server and the Secondary DNS Server.
NTP Server Address and Authentication Type of the Primary NTP Server and the Secondary NTP Server. The Authentication Type options are None, Symmetric Key, and AutoKey. Use an authenticated type where your time servers support it: unauthenticated time is an easy way to skew certificate validation and log timestamps on the cluster.

Step 4: (Optional) Configure system and configuration log settings for the cluster, including log forwarding.
1. Select the cluster.
2. Select Logging.
3. Select System or Configuration to configure a system or configuration log, respectively. The process for configuring them is similar.
4. Add and Name the log forwarding instance, select the Filter, and configure the Forward Method (SNMP, Email, Syslog, or HTTP).

Step 5: Configure administrator authentication.
1. Select the cluster.
2. Select Authentication.
3. Select the Authentication Profile, either None or radius. RADIUS is the only supported external authentication method.
4. Set the Local Authentication mode for admin users as either Password or Password Hash, and enter the Password.

Step 6: Commit the configuration on the Panorama appliance and push it to the cluster.
1. Commit and Push.
2. If there are configurations on the Panorama appliance that you do not want to push, Edit Selections to choose the appliances to which you push configurations. The pushed configuration overwrites the running configuration on the cluster nodes so that all cluster nodes run the same configuration.

Remove a Cluster from Panorama Management

To remove a cluster from Panorama management, select Panorama > Managed WildFire Clusters, select the row of the cluster you want to remove (do not click the cluster name), and Remove From Panorama.


If you remove a WildFire appliance cluster from Panorama management, the Panorama web interface places the WildFire appliances in that cluster into read-only mode. Although the WildFire appliances in the removed cluster display in the Panorama web interface, when in read-only mode you can't push configurations to the WildFire appliances or manage them with Panorama. After being removed from Panorama management, the WildFire appliance cluster members use the local cluster configuration and you can manage the cluster using the local CLI.
To manage the WildFire appliances in the cluster with Panorama after you remove the cluster from Panorama management, import the cluster back into Panorama (Panorama > Managed WildFire Clusters > Import Cluster Config).

Import a Cluster Back into Panorama

Step 1: Select the cluster's controller node. The cluster name populates Cluster automatically.
Step 2: Click OK. The cluster backup controller node and worker nodes populate automatically.
Step 3: Click OK to import the cluster.
Step 4: Commit the changes.



Use the WildFire Appliance CLI

The following topics describe the CLI commands that are specific to the WildFire appliance software. All other commands, such as configuring interfaces, committing the configuration, and setting system information, are identical to PAN-OS and are also shown in the hierarchy. For information on the PAN-OS commands, refer to the PAN-OS CLI Quick Start.
WildFire Appliance Software CLI Concepts
WildFire CLI Command Modes
Access the WildFire Appliance CLI
WildFire Appliance CLI Operations
WildFire Appliance Configuration Mode Command Reference
WildFire Appliance Operational Mode Command Reference


WildFire Appliance Software CLI Concepts

This section introduces and describes how to use the WildFire appliance software command line interface (CLI):
WildFire Appliance Software CLI Structure
WildFire Appliance Software CLI Command Conventions
WildFire Appliance CLI Command Messages
WildFire Appliance Command Option Symbols
WildFire Appliance Privilege Levels

WildFire Appliance Software CLI Structure

The WildFire appliance software CLI is used to manage the appliance. The CLI is the only interface to the appliance. Use it to view status and configuration information and to modify the appliance configuration. Access the WildFire appliance software CLI over SSH or by direct console access using the console port.
The WildFire appliance software CLI operates in two modes:
Operational mode: View the state of the system, navigate the WildFire appliance software CLI, and enter configuration mode.
Configuration mode: View and modify the configuration hierarchy.

WildFire Appliance Software CLI Command Conventions

The basic command prompt incorporates the username and hostname of the appliance:
username@hostname>
Example:
admin@WF-500>
When entering Configuration mode, the prompt changes from > to #:
username@hostname> (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname# (Configuration mode)
In Configuration mode, the current hierarchy context is shown by the [edit ...] banner presented in square brackets when a command is issued.


WildFire Appliance CLI Command Messages

Messages may be displayed when issuing a command. The messages provide context information and can help in correcting invalid commands. In the following examples, the message is the line that follows the command.
Example: Unknown command
username@hostname# application-group
Unknown command: application-group
[edit network]
username@hostname#
Example: Changing modes
username@hostname# exit
Exiting configuration mode
username@hostname>
Example: Invalid syntax
username@hostname> debug 17
Unrecognized command
Invalid syntax.
username@hostname>
The CLI checks the syntax of each command. If the syntax is correct, it executes the command and the candidate hierarchy changes are recorded. If the syntax is incorrect, an invalid syntax message is presented, as in the following example:
username@hostname# set deviceconfig setting wildfire cloud-intelligence submit-sample yes
Unrecognized command
Invalid syntax.
[edit]
username@hostname#

WildFire Appliance Command Option Symbols

The symbol preceding an option can provide additional information about command syntax.

Symbol  Description
*       This option is required.
>       There are additional nested options for this command.
+       There are additional command options for this command at this level.
|       There is an option to specify an except value or a match value to restrict the command.


"       Although the double quote is not a command option symbol, it must be used when entering multi-word phrases in CLI commands. For example, to create an address group named Test Group and to add the user named user1 to this group, you must surround the group name with double quotes as follows:
        set address-group "Test Group" user1
        If you do not put double quotes around the group name, the CLI would interpret the word Test as the group name and Group as the user name, and the following error would be displayed: test is not a valid name.
        A single quote would also be invalid in this example.

The following examples show how these symbols are used.
Example: In the following command, the keyword from is required:
username@hostname> scp import configuration ?
+ remote-port SSH port number on remote host
* from Source (username@host:path)
username@hostname> scp import configuration
Example: This command output shows options designated with + and >.
username@hostname# set rulebase security rules rule1 ?
+ action action
+ application application
+ destination destination
+ disabled disabled
+ from from
+ log-end log-end
+ log-setting log-setting
+ log-start log-start
+ negate-destination negate-destination
+ negate-source negate-source
+ schedule schedule
+ service service
+ source source
+ to to
> profiles profiles
<Enter> Finish input
[edit]
username@hostname# set rulebase security rules rule1
Each option listed with + can be added to the command.
The profiles keyword (with >) has additional options:
username@hostname# set rulebase security rules rule1 profiles ?
+ virus Help string for virus
+ spyware Help string for spyware
+ vulnerability Help string for vulnerability
+ group Help string for group
<Enter> Finish input
[edit]
username@hostname# set rulebase security rules rule1 profiles


WildFire Appliance Privilege Levels

Privilege levels determine which commands the user is permitted to execute and the information the user is permitted to view.

Level        Description
superreader  Has complete read-only access to the appliance.
superuser    Has complete read-write access to the appliance.


WildFire CLI Command Modes

The following topics describe the modes used to interact with the WildFire appliance software CLI:
WildFire Appliance CLI Configuration Mode
WildFire Appliance CLI Operational Mode

WildFire Appliance CLI Configuration Mode

Entering commands in configuration mode modifies the candidate configuration. The modified candidate configuration is stored in the appliance memory and maintained while the appliance is running.
Each configuration command involves an action, and may also include keywords, options, and values.
This section describes Configuration mode and the configuration hierarchy:
Configuration Mode Command Usage
Configuration Hierarchy
Navigate the Hierarchy

Configuration Mode Command Usage

Use the following commands to store and apply configuration changes:
save: Saves the candidate configuration in the non-volatile storage on the appliance. The saved configuration is retained until overwritten by subsequent save commands. Note that this command does not make the configuration active.
commit: Applies the candidate configuration to the appliance. A committed configuration becomes the active configuration for the device.
set: Changes a value in the candidate configuration.


load: Assigns the last saved configuration or a specified configuration to be the candidate configuration.

When exiting configuration mode without issuing the save or commit command, the configuration changes could be lost if the appliance loses power.

Maintaining a candidate configuration and separating the save and commit steps confers important advantages when compared with traditional CLI architectures:
Distinguishing between the save and commit concepts allows multiple changes to be made at the same time and applied together, so the appliance never runs with a half-applied set of changes.
Commands can easily be adapted for similar functions. For example, when configuring two Ethernet interfaces, each with a different IP address, you can edit the configuration for the first interface, copy the command, modify only the interface and IP address, and then apply the change to the second interface.
The command structure is always consistent.
Because the candidate configuration is always unique, all authorized changes to the candidate configuration are consistent with each other.

Configuration Hierarchy

The configuration for the appliance is organized in a hierarchical structure. To display a segment of the current hierarchy level, use the show command. Entering show displays the complete hierarchy, while entering show with keywords displays a segment of the hierarchy. For example, when running the command show from the top level of configuration mode, the entire configuration is displayed. When you run the command edit mgt-config and then enter show, or when you run show mgt-config, only the mgt-config part of the hierarchy displays.


Hierarchy Paths

When entering commands, the keywords trace a path through the hierarchy. For example, the following command assigns the primary DNS server 10.0.0.246 for the appliance:
[edit]
username@hostname# set deviceconfig system dns-setting servers primary 10.0.0.246
This command generates a new element in the hierarchy and in the output of the following show command:
[edit]
username@hostname# show deviceconfig system dns-setting
dns-setting {
  servers {
    primary 10.0.0.246
  }
}
[edit]
username@hostname#


Navigate the Hierarchy

The [edit ...] banner presented below the Configure mode command prompt line shows the current hierarchy context.
[edit]
indicates that the relative context is the top level of the hierarchy, whereas
[edit deviceconfig]
indicates that the relative context is at the deviceconfig level.
Use the following commands to navigate through the configuration hierarchy.

Command  Description
edit     Sets the context for configuration within the command hierarchy.
up       Changes the context to the next higher level in the hierarchy.
top      Changes the context to the highest level in the hierarchy.

The set command issued after using the up and top commands starts from the new context.

WildFire Appliance CLI Operational Mode

At the initial login to the device, the WildFire appliance software CLI opens in Operational mode. Operational mode commands involve actions that are executed immediately. They do not involve changes to the configuration, and do not need to be saved or committed.
Operational mode commands are of several types:
Network access: Open a window to another host. SSH is supported.
Monitoring and troubleshooting: Perform diagnosis and analysis. Includes debug and ping commands.
Display commands: Display or clear current information. Includes clear and show commands.
WildFire appliance software CLI navigation commands: Enter Configure mode or exit the WildFire appliance software CLI. Includes configure, exit, and quit commands.
System commands: Make system-level requests or restart. Includes set and request commands.


Access the WildFire Appliance CLI

This section describes how to access the WildFire appliance software CLI:
Establish a Direct Console Connection
Establish an SSH Connection

Establish a Direct Console Connection

Use the following settings for a direct console connection:
Data rate: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: None

Establish an SSH Connection

To access the WildFire appliance software CLI:

Launch the WildFire CLI

Step 1: Use terminal emulation software to establish an SSH console connection with the WildFire appliance.
Step 2: Enter the administrative username. The default is admin.
Step 3: Enter the administrative password. The default is admin. Change this default password the first time you log in; an appliance that still accepts admin/admin over SSH can be taken over by anyone who can reach its management interface.
The WildFire appliance software CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>


WildFire Appliance CLI Operations

Access WildFire Appliance Operational and Configuration Modes
Display WildFire Appliance Software CLI Command Options
Restrict WildFire Appliance CLI Command Output
Set the Output Format for WildFire Appliance Configuration Commands

Access WildFire Appliance Operational and Configuration Modes

When logging in, the WildFire appliance software CLI opens in Operational mode. You can navigate between Operational and Configuration modes at any time.
To enter Configuration mode from Operational mode, use the configure command:
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#
To leave Configuration mode and return to Operational mode, use the quit or exit command:
username@hostname# quit
Exiting configuration mode
username@hostname>
To enter an Operational mode command while in Configuration mode, use the run command. For example, to show system resources from configure mode, use run show system resources.

Display WildFire Appliance Software CLI Command Options

Use ? (or Meta-H) to display a list of command options, based on context:
To display a list of operational commands, enter ? at the command prompt.
username@hostname> ?
clear Clear runtime parameters
configure Manipulate software configuration information
create create commands
debug Debug and diagnose
delete Remove files from hard disk
disable disable commands
edit edit commands
exit Exit this session
find Find CLI commands with keyword
grep Searches file for lines containing a pattern match
less Examine debug file content
ping Ping hosts and networks
quit Exit this session
request Make system-level requests
scp Use scp to import / export files

set Set operational parameters
show Show operational parameters
ssh Start a secure shell to another host
submit submit commands
tail Print the last 10 lines of debug file content
telnet Start a telnet session to another host
test verify system settings with test cases
tftp Use tftp to import / export files
traceroute Print the route packets take to network host
username@hostname>
To display the available options for a specified command, enter the command followed by ?.
Example:
username@hostname> ping ?
+ bypass-routing Bypass routing table, use specified interface
+ count Number of requests to send (1..2000000000 packets)
+ do-not-fragment Don't fragment echo request packets (IPv4)
+ interval Delay between requests (seconds)
+ no-resolve Don't attempt to print addresses symbolically
+ pattern Hexadecimal fill pattern
+ size Size of request packets (0..65468 bytes)
+ source Source address of echo request
+ tos IP type-of-service value (0..255)
+ ttl IP time-to-live value (IPv6 hop-limit value) (0..255 hops)
+ verbose Display detailed output
* host Hostname or IP address of remote host

Restrict WildFire Appliance CLI Command Output

Some operational commands include an option to restrict the displayed output. To restrict the output, enter a pipe symbol followed by except or match and the value that is to be excluded or included.
Example:
The following sample output is for the show system info command:
username@hostname> show system info
hostname: WildFire
ip-address: 192.168.2.20
netmask: 255.255.255.0
default-gateway: 192.168.2.1
mac-address: 00:25:90:95:84:76
vm-interface-ip-address: 10.16.0.20
vm-interface-netmask: 255.255.252.0
vm-interface-default-gateway: 10.16.0.1
vm-interface-dns-server: 10.0.0.247
time: Mon Apr 15 13:31:39 2013
uptime: 0 days, 0:02:35
family: m
model: WF-500
serial: 009707000118
sw-version: 8.0.1

124 WildFire8.0AdministratorsGuide PaloAltoNetworks,Inc.


UsetheWildFireApplianceCLI WildFireApplianceCLIOperations

wf-content-version: 702-283
wf-content-release-date: unknown
logdb-version: 8.0.15
platform-family: m
operational-mode: normal

username@hostname>
The following sample displays only the system model information:
username@hostname> show system info | match model
model: WF-500
username@hostname>

Set the Output Format for WildFire Appliance Configuration Commands

Change the output format for the configuration commands by using the set cli config-output-format command in Operational mode. Options include the default format, JSON (JavaScript Object Notation), set format, and XML format. The default format is a hierarchical format where configuration sections are indented and enclosed in curly brackets. The set format prints the set commands that would recreate the configuration, which is convenient for reviewing a controller's settings before reproducing them on its peer.


WildFire Appliance Configuration Mode Command Reference

This section contains command reference information for the following Configuration mode commands that are specific to the WildFire appliance software. All other commands that are part of the WildFire appliance software are identical to PAN-OS as described in the PAN-OS 8.0 CLI Quick Start.
set deviceconfig cluster
set deviceconfig high-availability
set deviceconfig setting management
set deviceconfig setting wildfire
set deviceconfig system eth2
set deviceconfig system eth3
set deviceconfig system panorama-server
set deviceconfig system panorama-server-2
set deviceconfig system update-schedule
set deviceconfig system vm-interface

set deviceconfig cluster

Description

Configure WildFire appliance cluster settings on the WildFire appliance. You can configure the cluster name, the interface used for cluster communication, and the mode (role) of the appliance in the cluster: controller or worker. On WildFire appliances that you configure as cluster controllers, you can add WildFire appliances to the cluster and set whether the controller provides DNS service on its management interface.

Hierarchy Location

set deviceconfig


Syntax

cluster {
  cluster-name <name>;
  interface {eth2 | eth3};
  mode {
    controller {
      service-advertisement dns-service enabled {no | yes};
      worker-list {ip-address}
    }
    worker;
  }
}

Options

+ cluster-name: Name the cluster. The name must be a valid domain name section.
+ interface: Configure the interface to use for cluster communication. The cluster communication interface must be the same on all cluster members.
> mode: Configure whether the WildFire appliance is a controller node or a worker node. For controller nodes, configure whether the controller provides DNS service on the management interface (service-advertisement) and add worker nodes to the cluster (worker-list). Each WildFire appliance cluster should have two controller nodes to provide high availability. You can add two controllers and up to 18 worker nodes to a cluster, for a maximum total of 20 nodes.

Sample Output

admin@wf-500(active-controller)# show deviceconfig cluster
cluster {
  cluster-name sid-6;
  interface eth2;
  mode {
    controller {
      worker-list {
        2.2.2.115;
      }
    }
  }
}

Required Privilege Level

superuser, deviceadmin


set deviceconfig high-availability

Description

Configure WildFire appliance cluster high availability (HA) settings.

Hierarchy Location

set deviceconfig

Syntax

high-availability {
  enabled {no | yes};
  election-option {
    preemptive {no | yes};
    priority {primary | secondary};
    timers {
      advanced {heartbeat-interval <value> | hello-interval <value> |
                preemption-hold-time <value> | promotion-hold-time <value>}
      aggressive;
      recommended;
    }
  }
  interface {
    ha1 {
      peer-ip-address <ip-address>;
      port {eth2 | eth3 | management};
      encryption enabled {no | yes};
    }
    ha1-backup {
      peer-ip-address <ip-address>;
      port {eth2 | eth3 | management};
    }
  }
}

Options

+ enabled: Enable HA on both controller nodes to provide fault tolerance for the cluster. Each WildFire appliance cluster should have two controller nodes configured as an HA pair.
> election-option: Configure the preemptive, priority, and timer HA option values.
+ preemptive: Election option to enable the passive HA peer (the controller backup node) to preempt the active HA peer (the primary controller node) based on the HA priority setting. For example, if the primary controller node goes down, the secondary (passive) controller node takes over cluster control. When the

primary controller node comes back up, if you do not configure preemption, the secondary controller
continues to control the cluster and the primary controller acts as the controller backup node. However, if
you configure preemption on both HA peers, then when the primary controller comes back up, it preempts
the secondary controller by taking back control of the cluster. The secondary controller resumes its former
role as the controller backup node. You must configure the preemptive setting on both of the HA peers for
preemption to work.
+ priority: Election option to configure the preemption priority of each controller in the HA pair.
  Configure preemption on both members of the HA controller pair.
> timers: Configure the timers for HA election options. The WildFire appliance provides two
  preconfigured timer options (aggressive and recommended settings), or you can configure each timer
  individually. The Advanced timers enable you to configure values individually:
  - heartbeat-interval sets the interval in milliseconds between heartbeat pings. The range is
    1000-60,000 ms; the default is 2000 ms.
  - hello-interval sets the interval in milliseconds between Hello messages. The range is
    8000-60,000 ms; the default is 8000 ms.
  - preemption-hold-time sets the time in minutes to remain in passive (controller backup) mode before
    preempting the active (primary) controller node. The range is 1-60 minutes; the default is 1 minute.
  - promotion-hold-time sets the time in milliseconds to change state from passive (controller backup) to
    active (primary). The range is 0-60,000 ms; the default is 2000 ms.
> interface: Configure HA interface settings for the primary (ha1) and backup (ha1-backup) control link
  interfaces. The control link interfaces enable the HA controller pair to remain synchronized and prepared to
  fail over in case the primary controller node goes down. Configuring both the ha1 interface and the
  ha1-backup interface provides redundant connectivity between controllers in case of a link failure. Set:
  - The peer-ip-address. For each interface, configure the IP address of the HA peer. The ha1 interface peer
    is the ha1 interface IP address on the other controller node in the HA pair. The ha1-backup interface peer
    is the ha1-backup interface IP address on the other controller node in the HA pair.
  - The port. On each controller node, configure the port to use for the ha1 interface and the port to use for
    the ha1-backup interface. You can use eth2, eth3, or the management port (eth0) for the HA control link
    interfaces. You cannot use the Analysis Environment Network interface (eth1) as an ha1 or ha1-backup
    control link interface. Use the same interface on both HA peers as the ha1 interface, and use the same
    interface (but not the ha1 interface) on both HA peers as the ha1-backup interface. For example, configure
    eth3 as the ha1 interface on both controller nodes and configure the management interface as the
    ha1-backup interface on both controller nodes.

Sample Output

admin@wf-500(active-controller)# show deviceconfig high-availability

high-availability {
  election-option {
    priority primary;
  }
  enabled no;
  interface {
    ha1 {
      peer-ip-address 10.10.10.150;
      port eth2;
    }
    ha1-backup {
      peer-ip-address 10.10.10.160;
      port management;
    }
  }
}

Required Privilege Level

superuser, deviceadmin

set deviceconfig setting management

Description

Configure administrative management session settings on the WildFire appliance. You can configure
timeouts to end administrative sessions if they are idle too long and how many login retries (failed login
attempts) it takes to lock out an administrator.

Hierarchy Location

set deviceconfig setting

Syntax

management {
  idle-timeout {0 | <value>};
  admin-lockout {
    failed-attempts <value>;
    lockout-time <value>;
  }
}

Options

+ idle-timeout: Default administrative session idle timeout in minutes. Configure an idle timeout from
  1-1440 minutes, or set the timeout value to 0 (zero) to never time out the session. A value of 0, as in the
  sample output below, leaves an abandoned administrative session open indefinitely.
> admin-lockout: Configure the number of failed-attempts to log in to the appliance before the
  administrator is locked out of the system (0-10), and the lockout-time in minutes (0-60) to lock out an
  administrator if the administrator crosses the failed-attempts threshold.

Sample Output

management {
  idle-timeout 0;
  admin-lockout {
    failed-attempts 3;
    lockout-time 5;
  }
}

set deviceconfig setting wildfire

Description

Configure WildFire settings on the WildFire appliance. You can configure forwarding of malicious files, define
the cloud server that receives malware-infected files, and enable or disable the vm interface.

Hierarchy Location

set deviceconfig setting

Syntax

wildfire {
  active-vm {vm-1 | vm-2 | vm-3 | vm-4 | vm-5 | <value>};
  cloud-server <value>;
  custom-dns-name <value>;
  preferred-analysis-environment {Documents | Executables | default};
  vm-network-enable {no | yes};
  vm-network-use-tor {enable | disable};
  cloud-intelligence {
    cloud-query {no | yes};
    submit-diagnostics {no | yes};
    submit-report {no | yes};
    submit-sample {no | yes};
  }
  file-retention {
    malicious {indefinite | <1-2000>};
    non-malicious <1-90>;
  }
  signature-generation {
    av {no | yes};
    dns {no | yes};
    url {no | yes};
  }
}

Options

+ active-vm: Select the virtual machine environment that WildFire will use for sample analysis. Each vm
  has a different configuration, such as Windows XP, a specific version of Flash, Adobe Reader, etc. To view
  which VM is selected, run the following command: show wildfire status and view the Selected VM field.
  To view the VM environment information, run the following command: show wildfire vm-images.
+ cloud-server: Hostname for the cloud server that the appliance will forward malicious samples/reports
  to for reanalysis. The default cloud server is wildfire-public-cloud. To configure forwarding, use the
  following command: set deviceconfig setting wildfire cloud-intelligence.
+ custom-dns-name: Configure a custom DNS name to use in server certificates and the WildFire server list
  instead of the default DNS name wfpc.service.<clustername>.<domain>.
+ preferred-analysis-environment: Allocate the majority of the resources to document analysis or to
  executable analysis, depending on the type of samples most often analyzed in your environment. The default
  allocation balances resources between document and executable samples. For example, to allocate the
  majority of the analysis resources to documents: set deviceconfig setting wildfire
  preferred-analysis-environment Documents.
+ vm-network-enable: Enable or disable the vm network. When enabled, sample files running in the virtual
  machine sandbox can access the Internet. This helps WildFire better analyze the behavior of the malware to
  look for things like phone-home activity.
+ vm-network-use-tor: Enable or disable the Tor network for the vm interface. When this option is enabled,
  any malicious traffic coming from the sandbox systems on the WildFire appliance during sample analysis is
  sent through the Tor network. The Tor network will mask your public-facing IP address, so the owners of the
  malicious site cannot determine the source of the traffic.
> cloud-intelligence: Configure the appliance to submit WildFire diagnostics, reports or samples to the
  Palo Alto Networks WildFire cloud, or to automatically query the public WildFire cloud before performing
  local analysis to conserve WildFire appliance resources. The submit-report option sends reports for malicious
  samples to the cloud for statistical gathering. The submit-sample option sends malicious samples to the
  cloud. If submit-sample is enabled, you don't need to enable submit-report because the cloud reanalyzes the
  sample and a new report and signature is generated if the sample is malicious.
> file-retention: Configure how long to save malicious (malware and phishing) samples and non-malicious
  (grayware and benign) samples. The default for malicious samples is indefinite (never delete). The default for
  non-malicious samples is 14 days. For example, to retain non-malicious samples for 30 days: set
  deviceconfig setting wildfire file-retention non-malicious 30.
> signature-generation: Enable the appliance to generate signatures locally, eliminating the need to send
  any data to the public cloud in order to block malicious content. The WildFire appliance will analyze files
  forwarded to it from Palo Alto Networks firewalls or from the WildFire API and generate antivirus and DNS
  signatures that block both the malicious files as well as associated command-and-control traffic. When the
  appliance detects a malicious URL, it sends the URL to PAN-DB and PAN-DB assigns it the malware
  category.

Sample Output

The following shows an example output of the WildFire settings.
admin@WF-500# show deviceconfig setting wildfire
wildfire {
  signature-generation {
    av yes;
    dns yes;
    url yes;
  }
  cloud-intelligence {
    submit-report no;
    submit-sample yes;
    submit-diagnostics yes;
    cloud-query yes;
  }
  file-retention {
    non-malicious 30;
    malicious 1000;
  }
  active-vm vm-5;
  cloud-server wildfire-public-cloud;
  vm-network-enable yes;
}
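The rules the three preceding entries state (same control-link interface on both peers, no eth1 as a control link, ha1-backup on a different interface than ha1 and preemption set on both peers for high-availability; the idle-timeout and admin-lockout ranges for management; what cloud-intelligence sends out, the file-retention ranges and the vm-network-use-tor choice for wildfire), as an added example that is not code from this guide or from Palo Alto Networks. The Python below parses the brace-format output of show deviceconfig and returns findings. It assumes that the preemption setting appears as a preemptive yes|no keyword under election-option (the keyword is not shown on this page) and that a 0 for failed-attempts or lockout-time switches that limit off. The sample stanzas are constructed from the guide's sample outputs; the PEER stanza deliberately violates three rules.

```python
"""Audit `show deviceconfig ...` output from a WildFire appliance against the rules
given for the high-availability, management and wildfire settings. Added example,
not Palo Alto Networks code. Assumption: preemption is the `preemptive yes|no`
keyword under election-option. Sample stanzas are constructed from the guide's samples."""
import re

TOKEN = re.compile(r'[{};]|"[^"]*"|[^\s{};"]+')
CONTROL_LINK_PORTS = {"eth2", "eth3", "management"}   # eth1 is the analysis network, never a control link

def _flush(node, words):
    if len(words) == 1:
        node[words[0]] = True                 # bare keyword, e.g. 'statistics;'
    elif words:
        node[words[0]] = " ".join(words[1:])  # 'key value;'

def parse_config(text):
    """Parse PAN-OS brace-format config into nested dicts; a missing ';' before '}'
    (present in the guide's own samples) is tolerated."""
    root, words = {}, []
    stack = [root]
    for tok in TOKEN.findall(text):
        if tok == "{":
            node = {}
            stack[-1][words[0] if words else ""] = node
            stack.append(node)
            words = []
        elif tok in (";", "}"):
            _flush(stack[-1], words)
            words = []
            if tok == "}":
                stack.pop()
        else:
            words.append(tok)
    _flush(stack[-1], words)
    return root

def _port(cfg, link):
    return cfg.get("interface", {}).get(link, {}).get("port")

def audit_ha(local, peer):
    """Check the high-availability stanzas of both controllers in an HA pair."""
    findings = []
    for name, cfg in (("local", local), ("peer", peer)):
        if cfg.get("enabled") != "yes":
            findings.append(f"{name}: high-availability is not enabled")
        ha1, backup = _port(cfg, "ha1"), _port(cfg, "ha1-backup")
        for link, port in (("ha1", ha1), ("ha1-backup", backup)):
            if port is not None and port not in CONTROL_LINK_PORTS:
                findings.append(f"{name}: {link} on {port}; only eth2, eth3 or management are allowed")
        if backup is not None and backup == ha1:
            findings.append(f"{name}: ha1-backup must not use the ha1 interface")
    for link in ("ha1", "ha1-backup"):
        if _port(local, link) != _port(peer, link):
            findings.append(f"{link} port differs between peers; use the same interface on both")
    pre = [c.get("election-option", {}).get("preemptive", "no") for c in (local, peer)]
    if pre[0] != pre[1]:
        findings.append("preemptive is set on only one peer; preemption needs it on both")
    return findings

def audit_management(mgmt):
    """Flag session settings that leave the administrative interface exposed."""
    findings = []
    if int(mgmt.get("idle-timeout", 0)) == 0:
        findings.append("idle-timeout 0: idle administrative sessions never time out")
    lock = mgmt.get("admin-lockout", {})
    if int(lock.get("failed-attempts", 0)) == 0 or int(lock.get("lockout-time", 0)) == 0:
        findings.append("admin-lockout: failed-attempts and lockout-time must both be non-zero")
    return findings

def audit_wildfire(wf):
    """Report what leaves the appliance and check retention and sandbox-network choices."""
    findings = []
    ci = wf.get("cloud-intelligence", {})
    sent = [k for k in ("submit-sample", "submit-report", "submit-diagnostics", "cloud-query") if ci.get(k) == "yes"]
    if sent:
        findings.append(f"sent to {wf.get('cloud-server', 'wildfire-public-cloud')}: {', '.join(sent)}")
    ret = wf.get("file-retention", {})
    mal, benign = ret.get("malicious", "indefinite"), int(ret.get("non-malicious", 14))
    if (mal != "indefinite" and not 1 <= int(mal) <= 2000) or not 1 <= benign <= 90:
        findings.append(f"file-retention out of range: malicious {mal}, non-malicious {benign}")
    if wf.get("vm-network-enable") == "yes" and wf.get("vm-network-use-tor") != "enable":
        findings.append("vm network enabled without Tor: sandbox traffic reveals your public IP to the sites malware contacts")
    return findings

# Constructed stanzas: LOCAL follows the guide's sample; PEER deliberately breaks three rules.
LOCAL = parse_config("""high-availability { enabled yes;
  election-option { priority primary; preemptive yes; }
  interface { ha1 { peer-ip-address 10.10.10.150; port eth2 }
              ha1-backup { peer-ip-address 10.10.10.160; port management } } }""")["high-availability"]
PEER = parse_config("""high-availability { enabled yes;
  election-option { priority secondary; }
  interface { ha1 { peer-ip-address 10.10.10.120; port eth2 }
              ha1-backup { peer-ip-address 10.10.10.14; port eth1 } } }""")["high-availability"]
MGMT = parse_config("management { idle-timeout 0; admin-lockout { failed-attempts 3; lockout-time 5; } }")["management"]
WILDFIRE = parse_config("""wildfire { active-vm vm-5; cloud-server wildfire-public-cloud; vm-network-enable yes;
  cloud-intelligence { submit-report no; submit-sample yes; submit-diagnostics yes; cloud-query yes; }
  file-retention { non-malicious 30; malicious 1000; } }""")["wildfire"]
```

Run it against the show deviceconfig high-availability output captured from both controllers plus the management and wildfire stanzas; an empty findings list means the pair satisfies the rules on this page, and each finding names the peer and the setting to correct.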

set deviceconfig system

Description

Configure system settings on the WildFire appliance: the hostname, the management interface IP address,
netmask and default gateway, the update server, the management services (ICMP, SSH and SNMP), and the
primary and backup Panorama servers. The eth2, eth3 and vm interfaces and the content update schedule are
configured under this node as well; see set deviceconfig system eth2, set deviceconfig system eth3,
set deviceconfig system vm-interface and set deviceconfig system update-schedule.

Hierarchy Location

set deviceconfig

Syntax

system {
  hostname <value>;
  ip-address <ip-address>;
  netmask <ip-netmask>;
  default-gateway <ip-address>;
  update-server <value>;
  panorama-server {IP address | FQDN};
  panorama-server-2 {IP address | FQDN};
  service {
    disable-icmp {no | yes};
    disable-ssh {no | yes};
    disable-snmp {no | yes};
  }
}

Options

+ hostname: Hostname of the appliance.
+ ip-address, netmask, default-gateway: IP address, netmask and default gateway of the management
  interface.
+ update-server: Server from which the appliance downloads updates (updates.paloaltonetworks.com in the
  sample output under set deviceconfig system panorama-server).
+ panorama-server, panorama-server-2: Primary and backup Panorama servers; see set deviceconfig system
  panorama-server and set deviceconfig system panorama-server-2.
> service: Disable ICMP, SSH or SNMP on the management interface. Disabling a service you do not use
  reduces the exposed management surface of the appliance.

Sample Output

See the output of show deviceconfig system under set deviceconfig system panorama-server.

Required Privilege Level

superuser, deviceadmin

set deviceconfig system eth2

Description

Configure the eth2 interface.

Hierarchy Location

set deviceconfig system

Syntax

eth2 {
  default-gateway <ip-address>;
  ip-address <ip-address>;
  mtu <value>;
  netmask <ip-netmask>;
  speed-duplex {100Mbps-full-duplex | 100Mbps-half-duplex | 10Mbps-full-duplex |
    10Mbps-half-duplex | 1Gbps-full-duplex | 1Gbps-half-duplex | auto-negotiate};
  permitted-ip <ip-address/netmask>;
  service disable-icmp {no | yes};
}

Options

+ default-gateway: IP address of the default gateway for the eth2 interface.
+ ip-address: IP address for the eth2 interface.
+ mtu: Maximum Transmission Unit (MTU) for the eth2 interface.
+ netmask: Netmask for the eth2 interface.
+ speed-duplex: Interface speed (10Mbps, 100Mbps, 1Gbps, or auto-negotiate) and duplex mode (full or
  half) for the eth2 interface.
> permitted-ip: IP addresses allowed to access the eth2 interface. If you specify a netmask with the IP
  address, the netmask must be in slash notation. For example, to permit a /24 (Class C size) network, enter
  10.10.10.100/24 (not 10.10.10.100 255.255.255.0). When eth2 carries the ha1 or ha1-backup control link,
  restrict permitted-ip to the HA peer's control-link address.
> service disable-icmp: Disable ICMP for the eth2 interface.

Sample Output

admin@wf-500(active-controller)# show deviceconfig system eth2

eth2 {
  ip-address 10.10.10.120;
  netmask 255.255.255.0;
  service {
    disable-icmp no;
  }
  speed-duplex auto-negotiate;
  mtu 1500;
}

Required Privilege Level

superuser, deviceadmin

set deviceconfig system eth3

Description

Configure the eth3 interface.

Hierarchy Location

set deviceconfig system

Syntax

eth3 {
  default-gateway <ip-address>;
  ip-address <ip-address>;
  mtu <value>;
  netmask <ip-netmask>;
  speed-duplex {100Mbps-full-duplex | 100Mbps-half-duplex | 10Mbps-full-duplex |
    10Mbps-half-duplex | 1Gbps-full-duplex | 1Gbps-half-duplex | auto-negotiate};
  permitted-ip <ip-address/netmask>;
  service disable-icmp {no | yes};
}

Options

+ default-gateway: IP address of the default gateway for the eth3 interface.
+ ip-address: IP address for the eth3 interface.
+ mtu: Maximum Transmission Unit (MTU) for the eth3 interface.
+ netmask: Netmask for the eth3 interface.
+ speed-duplex: Interface speed (10Mbps, 100Mbps, 1Gbps, or auto-negotiate) and duplex mode (full or
  half) for the eth3 interface.
> permitted-ip: IP addresses allowed to access the eth3 interface. If you specify a netmask with the IP
  address, the netmask must be in slash notation. For example, to permit a /24 (Class C size) network, enter
  10.10.10.100/24 (not 10.10.10.100 255.255.255.0). When eth3 carries the ha1 or ha1-backup control link,
  restrict permitted-ip to the HA peer's control-link address.
> service disable-icmp: Disable ICMP for the eth3 interface.

Sample Output

admin@wf-500(active-controller)# show deviceconfig system eth3

eth3 {
  ip-address 10.10.20.120;
  netmask 255.255.255.0;
  service {
    disable-icmp no;
  }
  speed-duplex auto-negotiate;
  mtu 1500;
}

Required Privilege Level

superuser, deviceadmin


set deviceconfig system panorama-server

Description

Configure the primary Panorama server for managing the WildFire appliance or appliance cluster.

Hierarchy Location

set deviceconfig system

Syntax

panorama-server {IP address | FQDN};

Options

+ panorama-server: Configure the IP address or the fully qualified domain name (FQDN) of the primary
  Panorama server you will use to manage the WildFire appliance or appliance cluster.

Sample Output

The output is truncated to show only the output stanza that displays the Panorama server settings.
admin@wf-500(active-controller)# show deviceconfig system
system {
  panorama-server 10.10.10.100;
  panorama-server-2 10.10.10.110;
  hostname myhost;
  ip-address 10.10.20.120;
  netmask 255.255.255.0;
  default-gateway 10.10.10.1;
  update-server updates.paloaltonetworks.com;
  service {
    disable-icmp no;
    disable-ssh no;
    disable-snmp yes;
  }
  ...

Required Privilege Level

superuser, deviceadmin


set deviceconfig system panorama-server-2

Description

Configure the backup Panorama server for managing the WildFire appliance or appliance cluster.
Configuring a backup Panorama server provides high availability for cluster or individual appliance
management.

Hierarchy Location

set deviceconfig system

Syntax

panorama-server-2 {IP address | FQDN};

Options

+ panorama-server-2: Configure the IP address or the fully qualified domain name (FQDN) of the backup
  Panorama server you will use to manage the WildFire appliance or appliance cluster.

Sample Output

The output is truncated to show only the output stanza that displays the Panorama server settings.
admin@wf-500(active-controller)# show deviceconfig system
system {
  panorama-server 10.10.10.100;
  panorama-server-2 10.10.10.110;
  hostname myhost;
  ip-address 10.10.20.120;
  netmask 255.255.255.0;
  default-gateway 10.10.10.1;
  update-server updates.paloaltonetworks.com;
  service {
    disable-icmp no;
    disable-ssh no;
    disable-snmp yes;
  }
  ...

Required Privilege Level

superuser, deviceadmin


set deviceconfig system update-schedule

Description

Schedule content updates on a WildFire appliance. These content updates equip the appliance with the most
up-to-date threat information for accurate malware detection and improve the appliance's ability to
differentiate the malicious from the benign.

Hierarchy Location

set deviceconfig system update-schedule

Syntax

wf-content recurring {
  daily at <value> action {download-and-install | download-only};
  hourly at <value> action {download-and-install | download-only};
  weekly {
    action {download-and-install | download-only};
    at <value>;
    day-of-week {friday | monday | saturday | sunday | thursday | tuesday | wednesday};
  }
}

Options

> wf-content: WildFire content updates.
> daily: Schedule the update every day.
  + action: Specify the action to take. You can schedule the appliance to download and install the update or
    download only and then you install manually.
  + at: Time specification hh:mm (e.g. 20:10).
> hourly: Schedule the update every hour.
  + action: Specify the action to take. You can schedule the appliance to download and install the update or
    download only and then you install manually.
  + at: Minutes past the hour.
> weekly: Schedule the update once a week.
  + action: Specify the action to take. You can schedule the appliance to download and install the update or
    download only and then you install manually.
  + at: Time specification hh:mm (e.g. 20:10).
  + day-of-week: Day of the week (Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday).

Sample Output

admin@WF-500# show
update-schedule {
  wf-content {
    recurring {
      weekly {
        at 19:00;
        action download-and-install;
        day-of-week friday;
      }
    }
  }
}

Required Privilege Level

superuser, deviceadmin

set deviceconfig system vm-interface

Description

The vm interface is used by malware running on the WildFire appliance virtual machine sandbox to access
the Internet. Activating this port is recommended and will help WildFire better identify malicious activity if
the malware accesses the Internet for phone-home or other activity. It is important that this interface has an
isolated connection to the Internet: the vm interface network must not share a path with the management,
eth2 or eth3 networks, otherwise a sample detonating in the sandbox can reach the appliance's management
plane or your internal network. For more information, see Set Up the WildFire Appliance VM Interface.
After configuring the vm interface, enable it by running the following command:
set deviceconfig setting wildfire vm-network-enable yes

Hierarchy Location

set deviceconfig system

Syntax

vm-interface {
  default-gateway <ip_address>;
  dns-server <ip_address>;
  ip-address <ip_address>;
  link-state {up | down};
  mtu <value>;
  netmask <ip_address>;
  speed-duplex <value>;
}

Options

admin@WF-500# set vm-interface

+ default-gateway   Default gateway for the VM interface
+ dns-server        DNS server for the VM interface
+ ip-address        IP address for the VM interface
+ link-state        Set the link state to up or down
+ mtu               Maximum Transmission Unit for the VM interface
+ netmask           IP netmask for the VM interface
+ speed-duplex      Speed and duplex for the VM interface

Sample Output

The following shows a configured vm interface.
vm-interface {
  ip-address 10.16.0.20;
  netmask 255.255.252.0;
  default-gateway 10.16.0.1;
  dns-server 10.0.0.246;
}
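The isolation requirement stated above, as an added example that is not code from this guide or from Palo Alto Networks: a Python check that the vm-interface network, its default gateway and its DNS server neither overlap nor sit on the management, eth2 or eth3 networks. The interface addresses are the ones shown in this guide's sample outputs (gathered here into one dictionary, which is an assumption about them belonging to one appliance); the misconfigured vm-interface is constructed to show what the check reports.

```python
"""Check that the WildFire appliance vm-interface (the sandbox's path to the Internet)
is isolated at layer 3 from the management, eth2 and eth3 networks. Added example,
not Palo Alto Networks code; interface values are taken from the guide's sample
outputs, the misconfigured variant is constructed."""
import ipaddress

def network_of(cfg):
    """The IPv4 network an interface sits on, e.g. 10.16.0.20/255.255.252.0 -> 10.16.0.0/22."""
    return ipaddress.IPv4Interface(f"{cfg['ip-address']}/{cfg['netmask']}").network

def check_vm_isolation(vm, others):
    """vm and each entry of others are dicts with 'ip-address' and 'netmask' (vm also has
    'default-gateway' and 'dns-server'). Returns findings; an empty list means isolated."""
    findings = []
    vm_net = network_of(vm)
    gateway = ipaddress.IPv4Address(vm["default-gateway"])
    if gateway not in vm_net:
        findings.append(f"default-gateway {gateway} is not on the vm-interface network {vm_net}")
    for name, cfg in others.items():
        net = network_of(cfg)
        if vm_net.overlaps(net):
            findings.append(f"vm-interface network {vm_net} overlaps the {name} network {net}")
        for key in ("default-gateway", "dns-server"):
            if ipaddress.IPv4Address(vm[key]) in net:
                findings.append(f"vm-interface {key} {vm[key]} is on the {name} network {net}; "
                                "malware in the sandbox could reach it")
    return findings

# Management, eth2 and eth3 addresses as shown in the guide's sample outputs.
OTHERS = {
    "management": {"ip-address": "10.10.10.14", "netmask": "255.255.255.0"},
    "eth2": {"ip-address": "10.10.10.120", "netmask": "255.255.255.0"},
    "eth3": {"ip-address": "10.10.20.120", "netmask": "255.255.255.0"},
}
# The guide's sample vm-interface: its own /22, gateway and DNS off the management networks.
VM_OK = {"ip-address": "10.16.0.20", "netmask": "255.255.252.0",
         "default-gateway": "10.16.0.1", "dns-server": "10.0.0.246"}
# Constructed misconfiguration: vm-interface dropped onto the eth2 subnet with an internal resolver.
VM_BAD = {"ip-address": "10.10.10.200", "netmask": "255.255.255.0",
          "default-gateway": "10.10.10.1", "dns-server": "10.10.10.5"}
```

The check is layer 3 only; it says nothing about what the upstream router or firewall lets the vm-interface reach, so pair it with a policy on that device that allows the sandbox network out to the Internet and nowhere else.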

Required Privilege Level

superuser, deviceadmin

WildFire Appliance Operational Mode Command Reference

This section contains command reference information for the following Operational mode commands that
are specific to the WildFire appliance software. All other commands that are part of the WildFire appliance
software are identical to PAN-OS; refer to the PAN-OS 8.0 CLI Quick Start for information on those
commands.
- clear high-availability
- create wildfire api-key
- delete high-availability-key
- delete wildfire api-key
- delete wildfire-metadata
- disable wildfire
- edit wildfire api-key
- load wildfire api-key
- request cluster decommission
- request cluster reboot-local-node
- request high-availability state
- request high-availability sync-to-remote
- request system raid
- request wildfire sample redistribution
- request system wildfire-vm-image
- request wf-content
- save wildfire api-key
- set wildfire portal-admin
- show cluster all-peers
- show cluster controller
- show cluster membership
- show cluster task
- show high-availability all
- show high-availability control-link
- show high-availability state
- show high-availability transitions
- show system raid
- show wildfire
- show wildfire global
- show wildfire local
- submit wildfire local-verdict-change
- test wildfire registration

clear high-availability

Description

Clear high availability (HA) control link statistics information and transitions statistics on the controller node
of a WildFire appliance cluster.

Syntax

clear {
  high-availability {
    control-link {
      statistics;
    }
    transitions;
  }
}

Options

> control-link: Clear HA control link statistics.
> transitions: Clear HA transitions statistics (events that occur during HA switchovers).

Sample Output

After you clear control link or transition statistics, the WildFire cluster resets all values to zero (0).
admin@wf-500(active-controller)> show high-availability control-link statistics
High-Availability:
  Control Link Statistics:
    HA1:
      Messages-TX : 0
      Messages-RX : 0
      Capability-Msg-TX : 0
      Capability-Msg-RX : 0
      Error-Msg-TX : 0
      Error-Msg-RX : 0
      Preempt-Msg-TX : 0
      Preempt-Msg-RX : 0
      Preempt-Ack-Msg-TX : 0
      Preempt-Ack-Msg-RX : 0
      Primary-Msg-TX : 0
      Primary-Msg-RX : 0
      Primary-Ack-Msg-TX : 0
      Primary-Ack-Msg-RX : 0
      Hello-Msg-TX : 0
      Hello-Msg-RX : 0
      Hello-Timeouts : 0
      Hello-Failures : 0
      MasterKey-Msg-TX : 0
      MasterKey-Msg-RX : 0
      MasterKey-Ack-Msg-TX : 0
      MasterKey-Ack-Msg-RX : 0
      Connection-Failures : 0
      Connection-Tries-Failures : 0
      Connection-Listener-Tries : 0
      Connection-Active-Tries : 0
      Ping-TX : 0
      Ping-Fail-TX : 0
      Ping-RX : 0
      Ping-Timeouts : 0
      Ping-Failures : 0
      Ping-Error-Msgs : 0
      Ping-Other-Msgs : 0
      Ping-Last-Rsp : 0

admin@wf-500(active-controller)> show high-availability transitions

High-Availability:
  Transition Statistics:
    Unknown : 0
    Suspended : 0
    Initial : 0
    Non-Functional : 0
    Passive : 0
    Active : 0

Required Privilege Level

superuser, deviceadmin

create wildfire api-key

Description

Generate API keys on a WildFire appliance that you will use on an external system to submit samples to the
appliance, query reports, or retrieve samples and packet captures (PCAPs) from the appliance.

Syntax

create {
  wildfire {
    api-key {
      key <value>;
      name <value>;
    }
  }
}

Options

+ key: Create an API key by manually entering a key value. The value must be 64 characters, letters (a-z)
  or digits (0-9). If you do not specify the key option, the appliance generates a key automatically. Let the
  appliance generate the key unless you need to import a value created elsewhere; a hand-typed value is
  easier to guess than a generated one.
+ name: Optionally enter a name for the API key. An API key name is simply used to label the keys to make
  it easier to identify keys assigned for specific uses and has no impact on the functionality of the key.

Sample Output

The following output shows that the appliance has three API keys and one key is named my-api-key.
admin@WF-500> show wildfire global api-keys all
+-----------------------------------------------------------------+------------+
| Apikey                                                          | Name       |
+-----------------------------------------------------------------+------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62| my-api-key |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F|            |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C|            |
+-----------------------------------------------------------------+------------+
+---------+---------------------+---------------------+
| Status  | Create Time         | Last Used Time      |
+---------+---------------------+---------------------+
| Enabled | 2017-03-02 19:14:36 | 2017-03-02 19:14:36 |
| Enabled | 2016-02-06 12:13:22 | 2017-03-01 12:10:20 |
| Enabled | 2014-08-04 17:00:42 | 2017-03-01 11:12:52 |
+---------+---------------------+---------------------+

Required Privilege Level

superuser, deviceadmin

delete high-availability-key

Description

Delete the peer encryption key used for high availability (HA) on the cluster control links of a WildFire
appliance cluster's controller node. After you delete the key, control-link encryption is off, which the
Encryption Enabled field of show high-availability state reports as no.

Syntax

delete {
  high-availability-key;
}

Options

No additional options.

Sample Output

The Encryption Enabled: no line in the output shows that encryption isn't enabled on the HA control links.
admin@wf-500(active-controller)> show high-availability state
High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: primary
Preemptive: no
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.20.112/24
Management IPv6 Address:
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized

Required Privilege Level

superuser, deviceadmin

delete wildfire api-key

Description

Delete an API key from the WildFire appliance. Systems configured to use the API to perform API functions
on the appliance will no longer be able to access the appliance after you delete the key.

Syntax

delete {
  wildfire {
    api-key {
      key <value>;
    }
  }
}

Options

+ key <value>: The key value for the key that you want to delete. To view a list of API keys, run the
  following command: admin@WF-500> show wildfire global api-keys all

Sample Output

admin@WF-500> delete wildfire api-key key A0418F8EADABA4C78CD3106D71147321462C5AA085B2979136447B1EC334655A
APIKey A0418F8EADABA4C78CD3106D71147321462C5AA085B2979136447B1EC334655A deleted

Required Privilege Level

superuser, deviceadmin

delete wildfire-metadata

Description

Delete content updates on the WildFire appliance. For more information on content updates and how to
install them, see request wf-content.

Syntax

delete {
  wildfire-metadata update <value>;
}

Options

+ update <value>: Define the content update that you want to delete.

Sample Output

The output that follows shows the deletion of an update named panup-all-wfmeta-2-181.candidate.tgz.
admin@WF-500> delete wildfire-metadata update panup-all-wfmeta-2-181.candidate.tgz
successfully removed panup-all-wfmeta-2-181.candidate.tgz

Required Privilege Level

superuser, deviceadmin

disable wildfire

Description

Disables the domain signature or sample signature so that it is excluded from the next WildFire content
package release. Because the signature stops protecting the firewalls that receive the content package,
confirm that the domain or sample really is a false positive before disabling it.

Syntax

disable wildfire domain-signature domain <value>;
disable wildfire sample-signature sha256 equal <value>;

Options

admin@WF-500> disable wildfire

> domain-signature: Sets the status of the domain signature to disabled so that it is excluded from the next
  WildFire content release.
> sample-signature: Sets the status of the sample signature to disabled so that it is excluded from the next
  WildFire content release.

Sample Output

A successfully disabled sample or domain does not display any output.
admin@WF-500> disable wildfire sample-signature sha256 equal d1378bda0672de58d95f3bff3cb42385f2d806a4a15b89cdecfedbdb1ec08228

Required Privilege Level

superuser, deviceadmin

edit wildfire api-key

Description

Modify an API key name or the key status (enabled/disabled) on a WildFire appliance.

Syntax

edit {
  wildfire {
    api-key {
      name <value> key <value>;
      status {enable | disable} key <value>;
    }
  }
}

Options

+ name: Change the name of an API key.
+ status: Enable or disable an API key.
* key: Specify the key to modify.

Sample Output

The key value in this command is required. For example, to change the name of a key named stu to
stu-key1, enter the following command (you do not need to enter the old key name; only enter the new key
name):

admin@WF-500> edit wildfire api-key name stu-key1 key B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288

To change the status of stu-key1 to disabled, enter the following command:
admin@WF-500> edit wildfire api-key status disable key B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288
Example output that shows that stu-key1 is disabled:
admin@WF-500> show wildfire global api-keys all
+-----------------------------------------------------------------+------------+
| Apikey | Name |
+-----------------------------------------------------------------+------------+
| B870210A6BDF2615D5A40B2DE515A6F5E66186BE28E4FFAC4405F22E83329288| stu-key1 |
+-----------------------------------------------------------------+------------+
+----------+---------------------+---------------------+
| Status | Create Time | Last Used Time |
+----------+---------------------+---------------------+
| Disabled | 2017-03-02 19:14:36 | 2017-03-02 19:14:36 |
+----------+---------------------+---------------------+
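The key lifecycle the create, delete and edit entries describe, as an added example that is not code from this guide or from Palo Alto Networks: Python that parses the two-part table printed by show wildfire global api-keys all, lists enabled keys that nobody has used for a given number of days, picks out keys that were created but never used, and emits the edit wildfire api-key status disable commands to retire them (disable first; delete only after nothing breaks). The table is this guide's create-api-key sample with its column padding restored; TODAY is a constructed reference date. The key format check accepts upper- and lower-case letters, since the guide says a-z while its own examples are upper-case hex (an assumption).

```python
"""Parse `show wildfire global api-keys all` and decide which keys to retire.
Added example, not Palo Alto Networks code. The table below is the guide's
create-api-key sample; TODAY is a constructed reference date."""
from datetime import datetime, timedelta
import re
import secrets

KEY_FORMAT = re.compile(r"^[A-Za-z0-9]{64}$")   # 64 characters, letters or digits
TIME = "%Y-%m-%d %H:%M:%S"

def parse_api_keys(text):
    """The CLI prints two tables: Apikey/Name rows first, then Status/Create Time/Last
    Used Time rows in the same order. Pair them up by position."""
    keys, meta = [], []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue                                    # rule lines (+----+) and the prompt
        cells = [c.strip() for c in line[1:-1].split("|")]
        if cells[0] in ("Apikey", "Status"):
            continue                                    # header rows
        (keys if len(cells) == 2 else meta).append(cells)
    if len(keys) != len(meta):
        raise ValueError("the two table halves do not line up")
    return [{"key": k, "name": n or None, "status": s,
             "created": datetime.strptime(c, TIME), "last_used": datetime.strptime(u, TIME)}
            for (k, n), (s, c, u) in zip(keys, meta)]

def is_valid_key(value):
    return bool(KEY_FORMAT.match(value))

def new_key_value():
    """A 64-character value in the accepted format drawn from the OS CSPRNG; use this
    (or let the appliance generate the key) rather than typing a value by hand."""
    return secrets.token_hex(32).upper()

def stale_keys(keys, today, max_idle_days):
    """Enabled keys that nobody has used in max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return [k for k in keys if k["status"] == "Enabled" and k["last_used"] < cutoff]

def never_used(keys):
    """Keys whose last-used time still equals their creation time."""
    return [k for k in keys if k["last_used"] == k["created"]]

def disable_commands(keys):
    """Disable before deleting, so a still-needed key can be re-enabled instead of re-issued."""
    return [f"edit wildfire api-key status disable key {k['key']}" for k in keys]

SAMPLE = """
admin@WF-500> show wildfire global api-keys all
+-----------------------------------------------------------------+------------+
| Apikey                                                          | Name       |
+-----------------------------------------------------------------+------------+
| C625DE87CBFB6EF0B1A8183A74AB5B61287F7F63B6E14E2FFC704AABF5640D62| my-api-key |
| D414CC910E93E9E05942A5E6F94DA36777B444543E71761CF5E9ACFA547F7D6F|            |
| 73585ACAFEC0109CB65EB944B8DFC0B341B9B73A6FA7F43AA9862CAD47D0884C|            |
+-----------------------------------------------------------------+------------+
+---------+---------------------+---------------------+
| Status  | Create Time         | Last Used Time      |
+---------+---------------------+---------------------+
| Enabled | 2017-03-02 19:14:36 | 2017-03-02 19:14:36 |
| Enabled | 2016-02-06 12:13:22 | 2017-03-01 12:10:20 |
| Enabled | 2014-08-04 17:00:42 | 2017-03-01 11:12:52 |
+---------+---------------------+---------------------+
"""
TODAY = datetime(2017, 4, 1)   # constructed reference date for the examples
```

With TODAY and a 30-day idle limit, the two unnamed keys come back as stale and my-api-key as created-but-never-used; review the resulting commands before pasting them into the appliance, because a disabled key cuts off every system that still presents it.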

Required Privilege Level

superuser, deviceadmin

load wildfire api-key

Description

After importing API keys to the WildFire appliance, you must use the load command to make the keys
available for use. Use this command to replace all existing API keys, or you can merge the keys in the import
file with the existing key database.

Syntax

load {
  wildfire {
    api-key {
      from <value>;
      mode {merge | replace};
    }
  }
}

Options

* from: Specify the API key file name that you want to import. The key files use the .keys file extension. For
  example, myapikeys.keys. To view a list of key files that are available for import, enter the following command:
  admin@WF-500> load wildfire api-key from ?
+ mode: Optionally enter the mode for the import (merge/replace). For example, to replace the key database
  on the appliance with the contents of the new key file, enter the following command:
  admin@WF-500> load wildfire api-key mode replace from my-api-keys.keys
  If you do not specify the mode option, the default action will merge the keys. Replace mode removes every
  existing key that is not in the import file, which cuts off any system still using one of those keys.

Required Privilege Level

superuser, deviceadmin

request cluster decommission

Description

Remove a WildFire appliance cluster node from a cluster that has three or more member nodes. Do not use
this command to remove a node from a two-node cluster. Instead, Remove a Node from a Cluster Locally
using the delete deviceconfig high-availability and delete deviceconfig cluster
commands.

Hierarchy Location

request cluster

Syntax

request {
  cluster {
    decommission {
      show;
      start;
      stop;
    }
  }
}

Options

> show: Display the status of the node decommission job.
> start: Begin the node decommission job.
> stop: Abort the node decommission job.

Sample Output

The Node mode field confirms that the cluster node decommission worked because the mode is
stand_alone instead of controller or worker.
admin@wf-500> show cluster membership
Service Summary:   wfpc signature
Cluster name:
Address:           10.10.10.86
Host name:         wf-500
Node name:         wfpc-009707000xxx-internal
Serial number:     009707000xxx
Node mode:         stand_alone
Server role:       True
HA priority:
Last changed:      Wed, 15 Feb 2017 00:05:11 -0800
Services:          wfcore signature wfpc infra
Monitor status:
  Serf Health Status: passing
    Agent alive and reachable
Application status:
  wildfire-apps-service: Ready
  global-db-service:     ReadyStandalone
  global-queue-service:  ReadyStandalone
  local-db-service:      ReadyMaster

Required Privilege Level

superuser, deviceadmin

request cluster reboot-local-node

Description

Gracefully reboot the local WildFire cluster node.

Hierarchy Location

request cluster

Syntax

request {
  cluster {
    reboot-local-node;
  }
}

Options

No additional options.

Sample Output

You can verify that the local cluster node has rebooted or is in the process of rebooting in several ways:
- show cluster task local: display tasks requested on the local node.
- show cluster task current: display currently running tasks on the local node or the last completed
  task (controller nodes only).
- show cluster task pending: display tasks that are queued but have not run yet on the local node
  (controller nodes only).
- show cluster task history: display tasks that have been run on the local node (controller nodes
  only).
For example, the following command shows that two cluster node reboot tasks have completed successfully:
admin@qa15(passive-controller)> show cluster task history

Request: reboot from qa16 (009701000044/35533) at 2017-02-17 19:21:53 UTC
Reboot requested by admin
Response: permit by qa15 at 2017-02-17 22:11:31 UTC
request not affecting healthy core server.
Progress: Wait for kv store ready for query...
KV store is ready, wait for cluster leader available...
Cluster leader is 2.2.2.16...
Checking is sysd and clusterd are alive...
Checking if cluster-mgr is ready...
Checking global-db-cluster readiness...
Stopping global-queue server and leaving cluster...
Stopping global-db servers and doing failover...
rebooting...
Finished: success at 2017-02-17 22:17:56 UTC

Request: reboot from qa16 (009701000044/35535) at 2017-02-17 22:45:50 UTC
Reboot requested by admin
Response: permit by qa15 at 2017-02-17 23:06:44 UTC
request not affecting healthy core server.
Progress: Wait for kv store ready for query...
KV store is ready, wait for cluster leader available...
Cluster leader is 2.2.2.15...
Checking is sysd and clusterd are alive...
Checking if cluster-mgr is ready...
Checking global-db-cluster readiness...
Stopping global-queue server and leaving cluster...
Stopping global-db servers and doing failover...
rebooting...
Finished: success at 2017-02-17 23:12:53 UTC

Required Privilege Level

superuser, deviceadmin

request high-availability state

Description

On a WildFire appliance cluster, make the high availability (HA) state of the local controller node or of the
peer controller node functional.

Hierarchy Location

request high-availability

Syntax

request {
  high-availability {
    state {
      functional;
    }
    peer {
      functional;
    }
  }
}

Options

> functional: Make the HA state of the local controller node functional.
> peer: Make the HA state of the peer controller node functional.

Sample Output

The State lines in the output show that the HA state of the local controller node is functional in the
active (primary) controller role and that the HA state of the peer controller node is functional in the passive
(backup) controller role.
admin@wf-500(active-controller)> show high-availability state
High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: primary
Preemptive: no
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.20.112/24
Management IPv6 Address:
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized


Required Privilege Level

superuser, deviceadmin

request high-availability sync-to-remote

Description

On a WildFire appliance cluster, synchronize the local controller node's candidate configuration or running configuration, or the local controller node's clock (time and date), to the remote high availability (HA) peer controller node.

Hierarchy Location

request high-availability

Syntax

request {
  high-availability {
    sync-to-remote {
      candidate-config;
      clock;
      running-config;
    }
  }
}

Options

> candidate-config: Synchronize the candidate configuration on the local peer controller node to the remote HA peer controller node.
> clock: Synchronize the clock (time and date) on the local peer controller node to the remote HA peer controller node.
> running-config: Synchronize the running configuration on the local peer controller node to the remote HA peer controller node.

Sample Output

The highlighted line in the output shows that the HA configuration state is synchronized on the HA peer controller node.
admin@wf-500(active-controller)> show high-availability state
High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: primary
Preemptive: no
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.20.112/24
Management IPv6 Address:
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized

Required Privilege Level

superuser, deviceadmin

request system raid

Description

Use this option to manage the RAID pairs installed in the WildFire appliance. The WF-500 appliance ships with four drives in the first four drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and B2 are a second RAID 1 pair.


Hierarchy Location

request system

Syntax

raid {
  remove <value>;
  OR...
  copy {
    from <value>;
    to <value>;
  }
  OR...
  add {

Options

> add: Add a drive into the corresponding RAID Disk Pair.

> copy: Copy and migrate from one drive to the other drive in the bay.

> remove: Drive to remove from the RAID Disk Pair.

Sample Output

The following output shows a WF-500 appliance with a correctly configured RAID.
admin@WF-500> show system raid

Disk Pair A Available
Disk id A1 Present
Disk id A2 Present
Disk Pair B Available
Disk id B1 Present
Disk id B2 Present

Required Privilege Level

superuser, deviceadmin


request wildfire sample redistribution

Description

Redistribute samples from the local WildFire appliance cluster node to another cluster node while optionally retaining samples on the local node.

Hierarchy Location

request system

Syntax

request {
  wildfire {
    sample {
      redistribution {
        keep-local-copy {no | yes};
        serial-number <value>;
      }
    }
  }
}

Options

* keep-local-copy: Keep or do not keep a copy of the redistributed samples on the local WildFire appliance node.
* serial-number: Serial number of the node to which you redistribute samples.

Sample Output

Storage Nodes displays the other node to which the local node redistributes samples. If the local node is not redistributing samples, only one storage node location displays. If the local node is redistributing samples, Storage Nodes shows two storage node locations. The highlighted output shows the two storage nodes that store samples (the local node and the node to which the local node redistributes samples) and verifies that sample redistribution is occurring.
admin@WF-500> show wildfire global sample-analysis
Last Created 100 Malicious Samples
+--------------+---------------------+---------------------+-----------+---------------------------------------+----------------+---------------+--------------------+
| SHA256       | Finish Date         | Create Date         | Malicious | Storage Nodes                         | Analysis Nodes | Status        | File Type          |
+--------------+---------------------+---------------------+-----------+---------------------------------------+----------------+---------------+--------------------+
| <HASH VALUE> | 2017-03-02 07:50:00 | 2017-03-02 07:50:00 | Yes       | 009701000026:ld2_2,009707000529:ld2_2 | qa120          | Notify Finish | Elink File         |
| <HASH VALUE> | 2017-03-01 22:34:25 | 2017-03-01 22:28:25 | Yes       | 009701000026:ld1_2,009701000043:ld1_2 | qa15           | Notify Finish | Java Class         |
| <HASH VALUE> | 2017-03-02 07:16:56 | 2017-03-02 07:11:28 | Yes       | 009701000026:ld2_2,009701000044:ld2_2 | qa16           | Notify Finish | MS Office document |
| <HASH VALUE> | 2017-03-02 07:08:48 | 2017-03-02 07:02:54 | Yes       | 009701000043:ld2_2,009701000026:ld2_2 | qa14           | Notify Finish | PE32 executable    |
| <HASH VALUE> | 2017-03-02 07:08:58 | 2017-03-02 07:02:51 | Yes       | 009701000044:ld2_2,009701000026:ld2_2 | qa16           | Notify Finish | PE32 executable    |
+--------------+---------------------+---------------------+-----------+---------------------------------------+----------------+---------------+--------------------+
lines 1-10
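
A small checker for the redistribution question the guide raises above, written as an added example (not Palo Alto Networks code): it parses the Storage Nodes column of `show wildfire global sample-analysis` output and flags any locally stored sample that has no second storage node. The table is constructed after the guide's sample and trimmed to four columns, and the local serial number 009701000026 is an assumption.

```python
"""Check WildFire sample redistribution from `show wildfire global sample-analysis`
output. Added example, not Palo Alto Networks code: the table below is constructed
after the guide's sample output, and LOCAL_SERIAL is an assumed serial number."""

# Assumption: the serial number of the node on which the command was run.
LOCAL_SERIAL = "009701000026"

# Constructed sample output (hashes are placeholders; columns trimmed to four).
SAMPLE_OUTPUT = """\
admin@WF-500> show wildfire global sample-analysis
Last Created 100 Malicious Samples
+----------------+---------------------------------------+---------------+--------------------+
| SHA256         | Storage Nodes                         | Status        | File Type          |
+----------------+---------------------------------------+---------------+--------------------+
| <HASH VALUE 1> | 009701000026:ld2_2,009707000529:ld2_2 | Notify Finish | Elink File         |
| <HASH VALUE 2> | 009701000043:ld2_2,009701000026:ld2_2 | Notify Finish | PE32 executable    |
| <HASH VALUE 3> | 009701000026:ld1_2                    | Notify Finish | Java Class         |
| <HASH VALUE 4> | 009701000044:ld2_2,009701000043:ld2_2 | Notify Finish | MS Office document |
+----------------+---------------------------------------+---------------+--------------------+
lines 1-10
"""


def parse_sample_rows(text):
    """Return one dict per table row, keyed by the header cells."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # borders, prompt, pager line
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def storage_nodes(row):
    """Split '009701000026:ld2_2,009707000529:ld2_2' into [(serial, location), ...]."""
    nodes = []
    for item in row["Storage Nodes"].split(","):
        serial, _, location = item.strip().partition(":")
        nodes.append((serial, location))
    return nodes


def redistribution_report(text, local_serial=LOCAL_SERIAL):
    """For every sample stored on the local node, record which other nodes also hold it.

    A sample with no other storage node is one the local node has not redistributed."""
    report = []
    for row in parse_sample_rows(text):
        serials = [serial for serial, _ in storage_nodes(row)]
        if local_serial not in serials:
            continue                      # stored elsewhere; not this node's copy
        peers = sorted(set(serials) - {local_serial})
        report.append({"sha256": row["SHA256"], "peers": peers,
                       "redistributed": bool(peers)})
    return report


def all_redistributed(text, local_serial=LOCAL_SERIAL):
    """True when every locally stored sample also exists on at least one other node."""
    report = redistribution_report(text, local_serial)
    return bool(report) and all(entry["redistributed"] for entry in report)


if __name__ == "__main__":
    for entry in redistribution_report(SAMPLE_OUTPUT):
        state = "OK" if entry["redistributed"] else "LOCAL ONLY"
        print(f"{entry['sha256']}: {state} {entry['peers']}")
    print("all redistributed:", all_redistributed(SAMPLE_OUTPUT))
```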

Required Privilege Level

superuser, deviceadmin

request system wildfire-vm-image

Perform upgrades on the WildFire appliance virtual machine (VM) sandbox images used to analyze files. To retrieve new VM images from the Palo Alto Networks Update Server, you must first download the image manually, host it on an SCP-enabled server, and then retrieve the image from the appliance using the SCP client. After downloading the image to the appliance, you can then install it using this command.

Hierarchy Location

request system

Syntax

request {
  system {
    wildfire-vm-image {
      upgrade install file <value>;
    }
  }
}

Options

> wildfire-vm-image: Install Virtual Machine (VM) images.

+ upgrade install file: Perform an upgrade to the VM image. After the file option, type ? to view a list of available VM images. For example, run the following command to list available images:
admin@WF-500> request system wildfire-vm-image upgrade install file ?

Sample Output

To list available VM images, run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file ?

To install a VM image (Windows 7 64-bit in this example), run the following command:
admin@WF-500> request system wildfire-vm-image upgrade install file WFWin7_64Base_m-1.0.0_64base

Required Privilege Level

superuser, deviceadmin

request wf-content

Perform content updates on a WildFire appliance. These content updates equip the appliance with the most up-to-date threat information for accurate malware detection and improve the appliance's ability to differentiate the malicious from the benign. To schedule content updates to install automatically, see set deviceconfig system update-schedule, and to delete content updates on the WildFire appliance, see delete wildfire metadata.

Hierarchy Location

request

Syntax

request wf-content {
  downgrade install {previous | <value>};
  upgrade {
    check
    download latest
    info
    install {
      file <filename>
      version latest;
    }
  }
}


Options

> downgrade: Installs a previous content version. Use the previous option to install the previously installed content package or enter a value to downgrade to a specific content package number.
> upgrade: Performs content upgrade functions.

> check: Obtain information on available content packages from the Palo Alto Networks Update Server.

> download: Download a content package.

> info: Show information about available content packages.

> install: Install a content package.

> file: Specify the name of the file containing the content package.

> version: Download or upgrade based on the version number of the content package.

Sample Output

To list available content updates, run the following command:
admin@WF-500> request wf-content upgrade check

Version   Size   Released on                Downloaded   Installed
-------------------------------------------------------------------------
2-217     58MB   2014/07/29 13:04:55 PDT    yes          current
2-188     58MB   2014/07/01 13:04:48 PDT    yes          previous
2-221     59MB   2014/08/02 13:04:55 PDT    no           no

Required Privilege Level

superuser, deviceadmin

save wildfire api-key

Description

Use the save command to save all API keys on the WildFire appliance to a file. You can then export the key file for backup purposes or to modify the keys in bulk. For details on using the WildFire API on a WildFire appliance, see the WildFire API Reference.

Hierarchy Location

save


Syntax

save {
  wildfire {
    api-key to <value>;
  }
}

Options

* to: Enter the filename for key export. For example, to export all of the API keys on the WildFire appliance to a file named my-wf-keys, enter the following command:
admin@WF-500> save wildfire api-key to my-wf-keys

Required Privilege Level

superuser, deviceadmin

set wildfire portal-admin

Description

Sets the portal admin account password that an administrator will use to view WildFire analysis reports generated by a WildFire appliance. The account name (admin) and password are required when viewing the report on the firewall or from Panorama in Monitor > WildFire Submissions > View WildFire Report. The default username and password is admin/admin.

The portal admin account is the only account that you configure on the appliance to view reports from the firewall or Panorama. You cannot create new accounts or change the account name. This is not the same admin account used to manage the appliance.

Hierarchy Location

set wildfire

Syntax

set {
  wildfire {
    portal-admin {
      password <value>;
    }
  }
}


Sample Output

The following shows the output of this command.
admin@WF-500> set wildfire portal-admin password
Enter password:
Confirm password:

Required Privilege Level

superuser, deviceadmin

show cluster all-peers

Description

On a WildFire appliance cluster controller node, display the status of all WildFire appliance cluster members, including the WildFire appliance mode (controller or worker), connection status, and application service status.

Hierarchy Location

show cluster

Syntax

all-peers;

Options

No additional options.

Sample Output

admin@thing1(active-controller)> show cluster all-peers
Address Mode Server Node Name
------- ---- ------ ---------
10.10.10.14 controller Self True thing1
Service: infra signature wfcore wfpc
Status: Connected, Server role applied
Changed: Wed, 15 Feb 2017 09:12:01 -0800
WF App:
wildfire-apps-service: Ready
global-db-service: JoinedCluster
global-queue-service: JoinedCluster
siggen-db: ReadyMaster

10.10.10.112 controller Peer True thing2
Service: infra signature wfcore wfpc
Status: Connected, Server role applied
Changed: Wed, 15 Feb 2017 09:13:00 -0800
WF App:
wildfire-apps-service: Ready
global-db-service: ReadyLeader
global-queue-service: ReadyLeader
siggen-db: ReadySlave

Diag report:
10.10.10.112: reported leader '10.10.10.112', age 0.
10.10.10.14: local node passed sanity check.

Required Privilege Level

superuser, deviceadmin

show cluster controller

Description

On a WildFire appliance cluster controller node, display the status of the WildFire appliance cluster controllers, including the cluster name and the role of the local controller node (if the Active Controller field displays True, the local controller is the primary controller; if the Active Controller field displays False, the local controller is the backup controller).

Hierarchy Location

show cluster

Syntax

controller;


Options

No additional options.

Sample Output

admin@thing1(active-controller)> show cluster controller
Cluster name: satriani1
K/V API online: True
Task processing: on
Active Controller: True
DNS Advertisement:
App Service DNS Name:
App Service Avail: 10.10.10.112, 10.10.10.14
Core Servers:
009707000742: 10.10.10.112
009701000043: 10.10.10.14
Good Core Servers: 2
Suspended Nodes:
Current Task:
no tasks found

Required Privilege Level

superuser, deviceadmin

show cluster membership

Description

Show WildFire appliance cluster membership information for the cluster node or standalone WildFire appliance, including the IP address, hostname, WildFire appliance serial number, the appliance's role (Node mode), high availability priority, and application status.

Hierarchy Location

show cluster

Syntax

membership;


Options

No additional options.

Sample Output

You can display cluster membership information for WildFire appliance cluster node members (controller and worker nodes) and standalone WildFire appliances to check whether they belong to a cluster, their application status, and other local host information. The output differs slightly depending on the WildFire appliance's role. The differences are:
* The prompt indicates the active (primary) controller node and the passive (backup) controller node, but does not indicate a worker node or standalone role.
* The Node mode indicates if the WildFire appliance is a controller node, a worker node, or a stand_alone WildFire appliance.
* HA priority displays primary for the active controller node, secondary for the passive (backup) controller node, and the field is blank for worker nodes and standalone WildFire appliances.
* Application status fields display different values in some fields. For global-db-service and global-queue-service, cluster members display ReadyLeader or JoinedCluster, and standalone appliances display ReadyStandalone.
* For siggen-db, the primary controller node of the WildFire appliance cluster displays ReadyMaster, the secondary controller node of the WildFire appliance cluster displays ReadySlave, WildFire appliance cluster worker nodes display Ready, and standalone WildFire appliances display ReadyMaster.

The last four digits of each WildFire appliance serial number are changed to xxxx in the displays to avoid revealing real serial numbers.

Output on the primary controller node in a WildFire appliance cluster:
admin@thing1(active-controller)> show cluster membership
Service Summary: wfpc signature
Cluster name: satriani1
Address: 10.10.10.14
Host name: thing1
Node name: wfpc-00970100xxxx-internal
Serial number: 00970100xxxx
Node mode: controller
Server role: True
HA priority: primary
Last changed: Wed, 15 Feb 2017 09:12:01 -0800
Services: wfcore signature wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
wildfire-apps-service: Ready
global-db-service: JoinedCluster
global-queue-service: JoinedCluster
siggen-db: ReadyMaster


Output on the controller backup node in a WildFire appliance cluster:
admin@thing2(passive-controller)> show cluster membership
Service Summary: wfpc signature
Cluster name: satriani1
Address: 10.10.10.112
Host name: thing2
Node name: wfpc-00970700xxxx-internal
Serial number: 009707000xxxx
Node mode: controller
Server role: True
HA priority: secondary
Last changed: Wed, 15 Feb 2017 09:13:10 -0800
Services: wfcore signature wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
wildfire-apps-service: Ready
global-db-service: ReadyLeader
global-queue-service: ReadyLeader
siggen-db: ReadySlave

Output on a worker node in a WildFire appliance cluster:
admin@grinch> show cluster membership
Service Summary: wfpc
Cluster name: satriani1
Address: 10.10.10.19
Host name: grinch
Node name: wfpc-00970100xxxx-internal
Serial number: 00970100xxxx
Node mode: worker
Server role: True
HA priority:
Last changed: Thu, 09 Feb 2017 15:55:55 -0800
Services: wfcore wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
wildfire-apps-service: Ready
global-db-service: JoinedCluster
global-queue-service: JoinedCluster
siggen-db: Ready

Output on a standalone WildFire appliance (not a WildFire appliance cluster member):
admin@max> show cluster membership
Service Summary: wfpc signature
Cluster name:
Address: 10.10.10.90
Host name: max
Node name: wfpc-00970700xxxx-internal
Serial number: 00970700xxxx
Node mode: stand_alone
Server role: True
HA priority:
Last changed: Mon, 13 Feb 2017 02:54:52 -0800
Services: wfcore signature wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
wildfire-apps-service: Ready
global-db-service: ReadyStandalone
global-queue-service: ReadyStandalone
siggen-db: ReadyMaster
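
The role-dependent values listed above are easy to check mechanically. The following is an added example (not Palo Alto Networks code) that parses `show cluster membership` output and compares Node mode, HA priority and the application status fields with the values the guide says to expect; the worker-node output is constructed after the guide's sample.

```python
"""Parse `show cluster membership` output from a WildFire appliance and check the
application status against what the guide says to expect for the node's role.
Added example, not Palo Alto Networks code; the outputs below are constructed
after the guide's worker-node sample."""

# Allowed application status values per role, as described in the guide.
CLUSTER_DB = {"ReadyLeader", "JoinedCluster"}
EXPECTED = {
    "controller-primary": {"global-db-service": CLUSTER_DB,
                           "global-queue-service": CLUSTER_DB, "siggen-db": {"ReadyMaster"}},
    "controller-secondary": {"global-db-service": CLUSTER_DB,
                             "global-queue-service": CLUSTER_DB, "siggen-db": {"ReadySlave"}},
    "worker": {"global-db-service": CLUSTER_DB,
               "global-queue-service": CLUSTER_DB, "siggen-db": {"Ready"}},
    "stand_alone": {"global-db-service": {"ReadyStandalone"},
                    "global-queue-service": {"ReadyStandalone"}, "siggen-db": {"ReadyMaster"}},
}


def parse_membership(text):
    """Return top-level fields plus 'monitor' and 'apps' sub-dicts."""
    fields, monitor, apps = {}, {}, {}
    target = fields
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Monitor status:":
            target = monitor
            continue
        if line == "Application status:":
            target = apps
            continue
        if ":" not in line:
            continue                       # prompt, 'Agent alive and reachable', etc.
        key, _, value = line.partition(":")
        target[key.strip()] = value.strip()
    fields["monitor"], fields["apps"] = monitor, apps
    return fields


def role_key(fields):
    """Map Node mode (plus HA priority for controllers) onto an EXPECTED key."""
    mode = fields.get("Node mode", "")
    if mode == "controller":
        return "controller-" + fields.get("HA priority", "")
    return mode


def check_node(fields):
    """Return a list of problems; an empty list means the node looks healthy for its role."""
    role = role_key(fields)
    expected = EXPECTED.get(role)
    if expected is None:
        return [f"unexpected Node mode/HA priority combination {role!r}"]
    problems = []
    mode = fields["Node mode"]
    if mode == "stand_alone" and fields.get("Cluster name"):
        problems.append("stand_alone appliance reports a cluster name")
    if mode != "stand_alone" and not fields.get("Cluster name"):
        problems.append("cluster member reports no cluster name")
    if mode != "controller" and fields.get("HA priority"):
        problems.append(f"{mode} node should have a blank HA priority")
    if fields["monitor"].get("Serf Health Status") != "passing":
        problems.append("Serf Health Status is not passing")
    apps = fields["apps"]
    if apps.get("wildfire-apps-service") != "Ready":
        problems.append("wildfire-apps-service is not Ready")
    for service, allowed in expected.items():
        if apps.get(service) not in allowed:
            problems.append(f"{service}: {apps.get(service)!r}, expected one of {sorted(allowed)}")
    return problems


# Constructed worker-node output, modelled on the guide's sample.
WORKER_OUTPUT = """\
admin@grinch> show cluster membership
Service Summary: wfpc
Cluster name: satriani1
Address: 10.10.10.19
Host name: grinch
Node name: wfpc-00970100xxxx-internal
Serial number: 00970100xxxx
Node mode: worker
Server role: True
HA priority:
Last changed: Thu, 09 Feb 2017 15:55:55 -0800
Services: wfcore wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
wildfire-apps-service: Ready
global-db-service: JoinedCluster
global-queue-service: JoinedCluster
siggen-db: Ready
"""

# Same node, but with two values that should never appear on a worker.
BROKEN_OUTPUT = (WORKER_OUTPUT.replace("HA priority:", "HA priority: primary")
                 .replace("siggen-db: Ready", "siggen-db: ReadyMaster"))

if __name__ == "__main__":
    for name, text in (("worker", WORKER_OUTPUT), ("broken", BROKEN_OUTPUT)):
        print(name, check_node(parse_membership(text)) or "healthy")
```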

Required Privilege Level

superuser, deviceadmin

show cluster task

Description

Show WildFire appliance cluster task information for the local cluster node or for all cluster nodes, or display the completed cluster task history or pending cluster tasks.

Hierarchy Location

show cluster

Syntax

task {
  current;
  history;
  local;
  pending;
}


Options

> current: Display tasks currently allowed on the WildFire appliance cluster. Available only on cluster controller nodes.
> history: Display completed cluster tasks. Available only on cluster controller nodes.
> local: Display pending tasks on the local WildFire appliance cluster node.
> pending: Display pending tasks for the entire WildFire appliance cluster. Available only on cluster controller nodes.

Sample Output

admin@WF-500(active-controller)> show cluster task local
Request: reboot from WF-500 (009701000034/74702) at 2017-02-21 03:06:45 UTC
Reboot requested by admin
Queued: by WF-500
2/3 core servers available. reboot not allowed to maintain quorum

Request: reboot from WF-500 (009701000034/74704) at 2017-02-21 03:10:27 UTC
Reboot requested by admin
Queued: by WF-500
2/3 core servers available. reboot not allowed to maintain quorum

admin@WF-500(active-controller)> show cluster task current
no tasks found

admin@WF-500(active-controller)> show cluster task pending
Request: reboot from WF-500 (009701000034/74702) at 2017-02-21 03:06:45 UTC
Reboot requested by admin
Queued: by WF-500
2/3 core servers available. reboot not allowed to maintain quorum

Request: reboot from WF-500 (009701000034/74704) at 2017-02-21 03:10:27 UTC
Reboot requested by admin
Queued: by WF-500
2/3 core servers available. reboot not allowed to maintain quorum

admin@WF-500B(passive-controller)> show cluster task history
Request: reboot from WF-500 (009701000044/35533) at 2017-02-17 19:21:53 UTC
Reboot requested by admin
Response: permit by WF-500B at 2017-02-17 22:11:31 UTC
request not affecting healthy core server.
Progress: Wait for kv store ready for query...
KV store is ready, wait for cluster leader available...
Cluster leader is 10.10.10.100...
Checking is sysd and clusterd are alive...
Checking if cluster-mgr is ready...
Checking global-db-cluster readiness...
Stopping global-queue server and leaving cluster...
Stopping global-db servers and doing failover...
rebooting...
Finished: success at 2017-02-17 22:17:56 UTC

Required Privilege Level

superuser, deviceadmin

show high-availability all

Description

Show all WildFire appliance cluster high availability (HA) information, including HA control link, HA state, and HA transition information, peer software, content update, and antivirus compatibility information, and peer connection and role information.

Hierarchy Location

show high-availability

Syntax

all;

Options

No additional options.

Sample Output

admin@thing1(active-controller)> show high-availability all
High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Link Monitor Interval: 3000 ms
Encryption Enabled: no
HA1 Control Link Information:
IP Address: 10.10.10.140/24
MAC Address: 00:00:5e:00:53:ff
Interface: eth3
Link State: Up; Setting: 1Gb/s-full
Key Imported : no
Election Option Information:
Priority: primary
Preemptive: no
Promotion Hold Interval: 2000 ms
Hello Message Interval: 8000 ms
Heartbeat Ping Interval: 2000 ms
Preemption Hold Interval: 1 min
Monitor Fail Hold Up Interval: 0 ms
Addon Master Hold Up Interval: 500 ms
Version Information:
Build Release: 8.0.1-c31
URL Database: Not Installed
Application Content: 497-2688
Anti-Virus: 0
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.30/24
Management IPv6 Address:
HA1 Control Link Information:
IP Address: 10.10.10.130
MAC Address: 00:00:5e:00:53:00
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Version Information:
Build Release: 8.0.1-c31
URL Database: Not Installed
Application Content: 497-2688
Anti-Virus: 0
Initial Monitor Hold inactive; Allow Network/Links to Settle:
Link and path monitoring failures honored
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized


Required Privilege Level

superuser, deviceadmin

show high-availability control-link

Description

Show WildFire appliance cluster high availability (HA) statistics for the HA control link between the primary and backup controller nodes, including the number of different types of messages transmitted and received on the HA control link, connection failures, and ping activity.

Hierarchy Location

show high-availability

Syntax

control-link {
  statistics;
}

Options

> statistics: Display WildFire appliance cluster controller node HA control link statistics.

Sample Output

admin@thing1(active-controller)> show high-availability control-link statistics
High-Availability:
Control Link Statistics:
HA1:
Messages-TX : 13408
Messages-RX : 13408
Capability-Msg-TX : 2
Capability-Msg-RX : 2
Error-Msg-TX : 0
Error-Msg-RX : 0
Preempt-Msg-TX : 0
Preempt-Msg-RX : 0
Preempt-Ack-Msg-TX : 0
Preempt-Ack-Msg-RX : 0
Primary-Msg-TX : 1
Primary-Msg-RX : 1
Primary-Ack-Msg-TX : 1
Primary-Ack-Msg-RX : 1
Hello-Msg-TX : 13402
Hello-Msg-RX : 13402
Hello-Timeouts : 0
Hello-Failures : 0
MasterKey-Msg-TX : 1
MasterKey-Msg-RX : 1
MasterKey-Ack-Msg-TX : 1
MasterKey-Ack-Msg-RX : 1
Connection-Failures : 0
Connection-Tries-Failures : 12
Connection-Listener-Tries : 1
Connection-Active-Tries : 12
Ping-TX : 53614
Ping-Fail-TX : 0
Ping-RX : 53613
Ping-Timeouts : 0
Ping-Failures : 0
Ping-Error-Msgs : 0
Ping-Other-Msgs : 0
Ping-Last-Rsp : 1

Required Privilege Level

superuser, deviceadmin

show high-availability state

Description

Show WildFire appliance cluster high availability (HA) state information for the local and peer cluster controller nodes, including whether the controller node is active (primary) or passive (backup) and how long the controller node has been in that state, the HA configuration, whether the local and peer controller node configurations are synchronized, and software, content update, and antivirus version compatibility between controller node peers.

Hierarchy Location

show high-availability


Syntax

state;

Options

No additional options.

Sample Output

admin@thing1(active-controller)> show high-availability state

High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: primary
Preemptive: no
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.30/24
Management IPv6 Address:
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized
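
Added example, not Palo Alto Networks code: a parser for the `show high-availability state` output above that reports when the controller pair is not one active plus one passive, the HA1 connection is down, versions do not match, or the running configuration is not synchronized. The output it runs on is constructed after the guide's sample.

```python
"""Parse `show high-availability state` output from a WildFire cluster controller
and report anything that means the HA pair is not functional or not in sync.
Added example, not Palo Alto Networks code; the output below is constructed
after the guide's sample."""

SECTIONS = {"Local Information:": "local", "Peer Information:": "peer",
            "Configuration Synchronization:": "sync"}


def parse_ha_state(text):
    """Return {'local': {...}, 'peer': {...}, 'sync': {...}} of key/value pairs.

    Sub-headings such as 'Device Information:' carry no value and are skipped,
    so the fields nested under them land in the enclosing section."""
    state = {name: {} for name in SECTIONS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            current = SECTIONS[line]
            continue
        if current is None or ":" not in line:
            continue                      # prompt, 'Connection up; Primary HA1 link'
        key, _, value = line.partition(":")
        if value.strip():
            state[current][key.strip()] = value.strip()
    return state


def ha_problems(state):
    """Return a list of problems; empty means one active and one passive controller,
    connected, version-compatible and configuration-synchronized."""
    local, peer, sync = state["local"], state["peer"], state["sync"]
    problems = []
    # 'active-controller (last 1 days)' -> 'active-controller'
    roles = {side.get("State", "").split(" ")[0] for side in (local, peer)}
    if roles != {"active-controller", "passive-controller"}:
        problems.append(f"controller roles are {sorted(roles)}, expected one active and one passive")
    if peer.get("Connection status") != "up":
        problems.append(f"HA1 connection to peer is {peer.get('Connection status')!r}")
    for field in ("Software Version", "Application Content Compatibility",
                  "Anti-Virus Compatibility"):
        if local.get(field) != "Match":
            problems.append(f"{field}: {local.get(field)!r}")
    if local.get("Priority") == peer.get("Priority"):
        problems.append("both controllers report the same HA priority")
    if sync.get("Enabled") != "yes" or sync.get("Running Configuration") != "synchronized":
        problems.append("running configuration is not synchronized to the peer")
    return problems


# Constructed output, modelled on the guide's sample.
HEALTHY_OUTPUT = """\
admin@thing1(active-controller)> show high-availability state
High-Availability:
Local Information:
Version: 1
State: active-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.14/24
Management IPv6 Address:
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: primary
Preemptive: no
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Peer Information:
Connection status: up
Version: 1
State: passive-controller (last 1 days)
Device Information:
Management IPv4 Address: 10.10.10.30/24
Management IPv6 Address:
Connection up; Primary HA1 link
Election Option Information:
Priority: secondary
Preemptive: no
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized
"""

# Same output with the peer link down and a software version mismatch.
DEGRADED_OUTPUT = (HEALTHY_OUTPUT.replace("Connection status: up", "Connection status: down")
                   .replace("Software Version: Match", "Software Version: Mismatch"))

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        print(name, ha_problems(parse_ha_state(text)) or "ok")
```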

Required Privilege Level

superuser, deviceadmin


show high-availability transitions

Description

Show WildFire appliance cluster high availability (HA) transition information about events that occur during HA switchovers for the cluster controller nodes.

Hierarchy Location

show high-availability

Syntax

transitions;

Options

No additional options.

Sample Output

admin@thing1(active-controller)> show high-availability transitions
High-Availability:
Transition Statistics:
Unknown : 1
Suspended : 0
Initial : 0
Non-Functional : 0
Passive : 0
Active : 3

Required Privilege Level

superuser, deviceadmin


show system raid

Description

Show the RAID configuration of the WildFire appliance. The WF-500 appliance ships with four drives in the first four drive bays (A1, A2, B1, B2). Drives A1 and A2 are a RAID 1 pair and drives B1 and B2 are a second RAID 1 pair.

Hierarchy Location

show system

Syntax

raid {
  detail;
}

Options

No additional options.

Sample Output

The following shows the RAID configuration on a functioning WF-500 appliance.
admin@WF-500> show system raid detail

Disk Pair A Available
Status clean
Disk id A1 Present
model : ST91000640NS
size : 953869 MB
partition_1 : active sync
partition_2 : active sync
Disk id A2 Present
model : ST91000640NS
size : 953869 MB
partition_1 : active sync
partition_2 : active sync
Disk Pair B Available
Status clean
Disk id B1 Present
model : ST91000640NS
size : 953869 MB
partition_1 : active sync
partition_2 : active sync
Disk id B2 Present
model : ST91000640NS
size : 953869 MB
partition_1 : active sync
partition_2 : active sync

Required Privilege Level

superuser, superreader

submit wildfire local-verdict-change

Description

Changes locally generated WildFire verdicts for samples submitted from the firewall. Verdict changes apply only to those samples submitted to the WildFire appliance, and the verdict for the same sample remains unchanged in the WildFire global cloud. You can view samples with changed verdicts using the show wildfire global command.
The WildFire private cloud content package is updated to reflect any verdict changes that you make (on the firewall, select Device > Dynamic Updates > WF-Private to enable WildFire private cloud content updates). When you change a sample verdict to malicious, the WildFire appliance generates a new signature to detect the malware and adds that signature to the WildFire private cloud content package. When you change a sample verdict to benign, the WildFire appliance removes the signature from the WildFire private cloud content package.
There is also an API call which can be used to change the verdicts of local samples. Refer to the WildFire API Reference for more information.

Hierarchy Location

submit wildfire

Syntax

submit {
  wildfire {
    local-verdict-change {
      hash <value>;
      verdict <value>;
      comment <value>;
    }
  }
}


Options

* hash: Specify the SHA256 hash of the file for which you want to change the verdict.

* verdict: Enter the new file verdict: 0 indicates a benign sample; 1 indicates malware; 2 indicates grayware.

* comment: Include a comment to describe the verdict change.

Sample Output

The following shows the output of this command.
admin@WF-500> submit wildfire local-verdict-change comment test hash c323891a87a8c43780b0f2377de2efc8bf856f02dd6b9e46e97f4a9652814b5c verdict 2
Please enter 'Y' to commit: (y or n)

verdict is changed (old verdict: 1, new verdict:2)

Required Privilege Level

superuser, deviceadmin

show wildfire

Description

Shows various information about the WildFire appliance, such as global and local device and sample-related details, appliance status, and the virtual machine that is selected to perform analysis.

Hierarchy Location

show wildfire

Syntax

status;
vm-images;

Options

admin@WF-500> show wildfire

> status: Display the status of the appliance as well as configuration information such as the Virtual Machine (VM) used for sample analysis, whether or not samples/reports are sent to the cloud, VM network, and registration information.
> vm-images: Display the attributes of the available virtual machine images used for sample analysis. To view the current active image, run the following command: admin@WF-500> show wildfire status and view the Selected VM field.

Sample Output

The following shows the output for this command.

admin@WF-500> show wildfire status

Connection info:
Wildfire cloud: s1.wildfire.paloaltonetworks.com
Status: Idle
Submit sample: disabled
Submit report: disabled
Selected VM: vm-5
VM internet connection: disabled
VM network using Tor: disabled
Best server: s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 10.3.4.99
Signature verification: enable
Server selection: enable
Through a proxy: no

admin@WF-500> show wildfire vm-images

Supported VM images:
vm-1
Windows XP, Adobe Reader 9.3.3, Flash 9, Office 2003. Support PE, PDF, Office 2003 and
earlier
vm-2
Windows XP, Adobe Reader 9.4.0, Flash 10n, Office 2007. Support PE, PDF, Office 2007
and earlier
vm-3
Windows XP, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010 and
earlier
vm-4
Windows 7 32bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010
and earlier
vm-5
Windows 7 64bit, Adobe Reader 11, Flash 11, Office 2010. Support PE, PDF, Office 2010
and earlier
vm-6
Windows XP, Internet Explorer 8, Flash 11. Support E-MAIL Links


Required Privilege Level

superuser, superreader

show wildfire global

Description

Shows various information about global devices and the status of samples, such as available API keys, registration information, sample verdict changes, activity, and recent samples that the appliance analyzed.

Hierarchy Location

show wildfire global

Syntax

api-keys {
  all {
    details;
  }
  key <value>;
}
devices-reporting-data;
last-device-registration {
  all;
}
local-verdict-change {
  all;
  sha256 <value>;
}
sample-analysis {
  number;
  type;
}
sample-status {
  sha256 {
    equal <value>;
  }
}
signature-status {
  sha256 {
    equal <value>;
  }
}

Options

admin@WF-500> show wildfire global


> api-keys  Show details about the API keys generated on the WildFire appliance. You can view the last time the key was used, the key name, status (Enabled or Disabled), and the date/time the key was generated.
> devices-reporting-data  Show list of latest registration activities.
> last-device-registration  Show list of latest registration activities.
> local-verdict-change  Shows samples with changed verdicts.
> sample-analysis  Show wildfire analysis results for up to a maximum of 1,000 samples.
> sample-status  Show wildfire sample status. Enter the SHA256 value of the file to view the current analysis status.
> signature-status  Show wildfire signature status. Enter the SHA256 value of the file to view the current analysis status.

Sample Output

The following shows the output for this command.
admin@WF-500> show wildfire global api-keys all
+------------+-----------+---------+---------------------+---------------------+
| Apikey | Name | Status | Create Time | Last Used Time |
+------------+-----------+---------+---------------------+---------------------+
| <API KEY> | happykey1 | Enabled | 2017-03-01 23:21:02 | 2017-03-01 23:21:02 |
+------------+-----------+---------+---------------------+---------------------+

admin@WF-500> show wildfire global devices-reporting-data


+------------+---------------------+-------------+------------+----------+--------+
| Device ID  | Last Registered     | Device IP   | SW Version | HW Model | Status |
+------------+---------------------+-------------+------------+----------+--------+
| test_WF500 | 2017-03-01 22:28:25 | 10.1.1.1 | 8.0 | PA-200 | OK |
+------------+---------------------+-------------+------------+----------+--------+

admin@WF-500> show wildfire global last-device-registration all


+--------------+---------------------+-------------+------------+----------+--------+
| Device ID | Last Registered | Device IP | SW Version | HW Model | Status |
+--------------+---------------------+-------------+------------+----------+--------+
| 001606000114 | 2014-07-31 12:35:53 | 10.43.14.24 | 6.1.0-b14 | PA-200 | OK |
+--------------+---------------------+-------------+------------+----------+--------+

admin@WF-500> show wildfire global local-verdict-change


+------------------------------------------------------------------+---------+--------+
| SHA256                                                           | Verdict | Source |
+------------------------------------------------------------------+---------+--------+
| c883b5d2e16d22b09b176ca0786128f8064d47edf26186b95845aa3678868496 | 2 -> 1  | Yes    |
+------------------------------------------------------------------+---------+--------+

admin@WF-500> show wildfire global sample-analysis

Last Created 100 Malicious Samples


+--------------+---------------------+---------------------+-----------+
| SHA256 | Finish Date | Create Date | Malicious |
+--------------+---------------------+---------------------+-----------+
| <HASH VALUE> | 2017-03-01 23:27:57 | 2017-03-01 23:27:57 | Yes |
+--------------+---------------------+---------------------+-----------+
+----------------------+----------------+---------------+----------------+
| Storage Nodes | Analysis Nodes | Status | File Type |
+----------------------+----------------+---------------+----------------+
| 00926ld1_2,0094:d1_2 | qa16 | Notify Finish | Elink File |
+----------------------+----------------+---------------+----------------+

Last Created 100 Non-malicious Samples


+--------------+---------------------+---------------------+-----------+
| SHA256 | Finish Date | Create Date | Malicious |
+--------------+---------------------+---------------------+-----------+
| <HASH VALUE> | 2017-03-01 23:31:15 | 2017-03-01 23:24:29 | No |
+--------------+---------------------+---------------------+-----------+
+----------------------+----------------+---------------+--------------------+
| Storage Nodes | Analysis Nodes | Status | File Type |
+----------------------+----------------+---------------+--------------------+
| 0712:smp_27,94:smp_7 | qa16 | Notify Finish | MS Office document |
+----------------------+----------------+---------------+--------------------+

admin@WF-500> show wildfire global sample-status sha256 equal dc9f3a2a053c825e7619581f3b31d53296fe41658b924381b60aee3eeea4c088

+---------------------+---------------------+-----------+----------------------------+
| Finish Date | Create Date | Malicious | Storage Nodes |
+---------------------+---------------------+-----------+----------------------------+
| 2017-03-01 22:34:17 | 2017-03-01 22:28:23 | No | 009026:smp_27,097010smp_27 |
+---------------------+---------------------+-----------+----------------------------+

+----------------+---------------+------------------+
| Analysis Nodes | Status | File Type |
+----------------+---------------+------------------+
| qa15 | Notify Finish | Adobe Flash File |
+----------------+---------------+------------------+

admin@WF-500> show wildfire global signature-status sha256 equal c883b5d2e16d22b09b176ca0786128f8064d47edf26186b95845aa3678868496

Signature Name: Virus/Win32.WPCGeneric.cr


Current Status: released
Release History:
+---------------+---------------------+---------+-------------+----------+
| Build Version | Timestamp           | UTID    | Internal ID | Status   |
+---------------+---------------------+---------+-------------+----------+
| 155392        | 2017-02-03 10:11:06 | 5000259 | 10411       | released |
+---------------+---------------------+---------+-------------+----------+

Required Privilege Level

superuser, superreader

show wildfire local

Description

Shows various information about local devices and samples, activity, recent samples that the appliance analyzed, and basic WildFire statistics.

Hierarchy Location

show wildfire local

Syntax

latest {
  analysis {
    filter malicious|benign;
    sort-by SHA256|Submit Time|Start Time|Finish Time|Malicious|Status;
    sort-direction asc|desc;
    limit 1-20000;
    days 1-7;
  }
  OR...
  samples {
    filter malicious|benign;
    sort-by SHA256|Create Time|File Name|File Type|File Size|Malicious|Status;
    sort-direction asc|desc;
    limit 1-20000;
    days 1-7;
  }
}
sample-status {
  sha256 {
    equal <value>;
  }
}
statistics days <1-31> | hours <0-24> | minutes <0-60>;


Options

admin@WF-500> show wildfire local


> latest  Show the latest 30 activities, which include the last 30 analysis activities, the last 30 files that were analyzed, network session information on files that were analyzed, and files that were uploaded to the public cloud server.
> sample-status  Show wildfire sample status. Enter the SHA256 value of the file to view the current analysis status.
> statistics  Display basic wildfire statistics.

Sample Output

The following shows the output for this command.

admin@WF-500> show wildfire latest analysis


Latest analysis information:
+-------------+---------------------+---------------------+---------------------+
| SHA256 | Submit Time | Start Time | Finish Time |
+-------------+---------------------+---------------------+---------------------+
| <HASH VALUE>| 2017-03-01 14:28:26 | 2017-03-01 14:28:26 | 2017-03-01 14:34:24 |
| <HASH VALUE>| 2017-03-01 14:28:25 | 2017-03-01 14:28:25 | 2017-03-01 14:28:41 |
| <HASH VALUE>| 2017-03-01 14:28:25 | 2017-03-01 14:28:25 | 2017-03-01 14:28:26 |
+-------------+---------------------+---------------------+---------------------+
+------------+-----------------------------------------------------------+-----------+
| Malicious | VM Image | Status |
+------------+-----------------------------------------------------------+-----------+
| Yes | Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010 | completed |
| No | Java/Jar Static Analyzer | completed |
| Suspicious | Java/Jar Static Analyzer | completed |
+------------+-----------------------------------------------------------+-----------+

admin@WF-500> show wildfire latest samples

Latest samples information:


+--------------+---------------------+----------------+---------------+
| SHA256 | Create Time | File Name | File Type |
+--------------+---------------------+----------------+---------------+
| <HASH VALUE> | 2017-03-01 14:28:25 | | JAVA Class |
| <HASH VALUE> | 2017-03-01 14:28:25 | | JAVA Class |
| <HASH VALUE> | 2017-03-01 14:28:25 | | PE |
+--------------+---------------------+----------------+---------------+
+--------------+-----------+-------------------+
| File Size    | Malicious | Status            |
+--------------+-----------+-------------------+
| 20,407       | No        | analysis complete |
| 1,584        | Yes       | analysis complete |
| 259,024      | No        | analysis complete |
+--------------+-----------+-------------------+

admin@WF-500> show wildfire local sample-status sha256 equal 0f2114010d00d7fa453177de93abca9643f4660457536114898c56149f819a9b

Sample information:
+---------------------+-----------+-----------------------------------+
| Create Time | File Name | File Type |
+---------------------+-----------+-----------------------------------+
| 2017-03-01 22:28:24 | rmr.doc | Microsoft Word 97 - 2003 Document |
+---------------------+-----------+-----------------------------------+
+-----------+-----------+-------------------+
| File Size | Malicious | Status |
+-----------+-----------+-------------------+
| 133120 | Yes | analysis complete |
+-----------+-----------+-------------------+
Analysis information:
+---------------------+---------------------+---------------------+------------+
| Submit Time | Start Time | Finish Time | Malicious |
+---------------------+---------------------+---------------------+------------+
| 2017-03-01 22:28:24 | 2017-03-01 22:28:24 | 2017-03-01 22:28:24 | Suspicious |
| 2017-03-01 22:28:24 | 2017-03-01 22:28:24 | 2017-03-01 22:34:07 | Yes |
+---------------------+---------------------+---------------------+------------+
+-----------------------------------------------------------+-----------+
| VM Image | Status |
+-----------------------------------------------------------+-----------+
| DOC/CDF Static Analyzer | completed |
| Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010 | completed |
+-----------------------------------------------------------+-----------+

admin@WF-500> show wildfire local statistics

Current Time: 2017-03-01 17:44:31


Received After: 2017-02-28 17:44:31
Received Before: 2017-03-01 17:44:31

-------------------------------------------------------------------------------------
| Wildfire Stats |
+-----------------------------------------------------------------------------------+
|+----------------------------------------------------------------------------------+|
|| Executable ||
|+---------------------------------------------------------------------------------+|
|| FileType | Submitted | Analyzed | Pending | Malware | Grayware | Benign | Error ||
|+---------------------------------------------------------------------------------+|
|| exe | 2 | 2 | 0 | 0 | 0 | 2 | 0 ||
|+---------------------------------------------------------------------------------+|
|| dll | 0 | 0 | 0 | 0 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|

Environment Analysis Summary for Executable:

VM Utilization : 0/10
Files Analyzed : 2

+-----------------------------------------------------------------------------------+
|| Non-Executable ||
|+---------------------------------------------------------------------------------+|
|| FileType | Submitted | Analyzed | Pending | Malware | Grayware | Benign | Error ||
|+---------------------------------------------------------------------------------+|
|| pdf | 0 | 0 | 0 | 0 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|
|| jar | 0 | 0 | 0 | 0 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|
|| doc | 1 | 1 | 0 | 1 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|
|| ppt | 0 | 0 | 0 | 0 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|
|| xls | 0 | 0 | 0 | 0 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|
|| docx | 0 | 0 | 0 | 0 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|
|| pptx | 0 | 0 | 0 | 0 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|
|| xlsx | 0 | 0 | 0 | 0 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|
|| rtf | 0 | 0 | 0 | 0 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|
|| class | 2 | 2 | 0 | 1 | 0 | 1 | 0 ||
|+---------------------------------------------------------------------------------+|
|| swf | 1 | 1 | 0 | 0 | 0 | 1 | 0 ||
|+---------------------------------------------------------------------------------+|

Environment Analysis Summary for Non-Executable:


VM Utilization : 0/16
Files Analyzed : 4

+-----------------------------------------------------------------------------------+
|| Links ||
|+---------------------------------------------------------------------------------+|
|| FileType | Submitted | Analyzed | Pending | Malware | Grayware | Benign | Error ||
|+---------------------------------------------------------------------------------+|
|| elink | 1 | 1 | 0 | 1 | 0 | 0 | 0 ||
|+---------------------------------------------------------------------------------+|

Environment Analysis Summary for Links:


Files Analyzed : 1

----------------------------------------------------------
|                      General Stats                     |
+--------------------------------------------------------+

Total Disk Usage: 67/1283(GB) (5%)

+-----------------+-------------------+--------------+
|                    Sample Queue                    |
+-----------------+-------------------+--------------+
| SUBMITTED       | ANALYZED          | PENDING      |
+-----------------+-------------------+--------------+
| 7               | 7                 | 0            |
+-----------------+-------------------+--------------+

+-------------+-------------+-------------+-------------+
|                        Verdicts                       |
+-------------+-------------+-------------+-------------+
| Malware     | Grayware    | Benign      | Error       |
+-------------+-------------+-------------+-------------+
| 3           | 0           | 4           | 0           |
+-------------+-------------+-------------+-------------+

+---------------------------+---------------------------+
|                Session and Upload Count               |
+---------------------------+---------------------------+
| Sessions                  | Uploads                   |
+---------------------------+---------------------------+
| 7                         | 5                         |
+---------------------------+---------------------------+

Required Privilege Level

superuser, superreader
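The bordered tables that show wildfire global local-verdict-change prints and the ||-framed per-file-type rows of show wildfire local statistics are what an operator would feed into a monitor (a verdict that moved to malware, a file type with a backlog or errors). The following is an added example, not code from the WildFire guide: a small parser for both layouts, run over sample rows constructed from the guide's printed output, with an assumed mapping of the numeric verdict codes, an invented pdf row, and hypothetical function names.

```python
# Added example, not from the WildFire guide: parse the +---+ tables printed by
# `show wildfire global ...` and the ||-framed rows of `show wildfire local
# statistics` into structures a monitor can check. Samples are constructed.
import re

# Constructed from the guide's `show wildfire global local-verdict-change`.
VERDICT_TABLE = """\
+--------+---------+--------+
| SHA256 | Verdict | Source |
+--------+---------+--------+
| c883b5d2e16d22b09b176ca0786128f8064d47edf26186b95845aa3678868496| 2 -> 1 | Yes |
+--------+---------+--------+
"""
# Constructed from the guide's `show wildfire local statistics` (the pdf row is
# invented to show a backlog; the header repeats as it does between sections).
STATS_OUTPUT = """\
|| FileType | Submitted | Analyzed | Pending | Malware | Grayware | Benign | Error ||
|+-------------------------------------------------------------------------------+|
|| exe | 2 | 2 | 0 | 0 | 0 | 2 | 0 ||
|| FileType | Submitted | Analyzed | Pending | Malware | Grayware | Benign | Error ||
|| pdf | 3 | 2 | 1 | 0 | 0 | 2 | 0 ||
|| doc | 1 | 1 | 0 | 1 | 0 | 0 | 0 ||
"""
# Assumed meaning of the numeric verdict codes; the guide's sample prints only
# "2 -> 1" and does not name them.
VERDICT_NAMES = {"0": "benign", "1": "malware", "2": "grayware"}

def parse_table(text):
    """Rows of a pipe-delimited table as dicts keyed by the first multi-cell row.
    Borders, one-cell titles and repeated headers are skipped, so stacked sections merge."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or set(line) <= set("|+- "):
            continue  # blank line, prose, or a +---+ border
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 2 or cells == header:
            continue  # section title such as "Executable", or a repeated header
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def verdict_changes(rows):
    """Map local-verdict-change rows to (sha256, old verdict, new verdict)."""
    changes = []
    for row in rows:
        m = re.fullmatch(r"(\d+)\s*->\s*(\d+)", row["Verdict"])
        if m:
            old, new = (VERDICT_NAMES.get(v, v) for v in m.groups())
            changes.append((row["SHA256"], old, new))
    return changes

def stats_findings(rows):
    """(file type, column, count) for every Pending or Error count above zero."""
    return [(r["FileType"], k, int(r[k])) for r in rows
            for k in ("Pending", "Error") if int(r[k]) > 0]
```

A verdict change to malware is the case worth alerting on, since the sample was earlier allowed through under its old verdict.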

test wildfire registration

Description

Performs a test to check the registration status of a WildFire appliance or Palo Alto Networks firewall to a WildFire server. If the test is successful, the IP address or server name of the WildFire server is displayed. A successful registration is required before a WildFire appliance or firewall can forward files to the WildFire server.

Syntax

test {
wildfire {
registration;
}
}


Options

No additional options.

Sample Output

The following shows a successful output on a firewall that can communicate with a WildFire appliance. If this is a WildFire appliance pointing to the Palo Alto Networks WildFire cloud, the server name of one of the cloud servers is displayed in the select the best server: field.
Test wildfire
wildfire registration: successful
download server list: successful
select the best server: ca-s1.wildfire.paloaltonetworks.com

Required Privilege Level

superuser, superreader
