PAN-OS: WildFire Forwarding of Decrypted SSL/TLS Traffic

Introduction: Why Decryption Matters for WildFire

The vast majority of modern web and application traffic, including malware delivery and command-and-control (C2) communication, is encrypted using SSL/TLS. While WildFire is designed to analyze unknown files and links, it cannot analyze what it cannot see. If malicious files or links are hidden within encrypted sessions, the firewall's standard WildFire submission mechanisms (based on file type identification) will be bypassed.

Therefore, SSL Decryption (specifically SSL Forward Proxy for outbound traffic and potentially SSL Inbound Inspection for inbound traffic) is a critical prerequisite for enabling effective WildFire analysis of files transferred over encrypted channels like HTTPS, SMTPS, IMAPS, POP3S, etc.

This page focuses on how to ensure that files revealed through the decryption process are correctly forwarded to WildFire for analysis.

The Workflow: Decrypt First, Then Analyze

When both SSL Decryption and WildFire Analysis are configured, the process for handling an encrypted file download (e.g., via HTTPS) typically follows these steps:

  1. Client Request: Internal client requests a file from an external HTTPS server.
  2. Firewall Intercept & Decryption Policy Match: The initial HTTPS connection attempt matches a Decryption Policy rule with Action `Decrypt` and Type `SSL Forward Proxy`.
  3. Decryption Occurs: The firewall performs the SSL Forward Proxy MITM process, establishing separate encrypted sessions with the client and the server, gaining access to the cleartext data stream.
  4. Security Policy Match & Profile Application: The cleartext stream (now identifiable by App-ID, potentially as the specific application like `web-browsing` or `file-sharing`) matches a Security Policy rule with Action `Allow`. Crucially, this Security Policy rule must have both a WildFire Analysis profile and relevant Security Profiles (like Antivirus) attached.
  5. File Identification (Post-Decryption): As the file data flows through the decrypted session, the firewall's engines identify it (e.g., as a PDF, PE file).
  6. WildFire Analysis Profile Check: The firewall checks the attached WildFire Analysis Profile to see if this specific file type, application context, and traffic direction are configured for forwarding.
  7. Verdict Check: The firewall checks its local cache or queries the WildFire cloud for a known verdict for the file's hash.
  8. Forwarding Decision: If the verdict is unknown AND the file matches the WildFire Analysis Profile criteria, the firewall forwards the decrypted file content to the configured WildFire cloud or appliance.
  9. Delivery to Client: Concurrently (unless using WildFire Hold Mode), the file transfer to the client continues while analysis happens in the background.
  10. Verdict & Protection: WildFire returns a verdict. If malicious, signatures are generated and distributed via Content Updates for future protection. The firewall logs the submission and verdict.

The key is that the WildFire Analysis profile operates on the *decrypted* data stream made visible by the SSL Decryption process and allowed by the Security Policy.

Visualization

```mermaid
graph TD
    Client[Internal Client] -- 1. HTTPS Request --> FW(Firewall);
    subgraph Firewall Processing Stages
        subgraph Stage 1: Decryption
            DecPol{Decryption Policy\n*Action: Decrypt*\n*Type: SSL Fwd Proxy*} -- Matches --> Traffic;
            Traffic --> DecryptEng[Decryption Engine\n*Performs MITM*];
        end
        subgraph Stage 2: Security Policy & Inspection
            DecryptEng --> CleartextStream[Cleartext Data Stream];
            CleartextStream --> SecPol{Security Policy\n*Action: Allow*\n*Applies Profiles*};
            SecPol -- Applies --> AVProf(Antivirus Profile\n*Incl. WF Verdict Actions*);
            SecPol -- Applies --> WFProf(WildFire Analysis Profile);
            SecPol -- Applies --> OtherProf(Threat, URL, File Profiles...);
            WFProf -- Checks File Type/App/Dir --> FileCheck{Is this file\ntype/app/dir\nin WF Profile?};
        end
        subgraph Stage 3: WildFire Submission
            FileCheck -- Yes & Unknown Verdict --> ForwardWF[Forward Decrypted\nFile to WildFire];
            ForwardWF --> WFCloud[WildFire Cloud/\nAppliance];
            FileCheck -- No or Known Verdict --> SkipWF(Do Not Forward);
        end
    end
    CleartextStream --> ClientDelivery[Forward to Client\n*Unless WF Hold Mode*];

    WFCloud -- Verdict --> FW;

    linkStyle 0 stroke:#007bff,stroke-width:1px;
    linkStyle 1 stroke:#dc3545,stroke-width:1px,color:red;
    linkStyle 2 stroke:#6f42c1,stroke-width:1px,color:purple;
    linkStyle 3 stroke:#17a2b8,stroke-width:1px,color:teal;
    linkStyle 4 stroke:#28a745,stroke-width:1px,color:green;
    linkStyle 5 stroke:#28a745,stroke-width:1px,color:green;
    linkStyle 6 stroke:#28a745,stroke-width:1px,color:green;
    linkStyle 7 stroke:#28a745,stroke-width:1px,color:green;
    linkStyle 8 stroke:#ffc107,stroke-width:1px,color:orange;
    linkStyle 9 stroke:#fd7e14,stroke-width:2px,color:darkorange;
    linkStyle 10 stroke:#adb5bd,stroke-width:1px,color:gray,stroke-dasharray: 5 5;
    linkStyle 11 stroke:#007bff,stroke-width:1px;
    linkStyle 12 stroke:#6c757d,stroke-width:1px,stroke-dasharray: 5 5;
```
Workflow: Decryption Enables WildFire Analysis.

Configuration Summary

To ensure decrypted traffic is forwarded to WildFire, verify the following:

  1. SSL Decryption is Enabled: A Decryption Policy rule with Action Decrypt and Type SSL Forward Proxy (or SSL Inbound Inspection) must match the encrypted traffic flow.
  2. WildFire Analysis Profile Exists: An appropriate profile is configured under Objects > Security Profiles > WildFire Analysis, specifying the desired file types, applications (`any` recommended), and direction (`both` recommended).
  3. Security Policy Allows Traffic: A Security Policy rule allows the traffic (matching the source/destination zones, addresses, users, and, crucially, the *application* identified *after* decryption, or at least `ssl` initially). This rule must have Action Allow.
  4. WildFire Analysis Profile Attached to Security Policy: The configured WildFire Analysis Profile must be selected in the 'WildFire Analysis' dropdown within the Actions tab of the Security Policy rule identified in step 3.
  5. Firewall Connectivity to WildFire: The firewall must have DNS resolution and network reachability (including routing/Service Routes if needed) to the selected WildFire cloud region or private appliance.
  6. WildFire License Active.

A common mistake is attaching the WildFire Analysis profile only to a Decryption policy rule. This will NOT work. The WildFire Analysis profile must be attached to the Security Policy rule that permits the (potentially decrypted) application flow.
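The workflow and the configuration summary above describe a chain of four dependencies (decrypt rule, allow rule, attached WildFire Analysis profile, profile match) followed by the verdict lookup. The script below is an added example, not Palo Alto Networks code, that checks that chain offline against a PAN-OS configuration export: it lists allow rules whose zone pair is decrypted but which carry no WildFire Analysis profile (the common mistake above), and it walks the workflow for a single file to report where forwarding would stop. It assumes the usual running-config XML layout (`vsys/entry/rulebase/decryption/rules/entry` with `<type><ssl-forward-proxy/></type>` and `<action>decrypt</action>`, `rulebase/security/rules/entry` with `profile-setting/profiles/wildfire-analysis/member`, and `profiles/wildfire-analysis/entry/rules/entry` with `application`, `file-type` and `direction`); the embedded configuration is constructed for the example and describes no real firewall.

```python
"""Offline check of a PAN-OS config export for the decrypt -> allow -> WildFire chain.
Added example, not vendor code. XML paths used here are an assumption based on the
usual running-config layout; verify against your own export before relying on it.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: one decrypt rule covering zones trust and guest, one
# WildFire Analysis profile, and two allow rules of which only the first has the
# profile attached (the second reproduces the "common mistake").
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<profiles><wildfire-analysis><entry name="WF-Outbound"><rules><entry name="exe-and-pdf">
<application><member>any</member></application>
<file-type><member>pe</member><member>pdf</member></file-type>
<direction>both</direction><analysis>public-cloud</analysis>
</entry></rules></entry></wildfire-analysis></profiles>
<rulebase>
<decryption><rules><entry name="Decrypt-Outbound">
<from><member>trust</member><member>guest</member></from><to><member>untrust</member></to>
<type><ssl-forward-proxy/></type><action>decrypt</action>
</entry></rules></decryption>
<security><rules>
<entry name="Allow-Web-Trust">
<from><member>trust</member></from><to><member>untrust</member></to>
<application><member>ssl</member><member>web-browsing</member></application>
<action>allow</action>
<profile-setting><profiles><wildfire-analysis><member>WF-Outbound</member></wildfire-analysis></profiles></profile-setting>
</entry>
<entry name="Allow-Web-Guest">
<from><member>guest</member></from><to><member>untrust</member></to>
<application><member>ssl</member><member>web-browsing</member></application>
<action>allow</action>
</entry>
</rules></security>
</rulebase></entry></vsys></entry></devices></config>"""

VSYS = "./devices/entry/vsys/entry"


def load(xml_text):
    return ET.fromstring(xml_text)


def _members(node, tag):
    return [m.text for m in node.findall(f"{tag}/member")]


def _zones_match(rule, src, dst):
    # 'any' in a rule's zone list matches every zone; exact names otherwise.
    return (("any" in rule["from"] or src in rule["from"])
            and ("any" in rule["to"] or dst in rule["to"]))


def decryption_rules(root):
    """Decryption rules whose action is decrypt, tagged with their decryption type."""
    rules = []
    for e in root.findall(f"{VSYS}/rulebase/decryption/rules/entry"):
        if e.findtext("action") != "decrypt":
            continue
        kind = ("ssl-forward-proxy" if e.find("type/ssl-forward-proxy") is not None
                else "ssl-inbound-inspection" if e.find("type/ssl-inbound-inspection") is not None
                else "other")
        rules.append({"name": e.get("name"), "from": _members(e, "from"),
                      "to": _members(e, "to"), "type": kind})
    return rules


def wildfire_profiles(root):
    """Profile name -> its forwarding rules (applications, file types, direction)."""
    return {p.get("name"): [{"apps": _members(r, "application"),
                             "file_types": _members(r, "file-type"),
                             "direction": r.findtext("direction")}
                            for r in p.findall("rules/entry")]
            for p in root.findall(f"{VSYS}/profiles/wildfire-analysis/entry")}


def security_rules(root):
    """Security rules in rulebase order, with the attached WildFire profile (None if absent)."""
    return [{"name": e.get("name"), "from": _members(e, "from"), "to": _members(e, "to"),
             "apps": _members(e, "application"), "action": e.findtext("action"),
             "wf_profile": e.findtext("profile-setting/profiles/wildfire-analysis/member")}
            for e in root.findall(f"{VSYS}/rulebase/security/rules/entry")]


def audit_missing_wildfire(root):
    """Allow rules whose zone pair is covered by a decrypt rule but that have no WildFire profile."""
    dec = decryption_rules(root)
    return [r["name"] for r in security_rules(root)
            if r["action"] == "allow" and not r["wf_profile"]
            and any(_zones_match(d, s, t) for d in dec for s in r["from"] for t in r["to"])]


def would_forward(root, src, dst, app, file_type, direction, verdict_known=False):
    """Walk the workflow for one file; return (forwarded, reason) with the first blocking step."""
    if not any(_zones_match(d, src, dst) for d in decryption_rules(root)):
        return False, "no decrypt rule: the file stays inside TLS and is never identified"
    rule = next((r for r in security_rules(root)              # first match wins
                 if _zones_match(r, src, dst) and ("any" in r["apps"] or app in r["apps"])), None)
    if rule is None or rule["action"] != "allow":
        return False, "no allow rule matches the decrypted application"
    if not rule["wf_profile"]:
        return False, f"rule {rule['name']} has no WildFire Analysis profile attached"
    prof = wildfire_profiles(root).get(rule["wf_profile"], [])
    if not any(("any" in p["apps"] or app in p["apps"])
               and ("any" in p["file_types"] or file_type in p["file_types"])
               and p["direction"] in ("both", direction) for p in prof):
        return False, f"profile {rule['wf_profile']} does not cover {file_type}/{app}/{direction}"
    if verdict_known:
        return False, "verdict already known from cache or cloud lookup; not forwarded"
    return True, f"forwarded via rule {rule['name']} and profile {rule['wf_profile']}"


if __name__ == "__main__":
    cfg = load(SAMPLE_CONFIG)
    print("allow rules in decrypted zones without WildFire profile:", audit_missing_wildfire(cfg))
    print(would_forward(cfg, "trust", "untrust", "web-browsing", "pdf", "download"))
    print(would_forward(cfg, "guest", "untrust", "web-browsing", "pdf", "download"))
```

To run it against a real device, replace `SAMPLE_CONFIG` with the contents of an exported running configuration and adjust `VSYS` if the rules live in a different vsys; the per-file walk deliberately stops at the first failing step so the reason maps directly onto one of the numbered checks in the summary above.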

Best Practices

Caveats and Considerations

PCNSE Exam Focus

For the PCNSE exam, regarding WildFire and Decryption:

WildFire Forwarding of Decrypted Traffic Quiz

1. Can WildFire analyze a file downloaded by a user over a standard HTTPS connection if SSL Forward Proxy decryption is NOT enabled?

Decryption is essential. WildFire needs the actual file content for analysis, which is hidden inside the encrypted SSL/TLS tunnel unless the firewall performs decryption.

2. A firewall successfully decrypts an HTTPS session containing an unknown executable file download. Which policy object determines IF this specific decrypted file should be forwarded to WildFire?

The WildFire Analysis Profile defines the criteria (File Types, Applications, Direction) that determine whether an unknown file, once visible after decryption, should be forwarded. This profile is applied via the Security Policy rule.

3. To enable WildFire submission for decrypted traffic, where should the WildFire Analysis Profile be applied?

WildFire Analysis, like other Security Profiles (AV, AS, VP), is applied via the Security Policy rule that ultimately permits the traffic flow after decryption and App-ID classification have occurred.

4. An administrator has decryption enabled but notices no files downloaded over HTTPS are being submitted to WildFire. What is a likely configuration error?

b) The WildFire Analysis profile is missing necessary file types.
A common mistake is forgetting to attach the WildFire Analysis profile to the Security Policy rule that actually allows the decrypted web/application traffic. Without being applied to the relevant Security rule, the profile has no effect on that traffic.

5. Which component performs the actual decryption before WildFire analysis can occur on an SSL/TLS session?

The Decryption Policy rule, specifically configured with Type 'SSL Forward Proxy' or 'SSL Inbound Inspection', triggers the firewall's decryption engine to perform the MITM and gain access to the cleartext data.

6. True or False: If SSL Decryption is enabled, ALL files transferred over decrypted sessions are automatically sent to WildFire.

False. Even after decryption, file submission is governed by the attached WildFire Analysis Profile. Only unknown files matching the criteria (File Type, Application, Direction) defined in that profile will be forwarded.

7. What potential impact should be considered when enabling both SSL Decryption and WildFire forwarding for high-volume traffic?

Both decryption and file analysis/forwarding are resource-intensive processes. Enabling both for large amounts of traffic requires careful firewall sizing and performance monitoring.

8. A Security Policy allows `ssl` and `web-browsing` and has a WildFire Analysis profile attached. A Decryption policy decrypts the 'Social Networking' category. A user downloads an unknown PDF via Facebook (HTTPS). Will the PDF be submitted to WildFire?

The decryption policy allows inspection. The Security Policy allows the flow (initially as ssl, then potentially re-matched as facebook). If the WF Analysis profile attached to that security rule is configured to forward PDFs, the submission occurs based on the decrypted content.

9. What firewall log should be checked to confirm that specific files *forwarded* due to decryption are being analyzed by WildFire?

The WildFire Submissions log explicitly tracks which files were forwarded, session details, and the eventual verdict received from the WildFire cloud/appliance. The Decryption log shows which sessions were decrypted.

10. True or False: Attaching a WildFire Analysis profile to a Decryption Policy rule is the correct way to ensure decrypted files are submitted.

False. This is a common misconception. The WildFire Analysis Profile, like other content inspection profiles (AV, AS, VP, File Blocking), must be attached to the **Security Policy rule** that allows the (now decrypted) traffic flow, not the Decryption Policy rule itself.
