PAN-OS: Understanding WildFire Submissions and Verdicts

Introduction: The WildFire Cycle

Palo Alto Networks WildFire service provides protection against unknown threats by analyzing suspicious files and links in a cloud-based or on-premises sandbox environment. This process involves two key phases relevant to the firewall's operation:

Submission: The process by which the PAN-OS firewall identifies an unknown file or link traversing allowed traffic and forwards a sample to the WildFire analysis environment.
Verdict: The result of the WildFire analysis, classifying the submitted sample as Benign, Grayware, Phishing, or Malware. This verdict is returned to the submitting firewall and shared globally.

Understanding how submissions are triggered and how verdicts are generated and utilized is crucial for leveraging WildFire effectively.

The Submission Process

Triggering a Submission

A submission occurs when all the following conditions are met:

A file or web link traverses the firewall.
The traffic matches a Security Policy rule with an Action of `Allow` .
That Security Policy rule has a WildFire Analysis Profile attached.
The firewall checks its local cache and potentially the WildFire cloud for a pre-existing verdict for the file's hash or URL. No known verdict exists (the sample is unknown).
The file type, application context, and traffic direction ( upload/download/both ) match the criteria defined within the attached WildFire Analysis Profile.

Role of the WildFire Analysis Profile

This profile ( Objects > Security Profiles > WildFire Analysis ) acts as the filter determining *what gets submitted*:

Applications: Filters based on the App-ID carrying the file (e.g., `web-browsing`, `smb`, `smtp`). Setting to `any` is common for broad coverage.
File Types: Specifies which types of unknown files to forward (e.g., `PE`, `PDF`, `MSOFFICE`, `APK`). Selecting relevant types is crucial; `any` can cause high submission volume.
Direction: Selects whether to submit files being downloaded, uploaded, or both. `both` is recommended.

SSL/TLS Decryption is necessary to identify and submit files transferred within encrypted sessions.

Forwarding Mechanism

The firewall securely forwards the unknown file sample or URL information to the configured WildFire destination:
- WildFire Public Cloud: Choose the geographically closest region ( Device > Setup > WildFire > General Settings ).
- WildFire Private Cloud (Appliance): Specify the IP/FQDN of the WF-500/VM appliance.
Requires appropriate firewall configuration (DNS, routing/Service Routes) and Security Policy rules to allow connectivity to the WildFire service.

The Verdict Process

Analysis in WildFire

Once a sample is received by the WildFire cloud or appliance, it undergoes multiple stages of analysis:

Static Analysis: Examines file structure, metadata, embedded scripts, known malicious patterns without actually executing the file.
Dynamic Analysis (Sandboxing): Executes the file in instrumented virtual environments (Windows, macOS, Linux, Android) that mimic real endpoints. Monitors behavior such as file system changes, registry modifications, process creation, network connections, and exploitation techniques.
Machine Learning: Analyzes extracted features and behaviors using trained models to identify malicious characteristics even in novel threats.
Bare Metal Analysis (Cloud): For highly evasive malware, analysis can occur on physical hardware to bypass virtual machine detection techniques.

Generating and Delivering Verdicts

Based on the analysis results, WildFire assigns a verdict:
- Benign: File/URL is known to be safe.
- Grayware: Potentially unwanted software (e.g., adware, certain utilities) but not strictly malicious.
- Malware: File exhibits confirmed malicious behavior (virus, worm, ransomware, trojan, etc.).
- Phishing: URL is identified as part of a phishing campaign.
The verdict is immediately available to the submitting firewall via its connection to WildFire (stored in a local cache).
The verdict (for malicious samples) is also used to generate new protections (AV signatures, C2 signatures, DNS signatures, malicious URL database entries).
These protections are distributed globally via Content Updates , typically within minutes for the WildFire subscription updates.

Firewalls can also be configured for real-time cloud lookups for unknown hashes, getting verdicts faster than waiting for content updates, provided the sample has been analyzed previously by WildFire from any source.

Monitoring Submissions and Verdicts

WildFire Submissions Log

Location: Monitor > Logs > WildFire Submissions
Content: Shows details about each file/URL submitted, including:
- Timestamp
- Source/Destination IP/User
- Application
- Filename/URL
- File Type / File Hash
- WildFire Verdict (once available)
- Session ID (links back to Traffic log)
Purpose: Used to verify submissions are occurring as expected, track the status of analysis, and see the verdicts for submitted samples.

Threat Log

Location: Monitor > Logs > Threat
Content: Logs actions taken based on *known* verdicts (via Antivirus Profile WildFire actions) or WildFire signatures received via content updates.
Type/Threat Name: Look for types like `wildfire-virus`, `wildfire-grayware`, or specific AV/AS/VP signatures generated based on WildFire analysis.
Purpose: Shows when the firewall *blocked* or *alerted* on traffic due to a WildFire-derived verdict or signature.

Best Practices Summary

Enable WildFire & Content Updates: Foundation for the entire process.
Submit Common Threat Vectors: Configure Analysis Profiles to submit PE, Office, PDF, Scripts, Archives, APKs, etc. Avoid `any` file type unless justified.
Submit 'Any' Application, 'Both' Directions: Maximize coverage in Analysis Profiles.
Enable SSL Decryption: Crucial for submitting files from encrypted sessions.
Configure Antivirus Profile Actions: Set actions (Block/Alert) for known WildFire verdicts (Malware, Phishing, Grayware) for immediate protection.
Monitor Logs: Regularly check WildFire Submissions and Threat logs.
Choose Cloud Region/Appliance Carefully: Consider latency and data residency.
Verify Connectivity: Ensure the firewall can reach the WildFire service.

Caveats and Considerations

Unknown vs. Known: The Analysis profile triggers submission only for *unknown* files. The Antivirus profile acts on files where WildFire already *has* a verdict.
Decryption Dependency: Failure to decrypt SSL/TLS traffic is the most common reason files are *not* submitted to WildFire.
Latency: There is a delay between submission and verdict. Protection against a brand new threat relies first on the verdict return and subsequent signature updates (or real-time lookup if enabled and verdict exists).
Volume/Bandwidth: Submitting large files or using `any` file type can consume significant bandwidth.
Privacy: Consider data privacy implications when submitting files to the public cloud.
Evasion Techniques: Advanced malware may attempt to detect sandboxes or delay malicious activity. WildFire employs counter-evasion techniques (like Bare Metal Analysis) but no system is perfect.
Encrypted Archives: Password-protected files cannot be analyzed.

PCNSE Exam Focus

For the PCNSE exam, understand:

The purpose of WildFire: Analyze unknown files/links.
The difference between Submissions (sending unknowns) and Verdicts (analysis results).
The role of the WildFire Analysis Profile in controlling submissions (what, where, direction).
The role of the Antivirus Profile in configuring actions based on received verdicts.
The different WildFire verdicts: Benign, Grayware, Malware, Phishing .
The process of signature generation and distribution via Content Updates .
The critical dependency on SSL Decryption for visibility.
The difference between Public Cloud and Private Appliance options.
Where to monitor submissions ( WildFire Submissions log ) and verdict actions ( Threat log ).
The WildFire license requirement.