PaloAlto_101

Date post: 01-Jun-2018
Upload: munifrida
WildFire Administrator's Guide

    WildFire Overview

WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. WildFire extends the capabilities of Palo Alto Networks next-generation firewalls to identify and block targeted and unknown malware.

The following topics describe WildFire and how to integrate it into your environment:

    About WildFire

    WildFire Concepts

    WildFire Deployments

    WildFire Subscription Requirements

    Best Practices for Keeping Signatures up to Date

    Reference: Firewall File Forwarding Capacity by Platform

    Copyright 2007-2014 Palo Alto Networks


    About WildFire

Modern malware is at the heart of many of today's most sophisticated network attacks and is increasingly customized to avoid traditional security solutions. Palo Alto Networks has developed an integrated approach that addresses the full malware life cycle: preventing infections, identifying zero-day malware (malware that has not previously been identified by other antivirus vendors) and targeted malware (malware aimed at a specific industry or corporation), and pinpointing and disrupting active infections.

The Palo Alto Networks WildFire engine exposes zero-day and targeted malware through direct observation in a virtual environment within the WildFire system. WildFire also makes extensive use of Palo Alto Networks App-ID technology to identify file transfers within all applications, not just email attachments or browser-based file downloads.

For the Palo Alto Networks WildFire privacy policy, refer to https://live.paloaltonetworks.com/docs/DOC-2880.

Figure: High-Level WildFire Decision Workflow describes the basic WildFire workflow. Figure: Detailed WildFire Decision Flow provides a more detailed workflow, from the initial file download by a user through to the point where a signature is generated if the file is determined to be malicious.


    Figure: High-Level WildFire Decision Workflow


    Figure: Detailed WildFire Decision Flow


    WildFire Concepts

    File Forwarding

    Supported File Types

    WildFire Virtual Sandboxes

    WildFire Signatures

    WildFire Alerts

    WildFire Logging and Reporting

    Malware Test Samples

    File Forwarding

With this integrated solution, you configure the firewall with a file blocking profile and attach it to a security policy rule that instructs the firewall to automatically forward certain file types to the WildFire system for analysis. Whenever a file is transferred over a session that matches the security rule, the firewall performs a file hash check with WildFire to see if the file has been previously analyzed. If the file is new, it is forwarded for analysis, even if it is contained within a ZIP file or sent over compressed HTTP. The firewall can also be configured to forward files inside decrypted SSL sessions. See Forward Files to a WF-500 WildFire Appliance or Forward Files to the WildFire Cloud.

    Supported File Types

    WildFire can analyze the following file types:

APK: Android Application Package

PE: Portable Executable, which includes executable files, object code, DLLs, FON (fonts), and others

PDF: Portable Document Format

Microsoft Office: Includes documents (doc, docx, rtf), workbooks (xls, xlsx), and PowerPoint (ppt, pptx)

Java Applet: JAR and Class file types
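The forwarding decision described above (supported type, subscription entitlement, then a hash check so already-analyzed files are not sent again) as an added Python model. This is illustration code, not Palo Alto Networks code: the magic-byte file-type heuristics stand in for the firewall's own file identification, and the in-memory `seen` set stands in for the hash lookup the firewall performs against WildFire. The subscription rules (PE forwarded without a subscription, APK analyzed by the cloud only, appliance forwarding requiring a WildFire subscription) are taken from this guide; the sample inputs are constructed stubs.

```python
"""Model of the firewall-side forwarding decision: supported type? allowed by
the subscription and target? hash already known to WildFire?
Added illustration, not Palo Alto Networks code. Magic-byte checks and the
in-memory hash cache are assumptions standing in for the firewall's own
file-type identification and its hash query to WildFire."""
import hashlib
import io
import zipfile
from typing import Optional, Set, Tuple

# File categories the guide lists as analyzable by WildFire.
PE, PDF, OFFICE, JAVA, APK = "pe", "pdf", "office", "java", "apk"
FREE_TYPES = {PE}                 # forwarded without a WildFire subscription
APPLIANCE_UNSUPPORTED = {APK}     # analyzed by the cloud only, not the WF-500


def identify(data: bytes) -> Optional[str]:
    """Classify by leading bytes (assumed heuristics). None = unsupported."""
    if data[:2] == b"MZ":
        return PE
    if data[:4] == b"%PDF":
        return PDF
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" or data[:5] == b"{\\rtf":
        return OFFICE                                  # legacy OLE2 doc/xls/ppt, or RTF
    if data[:4] == b"\xca\xfe\xba\xbe":
        return JAVA                                    # Java .class
    if data[:2] == b"PK":                              # ZIP container: docx/xlsx/pptx, JAR, APK
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return None
        if "AndroidManifest.xml" in names:
            return APK
        if "META-INF/MANIFEST.MF" in names:
            return JAVA
        if "[Content_Types].xml" in names:
            return OFFICE
    return None


def should_forward(data: bytes, *, wildfire_subscription: bool,
                   target: str, seen: Set[str]) -> Tuple[bool, str]:
    """Decide whether the firewall forwards `data`. target is "cloud" or
    "appliance"; `seen` plays the role of WildFire's record of SHA256 values
    it has already analyzed. Returns (forward?, reason)."""
    kind = identify(data)
    if kind is None:
        return False, "unsupported file type"
    if target == "appliance" and not wildfire_subscription:
        return False, "appliance forwarding requires a WildFire subscription"
    if target == "appliance" and kind in APPLIANCE_UNSUPPORTED:
        return False, f"{kind} is analyzed by the cloud only"
    if kind not in FREE_TYPES and not wildfire_subscription:
        return False, f"{kind} requires a WildFire subscription"
    digest = hashlib.sha256(data).hexdigest()
    if digest in seen:
        return False, f"already analyzed ({digest[:12]}...)"
    seen.add(digest)
    return True, f"new {kind} sample {digest[:12]}... forwarded"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP (constructed sample input for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    cache: Set[str] = set()
    samples = {                                        # constructed stubs, not real files
        "dropper.exe": b"MZ" + b"\x00" * 62,
        "invoice.pdf": b"%PDF-1.4 constructed",
        "app.apk": make_zip({"AndroidManifest.xml": "<manifest/>"}),
        "notes.txt": b"plain text, not a supported type",
    }
    for name, body in samples.items():
        for sub in (False, True):
            ok, why = should_forward(body, wildfire_subscription=sub,
                                     target="cloud", seen=set(cache))
            print(f"{name:12} subscription={sub!s:5} -> {ok!s:5} {why}")
    # The same PE twice: the second copy is a hash hit and is not re-forwarded.
    for _ in range(2):
        print(should_forward(samples["dropper.exe"], wildfire_subscription=False,
                             target="cloud", seen=cache))
```

Run it as a script to see each sample evaluated with and without a subscription; the final two lines show the hash check suppressing a repeat submission of the same file.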

A subscription is not required to analyze PE file types, but is required to analyze all other supported file types: APK (cloud only; not supported on the WF-500 appliance), PDF, Microsoft Office, and Java Applet.

WildFire Virtual Sandboxes

WildFire executes the suspect files it receives in a virtual environment and observes the behavior for signs of malicious activity, such as changes to browser security settings, injection of code into other processes, modification of files in the Windows system folder, or domains that the sample attempted to access. When the WildFire engine completes the analysis, it generates a detailed forensics report that summarizes the observed behaviors and assigns a verdict of malware or benign. WildFire includes sandbox support for the following operating system environments:

    Microsoft Windows XP 32-bit

    Windows 7 32-bit

    WildFire Signatures

The key benefit of the Palo Alto Networks WildFire feature is that it can discover zero-day malware and quickly generate signatures to protect against future infections by all of the malware it discovers. For files that are determined to be malicious, WildFire automatically generates a signature based on the malware payload of the sample and tests it for accuracy and safety. Because malware evolves rapidly, the signatures that WildFire generates address multiple variants of the malware. The new signature is then distributed within 30-60 minutes to all Palo Alto Networks firewalls equipped with a WildFire subscription, or the following day as part of the antivirus update for firewalls equipped with a Threat Prevention subscription only. As soon as the firewall is updated with the new signature, any files that contain that malware or a variant of it are automatically dropped. Information gathered by WildFire during the analysis of malware is also used to fortify other Threat Prevention features, such as the PAN-DB malware URL categories, DNS signatures, antivirus signatures, and anti-spyware signatures. Palo Alto Networks also develops signatures for command-and-control traffic, enabling immediate disruption of the communications of any malware inside the network. For details on signatures and the benefits of having a WildFire subscription, see WildFire Subscription Requirements.

    WildFire Alerts

The firewall can provide instant alerts whenever malware is detected on your network by sending email alerts, syslog messages, or SNMP traps. This allows you to quickly identify the user who downloaded the malware and eradicate it before it causes extensive damage or propagates to other users. In addition, every signature generated by WildFire is automatically propagated to all Palo Alto Networks firewalls protected with a Threat Prevention and/or WildFire subscription, which provides automatic protection from malware even if it was not found on your network.

    WildFire Logging and Reporting

For each file that WildFire analyzes, a detailed behavioral report is generated within minutes of the file submission. These reports are available in the WildFire Submissions log on the firewall, from the WildFire Portal, or through WildFire API queries. The reports show detailed behavioral information about the file, information on the targeted user, the application that delivered the file, and all URLs involved in the delivery or phone-home activity of the file. For details on how to access the reports and descriptions of the report fields, see View WildFire Reports.


    Malware Test Samples

Palo Alto Networks provides a sample malware file that can be used to test a WildFire configuration on a PAN-OS firewall. Before downloading the file to test your configuration, make sure that the firewall being tested is configured based on the procedures described in Forward Files to a WF-500 WildFire Appliance or Forward Files to the WildFire Cloud.

    The following lists information about the test file:

Each time the file download link is clicked, a unique file named wildfire-test-pe-file.exe is generated and downloaded, and each file has a different SHA256 value.

    The verdict of the file will always be malicious.

    Although a signature is generated for the file, the signature is disabled and will not be distributed.

    Download the test file here: http://wildfire.paloaltonetworks.com/publicapi/test/pe.

If you have enabled decryption on the firewall, you can access the encrypted version of the site by replacing HTTP with HTTPS.


After downloading the file, check the Data Filtering log on the firewall to see if the file was forwarded and, after about five minutes, look for the results in the WildFire Submissions log. For more information, see Verify that the Firewall Can Forward Files to a WildFire Appliance and Verify Firewall File Forwarding to the WildFire Cloud.

    To use the API to retrieve the sample test file, see Use the API to Retrieve a Sample Malware Test File.


    WildFire Deployments

    Palo Alto Networks next-generation firewalls support the following WildFire deployments:

Palo Alto Networks WildFire Cloud: In this deployment, the firewall forwards files to the hosted WildFire environment that is owned and maintained by Palo Alto Networks. As WildFire detects new malware, it generates new signatures within the hour. Firewalls equipped with a WildFire subscription can receive the new signatures within 30-60 minutes; firewalls with only a Threat Prevention subscription receive the new signatures in the next antivirus signature update, within 24-48 hours.

The available WildFire cloud servers are wildfire-public-cloud for the WildFire cloud hosted in the United States and wildfire.paloaltonetworks.jp for the WildFire cloud hosted in Japan. You may want to use the Japan server if you do not want benign files forwarded to the U.S. cloud servers. If a file sent to the Japan cloud is determined to be malicious, it is forwarded to the U.S. servers, where the file is analyzed again and signatures are generated. If you are in the Japan region, you may also experience faster response times for sample submissions and report generation. Panorama can also be configured for the Japan cloud. See Forward Files to the WildFire Cloud for more details.

WildFire Appliance: In this deployment, you install a WF-500 WildFire appliance on your corporate network and configure your firewalls to forward files to it instead of to the Palo Alto Networks WildFire cloud (the default). This deployment prevents the firewall from having to send any files outside of your network for analysis. By default, the appliance does not send any files out of your network unless you explicitly enable the auto-submit feature, which forwards any malware it detects to the Palo Alto Networks WildFire cloud, where the files are analyzed to generate antivirus signatures. The antivirus signatures are then distributed to all Palo Alto Networks firewalls with a Threat Prevention and/or WildFire subscription. A single WildFire appliance can receive and analyze files from up to 100 Palo Alto Networks firewalls.

The main differences between the Palo Alto Networks WildFire cloud and the WildFire appliance are as follows:

The WildFire appliance enables local sandboxing of malware so that benign files never leave your network. By default, the WildFire appliance does not forward any files to the WildFire cloud, and therefore signatures are not generated for malware detected by the appliance. If you want WildFire signatures for locally-detected malware, you can enable the auto-submit feature on the appliance so that it sends the malware it detects to the WildFire cloud for signature generation.

The WildFire API, which is available with a WildFire subscription, can only be used with the public cloud, not with a private WF-500 appliance.

Samples can be submitted manually to the public cloud through the WildFire Portal. With the WF-500 appliance there is no portal, so any logs received from the appliance contain a link that can be clicked to manually submit the sample to the public cloud. The sample is then analyzed and a signature is generated if the sample is found to be malicious. This is useful if auto-submit is not enabled.

Multiple virtual machines run on the WildFire cloud and represent a variety of operating systems and applications that are used when running sample files. On the WF-500 appliance, multiple virtual machines are available, but only one can be chosen for file analysis. When selecting which virtual machine to use, you can review what is installed and choose the virtual machine that best matches your environment. For information on viewing and selecting the virtual machine, see Integrate the WF-500 Appliance into the Network.


    WildFire Subscription Requirements

WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. No subscription is required to use WildFire for sandboxing PE files sent from Palo Alto Networks firewalls to the WildFire cloud; the other supported file types require a WildFire subscription, as described below.

Detection and blocking of known malware discovered by WildFire requires a Threat Prevention and/or WildFire subscription. The Threat Prevention subscription enables the firewall to receive daily antivirus signature updates, which provide coverage for all malware samples detected by WildFire globally to all firewalls with a Threat Prevention subscription. The Threat Prevention subscription also provides access to weekly content updates that include new vulnerability protection and anti-spyware signatures.

To receive the full benefits of the WildFire service, each firewall must have a WildFire subscription, which provides the following benefits:

WildFire Dynamic Updates: Provide new malware signatures on a sub-hourly basis, configurable through Device > Dynamic Updates. Within an hour of detecting new malware, WildFire creates a new malware signature and distributes it through the WildFire dynamic updates, which the firewall can poll every 15, 30, or 60 minutes. The firewall can be configured to take specific actions on WildFire signatures separate from the regular antivirus signature actions in the antivirus profile. The WildFire signatures delivered in the dynamic update include signatures generated for malware detected in files submitted to WildFire by all Palo Alto Networks WildFire customers, not just the file samples that your firewalls send to WildFire.

WildFire Advanced File Type Support: In addition to PE files, a subscription allows the firewall to also forward the following advanced file types: APK (WildFire cloud only), PDF, Microsoft Office, and Java Applet.

WildFire API: The WildFire subscription provides access to the WildFire API, which enables direct programmatic access to the WildFire service on the Palo Alto Networks WildFire cloud. You can use the WildFire API to submit files to the WildFire cloud and to retrieve reports for the submitted files. The WildFire API supports up to 100 file submissions per day and up to 1000 queries per day. Note that you cannot use the WildFire API to submit files to the WildFire appliance.

WildFire Appliance: Only firewalls with a valid WildFire subscription can forward files to a WildFire appliance for analysis. Firewalls that only have a Threat Prevention subscription can forward files to the WildFire cloud, but not to a WildFire appliance.
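A small stdlib-only client for the API workflow described here and under Malware Test Samples: fetch the test PE sample, submit a file, poll its verdict, and stay inside the daily quota of 100 submissions and 1000 queries that this guide states. This is an added example, not Palo Alto Networks code. The guide names only the http://wildfire.paloaltonetworks.com/publicapi/test/pe endpoint; the `/publicapi/submit/file` and `/publicapi/get/verdict` paths, the `apikey` form field, the verdict codes and the XML layout of the verdict reply are assumptions taken from the current public API and may differ from the 2014 service documented here. The `demo()` function runs against a fake transport with a constructed reply so the round trip can be exercised offline.

```python
"""Minimal WildFire public-API client: test sample, submit, verdict, quota.
Added example, not Palo Alto Networks code. Endpoint paths other than
/publicapi/test/pe, the apikey field, verdict codes and the XML reply
shape are ASSUMPTIONS from the current public API, not from this guide."""
import hashlib
import urllib.request
import uuid
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Tuple

CLOUD = "https://wildfire.paloaltonetworks.com"
SUBMIT_LIMIT, QUERY_LIMIT = 100, 1000      # per-day limits stated in the guide
VERDICTS = {0: "benign", 1: "malware", 2: "grayware",          # assumed codes
            -100: "pending", -101: "error", -102: "unknown", -103: "invalid hash"}


class QuotaExceeded(RuntimeError):
    pass


def encode_multipart(fields: Dict[str, str], filename: Optional[str] = None,
                     filedata: bytes = b"") -> Tuple[bytes, str]:
    """Hand-built multipart/form-data body. Returns (body, Content-Type value)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; '
                     f'name="{name}"\r\n\r\n{value}\r\n'.encode())
    if filename is not None:
        head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
        parts.append(head.encode() + filedata + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def parse_verdict(xml_text: str) -> Tuple[str, str]:
    """(sha256, verdict label) from a get/verdict reply; unknown codes are reported, not guessed."""
    info = ET.fromstring(xml_text).find("get-verdict-info")
    if info is None:
        raise ValueError("no get-verdict-info element in response")
    code = int(info.findtext("verdict", "-102"))
    return info.findtext("sha256", ""), VERDICTS.get(code, f"unknown code {code}")


class WildFireClient:
    def __init__(self, apikey: str, base: str = CLOUD,
                 opener: Optional[Callable[[str, bytes, str], bytes]] = None):
        self.apikey, self.base = apikey, base
        self.submits = self.queries = 0            # local view of today's quota use
        self.opener = opener or self._http_post    # opener(url, body, content_type) -> bytes

    @staticmethod
    def _http_post(url: str, body: bytes, content_type: str) -> bytes:
        req = urllib.request.Request(url, data=body, headers={"Content-Type": content_type})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.read()

    def _post(self, path: str, fields: Dict[str, str],
              filename: Optional[str] = None, filedata: bytes = b"") -> bytes:
        body, ctype = encode_multipart({"apikey": self.apikey, **fields}, filename, filedata)
        return self.opener(self.base + path, body, ctype)

    def fetch_test_pe(self) -> bytes:
        """The guide's test sample: fresh SHA256 per download, always judged malicious."""
        with urllib.request.urlopen(self.base + "/publicapi/test/pe", timeout=60) as resp:
            return resp.read()

    def submit(self, filename: str, data: bytes) -> str:
        if self.submits >= SUBMIT_LIMIT:
            raise QuotaExceeded("daily submission limit reached")
        self.submits += 1
        self._post("/publicapi/submit/file", {}, filename, data)
        return hashlib.sha256(data).hexdigest()    # key for later verdict/report lookups

    def verdict(self, sha256: str) -> Tuple[str, str]:
        if self.queries >= QUERY_LIMIT:
            raise QuotaExceeded("daily query limit reached")
        self.queries += 1
        return parse_verdict(self._post("/publicapi/get/verdict", {"hash": sha256}).decode())


# Constructed reply shaped like a get/verdict response (assumed layout).
SAMPLE_VERDICT_XML = ("<wildfire><get-verdict-info><sha256>{h}</sha256>"
                      "<verdict>1</verdict></get-verdict-info></wildfire>")


def demo() -> Tuple[str, str]:
    """Submit/verdict round trip against a fake transport so it runs offline."""
    sample = b"MZ" + b"\x00" * 62                   # constructed stub PE
    h = hashlib.sha256(sample).hexdigest()

    def fake_opener(url: str, body: bytes, ctype: str) -> bytes:
        assert b'name="apikey"' in body and ctype.startswith("multipart/form-data")
        return SAMPLE_VERDICT_XML.format(h=h).encode() if url.endswith("get/verdict") else b"<wildfire/>"

    client = WildFireClient("REDACTED-API-KEY", opener=fake_opener)
    return client.verdict(client.submit("dropper.exe", sample))


if __name__ == "__main__":
    print(demo())                                   # (<sha256 of the stub>, 'malware')
```

Against the live service you would construct `WildFireClient` with a real key and no `opener`, call `fetch_test_pe()` for a fresh test sample, then `submit()` and poll `verdict()` until it stops returning "pending". The quota counters are per process and reset on restart, so persist them if several tools share one key.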

It takes approximately 30 to 60 minutes for WildFire to generate a signature and make it available for subscribers after discovering malware. Firewalls equipped with a WildFire subscription can poll for new malware signatures every 15, 30, or 60 minutes. If, for example, the firewall is set to poll for WildFire signature updates every 30 minutes, it may not receive a signature for a file it uploaded until the second polling interval after the malware was discovered, because of the time required to generate the signature. If the firewall only has a Threat Prevention subscription, it will still receive signatures generated by WildFire after they are rolled into the antivirus updates, which occurs about every 24-48 hours.

For files analyzed by a WF-500 WildFire appliance, signatures can only be generated for malware detected on your network if you have explicitly enabled the auto-submit feature (unless another customer observed the same malware and submitted the same sample to the WildFire public cloud). When auto-submit is enabled, the appliance forwards all discovered malware to the Palo Alto Networks WildFire cloud, where it is used to generate an antivirus signature to detect and block future instances of the malware.


    Best Practices for Keeping Signatures up to Date

This section describes the best practices for keeping a firewall with Threat Prevention and WildFire subscriptions up to date with the latest protection. For a streamlined workflow, use Panorama to push dynamic update schedules to managed firewalls using Panorama templates. This ensures consistency across all firewalls and simplifies management of update schedules.

These guidelines provide two schedule options: the minimum recommended schedule and a more aggressive schedule. Choosing the more aggressive approach causes the device to perform updates much more frequently, some of which can be very large (over 100 MB for antivirus updates). Also, in rare instances, there could be errors in signature updates. Therefore, consider delaying new update installations until they have been released for a certain number of hours. Use the Threshold (Hours) field to specify how long after a release to wait before performing a content update.

Antivirus: New antivirus content updates are released on a daily basis. To get the latest content, schedule these updates daily at minimum. For a more aggressive schedule, schedule them hourly.

Applications and Threats: New App-ID, vulnerability protection, and anti-spyware signatures are released as weekly content updates (normally on Tuesdays). To receive the latest content, schedule the updates at least weekly. For a more aggressive schedule that ensures the firewall receives the latest content soon after it is released (including occasional off-schedule emergency content releases), schedule them daily.

WildFire: New WildFire antivirus signatures are published every 30 minutes. Depending on when new malware is discovered within the release cycle, coverage is provided in the form of a WildFire signature 30-60 minutes after it is first discovered by WildFire. To get the latest WildFire signatures, schedule these updates every hour or half-hour. For a more aggressive schedule, you may want to schedule the firewall to check for updates as often as every 15 minutes.

When configuring a WildFire signature update schedule, the number of minutes past the hour cannot be set to zero or the updates will fail. For example, if you set the recurrence to 15 minutes, the valid values for minutes past the hour are 1-14. For a recurrence of 30 minutes the valid range is 1-29, and for every hour the valid range is 1-59 minutes.
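A worked timing model for the WildFire schedule rules above and for the polling note under WildFire Subscription Requirements (a 30-minute schedule may not pick up a signature until the second polling interval). This is an added example, not Palo Alto Networks code. It validates the minutes-past-the-hour rule exactly as stated on this page, then computes, for malware WildFire discovered at a given minute and the 30-60 minute generation window the guide gives, which poll actually delivers the signature. The PAN-OS CLI line produced by `cli_line()` is assumed syntax for the Device > Dynamic Updates setting and is not taken from this guide; verify it against your PAN-OS release before use.

```python
"""Validate a WildFire dynamic-update schedule and work out signature
delivery time. Added example, not Palo Alto Networks code; the CLI syntax
in cli_line() is an ASSUMPTION, verify it on your PAN-OS release."""
from dataclasses import dataclass
from typing import List, Tuple

# recurrence in minutes -> valid "minutes past the hour" values (from this guide)
VALID_OFFSETS = {15: range(1, 15), 30: range(1, 30), 60: range(1, 60)}
GENERATION_WINDOW = (30, 60)   # minutes from discovery to a published signature


@dataclass(frozen=True)
class WildFireSchedule:
    every_minutes: int   # 15, 30 or 60
    minutes_past: int    # offset inside each interval; 0 makes the update fail

    def validate(self) -> None:
        if self.every_minutes not in VALID_OFFSETS:
            raise ValueError("WildFire recurrence must be 15, 30 or 60 minutes")
        ok = VALID_OFFSETS[self.every_minutes]
        if self.minutes_past not in ok:
            raise ValueError(f"minutes past the hour must be {ok.start}-{ok.stop - 1} "
                             f"for a {self.every_minutes}-minute recurrence")

    def next_poll_after(self, minute: int) -> int:
        """First poll strictly after `minute` (minutes counted from 00:00)."""
        self.validate()
        k = (minute - self.minutes_past) // self.every_minutes + 1
        return k * self.every_minutes + self.minutes_past

    def polls(self, start: int, end: int) -> List[int]:
        """All poll times in [start, end]."""
        out, t = [], self.next_poll_after(start - 1)
        while t <= end:
            out.append(t)
            t += self.every_minutes
        return out


def delivery(sched: WildFireSchedule, discovered: int,
             window: Tuple[int, int] = GENERATION_WINDOW) -> Tuple[int, int, int, int]:
    """For malware first seen by WildFire at `discovered`, return
    (earliest publish, earliest delivery, latest publish, latest delivery).
    A poll that fires before the signature is published finds nothing, so
    delivery is the first poll at or after the publish minute."""
    pub_lo, pub_hi = discovered + window[0], discovered + window[1]
    return (pub_lo, sched.next_poll_after(pub_lo - 1),
            pub_hi, sched.next_poll_after(pub_hi - 1))


def cli_line(sched: WildFireSchedule) -> str:
    """PAN-OS CLI form of the schedule. ASSUMED syntax, not from this guide."""
    sched.validate()
    rec = "every-hour" if sched.every_minutes == 60 else f"every-{sched.every_minutes}-mins"
    return (f"set deviceconfig system update-schedule wildfire recurring {rec} "
            f"at {sched.minutes_past} action download-and-install")


if __name__ == "__main__":
    # The guide's scenario: 30-minute polling, malware found just after a poll.
    s = WildFireSchedule(30, 5)
    found = 6
    lo, d_lo, hi, d_hi = delivery(s, found)
    print(cli_line(s))
    print(f"polls in the first two hours: {s.polls(0, 120)}")
    print(f"discovered at minute {found}: published {lo}-{hi}, delivered {d_lo}-{d_hi} "
          f"({d_lo - found}-{d_hi - found} minutes after discovery)")
    for bad in (WildFireSchedule(15, 0), WildFireSchedule(30, 30)):
        try:
            bad.validate()
        except ValueError as err:
            print(f"rejected {bad}: {err}")
```

With polling every 30 minutes at 5 past and malware discovered at minute 6, the poll at minute 35 runs before any signature can exist; the signature arrives at the minute 65 poll at best and the minute 95 poll at worst, which is the "second polling interval" the guide warns about. Shortening the recurrence to 15 minutes shrinks the delivery window to at most 14 minutes after publication.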


    Reference: Firewall File Forwarding Capacity by Platform

This section describes the maximum rate per minute at which each Palo Alto Networks firewall platform can submit files to the WildFire cloud or a WF-500 appliance for analysis. If the per-minute limit is reached, files are queued.

The Reserved Drive Space column in the following table lists the amount of drive space on the firewall that is reserved for queuing files that are waiting to be forwarded to WildFire. If the limit is reached, forwarding of new files is cancelled until more space in the queue is available.

The speed at which the firewall can forward files to WildFire also depends on the bandwidth of the upload link to the WildFire systems.

Platform          Maximum Files Per Minute    Reserved Drive Space
VM-100            5                           100 MB
VM-200            10                          200 MB
VM-300            20                          200 MB
PA-200            5                           100 MB
PA-500            10                          200 MB
PA-2000 Series    20                          200 MB
PA-3020           50                          200 MB
PA-3050           50                          500 MB
PA-4020           20                          200 MB
PA-4050/4060      50                          500 MB
PA-5020/5050      50                          500 MB
PA-5060           100                         500 MB
PA-7050           100                         1 GB
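A queue model for the capacity table above, added here as an example rather than taken from Palo Alto Networks. The per-minute limits and reserved drive space are copied from the table; how the two limits interact (files drain first-in-first-out at the per-minute rate, and a file that would overflow the reserved space is not forwarded at all) is an assumption about the firewall's behaviour, and the burst inputs are constructed. It shows why a burst of large files on a small platform loses files even though the per-minute rate alone looks sufficient.

```python
"""Forwarding-queue model for the capacity table. Added example, not
Palo Alto Networks code; the FIFO drain and overflow handling are
assumptions, the numbers come from the table."""
from collections import deque
from typing import Dict, List, Tuple

MB = 1024 * 1024
CAPACITY: Dict[str, Tuple[int, int]] = {       # platform -> (files per minute, reserved bytes)
    "VM-100": (5, 100 * MB),  "VM-200": (10, 200 * MB),  "VM-300": (20, 200 * MB),
    "PA-200": (5, 100 * MB),  "PA-500": (10, 200 * MB),  "PA-2000": (20, 200 * MB),
    "PA-3020": (50, 200 * MB), "PA-3050": (50, 500 * MB), "PA-4020": (20, 200 * MB),
    "PA-4050/4060": (50, 500 * MB), "PA-5020/5050": (50, 500 * MB),
    "PA-5060": (100, 500 * MB), "PA-7050": (100, 1024 * MB),
}


def simulate(platform: str, arrivals: List[Tuple[int, int]]) -> Dict[str, int]:
    """arrivals: (minute, size_bytes) for each file the firewall decided to forward.
    Returns files forwarded, files dropped because the reserved space was full,
    the peak number of files waiting, and the minute at which the queue emptied."""
    rate, space = CAPACITY[platform]
    by_minute: Dict[int, List[int]] = {}
    for minute, size in arrivals:
        by_minute.setdefault(minute, []).append(size)
    last_arrival = max(by_minute, default=0)

    queue: deque = deque()
    used = forwarded = dropped = peak = 0
    minute = 0
    while minute <= last_arrival or queue:
        for size in by_minute.get(minute, []):          # new files this minute
            if used + size > space:
                dropped += 1                            # no room: forwarding cancelled
            else:
                queue.append(size)
                used += size
        peak = max(peak, len(queue))
        for _ in range(min(rate, len(queue))):          # drain up to `rate` files per minute
            used -= queue.popleft()
            forwarded += 1
        minute += 1
    return {"forwarded": forwarded, "dropped": dropped, "peak_queue": peak, "minutes": minute}


if __name__ == "__main__":
    burst = [(0, 10 * MB)] * 20          # constructed: 20 files of 10 MB arriving at once
    for platform in ("PA-200", "PA-3020", "PA-3050", "PA-7050"):
        print(platform, simulate(platform, burst))
    steady = [(m, 4 * MB) for m in range(10) for _ in range(8)]   # 8 x 4 MB per minute
    print("PA-200 steady", simulate("PA-200", steady))
```

On a PA-200 the 200 MB burst exceeds the 100 MB reserve, so half the files are never forwarded; on a PA-3050 the same burst fits in the 500 MB reserve and clears in one minute. The steady-state case shows the other failure mode: 8 files per minute on a 5-per-minute platform grows the queue until the reserve fills.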