PAN-OS: Configuring WildFire Analysis Profiles

Introduction: Analyzing the Unknown

WildFire® is Palo Alto Networks' cloud-based malware analysis service designed to detect and prevent unknown, zero-day threats. Traditional signature-based security relies on previously identified patterns, but advanced threats often use new or polymorphic techniques to evade detection. WildFire addresses this by analyzing unknown files and links in a secure sandbox environment.

When the firewall encounters a file or web link it doesn't recognize (i.e., no existing signature or known verdict), it can be configured to forward a sample to the WildFire cloud (or a private WildFire appliance) for analysis. Based on the analysis, WildFire returns a verdict ( Benign, Grayware, Malware, Phishing ). If malicious, WildFire automatically generates new protections (signatures) that are distributed globally via content updates, protecting all subscribed customers.

WildFire Analysis Profiles are the configuration objects used on the firewall to define *which* unknown files and links should be submitted for analysis.

How WildFire Submission Works

Traffic Inspection: A user downloads a file or clicks a link. The traffic passes through the firewall and matches a Security Policy rule with Action `Allow`.
Security Profile Check: The Security rule has an attached WildFire Analysis Profile.
Forwarding Decision: The firewall checks if it has a known verdict for the file's hash or the link's URL. If the verdict is unknown and the file type, application, and traffic direction match the criteria defined in the WildFire Analysis Profile, the firewall forwards the sample.
WildFire Cloud/Appliance Analysis: The WildFire service receives the sample and performs static analysis, dynamic analysis (detonation in a sandbox), and machine learning analysis.
Verdict Returned: WildFire determines a verdict (Benign, Grayware, Malware, Phishing) and sends it back to the submitting firewall (and globally).
Log Generation: The firewall logs the submission and the verdict in the WildFire Submissions log.
Signature Generation (if Malicious): If the sample is malicious, WildFire generates new C2, DNS, Antivirus, and potentially other signatures.
Content Update Distribution: These new signatures are included in subsequent Content Updates downloaded by subscribed firewalls worldwide.

graph TD
    A[User Downloads Unknown File Link] --> B(Firewall Security Policy Match, Action=Allow);
    B --> C{Apply WildFire Analysis Profile};
    C -- Matches Criteria? --> D{Forward Sample};
    D --> E[WildFire Cloud - Private Appliance Analysis];
    E -- Verdict --> B;
    B --> F[Log Submission & Verdict];
    E -- If Malicious --> G(Generate Signatures);
    G --> H(Distribute via Content Updates);
    H --> AllFWs[Other Subscribed Firewalls];

    style E fill:#eaf2f8,stroke:#aed6f1,stroke-width:2px
    style H fill:#fdebd0,stroke:#f5b041,stroke-width:1px

Simplified WildFire Submission and Protection Flow.

Configuring a WildFire Analysis Profile

Location and Parameters

GUI Path: Objects > Security Profiles > WildFire Analysis
Click Add to create a new profile.

Parameter (Analysis Tab)	Description	Best Practice Recommendation
Name	Descriptive name (e.g., `WildFire-Forward-Executables-Office`).	Required
Applications	Specify applications for which files/links should be forwarded. Can be `any` or a selection.	`any` - Ensures files transferred via any application are analyzed, maximizing visibility.
File Types	Select specific file types to forward (e.g., PE, PDF, Office, APK, Scripts) or `any`.	Select common threat vectors (PE, PDF, MS Office, Scripts, APK, Flash, Java Archives, etc.). Avoid `any` unless you have specific needs and understand the volume/privacy implications, as it can forward benign file types unnecessarily.
Direction	Choose `upload`, `download`, or `both`.	`both` - Threats can enter via downloads and data can be exfiltrated via uploads.
Maximum File Size	Defines the max size (MB) for submitted files (cloud limits vary but generally up to 100MB or more for PE, lower for others).	Leave defaults unless specific reason to change; ensure it's within cloud/appliance limits.
Report Benign Files / Report Grayware Files	Forward files even if previously determined benign/grayware by WildFire (e.g., for re-analysis or logging).	Usually leave unchecked unless needed for specific forensic or analysis purposes (can increase submission volume).

Cloud Settings Tab:

WildFire Cloud: Choose the Public Cloud region geographically closest to the firewall for best performance (e.g., `Americas`, `Europe`, `Asia`).
Private Cloud (WildFire Appliance): Enter the IP address or FQDN of your on-premise WF-500 appliance or VM-Series in analysis mode.

Applying the Profile

Attaching to Security Policy Rules

A WildFire Analysis Profile only takes effect when applied to Security Policy rules.

Location: Policies > Security
Edit the relevant Security Policy rule(s).
Action Tab: Under 'Profile Setting', select 'Profiles'.
WildFire Analysis Dropdown: Choose the WildFire Analysis Profile you created.
Rule Action Requirement: WildFire analysis (and other Security Profile actions) only apply to rules with Action = Allow . Files in denied sessions are not submitted.
Commit the changes.

Typically, apply WildFire Analysis profiles to rules allowing traffic ingress from untrusted zones (like the internet) and potentially egress to untrusted zones to catch both malicious downloads and uploads/exfiltration attempts.

Best Practices

Enable WildFire Globally: Ensure the WildFire license is active and Content Updates are scheduled regularly to receive the latest verdicts and protections.
Apply Profiles Broadly (but Wisely): Attach a WildFire Analysis profile to all relevant `Allow` rules, especially those handling traffic to/from the internet or less trusted zones.
Forward Common Threat Vectors: Prioritize forwarding file types commonly used to deliver malware (PE executables, Microsoft Office documents, PDFs, Java archives, Flash, APKs, scripts). Avoid forwarding `any` file type unless absolutely necessary.
Forward for 'Any' Application: Maximizes visibility as threats can be delivered via various applications.
Forward in 'Both' Directions: Catches malicious downloads and potential data exfiltration uploads.
Choose Correct Cloud Region/Appliance: Select the nearest Public Cloud region or correctly configure the Private Cloud appliance address for optimal performance and data residency compliance.
Ensure Firewall Connectivity: Verify the firewall can reach the selected WildFire Public Cloud region or Private Appliance (check routing, Service Routes if needed, DNS resolution, and Security Policy allowing egress traffic to WildFire).
Enable SSL Decryption: WildFire cannot analyze files transferred within encrypted SSL/TLS sessions unless the session is decrypted by the firewall using SSL Forward Proxy or Inbound Inspection. This is crucial for effectiveness.
Monitor Submissions: Regularly check the WildFire Submissions log ( Monitor > Logs > WildFire Submissions ) to verify files are being submitted and verdicts received.
Review Verdicts: Pay attention to Malware and Phishing verdicts. Investigate Grayware verdicts to determine if they represent unwanted software in your environment.

Caveats and Considerations

License Requirement: A valid WildFire subscription is required on the firewall.
Internet Connectivity: Required for submissions to the Public WildFire Cloud. Firewall needs DNS resolution and reachability.
SSL Decryption Dependency: WildFire cannot see inside encrypted traffic (SSL/TLS). If you don't decrypt relevant traffic (like web downloads), files transferred over HTTPS will NOT be submitted, significantly reducing effectiveness.
File Size Limits: Files exceeding the maximum size configured (or the cloud's inherent limits) will not be submitted.
Password-Protected Archives: WildFire generally cannot analyze files inside encrypted archives (e.g., password-protected ZIP files).
Submission Volume & Bandwidth: Forwarding many large files can consume upload bandwidth. Forwarding `any` file type can lead to high volumes of benign submissions.
Privacy (Public Cloud): Submitting files to the Public WildFire Cloud means potentially sensitive internal documents could leave the organization's direct control (though Palo Alto Networks has processes for data handling). Organizations with strict data residency or confidentiality requirements should consider a Private WildFire Appliance.
Private Cloud Appliance: Requires purchasing, deploying, managing, and updating the WF-500 appliance or VM-Series analyzer.
Verdict Latency: While often fast, analysis takes time (seconds to minutes). Initial packets of a file might traverse the firewall before a verdict is returned. Blocking based on WildFire signatures relies on subsequent Content Updates or real-time signature streaming (depending on license/feature).

WildFire License vs. No License: Antivirus Protection Speed Comparison

Feature	With WildFire License	Without WildFire License
Signature Update Frequency	Real-time updates as soon as signatures are generated	Every 24–48 hours via standard antivirus updates
File Analysis Capabilities	Supports advanced file types including PE, APK, PDF, Office documents, and scripts	Limited to basic PE file analysis
Inline Machine Learning (ML)	Enabled for real-time detection of unknown threats	Not available
API Access	Full access to submit files and retrieve analysis reports	Not available
Hold Mode for Real-Time Signature Lookup	Available to delay file delivery until signature verdict is received	Not available

For more detailed information, refer to the official Palo Alto Networks documentation on Advanced WildFire Subscription .

PCNSE Exam Focus

For the PCNSE exam, regarding WildFire Submissions:

Understand the purpose of WildFire : Analyzing unknown files/links for zero-day threats.
Identify the configuration object: WildFire Analysis Profile .
Know where the profile is configured: Objects > Security Profiles > WildFire Analysis .
Know how the profile is applied: Attached to Security Policy rules with Action = Allow .
Identify key settings within the profile: Applications, File Types, Direction , Cloud selection (Public/Private).
Understand the difference between Public Cloud and Private Appliance options.
Recognize the importance of Content Updates for receiving WildFire-generated signatures.
Know the critical dependency on SSL Decryption for inspecting files within encrypted sessions.
Be aware of the WildFire Submissions log for monitoring.
Understand the basic WildFire workflow (submit -> analyze -> verdict -> signature).
Know the license requirement (WildFire subscription).

PAN-OS: Configuring WildFire Analysis Profiles (Submissions)