PAN-OS: WildFire Signatures and Actions

Introduction: Leveraging WildFire-Generated Protections

After the WildFire cloud service analyzes an unknown file or URL and determines it to be malicious (Malware, Phishing) or unwanted (Grayware), it doesn't just stop at providing a verdict. A key part of the WildFire ecosystem is the automatic generation of new signatures based on this analysis. These signatures provide proactive protection against future encounters with the same or similar threats.

These WildFire-generated signatures are then distributed globally via Content Updates . Once downloaded by a PAN-OS firewall, these signatures are used by the existing security engines (Antivirus, Anti-Spyware, DNS Security, URL Filtering) to detect the threat. The action taken when a WildFire-generated signature matches traffic is configured within the corresponding Security Profile (Antivirus, Anti-Spyware, etc.), just like any other vendor-provided signature.

This topic focuses on configuring the firewall's response when traffic matches a signature that was *created* as a result of WildFire analysis, distinguishing it from the immediate action based on a WildFire *verdict* (configured in the Antivirus profile) or the submission of *unknown* files (configured in the WildFire Analysis profile).

WildFire automatically generates various types of protections based on its analysis:

Antivirus Signatures: Detects malicious files based on hashes or patterns identified during sandbox analysis. These signatures are integrated into the main Antivirus signature database.
Anti-Spyware Signatures (C2): Detects command-and-control (C2) traffic associated with malware analyzed by WildFire. This includes signatures for malicious domains, URLs, or specific C2 traffic patterns. These signatures are integrated into the Anti-Spyware database, often categorized under spyware or command-and-control.
DNS Signatures: Identifies malicious domain names used by malware or phishing campaigns discovered through WildFire analysis. These are part of the DNS Security signature set.
URL Filtering Categories: URLs identified by WildFire as hosting malware or involved in phishing are added to the `malware` and `phishing` URL categories, respectively.
(Potentially other types like Vulnerability Protection signatures if exploits are detected).

The key point is that these are standard signature types, delivered via Content Updates, but their *origin* is the WildFire analysis process.

Because WildFire-generated signatures become part of the standard signature databases, the actions taken upon matching them are configured within the standard Security Profiles:

Antivirus Profiles:
- Location: Objects > Security Profiles > Antivirus
- Mechanism: WildFire-generated AV signatures are treated like any other AV signature.
- Configuration: Configure the desired action (e.g., `reset-both`, `drop`, `alert`) for specific decoders (like HTTP, SMTP, FTP, SMB) or globally within the profile. The action set for the relevant decoder will apply when a WildFire AV signature matches a file transferred over that protocol.
- Recommendation: Set actions to `reset-both`, `drop`, or `block` for relevant protocols to prevent malware delivery.
Anti-Spyware Profiles:
- Location: Objects > Security Profiles > Anti-Spyware
- Mechanism: WildFire-generated C2 signatures are categorized, typically under spyware types like `command-and-control` or specific malware families, and assigned a severity (Critical, High, Medium, etc.).
- Configuration: Configure actions based on Severity or create specific rules targeting WildFire-related categories or individual Threat IDs. Actions include `alert`, `drop`, `reset-client`, `reset-server`, `reset-both`, `block-ip`. DNS Security actions (if not using a separate DNS Security profile) are also configured here (e.g., `sinkhole`, `block`).
- Recommendation: Set actions to `reset-both`, `drop`, or `block-ip` for Critical/High/Medium severity spyware signatures, including those generated by WildFire. Configure DNS Sinkhole or Block for malicious domains.
DNS Security Profiles (If Licensed/Used):
- Location: Objects > Security Profiles > DNS Security
- Mechanism: Leverages Palo Alto Networks' DNS signature database, which includes domains identified by WildFire as malicious.
- Configuration: Define actions (`allow`, `alert`, `block`, `sinkhole`) for various threat categories, including those populated by WildFire intelligence.
- Recommendation: Use `sinkhole` (preferred) or `block` for known malicious DNS categories.
URL Filtering Profiles:
- Location: Objects > Security Profiles > URL Filtering
- Mechanism: WildFire contributes URLs to the `malware` and `phishing` categories within the PAN-DB URL database.
- Configuration: Configure actions (`alert`, `allow`, `block`, `continue`, `override`) for the `malware` and `phishing` URL categories within the profile.
- Recommendation: Set action to `block` for both `malware` and `phishing` categories.

Applying the Profiles:

These configured Security Profiles (Antivirus, Anti-Spyware, DNS Security, URL Filtering) must be attached to the relevant Security Policy rules ( Policies > Security ) that have an Action of `Allow`.
The firewall inspects traffic permitted by the Security Policy using the attached profiles and takes the configured action if a WildFire-generated (or any other) signature matches.

It's crucial to distinguish between actions based on WildFire *signatures* and actions based on WildFire *verdicts*:

Feature	WildFire Verdict Actions	WildFire Signature Actions
Trigger	Firewall sees a file hash/URL with a known verdict (from cache or cloud lookup)	Firewall content matches a downloaded signature (AV, AS, DNS, URL) originally generated by WildFire
Configuration Location	`Antivirus Profile` (WildFire Actions section)	`Antivirus Profile` , `Anti-Spyware Profile` , `DNS Security Profile` , `URL Filtering Profile` (within standard signature/category actions)
Timing of Protection	Near real-time (as soon as verdict is known)	After signature generation and distribution via Content Update
Primary Purpose	Immediate blocking of known malicious hashes/URLs based on WildFire's database	Broader protection against known threats using standard security engines powered by WildFire intelligence

Both mechanisms work together. Verdict actions provide faster blocking for items WildFire *already* knows about. Signature actions provide protection once the formal signature is created and distributed.

Best Practices

Keep Content Updates Frequent: Schedule regular (daily or more frequent) and automatic Content Updates to receive the latest WildFire-generated signatures promptly.
Apply Comprehensive Security Profiles: Attach Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, and DNS Security profiles to relevant `Allow` rules to leverage all types of WildFire-generated protections.
Use Recommended Actions: Configure Security Profiles to block high/critical severity threats identified by signatures (including WildFire-sourced ones). Use Sinkhole for malicious DNS. Block malware/phishing URLs.
Enable SSL Decryption: Crucial. Most modern threats use encryption. Without decrypting SSL/TLS traffic, the firewall cannot inspect the payload to match most AV, AS, and VP signatures, including those from WildFire. URL Filtering effectiveness is also limited without decryption.
Monitor Threat Logs: Check Threat logs regularly to see which signatures (including those sourced from WildFire) are triggering and what actions are being taken.
Combine with Verdict Actions: Configure WildFire verdict actions within the Antivirus profile for immediate blocking of known bad hashes, complementing the signature-based protection.

WildFire Signature Generation and Distribution

After WildFire analyzes a sample and confirms it is malicious, a crucial part of the process is the automatic generation and distribution of protective signatures:

Automated Generation: WildFire automatically generates signatures based on the malware payload and tests them for accuracy and safety. These signatures often cover multiple variants of the initially discovered malware.
Types Generated: Common types include Antivirus , Anti-Spyware (C2 patterns) , DNS Signatures , and contributions to URL Filtering categories (Malware, Phishing).
Global Sharing: Signatures generated by any public WildFire cloud (except private cloud signatures) are shared globally. This means analysis of a threat in one region provides protection for all subscribed customers worldwide shortly after.
Delivery Mechanism: These generated signatures are packaged into the standard Dynamic Content Updates (specifically Applications and Threats, Antivirus updates) downloaded by the firewall.

This signature generation and distribution process is distinct from the immediate verdict lookup performed by the firewall for known hashes/URLs.

Content Updates and WildFire Signature Timing

Palo Alto Networks frequently publishes dynamic content updates containing the latest security intelligence, including WildFire-generated signatures. Understanding the different update types and timing is important:

Antivirus Updates: Released typically every 24 hours. Include WildFire malware signatures and other AV updates. Also include C2 signatures, built-in EDL updates, and DNS signature updates (requires Threat Prevention license).
Applications and Threats Updates: Released frequently (sometimes multiple times a week). Includes updated App-IDs (new App-IDs monthly on 3rd Tuesday) and threat signatures (AV, AS, VP). Requires Threat Prevention license. This is the primary vehicle for most WildFire threat signatures.
WildFire Updates (Real-time - Requires WildFire License): Firewalls with an active WildFire subscription can check for and download *new WildFire malware and AV signatures* much more frequently (as often as every minute ). This provides near real-time protection against newly generated signatures, bridging the gap between cloud analysis and the daily Antivirus update schedule.
WF-Private Updates: Specific updates for environments using an on-premise WildFire appliance (WF-500/VM).
GlobalProtect Data Files & Clientless VPN Updates: Separate updates related to HIP definitions and Clientless VPN application support (require GP license).
Device Dictionary Updates: Used for Device-ID features, updated automatically every two hours.

Configuration: Update schedules are configured under Device > Dynamic Updates .

While real-time WildFire updates provide the fastest signature delivery, regular Antivirus and Applications and Threats updates are still essential for comprehensive protection.

Decryption Profile Best Practices (Related to WildFire/Threats)

Configure Decryption Profiles ( Objects > Decryption > Decryption Profile ) to maximize security posture during decryption:

Block Problematic Sessions: For both SSL Forward Proxy and SSL Inbound Inspection, configure the profiles to block sessions with:
- Expired Certificates
- Untrusted Issuers (especially important for Forward Proxy and No Decrypt rules)
- Unsupported Protocol Versions (Recommend Min TLSv1.2 for Forward Proxy)
- Unsupported Cipher Suites
Handle Client Authentication (Forward Proxy): Block sessions requesting client authentication by default. If required for a specific application, use a separate Decryption Policy rule and Profile allowing it *only* for that traffic.
Enforce Strong Ciphers (SSL Protocol Settings): Use associated SSL Protocol Settings profiles to allow only strong, modern key exchange, encryption, and authentication algorithms. Create separate, more permissive profiles only if needed for essential legacy site compatibility and apply them via targeted Decryption Policy rules.
Certificate Revocation Checks: For SSL Forward Proxy and "No Decrypt" scenarios, enable CRL and/or OCSP checking within the Decryption Profile to verify server certificate validity.
SSH Proxy Profiles: Similarly, configure SSH Proxy profiles to block sessions with unsupported versions or weak algorithms.

Best Practice: Block QUIC Protocol

To ensure visibility for decryption and inspection, it is a best practice to block the QUIC protocol commonly used by Google Chrome and other services.

Reason: QUIC uses UDP and has built-in encryption (often based on TLS 1.3) that PAN-OS typically cannot decrypt using standard SSL Forward Proxy mechanisms. Allowing QUIC creates an encrypted channel that bypasses inspection engines.
Method: Create Security Policy rules ( Policies > Security ) to block traffic:
- Rule 1: Match Application quic , Action Deny .
- Rule 2 (Optional but Recommended): Match Service UDP/80 and UDP/443, Action Deny . (Place below legitimate UDP rules).
Result: Blocking QUIC forces browsers and applications to fall back to using standard TLS over TCP (usually on port 443), which *can* then be decrypted and inspected by the firewall according to your Decryption Policies.

Leveraging DNS Security with WildFire Intelligence

Palo Alto Networks DNS Security service provides enhanced protection against DNS-based threats, leveraging multiple techniques including signatures derived from WildFire analysis.

WildFire Contribution: Domains identified by WildFire as being associated with malware, C2, or phishing are fed into the DNS Security signature database.
Additional Detection: DNS Security also uses machine learning and analytics to detect other threats like DNS tunneling, DGA (Domain Generation Algorithms), DNS rebinding, etc.
Configuration: Enabled via Anti-Spyware profiles (or dedicated DNS Security profiles in some newer versions/licenses). Requires Threat Prevention and DNS Security licenses.
Action: Typically configured to Sinkhole malicious DNS requests (redirecting the client to a safe internal IP) or block them.
Benefit: Provides early-stage blocking by preventing clients from even resolving the IPs of known malicious domains identified via WildFire and other intelligence sources.

DNS Security complements WildFire file/URL analysis by blocking threats at the domain resolution stage.

WildFire Signature Generation and Distribution

After analyzing samples and identifying malware, the WildFire cloud automatically generates signatures to protect against the discovered threat and its variants. These signatures are not just for the specific submitted file hash but often cover broader patterns or C2 communication.

Signatures are generated independently by each WildFire cloud (regional public clouds or private appliances) but are typically shared globally (except private cloud signatures).
These generated signatures are packaged into standard Content Updates (specifically the Antivirus and Applications and Threats packages).
Firewalls download these Content Updates to receive the latest protections derived from WildFire analysis.

This means protection via WildFire-generated signatures relies on both the analysis process *and* the timely download and installation of Content Updates on the firewall.

Dynamic Content Updates and WildFire

Palo Alto Networks delivers various dynamic content updates to keep firewalls equipped with the latest protections without requiring PAN-OS upgrades. Key update types relevant to WildFire include:

Update Type	Content Includes (Relevant to WildFire)	Frequency / License Notes
Antivirus	WildFire malware signatures (Daily default) Auto-generated C2 signatures (Requires Threat Prevention) Built-in EDL updates (Malicious IPs, etc.) (Requires Threat Prevention) Local DNS signature updates (Requires Threat Prevention)	Daily default. WildFire malware signatures available every ~5 mins with WildFire License (see Real-time Updates below). Base AV updates included with support.
Applications and Threats	Includes everything in Antivirus updates. Adds new/updated App-IDs. Adds new/updated Threat signatures (beyond WildFire C2).	Requires Threat Prevention License . Threat updates are frequent (multiple times per week); New App-IDs published monthly (3rd Tuesday).
WildFire	Provides near real-time access (as fast as every minute) to new malware signatures generated by the WildFire public cloud.	Requires WildFire License . This is the fastest way to get new malware protection.
WF-Private	Provides near real-time signatures generated by an on-premise WildFire appliance (WF-500/VM) .	Requires Private WildFire appliance deployment and appropriate firewall configuration.

Configuration: Update schedules are configured under Device > Dynamic Updates .

WildFire Configuration Best Practices Summary

Enable Real-time Signatures: If licensed for WildFire, configure the firewall to retrieve WildFire content updates frequently (e.g., every 1-5 minutes) for the fastest protection against newly discovered malware.
Forward Decrypted Traffic: If using SSL Decryption, ensure the option to forward decrypted content for WildFire Analysis is enabled (requires superuser privileges).
Use Default Analysis Profile (Initially): The default WildFire Analysis profile forwards all supported file types in both directions across all applications. This provides maximum initial coverage. Customize only if specific exclusions are well-justified.
Monitor File Size Limits: Be aware of the default and maximum file size limits for forwarding ( Device > Setup > WildFire > General Settings ). While defaults cover most malware, increasing limits (especially for PEs) might catch uncommon large threats but can impact forwarding capacity if many large files are seen.
Check Submissions Log: Use Monitor > Logs > WildFire Submissions to verify forwarding is occurring and to identify potential custom internal applications being flagged, which might require exclusion or signature development.

Decryption Profile Best Practices (Summary)

Block Unsupported/Insecure Sessions: Configure SSL Forward Proxy and SSH Proxy profiles to block sessions using expired/untrusted certificates (where applicable), unsupported protocol versions (Min TLSv1.2 for Fwd Proxy recommended), and weak cipher suites/algorithms.
Handle Client Auth Carefully: Block sessions requesting client authentication in Forward Proxy unless specifically required by an application; use a separate, targeted rule/profile if needed.
Enable Revocation Checking: Use CRL and/or OCSP checks for Forward Proxy and No Decrypt traffic to validate certificate revocation status.
Address Certificate Pinning: For applications that break with decryption (especially mobile apps), set the Max TLS version to 1.2 in the Decryption Profile or use a specific "No Decrypt" policy rule targeting that application/destination.
Validate Certificates on Non-Decrypted Traffic: Use "No Decryption" profiles attached to "No Decrypt" rules to check server certificate validity (expiry/trust) even when not decrypting (less effective for TLS 1.3+).

Decryption Policy Best Practices (Summary)

Prioritize "No Decrypt" Rules: Place rules excluding sensitive URL categories (finance, health), problematic sites (pinning, technical issues), or specific sources/users at the *top* of the policy list.
Use URL Categories / EDLs for Exclusions: Leverage standard categories, Custom URL Categories, or EDLs for efficient management of exclusions. Group common exclusions into fewer rules where possible.
Decrypt Selectively Based on Risk: Create "Decrypt" rules below exclusions, targeting higher-risk URL categories (webmail, storage, social media, high-risk, unknown, etc.) rather than decrypting everything.
Limit SSH Proxy Scope: Apply SSH decryption only to necessary administrative flows, ideally combined with MFA.
Log Decryption Events: Enable logging on decryption rules (especially failures and potentially successes if storage permits) for visibility and troubleshooting.

Supporting Best Practices for Decryption & WildFire

Block QUIC Protocol: Create Security rules to block the `QUIC` application and UDP ports 80/443 to force browsers to fall back to decryptable TLS.
Forward to WildFire: Ensure Security policies allowing traffic also apply a WildFire Analysis profile and forward files identified in decrypted traffic to WildFire.
Content & Software Updates: Keep PAN-OS and Content (Apps & Threats, Antivirus, WildFire) versions up-to-date.
Phased Rollout: Implement decryption gradually, starting with pilot groups or less critical categories, monitoring impact before expanding.
Layer 4/7 Evasion Protection: Ensure TCP and Content-ID settings are configured according to best practices ( Device > Setup > Session / Content-ID ) to prevent evasion techniques.

Caveats and Considerations

Latency between Discovery and Protection: There is an inherent delay between WildFire analyzing a new threat, generating signatures, and distributing them via Content Updates. Verdict actions and real-time lookups help bridge this gap for known hashes/URLs.
SSL Decryption Requirement: The effectiveness of nearly all WildFire-generated signatures (except perhaps some DNS/URL based ones applied pre-decryption) depends heavily on SSL Decryption being enabled for relevant traffic.
Signature Evasion: Like any signature-based system, attackers may attempt to modify malware or C2 traffic to evade existing WildFire-generated signatures until WildFire re-analyzes and updates them.
Content Updates Need Connectivity: The firewall must be able to reach the Palo Alto Networks update servers to download new Content Updates containing WildFire signatures.
False Positives: Although rare, signature generation could potentially lead to a false positive, which would be corrected in subsequent Content Updates.

For the PCNSE exam, regarding WildFire Signatures and Actions:

Understand that WildFire generates standard signature types (AV, AS, DNS, URL categories) based on its analysis.
Know that these signatures are delivered via Content Updates .
Recognize that actions for these signatures are configured within the standard Security Profiles (Antivirus, Anti-Spyware, DNS Security, URL Filtering) based on severity, category, or rule.
Differentiate this from WildFire verdict actions (configured in AV Profile for known hashes/URLs) and WildFire submissions (configured in WildFire Analysis Profile for unknowns).
Understand the critical dependency on SSL Decryption for signature matching within encrypted traffic.
Know where to monitor signature matches (Threat Log, URL Log).
Understand the importance of timely Content Updates.

PAN-OS: Configuring Actions for WildFire Signatures

Introduction: Leveraging WildFire-Generated Protections

Types of WildFire-Generated Signatures

Configuring Actions for WildFire Signatures (via Security Profiles)

Antivirus Profiles:

Anti-Spyware Profiles:

DNS Security Profiles (If Licensed/Used):

URL Filtering Profiles:

Applying the Profiles:

Relationship to WildFire Verdict Actions

Best Practices

WildFire Signature Generation and Distribution

Content Updates and WildFire Signature Timing

Decryption Profile Best Practices (Related to WildFire/Threats)

Best Practice: Block QUIC Protocol

Leveraging DNS Security with WildFire Intelligence

WildFire Signature Generation and Distribution

Dynamic Content Updates and WildFire

WildFire Configuration Best Practices Summary

Decryption Profile Best Practices (Summary)

Decryption Policy Best Practices (Summary)

Supporting Best Practices for Decryption & WildFire

Caveats and Considerations

PCNSE Exam Focus

WildFire Signature Actions Quiz