User Expert forum Wildfire configuration

Modern Malware Protection
Wildfire configuration
PANOS 5.0/6.0
Alberto Rivai
CISSP, CCIE #20068, CNSE

The Lifecycle of Network Attacks

1

Bait the
end-user
End-user
lured to a
dangerous
application or
website
containing
malicious
content

2 | ©2012, Palo Alto Networks. Confidential and Proprietary.

2

3

4

5

Exploit

Download
Backdoor

Establish
Back-Channel

Explore
& Steal

Infected
content
exploits the
end-user,
often without
their
knowledge

Secondary
payload is
downloaded
in the
background.
Malware
installed

Malware
establishes an
outbound
connection to
the attacker
for ongoing
control

Remote attacker
has control
inside the
network and
escalates the
attack

Anatomy of a Network Compromise
Brute-force

Command
injection

SMTP
Exploitation
Hypervisor

Application servers

Phishing email
(corporate email
with link to malicious
site)

Corporate
Email Server

Virtual server host

Exploitation, tool drops,
credential and data theft

Exploitation, tool drops,
credential and data theft

HTTP
SSL

Phishing email
(web-based email with
malicious attachment)

Initially targeted client

Domain
Controller

Compromise of
mobile devices
Network ownership complete
Legitimate credentials used

Exploit delivery

Remote access tool
download
Command-and-control

Mobile
Devices
Data exfiltration

Workstations harvested for
IP and used as mules

Command-and-control


Advanced threat prevention solution
Rapid, global sharing

Identify & control

Prevent known
threats

Detect unknown
threats

All applications

Our unique approach makes us the only solution that…


Scans ALL applications (including SSL traffic) to secure all avenues in/out of a
network, reduce the attack surface area, and provide context for forensics



Prevents attacks across ALL attack vectors (exploit, malware, DNS, command &
control, and URL) with content-based signatures



Detects zero day malware & exploits using public/private cloud and
automatically creates signatures for global customer base

Wildfire Service Architecture
and Security measure


WildFire Architecture


Security Measures to protect customers
 Device administrators have control over what session information is
sent to the cloud, so users can maintain compliance with local laws
and regulations
 PANOS 5.0/6.0 Device -> Setup –> Wildfire


Cloud Security: Behind the Scenes
 Industry best practices to protect customer data within the cloud
infrastructure
 Data protection, HA and data privacy


Cloud Security: Behind the Scenes

 All communication between customer firewalls and the WildFire cloud
occurs between the customer firewall and the WildFire cloud’s nearest
Amazon EC2 server
 Communication between customer firewalls and the Amazon EC2 server
is encrypted using HTTPS/SSL encryption
 Clientside and server-side certificates signed by Palo Alto Networks’
Certificate Authority (CA) ensure that Palo Alto Networks firewalls
will only connect to a valid WildFire cloud instance and vice-versa.


Performance impact on Control Plane
 Test environment
 PA-5060 1 vsys
 100 security policies with Antivirus, threat prevention, and URL filtering,
and WildFire forwarding was enabled on select policies such that the
average rate of forwarding to the WildFire cloud was approximately 2
samples per second
 A traffic load of approximately 16Gbps over 9 different protocols

 Management plane CPU utilization was captured during both tests over a
60 second period and averaged per CPU core.


Configuring Wildfire


File forwarding capacity


Check licenses PANOS 5.0/6.0
 Device -> License tab

Basic WildFire

PAN-OS 5.0

PAN-OS 6.0

WildFire Subscription

WF-500

PAN-OS 5.0

PAN-OS 6.0

✓

✓

Public Cloud

✓

✓

✓

WF-500 support

✓

✓

N/A

API access

✓

✓

Public Cloud

✓

✓

✓

PDF

✓

✓

Office Documents

✓

✓

Java

✓

✓

30 minute signatures
✓

Integrated logging

Windows PE (DLL & EXE)

✓

✓

Windows XP

✓

✓

✓

✓

✓

Windows 7

✓

✓

✓

✓

✓

Android APK


✓

Add File Blocking profile
 PANOS 5.0/6.0
 Objects -> Security Profiles -> File Blocking


Add rule to File Blocking profile
 Click Add to add file forwarding rule

 Action
 Forward - The file is automatically sent to WildFire.
 continue-and-forward—A continue page is presented, and the file is sent to
WildFire (combines the continue and forwardactions). This action only works
with web-based traffic. This is due to the fact that a user must click continue
before the file will be forward and the continue response page option is only
available with http/https.


Add rule to File Blocking profile - continue
 Optional
 Click Add to add rule to monitor other file types

 Click OK


Apply the File Blocking profile in Policies


Go to Policies -> Security



Choose the security policy that you want to inspect for Wildfire



Normally security policy that controls inside to outside



Attach the File Blocking profile to the security policy


Check connectivity
 Execute “test wildfire registration”

 Note: Do not use PING to test connectivity to the server. Ping requests
are disabled on the Wildfire server.


Verify


To verify, if any files have been forwarded to the server, use the following
command: show wildfire status



The total file forwarded counter will provide the number of files being
forwarded to the server.


To view Wildfire Logs
 Note : PANOS 5.0 users with no Wildifre license do not have the
ability to view Wildfire logs from the firewall. You need to go to
https://wildifre.paloaltonetworks.com
 Monitor -> Wildfire Submissions for PANOS 6.0
 Monitor -> Wildfire for PANOS 5.0


To view Wildfire Logs - continue
 For PANOS 5.0 users without Wildfire license, Data Filtering logs can
be used to check the status of the file , here are the three actions
available:
 If you only see “forward” with no “wildfire-upload-success” or “wildfireupload-skip”, means that it is either signed by a trusted file signer, or it
is benign sample that the cloud has already seen.

 Forward
 Data plane detected a Potentially Executable file on a Wildfire-enabled
policy. The file is buffered in the management plane.

 wildfire-upload-success
 This means that the file wasn't signed by a trusted signer, and the file
hasn't yet been seen by the cloud. In this case, the file (and session info)
was uploaded to the cloud for analysis.


To view Wildfire Logs - continue
 wildfire-upload-skip
 This means that the file was already seen by the cloud, but the file was
confirmed to be malware. The device skips the file but still sends the
session info for logging purposes.

 Note : Not every download will be visible in the Dashboard reports.
The WildFire Dashboard reports will remain blank until an unknown
file is uploaded to the cloud.


To show statistics
 Execute “ show wildfire statistics”

 https://live.paloaltonetworks.com/docs/DOC-5097

An Integrated Approach to Threat
Coordinated Threat Prevention Prevention
Bait the
end-user

Exploit

Download
Backdoor

Establish
Back-Channel

App-ID

Block
high-risk apps

Block C&C on
non-standard
ports

URL

Block
known malware
sites

Explore &
Steal

Block malware,
fast-flux domains

Spyware
AV

Threat License

IPS

Block
the exploit
Block spyware,
C&C traffic
Block malware

Files

WildFire


Prevent drive-bydownloads

Detect unknown
malware

Block new C&C
traffic

Coordinated
intelligence to
detect and block
active attacks
based on
signatures,
sources and
behaviors

WildFire Coverage Report
Request your report to see:
 The number of detected
malware samples
 Which samples would have
been prevented by WildFire
 The percent of increased
signature coverage with
WildFire


User Expert forum Wildfire configuration

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to User Expert forum Wildfire configuration (20)

Recently uploaded (20)

User Expert forum Wildfire configuration