PAN-OS: Configuring WildFire Verdict Actions (within Antivirus Profiles)

Introduction: Acting on WildFire Intelligence

While the WildFire Analysis Profile determines *which* unknown files get submitted to the WildFire cloud for analysis, another crucial part of the configuration determines *what the firewall should do* when it encounters a file for which WildFire has already returned a verdict (e.g., Malware, Phishing, Grayware, Benign).

These actions based on known WildFire verdicts are configured within the Antivirus Security Profile, not in a separate "WildFire Action Profile" object (older documentation sometimes uses that term loosely, but no such object exists).

Configuring these actions allows the firewall to immediately block known malicious files identified by WildFire, providing much faster protection than waiting for the next signature-based Content Update.

How WildFire Verdict Actions Work

  1. Traffic Inspection: A user downloads a file that matches an `Allow` Security Policy rule.
  2. Security Profile Application: The Security rule has an Antivirus Profile attached (and likely also a WildFire Analysis Profile).
  3. File Hashing & Verdict Check: The Antivirus engine calculates the hash of the file. The firewall checks its local WildFire verdict cache, and potentially queries the WildFire cloud in real-time, for a known verdict associated with that file hash.
  4. Verdict Found: The firewall receives a verdict (e.g., `Malware`, `Phishing`, `Grayware`, `Benign`).
  5. Action Lookup in Antivirus Profile: The firewall refers to the attached Antivirus Profile to determine the configured Action for that specific WildFire verdict (`Malware`, `Phishing`, `Grayware`, `Benign`).
  6. Action Enforcement: The firewall takes the configured action (e.g., `block`, `alert`, `allow`, `sinkhole`).
  7. Logging: The action taken based on the WildFire verdict is typically logged in the Threat log under the type `wildfire-virus` or `wildfire-grayware` etc.

This process leverages the verdict database built by WildFire analysis but acts independently of the initial submission process defined by the WildFire Analysis Profile.

graph TD
    A[User Downloads File] --> B(Firewall: Security Policy Match, Action=Allow);
    B --> C{Apply Antivirus Profile};
    C --> D{File Hash & Verdict Lookup: Local Cache / Cloud Query};
    D -- Verdict Found e.g. Malware --> E{Check Action for 'Malware' in Antivirus Profile};
    E -- Action = 'block' --> F[Block File Download];
    E -- Action = 'alert' --> G[Allow File, Log Threat];
    E -- Action = 'allow' --> H[Allow File, No Threat Log];
    F --> I{Log Threat Log - Type: wildfire-virus};
    G --> I;
    D -- Verdict = Benign --> J{Check Action for 'Benign'};
    J -- Action = 'allow' --> H;

    style C fill:#d5f5e3,stroke:#58d68d,stroke-width:1px
    style E fill:#fdebd0,stroke:#f5b041,stroke-width:1px

    
Simplified Flow for WildFire Verdict Action Enforcement via Antivirus Profile.

Configuration Location and Parameters

Antivirus Profile Settings

Key Parameters (WildFire Actions within Antivirus Profile):

| Verdict Type | Available Actions | Description & Recommendation |
|---|---|---|
| Malware | `alert`, `allow`, `drop`, `block`, `reset-client`, `reset-server`, `reset-both` | Action taken when a file verdict is 'Malware'. Recommendation: `block` or `drop` (or a reset equivalent) to prevent delivery of known malware. |
| Phishing | `alert`, `allow`, `drop`, `block`, `reset-client`, `reset-server`, `reset-both`, `sinkhole` | Action taken for URLs/links with a 'Phishing' verdict (checked during web access; relies on WildFire URL analysis). Recommendation: `block` or `sinkhole` (redirects to a safe internal IP/FQDN). |
| Grayware | `alert`, `allow`, `drop`, `block`, `reset-client`, `reset-server`, `reset-both` | Action for files classified as 'Grayware' (potentially unwanted programs such as adware and some utilities). Recommendation: depends on policy. Often `alert` (to monitor), or `block`/`drop` if grayware is actively prohibited. |
| Benign | `alert`, `allow` | Action for files confirmed as 'Benign'. Recommendation: `allow` (default). Setting `alert` logs every clean file and creates excessive logging. |

The firewall checks for verdicts in its local cache first. If no verdict is cached, and real-time lookup is enabled ( Device > Setup > WildFire > General Settings ), it queries the WildFire cloud for a verdict before applying the action. This catches files whose verdict exists in the cloud but has not yet reached the firewall through a Content Update.
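The lookup-then-act sequence from the numbered steps, the diagram and the table above, modelled in Python as an added example (this is not PAN-OS code and not from the original page). The verdict cache, the cloud stub, the profile and the sample files are constructed; real-time lookup is a flag so the cache-only behaviour can be compared. Phishing verdicts apply to URLs rather than files, so only file verdicts are run through `enforce()`, while `audit_profile()` checks all four verdict actions against the table.

```python
"""
Model of the WildFire verdict path: file hash -> local cache / cloud lookup ->
action from the Antivirus profile -> enforcement and Threat log subtype, plus
an audit of a profile against the recommendations in the table.
Added illustration, not PAN-OS code; all data below is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Actions the table lists per verdict type.
ALLOWED_ACTIONS = {
    "malware":  {"alert", "allow", "drop", "block", "reset-client", "reset-server", "reset-both"},
    "phishing": {"alert", "allow", "drop", "block", "reset-client", "reset-server", "reset-both", "sinkhole"},
    "grayware": {"alert", "allow", "drop", "block", "reset-client", "reset-server", "reset-both"},
    "benign":   {"alert", "allow"},
}
# Actions that stop delivery of the file or session.
BLOCKING = {"drop", "block", "reset-client", "reset-server", "reset-both", "sinkhole"}
# Threat log subtype per file verdict, as described in the text.
LOG_SUBTYPE = {"malware": "wildfire-virus", "grayware": "wildfire-grayware"}


@dataclass
class Decision:
    sha256: str
    verdict: Optional[str]      # None = no known verdict for this hash
    action: str
    delivered: bool
    log_subtype: Optional[str]  # Threat log subtype, None when nothing is logged
    cloud_queried: bool


class VerdictSource:
    """Local verdict cache with an optional real-time cloud lookup (stubbed dict)."""

    def __init__(self, cache, cloud, realtime_lookup=True):
        self.cache = dict(cache)
        self.cloud = dict(cloud)          # stands in for the WildFire cloud
        self.realtime_lookup = realtime_lookup

    def lookup(self, sha256):
        """Return (verdict or None, whether the cloud was queried)."""
        if sha256 in self.cache:
            return self.cache[sha256], False
        if not self.realtime_lookup:
            return None, False
        verdict = self.cloud.get(sha256)
        if verdict is not None:
            self.cache[sha256] = verdict  # remember the answer locally
        return verdict, True


def audit_profile(wildfire_actions):
    """Findings for invalid actions and for deviations from the table's recommendations."""
    findings = []
    for verdict, allowed in ALLOWED_ACTIONS.items():
        action = wildfire_actions.get(verdict, "allow")
        if action not in allowed:
            findings.append(f"{verdict}: '{action}' is not a valid action")
    if wildfire_actions.get("malware", "allow") not in BLOCKING:
        findings.append("malware: known-malicious files are not blocked")
    if wildfire_actions.get("phishing", "allow") not in BLOCKING:
        findings.append("phishing: not blocked or sinkholed")
    if wildfire_actions.get("benign") == "alert":
        findings.append("benign: 'alert' will log every clean file")
    return findings


def enforce(file_bytes, wildfire_actions, verdicts):
    """Run one downloaded file through the verdict lookup and the profile's action."""
    sha256 = hashlib.sha256(file_bytes).hexdigest()
    verdict, asked_cloud = verdicts.lookup(sha256)
    if verdict is None:
        # No verdict yet: nothing to enforce here. Submitting the file for analysis
        # is the WildFire Analysis profile's job, not the Antivirus profile's.
        return Decision(sha256, None, "allow", True, None, asked_cloud)
    action = wildfire_actions.get(verdict, "allow")
    delivered = action not in BLOCKING
    # 'allow' writes no Threat log entry; 'alert' and the blocking actions do.
    subtype = None if action == "allow" else LOG_SUBTYPE.get(verdict)
    return Decision(sha256, verdict, action, delivered, subtype, asked_cloud)


def _sha(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample files and their fictional verdicts.
SAMPLE_FILES = {
    "invoice.exe": b"constructed-sample-1",   # verdict already cached locally
    "toolbar.msi": b"constructed-sample-2",   # verdict only known to the cloud
    "notes.pdf":   b"constructed-sample-3",   # verdict only known to the cloud
    "new.bin":     b"constructed-sample-4",   # no verdict anywhere
}
LOCAL_CACHE = {_sha(SAMPLE_FILES["invoice.exe"]): "malware"}
CLOUD = {_sha(SAMPLE_FILES["toolbar.msi"]): "grayware",
         _sha(SAMPLE_FILES["notes.pdf"]): "benign"}
PROFILE = {"malware": "reset-both", "phishing": "block", "grayware": "alert", "benign": "allow"}


def run_samples(wildfire_actions=PROFILE, realtime_lookup=True):
    """Enforce every sample file against one profile; returns {filename: Decision}."""
    source = VerdictSource(LOCAL_CACHE, CLOUD, realtime_lookup)
    return {name: enforce(data, wildfire_actions, source) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for issue in audit_profile({"malware": "alert", "benign": "alert"}):
        print("audit:", issue)
    for name, d in run_samples().items():
        print(f"{name:12} verdict={d.verdict} action={d.action} "
              f"delivered={d.delivered} log={d.log_subtype} cloud={d.cloud_queried}")
```

Running `run_samples(realtime_lookup=False)` shows the point of the paragraph above: `toolbar.msi` and `notes.pdf` come back with no verdict at all, because their verdicts live only in the cloud and the firewall never asked.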

Applying the Configuration

Attaching the Antivirus Profile to Security Policy

To enforce the WildFire verdict actions, the configured Antivirus Profile must be attached to the relevant Security Policy rules (a rule's profiles only take effect when the rule's action is `Allow`).

Attaching the Antivirus profile enables both standard antivirus scanning and the enforcement of actions based on WildFire verdicts for files traversing the matching Security Policy rules.

Best Practices

Caveats and Considerations

PCNSE Exam Focus

For the PCNSE exam, understand:

WildFire Verdict Actions Quiz

1. What is the primary function of configuring WildFire verdict actions?

WildFire verdict actions allow the firewall to act immediately based on the intelligence already provided by WildFire for known files/URLs, distinct from the submission process for unknowns.

2. Where are the actions for different WildFire verdicts (Malware, Grayware, Benign, Phishing) configured in PAN-OS?

Actions based on known WildFire verdicts are configured as part of the Antivirus Security Profile settings.

3. What is the recommended best practice action in an Antivirus profile for files identified by WildFire with a 'Malware' verdict?

To prevent known threats identified by WildFire, the most secure action is to block (or equivalent drop/reset) files with a confirmed malware verdict.

4. How are the WildFire verdict actions defined in an Antivirus profile enforced on network traffic?

The Antivirus profile acts as the container for these settings. It must be applied to Security Policy rules governing the traffic flow where files are expected, and only applies if the Security rule action is 'Allow'.

5. To enforce WildFire verdict actions on files downloaded over HTTPS, what other feature must typically be enabled?

The firewall cannot inspect or identify files within encrypted streams without decrypting them first. SSL Forward Proxy is needed to decrypt outbound HTTPS sessions so the Antivirus profile (and its WildFire actions) can be applied to the files inside.

6. What firewall log type primarily records the actions taken based on WildFire verdicts (e.g., file blocked due to malware verdict)?

Actions taken based on WildFire verdicts (Malware, Grayware, Phishing) are considered threat events and are recorded in the Threat log, typically with a subtype such as 'wildfire-virus' or 'wildfire-grayware'. The WildFire Submissions log tracks the analysis process itself, not the enforcement.
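Step 7 of the flow and this answer both point at the Threat log as the record of enforcement. As an added example (not from the original page and not a PAN-OS tool), the script below reads a Threat log export, summarises WildFire verdict events by subtype and action, and flags Security rules that only alerted on a 'wildfire-virus' event, which means the Antivirus profile on that rule lets known malware through. The CSV is constructed with a reduced, assumed column set (a real export has many more columns, and their order depends on the PAN-OS version); the type, subtype and action values follow the text.

```python
"""
Summarise WildFire verdict enforcement from a Threat log export and flag
Security rules whose Antivirus profile does not block known malware.
Added illustration, not PAN-OS code. SAMPLE_THREAT_LOG is constructed; its
column names are an assumption for this example, not the real export layout.
"""
import csv
import io
from collections import Counter

SAMPLE_THREAT_LOG = """\
receive_time,type,subtype,src,dst,rule,app,action,misc,severity
2024/05/02 09:14:01,THREAT,wildfire-virus,10.1.20.15,203.0.113.10,Allow-Web,web-browsing,reset-both,invoice_0502.exe,medium
2024/05/02 09:15:22,THREAT,wildfire-grayware,10.1.20.15,203.0.113.10,Allow-Web,web-browsing,alert,toolbar_setup.msi,low
2024/05/02 09:16:40,THREAT,wildfire-virus,10.1.30.8,198.51.100.7,Allow-FTP,ftp,alert,update.bin,medium
2024/05/02 09:17:05,THREAT,virus,10.1.20.22,203.0.113.10,Allow-Web,web-browsing,drop,Virus/Win32.WGeneric.abc,medium
2024/05/02 09:18:11,THREAT,wildfire-virus,10.1.30.8,198.51.100.7,Allow-FTP,ftp,alert,loader.exe,medium
2024/05/02 09:19:30,THREAT,url,10.1.20.15,203.0.113.10,Allow-Web,web-browsing,alert,http://example.test/login,informational
"""

# Subtypes written when a WildFire verdict action fires (per the text).
WILDFIRE_SUBTYPES = {"wildfire-virus", "wildfire-grayware"}
# Actions that let the file through.
NON_BLOCKING = {"alert", "allow"}


def parse_threat_log(text):
    """Return the THREAT rows of a CSV export as dicts keyed by column name."""
    return [row for row in csv.DictReader(io.StringIO(text)) if row["type"] == "THREAT"]


def wildfire_summary(rows):
    """Count (subtype, action) pairs for WildFire verdict events only;
    ordinary 'virus' (signature AV) and 'url' events are left out."""
    return Counter((r["subtype"], r["action"]) for r in rows if r["subtype"] in WILDFIRE_SUBTYPES)


def find_gaps(rows):
    """Rules that merely alerted on a known-malware verdict, keyed by rule name.
    Each entry lists (source IP, filename) so the affected hosts can be followed up."""
    gaps = {}
    for r in rows:
        if r["subtype"] == "wildfire-virus" and r["action"] in NON_BLOCKING:
            gaps.setdefault(r["rule"], []).append((r["src"], r["misc"]))
    return gaps


if __name__ == "__main__":
    rows = parse_threat_log(SAMPLE_THREAT_LOG)
    for (subtype, action), n in sorted(wildfire_summary(rows).items()):
        print(f"{subtype:18} {action:12} {n}")
    for rule, hits in find_gaps(rows).items():
        print(f"rule {rule!r}: Malware action is not blocking; {len(hits)} file(s) delivered: {hits}")
```

In the sample, `Allow-Web` blocks with `reset-both` while `Allow-FTP` only alerts; the second rule is the one whose Antivirus profile needs its Malware action changed, and the two listed hosts received the files.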

7. How does the firewall obtain the WildFire verdicts it uses to enforce actions defined in the Antivirus profile?

The firewall maintains a database of known verdicts learned through Content Updates. It can also query the WildFire cloud in real-time for verdicts on hashes it hasn't seen recently (if configured/licensed), providing access to the latest intelligence.

8. What action is typically recommended for the 'Grayware' verdict in the Antivirus profile's WildFire Actions?

Grayware includes items like adware or potentially unwanted applications. Some organizations block it outright, while others prefer to 'alert' and monitor its presence before deciding on a blocking policy.

9. Which PAN-OS component is responsible for generating new signatures AFTER WildFire determines a submitted file is malicious?

The WildFire cloud infrastructure performs the analysis and, upon confirming maliciousness, automatically generates the corresponding threat signatures (AV, C2, DNS, etc.).

10. Does configuring WildFire verdict actions in an Antivirus profile eliminate the need for a WildFire Analysis profile?

They serve different purposes. The Antivirus profile actions respond to *known* WildFire verdicts. The WildFire Analysis profile is needed to *submit* previously *unknown* files to WildFire so verdicts can be generated in the first place. Both are needed for comprehensive protection.